WO2018121797A1 - Trust network-based decentralized public key management method and management system - Google Patents

Trust network-based decentralized public key management method and management system Download PDF

Info

Publication number
WO2018121797A1
WO2018121797A1 PCT/CN2018/074647 CN2018074647W WO2018121797A1 WO 2018121797 A1 WO2018121797 A1 WO 2018121797A1 CN 2018074647 W CN2018074647 W CN 2018074647W WO 2018121797 A1 WO2018121797 A1 WO 2018121797A1
Authority
WO
WIPO (PCT)
Prior art keywords
public key
record
trust
network
user
Prior art date
Application number
PCT/CN2018/074647
Other languages
French (fr)
Chinese (zh)
Inventor
朱岩
Original Assignee
北京科技大学
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by 北京科技大学 filed Critical 北京科技大学
Publication of WO2018121797A1 publication Critical patent/WO2018121797A1/en

Links

Images

Classifications

    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/08Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L9/0816Key establishment, i.e. cryptographic processes or cryptographic protocols whereby a shared secret becomes available to two or more parties, for subsequent use
    • H04L9/0819Key transport or distribution, i.e. key establishment techniques where one party creates or otherwise obtains a secret value, and securely transfers it to the other(s)
    • H04L9/0825Key transport or distribution, i.e. key establishment techniques where one party creates or otherwise obtains a secret value, and securely transfers it to the other(s) using asymmetric-key encryption or public key infrastructure [PKI], e.g. key signature or public key certificates

Definitions

  • the invention mainly belongs to the field of information security technology, and particularly relates to a decentralized public key management method and management system based on a trust network.
  • PKI Public Key Infrastructure
  • PKI Public Key Infrastructure
  • Users can use the PKI platform to provide The security services implement and develop a variety of security features and applications based on public key cryptography. It can be said that the PKI framework has become the foundation and credibility of the modern Internet.
  • the existing PKI architecture is dominated by government and companies.
  • PKI-based public key management is far from being popularized on the Internet. At the general user level, PKI is rarely accepted, limiting the general public's need for privacy protection and other security services.
  • PKI architecture cannot be popularized.
  • PGP Perfect Privacy
  • the present invention provides a decentralized public key management method and management system based on a trust network.
  • the public key management method can support infrastructure for authentication, encryption, integrity, and accountability services.
  • a decentralized public key management method wherein the decentralized public key management method adds all verified public key records to a consistent public key storage structure in a decentralized network platform for storage;
  • the method can generate a public key log chain, and the public key log chain can sequentially access the same user in order from back to front in time. Identify all relevant public key records;
  • the method can form an authentication chain based on the recommender signature in the public key record, the authentication chain can form a trust network, the trust network can record the delivery process of the recommendation relationship and realize the transmission of the trust relationship.
  • the consistent public key storage structure refers to that all nodes in the decentralized network platform participate in maintaining and storing the same user public key record set.
  • the structure of the public key record includes the following structure:
  • Status information including a forward pointer pointing to the previous public key record, the forward pointer is used to generate a public key log chain in chronological order and record the change of the public key record state;
  • the forward pointer refers to the location information of the previous log of the record in the system, and may be the record address information or the hash value of the record;
  • Public key information used to store related information of the user's public key; including public key length and cryptographic parameter list;
  • Certificate information used to store information related to the use of the user's public key; including: certificate version, serial number, owner, expiration date; the owner information of the certificate information may be signed or claimed by any name, but must be Guarantee the full platform uniqueness of the signature or logo.
  • the method of signature or identification includes real name, pseudonym, email address, website address, uniform resource locator URL, and so on.
  • the signature or logo pseudonym method used can implement the user's "anonymity".
  • the implementation method includes using the hash name of the user's real name as the owner's signature or identification ID to ensure uniqueness.
  • the unidirectionality of the Hash function guarantees the known signature. Unable to guess the real name.
  • signature list for storing a digital signature of the above three aspects of information by the recommender or the public key owner, the signature list including at least one digital signature, each digital signature containing a pointer to the signer's public key record; signature The list can also include the signature type and signature;
  • Each digital signature can be used as a recommendation for a different referrer.
  • a pointer to the signer's public key record is stored in each signature, so that the pointer can be used to obtain the recommender's public key, and the public key is used to verify the validity of the signature. If the verification is passed, it indicates that the recommendation is valid; otherwise it indicates that the recommendation is invalid and the signed information is not trusted. The security of this type of recommendation comes from the unforgeability of the signature.
  • the public key record can record public key certificates used by various public key cryptosystems, and the public key certificates include: X.509, PKI certificate, PGP certificate, and self-certificate.
  • the public key certificate includes public key information, certificate information, and a list of signatures.
  • the self-certificate refers to a certificate formed by the public key record owner calculating the signature by using the public key in the record.
  • the generation of the public key log chain includes the following steps:
  • the change of the public key record status refers to a protocol executed by changing the public key record status, and the protocol includes: a registration protocol, an update protocol, and a revocation protocol.
  • the registration protocol is used for authenticity verification of a public key record of a user and generation of a public key log chain; the registration protocol includes the following process:
  • Trust request phase the public key owner generates a public key record and sends a trust request
  • Signature collection phase The public key owner collects the list of recommenders' signatures and sends a registration request;
  • each node of the network platform verifies the signature in the registration request, and writes the public key record into the public key storage structure after passing the verification;
  • Each node of the network platform establishes a head node of the public key log chain in the lookup table, and links the aforementioned public key record to the head node of the public key log chain.
  • step 2) the verification of the validity of the public key by each node of the network platform is a validity verification process of the public key owner credibility verification and the held public key.
  • Public key owner credibility verification can be verified by trust metrics such as friend relationship, trust relationship, trust calculation model, etc.
  • the public key validity verification process includes encrypting the secret by public key and sending it to the public key holder for decryption and return. The way to verify in a secret way.
  • the update protocol is mainly used for user password update and upgrade, that is, replacing the old key with a new one. If the certificate has expired, it can be upgraded within the specified time without re-registration.
  • the update protocol includes the following process:
  • Update request phase the public key owner generates an updated public key record, and signs the update public key record with the old private key and sends an update request;
  • Each node of the network platform links the updated public key log to the head node of the public key log chain in the public key lookup table.
  • the revocation agreement is used by the public key owner to initiate an application to revoke and discard the public key certificate. After the public key is revoked, it cannot be activated and reused, and can only be re-registered to apply for a new certificate.
  • the revocation agreement includes the following process:
  • the revocation request phase the public key owner generates the revocation public key record and signs the revocation public key record with the private key and sends the revocation request;
  • each node of the network platform verifies the validity of the signature in the revoked public key record by using the public key in the public key log chain, and records the revoked public key record after passing the verification;
  • Each node of the network platform links the undo public key log to the head node of the public key log chain in the public key lookup table.
  • the generation of the authentication chain based on the trust network is specifically as follows:
  • Each public key record signature list stores at least one recommender signature, and each of the recommender signatures is a recommendation certificate of the recommender, and each recommender signature stores a signer public key record pointer, according to the signer
  • the public key record pointer can form an authentication chain.
  • the authentication chain can form a trust network, and the trust relationship supported by the trust network includes direct trust, hierarchical trust, and indirect trust relationship.
  • the method for obtaining the trust relationship includes: negotiating trust by members in the decentralized network platform, and issuing the certificate according to a third-party trusted certificate authority (such as a PKI certificate authority CA).
  • the method is also capable of retrieving a user's public key based on the user identification in the public key record.
  • the retrieval of the user public key depends on a public key retrieval structure, which is composed of a lookup table and a list of head nodes of the public key log chain; the lookup table uses the user identifier of the public key owner as a search key.
  • the methods for constructing the lookup table include: a hash lookup table, a binary search tree, a B tree, a B+ tree, and a lexicographic index table.
  • the user ID is retrieved based on the user identifier in the public key record, specifically:
  • Retrieval request phase the requester generates and sends a query request according to the user ID of the public key to be queried;
  • each node of the network platform relies on the keyword retrieval method of the lookup table to find the item corresponding to the user identifier, and extracts the head node of the public key log chain from the item;
  • Each node of the network platform searches in order from the head node of the public key log chain to obtain the most recent valid public key record, and performs the trustworthiness of the public key record obtained by the search according to the public key trust model. Metric, output the public key record and the credibility measurement result;
  • Consistency check phase The requester receives a specified number of public key records and credibility measurement results, and compares the received query results; if they are consistent, determines the availability of the public key and returns the public key. ; otherwise, it returns "failed".
  • the credibility of the public key in the public key record can be measured by the public key log chain and the record information in the authentication chain. According to the metric, the public key credibility can be divided into different trust levels, and the trust level includes: fully trusted The edge is credible, effective but not credible and invalid.
  • the public key trust model in step 3) is an algorithm or function, algorithm or function for measuring the credibility of the public key record according to the recommender list, the public key validity period, and the public key state change information in the public key record.
  • the output is a credibility metric; the determining the availability of the public key refers to whether the public key record can be used depending on whether the credibility metric is greater than or equal to the security requirement of the public key operation. For example, the credibility measure of the public key record is edge trusted, the security requirement of the public key operation is completely trusted, and the edge trust is less than fully trusted, then the public key record will not be suitable for use.
  • a decentralized public key management system based on trust network A decentralized public key management system based on trust network.
  • the public key management system includes a decentralized network platform and a consistent public key storage structure with network-wide consistency.
  • the centralized network platform is constructed by a distributed data system, including: a blockchain network, a P2P network, and a distribution.
  • a database system a multi-party secure computing system;
  • the consistent public key storage structure is configured to store a public key record that is verified.
  • nodes In this decentralized network, there is a peer relationship between nodes, no central node, and each node has a network-consistent consistent storage structure, which is used for "billing"
  • the form records the various state changes of the public key of the user (including individuals, companies, enterprises, etc.) in the life cycle, wherein the public key life cycle includes the whole process of generating, publishing, updating, and canceling the public key.
  • Consistency means that all nodes in the network platform will participate in the maintenance of the user's public key's full lifecycle management, and establish a reliable correspondence between the identity and the public key through the consensus mechanism of the large-scale node, the public key storage structure It is also multi-copy, but maintains the consistency, integrity, and non-changeability of data between multiple copies.
  • the consistent public key storage structure of the present invention is used to store information of a user's public key and record state changes in chronological order, and is called "public key record", "public key log” or "public key certificate”.
  • the public key record is submitted by the public key owner (or holder) to the system, and after being verified by the system, it is added to the decentralized network platform for storage.
  • the method of the invention enables a user in the network to efficiently, conveniently and accurately verify, query and obtain the public key of a certain user (represented by an identity), and at the same time ensure the validity, correctness and consistency of the obtained public key. Not deceptive.
  • the security risk of public key management lies in how to guarantee the credibility of the public key. Since the information obtained in the Internet is not reliable, the present invention guarantees the credibility and authenticity of the public key certificate.
  • the invention has wide application value, including a secure, reliable and efficient key management solution for any public key cryptosystem, including identity authentication, key exchange, encryption, signature, secure computing and other security services, and Meeting the key management needs of the government, enterprises, military, schools, hospitals and other large-scale user groups will drive the development of the entire Internet security industry in China and promote the establishment of a more secure and reliable Internet trust mechanism.
  • Figure 1 is a system configuration diagram of a public key management framework in the present invention.
  • FIG. 2 is a flow chart showing the execution of a registration protocol in the present invention.
  • Figure 3 is a flow chart showing the execution of an update protocol in the present invention.
  • Figure 4 is a flow chart showing the execution of the revocation protocol in the present invention.
  • Figure 5 is a flow chart showing the execution of the public key retrieval protocol in the present invention.
  • Figure 6 is a block diagram of an information storage structure based on a blockchain in the present invention.
  • the blockchain network includes the following entities:
  • each member P i is an independent execution node of the system and stores a copy of the blockchain BC;
  • 3-block storage structure BC: ⁇ B 1 ,...,B n ⁇ :
  • Consensus Agreement An agreement to ensure that all members of the blockchain system collaborate and obtain common results, such as mining mechanisms, and the agreement of the Byzantine.
  • the data structures used in the block storage structure include:
  • Hash Tree HTree A binary tree used to organize all data records ⁇ cert 1 ,...,cert m ⁇ in the data store body k .
  • the leaf node is the hash value Hress(cert i ) of the data record cert i
  • Block head B k Block head B k .
  • information for storing a user public key pk in each data record cert i is called a public key record or a public key certificate.
  • the public key record structure is defined as follows:
  • public key information pk_info: ⁇ public key length pk_length, type pk_type, parameter list para_list, etc. ⁇ ;
  • the state information before the state_info is used to store this public key pointer forward_ptr cert i recording address information in a block chain, the previous record of this public key (e.g., cert j), i.e., a public key record chain (See below)
  • the public key information pk_info and the certificate information cert_info in the public key record are consistent with the two parts of the common X.509 or PGP public key digital certificate.
  • the signature information sig_info is used to store a digital signature for data including the block information state_info, the public key information pk_info, and the certificate information cert_info.
  • the signature list sig_list can store multiple signatures, and in some cases can also store "self-signed", that is, the public key certificate is performed with the certificate holder's private key. signature.
  • the public key lookup table is constructed by a Hash lookup table, which enables the retrieval of public key certificates. As shown in Figure 1, the Hash lookup table is defined as follows:
  • HashMap ⁇ 0, 1 ⁇ * ⁇ [0, m-1], used to convert the owner "identifier holderID" into the address in the random Hash lookup table t ⁇ HashMap(holderID);
  • the public key log chain Cert_Link i,j : ⁇ link i,j ,cert 1 ,...,cert t ⁇ records the usage record of the public key identifier holderID, where the link header is link i,j .
  • the kth record is cert k , which can be found by the cert k-1 hash pointer cert k-1 .
  • forward_ptr Hash(cert k );
  • the "forward pointer forward_ptr" constitutes a public key record singly linked list, and the public key certificate chain records all the information of the public key certificate.
  • Step 1 retrieve the request phase
  • the requester A generates and sends a query request according to the identifier reqID of the public key to be queried;
  • Step 3 Log chain search phase
  • cert k .sig_num indicates the number of recommender signatures in the public key record
  • m indicates the length of the public key log chain
  • left(cert k .POV) indicates the remaining validity period length
  • trust(cert k ) trust metric value is four categories. : Fully trusted L3, edge trusted L2, valid but not trusted L1, invalid return trust metric L0.
  • the public key record and trust metric (cert, trust(cert k )) are output.
  • the requester A After the requester A receives the specified number (such as at least 5) of the platform query return result ⁇ (cert, trust(cert k )) ⁇ , the requester A compares the results. If they are consistent, the availability of the public key is determined according to the trust metric trust(cert k ), and the public key cert.pk_info is returned; otherwise, "failed" is returned.
  • the specified number such as at least 5
  • the requester A After the requester A receives the specified number (such as at least 5) of the platform query return result ⁇ (cert, trust(cert k )) ⁇ , the requester A compares the results. If they are consistent, the availability of the public key is determined according to the trust metric trust(cert k ), and the public key cert.pk_info is returned; otherwise, "failed" is returned.
  • the public key record cert operation type refers to the type of protocol executed by this record, including: registration protocol Protocol_Regist, update protocol Protocol_Update, and revocation protocol Protocol_Revoke.
  • the registered user A (identified as holderID) generates a public/private key pair (pk A , sk A ), and generates a “certificate registration request” cert A for pk A according to the certificate record cert format, and passes the blockchain.
  • the network net is sent to all system members in the form of a "trust request";
  • the registration applicant A puts the signature ⁇ sig k ⁇ into the public key certificate cert after collecting enough ⁇ sig k ⁇ of the recommender (for example, setting up enough for at least 5 signatures).
  • a 's signature list sig_list is used as a trust basis and is again submitted to the blockchain network in the form of a "registration request";
  • the block chain network (each node) is recommended by the author's public key certificate cert A signature review ⁇ sig k ⁇ , i.e. one by one with the signature sig k Intro_ptr k points to authenticate the public key pk k And according to the "block generation method", it is added to cert A to the current block B i of the blockchain for storage.
  • the block, link.ptr Hash(cert A ), constructs the public key certificate chain Cert_Link t .
  • the trust structure refers to a public key trust relationship formed by a "recommendation relationship" composed of a plurality of recommenders Pk signatures when a public key is registered in the blockchain.
  • This kind of trust relationship is transitive, that is, subject A learns from the trust of subject B to subject C, and forms an indirect trust relationship between subjects A and C.
  • Protocol_Update (as shown in Figure 3):
  • the public/private key pair of public key owner A is (pk A , sk A ), which generates a new public/private key pair (pk' A , sk' A ) and uses the public key.
  • the new public key certificate format pk 'a encapsulated obtained cert' a, of cert 'a sign sig' a with the old private key sk a, and sends it to "update request" block chains to form a network;
  • the blockchain network (in each node) reviews the submitted public key certificate cert' A , that is, the signature sig' A is verified by the old public key pk A in the replaced block, and the approval is followed by The block building method adds cert' A to the current block of the blockchain for storage.
  • each node of the network platform adds a new record cert' A to the "public key log chain" header node in the public key lookup table.
  • Protocol_Revoke (as shown in Figure 4)
  • the public key owner A fills in an empty certificate cert A and fills in the operation type as "undo", then the private key sk A is signed to sign the empty certificate sig A , and it is in the form of "revoked request" Sent to the blockchain network;
  • the blockchain network (in each node) reviews the submitted public key certificate cert A , that is, the public key pk A in the forward block authenticates the signature sig A. If the audit is passed, cert A is added to the current block of the blockchain for storage according to the block building method.
  • each node of the network platform adds the revocation record cert A to the "public key log chain" header node in the public key lookup table, and the process is the third step of the Protocol_Update protocol.
  • a decentralized public key management system based on the trust network can be constructed.
  • the system is shown in FIG. 1 .
  • the system is described as follows:
  • the six block headers are ⁇ hdr 1 , hdr 2 , hdr 3 , hdr 4 , hdr 5 , hdr 6 ⁇ , respectively, which form a block head list through the block chain pointer.
  • Figure 1 shows a body comprising a public key CERT i, i recorded in the data store.
  • PK A public key
  • operation type Regist registration, Update update, Revoke revocation
  • FIG. 3 The right side of Figure 1 shows a public key log chain lookup table consisting of a hash lookup table. As described in the above 3) public key retrieval structure, the lookup table is composed of a hash map HashMap, m pointer arrays A[0:m-1], and three collision list tables Link i .
  • Public key log chain construction The head node of the public key log chain is stored in each node of the collision list Link i in the hash lookup table, and is linked into a singly linked list by the forward_ptr in each public key record. As shown in Figure 1, for user A's public key lookup, user A's public key log chain node is first obtained by link m-3,1 ⁇ A[HashMap(A)], and then user A's is obtained along the chain pointer. Public key log chain
  • Trust network The recommender or owner signature Sig i in the cert i is recorded by the public key to constitute the trust transfer relationship and network of the public key.
  • the recommender or owner signature Sig i in the cert i is recorded by the public key to constitute the trust transfer relationship and network of the public key.
  • FIG 1 when the public key of user A is registered, there are signatures Sig R1 and Sig R2 of two recommenders (users R1 and R2 respectively); continue to query the public key records of the two recommenders, and they know that they have one common The recommender R signed them Sig R and Sig R' .
  • a trust network is constructed: R ⁇ R1 ⁇ A and R ⁇ R2 ⁇ A, where ⁇ represents a trust relationship, that is, R ⁇ R1 indicates that the credibility of R1 is derived from R.
  • a more complex trust network can be constructed.

Abstract

The present invention primarily relates to the field of information security technology, and specifically relates to a novel decentralized public key management method and trust model, the method being constructed on a distributed data network platform like blockchain or P2P, ensuring each node of the platform is capable of participating in maintaining full life cycle management of a user public key, and recording a every status change in a user public key during a life cycle in ledger form. The present method can add public key records which have passed verification to a consistent public key storage structure of a platform to be saved; all public key records of the same user may be arranged from first to last in order of time to generate a public key log chain, and an authentication chain and a trust network may be formed based on a recommender signature; efficient public key search may be implemented based on a user identifier. The present invention ensures convenient and accurate issuance and acquisition of a user public key, ensures an acquired public key is valid, correct, consistent, and not deceptive, and can act as infrastructure to support authentication, encryption, integrity and accountability services.

Description

一种基于信任网络的去中心化公钥管理方法和管理系统Decentralized public key management method and management system based on trust network 技术领域Technical field
本发明主要属于信息安全技术领域,具体涉及一种基于信任网络的去中心化公钥管理方法和管理系统。The invention mainly belongs to the field of information security technology, and particularly relates to a decentralized public key management method and management system based on a trust network.
背景技术Background technique
近年来随着移动智能设备和云计算等新技术的广泛应用,人们通过因特网进行沟通越来越多,电子商务和线上交易日趋普及,人类正向数字社会迈进。为了保障数字社会中各种网络活动的数据机密性、完整性、可用性和真实性,各种现代密码技术被广泛采用,特别是公钥密码技术,已经成为保证互联网和整个数字社会的安全核心。与传统对称密码技术相比,公钥密码技术不仅能够实现数据加密和消息认证,还可实现用户身份认证、数字签名、安全计算、密钥交换、可验证秘密共享等功能,为保证新型互联网业务发展奠定了坚实的安全基础。In recent years, with the wide application of new technologies such as mobile smart devices and cloud computing, people are communicating more and more through the Internet. E-commerce and online transactions are becoming more and more popular, and human beings are moving towards the digital society. In order to protect the data confidentiality, integrity, usability and authenticity of various network activities in the digital society, various modern cryptography technologies have been widely adopted, especially public key cryptography, which has become the core of security for the Internet and the entire digital society. Compared with traditional symmetric cryptography, public key cryptography not only enables data encryption and message authentication, but also implements functions such as user identity authentication, digital signature, secure computing, key exchange, and verifiable secret sharing to ensure new Internet services. Development has laid a solid foundation for security.
现有公钥密码技术是建立在PKI(公钥基础设施)上的,它是一种支持公开密钥管理并能提供“公钥证书”签发和认证服务的基础设施,用户可以利用PKI平台提供的安全服务实现和开发各种基于公钥密码的安全功能和应用。可以说,PKI构架已经成为现代互联网的基石和可信性的基础,然而,现有PKI构架是以政府和公司为主导的,以PKI为基础的公钥管理方式远没有在互联网中被普及和使用,特别是普通用户一级,PKI还很少被接受,限制了普通大众对于隐私保护和其它安全服务需求的实现。PKI构架无法普及原因在于:1)用户实名认证完成公钥证书签发,违背互联网匿名性原则;2)收费成本对普通大众过高;3)不提供证书的存储和获取服务。另一种公钥管理技术是PGP(完美隐私)架构,它是由互联网中用户自发形成的,并在用户所熟悉或信任的朋友之间进行公钥交换的一种技术。也由于组织比较松散,没有被广泛使用。The existing public key cryptography technology is built on PKI (Public Key Infrastructure), which is an infrastructure that supports public key management and provides "public key certificate" issuance and authentication services. Users can use the PKI platform to provide The security services implement and develop a variety of security features and applications based on public key cryptography. It can be said that the PKI framework has become the foundation and credibility of the modern Internet. However, the existing PKI architecture is dominated by government and companies. PKI-based public key management is far from being popularized on the Internet. At the general user level, PKI is rarely accepted, limiting the general public's need for privacy protection and other security services. The reasons why the PKI architecture cannot be popularized are: 1) the user's real-name authentication completes the issuance of the public key certificate, violating the principle of Internet anonymity; 2) the charging cost is too high for the general public; 3) the storage and retrieval service of the certificate is not provided. Another public key management technology is the PGP (Perfect Privacy) architecture, which is a technology that is spontaneously formed by users on the Internet and exchanges public keys between friends that users are familiar with or trust. Also because the organization is loose, it is not widely used.
发明内容Summary of the invention
针对上述问题,本发明提供一种基于信任网络的去中心化公钥管理方法和管理系统。所述公钥管理方法能支持认证、加密、完整性和可追究性服务的基础设施。In view of the above problems, the present invention provides a decentralized public key management method and management system based on a trust network. The public key management method can support infrastructure for authentication, encryption, integrity, and accountability services.
本发明是通过以下技术方案实现的:The invention is achieved by the following technical solutions:
一种去中心化的公钥管理方法,所述去中心化公钥管理方法将所有通过验 证的公钥记录加入到去中心化网络平台中的一致性公钥存储结构中进行保存;A decentralized public key management method, wherein the decentralized public key management method adds all verified public key records to a consistent public key storage structure in a decentralized network platform for storage;
对于公钥存储结构中同一个用户标识下的所有公钥记录,所述方法能够生成公钥日志链,所述公钥日志链能够按照时间从后到前的顺序依次访问与所述同一个用户标识相关的所有公钥记录;For all public key records under the same user ID in the public key storage structure, the method can generate a public key log chain, and the public key log chain can sequentially access the same user in order from back to front in time. Identify all relevant public key records;
所述方法能够基于公钥记录中的推荐人签名形成认证链,所述认证链能够形成一个信任网络,所述信任网络能够记录推荐关系的传递过程以及实现信任关系的传递。The method can form an authentication chain based on the recommender signature in the public key record, the authentication chain can form a trust network, the trust network can record the delivery process of the recommendation relationship and realize the transmission of the trust relationship.
其中,所述一致性公钥存储结构是指去中心化网络平台中所有节点共同参与维护和存储相同的用户公钥记录集,该公钥记录的结构包含如下结构:The consistent public key storage structure refers to that all nodes in the decentralized network platform participate in maintaining and storing the same user public key record set. The structure of the public key record includes the following structure:
1)状态信息:包括一个前向指针,该前向指针指向前一条公钥记录,所述前向指针用于按照时间顺序生成公钥日志链并记录公钥记录状态的改变;状态信息中的前向指针是指本记录在系统中前一日志的位置信息,可以是记录地址信息或该记录的Hash值等;1) Status information: including a forward pointer pointing to the previous public key record, the forward pointer is used to generate a public key log chain in chronological order and record the change of the public key record state; The forward pointer refers to the location information of the previous log of the record in the system, and may be the record address information or the hash value of the record;
2)公钥信息:用于存储用户公钥的相关信息;包括公钥长度、密码学参数列表;2) Public key information: used to store related information of the user's public key; including public key length and cryptographic parameter list;
3)证书信息:用于存储与用户公钥使用相关的信息;包括:证书版本、序列号、拥有者、有效期;证书信息的拥有者信息可以采用任意的名称进行署名或宣称用户标识,但必须保证署名或标识的全平台唯一性。署名或标识的方式包括真名、假名、Email地址、网站地址、统一资源定位符URL等。3) Certificate information: used to store information related to the use of the user's public key; including: certificate version, serial number, owner, expiration date; the owner information of the certificate information may be signed or claimed by any name, but must be Guarantee the full platform uniqueness of the signature or logo. The method of signature or identification includes real name, pseudonym, email address, website address, uniform resource locator URL, and so on.
所使用的署名或标识假名方式可实现用户“匿名”,实现方法包括采用用户真名的Hash值命名作为拥有者署名或标识ID,即可保证唯一性,Hash函数的单向性可保证已知署名无法猜测真名。The signature or logo pseudonym method used can implement the user's "anonymity". The implementation method includes using the hash name of the user's real name as the owner's signature or identification ID to ensure uniqueness. The unidirectionality of the Hash function guarantees the known signature. Unable to guess the real name.
4)签名列表:用于存储推荐人或公钥拥有者对上述三方面信息的数字签名,所述签名列表包括至少一个数字签名,每个数字签名包含一个指向签名者公钥记录的指针;签名列表还可以包括签名类型、签名;4) signature list: for storing a digital signature of the above three aspects of information by the recommender or the public key owner, the signature list including at least one digital signature, each digital signature containing a pointer to the signer's public key record; signature The list can also include the signature type and signature;
每个数字签名可用来作为不同推荐人的推荐证明。每个签名中保存有指向签名者公钥记录的指针,因而可用该指针获得推荐人的公钥,并使用该公钥对该签名的有效性进行验证。如果验证通过,则表明该推荐是有效的;否则表明该推荐是无效的,被签名信息不可信。这种推荐证明的安全性来源于签名的不可伪造性。Each digital signature can be used as a recommendation for a different referrer. A pointer to the signer's public key record is stored in each signature, so that the pointer can be used to obtain the recommender's public key, and the public key is used to verify the validity of the signature. If the verification is passed, it indicates that the recommendation is valid; otherwise it indicates that the recommendation is invalid and the signed information is not trusted. The security of this type of recommendation comes from the unforgeability of the signature.
所述公钥记录能够记录各种公钥密码体制所使用的公钥证书,所述公钥证书包括:X.509、PKI证书、PGP证书、自证书。公钥证书包括公钥信息、证书信息、签名列表。其中自证书是指公钥记录拥有者用该记录中的公钥计算得到签名而形成的证书。The public key record can record public key certificates used by various public key cryptosystems, and the public key certificates include: X.509, PKI certificate, PGP certificate, and self-certificate. The public key certificate includes public key information, certificate information, and a list of signatures. The self-certificate refers to a certificate formed by the public key record owner calculating the signature by using the public key in the record.
公钥日志链的生成包括以下步骤:The generation of the public key log chain includes the following steps:
1)公钥记录验证:中心化网络平台中的各节点对用户提交的公钥记录进行验证;1) Public key record verification: each node in the centralized network platform verifies the public key record submitted by the user;
2)生成公钥日志链:将通过验证的公钥记录存储在去中心化网络平台的一致性存储结构中;根据所述状态信息中的前向指针生成公钥日志链,所述公钥日志链能够从头节点开始按照时间从后到前的顺序依次访问与该公钥相关的所有公钥记录。其中,所述公钥日志链的拥有者采用任意且唯一性字符串作为用户标识,用户标识可采用用户真名的Hash值作为假名实现用户匿名。2) generating a public key log chain: storing the verified public key record in a consistent storage structure of the decentralized network platform; generating a public key log chain according to the forward pointer in the status information, the public key log The chain can access all public key records associated with the public key in order from the head node in order from time to time. The owner of the public key log chain uses an arbitrary and unique character string as a user identifier, and the user identifier can use the hash value of the user's real name as a pseudonym to implement user anonymity.
其中,所述公钥记录状态的改变是指改变该公钥记录状态所执行的协议,所述协议包括:注册协议、更新协议、撤销协议。The change of the public key record status refers to a protocol executed by changing the public key record status, and the protocol includes: a registration protocol, an update protocol, and a revocation protocol.
所述注册协议用于用户公钥记录的可信性验证与公钥日志链生成;所述注册协议包括如下过程:The registration protocol is used for authenticity verification of a public key record of a user and generation of a public key log chain; the registration protocol includes the following process:
1)信任请求阶段:公钥拥有者生成公钥记录和发送信任请求;1) Trust request phase: the public key owner generates a public key record and sends a trust request;
2)公钥验证阶段:网络平台各节点对公钥可信性进行验证;2) Public key verification phase: each node of the network platform verifies the public key credibility;
3)签名收集阶段:公钥所有者收集推荐人签名列表并发送注册请求;3) Signature collection phase: The public key owner collects the list of recommenders' signatures and sends a registration request;
4)记录生成阶段:网络平台各节点对注册请求中的签名进行验证,并在通过验证后将公钥记录写入公钥存储结构;4) Record generation phase: each node of the network platform verifies the signature in the registration request, and writes the public key record into the public key storage structure after passing the verification;
5)日志链生成阶段:网络平台各节点在查找表中建立公钥日志链的头节点,并将前述公钥记录链接到公钥日志链的头节点之后。5) Log chain generation phase: Each node of the network platform establishes a head node of the public key log chain in the lookup table, and links the aforementioned public key record to the head node of the public key log chain.
步骤2)中,网络平台各节点对公钥有效性进行验证是一个公钥所有者可信性验证与所持公钥的有效性验证过程。公钥所有者可信性验证可通过朋友关系、信任关系、信任计算模型等信任度量模型进行验证;公钥的有效性验证过程包括通过公钥加密秘密后发送给公钥持有者解密并返还秘密的方式进行验证的方式。In step 2), the verification of the validity of the public key by each node of the network platform is a validity verification process of the public key owner credibility verification and the held public key. Public key owner credibility verification can be verified by trust metrics such as friend relationship, trust relationship, trust calculation model, etc. The public key validity verification process includes encrypting the secret by public key and sending it to the public key holder for decryption and return. The way to verify in a secret way.
更新协议主要用于用户的密码更新和升级,也就是用新密钥代替旧密钥。如果证书已经失效,则在规定时间内可进行升级,无需重新注册。所述更新协议 包括如下过程:The update protocol is mainly used for user password update and upgrade, that is, replacing the old key with a new one. If the certificate has expired, it can be upgraded within the specified time without re-registration. The update protocol includes the following process:
1)更新请求阶段:公钥拥有者生成更新公钥记录,并用旧私钥对更新公钥记录进行签名和发送更新请求;1) Update request phase: the public key owner generates an updated public key record, and signs the update public key record with the old private key and sends an update request;
2)记录生成阶段:网络平台各节点用公钥日志链中的旧公钥对更新公钥记录中签名有效性进行验证,并在通过验证后对新公钥进行记录;2) Record generation phase: each node of the network platform verifies the validity of the signature in the updated public key record by using the old public key in the public key log chain, and records the new public key after passing the verification;
3)日志链变更阶段:网络平台各节点将更新公钥日志链接到公钥查找表中公钥日志链的头节点之后。3) Log chain change phase: Each node of the network platform links the updated public key log to the head node of the public key log chain in the public key lookup table.
撤销协议被用来公钥所有者主动提出申请对公钥证书进行撤销和丢弃,公钥撤销后无法进行激活和重用,只能重新注册申请新的证书;所述撤销协议包括如下过程:The revocation agreement is used by the public key owner to initiate an application to revoke and discard the public key certificate. After the public key is revoked, it cannot be activated and reused, and can only be re-registered to apply for a new certificate. The revocation agreement includes the following process:
1)撤销请求阶段:公钥所有者生成撤销公钥记录并用私钥对撤销公钥记录签名和发送撤销请求;1) The revocation request phase: the public key owner generates the revocation public key record and signs the revocation public key record with the private key and sends the revocation request;
2)记录生成阶段:网络平台各节点用公钥日志链中公钥对撤销公钥记录中签名的有效性进行验证,并在通过验证后对所述撤销公钥记录进行记录;2) Record generation phase: each node of the network platform verifies the validity of the signature in the revoked public key record by using the public key in the public key log chain, and records the revoked public key record after passing the verification;
3)日志链变更阶段:网络平台各节点将所述撤销公钥日志链接到公钥查找表中公钥日志链的头节点之后。3) Log chain change phase: Each node of the network platform links the undo public key log to the head node of the public key log chain in the public key lookup table.
基于信任网络的认证链的生成具体为:The generation of the authentication chain based on the trust network is specifically as follows:
每一个公钥记录签名列表中存储至少一个推荐人签名,每一个所述推荐人签名为该推荐人的推荐证明,每一个推荐人签名中保存有签名者公钥记录指针,根据所述签名者公钥记录指针能够形成认证链。Each public key record signature list stores at least one recommender signature, and each of the recommender signatures is a recommendation certificate of the recommender, and each recommender signature stores a signer public key record pointer, according to the signer The public key record pointer can form an authentication chain.
所述认证链能够形成一个信任网络,该信任网络支持的信任关系包含直接信任、层次信任、间接信任关系。所述信任关系获取方法包括:由去中心化网络平台中成员协商信任、基于第三方可信认证机构签发(如PKI认证机构CA)。The authentication chain can form a trust network, and the trust relationship supported by the trust network includes direct trust, hierarchical trust, and indirect trust relationship. The method for obtaining the trust relationship includes: negotiating trust by members in the decentralized network platform, and issuing the certificate according to a third-party trusted certificate authority (such as a PKI certificate authority CA).
所述方法还能够基于公钥记录中的用户标识,实现用户公钥的检索。The method is also capable of retrieving a user's public key based on the user identification in the public key record.
所述用户公钥的检索依赖于一种公钥检索结构,该公钥检索结构由查找表和公钥日志链的头节点列表构成;查找表以公钥拥有者的用户标识为查找关键字,构造查找表的方法包括:哈希查找表、二叉查找树、B树、B+树、字典序索引表。The retrieval of the user public key depends on a public key retrieval structure, which is composed of a lookup table and a list of head nodes of the public key log chain; the lookup table uses the user identifier of the public key owner as a search key. The methods for constructing the lookup table include: a hash lookup table, a binary search tree, a B tree, a B+ tree, and a lexicographic index table.
基于公钥记录中的用户标识,实现用户公钥的检索,具体为:The user ID is retrieved based on the user identifier in the public key record, specifically:
1)检索请求阶段:请求者根据待查询公钥的用户标识生成并发送查询请求;1) Retrieval request phase: the requester generates and sends a query request according to the user ID of the public key to be queried;
2)查找表检索阶段:网络平台各节点依靠查找表的关键字检索方法发现用户标识对应的项,并从该项中提取公钥日志链的头节点;2) Lookup table retrieval stage: each node of the network platform relies on the keyword retrieval method of the lookup table to find the item corresponding to the user identifier, and extracts the head node of the public key log chain from the item;
3)日志链查找阶段:网络平台各节点从公钥日志链的头节点开始依次查找,得到最近的一条有效公钥记录,并按照公钥信任模型对查找获得的公钥记录的可信性进行度量,输出该公钥记录和可信性度量结果;3) Log chain search phase: Each node of the network platform searches in order from the head node of the public key log chain to obtain the most recent valid public key record, and performs the trustworthiness of the public key record obtained by the search according to the public key trust model. Metric, output the public key record and the credibility measurement result;
4)一致校验阶段:请求者收到指定数目的公钥记录和可信性度量结果,并比对收到的查询结果是否一致;如果一致,则确定公钥的可用性,并返回该公钥;否则,返回“失败”。4) Consistency check phase: The requester receives a specified number of public key records and credibility measurement results, and compares the received query results; if they are consistent, determines the availability of the public key and returns the public key. ; otherwise, it returns "failed".
公钥记录中公钥的可信性能够由公钥日志链和认证链中的记录信息予以度量,根据度量可将公钥可信性分为不同可信等级,可信等级包括:完全可信、边缘可信、有效但不可信、无效。The credibility of the public key in the public key record can be measured by the public key log chain and the record information in the authentication chain. According to the metric, the public key credibility can be divided into different trust levels, and the trust level includes: fully trusted The edge is credible, effective but not credible and invalid.
步骤3)中公钥信任模型是一种根据该公钥记录中的推荐人列表、公钥有效期、公钥状态变化信息对该公钥记录的可信性进行度量的算法或函数,算法或函数的输出为可信性度量;所述确定公钥的可用性是指依靠可信性度量是否大于等于公钥操作的安全性要求,返回公钥记录是否能被使用。如:公钥记录的可信性度量为边缘可信,公钥操作的安全性要求为完全可信,边缘可信低于完全可信,那么公钥记录将不适合使用。The public key trust model in step 3) is an algorithm or function, algorithm or function for measuring the credibility of the public key record according to the recommender list, the public key validity period, and the public key state change information in the public key record. The output is a credibility metric; the determining the availability of the public key refers to whether the public key record can be used depending on whether the credibility metric is greater than or equal to the security requirement of the public key operation. For example, the credibility measure of the public key record is edge trusted, the security requirement of the public key operation is completely trusted, and the edge trust is less than fully trusted, then the public key record will not be suitable for use.
一种基于信任网络的去中心化公钥管理系统。A decentralized public key management system based on trust network.
所述公钥管理系统包括去中心化网络平台和具有全网一致性的一致性公钥存储结构,所述中心化网络平台由分布式数据系统构造,包括:区块链网络、P2P网络、分布式数据库系统、多方安全计算系统;所述一致性公钥存储结构用于存储通过验证的公钥记录。The public key management system includes a decentralized network platform and a consistent public key storage structure with network-wide consistency. The centralized network platform is constructed by a distributed data system, including: a blockchain network, a P2P network, and a distribution. a database system, a multi-party secure computing system; the consistent public key storage structure is configured to store a public key record that is verified.
在这个去中心化网络中各节点之间具有对等关系,无中心节点,且各节点之间具有全网一致性的一致性存储结构,该一致性存储结构被用于以“记账单”形式记录用户(包括个人、公司、企事业单位等)公钥在生命周期内的各种状态改变,其中,公钥生命周期包括公钥产生、公布、更新、注销的全过程。这里,“一致性”表示网络平台中的所有节点都将参与维护用户公钥的全生命周期管理,通过大规模节点的共识机制建立身份标识与公钥之间可靠的对应关系,公钥存储结构也是多副本的,但保持多副本之间数据的一致性、完整性和不可更改性。In this decentralized network, there is a peer relationship between nodes, no central node, and each node has a network-consistent consistent storage structure, which is used for "billing" The form records the various state changes of the public key of the user (including individuals, companies, enterprises, etc.) in the life cycle, wherein the public key life cycle includes the whole process of generating, publishing, updating, and canceling the public key. Here, "consistency" means that all nodes in the network platform will participate in the maintenance of the user's public key's full lifecycle management, and establish a reliable correspondence between the identity and the public key through the consensus mechanism of the large-scale node, the public key storage structure It is also multi-copy, but maintains the consistency, integrity, and non-changeability of data between multiple copies.
本发明所述的一致性公钥存储结构,被用于存储用户公钥的信息和按照时间顺序记录状态改变,被称为“公钥记录”、“公钥日志”或“公钥证书”。该公钥记录是由公钥拥有者(或持有者)向系统提交的,在通过本系统验证之后,加入到去中心化网络平台中予以保存。The consistent public key storage structure of the present invention is used to store information of a user's public key and record state changes in chronological order, and is called "public key record", "public key log" or "public key certificate". The public key record is submitted by the public key owner (or holder) to the system, and after being verified by the system, it is added to the decentralized network platform for storage.
本发明的有益技术效果Advantageous technical effects of the present invention
本发明所述方法使得网络中用户可以高效、方便、准确地验证、查询和获取某个用户(用身份标识表示)的公开密钥,同时保证所获取公钥的有效性、正确性、一致性、不可欺骗性。同时,公钥管理的安全风险在于如何保障公钥的可信性,由于互联网中获取的信息并不可靠,但本发明保证了公钥证书的可信性和来源的真实性。The method of the invention enables a user in the network to efficiently, conveniently and accurately verify, query and obtain the public key of a certain user (represented by an identity), and at the same time ensure the validity, correctness and consistency of the obtained public key. Not deceptive. At the same time, the security risk of public key management lies in how to guarantee the credibility of the public key. Since the information obtained in the Internet is not reliable, the present invention guarantees the credibility and authenticity of the public key certificate.
所述方法有如下特点:The method has the following characteristics:
1)采用中心化网络平台进行去中心化管理,能够支持任意数目证书机构或用户参与证书管理;1) Decentralized management using a centralized network platform, capable of supporting any number of certificate institutions or users to participate in certificate management;
2)形成支持基于信任网络的认证链,能够对用户获得的的公钥记录进行可信性验证;2) Forming an authentication chain supporting the trust network, and performing credibility verification on the public key record obtained by the user;
3)提供用户公钥的快速查找和存储与访问服务;3) Provide fast search and storage and access services for the user's public key;
4)公钥记录,以时间记账本形式支持公钥全生命周期管理;4) Public key record, supporting public key life cycle management in the form of time bookkeeping;
5)公钥日志链,提供公钥证书的完整性和可追究性服务;5) Public key log chain, providing integrity and accountability services for public key certificates;
6)标识匿名,支持用户以匿名方式进行公钥证书签发和获取;6) Identifying anonymity, allowing users to anonymously issue and obtain public key certificates;
7)与现有PKI和PGP架构相兼容,并具有较好扩展性和较强安全性。7) Compatible with existing PKI and PGP architectures, with good scalability and strong security.
本发明具有广泛的应用价值,包括可为任意公钥密码体制系统提供安全、可靠、高效的密钥管理解决方案,包括身份认证、密钥交换、加密、签名、安全计算等安全服务,并可满足政府、企事业单位、军队、学校、医院等对大规模用户群下的密钥管理需要,将带动我国整个互联网安全产业的发展,并推动更加安全可靠互联网信任机制的建立。The invention has wide application value, including a secure, reliable and efficient key management solution for any public key cryptosystem, including identity authentication, key exchange, encryption, signature, secure computing and other security services, and Meeting the key management needs of the government, enterprises, military, schools, hospitals and other large-scale user groups will drive the development of the entire Internet security industry in China and promote the establishment of a more secure and reliable Internet trust mechanism.
附图说明DRAWINGS
图1是本发明中公开密钥管理构架的系统结构图。BRIEF DESCRIPTION OF THE DRAWINGS Figure 1 is a system configuration diagram of a public key management framework in the present invention.
图2是本发明中注册协议执行的流程图。2 is a flow chart showing the execution of a registration protocol in the present invention.
图3是本发明中更新协议执行的流程图。Figure 3 is a flow chart showing the execution of an update protocol in the present invention.
图4是本发明中撤销协议执行的流程图。Figure 4 is a flow chart showing the execution of the revocation protocol in the present invention.
图5是本发明中公钥检索协议执行的流程图。Figure 5 is a flow chart showing the execution of the public key retrieval protocol in the present invention.
图6是本发明中基于区块链的信息存储结构图。Figure 6 is a block diagram of an information storage structure based on a blockchain in the present invention.
具体实施方式detailed description
为了使本发明的目的、技术方案及优点更加清楚明白,以下结合附图及实施例,对本发明进行进一步详细描述。应当理解,此处所描述的具体实施例仅仅用于解释本发明,并不用于限定本发明。The present invention will be further described in detail below with reference to the accompanying drawings and embodiments. It is understood that the specific embodiments described herein are merely illustrative of the invention and are not intended to limit the invention.
相反,本发明涵盖任何由权利要求定义的在本发明的精髓和范围上做的替代、修改、等效方法以及方案。进一步,为了使公众对本发明有更好的了解,在下文对本发明的细节描述中,详尽描述了一些特定的细节部分。对本领域技术人员来说没有这些细节部分的描述也可以完全理解本发明。Rather, the invention is to cover any alternatives, modifications, and equivalents and embodiments of the invention. Further, in order to provide a better understanding of the present invention, the specific details are described in detail in the detailed description of the invention. The invention may be fully understood by those skilled in the art without a description of these details.
实施例1Example 1
1)去中心化平台构造1) Decentralized platform construction
本实施例是构建在区块链系统基础上,如图6所示,该区块链网络包括下面实体:This embodiment is constructed on the basis of a blockchain system. As shown in FIG. 6, the blockchain network includes the following entities:
①系统成员P:={P 1,…,P n}:每名成员P i是系统的一个独立执行节点,并存储区块链BC的一个副本; 1 system member P:={P 1 ,..., P n }: each member P i is an independent execution node of the system and stores a copy of the blockchain BC;
②分布式网络net:保证系统内成员之间相互联通的P2P网络;2 distributed network net: a P2P network that ensures that members in the system are connected to each other;
③区块存储结构BC:={B 1,…,B n}:区块链是由很多数据块B i构成的分布式存储结构,每个数据块B i:={hdr i,body i}由一个“区块头hdr i”和包含一定数目数据记录的“数据存储体body i”两部分构成; 3-block storage structure BC:={B 1 ,...,B n }: The blockchain is a distributed storage structure composed of a number of data blocks B i , each data block B i :={hdr i ,body i } It consists of a "block header hdr i " and a "data store body i " containing a certain number of data records;
④共识协议:保证区块链系统中所有成员相互协作并获得共同结果的协议,如挖矿机制、拜赞庭一致协议等。4 Consensus Agreement: An agreement to ensure that all members of the blockchain system collaborate and obtain common results, such as mining mechanisms, and the agreement of the Byzantine.
给定哈希函数Hash:{0,1}*→{0,1}l,区块存储结构中所使用的数据结构包括:Given the hash function Hash: {0,1}*→{0,1}l, the data structures used in the block storage structure include:
①区块头哈希链表HTable:用于将所有区块头{B 1,…,B n}组织在一起的单向链表,链表指针ptr=Hash(B i)为前一块数据的Hash函数值,即B i+1:={ptr,block_info,…,root}; 1 block header hash table HTable: a singly linked list used to organize all block headers {B 1 ,...,B n }, the list pointer ptr=Hash(B i ) is the hash function value of the previous block data, ie B i+1 :={ptr,block_info,...,root};
②记录哈希树HTree:用于将数据存储体body k中所有数据记录{cert 1,…,cert m}组织起来的二叉树,叶子结点为数据记录cert i的哈希值Hash(cert i),树中间结点node i存储下属结点(node 2i,node 2i+1)的Hash函数值,即 node i=Hash(node 2i,node 2i+1),树根节点root=node 1存储在区块头B k中。 2 Record Hash Tree HTree: A binary tree used to organize all data records {cert 1 ,...,cert m } in the data store body k . The leaf node is the hash value Hress(cert i ) of the data record cert i The tree node node i stores the Hash function value of the subordinate node (node 2i , node 2i+1 ), that is, node i =Hash(node 2i , node 2i+1 ), and the root node root=node 1 is stored in the area. Block head B k .
本区块链中所有记录{cert i}被存储在关系数据库系统中,并以Hash(cert i)为关键字或指针地址进行查找。 All records {cert i } in this blockchain are stored in the relational database system and searched with Hash(cert i ) as the key or pointer address.
2)公钥记录结构2) Public key record structure
在本实施例中,如图6所示,每个数据记录cert i中存储一个用户公钥pk的信息,被称为公钥记录或公钥证书。公钥记录结构定义如下: In this embodiment, as shown in FIG. 6, information for storing a user public key pk in each data record cert i is called a public key record or a public key certificate. The public key record structure is defined as follows:
①状态信息state_info:={前向指针forward_ptr、操作类型op_type等};1 state information state_info: = { forward pointer forward_ptr, operation type op_type, etc.};
②公钥信息pk_info:={公钥长度pk_length、类型pk_type、参数列表para_list等};2 public key information pk_info: = {public key length pk_length, type pk_type, parameter list para_list, etc.};
③证书信息cert_info:={证书版本version、序列号serial_num、拥有者的用户标识holderID、有效期POV等};3 certificate information cert_info: = {certificate version version, serial number serial_num, owner's user ID holderID, expiration date POV, etc.};
④签名信息sig_info:={列表大小size、签名数目sig_num、签名记录表sig_list等};其中,签名记录表sig_list:={推荐人指针Intro_ptr、签名类型sig_type、签名sig等}。4 signature information sig_info: = {list size size, number of signatures sig_num, signature record table sig_list, etc.}; wherein the signature record table sig_list: = {recommended pointer Intro_ptr, signature type sig_type, signature sig, etc.}.
在上述定义中,状态信息state_info中的前向指针forward_ptr被用来存储本公钥记录cert i在区块链中此公钥的前一条记录(如cert j)的地址信息,即公钥记录链(见后面介绍)中前一块的Hash指针,即forward_ptr=Hash(cert j)。公钥记录中的公钥信息pk_info和证书信息cert_info与常见的X.509或PGP公钥数字证书中这两部分保持一致。 In the above definition, the state information before the state_info is used to store this public key pointer forward_ptr cert i recording address information in a block chain, the previous record of this public key (e.g., cert j), i.e., a public key record chain (See below) The hash pointer of the previous block, namely forward_ptr=Hash(cert j ). The public key information pk_info and the certificate information cert_info in the public key record are consistent with the two parts of the common X.509 or PGP public key digital certificate.
签名信息sig_info用来存储对包括区块信息state_info、公钥信息pk_info、证书信息cert_info在内数据的数字签名。但与通常的X.509公钥数字证书不同,签名列表sig_list可以存储多个签名,在某些情况下也可以存储“自签名”,即用证书持有者的私钥对该公钥证书进行签名。The signature information sig_info is used to store a digital signature for data including the block information state_info, the public key information pk_info, and the certificate information cert_info. However, unlike the usual X.509 public key digital certificate, the signature list sig_list can store multiple signatures, and in some cases can also store "self-signed", that is, the public key certificate is performed with the certificate holder's private key. signature.
为了实现用户匿名,拥有者的用户标识holderID可以为拥有者真实标识的哈希值,即holderID=Hash(holderID)。In order to achieve user anonymity, the owner's user ID holderID may be the hash value of the owner's real identity, ie holderID=Hash(holderID).
3)公钥检索结构3) Public key retrieval structure
公钥查找表是由Hash查找表构造,可实现公钥证书的查找。如图1所示,该Hash查找表定义如下:The public key lookup table is constructed by a Hash lookup table, which enables the retrieval of public key certificates. As shown in Figure 1, the Hash lookup table is defined as follows:
1、密码学碰撞自由Hash函数HashMap:{0,1} *→[0,m-1],用于将拥有者“标识holderID”转化为随机Hash查找表中的地址t←HashMap(holderID); 1, cryptography collision free Hash function HashMap: {0, 1} * → [0, m-1], used to convert the owner "identifier holderID" into the address in the random Hash lookup table t←HashMap(holderID);
2、长度为m的指针数组A[0:m-1],每个数组单元存储“碰撞链表”的指针,即A[i]=Link i,用于以“碰撞链表Link i”的形式存储每个Hash值对应的公钥记录列表,如果某一矩阵单元无对应记录,则存储NULL; 2. A pointer array A[0:m-1] of length m, each array unit storing a pointer of the "collision linked list", that is, A[i]=Link i for storing in the form of "collision linked list Link i " a list of public key records corresponding to each hash value, if a certain matrix unit has no corresponding record, then store NULL;
3、碰撞链表Link i用于存储Hash值映射到该单元A[i]的所有公钥记录构成的链表,链表中每一项包含一个“公钥证书链”的头节点link i,j:={ID,active,ptr},其中,如果link t,j.ID=holderID,那么该指针link i,j.ptr存储指向区块链中存储该公钥记录链Cert_Link i,j的第一条记录cert的地址Hash(cert)(即link i,j.ptr=Hash(cert))和该公钥记录链的基本信息。 3. The collision list Link i is used to store a linked list of all public key records mapped to the unit A[i], and each item in the list contains a "public key certificate chain" header node link i,j := {ID,active,ptr}, where, if link t,j .ID=holderID, then the pointer link i,j .ptr stores the first record storing the public key record chain Cert_Link i,j in the blockchain The cert address Hash(cert) (ie link i, j .ptr=Hash(cert)) and the basic information of the public key record chain.
4、公钥日志链Cert_Link i,j:={link i,j,cert 1,…,cert t}记录了公钥标识holderID的使用记录,其中,链表头为link i,j4. The public key log chain Cert_Link i,j :={link i,j ,cert 1 ,...,cert t } records the usage record of the public key identifier holderID, where the link header is link i,j .
a)第一个记录为cert 1,可由link i,j的哈希地址指针link i,j.ptr=Hash(cert 1)找到该记录; a) The first one is cert 1, by link i, j hash address pointer link i, j .ptr = Hash ( cert 1) find the record;
b)第二个记录为cert 2,可由cert 1的哈希地址指针cert 1.forward_ptr=Hash(cert 2)找到该记录; b) The second recording is cert 2, cert by the hash address pointer cert. 1 1 .forward_ptr = Hash (cert 2) to locate the record;
c)重复上述过程,第k条记录为cert k,可由cert k-1的哈希指针cert k-1.forward_ptr=Hash(cert k)找到该记录; c) repeat the above process, the kth record is cert k , which can be found by the cert k-1 hash pointer cert k-1 .forward_ptr=Hash(cert k );
d)该过程直至最后记录,它的前向指针为空,即cert t.forward_ptr=NULL。 d) The process is up to the last record, its forward pointer is empty, ie cert t .forward_ptr=NULL.
由此可见,公钥证书链Cert_Link i,j:={link i,j,cert 1,…,cert t}是由碰撞链表Link i中某一节点link i,j开始,通过公钥证书记录中“前向指针forward_ptr”构成公钥记录单向链表,公钥证书链记录了该公钥证书的所有信息。 It can be seen that the public key certificate chain Cert_Link i,j :={link i,j ,cert 1 ,...,cert t } is started by a node link i,j in the link list Link i , and is recorded by the public key certificate. The "forward pointer forward_ptr" constitutes a public key record singly linked list, and the public key certificate chain records all the information of the public key certificate.
4)基于用户标识的公钥检索协议(如图5所示):4) Public key retrieval protocol based on user identification (as shown in Figure 5):
第1步:检索请求阶段Step 1: Retrieve the request phase
请求者A根据待查询公钥的标识reqID,生成并发送查询请求;The requester A generates and sends a query request according to the identifier reqID of the public key to be queried;
第2步:哈希查找阶段Step 2: Hash search phase
网络平台各节点(包括本地节点)计算t←HashMap(reqID),在Hash查找表提取项Link t←A[t]=A[HashMap(reqID)]对应的“碰撞链表”Link t:={link t,1,…,link t,k}中,逐项比较link t,j.ID=reqID。如果第j项成立,则提取link t,j,它是“公钥日志链” Cert_Link t,j的头节点;否则,返回“失败”。 Network platform each node (including the local node) computing t ← HashMap (reqID), the lookup table extraction items Link in Hash t ← A [t] = A [HashMap (reqID)] corresponding to the "collision list" Link t: = {link In t,1 ,...,link t,k }, link t,j .ID=reqID is compared item by item. If the jth entry is true, the link t,j is extracted, which is the head node of the "public key log chain" Cert_Link t,j ; otherwise, it returns "failure".
第3步:日志链查找阶段Step 3: Log chain search phase
从“公钥日志链”Cert_Link t,j:={link t,j,cert 1,…,cert m}的表头节点link t,j依次查找每一个公钥记录,得到最近的一条有效公钥记录cert k,并按照公钥信任模型,例如采用公式 Find each public key record in turn from the header node link t,j of the "public key log chain" Cert_Link t,j :={link t,j ,cert 1 ,...,cert m } to get the nearest valid public key. Record cert k and trust the model according to the public key, for example using the formula
trust=(cert k.sig_num+m)·left(cert k.POV) Trust=(cert k .sig_num+m)·left(cert k .POV)
Figure PCTCN2018074647-appb-000001
Figure PCTCN2018074647-appb-000001
其中,cert k.sig_num表示该公钥记录中的推荐者签名数目,m表示公钥日志链长度,left(cert k.POV)表示剩余的有效期长度,trust(cert k)信任度量值为四类:完全可信L3、边缘可信L2、有效但不可信L1、无效返还信任度量值L0。最终,输出该公钥记录和信任度量值(cert,trust(cert k))。 Where cert k .sig_num indicates the number of recommender signatures in the public key record, m indicates the length of the public key log chain, left(cert k .POV) indicates the remaining validity period length, and trust(cert k ) trust metric value is four categories. : Fully trusted L3, edge trusted L2, valid but not trusted L1, invalid return trust metric L0. Finally, the public key record and trust metric (cert, trust(cert k )) are output.
第4步:一致校验阶段Step 4: Consistency Check Phase
请求者A收到指定数目(如至少5个)的平台查询返回结果{(cert,trust(cert k))}后,请求者A比对这些结果是否一致。如果一致,则根据信任度量值trust(cert k)确定公钥的可用性,并返回该公钥cert.pk_info;否则,返回“失败”。 After the requester A receives the specified number (such as at least 5) of the platform query return result {(cert, trust(cert k ))}, the requester A compares the results. If they are consistent, the availability of the public key is determined according to the trust metric trust(cert k ), and the public key cert.pk_info is returned; otherwise, "failed" is returned.
例如,公钥操作的安全性要求为L2,如果trust(cert k)=L3>L2,则表示公钥可用;反之,如果trust(cert k)=L1<L2,则表示公钥不可用。需要说明的是,即便通过上述方法判断该公钥不可用,但依然可以让用户最后决定是否使用该公钥。 For example, the security requirement for public key operation is L2. If trust(cert k )=L3>L2, the public key is available. Conversely, if trust(cert k )=L1<L2, the public key is unavailable. It should be noted that even if the public key is not available by the above method, the user can finally decide whether to use the public key.
4)三个操作协议(如图2,3,4所示)4) Three operating protocols (as shown in Figures 2, 3, 4)
公钥记录cert操作类型是指本记录所执行的协议类型,包括:注册协议Protocol_Regist、更新协议Protocol_Update、撤销协议Protocol_Revoke等。The public key record cert operation type refers to the type of protocol executed by this record, including: registration protocol Protocol_Regist, update protocol Protocol_Update, and revocation protocol Protocol_Revoke.
三个主要协议描述如下:The three main protocols are described below:
①注册协议Protocol_Regist(如图2所示):1 registration agreement Protocol_Regist (as shown in Figure 2):
第一步,注册用户A(标识为holderID)生成公/私密钥对(pk A,sk A),并按照证书记录cert格式对pk A生成“证书注册请求”cert A,并通过区块链网络net以“信任请求”形式发送到所有系统成员; In the first step, the registered user A (identified as holderID) generates a public/private key pair (pk A , sk A ), and generates a “certificate registration request” cert A for pk A according to the certificate record cert format, and passes the blockchain. The network net is sent to all system members in the form of a "trust request";
第二步,每名区块链网络成员P k(被称为推荐人)可选择对“信任请求”中 的公钥pk A进行认证,如果认证成功,则用P k自己的私钥sk k进行签名sig k=sign(sk k,cert A),并将签名sig k和本人公钥记录指针作为推荐人指针Intro_ptr k返还给注册申请者A; The second step, each block chain network members P k (referred to as referees) to select the "Trust request" public key pk A for authentication, if authentication is successful, P k with its own private key sk k Signing sig k =sign(sk k , cert A ), and returning the signature sig k and the personal public key record pointer as the recommender pointer Intro_ptr k to the registration applicant A;
这里的认证方法是:推荐人P k发送一个使用注册者的公钥pk A加密秘密消息m得到c=Encrypt(pk A,m),并发到注册申请者邮箱,注册申请者A用私钥sk A解密该秘密信息m=decrypt(sk A,c),并把信息m传回给推荐人P kThe authentication method here is: the recommender P k sends a public key pk A using the registrant to encrypt the secret message m to obtain c=Encrypt(pk A , m), and sends it to the registration applicant's mailbox, and the registration applicant A uses the private key sk A decrypts the secret information m=decrypt(sk A , c) and passes the information m back to the recommender P k .
第三步,注册申请者A在收集到足够多(例如,设定足够多为至少5个签名)的推荐人签名{sig k}后,将这些签名{sig k}放入到公钥证书cert A的签名列表sig_list中作为信任依据,并再次以“注册请求”形式提交给区块链网络; In the third step, the registration applicant A puts the signature {sig k } into the public key certificate cert after collecting enough {sig k } of the recommender (for example, setting up enough for at least 5 signatures). A 's signature list sig_list is used as a trust basis and is again submitted to the blockchain network in the form of a "registration request";
第四步,区块链网络(中各结点)对提交公钥证书cert A中的推荐人签名{sig k}进行审核,即逐一对签名sig k用Intro_ptr k指向的公钥pk k进行认证,并按照“区块生成方法”将它加入cert A到区块链的当前区块B i中进行存储。 A fourth step, the block chain network (each node) is recommended by the author's public key certificate cert A signature review {sig k}, i.e. one by one with the signature sig k Intro_ptr k points to authenticate the public key pk k And according to the "block generation method", it is added to cert A to the current block B i of the blockchain for storage.
第五步,在Hash查找表中按照t←Hash(holderID)计算Hash索引值t,并在指针数组A中第t项A[t]所指的碰撞链表Link t←A[t],且Link t:={link t,1,…,link t,k};在按照链表指针ptr t,1,…,ptr t,k逐一验证ID t, j=holderID,如果没有相同项,则加入新的一项link,并把它作为公钥证书链的头节点Link t:={link,link t,1,…,link t,k},并将节点中的前向指针指向上一步新生成的区块,即link.ptr=Hash(cert A),从而构造出公钥证书链Cert_Link tIn the fifth step, the Hash index value t is calculated according to t←Hash(holderID) in the Hash lookup table, and the collision list Link t ←A[t] pointed out by the tth item A[t] in the pointer array A, and Link t :={link t,1 ,...,link t,k }; verify ID t , j =holderID one by one according to the linked list pointers ptr t,1 ,...,ptr t,k , if there is no identical item, add new A link and use it as the head node of the public key certificate chain Link t :={link,link t,1 ,...,link t,k }, and point the forward pointer in the node to the newly generated area of the previous step. The block, link.ptr=Hash(cert A ), constructs the public key certificate chain Cert_Link t .
在上述协议中,信任结构是指区块链中某一公钥注册时由多名推荐人P k签名构成的“推荐关系”所形成的公钥信任关系。这种信任关系具有传递性,即主体A借鉴主体B对主体C的信任性,形成主体A与C之间的间接信任关系。 In the above protocol, the trust structure refers to a public key trust relationship formed by a "recommendation relationship" composed of a plurality of recommenders Pk signatures when a public key is registered in the blockchain. This kind of trust relationship is transitive, that is, subject A learns from the trust of subject B to subject C, and forms an indirect trust relationship between subjects A and C.
②更新协议Protocol_Update(如图3所示):2 update the protocol Protocol_Update (as shown in Figure 3):
第一步,令公钥拥有者A的旧公/私密钥对为(pk A,sk A),它生成新的公/私密钥对(pk′ A,sk′ A),并用公钥证书格式对新公钥pk′ A进行封装得到cert′ A,在用旧的私钥sk A对cert′ A进行签名sig′ A,并将它以“更新请求”形式发送到区块链网络; In the first step, the public/private key pair of public key owner A is (pk A , sk A ), which generates a new public/private key pair (pk' A , sk' A ) and uses the public key. the new public key certificate format pk 'a encapsulated obtained cert' a, of cert 'a sign sig' a with the old private key sk a, and sends it to "update request" block chains to form a network;
第二步,区块链网络(中各结点)对提交公钥证书cert′ A进行审核,即用被取代区块内的旧公钥pk A对签名sig′ A进行验证,审核通过则按照区块建立方法将cert′ A加入到区块链的当前区块中进行存储。 In the second step, the blockchain network (in each node) reviews the submitted public key certificate cert' A , that is, the signature sig' A is verified by the old public key pk A in the replaced block, and the approval is followed by The block building method adds cert' A to the current block of the blockchain for storage.
第三步,网络平台各节点将新记录cert′ A添加到公钥查找表中“公钥日志链” 表头节点之后。过程如下:在Hash查找表中按照t←Hash(holderID)计算Hash索引值t,并在指针数组A中第t项A[t]所指的碰撞链表Link t←A[t],且Link t:={link t,1,…,link t,k};在按照链表指针ptr t,1,…,ptr t,k逐一验证ID t,j=holderID,直到找到第一个匹配项link t,k:={ID,active,ptr},将该哈希指针ptr赋值给新记录cert′ A的前向指针cert′ A.forward_ptr=link t,k.ptr,再更改link t,k.ptr=Hash(cert′ A),从而实现将新纪录cert′ A添加到“公钥日志链”Cert_Link t,k:={link t,k,cert′ A,cert 1,…,cert t}。 In the third step, each node of the network platform adds a new record cert' A to the "public key log chain" header node in the public key lookup table. The process is as follows: in the Hash lookup table, the Hash index value t is calculated according to t←Hash(holderID), and the collision list Link t ←A[t] pointed out by the tth item A[t] in the pointer array A, and Link t :={link t,1 ,...,link t,k }; verify ID t,j =holderID one by one according to the linked list pointers ptr t,1 ,...,ptr t,k until the first match link t is found, k: = {ID, active, ptr}, assigning the hash pointer to the new record ptr cert 'cert a forward pointer of' a .forward_ptr = link t, k .ptr, and then change the link t, k .ptr = Hash(cert' A ), thereby adding the new record cert' A to the "public key log chain" Cert_Link t,k :={link t,k ,cert' A , cert 1 ,...,cert t }.
③撤销协议Protocol_Revoke(如图4所示):3 Cancel the protocol Protocol_Revoke (as shown in Figure 4):
第一步,公钥所有者A填写一个空证书cert A,并填写操作类型为“撤销”,再被注销私钥sk A对该空证书进行签名sig A,并将它以“撤销请求”形式发送到区块链网络; In the first step, the public key owner A fills in an empty certificate cert A and fills in the operation type as "undo", then the private key sk A is signed to sign the empty certificate sig A , and it is in the form of "revoked request" Sent to the blockchain network;
第二步,区块链网络(中各结点)对提交公钥证书cert A进行审核,即前向区块内的公钥pk A对签名sig A进行认证。如果审核通过,则按照区块建立方法将cert A加入到区块链的当前区块中进行存储。 In the second step, the blockchain network (in each node) reviews the submitted public key certificate cert A , that is, the public key pk A in the forward block authenticates the signature sig A. If the audit is passed, cert A is added to the current block of the blockchain for storage according to the block building method.
第三步,网络平台各节点将撤销记录cert A添加到公钥查找表中“公钥日志链”表头节点之后,过程如Protocol_Update协议第三步。 In the third step, each node of the network platform adds the revocation record cert A to the "public key log chain" header node in the public key lookup table, and the process is the third step of the Protocol_Update protocol.
5)系统总体构造(如图1所示)5) The overall structure of the system (as shown in Figure 1)
综合上述基于信任网络的去中心化公钥管理方法中的各种结构和协议,可构造一个基于信任网络的去中心化公钥管理系统,该系统如图1所示。该系统描述如下:Combining the various structures and protocols in the above-described decentralized public key management method based on the trust network, a decentralized public key management system based on the trust network can be constructed. The system is shown in FIG. 1 . The system is described as follows:
1)去中心化的存储结构采用区块链网络,图1描述了一个6个区块BC={B 1,B 2,B 3,B 4,B 5,B 6}构成的区块链示意结构,其中,每个区块包括B i:={hdr i,body i}。6个区块头分别为{hdr 1,hdr 2,hdr 3,hdr 4,hdr 5,hdr 6},它们通过区块链指针构成一个区块头链表。 1) The decentralized storage structure uses a blockchain network. Figure 1 depicts a blockchain consisting of six blocks BC={B 1 , B 2 , B 3 , B 4 , B 5 , B 6 } A structure in which each block includes B i :={hdr i , body i }. The six block headers are {hdr 1 , hdr 2 , hdr 3 , hdr 4 , hdr 5 , hdr 6 }, respectively, which form a block head list through the block chain pointer.
2)对应于每个区块B i的数据存储体body i,图1显示了包含在数据存储体body i的一个公钥记录cert i。为了方便,我们按照公钥名称PK A(表示用户A的公钥)和操作类型(Regist注册,Update更新,Revoke撤销)加以命名每个公钥记录。 2) corresponding to the data store of each block body B i i, Figure 1 shows a body comprising a public key CERT i, i recorded in the data store. For convenience, we name each public key record by public key name PK A (representing user A's public key) and operation type (Regist registration, Update update, Revoke revocation).
3)图1右侧显示了一个哈希查找表构成的公钥日志链查找表。如前述3)中公钥检索结构所述,该查找表由一个哈希映射HashMap、m个指针数组A[0:m-1]、以及三个碰撞链表Link i构成。 3) The right side of Figure 1 shows a public key log chain lookup table consisting of a hash lookup table. As described in the above 3) public key retrieval structure, the lookup table is composed of a hash map HashMap, m pointer arrays A[0:m-1], and three collision list tables Link i .
4)公钥日志链构造:公钥日志链的头节点被存储在哈希查找表中碰撞链表Link i的每个节点中,并通过每个公钥记录中的forward_ptr链接成一个单向链表。如图1所示,对于用户A的公钥查找,首先通过link m-3,1←A[HashMap(A)]得到用户A的公钥日志链头节点,然后沿着链指针得到用户A的公钥日志链 4) Public key log chain construction: The head node of the public key log chain is stored in each node of the collision list Link i in the hash lookup table, and is linked into a singly linked list by the forward_ptr in each public key record. As shown in Figure 1, for user A's public key lookup, user A's public key log chain node is first obtained by link m-3,1 ←A[HashMap(A)], and then user A's is obtained along the chain pointer. Public key log chain
Cert_Link A:={link m-3,1,PK A(Revoke),PK A(Upate),PK A(Regist)}。 Cert_Link A :={link m-3,1 , PK A (Revoke), PK A (Upate), PK A (Regist)}.
通过上述公钥日志链可知,该公钥经历了从注册到更新、最后到注销的过程。Through the above public key log chain, the public key goes through the process from registration to update and finally to logout.
5)信任网络:由公钥记录cert i中的推荐者或拥有者签名Sig i构成了该公钥的信任转递关系及网络。如图1所示,用户A的公钥注册时有2个推荐人(分别为用户R1和R2)的签名Sig R1和Sig R2;继续查询两个推荐人的公钥记录,可知他们具有一个共同的推荐人R为他们进行了签名Sig R和Sig R′。根据上述关系构造了一个信任网络:R←R1←A和R←R2←A,其中,←表示信任关系,即R←R1表示R1的可信性来源于R。根据上述信任关系可构造更加复杂的信任网络。 5) Trust network: The recommender or owner signature Sig i in the cert i is recorded by the public key to constitute the trust transfer relationship and network of the public key. As shown in Figure 1, when the public key of user A is registered, there are signatures Sig R1 and Sig R2 of two recommenders (users R1 and R2 respectively); continue to query the public key records of the two recommenders, and they know that they have one common The recommender R signed them Sig R and Sig R' . According to the above relationship, a trust network is constructed: R←R1←A and R←R2←A, where ← represents a trust relationship, that is, R←R1 indicates that the credibility of R1 is derived from R. According to the above trust relationship, a more complex trust network can be constructed.

Claims (19)

  1. 一种基于信任网络的去中心化公钥管理方法,其特征在于,所述去中心化公钥管理方法将所有通过验证的公钥记录加入到去中心化网络平台中的一致性公钥存储结构中进行保存;A decentralized public key management method based on a trust network, characterized in that the decentralized public key management method adds all verified public key records to a consistent public key storage structure in a decentralized network platform Save in
    对于公钥存储结构中同一个用户标识下的所有公钥记录,所述方法能够生成公钥日志链,所述公钥日志链能够按照时间从后到前的顺序依次访问与所述同一个用户标识相关的所有公钥记录;For all public key records under the same user ID in the public key storage structure, the method can generate a public key log chain, and the public key log chain can sequentially access the same user in order from back to front in time. Identify all relevant public key records;
    所述方法能够基于公钥记录中的推荐人签名形成认证链,所述认证链能够形成一个信任网络,所述信任网络能够记录推荐关系的传递过程以及实现信任关系的传递。The method can form an authentication chain based on the recommender signature in the public key record, the authentication chain can form a trust network, the trust network can record the delivery process of the recommendation relationship and realize the transmission of the trust relationship.
  2. 根据权利要求1所述的一种基于信任网络的去中心化公钥管理方法,其特征在于,所述去中心化网络平台由分布式数据系统构造,包括:区块链网络、P2P网络、分布式数据库系统、多方安全计算系统。The method for decentralized public key management based on a trust network according to claim 1, wherein the decentralized network platform is constructed by a distributed data system, including: a blockchain network, a P2P network, and a distribution. Database system, multi-party secure computing system.
  3. 根据权利要求1所述的一种基于信任网络的去中心化公钥管理方法,其特征在于,所述一致性公钥存储结构是指去中心化网络平台中所有节点共同参与维护和存储相同的用户公钥记录集,所述公钥记录包括:The trust network-based decentralized public key management method according to claim 1, wherein the consistent public key storage structure refers to that all nodes in the decentralized network platform participate in maintenance and storage in the same manner. User public key record set, the public key record includes:
    1)状态信息:包括一个用于指向前一条公钥记录的前向指针,所述前向指针用于按照时间顺序生成公钥日志链并记录公钥记录状态的改变;1) Status information: including a forward pointer for pointing to the previous public key record, the forward pointer is used to generate a public key log chain in chronological order and record the change of the public key record state;
    2)公钥信息:用于存储用户公钥的相关信息;2) Public key information: used to store related information of the user's public key;
    3)证书信息:用于存储与用户公钥使用相关的信息;3) Certificate information: used to store information related to the use of the user's public key;
    4)签名列表:用于存储推荐人或公钥拥有者对上述三方面信息的数字签名,所述签名列表包括至少一个数字签名,每个数字签名包含一个指向签名者公钥记录的指针。4) Signature list: used to store the digital signature of the above three aspects of information by the recommender or the public key owner. The signature list includes at least one digital signature, and each digital signature includes a pointer to the signer's public key record.
  4. 根据权利要求3所述的一种基于信任网络的去中心化公钥管理方法,其特征在于,所述公钥记录能够记录各种公钥密码体制所使用的公钥证书,所述公钥证书包括:X.509、PKI证书、PGP证书、自证书。The trust network-based decentralized public key management method according to claim 3, wherein the public key record is capable of recording a public key certificate used by various public key cryptosystems, and the public key certificate Including: X.509, PKI certificate, PGP certificate, self-certificate.
  5. 根据权利要求1所述的一种基于信任网络的去中心化公钥管理方法,其特征在于,所述信任网络支持的信任关系包含直接信任、层次信任、间接信任关系。The trust network-based decentralized public key management method according to claim 1, wherein the trust relationship supported by the trust network comprises a direct trust, a hierarchical trust, and an indirect trust relationship.
  6. 根据权利要求5所述的一种基于信任网络的去中心化公钥管理方法,其特征 在于,所述信任关系获取方法包括:由去中心化网络平台中成员协商、基于第三方可信认证机构签发。The trust network-based decentralized public key management method according to claim 5, wherein the trust relationship obtaining method comprises: a member negotiation by a decentralized network platform, and a third-party trusted authentication mechanism Issued.
  7. 根据权利要求1所述的一种基于信任网络的去中心化公钥管理方法,其特征在于,公钥记录中公钥的可信性能够由公钥日志链和认证链中的记录信息予以度量,根据度量可将公钥可信性分为不同可信等级,可信等级包括:完全可信、边缘可信、有效但不可信、无效。The method for decentralized public key management based on a trust network according to claim 1, wherein the credibility of the public key in the public key record can be measured by the record information in the public key log chain and the authentication chain. According to the metric, the public key credibility can be divided into different credibility levels, and the credibility level includes: completely credible, edge trusted, valid but not trusted, invalid.
  8. 根据权利要求1所述一种基于信任网络的去中心化公钥管理方法,其特征在于,公钥日志链的生成包括以下步骤:The method for decentralized public key management based on a trust network according to claim 1, wherein the generating of the public key log chain comprises the following steps:
    1)公钥记录验证:中心化网络平台中的各节点对用户提交的公钥记录进行验证;1) Public key record verification: each node in the centralized network platform verifies the public key record submitted by the user;
    2)生成公钥日志链:将通过验证的公钥记录存储在去中心化网络平台的一致性存储结构中;根据所述状态信息中的前向指针生成公钥日志链,所述公钥日志链能够从头节点开始按照时间从后到前的顺序依次访问与该公钥相关的所有公钥记录。2) generating a public key log chain: storing the verified public key record in a consistent storage structure of the decentralized network platform; generating a public key log chain according to the forward pointer in the status information, the public key log The chain can access all public key records associated with the public key in order from the head node in order from time to time.
  9. 根据权利要求1所述的一种基于信任网络的去中心化公钥管理方法,其特征在于,所述公钥日志链的拥有者采用任意且唯一性字符串作为用户标识,用户标识可采用用户真名的Hash值作为假名实现用户匿名。The trust network-based decentralized public key management method according to claim 1, wherein the owner of the public key log chain uses an arbitrary and unique character string as a user identifier, and the user identifier can be a user. The hash value of the real name is used as a pseudonym to implement user anonymity.
  10. 根据权利要求1所述的一种基于信任网络的去中心化公钥管理方法,其特征在于,所述认证链生成方法为:每一个公钥记录签名列表中存储至少一个推荐人签名,每一个所述推荐人签名为该推荐人的推荐证明,每一个推荐人签名中保存有签名者公钥记录指针,根据所述签名者公钥记录指针能够形成认证链。The trust network-based decentralized public key management method according to claim 1, wherein the authentication chain generation method is: storing at least one recommender signature in each public key record signature list, each of which The recommender signature is a recommendation certificate of the recommender, and each poster signature holds a signer public key record pointer, and the signer public key record pointer can form an authentication chain.
  11. 根据权利要求1所述的一种基于信任网络的去中心化公钥管理方法,其特征在于,所述方法还能够基于公钥记录中的用户标识,实现用户公钥的检索。The method for decentralized public key management based on a trust network according to claim 1, wherein the method is further capable of realizing retrieval of a user's public key based on a user identifier in the public key record.
  12. 根据权利要求11所述的一种基于信任网络的去中心化公钥管理方法,其特征在于,所述用户公钥的检索依赖于一种公钥检索结构,该公钥检索结构由查找表和公钥日志链的头节点列表构成;查找表以公钥拥有者的用户标识为查找关键字,构造查找表的方法包括:哈希查找表、二叉查找树、B树、B+树、字典序索引表。The trust network-based decentralized public key management method according to claim 11, wherein the retrieval of the user public key is dependent on a public key retrieval structure, and the public key retrieval structure is composed of a lookup table and The head node list of the public key log chain is composed; the lookup table uses the user ID of the public key owner as a search key, and the method for constructing the lookup table includes: a hash lookup table, a binary search tree, a B tree, a B+ tree, and a lexicographical order. direction chart.
  13. 根据权利要求12所述的一种基于信任网络的去中心化公钥管理方法,其特征在于,所述公钥检索结构能基于用户标识实现快速的用户公钥检索,具体为:The trust network-based decentralized public key management method according to claim 12, wherein the public key retrieval structure can implement fast user public key retrieval based on the user identifier, specifically:
    1)检索请求阶段:请求者根据待查询公钥的用户标识生成并发送查询请求;1) Retrieval request phase: the requester generates and sends a query request according to the user ID of the public key to be queried;
    2)查找表检索阶段:网络平台各节点依靠查找表的关键字检索方法发现用户标识对应的项,并从该项中提取公钥日志链的头节点;2) Lookup table retrieval stage: each node of the network platform relies on the keyword retrieval method of the lookup table to find the item corresponding to the user identifier, and extracts the head node of the public key log chain from the item;
    3)日志链查找阶段:网络平台各节点从公钥日志链的头节点开始依次查找,得到最近的一条有效公钥记录,并按照公钥信任模型对查找获得的公钥记录的可信性进行度量,输出该公钥记录和可信性度量结果;3) Log chain search phase: Each node of the network platform searches in order from the head node of the public key log chain to obtain the most recent valid public key record, and performs the trustworthiness of the public key record obtained by the search according to the public key trust model. Metric, output the public key record and the credibility measurement result;
    4)一致校验阶段:请求者收到指定数目的公钥记录和可信性度量结果,并比对收到的查询结果是否一致;如果一致,则确定公钥的可用性,并返回该公钥;否则,返回“失败”。4) Consistency check phase: The requester receives a specified number of public key records and credibility measurement results, and compares the received query results; if they are consistent, determines the availability of the public key and returns the public key. ; otherwise, it returns "failed".
  14. 根据权利要求13所述的一种基于信任网络的去中心化公钥管理方法,其特征在于,所述公钥信任模型是根据该公钥记录中的推荐人列表、公钥有效期、公钥状态变化信息对该公钥记录的可信性进行度量,输出为可信性度量;所述确定公钥的可用性是指依靠可信性度量是否大于等于公钥操作的安全性要求,返回公钥记录是否能被使用。The trust network-based decentralized public key management method according to claim 13, wherein the public key trust model is based on a list of recommenders, a public key validity period, and a public key status in the public key record. The change information measures the credibility of the public key record, and the output is a credibility measure; the determining the availability of the public key refers to whether the credibility measure is greater than or equal to the security requirement of the public key operation, and returns the public key record. Can it be used?
  15. 根据权利要求3所述一种基于信任网络的去中心化公钥管理方法,其特征在于,所述公钥记录状态的改变是指改变该公钥记录状态所执行的协议,所述协议包括:注册协议、更新协议、撤销协议。The de-centralized public key management method based on the trust network according to claim 3, wherein the change of the public key recording state refers to a protocol executed by changing the public key recording state, and the protocol includes: Registration agreement, update agreement, cancellation agreement.
  16. 根据权利要求15所述的一种基于信任网络的去中心化公钥管理方法,其特征在于,所述注册协议用于用户公钥记录的可信性验证与公钥日志链生成;所述注册协议包括如下过程:The trust network-based decentralized public key management method according to claim 15, wherein the registration protocol is used for credibility verification and public key log chain generation of user public key records; The agreement includes the following process:
    1)信任请求阶段:公钥拥有者生成公钥记录和发送信任请求;1) Trust request phase: the public key owner generates a public key record and sends a trust request;
    2)公钥验证阶段:网络平台各节点对公钥可信性进行验证;2) Public key verification phase: each node of the network platform verifies the public key credibility;
    3)签名收集阶段:公钥所有者收集推荐人签名列表并发送注册请求;3) Signature collection phase: The public key owner collects the list of recommenders' signatures and sends a registration request;
    4)记录生成阶段:网络平台各节点对注册请求中的签名进行验证,并在通过验证后将公钥记录写入公钥存储结构;4) Record generation phase: each node of the network platform verifies the signature in the registration request, and writes the public key record into the public key storage structure after passing the verification;
    5)日志链生成阶段:网络平台各节点在查找表中建立公钥日志链的头节点, 并将前述公钥记录链接到公钥日志链的头节点之后。5) Log chain generation phase: Each node of the network platform establishes a head node of the public key log chain in the lookup table, and links the aforementioned public key record to the head node of the public key log chain.
  17. 根据权利要求15所述的一种基于信任网络的去中心化公钥管理方法,其特征在于,所述更新协议用于用户的密码更新和升级;所述更新协议包括如下过程:The trust network-based decentralized public key management method according to claim 15, wherein the update protocol is used for user password update and upgrade; and the update protocol includes the following process:
    1)更新请求阶段:公钥拥有者生成更新公钥记录,并用旧私钥对更新公钥记录进行签名和发送更新请求;1) Update request phase: the public key owner generates an updated public key record, and signs the update public key record with the old private key and sends an update request;
    2)记录生成阶段:网络平台各节点用公钥日志链中的旧公钥对更新公钥记录中签名有效性进行验证,并在通过验证后对新公钥进行记录;2) Record generation phase: each node of the network platform verifies the validity of the signature in the updated public key record by using the old public key in the public key log chain, and records the new public key after passing the verification;
    3)日志链变更阶段:网络平台各节点将更新公钥日志链接到公钥查找表中公钥日志链的头节点之后。3) Log chain change phase: Each node of the network platform links the updated public key log to the head node of the public key log chain in the public key lookup table.
  18. 根据权利要求15所述一种基于信任网络的去中心化公钥管理方法,其特征在于,所述撤销协议用于公钥所有者主动提出申请对公钥证书进行撤销和丢弃,公钥撤销后无法进行激活和重用;所述撤销协议包括如下过程:The de-centralized public key management method based on the trust network according to claim 15, wherein the revocation protocol is used by the public key owner to actively apply for revocation and discarding the public key certificate, and after the public key is revoked Unable to activate and reuse; the revocation agreement includes the following process:
    1)撤销请求阶段:公钥所有者生成撤销公钥记录并用私钥对撤销公钥记录签名和发送撤销请求;1) The revocation request phase: the public key owner generates the revocation public key record and signs the revocation public key record with the private key and sends the revocation request;
    2)记录生成阶段:网络平台各节点用公钥日志链中公钥对撤销公钥记录中签名的有效性进行验证,并在通过验证后对所述撤销公钥记录进行记录;2) Record generation phase: each node of the network platform verifies the validity of the signature in the revoked public key record by using the public key in the public key log chain, and records the revoked public key record after passing the verification;
    3)日志链变更阶段:网络平台各节点将所述撤销公钥日志链接到公钥查找表中公钥日志链的头节点之后。3) Log chain change phase: Each node of the network platform links the undo public key log to the head node of the public key log chain in the public key lookup table.
  19. 一种基于信任网络的去中心化公钥管理系统,其特征在于,所述公钥管理系统包括去中心化网络平台和具有全网一致性的一致性公钥存储结构,所述中心化网络平台为区块链网络、P2P网络或分布式数据库系统;所述一致性公钥存储结构用于存储通过验证的公钥记录。A decentralized public key management system based on a trust network, characterized in that the public key management system comprises a decentralized network platform and a consistent public key storage structure with network-wide consistency, the centralized network platform The blockchain network, the P2P network, or the distributed database system; the consistent public key storage structure is configured to store the verified public key record.
PCT/CN2018/074647 2016-12-26 2018-01-31 Trust network-based decentralized public key management method and management system WO2018121797A1 (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN201611218516.9 2016-12-26
CN201611218516.9A CN107070644B (en) 2016-12-26 2016-12-26 Decentralized public key management method and management system based on trust network

Publications (1)

Publication Number Publication Date
WO2018121797A1 true WO2018121797A1 (en) 2018-07-05

Family

ID=59624385

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2018/074647 WO2018121797A1 (en) 2016-12-26 2018-01-31 Trust network-based decentralized public key management method and management system

Country Status (2)

Country Link
CN (1) CN107070644B (en)
WO (1) WO2018121797A1 (en)

Cited By (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2019133307A1 (en) * 2017-12-29 2019-07-04 Ebay Inc. Traceable key block-chain ledger
CN114205809A (en) * 2021-11-12 2022-03-18 天津大学 Unmanned ship ad hoc network method based on block chain
EP3831012A4 (en) * 2018-07-27 2022-04-27 HRL Laboratories, LLC Bidirectional blockchain
US20220270085A1 (en) * 2019-05-21 2022-08-25 nChain Holdings Limited Destination addressing associated with a distributed ledger
WO2022231983A1 (en) * 2021-04-29 2022-11-03 Arris Enterprises Llc Centralized database with provisions to prevent pki key and security certificate duplication

Families Citing this family (41)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN107070644B (en) * 2016-12-26 2020-02-28 北京科技大学 Decentralized public key management method and management system based on trust network
CN107517256B (en) * 2017-08-24 2020-08-07 李昊星 Information distribution method and device
CN107769925B (en) * 2017-09-15 2020-06-19 山东大学 Public key infrastructure system based on block chain and certificate management method thereof
US11449887B2 (en) * 2017-10-09 2022-09-20 American Express Travel Related Services Company, Inc. Systems and methods for loyalty point distribution
US11397962B2 (en) 2017-10-09 2022-07-26 American Express Travel Related Services Company, Inc. Loyalty point distributions using a decentralized loyalty ID
US11699166B2 (en) 2017-10-09 2023-07-11 American Express Travel Related Services Company, Inc. Multi-merchant loyalty point partnership
CN107733892A (en) * 2017-10-17 2018-02-23 光载无限(北京)科技有限公司 Link network system and link network individual's operation flow based on the control of intelligent contract
CN108242999B (en) * 2017-10-26 2021-04-16 招商银行股份有限公司 Key escrow method, device and computer-readable storage medium
CN108009918B (en) * 2017-11-23 2021-10-26 深圳捷汇科技有限公司 Accounting method of block chain consensus algorithm transaction system and electronic equipment
CN108053308A (en) * 2017-12-08 2018-05-18 横琴密达科技有限责任公司 A kind of method and system of monetary device selection and intelligent Trade based on block chain
CN108124505B (en) * 2017-12-19 2020-06-30 深圳前海达闼云端智能科技有限公司 Method and device for acquiring trusted node, storage medium and block link node
US11544708B2 (en) 2017-12-29 2023-01-03 Ebay Inc. User controlled storage and sharing of personal user information on a blockchain
US11615060B2 (en) * 2018-04-12 2023-03-28 ISARA Corporation Constructing a multiple entity root of trust
CN108924081B (en) * 2018-05-03 2021-04-30 深圳中泰智丰物联网科技有限公司 Method for protecting user privacy and resisting malicious users in Internet of things based on edge calculation
CN108769014B (en) * 2018-05-29 2019-05-14 山东九州信泰信息科技股份有限公司 A method of PGP verification is carried out to Email based on block chain technology
CN110611641B (en) * 2018-06-15 2021-11-02 成都高新信息技术研究院 Block chain mobile user terminal system
CN108876371B (en) * 2018-06-26 2021-01-29 广州天高软件科技有限公司 Consumption data storage, data verification and data source tracing method based on block chain
CN108881471B (en) * 2018-07-09 2020-09-11 北京信息科技大学 Union-based whole-network unified trust anchor system and construction method
CN108874631A (en) * 2018-07-10 2018-11-23 佛山伊苏巨森科技有限公司 A kind of system for entry validity in test database data structure
CN109067521A (en) * 2018-07-27 2018-12-21 天津大学 A kind of public key distribution method based on block chain
CN110830256A (en) * 2018-08-14 2020-02-21 珠海金山办公软件有限公司 File signature method and device, electronic equipment and readable storage medium
US11301452B2 (en) 2018-10-09 2022-04-12 Ebay, Inc. Storing and verification of derivative work data on blockchain with original work data
CN111314060B (en) * 2018-12-12 2022-12-13 中移动信息技术有限公司 Key updating method, device and storage medium
CN109951279B (en) * 2019-03-15 2022-03-29 南京邮电大学 Anonymous data storage method based on block chain and edge device
CN109902074B (en) * 2019-04-17 2021-02-09 江苏全链通信息科技有限公司 Data center-based log storage method and system
CN110061851A (en) * 2019-04-28 2019-07-26 广州大学 A kind of across trust domain authentication method and system of decentralization
CN111190909B (en) * 2019-05-17 2020-12-15 延安大学 Data credible processing method
CN110247960B (en) * 2019-05-27 2021-12-07 矩阵元技术(深圳)有限公司 Method and device for realizing secure multi-party computation, computer equipment and storage medium
CN110474775B (en) * 2019-07-04 2020-09-01 阿里巴巴集团控股有限公司 User creating method, device and equipment in block chain type account book
US10791122B2 (en) 2019-07-04 2020-09-29 Alibaba Group Holding Limited Blockchain user account data
CN110675685A (en) * 2019-09-29 2020-01-10 张华平 Industrial and commercial management professional training system based on block chain
CN110719167B (en) * 2019-10-16 2022-09-27 郑州师范学院 Block chain-based signcryption method with timeliness
CN110855679B (en) * 2019-11-15 2021-11-30 微位(深圳)网络科技有限公司 uPKI combined public key authentication method and system
CN111047313B (en) * 2020-03-12 2020-12-04 支付宝(杭州)信息技术有限公司 Code scanning payment, information sending and key management method, device and equipment
CN111917734B (en) * 2020-07-12 2023-03-10 中信银行股份有限公司 Method and device for managing public key, electronic equipment and computer readable storage medium
CN111859348B (en) * 2020-07-31 2022-07-19 上海微位网络科技有限公司 Identity authentication method and device based on user identification module and block chain technology
US10958450B1 (en) 2020-10-15 2021-03-23 ISARA Corporation Constructing a multiple-entity root certificate data block chain
CN112511553B (en) * 2020-12-08 2021-12-07 清华大学 Hierarchical Internet trust degree sharing method
CN112861155A (en) * 2021-02-25 2021-05-28 浙江清华长三角研究院 Public key issuing method in off-center computing scene
CN113055886B (en) * 2021-03-15 2023-02-24 中国联合网络通信集团有限公司 Terminal authentication method, system, server and medium in edge computing network
CN115632791B (en) * 2022-10-12 2024-03-19 南京航空航天大学 Dynamic cross-chain data consistency decentration verification method

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN105701372A (en) * 2015-12-18 2016-06-22 布比(北京)网络技术有限公司 Block chain identity construction and verification method
CN106230808A (en) * 2016-07-28 2016-12-14 杭州云象网络技术有限公司 A kind of personal credit information system method based on block chain technology
WO2016200885A1 (en) * 2015-06-08 2016-12-15 Blockstream Corporation Cryptographically concealing amounts transacted on a ledger while preserving a network's ability to verify the transaction
CN107070644A (en) * 2016-12-26 2017-08-18 北京科技大学 A kind of decentralization public key management method and management system based on trust network

Family Cites Families (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2016029119A1 (en) * 2014-08-21 2016-02-25 myVBO, LLC Systems and methods for managing alternative currency transactions and optimizing financial rewards
CN105591753A (en) * 2016-01-13 2016-05-18 杭州复杂美科技有限公司 Application method of CA certificate on block chain
CN105592098B (en) * 2016-01-16 2018-09-14 杭州复杂美科技有限公司 The management method of ballot and CA certificate on block chain

Patent Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2016200885A1 (en) * 2015-06-08 2016-12-15 Blockstream Corporation Cryptographically concealing amounts transacted on a ledger while preserving a network's ability to verify the transaction
CN105701372A (en) * 2015-12-18 2016-06-22 布比(北京)网络技术有限公司 Block chain identity construction and verification method
CN106230808A (en) * 2016-07-28 2016-12-14 杭州云象网络技术有限公司 A kind of personal credit information system method based on block chain technology
CN107070644A (en) * 2016-12-26 2017-08-18 北京科技大学 A kind of decentralization public key management method and management system based on trust network

Cited By (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2019133307A1 (en) * 2017-12-29 2019-07-04 Ebay Inc. Traceable key block-chain ledger
EP3831012A4 (en) * 2018-07-27 2022-04-27 HRL Laboratories, LLC Bidirectional blockchain
US20220270085A1 (en) * 2019-05-21 2022-08-25 nChain Holdings Limited Destination addressing associated with a distributed ledger
WO2022231983A1 (en) * 2021-04-29 2022-11-03 Arris Enterprises Llc Centralized database with provisions to prevent pki key and security certificate duplication
US11601290B2 (en) 2021-04-29 2023-03-07 Arris Enterprises Llc Centralized database with provisions to prevent PKI key and security certificate duplication
CN114205809A (en) * 2021-11-12 2022-03-18 天津大学 Unmanned ship ad hoc network method based on block chain

Also Published As

Publication number Publication date
CN107070644A (en) 2017-08-18
CN107070644B (en) 2020-02-28

Similar Documents

Publication Publication Date Title
WO2018121797A1 (en) Trust network-based decentralized public key management method and management system
Qi et al. Cpds: Enabling compressed and private data sharing for industrial Internet of Things over blockchain
AU2021206913B2 (en) Systems and methods for distributed data sharing with asynchronous third-party attestation
TWI749583B (en) Chain structure data storage, verification, realization method, system, device and media
Lin et al. A new transitively closed undirected graph authentication scheme for blockchain-based identity management systems
Miao et al. Verifiable searchable encryption framework against insider keyword-guessing attack in cloud storage
Zhang et al. An efficient blockchain-based hierarchical data sharing for Healthcare Internet of Things
US20210089676A1 (en) Methods and systems for secure data exchange
Fromknecht et al. A decentralized public key infrastructure with identity retention
JP2023504535A (en) Identity (ID) based public key generation protocol
CN111614680B (en) CP-ABE-based traceable cloud storage access control method and system
Yan et al. Efficient identity-based public integrity auditing of shared data in cloud storage with user privacy preserving
CN110191153A (en) Social communication method based on block chain
Patsonakis et al. Towards a smart contract-based, decentralized, public-key infrastructure
CN114205136A (en) Traffic data resource sharing method and system based on block chain technology
CN112235260B (en) Anonymous data storage method, device, equipment and storage medium
CN113824563A (en) Cross-domain identity authentication method based on block chain certificate
EP4097915A1 (en) Attestation service for use with a blockchain network
CN114503508A (en) Computer-implemented method and system for storing authenticated data on blockchains
Zhang et al. Redactable transactions in consortium blockchain: Controlled by multi-authority CP-ABE
Yang et al. Identity-based cloud storage auditing for data sharing with access control of sensitive information
CN115136566A (en) Distributed database
Liu et al. Blockchain-assisted comprehensive key management in CP-ABE for cloud-stored data
Huang et al. Customized data sharing scheme based on blockchain and weighted attribute
Wang et al. A new secure data deduplication approach supporting user traceability

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 18734061

Country of ref document: EP

Kind code of ref document: A1

NENP Non-entry into the national phase

Ref country code: DE

122 Ep: pct application non-entry in european phase

Ref document number: 18734061

Country of ref document: EP

Kind code of ref document: A1