WO2019093963A1 - 基于异构身份的交互系统及方法 - Google Patents

基于异构身份的交互系统及方法 Download PDF

Info

Publication number
WO2019093963A1
WO2019093963A1 PCT/SG2017/050566 SG2017050566W WO2019093963A1 WO 2019093963 A1 WO2019093963 A1 WO 2019093963A1 SG 2017050566 W SG2017050566 W SG 2017050566W WO 2019093963 A1 WO2019093963 A1 WO 2019093963A1
Authority
WO
WIPO (PCT)
Prior art keywords
identity
heterogeneous
terminal device
subsystem
physical
Prior art date
Application number
PCT/SG2017/050566
Other languages
English (en)
French (fr)
Inventor
吴双
阮子瀚
雷浩
Original Assignee
华为国际有限公司
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by 华为国际有限公司 filed Critical 华为国际有限公司
Priority to CN201780096222.XA priority Critical patent/CN111264045B/zh
Priority to PCT/SG2017/050566 priority patent/WO2019093963A1/zh
Publication of WO2019093963A1 publication Critical patent/WO2019093963A1/zh

Links

Classifications

    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/40Network security protocols
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/32Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/08Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords

Definitions

  • the present application relates to the field of communications technologies, and in particular, to an interactive system and method based on heterogeneous identity.
  • IoT devices are characterized by diversity, and they can be devices in different identity systems. For example: Some IoT devices have their account and password in their identity system; some IoT devices have their identity in their identity system (International Mobile Subscriber Identification Number, IMSI); The identity of the device in its own identity system is its certificate or identity based signature (IBS).
  • IMSI International Mobile Subscriber Identification Number
  • IBS identity based signature
  • IoT devices of different identity systems do not have a unified standard interface and no unified identity, the interaction between the IoT devices of different identity systems cannot achieve identity authentication, communication, and transactions.
  • the prior art uses a method of establishing an Internet of Things platform to solve this problem. That is, all IoT devices in the heterogeneous identity system trust the IoT platform to interact with the unified identity provided by each IoT device through the IoT platform.
  • the present application provides a heterogeneous identity-based interactive system and method, so that different devices in a heterogeneous identity system can implement interaction without relying on a unified IoT platform, which can improve the reliability of the interactive system, and more importantly.
  • a heterogeneous identity-based interactive system and method so that different devices in a heterogeneous identity system can implement interaction without relying on a unified IoT platform, which can improve the reliability of the interactive system, and more importantly.
  • the present application provides a heterogeneous identity-based interactive system, including: M blockchain consensus nodes and M heterogeneous identity systems, where M is a positive integer greater than one; heterogeneous identity systems include heterogeneous identity
  • the subsystem, heterogeneous identity subsystem includes terminal devices.
  • the first heterogeneous identity subsystem obtains the unified identity of the first terminal device included in the first heterogeneous identity subsystem in the interaction system, and sends the unified identity of the first terminal device to the first heterogeneous identity subsystem.
  • the heterogeneous identity system corresponds to the blockchain consensus node, so that the unified identity of the first terminal device is shared among the M blockchain consensus nodes; the second heterogeneous identity subsystem acquires the second heterogeneous identity subsystem including The second terminal device has a unified identity in the interaction system, and sends the unified identity of the second terminal device to the blockchain consensus node corresponding to the heterogeneous identity system to which the second heterogeneous identity subsystem belongs, so that the second terminal
  • the unified identity of the device is shared among the M blockchain consensus nodes; the first heterogeneous identity subsystem and the second heterogeneous identity subsystem are based on the unified identity of the first terminal device Interacting with the unified identity of the second terminal device; wherein the first heterogeneous identity subsystem and the second heterogeneous identity subsystem belong to two different heterogeneous identity systems in the M heterogeneous identity systems.
  • the beneficial effects of the present application include: Since the heterogeneous identity subsystem can acquire the unified identity of the included terminal device, and send the unified identity to the corresponding blockchain consensus node, so that the unified identity is in the M blockchain consensus node. Between, thereby enabling interaction between heterogeneous identity subsystems. In this application, there is no need to set up an independent IoT platform. Instead, M blockchain consensus nodes are set up, and information can be shared among the consensus nodes of the blockchains, thereby avoiding a single point of failure of the IoT platform in the prior art, thereby improving the reliability of the entire interactive system.
  • the system further includes: a processing module.
  • the first heterogeneous identity subsystem generates a physical identity certificate of the first terminal device according to the unified identity of the first terminal device, and generates a summary of the physical identity certificate, where the physical identity certificate is used to prove the unified identity of the first terminal device.
  • the association relationship of the first terminal device; the processing module acquires and stores the physical identity certificate, and generates a link of the physical identity certificate; sends the link of the physical identity certificate to the first heterogeneous identity subsystem; the first heterogeneous identity subsystem will summarize And the link is sent to the blockchain consensus node corresponding to the heterogeneous identity system to which the first heterogeneous identity subsystem belongs, so that the digest and the link are shared among the M blockchain consensus nodes; the second heterogeneous identity subsystem acquires Summary and link, validate the physical identity certificate based on the digest and link, and send a message to the first heterogeneous identity subsystem when the verification of the physical identity certificate is successful.
  • the beneficial effects of the present application include:
  • the heterogeneous identity subsystem can generate the physical identity certificate of the terminal device it includes, and the other heterogeneous identity subsystem can verify the physical identity certificate. When the verification is successful, the heterogeneous identity subsystem is between Interaction can be performed. When the verification fails, the heterogeneous identity subsystems cannot interact with each other, thereby improving the reliability of the entire interactive system.
  • the unified identity of the first terminal device is a public key in a public private key pair;
  • the second heterogeneous identity subsystem acquires a public key of the heterogeneous identity system corresponding to the first terminal device, and the first terminal device corresponds to a public key in a heterogeneous identity system and a public key of a public-private key pair;
  • the second heterogeneous identity subsystem detects and acquires a physical identity certificate corresponding to the link in the processing module; and the second heterogeneous identity subsystem calculates the physics a summary of the identity certificate; if the summary of the physical identity certificate obtained by the calculation is the same as the summary of the physical identity certificate stored by the blockchain consensus node corresponding to the heterogeneous identity system to which the first heterogeneous identity subsystem belongs, the second heterogeneous The identity subsystem verifies the physical identity certificate according to the public key of the heterogeneous identity system corresponding to the first terminal device, the public key of the first terminal device in the corresponding heterogeneous identity
  • the beneficial effects of the present application include: when the unified identity of the first terminal device is a public key in a public private key pair, the second heterogeneous identity subsystem can effectively verify the physical identity certificate by using the optional method, thereby improving the entire interaction. System reliability.
  • the first heterogeneous identity subsystem obtains the PKI certificate and the PKI of the corresponding heterogeneous identity system of the first terminal device.
  • Signature of the certificate the first heterogeneous identity subsystem obtains the first signature obtained by signing the public key of the first terminal device in the corresponding heterogeneous identity system by using the private key of a public private key pair;
  • the subsystem obtains a second signature obtained by signing the public key of the public-private key pair by the private key of the first terminal device in the corresponding heterogeneous identity system, and the first heterogeneous identity subsystem sets the PKI certificate and the PKI certificate.
  • the signature, the first signature, and the second signature generate a physical identity certificate of the first terminal device.
  • the first heterogeneous identity subsystem can effectively generate the physical identity certificate of the first terminal device by using the optional mode.
  • the second heterogeneous identity subsystem verifies the PKI certificate signature according to the public key of the heterogeneous identity system corresponding to the first terminal device and the PKI certificate, and the corresponding public key of the public key pair and the first terminal device are different.
  • the public key in the identity system verifies the first signature and the second signature; if the PKI signature, the first signature, and the second signature are both verified successfully, the second heterogeneous identity subsystem determines that the verification of the physical identity verification is successful.
  • the beneficial effects of the present application include: based on the manner in which the first heterogeneous identity subsystem generates the physical identity certificate of the first terminal device, the second heterogeneous identity subsystem can effectively verify the physical identity certificate by using the optional method, thereby improving The reliability of the entire interactive system.
  • the first heterogeneous identity subsystem obtains a private key pair through a public private key pair to the corresponding terminal identity device in the corresponding heterogeneous identity system.
  • the public key in the signature is obtained, and the obtained first signature is obtained;
  • the first heterogeneous identity subsystem acquires a public key of a public-private key pair by using a private key of the first terminal device in the corresponding heterogeneous identity system, and obtains a second signature;
  • the first heterogeneous identity subsystem generates the physical identity of the first terminal device by the first terminal device in the identity, the first signature, and the second signature of the corresponding heterogeneous identity system.
  • the beneficial effects of the present application include: When the heterogeneous identity system corresponding to the first terminal device is an IBC-based system, the first heterogeneous identity subsystem can effectively generate the physical identity certificate of the first terminal device by using the optional mode.
  • the second heterogeneous identity subsystem determines, according to the public key of the heterogeneous identity system corresponding to the first terminal device, the identity of the first terminal device in the corresponding heterogeneous identity system. a public key of the identity system; the second heterogeneous identity subsystem verifies the first signature and the second signature according to the public key of a public private key pair and the public key of the first terminal device in the corresponding heterogeneous identity system; If both the signature and the second signature are successfully verified, the second heterogeneous identity subsystem determines that the verification of the physical identity verification is successful.
  • the beneficial effects of the present application include: based on the manner in which the first heterogeneous identity subsystem generates the physical identity certificate of the first terminal device, the second heterogeneous identity subsystem can effectively verify the physical identity certificate by using the optional method, thereby improving The reliability of the entire interactive system.
  • the second heterogeneous identity subsystem acquires and stores the unified identity of the first terminal device and the status indication information of the unified identity of the first terminal device, where the status indication information is used to indicate that the unified identity of the first terminal device is enabled. Or the non-enabled state; correspondingly, if the status indication information indicates that the status of the unified identity of the first terminal device is the enabled state, the second heterogeneous identity subsystem detects and acquires the physical identity certificate corresponding to the link in the processing module.
  • the beneficial effects of the present application include: if the status indication information indicates that the status of the unified identity of the terminal device is inactive, it is not necessary to detect the physical identity of the terminal device. Thereby reducing the resource consumption of the interactive system.
  • the system further includes: a processing module and a physical identity generating device; the physical identity generating device acquires a unified identity of the first terminal device, and generates a physical identity certificate of the first terminal device according to the unified identity of the first terminal device, the physical identity Demonstrating an association relationship between the unified identity of the first terminal device and the first terminal device; the first heterogeneous identity subsystem obtains the physical identity certificate and generates a summary of the physical identity certificate; the processing module acquires and stores the physical identity certificate, and Generating a link to the physical identity certificate; transmitting the link to the physical identity certificate to the first heterogeneous identity subsystem; the first heterogeneous identity subsystem sends the digest and the link to the heterogeneous identity system to which the first heterogeneous identity subsystem belongs The blockchain consensus node, so that the digest and link are shared between the M blockchain consensus nodes; the second heterogeneous identity subsystem gets the digest and links, validates the physical identity based on the digest and links, and is in the physical identity
  • the beneficial effects of the present application include:
  • the physical identity generating device can generate a terminal device included in the heterogeneous identity subsystem
  • Physical identity verification other heterogeneous identity subsystems can verify the physical identity certificate.
  • the heterogeneous identity subsystems can interact with each other.
  • the verification fails, the heterogeneous identity subsystems cannot interact with each other. , thereby improving the reliability of the entire interactive system.
  • the second heterogeneous identity subsystem obtains the public key of the heterogeneous identity system corresponding to the first terminal device; correspondingly, the second heterogeneous identity subsystem detects and obtains the physical identity certificate corresponding to the link in the processing module; The second heterogeneous identity subsystem calculates a summary of the physical identity certificate; if the calculated physical identity certificate is abstracted and the physical identity certificate stored by the blockchain consensus node corresponding to the heterogeneous identity system to which the first heterogeneous identity subsystem belongs The abstract is the same, and the second heterogeneous identity subsystem verifies the physical identity certificate according to the public key of the heterogeneous identity system corresponding to the first terminal device.
  • the beneficial effects of the present application include:
  • the second heterogeneous identity subsystem can effectively verify the physical identity certificate by using the optional method, thereby improving the reliability of the entire interactive system.
  • the unified identity of the first terminal device is a public key in a public-private key pair;
  • the physical identity generating device acquires an identity of the first terminal device in the corresponding heterogeneous identity system and a public key in a public-private key pair;
  • the physical identity generating device signs the first terminal device's identity in the corresponding heterogeneous identity system and the public key in a public-private key pair according to the private key of the physical identity generating device to obtain a first signature;
  • the physical identity generating device A terminal device generates a physical identity certificate in the identity of the corresponding heterogeneous identity system, the public key in a public private key pair, and the first signature.
  • the beneficial effects of the present application include:
  • the first heterogeneous identity subsystem can effectively generate the physical identity certificate of the first terminal device by using the optional method.
  • the second heterogeneous identity subsystem acquires and stores the unified identity of the first terminal device and the status indication information of the unified identity of the first terminal device, where the status indication information is used to indicate that the unified identity of the first terminal device is enabled. Or the non-enabled state; correspondingly, if the status indication information indicates that the status of the unified identity of the first terminal device is the enabled state, the second heterogeneous identity subsystem detects and acquires the physical identity certificate corresponding to the link in the processing module.
  • the beneficial effects of the present application include: if the status indication information indicates that the status of the unified identity of the terminal device is inactive, it is not necessary to detect the physical identity of the terminal device. Thereby reducing the resource consumption of the interactive system.
  • the first heterogeneous identity subsystem includes only the first terminal device; or the first heterogeneous identity subsystem includes the first terminal device, the first proxy server of the first terminal device, and the first key escrow center;
  • the second heterogeneous identity subsystem includes only the second terminal device; or the second heterogeneous identity subsystem includes the second terminal device, the first proxy server of the second terminal device, and the first key escrow center.
  • the present application provides a heterogeneous identity-based interaction method, which is applied to an interaction system based on heterogeneous identity, and the system includes: M blockchain consensus nodes and M heterogeneous identity systems, where M is greater than A positive integer of 1; a heterogeneous identity system includes a heterogeneous identity subsystem, and the heterogeneous identity subsystem includes a terminal device; correspondingly, the method includes: the first heterogeneous identity subsystem acquires the first of the first heterogeneous identity subsystem The unified identity of the terminal device in the interaction system, and the unified identity of the first terminal device is sent to the blockchain consensus node corresponding to the heterogeneous identity system to which the first heterogeneous identity subsystem belongs, so as to unify the first terminal device
  • the identity is shared among the M blockchain consensus nodes; the second heterogeneous identity subsystem acquires the unified identity of the second terminal device included in the second heterogeneous identity subsystem in the interactive system, and unifies the second terminal device
  • the identity is sent
  • Consensus shared among nodes; a first subsystem and a second isomerization isomers identity identity identity subsystem is based on unity of the first terminal device and second terminal device The identity interacts; wherein the first heterogeneous identity subsystem and the second heterogeneous identity subsystem belong to two different heterogeneous identity systems in the M heterogeneous identity systems.
  • the first heterogeneous identity subsystem, the second heterogeneous identity subsystem, and the physical identity generation device are respectively introduced, and the implementation principle and technical effects thereof can refer to the system related to the first aspect and the principle and technology of the optional method of the first aspect. The effect will not be described here.
  • the application provides a first heterogeneous identity subsystem, where the first heterogeneous identity subsystem includes: an obtaining module, a sending module, and a receiving module.
  • the obtaining module is configured to obtain a unified identity of the first terminal device included in the first heterogeneous identity subsystem in the interaction system, where the sending module is configured to send the unified identity of the first terminal device to the first heterogeneous identity subsystem.
  • a blockchain consensus node corresponding to the heterogeneous identity system, so that the unified identity of the first terminal device is shared among the M blockchain consensus nodes;
  • the acquiring module is further configured to acquire the unified identity of the second terminal device,
  • the sending module is configured to send a message to the second heterogeneous identity subsystem to which the second terminal device belongs based on the unified identity of the first terminal device and the unified identity of the second terminal device, or the receiving module is configured to receive the second heterogeneous identity The message sent by the subsystem.
  • the application provides a second heterogeneous identity subsystem, where the second heterogeneous identity subsystem includes an obtaining module, a sending module, and a receiving module;
  • the obtaining module is configured to obtain a unified identity of the second terminal device included in the second heterogeneous identity subsystem in the interaction system, where the sending module is configured to send the unified identity of the second terminal device to the second heterogeneous identity subsystem a blockchain consensus node corresponding to the heterogeneous identity system, so that the unified identity of the second terminal device is shared among the M blockchain consensus nodes; the obtaining module is further configured to acquire the unified identity of the first terminal device, The sending module is further configured to send a message to the first heterogeneous identity subsystem to which the first terminal device belongs based on the unified identity of the first terminal device and the unified identity of the second terminal device, or the receiving module is configured to receive the first heterogeneous identity The message sent by the subsystem.
  • the application provides a physical identity generating device, including: an obtaining module and a generating module; the acquiring module is configured to acquire a unified identity of the first terminal device; and the generating module is configured to generate, according to the unified identity of the first terminal device A physical identity certificate of a terminal device, the physical identity certificate is used to prove the association relationship between the unified identity of the first terminal device and the first terminal device.
  • the application provides a first heterogeneous identity subsystem, where the first heterogeneous identity subsystem includes: a processor, a transmitter, and a receiver.
  • the processor is configured to obtain a unified identity of the first terminal device included in the first heterogeneous identity subsystem in the interaction system, where the transmitter is configured to send the unified identity of the first terminal device to the heterogeneous a blockchain consensus node corresponding to the identity system, so that the unified identity of the first terminal device is shared among the M blockchain consensus nodes; the processor is further configured to acquire a unified identity of the second terminal device, where the transmitter uses Sending a message to the second heterogeneous identity subsystem to which the second terminal device belongs based on the unified identity of the first terminal device and the unified identity of the second terminal device, or the receiver is configured to receive the second heterogeneous identity subsystem to send the message Message.
  • the application provides a second heterogeneous identity subsystem, where the second heterogeneous identity subsystem includes a processor, a transmitter, and a receiver;
  • the processor is configured to obtain a unified identity of the second terminal device included in the second heterogeneous identity subsystem in the interaction system, where the transmitter is configured to send the unified identity of the second terminal device to the second heterogeneous identity subsystem Constructing a blockchain consensus node corresponding to the identity system, so that the unified identity of the second terminal device is shared among the M blockchain consensus nodes; the processor is further configured to acquire a unified identity of the first terminal device, the transmitter Also used for the first terminal device The unified identity and the unified identity of the second terminal device send a message to the first heterogeneous identity subsystem to which the first terminal device belongs, or the receiver is configured to receive the message sent by the first heterogeneous identity subsystem.
  • the application provides a physical identity generating device, including: a processor and a memory for storing execution code of the processor, so that the processor implements the following functions; acquiring a unified identity of the first terminal device, and The physical identity certificate of the first terminal device is generated according to the unified identity of the first terminal device, and the physical identity certificate is used to prove the association between the unified identity of the first terminal device and the first terminal device.
  • the ninth aspect the application provides a computer storage medium for storing computer software instructions used by the first heterogeneous identity subsystem related to the third aspect or the sixth aspect, which is configured to perform the foregoing third aspect or The procedure involved in the sixth aspect.
  • the application provides a computer program product comprising instructions for causing a computer to perform a function performed by a first heterogeneous identity subsystem in a third aspect or a sixth aspect when the computer program is executed by a computer .
  • the present application provides a computer storage medium for storing computer software instructions for use in the second heterogeneous identity subsystem related to the fourth aspect or the seventh aspect, comprising Or the procedure involved in the seventh aspect.
  • the present application provides a computer program product comprising instructions for causing a computer to perform execution of a second heterogeneous identity subsystem of the fourth aspect or the seventh aspect when the computer program is executed by a computer Features.
  • the application provides a computer storage medium for storing computer software instructions for use in the physical identity generating device of the fifth aspect or the eighth aspect, comprising The procedures involved in the aspect.
  • the application provides a computer program product comprising instructions which, when executed by a computer, cause the computer to perform the functions performed by the physical identity generating device of the fifth aspect or the eighth aspect.
  • the present application provides a heterogeneous identity-based interactive system and method, including: M blockchain consensus nodes and M heterogeneous identity systems, where M is a positive integer greater than one; heterogeneous identity systems include heterogeneous identity subsystems
  • the heterogeneous identity subsystem includes terminal devices.
  • the first heterogeneous identity subsystem obtains the unified identity of the first terminal device included in the first heterogeneous identity subsystem in the interaction system, and sends the unified identity of the first terminal device to the first heterogeneous identity subsystem.
  • the heterogeneous identity system corresponds to the blockchain consensus node, so that the unified identity of the first terminal device is shared among the M blockchain consensus nodes; the second heterogeneous identity subsystem acquires the second heterogeneous identity subsystem including The second terminal device has a unified identity in the interaction system, and sends the unified identity of the second terminal device to the blockchain consensus node corresponding to the heterogeneous identity system to which the second heterogeneous identity subsystem belongs, so that the second terminal
  • the unified identity of the device is shared among the M blockchain consensus nodes; the first heterogeneous identity subsystem and the second heterogeneous identity subsystem interact based on the unified identity of the first terminal device and the unified identity of the second terminal device;
  • the first heterogeneous identity subsystem and the second heterogeneous identity subsystem belong to two different heterogeneous identity systems in the M heterogeneous identity systems.
  • FIG. 1 is a schematic diagram of a heterogeneous identity based interaction system 10 according to an embodiment of the present application
  • FIG. 2 is a partial schematic diagram of a heterogeneous identity-based interactive system according to an embodiment of the present disclosure
  • FIG. 3 is a partial schematic diagram of a heterogeneous identity-based interactive system according to another embodiment of the present disclosure
  • FIG. 4 is an interaction flowchart of a heterogeneous identity-based interaction method according to an embodiment of the present disclosure
  • FIG. 5 is an interaction flowchart of a heterogeneous identity-based interaction method according to another embodiment of the present application.
  • FIG. 7 is an interaction flowchart of a heterogeneous identity-based interaction method according to another embodiment of the present application.
  • FIG. 9 is a schematic structural diagram of a second heterogeneous identity subsystem 90 according to an embodiment of the present application.
  • FIG. 10 is a schematic structural diagram of a physical identity generation device 100 according to an embodiment of the present application.
  • FIG. 11 is a schematic structural diagram of a first heterogeneous identity subsystem 110 according to an embodiment of the present application.
  • FIG. 12 is a schematic structural diagram of a second heterogeneous identity subsystem 120 according to an embodiment of the present disclosure.
  • FIG. 13 is a schematic structural diagram of a physical identity generation device 130 according to an embodiment of the present application. Detailed ways
  • Public Key Cryptography Also known as asymmetric cryptography, it is a type of cryptographic algorithm that requires two separate keys, one of which is a secret private key (private key) and the other is a public key. (public key). Public and private keys These two parts are mathematically linked. The public key is used to encrypt the plaintext or verify the digital signature; the private key is used to decrypt the ciphertext or create a digital signature.
  • Digital Signature A mathematical scheme used to demonstrate the authenticity of a digital message or document.
  • a valid digital signature allows the recipient to determine that the message was created by a known sender (authentication), and the sender cannot deny the signing of the message (non-repudiation). Simultaneous verification of the digital signature also confirms that the message was not altered in transmission (integrity).
  • Certificate and Certificate Authority In cryptography, the Certificate Authority CA is the entity that issues digital certificates. The digital certificate proves the ownership of the public key through the specified subject of the certificate. This allows other (dependent parties) to rely on signatures or assertions about the private key corresponding to the authentication public key. In this trust relationship model, the CA is a trusted third party, trusted by the principal (owner) of the certificate and the party that relies on the certificate. Many public key infrastructure (PKI) solutions use CA.
  • PKI public key infrastructure
  • Transport Layer Security is a security protocol designed to provide security and data integrity guarantees for Internet communications. It is primarily used in applications such as browsers, email, instant messaging, and network fax. TLS supports communication partners to perform identity authentication, key agreement, and encrypted communication through certificates.
  • PKI certificate system To establish a trusted third-party CA, the user needs to apply for a certificate to one or more CAs for its public key.
  • the CA issues a certificate for the user's public key to guarantee the user's ownership of the public key.
  • the verification of the public key certificate is actually to verify the CA's signature on the certificate.
  • the general process for the user to apply for a certificate is: The user generates a public-private key pair, and sets his own public key and identity information. After sending to the CA, after making the necessary verification, the CA generates a certificate for the user's public key to bind the public key and user identity information.
  • the certificate is the signature of the CA's public key and identity information by the CA through its own public key.
  • the CA's public key is recognized and no further guarantee is required, so the user's certificate and public key can be verified by other parties.
  • IBC Identity-Based Cryptography
  • IBS Identity Based Signature
  • IBE Identity Based Encryption
  • IBS is a special public key cryptography technology that uses the user's identity (ID) as its own public key, so no digital certificate is required to bind the public key and the user's ID. However, a trusted Key Generation Center (KGC) is required to generate the user's private key.
  • KGC Key Generation Center
  • Block Chain is a distributed database that maintains a growing list of ordered records called blocks. Each block contains a timestamp and a link to the previous block.
  • the blockchain naturally has the function of tamper-proof data, and once the data is recorded in the blockchain, the data cannot be unilaterally modified.
  • P2P peer-to-peer
  • P2P peer-to-peer
  • the blockchain is "an open, distributed ledger that effectively records transactions between the parties and various other information and records them permanently in a verifiable manner.
  • Block chain consensus node (Peer), Consensus algorithm (Consensus Algorithm): The blockchain consists of several blockchain consensus nodes. Each blockchain consensus node can be a physical machine or a cloud virtual machine. A logical node such as a container. Each blockchain consensus node saves the complete data and code in the blockchain. The blockchain consensus nodes implement consistency of blockchain data through a consensus algorithm.
  • the terminal device referred to in the present application may be referred to as an Internet of Things (IoT) device, and the terminal device may be connected to the IoT for a computer, a mobile phone, a printer, a refrigerator, a robot, a sensor, an electric meter, a water meter, and the like.
  • IoT Internet of Things
  • the present application solves the problem of low reliability of the interactive system in the prior art based on the above related technology.
  • FIG. 1 is a schematic diagram of a heterogeneous identity-based interaction system 10 according to an embodiment of the present disclosure.
  • the application scenario of the system is as follows: When two heterogeneous identity terminal devices need to perform identity authentication and communication, When interacting with transactions, etc., it needs to be implemented based on the interactive system.
  • the interaction system 10 includes: M blockchain consensus nodes 11 and M heterogeneous identity systems 12; M heterogeneous identity systems 12 and M blockchain consensus nodes 11
  • M is a positive integer greater than one;
  • the heterogeneous identity system comprises a heterogeneous identity subsystem 13
  • the heterogeneous identity subsystem 13 comprises a terminal device.
  • Each of the blockchain consensus nodes 11 may be a physical machine or a logical node such as a virtual machine or a container in the cloud. This application does not limit this.
  • some heterogeneous identity subsystems 13 only include terminal devices.
  • the application scenario of this case is: When the terminal device is not a lightweight device, that is, the terminal device has sufficient storage space and communication capability, the heterogeneous identity subsystem 13 includes only the terminal device.
  • the terminal device is not a lightweight device, that is, the terminal device has sufficient storage space and communication capability
  • the heterogeneous identity subsystem 13 includes only the terminal device.
  • Mobile phones, computers, and tablet devices can be understood as non-lightweight devices.
  • Some heterogeneous identity subsystems 13 include a terminal device 14, a proxy server 15 corresponding to the terminal device 14, and a key escrow center 16 corresponding to the proxy server 15.
  • the application scenario of this case is: When the terminal device is a lightweight device, that is, the terminal device does not have sufficient storage space and communication capability, the heterogeneous identity subsystem 13 is implemented by the proxy server 15 and the key escrow center 16 Interaction with other terminal devices.
  • electricity meters, water meters, refrigerators and printers can be understood as lightweight devices.
  • the key escrow center 16 can be a physical device or a logical node.
  • each heterogeneous identity subsystem in all heterogeneous identity subsystems included in the interaction system 10 may include only terminal devices or each heterogeneous identity subsystem of all heterogeneous identity subsystems. Both include terminal devices, proxy servers, and key escrow centers. It is also possible that some heterogeneous identity subsystems in all heterogeneous identity subsystems only include terminal devices, and other heterogeneous identity subsystems include terminal devices, proxy servers, and key escrow centers. This application does not limit this.
  • the first heterogeneous identity subsystem acquires the unified identity of the first terminal device included in the first heterogeneous identity subsystem in the interaction system, and sends the unified identity of the first terminal device to the first heterogeneous identity subsystem.
  • the blockchain consensus node corresponding to the heterogeneous identity system belongs to enable the unified identity of the first terminal device to be shared among the M blockchain consensus nodes.
  • the second heterogeneous identity subsystem acquires the unified identity of the second terminal device included in the second heterogeneous identity subsystem in the interaction system, and sends the unified identity of the second terminal device to the second heterogeneous identity subsystem.
  • the first heterogeneous identity subsystem and the second heterogeneous identity subsystem belong to any two different heterogeneous identity systems in the M heterogeneous identity systems.
  • the heterogeneous identity subsystem needs to obtain the unified identity of the terminal devices it includes. So that the heterogeneous identity subsystem can interact based on the unified identity of the terminal device.
  • the unified identity of the terminal device in the interaction system may be a public key in a public-private key pair. Alternatively, it may be a symmetric key, such as: an account number, an ID, etc. of the terminal device.
  • the unified identity of the terminal device in the interactive system may be different from the identity in the corresponding heterogeneous identity system, or may be the same, for example: when the identity of the terminal device in the corresponding heterogeneous identity system is its public key.
  • the unified identity of the terminal device in the interactive system is also a public key in a public-private key pair. Based on this, the terminal device can use its public key in the heterogeneous identity system as its unified identity.
  • the unified identity of the terminal device in the interactive system is different from its identity in the heterogeneous identity system, for example:
  • the unified identity of the terminal device in the interactive system is also a public key in a public-private key pair. Based on this, the terminal device cannot use its own account in the heterogeneous identity system as its unified identity. In this case, the heterogeneous identity subsystem in which the terminal device resides needs to generate a unified identity for the terminal device.
  • FIG. 2 is a partial schematic diagram of a heterogeneous identity-based interaction system according to an embodiment of the present application, where multiple blocks are stored in the blockchain.
  • Smart Contract which is also called Distributed Application.
  • the smart contract has a one-to-one correspondence with the blockchain consensus node.
  • the smart contract can be combined with the blockchain consensus node.
  • the same physical device or the same logical node may be located on different physical devices or different logical nodes.
  • the smart contract includes: a unified identity of the terminal device; optionally, the smart contract further includes: a status indication information of the unified identity, and a summary of the physical identity certificate of the terminal device to be mentioned below and a storage link corresponding to the physical identity certificate Wait.
  • the status indication information of the unified identity is used to indicate that the unified identity of the terminal device is an enabled state or a non-enabled state.
  • the heterogeneous identity subsystems including the terminal devices can interact with each other.
  • the interactions in the heterogeneous identity subsystem of the present application may be communication, identity authentication, and transaction interaction behavior.
  • the heterogeneous identity subsystem can use the existing TLS to communicate based on the unified identity of the included terminal devices, which is not limited in this application.
  • the present application provides a heterogeneous identity-based interactive system, including: M blockchain consensus nodes and M heterogeneous identity systems, heterogeneous identity systems include heterogeneous identity subsystems, heterogeneous identity subsystems include The terminal device, wherein the heterogeneous identity subsystem can obtain the unified identity of the included terminal device, and send the unified identity to the blockchain consensus node corresponding to the heterogeneous identity system to which the heterogeneous identity subsystem belongs, and the terminal device is unified.
  • Identity is shared between M blockchain consensus nodes to enable interaction between heterogeneous identity subsystems.
  • M blockchain consensus nodes are set up, and information can be shared among the consensus nodes of the blockchain, thereby avoiding a single point of failure of the IoT platform in the prior art, thereby improving the reliability of the entire interactive system.
  • the execution actions of the heterogeneous identity subsystem are all performed by the terminal device it includes.
  • the execution action of the heterogeneous identity subsystem is performed by the terminal device, the proxy server, and the key escrow center included in the subsystem.
  • the proxy server applies for the terminal device to apply for the unified identity of the terminal device in the interaction system, and stores the unified identity in the key escrow center.
  • the unified identity can be obtained from the key escrow center.
  • the functions of the terminal device, proxy server and key escrow center are as follows:
  • the terminal device sends a unified identity request message to the proxy server, where the unified identity request message is used to apply for a unified identity for the terminal device.
  • the unified identity request message includes an ID of the terminal device.
  • the proxy server forwards the unified identity request message to the key escrow center.
  • the key escrow center randomly generates a unified identity for the terminal device, and stores a correspondence between the ID of the terminal device and the unified identity of the terminal device; and sends the unified identity to the proxy server.
  • the proxy server sends the unified identity of the terminal device to the blockchain consensus node corresponding to the heterogeneous identity system to which the heterogeneous identity subsystem belongs, so that the unified identity of the terminal device is shared among the M blockchain consensus nodes. Based on this, the terminal devices or heterogeneous identity subsystems in each heterogeneous identity system can interact based on the unified identity of the shared terminal devices.
  • heterogeneous identity subsystems can be based only on a unified identity or on a unified identity and physical identity, for example: When two heterogeneous identity subsystems need to be traded, they need to be verified The physical identity of the terminal devices included with each other. When the authenticator successfully authenticates the physical identity of the terminal device included in the other party, the interactive behavior such as the transaction can be performed. Otherwise, the corresponding interaction is not performed.
  • a physical identity certificate needs to be generated for each heterogeneous identity subsystem, wherein the physical identity certificate is used to prove the association between the unified identity of the terminal device included in the heterogeneous identity subsystem and the terminal device, that is, to prove the unified Whether the identity belongs to the terminal device.
  • the first option The heterogeneous identity subsystem itself generates the physical identity certificate of the terminal device it includes.
  • the second optional method The physical identity generation device generates a physical identity certificate for the terminal device.
  • the terminal device when the unified identity of the terminal device is a public key in a public-private key pair, the terminal device stores the private key in the public-private key pair by itself (instead of storing the private key through the key escrow center), and the terminal device is Corresponding heterogeneous identity system
  • the heterogeneous identity subsystem can generate the physical identity certificate of the terminal device by itself.
  • the physical identity generation device may also generate a physical identity certificate of the terminal device.
  • the terminal device when the unified identity of the terminal device is a public key in a public-private key pair, the terminal device stores the private key in the public-private key pair by itself (instead of storing the private key through the key escrow center), and the terminal device is When the key in the corresponding heterogeneous identity system is a symmetric key, the physical identity generating device generates a physical identity certificate of the terminal device for the terminal device.
  • the physical identity generating device when the unified identity of the terminal device is a public key in a public-private key pair, and the key escrow center stores the private key in the public-private key pair, the physical identity generating device generates a physical identity certificate of the terminal device for the terminal device.
  • the physical identity generating device provided by the present application may be a CA.
  • the interactive system is further described by taking the first optional mode as an example. As shown in FIG. 1 and FIG. 2, the interactive system further includes: a processing module 17.
  • the first heterogeneous identity subsystem generates a physical identity certificate of the first terminal device according to the unified identity of the first terminal device, and generates a summary of the physical identity certificate, where the physical identity certificate is used to prove the unified identity of the first terminal device.
  • the association relationship of a terminal device is a physical identity certificate of the first terminal device according to the unified identity of the first terminal device, and generates a summary of the physical identity certificate, where the physical identity certificate is used to prove the unified identity of the first terminal device.
  • the processing module 17 acquires and stores the physical identity certificate and generates a link for the physical identity certificate; sends the link of the physical identity card to the first heterogeneous identity subsystem.
  • the first heterogeneous identity subsystem sends the digest and the link to the blockchain consensus node corresponding to the heterogeneous identity system to which the first heterogeneous identity subsystem belongs, so that the digest and the link are in the M blockchain consensus node. Sharing between.
  • the second heterogeneous identity subsystem obtains a summary and link verification physical identity certificate, and verifies the physical identity certificate based on the digest and link, and sends a message to the first heterogeneous identity subsystem upon successful verification of the physical identity certificate.
  • the M heterogeneous identity subsystems correspond to the N processing modules, where M and N may be equal or unequal, and if M and N are equal, M heterogeneous identity subsystems and N processing modules It is a one-to-one correspondence. It should be noted that only the processing module 17 and a heterogeneous identity subsystem are connected in FIG. 1 . In fact, the processing module can be connected to multiple heterogeneous identity subsystems. limit.
  • the processing module may be a physical storage device or a logical storage node, which is not limited in this application.
  • the abstract of the physical identity certificate may be a hash of the physical identity certificate.
  • a link to the physical identity is used to find the physical identity certificate.
  • the first heterogeneous identity subsystem may generate a random symmetric key K, and encrypt the symmetric key ⁇ by using a unified identity of the second terminal device, such as a public key in a public-private key pair, to obtain a ciphertext.
  • KC a unified identity of the second terminal device
  • the physical identity certificate is encrypted by K, and based on this, the physical identity certificate stored by the processing module 17 is the encrypted physical identity certificate.
  • the second heterogeneous identity subsystem first decrypts the KC by using the private key in the public-private key pair to obtain a symmetric key K.
  • the encrypted physical identity certificate is then decrypted by a symmetric key to obtain a physical identification.
  • the first heterogeneous identity subsystem sends a signature of the message formed by the digest and the link to the blockchain consensus node corresponding to the heterogeneous identity system to which the first heterogeneous identity subsystem belongs.
  • the second heterogeneous identity subsystem obtains the signature of the digest and the link and the message composed of the digest and the link, and the second heterogeneous identity subsystem first verifies the signature, and if the verification is successful, the first heterogeneous identity subsystem belongs to The blockchain consensus node corresponding to the heterogeneous identity system treats the digest and the link as invalid information.
  • the second heterogeneous identity subsystem obtains the digest and the link in the following manner: the first heterogeneous identity subsystem goes to the second The heterogeneous identity subsystem sends the address of the smart contract storing the summary and the link and the digest, by which the first heterogeneous identity subsystem first finds the smart contract storing the digest and the link, and then finds the link through the digest .
  • the blockchain consensus node stores state indication information of the unified identity of the corresponding terminal device, where the state indication information is used to indicate that the unified identity of the terminal device is enabled or disabled. .
  • the second heterogeneous identity subsystem acquires and stores the unified identity of the first terminal device and the status indication information of the unified identity of the first terminal device, where the status indication information is used to indicate that the unified identity of the first terminal device is enabled or The non-enabled state; correspondingly, if the status indication information indicates that the status of the unified identity of the first terminal device is the enabled state, the second heterogeneous identity subsystem detects and acquires the physical identity certificate corresponding to the link in the processing module. If the status indication information indicates that the status of the unified identity of the first terminal device is inactive, the second heterogeneous identity subsystem does not need to detect the physical identity of the first terminal device.
  • the status indication information indicates that the status of the unified identity of the terminal device is not enabled, it is not necessary to detect the physical identity of the terminal device. Thereby reducing the resource consumption of the interactive system.
  • the first heterogeneous identity subsystem may use a certain algorithm for obtaining the unified identity of the first terminal device to obtain the first terminal device.
  • the physical identity certificate can be used as long as the physical identity certificate can prove the association relationship between the unified identity of the first terminal device and the first terminal device.
  • the heterogeneous identity system corresponding to the first terminal device may be a PKI-based system or an IBC-based system. Due to the different heterogeneous identity systems corresponding to the first terminal device, the manner in which the first heterogeneous identity subsystem generates the physical identity certificate is also different.
  • the first heterogeneous identity subsystem acquires the PKI certificate and the PKI of the corresponding heterogeneous identity system of the first terminal device.
  • Signing a certificate obtaining a first signature obtained by signing a public key of the first terminal device in the corresponding heterogeneous identity system by using the private key of the public key pair; obtaining the first signature by the first terminal device.
  • the private key in the heterogeneous identity system signs the public key of a public private key pair, and obtains the second signature; generates the physical identity of the first terminal device by using the PKI certificate, the signature of the PKI certificate, the first signature, and the second signature. prove.
  • the first signature is generated by a system or device that issues the public-private key pair.
  • the second signature is generated by a heterogeneous identity system corresponding to the first terminal device.
  • the first heterogeneous identity subsystem actively sends a request message to the CA of its corresponding heterogeneous identity system to request to obtain the PKI certificate of the first terminal device and the signature of the PKI certificate, or the first heterogeneous identity subsystem does not need to The request message is sent to the CA, but the CA actively sends the PKI certificate and the signature of the PKI certificate to the first heterogeneous identity subsystem.
  • the signature sigl Sign(skl, hl), where Sign() is the signature algorithm of the asymmetric algorithm. This application does not limit the signature algorithm.
  • the process of generating the first signature by the system or device that issues the public-private key pair includes: the device or the system in the corresponding heterogeneous identity of the first terminal device by using the private key sk2 in the public-private key pair
  • H2 where Sign() is the signature algorithm of the asymmetric algorithm. This application does not limit the signature algorithm.
  • the second signature sig3 Sign(sk3, h3), where Sign() is the signature algorithm of the asymmetric algorithm.
  • the PKI certificate, the signature of the PKI certificate, the first signature, and the second signature generate the physical identity certificate of the first terminal device, including: the PKI certificate, the signature of the PKI certificate, the first signature, and the second signature.
  • the physical identity of a terminal device that is, the physical identity certificate includes: a PKI certificate, a signature of the PKI certificate, a first signature, and a second signature.
  • the heterogeneous identity system corresponding to the first terminal device is an IBC-based system
  • the first heterogeneous identity subsystem obtains a corresponding key to the first terminal device through a private key pair of the public key pair.
  • the public key in the identity system is signed to obtain the first signature
  • the public key of the public key pair is signed by the first terminal device in the corresponding heterogeneous identity system to obtain the second signature
  • a terminal device generates a physical identity certificate of the first terminal device in the ID, the first signature, and the second signature of the corresponding heterogeneous identity system.
  • the first signature is generated by a system or device that issues the public-private key pair.
  • the second signature is generated by a heterogeneous identity system corresponding to the first terminal device.
  • the process of generating the first signature by the system or device that issues the public-private key pair includes: by using the private key sk2 in the public-private key pair, the publicity of the first terminal device in the corresponding heterogeneous identity system
  • generating, by the first terminal device, the physical identity certificate of the first terminal device in the ID, the first signature, and the second signature of the corresponding heterogeneous identity system including: placing the first terminal device in the corresponding heterogeneous identity system
  • the ID, the first signature, and the second signature constitute a physical identity certificate of the first terminal device, that is, the physical identity certificate includes: an ID, a first signature, and a second signature of the first terminal device in the corresponding heterogeneous identity system.
  • the second heterogeneous identity subsystem has a corresponding function for verifying the physical identity certificate, which is specifically as follows:
  • the unified identity of the first terminal device is a public key in a public private key pair;
  • the second heterogeneous identity subsystem acquires a public key of the heterogeneous identity system corresponding to the first terminal device, and the first terminal device corresponds to The public key in a heterogeneous identity system and the public key of a public-private key pair.
  • the second heterogeneous identity subsystem detects and obtains the physical identity certificate corresponding to the link in the processing module; calculates a summary of the physical identity certificate; if the summary of the physical identity certificate obtained by the calculation and the first heterogeneous identity subsystem belong to The summary of the physical identity certificate stored by the blockchain consensus node corresponding to the heterogeneous identity system is the same, according to the public key of the heterogeneous identity system corresponding to the first terminal device, and the first terminal device in the corresponding heterogeneous identity system.
  • the public key and the public key of a public-private key pair verify the physical identity certificate.
  • the public key of the heterogeneous identity system refers to the public key of the CA in the heterogeneous identity system. If the heterogeneous identity system is an IBC-based system, the public key of the heterogeneous identity system refers to the global public key in the heterogeneous identity system.
  • heterogeneous identity system corresponding to the first terminal device is a PKI-based system or is based on IBC.
  • the system, the second heterogeneous identity subsystem to verify the physical identity certificate is divided into the following two cases:
  • the second heterogeneous identity subsystem verifies the PKI certificate signature according to the public key and the PKI certificate of the heterogeneous identity system corresponding to the first terminal device, the public key according to a public private key pair, and the corresponding heterogeneous identity of the first terminal device.
  • the public key in the system verifies the first signature and the second signature; if the PKI signature, the first signature, and the second signature are both verified successfully, it is determined that the verification of the physical identity verification is successful.
  • the second heterogeneous identity subsystem receives the signed message (M, sigl), where M represents the PKI certificate, sigl represents the signature of the PKI certificate, and the second heterogeneous identity subsystem can obtain the CA.
  • the verification process of the first signature is: the second heterogeneous identity subsystem first calculates a hash value h2 of the public key of the first terminal device in the corresponding heterogeneous identity system, and obtains the public-private key pair. Public key pk2. Then call the verification algorithm Verify(pk2,h2, sig2) of the asymmetric algorithm. Sig2 is the first signature. The VerifyO algorithm returns a Boolean value. If the value is true, the first signature verification succeeds; if the value is false, the first signature verification fails.
  • the verification process of the second signature is: the second heterogeneous identity subsystem first calculates the hash value h3 of the public key of the public-private key pair, and obtains the public key pk3 of the first terminal device in the corresponding heterogeneous identity system. . Then call the verification algorithm Verify(pk3,h3, sig3) of the asymmetric algorithm. Sig3 is the second signature. The VerifyO algorithm returns a Boolean value. If the value is true, the second signature is successfully verified. If the value is false, the second signature verification fails.
  • the second heterogeneous identity subsystem determines, according to the public key of the heterogeneous identity system corresponding to the first terminal device, the first terminal device in the corresponding heterogeneous identity system according to the ID of the corresponding heterogeneous identity system.
  • Public key verifying the first signature according to the public key of a public private key pair and the public key of the first terminal device in the corresponding heterogeneous identity system, and verifying according to the public key of the first terminal device in the corresponding heterogeneous identity system
  • the second signature if both the first signature and the second signature are successfully verified, it is determined that the verification of the physical identity verification is successful.
  • the public key of the heterogeneous identity system corresponding to the first terminal device and the identity of the first heterogeneous identity system of the first terminal device may be determined by using the prior art in the corresponding heterogeneous identity system. Public key, this application does not limit this.
  • the verification process of the first signature is: the second heterogeneous identity subsystem first calculates a hash value h2 of the public key of the first terminal device in the corresponding heterogeneous identity system, and obtains the public key pk2 of the public key pair. . Then call the verification algorithm Verify(pk2,h2, sig2) of the asymmetric algorithm. Sig2 is the first signature. The VerifyO algorithm returns a Boolean value. If the value is true, the first signature is successfully verified. If the value is false, the first signature verification fails.
  • the verification process of the second signature is: the second heterogeneous identity subsystem first calculates the hash value h3 of the public key of the public-private key pair, and obtains the public key pk3 of the first terminal device in the corresponding heterogeneous identity system. . Then call the verification algorithm Verify(pk3,h3, sig2) of the asymmetric algorithm. Sig3 is the second signature. The VerifyO algorithm returns a Boolean value. If the value is true, the second signature is successfully verified. If the value is false, the second signature verification fails.
  • the second heterogeneous identity subsystem may also generate a physical identity certificate of the second terminal device, correspondingly, The first heterogeneous identity subsystem can also verify the physical identity of the second terminal device.
  • the method for generating the physical identity certificate of the second terminal device by the second heterogeneous identity subsystem is similar to the method for generating the physical identity certificate of the first terminal device by the first heterogeneous identity subsystem, where the first heterogeneous identity subsystem verifies
  • the physical identity of the second terminal device is similar to the method for verifying the physical identity of the first terminal device by the second heterogeneous identity subsystem, which is not described herein again.
  • the execution actions of the heterogeneous identity subsystem are all performed by the terminal device it includes.
  • the heterogeneous identity subsystem includes the terminal device, the proxy server, and the key escrow center
  • the execution action of the heterogeneous identity subsystem is performed by the terminal device, the proxy server, and the key escrow center included in the subsystem.
  • the functions of the terminal device, the proxy server and the key escrow center are as follows:
  • the first heterogeneous identity subsystem includes: a first terminal device, a first proxy server, and a first key escrow center
  • the heterogeneous identity system corresponding to the first terminal device is a PKI-based system
  • the process of the identity system generating the physical identity certificate is: the first proxy server sends a physical identity request message to the CA, where the physical identity request message includes: an ID of the first terminal device and a unified identity; and the CA is based on the ID and unified of the first terminal device
  • the identity generates a PKI certificate and a PKI certificate signature for the first terminal device; the CA sends the PKI certificate and the PKI certificate signature to the first proxy server; the first proxy server acquires the first signature and the second signature.
  • the first proxy server generates a physical authentication of the first terminal device by using the PKI certificate, the signature of the PKI certificate, the first signature, and the second signature.
  • the second heterogeneous identity subsystem is: the second terminal device, the second proxy server, and the second key escrow center
  • the process for the first heterogeneous identity system to verify the physical identity of the first terminal device is:
  • the second proxy server verifies the PKI certificate signature according to the public key and PKI certificate of the heterogeneous identity system corresponding to the first terminal device, and verifies the public key according to a public-private key pair and the public key of the first terminal device in the corresponding heterogeneous identity system.
  • the first signature and the second signature if the verification of the PKI signature, the first signature, and the second signature are successful, it is determined that the verification of the physical identity verification is successful.
  • the specific steps of the second proxy server for verifying the physical identity certificate of the first terminal device refer to the above content, which is not limited in this application.
  • the heterogeneous identity subsystem can generate the physical identity certificate of the terminal device included by itself, and the other heterogeneous identity subsystem can verify the physical identity certificate. When the verification succeeds, the heterogeneous identity subsystem The interaction between the heterogeneous identity subsystems can be performed when the verification fails, thereby improving the reliability of the entire interactive system.
  • FIG. 3 is a partial diagram of a heterogeneous identity-based interactive system according to another embodiment of the present application.
  • the interaction system further includes: a processing module 17 and a physical identity generation device 18; it should be noted that the heterogeneous identity subsystem may have a corresponding physical identity generation device 18
  • the physical identity generation device 18 can generate a physical identity certificate for the corresponding heterogeneous identity subsystem.
  • the physical identity generating device 18 is a CA.
  • the physical identity generating device 18 acquires the unified identity of the first terminal device, and generates a physical identity certificate of the first terminal device according to the unified identity of the first terminal device, where the physical identity certificate is used to prove the unified identity of the first terminal device.
  • the association relationship of the first terminal device is used to prove the unified identity of the first terminal device.
  • the first heterogeneous identity subsystem obtains a physical identity certificate and generates a summary of the physical identity certificate.
  • the processing module 17 acquires and stores the physical identity certificate and generates a link to the physical identity certificate; the link to the physical identity certificate is sent to the first heterogeneous identity subsystem.
  • the first heterogeneous identity subsystem sends the digest and the link to the blockchain consensus node corresponding to the heterogeneous identity system to which the first heterogeneous identity subsystem belongs, so that the digest and the link are in the M blockchain consensus node. Sharing between.
  • the second heterogeneous identity subsystem obtains a digest and a link, validates the physical identity certificate against the digest and link, and sends a message to the first heterogeneous identity subsystem upon successful verification of the physical identity certificate.
  • the M heterogeneous identity subsystems correspond to the N processing modules, where M and N may be equal or unequal, and if M and N are equal, M heterogeneous identity subsystems and N processing modules It is a one-to-one correspondence.
  • the processing module may be a physical storage device or a logical storage node, which is not limited in this application.
  • the abstract of the physical identity certificate may be a hash of the physical identity certificate.
  • a link to the physical identity is used to find the physical identity certificate.
  • the first heterogeneous identity subsystem may generate a random symmetric key ⁇ , and encrypt the symmetric key ⁇ by using a unified identity of the second terminal device, such as a public key in a public-private key pair, to obtain a ciphertext.
  • KC a unified identity of the second terminal device
  • the physical identity certificate is encrypted by K, and based on this, the physical identity certificate stored by the processing module 17 is the encrypted physical identity certificate.
  • the second heterogeneous identity subsystem first decrypts the KC by using the private key in the public-private key pair to obtain a symmetric key K.
  • the encrypted physical identity certificate is then decrypted by a symmetric key to obtain a physical identification.
  • the first heterogeneous identity subsystem sends a signature of the message formed by the digest and the link to the blockchain consensus node corresponding to the heterogeneous identity system to which the first heterogeneous identity subsystem belongs.
  • the second heterogeneous identity subsystem obtains the signature of the digest and the link and the message composed of the digest and the link, and the second heterogeneous identity subsystem first verifies the signature, and if the verification is successful, the first heterogeneous identity subsystem belongs to The blockchain consensus node corresponding to the heterogeneous identity system treats the digest and the link as invalid information.
  • the second heterogeneous identity subsystem obtains the digest and the link in the following manner: the first heterogeneous identity subsystem sends the address of the smart contract storing the digest and the link to the second heterogeneous identity subsystem and the digest, first The heterogeneous identity subsystem first finds the smart contract that stores the digest and the link through the address, and then finds the link through the digest.
  • the blockchain consensus node stores state indication information of the unified identity of the corresponding terminal device, where the state indication information is used to indicate that the unified identity of the terminal device is enabled or disabled. .
  • the second heterogeneous identity subsystem acquires and stores the unified identity of the first terminal device and the status indication information of the unified identity of the first terminal device, where the status indication information is used to indicate that the unified identity of the first terminal device is enabled or The non-enabled state; correspondingly, if the status indication information indicates that the status of the unified identity of the first terminal device is the enabled state, the second heterogeneous identity subsystem detects and acquires the physical identity certificate corresponding to the link in the processing module. If the status indication information indicates that the status of the unified identity of the first terminal device is a non-enabled state, there is no need to detect the physical identity certificate of the first terminal device.
  • the status indication information indicates that the status of the unified identity of the terminal device is not enabled, it is not necessary to detect the physical identity of the terminal device. Thereby reducing the resource consumption of the interactive system.
  • the specific manner of the physical identity generation device generating the physical identity of the first terminal device is: wherein the physical identity generation device may obtain a physical identity certificate of the first terminal device by using a certain algorithm for the unified identity of the first terminal device. As long as the physical identity certificate can prove the association relationship between the unified identity of the first terminal device and the first terminal device.
  • the heterogeneous identity system corresponding to the first terminal device may be a ⁇ -based system, an IBC-based system, A system based on an account password or an IMSI-based system.
  • the physical identity generating device generates the physical identity certificate as follows - optionally, the unified identity of the first terminal device is a public key in a public private key pair; then the physical identity generating device 18 obtains the corresponding heterogeneous identity of the first terminal device The ID of the system and the public key in the public-private key pair; the private key of the first-party device in the corresponding heterogeneous identity system and the public key in the public-private key pair according to the private key of the physical identity generating device 18 Signing, obtaining a first signature; generating, by the first terminal device, a physical identity certificate in an ID of the corresponding heterogeneous identity system, a public key in the public-private key pair, and the first signature.
  • the first terminal device generates the physical identity certificate in the ID of the corresponding heterogeneous identity system, the public key in the public key pair, and the first signature, including: the corresponding heterogeneous identity of the first terminal device
  • the ID of the system, the public key of the public key pair, and the first signature constitute a physical identity certificate of the first terminal device, that is, the physical identity certificate of the first terminal device includes: the corresponding terminal identity device in the corresponding heterogeneous identity system ID, the public key of the public-private key pair, and the first signature.
  • the second heterogeneous identity subsystem obtains the public key of the heterogeneous identity system corresponding to the first terminal device; correspondingly, the second heterogeneous identity subsystem detects and obtains the physical identity certificate corresponding to the link in the processing module 17 Calculating a summary of the physical identity certificate; if the summary of the physical identity certificate obtained by the calculation is the same as the summary of the physical identity certificate stored by the blockchain consensus node corresponding to the heterogeneous identity system to which the first heterogeneous identity subsystem belongs, The public key of the heterogeneous identity system corresponding to the first terminal device verifies the physical identity certificate.
  • the second heterogeneous identity subsystem determines the heterogeneous identity system corresponding to the first terminal device according to the unified identity of the first terminal device, and sends a request message to the heterogeneous identity system to request to obtain the heterogeneous identity system.
  • Public key if the heterogeneous identity system corresponding to the first terminal device is a PKI-based system, the public key of the heterogeneous identity system refers to the public key of the CA in the heterogeneous identity system. If the heterogeneous identity system is an IBC-based system, the public key of the heterogeneous identity system refers to the global public key in the heterogeneous identity system.
  • the process of verifying the physical identity according to the public key of the heterogeneous identity system corresponding to the first terminal device is: as described above, the physical identity certificate includes: the ID of the first terminal device in the corresponding heterogeneous identity system, The public key and the first signature of a public private key pair.
  • the second heterogeneous identity subsystem obtains the physical identity certificate, based on this, the second heterogeneous identity subsystem first calculates the ID of the first terminal device in the corresponding heterogeneous identity system, the public-private key pair.
  • VerifyO algorithm returns a Boolean value. If the value is true, the physical identity verification is successful. If the value is false, the physical identity verification fails.
  • the execution actions of the heterogeneous identity subsystem are all performed by the terminal device it includes.
  • the heterogeneous identity subsystem includes the terminal device, the proxy server, and the key escrow center
  • the execution action of the heterogeneous identity subsystem is performed by the terminal device, the proxy server, and the key escrow center included in the subsystem.
  • the functions of the terminal device, the proxy server and the key escrow center are as follows:
  • the first proxy server in the first heterogeneous identity subsystem obtains the physical identity certificate of the first terminal device, and the first proxy server agent interacts with the first heterogeneous identity subsystem.
  • the second proxy server in the second heterogeneous identity subsystem verifies the physical identity certificate.
  • the physical identity generating device may generate a physical identity certificate of the terminal device included in the heterogeneous identity subsystem, and the other heterogeneous identity subsystem may verify the physical identity certificate, and when the verification succeeds, the heterogeneous identity The subsystems can interact with each other. When the verification fails, the heterogeneous identity subsystems cannot interact with each other, thereby improving the reliability of the entire interactive system.
  • the interaction system further includes a certificate issuing device.
  • the certificate issuing device issues a certificate to the heterogeneous identity system, and deploys a block for the heterogeneous identity system.
  • a chain consensus node to implement interaction between heterogeneous identity subsystems in the heterogeneous identity system and heterogeneous identity subsystems in other heterogeneous identity systems.
  • FIG. 4 is an interaction flowchart of a heterogeneous identity-based interaction method according to an embodiment of the present disclosure, where the method is performed by the foregoing heterogeneous identity-based interaction system. Specifically, as shown in FIG. 4, the method includes The following steps are as follows: Step S401: The first heterogeneous identity subsystem acquires a unified identity of the first terminal device included in the first heterogeneous identity subsystem in the interaction system;
  • Step S402 The first heterogeneous identity subsystem sends the unified identity of the first terminal device to the blockchain consensus node corresponding to the heterogeneous identity system to which the first heterogeneous identity subsystem belongs (referred to as the first blockchain in this application). a consensus node), such that the unified identity of the first terminal device is shared among the M blockchain consensus nodes;
  • Step S403 The second heterogeneous identity subsystem acquires a unified identity of the second terminal device included in the second heterogeneous identity subsystem in the interaction system.
  • Step S404 The second heterogeneous identity subsystem sends the unified identity of the second terminal device to the blockchain consensus node corresponding to the heterogeneous identity system to which the second heterogeneous identity subsystem belongs (referred to as the second blockchain in this application). a consensus node), so that the unified identity of the second terminal device is shared among the M blockchain consensus nodes;
  • Step S405 The first heterogeneous identity subsystem and the second heterogeneous identity subsystem interact based on the unified identity of the first terminal device and the unified identity of the second terminal device.
  • the first heterogeneous identity subsystem and the second heterogeneous identity subsystem belong to two different heterogeneous identity systems in the M heterogeneous identity systems.
  • the heterogeneous identity-based interaction method provided by the present application may be performed by the heterogeneous identity-based interaction system, and the content and effect of the corresponding content and the effect are the same as those of the heterogeneous identity-based interaction system, and details are not described herein.
  • the execution steps of the heterogeneous identity subsystem are all performed by the terminal device it includes.
  • the heterogeneous identity subsystem includes the terminal device, the proxy server, and the key escrow center
  • the execution action of the heterogeneous identity subsystem is performed by the terminal device, the proxy server, and the key escrow center included in the subsystem.
  • the first heterogeneous identity subsystem includes: a first terminal device, a first proxy server, and a first key escrow center:
  • the second heterogeneous identity subsystem includes only the second terminal device, and the foregoing method is specifically as follows:
  • FIG. 5 is an interaction flowchart of a heterogeneous identity-based interaction method according to another embodiment of the present disclosure, where the method is performed by the foregoing heterogeneous identity-based interaction system, specifically, as shown in FIG. 5, the method is Including the following steps: Step S501: The first terminal device sends a unified identity request message to the first proxy server.
  • the unified identity request message is used to apply for a unified identity for the terminal device.
  • the unified identity request message includes an ID of the terminal device.
  • Step S502 The first proxy server forwards the unified identity request message to the first key escrow center.
  • Step S503 The first key escrow center randomly generates a unified identity for the terminal device, and stores a correspondence between the ID of the terminal device and the unified identity of the terminal device.
  • Step S504 The first key escrow center sends the unified identity to the first proxy server.
  • Step S505 The first proxy server sends the unified identity of the first terminal device to the blockchain consensus node (referred to as the first blockchain consensus node) corresponding to the heterogeneous identity system to which the first heterogeneous identity subsystem belongs. So that the unified identity of the first terminal device is shared among the M blockchain consensus nodes.
  • the blockchain consensus node referred to as the first blockchain consensus node
  • Step S506 The second terminal device acquires a unified identity of the second terminal device in the interaction system.
  • Step S507 The second terminal device sends the unified identity of the second terminal device to the blockchain consensus node corresponding to the heterogeneous identity system to which the second heterogeneous identity subsystem belongs (referred to as the second blockchain consensus node in this application). So that the unified identity of the second terminal device is shared among the M blockchain consensus nodes;
  • Step S508 The first proxy server and the second terminal device interact based on the unified identity of the first terminal device and the unified identity of the second terminal device.
  • the heterogeneous identity-based interaction method provided by the present application may be performed by the heterogeneous identity-based interaction system, and the content and effect of the corresponding content and the effect are the same as those of the heterogeneous identity-based interaction system, and details are not described herein.
  • heterogeneous identity subsystems can be based only on a unified identity or on a unified identity and physical identity, for example: When two heterogeneous identity subsystems need to be traded, they need to be verified The physical identity of the terminal devices included with each other. When the authenticator successfully authenticates the physical identity of the terminal device included in the other party, the interactive behavior such as the transaction can be performed. Otherwise, the corresponding interaction is not performed.
  • a physical identity certificate needs to be generated for each heterogeneous identity subsystem, wherein the physical identity certificate is used to prove the association between the unified identity of the terminal device included in the heterogeneous identity subsystem and the terminal device, that is, to prove the unified Whether the identity belongs to the terminal device.
  • the first option The heterogeneous identity subsystem itself generates the physical identity certificate of the terminal device it includes.
  • the second optional method The physical identity generation device generates a physical identity certificate for the terminal device.
  • FIG. 6 is an interaction flowchart of a heterogeneous identity-based interaction method according to another embodiment of the present application, where the method is performed by the foregoing heterogeneous identity-based interaction system, where The interaction system further includes: a processing module; specifically, as shown in FIG. 6, the foregoing step 405 includes the following process:
  • Step S601 The first heterogeneous identity subsystem generates a physical identity certificate of the first terminal device according to the unified identity of the first terminal device, and generates a summary of the physical identity certificate.
  • the physical identity certificate is used to prove the association between the unified identity of the first terminal device and the first terminal device.
  • Step S602 The processing module acquires a physical identity certificate of the first terminal device.
  • Step S603 The processing module stores the physical identity certificate and generates a link of the physical identity certificate
  • Step S604 The processing module sends a link of the physical identity certificate to the first heterogeneous identity subsystem.
  • Step S605 The first heterogeneous identity subsystem sends the digest and the link to the first blockchain consensus node; so that the digest and the link are shared among the M blockchain consensus nodes;
  • Step S606 The second heterogeneous identity subsystem obtains a summary of the first heterogeneous identity system from the second blockchain consensus node. And links;
  • Step S607 The second heterogeneous identity subsystem verifies the physical identity certificate according to the digest and the link;
  • Step S608 The second heterogeneous identity subsystem sends a message to the first heterogeneous identity subsystem when the verification of the physical identity certificate is successful.
  • the unified identity of the first terminal device is a public key in a public private key pair;
  • the second heterogeneous identity subsystem acquires a public key of the heterogeneous identity system corresponding to the first terminal device, and the first terminal device corresponds to a public key in a heterogeneous identity system and a public key of a public-private key pair;
  • step S607 includes: detecting and obtaining a physical identity certificate corresponding to the link in the processing module; calculating a summary of the physical identity certificate;
  • the summary of the physical identity certificate is the same as the summary of the physical identity certificate stored by the blockchain consensus node corresponding to the heterogeneous identity system to which the first heterogeneous identity subsystem belongs, according to the public key of the heterogeneous identity system corresponding to the first terminal device.
  • the first terminal device verifies the physical identity certificate in the public key of the corresponding heterogeneous identity system and the public key of a public private key pair.
  • step S601 obtaining a PKI certificate of the first terminal device in the corresponding heterogeneous identity system and a signature of the PKI certificate;
  • the private key of a public-private key pair signs the public key of the first terminal device in the corresponding heterogeneous identity system, and obtains the first signature;
  • step S607 includes: verifying the PKI certificate signature according to the public key and the PKI certificate of the heterogeneous identity system corresponding to the first terminal device, the public key according to a public-private key pair, and the first terminal device in the corresponding heterogeneous identity system.
  • the public key verifies the first signature and the second signature; if the verification of the PKI signature, the first signature, and the second signature is successful, it is determined that the verification of the physical identity verification is successful.
  • step S601 includes: obtaining, by the public key pair of the public-private key pair, the first terminal device in the corresponding heterogeneous identity system. Signing the public key to obtain the first signature; obtaining a second signature obtained by signing the public key of a public-private key pair by the private key of the first terminal device in the corresponding heterogeneous identity system; and obtaining the second terminal; The device generates a physical identity certificate of the first terminal device in the identity, the first signature, and the second signature of the corresponding heterogeneous identity system.
  • step S607 includes: determining, according to the public key of the heterogeneous identity system corresponding to the first terminal device, the identity of the first terminal device in the corresponding heterogeneous identity system according to the identity of the corresponding heterogeneous identity system of the first terminal device Key; verifying the first signature and the second signature according to the public key of a public-private key pair and the public key of the first terminal device in the corresponding heterogeneous identity system; if both the first signature and the second signature are successfully verified, determining Successful verification of physical identification.
  • the method further includes: the first blockchain consensus node acquires and stores the unified identity of the first terminal device and the state indication information of the unified identity of the first terminal device, where the state indication information is used to indicate the first terminal device
  • the unified identity is an enabled state or a non-enabled state; correspondingly, if the state indication information indicates that the state of the unified identity of the first terminal device is the enabled state, the second heterogeneous identity subsystem detects and acquires the link corresponding in the processing module. Physical identification.
  • FIG. 7 is an interaction flowchart of a heterogeneous identity-based interaction method according to another embodiment of the present application, where the method is performed by the foregoing heterogeneous identity-based interaction system, where The interaction system further includes: a processing module and a physical identity generation device; specifically, as shown in FIG. 7, the foregoing step 405 includes the following process: Step S701: The physical identity generating device acquires the unified identity of the first terminal device from the first heterogeneous identity subsystem. Step S702: The physical identity generating device generates the physical identity certificate of the first terminal device according to the unified identity of the first terminal device.
  • the physical identity certificate is used to prove the association between the unified identity of the first terminal device and the first terminal device.
  • Step S703 The first heterogeneous identity subsystem obtains the physical identity certificate from the physical identity generation device.
  • Step S704 The first heterogeneous identity subsystem generates a summary of the physical identity certificate
  • Step S705 The processing module obtains a physical identity certificate.
  • Step S706 The processing module stores the physical identity certificate, and generates a link of the physical identity certificate
  • Step S707 The processing module sends a link of the physical identity certificate to the first heterogeneous identity subsystem.
  • Step S708 The first heterogeneous identity subsystem sends the digest and the link to the first blockchain consensus node; so that the digest and the link are shared among the M blockchain consensus nodes;
  • Step S709 The second heterogeneous identity subsystem obtains a digest and a link from the second blockchain consensus node.
  • Step S710 The second heterogeneous identity subsystem verifies the physical identity certificate according to the digest and the link;
  • Step S711 The second heterogeneous identity subsystem sends a message to the first heterogeneous identity subsystem when the verification of the physical identity certificate is successful.
  • step S710 the method further includes: acquiring, by the second heterogeneous identity subsystem, a public key of the heterogeneous identity system corresponding to the first terminal device; and correspondingly, step S710 includes: detecting, in the processing module, the physical entity corresponding to the link Identification; a summary of the physical identity certificate; if the summary of the physical identity certificate obtained by the calculation is the same as the summary of the physical identity certificate stored by the blockchain consensus node corresponding to the heterogeneous identity system to which the first heterogeneous identity subsystem belongs, Then, the physical identity certificate is verified according to the public key of the heterogeneous identity system corresponding to the first terminal device.
  • the unified identity of the first terminal device is a public key in a public private key pair
  • Step S702 includes: obtaining an identity of the first terminal device in the corresponding heterogeneous identity system and a public key in a public-private key pair; Generating the device's private key according to the physical identity of the first terminal device in the identity of the corresponding heterogeneous identity system and the public key in the public-private key pair to obtain the first signature; The identity of the identity system, the public key in a public private key pair, and the first signature generate a physical identity certificate.
  • step S710 further includes: the first blockchain consensus node acquires and stores the unified identity of the first terminal device and the state indication information of the unified identity of the first terminal device, where the state indication information is used to indicate the first terminal device.
  • the unified identity is an enabled state or a non-enabled state; correspondingly, step S701 includes: if the state indication information indicates that the state of the unified identity of the first terminal device is the enabled state, the heterogeneous identity subsystem detects and acquires in the processing module The corresponding physical identification of the link.
  • the first heterogeneous identity system includes only the first terminal device; or the first heterogeneous identity system includes the first terminal device, a proxy server of the first terminal device, and a key escrow center; and the second heterogeneous identity system Only the second terminal device is included; or, the second heterogeneous identity system includes the second terminal device, the proxy server of the second terminal device, and the key escrow center.
  • the heterogeneous identity-based interaction method provided by the present application may be performed by the heterogeneous identity-based interaction system, and the content and effect of the corresponding content and the effect are the same as those of the heterogeneous identity-based interaction system, and details are not described herein.
  • FIG. 8 is a schematic structural diagram of a first heterogeneous identity subsystem 80 according to an embodiment of the present disclosure. As shown in FIG. 8, the first heterogeneous identity subsystem 80 includes: an obtaining module 81, a sending module 82, and a receiving module 83.
  • the obtaining module 81 is configured to acquire the unifiedness of the first terminal device included in the first heterogeneous identity subsystem in the interaction system Identity.
  • the sending module 82 is configured to send the unified identity of the first terminal device to the blockchain consensus node corresponding to the heterogeneous identity system to which the first heterogeneous identity subsystem belongs, so that the unified identity of the first terminal device is in the M regions.
  • Blockchain consensus nodes are shared between.
  • the obtaining module 81 is further configured to acquire a unified identity of the second terminal device.
  • the sending module 82 is configured to send a message to the second heterogeneous identity subsystem to which the second terminal device belongs based on the unified identity of the first terminal device and the unified identity of the second terminal device, or the receiving module 83 is configured to receive the second heterogeneous identity.
  • the message sent by the subsystem is configured to send a message to the second heterogeneous identity subsystem to which the second terminal device belongs based on the unified identity of the first terminal device and the unified identity of the second terminal device, or the receiving module 83 is configured to receive the second heterogeneous identity.
  • the first heterogeneous identity subsystem 80 further includes a generation module 84.
  • the generating module 84 is configured to generate a physical identity certificate of the first terminal device according to the unified identity of the first terminal device, and generate a summary of the physical identity certificate, where the physical identity certificate is used to prove the unified identity of the first terminal device and the first terminal device Relationship.
  • the obtaining module 81 is further configured to obtain a link of the physical identity certificate of the first terminal device.
  • the sending module 82 is further configured to send the digest and the link to the blockchain consensus node corresponding to the heterogeneous identity system to which the first heterogeneous identity subsystem belongs, so that the digest and the link are shared among the M blockchain consensus nodes.
  • the receiving module 83 is further configured to receive the message sent by the second heterogeneous identity subsystem.
  • the obtaining module 81 is specifically configured to obtain a PKI certificate and a PKI certificate of the first terminal device in the corresponding heterogeneous identity system. And obtaining a first signature obtained by signing a public key of the first terminal device in the corresponding heterogeneous identity system by using a private key of a public-private key pair; obtaining the corresponding heterogeneity through the first terminal device The private key in the identity system signs the public key of a public-private key pair, resulting in a second signature.
  • the generating module 84 is specifically configured to generate a PKI certificate, a signature of the PKI certificate, a first signature, and a second signature to generate a physical identity certificate of the first terminal device.
  • the obtaining module 81 is specifically configured to obtain a private key pair through a public-private key pair to the first terminal device in the corresponding heterogeneous identity system.
  • the public key is signed, and the obtained first signature is obtained; and the second signature obtained by signing the public key of a public-private key pair by the private key of the first terminal device in the corresponding heterogeneous identity system is obtained.
  • the generating module 84 is specifically configured to generate, by the first terminal device, the physical identity certificate of the first terminal device in the identity, the first signature, and the second signature of the corresponding heterogeneous identity system.
  • the obtaining module 81 is further configured to obtain a physical identity certificate.
  • the generation module 84 is used to generate a summary of the physical identity certificate; the acquisition module is also used to obtain a link to the physical identity certificate.
  • the sending module 82 is configured to send the digest and the link to the blockchain consensus node corresponding to the heterogeneous identity system to which the first heterogeneous identity subsystem belongs, so that the digest and the link are shared among the M blockchain consensus nodes.
  • the receiving module 83 is further configured to receive the message sent by the second heterogeneous identity subsystem.
  • the first heterogeneous identity subsystem includes only the first terminal device; or the first heterogeneous identity subsystem includes the first terminal device, the first proxy server of the first terminal device, and the first key escrow center.
  • the first heterogeneous identity subsystem includes the first terminal device, the first proxy server of the first terminal device, and the first key escrow center.
  • FIG. 9 is a schematic structural diagram of a second heterogeneous identity subsystem 90 according to an embodiment of the present disclosure.
  • the second heterogeneous identity subsystem 90 includes: an obtaining module 91, a sending module 92, and a receiving module 93.
  • the obtaining module 91 is configured to obtain a unified identity of the second terminal device included in the second heterogeneous identity subsystem in the interaction system.
  • the sending module 92 is configured to send the unified identity of the second terminal device to the blockchain consensus node corresponding to the heterogeneous identity system to which the second heterogeneous identity subsystem belongs, so that the unified identity of the second terminal device is in the M blocks. Chain consensus nodes are shared between.
  • the obtaining module 91 is further configured to obtain a unified identity of the first terminal device.
  • the sending module 92 is further configured to send a message to the first heterogeneous identity subsystem to which the first terminal device belongs based on the unified identity of the first terminal device and the unified identity of the second terminal device, or the receiving module 93 is configured to receive the first identifier.
  • the message sent by the identity subsystem is further configured to send a message to the first heterogeneous identity subsystem to which the first terminal device belongs based on the unified identity of the first terminal device and the unified identity of the second terminal device.
  • the second heterogeneous identity subsystem further includes a verification module 94.
  • the obtaining module 91 is further configured to obtain a summary and a link of the physical identity certificate of the first terminal device.
  • the verification module 94 is used to verify the physical identity certificate based on the abstract and the link.
  • the sending module 92 is further configured to send a message to the first heterogeneous identity subsystem when the verification of the physical identity certificate is successful.
  • the second heterogeneous identity subsystem further includes: a detection module 95 and a calculation module 96.
  • the unified identity of the first terminal device is a public key in a public-private key pair; the obtaining module 91 is further configured to obtain a public key of the heterogeneous identity system corresponding to the first terminal device, and the first terminal device is in the corresponding heterogeneous identity system.
  • the public key and the public key of a public-private key pair are examples of the public key and the public key of a public-private key pair.
  • the detecting module 95 is configured to detect and obtain a physical identity certificate corresponding to the link in the processing module.
  • the calculation module 96 is used to calculate a summary of the physical identification.
  • the verification module 94 is configured to use the first terminal according to the first terminal.
  • the public key of the heterogeneous identity system corresponding to the device, the public key of the first terminal device in the corresponding heterogeneous identity system, and the public key of a public private key pair verify the physical identity certificate.
  • the verification module 94 is specifically configured to verify, according to the public key and the PKI certificate of the heterogeneous identity system corresponding to the first terminal device, the PKI certificate signature, the public key according to a public-private key pair, and the corresponding heterogeneity of the first terminal device.
  • the public key in the identity system verifies the first signature and the second signature; if the PKI signature, the first signature, and the second signature are both verified successfully, it is determined that the verification of the physical identity verification is successful.
  • the verification module 94 is specifically configured to determine, according to the public key of the heterogeneous identity system corresponding to the first terminal device, the first terminal device in the corresponding heterogeneous identity according to the identifier of the corresponding heterogeneous identity system of the first terminal device.
  • Public key of the system verifying the first signature and the second signature according to the public key of a public private key pair and the public key of the first terminal device in the corresponding heterogeneous identity system; if both the first signature and the second signature are successfully verified , to determine the successful verification of the physical identity certificate.
  • the obtaining module 91 is further configured to acquire and store the unified identity of the first terminal device and the status indication information of the unified identity of the first terminal device, where the status indication information is used to indicate that the unified identity of the first terminal device is enabled or The non-enabled state; correspondingly, if the status indication information indicates that the status of the unified identity of the first terminal device is the enabled state, the physical identity certificate corresponding to the link is detected and acquired in the processing module.
  • the second heterogeneous identity subsystem obtains the public key of the heterogeneous identity system corresponding to the first terminal device; correspondingly, the detecting module 95 detects and acquires the physical identity certificate corresponding to the link in the processing module; a summary of the physical identity certificate; if the summary of the physical identity certificate obtained by the calculation is the same as the summary of the physical identity certificate stored by the blockchain consensus node corresponding to the heterogeneous identity system to which the first heterogeneous identity subsystem belongs, the verification module 94 The physical identity certificate is verified according to the public key of the heterogeneous identity system corresponding to the first terminal device.
  • the obtaining module 91 acquires and stores the unified identity of the first terminal device and the status indication information of the unified identity of the first terminal device, where the status indication information is used to indicate that the unified identity of the first terminal device is enabled or disabled.
  • the detecting module 95 is specifically configured to detect and obtain the physical identity certificate corresponding to the link in the processing module.
  • the second heterogeneous identity subsystem includes only the second terminal device; or the second heterogeneous identity subsystem includes the second terminal device, the first proxy server of the second terminal device, and the first key escrow center.
  • FIG. 10 is a schematic structural diagram of a physical identity generating device 100 according to an embodiment of the present disclosure. As shown in FIG. 10, the physical identity generating device 100 includes: an obtaining module 101 and a generating module 102.
  • the obtaining module 101 is configured to obtain a unified identity of the first terminal device.
  • the generating module 102 is configured to generate a physical identity certificate of the first terminal device according to the unified identity of the first terminal device, where the physical identity certificate is used to prove the association between the unified identity of the first terminal device and the first terminal device.
  • the unified identity of the first terminal device is a public key in a public-private key pair; the obtaining module 101 is further configured to obtain the identity of the first terminal device in the corresponding heterogeneous identity system and a public-private key pair. key.
  • the generating module 102 is specifically configured to: sign the identity of the corresponding heterogeneous identity system and the public key in a public-private key pair according to the private key of the physical identity generating device, to obtain a first signature;
  • the device generates a physical identity certificate in the identity of the corresponding heterogeneous identity system, the public key in a public private key pair, and the first signature.
  • FIG. 11 is a schematic structural diagram of a first heterogeneous identity subsystem 110 according to an embodiment of the present disclosure.
  • the first heterogeneous identity subsystem 110 includes: a processor 111, a transmitter 112, and a receiver 113.
  • the processor 111 is configured to obtain a unified identity of the first terminal device included in the first heterogeneous identity subsystem in the interaction system.
  • the transmitter 112 is configured to send the unified identity of the first terminal device to the blockchain consensus node corresponding to the heterogeneous identity system to which the first heterogeneous identity subsystem belongs, so that the unified identity of the first terminal device is in the M regions.
  • Blockchain consensus nodes are shared between.
  • the processor 111 is further configured to acquire a unified identity of the second terminal device.
  • the transmitter 112 is configured to send a message to the second heterogeneous identity subsystem to which the second terminal device belongs based on the unified identity of the first terminal device and the unified identity of the second terminal device, or the receiver 113 is configured to receive the second heterogeneous identity.
  • the message sent by the subsystem is configured to send a message to the second heterogeneous identity subsystem to which the second terminal device belongs based on the unified identity of the first terminal device and the unified identity of the second terminal device, or the receiver 113 is configured to receive the second heterogeneous identity.
  • the processor 111 is further configured to generate a physical identity certificate of the first terminal device according to the unified identity of the first terminal device, and generate a summary of the physical identity certificate, where the physical identity certificate is used to prove the unified identity of the first terminal device. The relationship with the first terminal device.
  • the processor 111 is further configured to acquire a link of the physical identity certificate of the first terminal device.
  • the sender 112 is further configured to send the digest and the link to the blockchain consensus node corresponding to the heterogeneous identity system to which the first heterogeneous identity subsystem belongs, so that the digest and the link are shared among the M blockchain consensus nodes.
  • the receiver 113 is further configured to receive the message sent by the second heterogeneous identity subsystem.
  • the processor ill is specifically configured to obtain a PKI certificate and a PKI certificate of the first terminal device in the corresponding heterogeneous identity system. And obtaining a first signature obtained by signing a public key of the first terminal device in the corresponding heterogeneous identity system by using a private key of a public-private key pair; obtaining the corresponding heterogeneity through the first terminal device
  • the private key in the identity system signs the public key of a public-private key pair, resulting in a second signature.
  • the processor 111 is specifically configured to generate a PKI certificate, a signature of the PKI certificate, a first signature, and a second signature to generate a physical identity certificate of the first terminal device.
  • the processor 111 is specifically configured to obtain a private key pair through a public private key pair to the first terminal device in the corresponding heterogeneous identity system.
  • the public key is signed, and the obtained first signature is obtained; and the second signature obtained by signing the public key of a public-private key pair by the private key of the first terminal device in the corresponding heterogeneous identity system is obtained.
  • the processor i l is specifically configured to generate, by the first terminal device, the physical identity certificate of the first terminal device in the identity, the first signature, and the second signature of the corresponding heterogeneous identity system.
  • the processor 111 is further configured to obtain a physical identity certificate.
  • the processor 111 is configured to generate a summary of the physical identity certificate; the obtaining module is further configured to obtain a link of the physical identity certificate.
  • the sender 112 is configured to send the digest and the link to the blockchain consensus node corresponding to the heterogeneous identity system to which the first heterogeneous identity subsystem belongs, so that the digest and the link are shared among the M blockchain consensus nodes.
  • the receiver 113 is further configured to receive the message sent by the second heterogeneous identity subsystem.
  • the first heterogeneous identity subsystem includes only the first terminal device; or the first heterogeneous identity subsystem includes the first terminal device, the first proxy server of the first terminal device, and the first key escrow center.
  • FIG. 12 is a schematic structural diagram of a second heterogeneous identity subsystem 120 according to an embodiment of the present disclosure. As shown in FIG. 12, the second heterogeneous identity subsystem 120 includes: a processor 121, a transmitter 122, and a receiver 123.
  • the processor 121 is configured to obtain a unified identity of the second terminal device included in the second heterogeneous identity subsystem in the interaction system.
  • the transmitter 122 is configured to send the unified identity of the second terminal device to the blockchain consensus node corresponding to the heterogeneous identity system to which the second heterogeneous identity subsystem belongs, so that the unified identity of the second terminal device is in the M blocks. Chain consensus nodes are shared between.
  • the processor 121 is further configured to acquire a unified identity of the first terminal device.
  • the transmitter 122 is further configured to send a message to the first heterogeneous identity subsystem to which the first terminal device belongs based on the unified identity of the first terminal device and the unified identity of the second terminal device, or the receiver 123 is configured to receive the first identifier.
  • the second heterogeneous identity subsystem further includes a verification module 94.
  • the processor 121 is further configured to obtain a summary and a link of the physical identity certificate of the first terminal device.
  • the processor 121 is configured to verify the physical identity certificate based on the digest and the link.
  • the sender 122 is further configured to send a message to the first heterogeneous identity subsystem upon successful verification of the physical identity certificate.
  • the unified identity of the first terminal device is a public key in a public-private key pair; the processor 121 is further configured to acquire a public key of the heterogeneous identity system corresponding to the first terminal device, and the corresponding information of the first terminal device is different.
  • the processor 121 is configured to detect and obtain a physical identity certificate corresponding to the link in the processing module.
  • the processor 121 is configured to calculate a summary of the physical identification.
  • the processor 121 is configured to use the first terminal according to the first terminal.
  • the public key of the heterogeneous identity system corresponding to the device, the public key of the first terminal device in the corresponding heterogeneous identity system, and the public key of a public private key pair verify the physical identity certificate.
  • the processor 121 is configured to verify, according to the public key and the PKI certificate of the heterogeneous identity system corresponding to the first terminal device, the PKI certificate signature, the public key according to a public private key pair, and the corresponding heterogeneity of the first terminal device.
  • the public key in the identity system verifies the first signature and the second signature; if the PKI signature, the first signature, and the second signature are both verified successfully, it is determined that the verification of the physical identity verification is successful.
  • the processor 121 is configured to determine, according to the public key of the heterogeneous identity system corresponding to the first terminal device, the identity of the first terminal device in the corresponding heterogeneous identity according to the identifier of the corresponding heterogeneous identity system of the first terminal device.
  • Public key of the system verifying the first signature and the second signature according to the public key of a public private key pair and the public key of the first terminal device in the corresponding heterogeneous identity system; if both the first signature and the second signature are successfully verified , to determine the successful verification of the physical identity certificate.
  • the processor 121 is further configured to acquire and store the unified identity of the first terminal device and the status indication information of the unified identity of the first terminal device, where the status indication information is used to indicate that the unified identity of the first terminal device is enabled or The non-enabled state; correspondingly, if the status indication information indicates that the status of the unified identity of the first terminal device is the enabled state, the physical identity certificate corresponding to the link is detected and acquired in the processing module.
  • the second heterogeneous identity subsystem acquires the public key of the heterogeneous identity system corresponding to the first terminal device; correspondingly, the processor 121 detects and acquires the physical identity certificate corresponding to the link in the processing module; a summary of the physical identity certificate; if the summary of the physical identity certificate obtained by the calculation is the same as the summary of the physical identity certificate stored by the blockchain consensus node corresponding to the heterogeneous identity system to which the first heterogeneous identity subsystem belongs, the processor 121 The physical identity certificate is verified according to the public key of the heterogeneous identity system corresponding to the first terminal device.
  • the processor 121 acquires and stores the unified identity of the first terminal device and the status indication information of the unified identity of the first terminal device, where the status indication information is used to indicate that the unified identity of the first terminal device is enabled or disabled.
  • the processor 121 is specifically configured to detect and acquire the physical identity certificate corresponding to the link in the processing module.
  • the second heterogeneous identity subsystem includes only the second terminal device; or the second heterogeneous identity subsystem includes the second terminal device, the first proxy server of the second terminal device, and the first key escrow center.
  • FIG. 13 is a schematic structural diagram of a physical identity generating device 130 according to an embodiment of the present disclosure, as shown in FIG.
  • the physical identity generation device 130 includes a processor 131 and a memory 132 for storing execution code of the processor 131.
  • the processor 131 is configured to acquire a unified identity of the first terminal device.
  • the processor 131 is configured to generate a physical identity certificate of the first terminal device according to the unified identity of the first terminal device, where the physical identity certificate is used to prove the association between the unified identity of the first terminal device and the first terminal device.
  • the unified identity of the first terminal device is a public key in a public-private key pair; the obtaining module 101 is further configured to obtain the identity of the first terminal device in the corresponding heterogeneous identity system and a public-private key pair. key.
  • the processor 131 is specifically configured to: sign the identity of the corresponding heterogeneous identity system and the public key in a public-private key pair according to the private key of the physical identity generation device to obtain a first signature; The device generates a physical identity certificate in the identity of the corresponding heterogeneous identity system, the public key in a public private key pair, and the first signature.

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Mobile Radio Communication Systems (AREA)

Abstract

本申请提供一种基于异构身份的交互系统及方法,该系统包括 M 个区块链共识节点和 M 个异构身份系统;异构身份系统包括异构身份子系统,异构身份子系统包括终端设备。第一异构身份子系统和第二异构身份子系统分别获取各自包括的终端设备的统一身份,将获取的统一身份发送给各自所属的异构身份系统对应的区块链共识节点,以使统一身份在 M 个区块链共识节点之间共享;第一异构身份子系统和第二异构身份子系统基于第一终端设备的统一身份和第二终端设备的统一身份进行交互。从而提高交互系统的可靠性。

Description

说明书
基于异构身份的交互系统及方法 技术领域
本申请涉及通信技术领域, 尤其涉及一种基于异构身份的交互系统及方法。
背景技术
随着物联网技术的不断发展, 物联网设备呈现出了多样性的特点, 它们可以是不同身 份系统中的设备。 例如: 有些物联网设备在所属的身份系统中的身份是它的账号和密码; 有些物联网设备在所属的身份系统中的身份是它的 (International Mobile Subscriber Identification Number, IMSI) ; 还有些物联网设备在所属的身份系统中的身份是它的证书 或者是基于身份的数字签名 (Identity Based Signature, IBS ) 等。
由于不同身份系统的物联网设备没有统一的标准接口, 也没有统一的身份, 因此不同 身份系统的物联网设备之间不能实现两两身份认证、 通信、 交易等交互行为。 现有技术采 用建立物联网平台的方式以解决这一问题。 即所有异构身份系统中的物联网设备都信任该 物联网平台, 通过物联网平台为各个物联网设备提供的统一身份进行交互。
然而, 随着物联网技术的不断发展, 物联网设备的规模也在不断壮大, 目前物联网设 备的规模已经上升到百亿、 千亿级别。 基于此, 这将给物联网平台的处理能力和存储能力 带来极大的挑战, 并且该方式易造成物联网平台的单点故障, 进而造成整个交互系统的可 靠性较低的问题。 发明内容
本申请提供一种基于异构身份的交互系统及方法, 使得异构身份系统下的不同设备可 以不需要依赖统一的物联网平台就可以实现交互, 一方面可以提高交互系统的可靠性, 更 重要的是当未来全球范围内的智能设备产生两两交互的需求时, 很可能因为地域的限制, 不存在单一的物联网平台可以供全球所有设备使用。 本发明为这种场景提供了一种解决方 案。
第一方面, 本申请提供一种基于异构身份的交互系统, 包括: M个区块链共识节点和 M个异构身份系统, M为大于 1的正整数; 异构身份系统包括异构身份子系统, 异构身份 子系统包括终端设备。 其中, 第一异构身份子系统获取第一异构身份子系统包括的第一终 端设备在交互系统中的统一身份, 并将第一终端设备的统一身份发送给第一异构身份子系 统所属的异构身份系统对应的区块链共识节点,以使第一终端设备的统一身份在 M个区块 链共识节点之间共享; 第二异构身份子系统获取第二异构身份子系统包括的第二终端设备 在交互系统中的统一身份, 并将第二终端设备的统一身份发送给第二异构身份子系统所属 的异构身份系统对应的区块链共识节点,以使第二终端设备的统一身份在 M个区块链共识 节点之间共享; 第一异构身份子系统和第二异构身份子系统基于第一终端设备的统一身份 和第二终端设备的统一身份进行交互; 其中, 第一异构身份子系统和第二异构身份子系统 属于 M个异构身份系统中的两个不同的异构身份系统。
本申请的有益效果包括: 由于异构身份子系统可以获取包括的终端设备的统一身份, 并将该统一身份发送给对应的区块链共识节点,以使统一身份在 M个区块链共识节点之间, 从而实现异构身份子系统之间的交互。 本申请中, 无需设置独立的物联网平台。 而是设置 M个区块链共识节点, 这些区块链共识节点之间可以共享信息, 从而避免现有技术中物联 网平台的单点故障, 进而提高整个交互系统的可靠性。
可选地, 系统还包括: 处理模块。 基于此, 第一异构身份子系统根据第一终端设备的 统一身份生成第一终端设备的物理身份证明, 并生成物理身份证明的摘要, 物理身份证明 用于证明第一终端设备的统一身份与第一终端设备的关联关系; 处理模块获取并存储物理 身份证明, 并生成物理身份证明的链接; 将物理身份证明的链接发送给第一异构身份子系 统; 第一异构身份子系统将摘要和链接发送给第一异构身份子系统所属的异构身份系统对 应的区块链共识节点, 以使摘要和链接在 M个区块链共识节点之间共享; 第二异构身份子 系统获取摘要和链接, 根据摘要和链接验证物理身份证明, 并在对物理身份证明验证成功 时, 向第一异构身份子系统发送消息。
本申请的有益效果包括: 异构身份子系统可以自己生成其包括的终端设备的物理身份 证明, 其他异构身份子系统可以验证该物理身份证明, 当验证成功时, 异构身份子系统之 间可以进行交互, 当验证失败时, 异构身份子系统之间不可以进行交互, 从而提高整个交 互系统的可靠性。
可选地, 第一终端设备的统一身份为一公私钥对中的公钥; 第二异构身份子系统获取 第一终端设备对应的异构身份系统的公钥、 第一终端设备在对应的异构身份系统中的公钥 和一公私钥对的公钥; 相应的, 第二异构身份子系统在处理模块中检测并获取链接对应的 物理身份证明; 第二异构身份子系统计算物理身份证明的摘要; 若通过计算得到的物理身 份证明的摘要和第一异构身份子系统所属的异构身份系统对应的区块链共识节点存储的 物理身份证明的摘要相同, 则第二异构身份子系统根据第一终端设备对应的异构身份系统 的公钥、 第一终端设备在对应的异构身份系统中的公钥和一公私钥对的公钥验证物理身份 证明。
本申请的有益效果包括: 当第一终端设备的统一身份为一公私钥对中的公钥时, 第二 异构身份子系统通过该可选方式可以有效的验证物理身份证明, 从而提高整个交互系统的 可靠性。
可选地, 若第一终端设备对应的异构身份系统是基于公钥基础设施 PKI的系统, 则第 一异构身份子系统获取第一终端设备在对应的异构身份系统的 PKI证书以及 PKI证书的签 名; 第一异构身份子系统获取通过一公私钥对的私钥对第一终端设备在对应的异构身份系 统中的公钥进行签名, 得到的第一签名; 第一异构身份子系统获取通过该第一终端设备在 对应的异构身份系统中的私钥对一公私钥对的公钥进行签名, 得到的第二签名; 第一异构 身份子系统将 PKI证书、 PKI证书的签名、 第一签名和第二签名生成第一终端设备的物理 身份证明。
本申请的有益效果包括: 当第一终端设备对应的异构身份系统是基于 PKI 的系统时, 第一异构身份子系统通过该可选方式可以有效的生成第一终端设备的物理身份证明。 可选地, 第二异构身份子系统根据第一终端设备对应的异构身份系统的公钥和 PKI证 书验证 PKI证书签名、根据一公私钥对的公钥和第一终端设备在对应的异构身份系统中的 公钥验证第一签名和第二签名; 若对 PKI签名、 第一签名和第二签名均验证成功, 则第二 异构身份子系统确定对物理身份证明验证成功。
本申请的有益效果包括: 基于上述第一异构身份子系统生成第一终端设备的物理身份 证明的方式, 第二异构身份子系统通过该可选方式可以有效的验证物理身份证明, 从而提 高整个交互系统的可靠性。
可选地, 若第一终端设备对应的异构身份系统是基于 IBC的系统, 则第一异构身份子 系统获取通过一公私钥对的私钥对第一终端设备在对应的异构身份系统中的公钥进行签 名, 得到的第一签名; 第一异构身份子系统获取通过第一终端设备在对应的异构身份系统 中的私钥对一公私钥对的公钥进行签名, 得到的第二签名; 第一异构身份子系统将第一终 端设备在对应的异构身份系统的身份标识、 第一签名和第二签名生成第一终端设备的物理 身份证明。
本申请的有益效果包括: 当第一终端设备对应的异构身份系统是基于 IBC的系统时, 第一异构身份子系统通过该可选方式可以有效的生成第一终端设备的物理身份证明。
可选地, 第二异构身份子系统根据第一终端设备对应的异构身份系统的公钥和第一终 端设备在对应的异构身份系统的身份标识确定第一终端设备在对应的异构身份系统的公 钥; 第二异构身份子系统根据一公私钥对的公钥和第一终端设备在对应的异构身份系统中 的公钥验证第一签名和第二签名; 若对第一签名和第二签名均验证成功, 则第二异构身份 子系统确定对物理身份证明验证成功。
本申请的有益效果包括: 基于上述第一异构身份子系统生成第一终端设备的物理身份 证明的方式, 第二异构身份子系统通过该可选方式可以有效的验证物理身份证明, 从而提 高整个交互系统的可靠性。
可选地, 第二异构身份子系统获取并存储第一终端设备的统一身份以及第一终端设备 的统一身份的状态指示信息, 状态指示信息用于指示第一终端设备的统一身份为启用状态 或者非启用状态; 相应的, 若状态指示信息指示第一终端设备的统一身份的状态为启用状 态, 则第二异构身份子系统在处理模块中检测并获取链接对应的物理身份证明。
本申请的有益效果包括: 若状态指示信息指示终端设备的统一身份的状态为非启用状 态, 则无需检测终端设备的物理身份证明。 从而降低交互系统的资源消耗。
可选地, 系统还包括: 处理模块和物理身份生成设备; 物理身份生成设备获取第一终 端设备的统一身份, 并根据第一终端设备的统一身份生成第一终端设备的物理身份证明, 物理身份证明用于证明第一终端设备的统一身份与第一终端设备的关联关系; 第一异构身 份子系统获取物理身份证明, 并生成物理身份证明的摘要; 处理模块获取并存储物理身份 证明, 并生成物理身份证明的链接; 将物理身份证明的链接发送给第一异构身份子系统; 第一异构身份子系统将摘要和链接发送给第一异构身份子系统所属的异构身份系统对应 的区块链共识节点, 以使摘要和链接在 M个区块链共识节点之间共享; 第二异构身份子系 统获取摘要和链接,根据摘要和链接验证物理身份证明,并在对物理身份证明验证成功时, 向第一异构身份子系统发送消息。
本申请的有益效果包括: 物理身份生成设备可以生成异构身份子系统包括的终端设备 的物理身份证明, 其他异构身份子系统可以验证该物理身份证明, 当验证成功时, 异构身 份子系统之间可以进行交互, 当验证失败时, 异构身份子系统之间不可以进行交互, 从而 提高整个交互系统的可靠性。
可选地,第二异构身份子系统获取第一终端设备对应的异构身份系统的公钥;相应的, 第二异构身份子系统在处理模块中检测并获取链接对应的物理身份证明; 第二异构身份子 系统计算物理身份证明的摘要; 若通过计算得到的物理身份证明的摘要和第一异构身份子 系统所属的异构身份系统对应的区块链共识节点存储的物理身份证明的摘要相同, 则第二 异构身份子系统根据第一终端设备对应的异构身份系统的公钥验证物理身份证明。
本申请的有益效果包括: 第二异构身份子系统通过该可选方式可以有效的验证物理身 份证明, 从而提高整个交互系统的可靠性。
可选地, 第一终端设备的统一身份为一公私钥对中的公钥; 物理身份生成设备获取第 一终端设备在对应的异构身份系统的身份标识以及一公私钥对中的公钥; 物理身份生成设 备根据物理身份生成设备的私钥对第一终端设备在对应的异构身份系统的身份标识以及 一公私钥对中的公钥进行签名, 得到第一签名; 物理身份生成设备将第一终端设备在对应 的异构身份系统的身份标识、 一公私钥对中的公钥和第一签名生成物理身份证明。
本申请的有益效果包括: 第一异构身份子系统通过该可选方式可以有效的生成第一终 端设备的物理身份证明。
可选地, 第二异构身份子系统获取并存储第一终端设备的统一身份以及第一终端设备 的统一身份的状态指示信息, 状态指示信息用于指示第一终端设备的统一身份为启用状态 或者非启用状态; 相应的, 若状态指示信息指示第一终端设备的统一身份的状态为启用状 态, 则第二异构身份子系统在处理模块中检测并获取链接对应的物理身份证明。
本申请的有益效果包括: 若状态指示信息指示终端设备的统一身份的状态为非启用状 态, 则无需检测终端设备的物理身份证明。 从而降低交互系统的资源消耗。
可选地, 第一异构身份子系统仅包括第一终端设备; 或者, 第一异构身份子系统包括 第一终端设备、 第一终端设备的第一代理服务器和第一密钥托管中心; 第二异构身份子系 统仅包括第二终端设备; 或者, 第二异构身份子系统包括第二终端设备、 第二终端设备的 第一代理服务器和第一密钥托管中心。
下面介绍基于异构身份的交互方法, 其实现原理和技术效果与第一方面涉及的系统以 及第一方面的可选方式的原理和技术效果类似, 此处不再赘述。
第二方面, 本申请提供一种基于异构身份的交互方法, 该方法应用于基于异构身份的 交互系统,系统包括: M个区块链共识节点和 M个异构身份系统, M为大于 1的正整数; 异构身份系统包括异构身份子系统, 异构身份子系统包括终端设备; 相应的, 方法包括: 第一异构身份子系统获取第一异构身份子系统包括的第一终端设备在交互系统中的统一 身份, 并将第一终端设备的统一身份发送给第一异构身份子系统所属的异构身份系统对应 的区块链共识节点, 以使第一终端设备的统一身份在 M个区块链共识节点之间共享; 第二 异构身份子系统获取第二异构身份子系统包括的第二终端设备在交互系统中的统一身份, 并将第二终端设备的统一身份发送给第二异构身份子系统所属的异构身份系统对应的区 块链共识节点, 以使第二终端设备的统一身份在 M个区块链共识节点之间共享; 第一异构 身份子系统和第二异构身份子系统基于第一终端设备的统一身份和第二终端设备的统一 身份进行交互; 其中,第一异构身份子系统和第二异构身份子系统属于 M个异构身份系统 中的两个不同的异构身份系统。
下面分别介绍第一异构身份子系统、 第二异构身份子系统和物理身份生成设备, 其实 现原理和技术效果可参照第一方面涉及的系统以及第一方面的可选方式的原理和技术效 果, 此处不再赘述。
第三方面, 本申请提供一种第一异构身份子系统, 其中, 第一异构身份子系统包括: 获取模块、 发送模块和接收模块。
获取模块用于获取第一异构身份子系统包括的第一终端设备在交互系统中的统一身 份, 该发送模块用于将第一终端设备的统一身份发送给第一异构身份子系统所属的异构身 份系统对应的区块链共识节点,以使第一终端设备的统一身份在 M个区块链共识节点之间 共享; 该获取模块还用于获取第二终端设备的统一身份, 所述发送模块用于基于第一终端 设备的统一身份和第二终端设备的统一身份向第二终端设备所属的第二异构身份子系统 发送消息, 或者所述接收模块用于接收第二异构身份子系统发送的消息。
第四方面, 本申请提供一种第二异构身份子系统, 其中, 第二异构身份子系统包括获 取模块、 发送模块和接收模块;
该获取模块用于获取第二异构身份子系统包括的第二终端设备在交互系统中的统一 身份, 该发送模块用于将第二终端设备的统一身份发送给第二异构身份子系统所属的异构 身份系统对应的区块链共识节点,以使第二终端设备的统一身份在 M个区块链共识节点之 间共享; 该获取模块还用于获取第一终端设备的统一身份, 该发送模块还用于基于第一终 端设备的统一身份和第二终端设备的统一身份向第一终端设备所属的第一异构身份子系 统发送消息, 或者该接收模块用于接收第一异构身份子系统发送的消息。
第五方面, 本申请提供一种物理身份生成设备, 包括: 获取模块和生成模块; 该获取模块用于获取第一终端设备的统一身份; 生成模块用于根据第一终端设备的统 一身份生成第一终端设备的物理身份证明, 物理身份证明用于证明第一终端设备的统一身 份与第一终端设备的关联关系。
第六方面, 本申请提供一种第一异构身份子系统, 其中, 第一异构身份子系统包括: 处理器、 发送器和接收器。
处理器用于获取第一异构身份子系统包括的第一终端设备在交互系统中的统一身份, 该发送器用于将第一终端设备的统一身份发送给第一异构身份子系统所属的异构身份系 统对应的区块链共识节点,以使第一终端设备的统一身份在 M个区块链共识节点之间共享; 该处理器还用于获取第二终端设备的统一身份, 所述发送器用于基于第一终端设备的统一 身份和第二终端设备的统一身份向第二终端设备所属的第二异构身份子系统发送消息, 或 者所述接收器用于接收第二异构身份子系统发送的消息。
第七方面, 本申请提供一种第二异构身份子系统, 其中, 第二异构身份子系统包括处 理器、 发送器和接收器;
该处理器用于获取第二异构身份子系统包括的第二终端设备在交互系统中的统一身 份, 该发送器用于将第二终端设备的统一身份发送给第二异构身份子系统所属的异构身份 系统对应的区块链共识节点,以使第二终端设备的统一身份在 M个区块链共识节点之间共 享; 该处理器还用于获取第一终端设备的统一身份, 该发送器还用于基于第一终端设备的 统一身份和第二终端设备的统一身份向第一终端设备所属的第一异构身份子系统发送消 息, 或者该接收器用于接收第一异构身份子系统发送的消息。
第八方面, 本申请提供一种物理身份生成设备, 包括: 处理器和用于存储所述处理器 的执行代码的存储器, 以使处理器实现如下功能; 获取第一终端设备的统一身份, 并根据 第一终端设备的统一身份生成第一终端设备的物理身份证明, 物理身份证明用于证明第一 终端设备的统一身份与第一终端设备的关联关系。
第九方面, 本申请提供一种计算机存储介质, 用于储存为上述第三方面或第六方面涉 及的第一异构身份子系统所用的计算机软件指令, 其包含用于执行上述第三方面或第六方 面所涉及的程序。
第十方面, 本申请提供一种计算机程序产品, 其包含指令, 当计算机程序被计算机所 执行时, 该指令使得计算机执行第三方面或第六方面中第一异构身份子系统所执行的功能。
第十一方面, 本申请提供一种计算机存储介质, 用于储存为上述第四方面或第七方面 涉及的第二异构身份子系统所用的计算机软件指令, 其包含用于执行上述第四方面或第七 方面所涉及的程序。
第十二方面, 本申请提供一种计算机程序产品, 其包含指令, 当计算机程序被计算机 所执行时, 该指令使得计算机执行第四方面或第七方面中第二异构身份子系统所执行的功 能。
第十三方面, 本申请提供一种计算机存储介质, 用于储存为上述第五方面或第八方面 涉及的物理身份生成设备所用的计算机软件指令, 其包含用于执行上述第五方面或第八方 面所涉及的程序。
第十四方面, 本申请提供一种计算机程序产品, 其包含指令, 当计算机程序被计算机 所执行时, 该指令使得计算机执行第五方面或第八方面中物理身份生成设备所执行的功能。
本申请提供一种基于异构身份的交互系统及方法,包括: M个区块链共识节点和 M个 异构身份系统, M为大于 1的正整数; 异构身份系统包括异构身份子系统, 异构身份子系 统包括终端设备。 其中, 第一异构身份子系统获取第一异构身份子系统包括的第一终端设 备在交互系统中的统一身份, 并将第一终端设备的统一身份发送给第一异构身份子系统所 属的异构身份系统对应的区块链共识节点,以使第一终端设备的统一身份在 M个区块链共 识节点之间共享; 第二异构身份子系统获取第二异构身份子系统包括的第二终端设备在交 互系统中的统一身份, 并将第二终端设备的统一身份发送给第二异构身份子系统所属的异 构身份系统对应的区块链共识节点,以使第二终端设备的统一身份在 M个区块链共识节点 之间共享; 第一异构身份子系统和第二异构身份子系统基于第一终端设备的统一身份和第 二终端设备的统一身份进行交互; 其中, 第一异构身份子系统和第二异构身份子系统属于 M个异构身份系统中的两个不同的异构身份系统。 在本申请中, 无需设置独立的物联网平 台。而是设置 M个区块链共识节点, 这些区块链共识节点之间可以共享信息, 从而避免现 有技术中物联网平台的单点故障, 进而提高整个交互系统的可靠性。 附图说明
图 1为本申请一实施例提供的一种基于异构身份的交互系统 10的示意图;
图 2为本申请一实施例提供的一种基于异构身份的交互系统的局部示意图; 图 3为本申请另一实施例提供的一种基于异构身份的交互系统的局部示意图;
图 4为本申请一实施例提供的一种基于异构身份的交互方法的交互流程图; 图 5为本申请另一实施例提供的一种基于异构身份的交互方法的交互流程图 图 6为本申请再一实施例提供的一种基于异构身份的交互方法的交互流程图 图 7为本申请又一实施例提供的一种基于异构身份的交互方法的交互流程图 图 8为本申请一实施例提供的第一异构身份子系统 80的结构示意图
图 9为本申请一实施例提供的第二异构身份子系统 90的结构示意图
图 10为本申请一实施例提供的物理身份生成设备 100的结构示意图
图 11为本申请一实施例提供的第一异构身份子系统 110的结构示意图;
图 12为本申请一实施例提供的第二异构身份子系统 120的结构示意图;
图 13为本申请一实施例提供的物理身份生成设备 130的结构示意图。 具体实施方式
以下, 对本申请中的部分专业用语进行解释说明, 以便于本领域技术人员理解。 公钥密码 (Public Key Cryptography): 也称为非对称密码, 是一类密码算法, 需要两个 单独的密钥, 其中之一是保密的私有密钥 (私钥) , 另一个是公开密钥 (公钥) 。 公私钥 这两个部分在数学上是联系在一起的。 公钥用于加密明文或验证数字签名; 而私钥用于解 密密文或创建数字签名。
数字签名 (Digital Signature): 用于演示数字消息或文档的真实性的数学方案。 有效的 数字签名可以让接收者判定该消息是由已知的发送者 (认证) 创建的, 发送方不能否认对 消息签过名 (不可否认性) 。 同时验证数字签名还可以确认消息在传输 (完整性) 中未被 更改。
证书 (Certificate)和证书授权 (Certificate Authority, CA): 在密码学中, 证书授权 CA中 心是颁发数字证书的实体。 数字证书通过证书的指定主题证明公钥的所有权。 这允许其他 (依赖方) 依赖签名或关于对应于认证公钥的私钥的断言。 在这种信任关系模型中, CA 是受信任的第三方, 由证书的主体 (所有者) 和依赖证书的一方信任。 许多公钥基础设施 (Public Key Infrastructure, PKI) 方案都采用 CA。
传输层安全协议 (Transport Layer Security, TLS ) 是一种安全协议, 目的是为互联网 通信, 提供安全及数据完整性保障。 它主要应用于浏览器、 电子邮件、 即时通信、 和网络 传真等应用程序中。 TLS支持通信双方通过证书完成身份认证、 密钥协商、 加密通信等功 能。
PKI证书工作原理
假设 Alice和 Bob用数字签名 (非对称算法的用途之一) 进行认证时, Bob需要确保 所使用的确实是 Alice的公钥。 由于公钥是由随机选取的私钥导出的无意义字符串, 无任 何可辨认的现实特征。因此需要一种机制来保证 Bob及所有人确信该公钥确实是 Alice的。
PKI证书体系:建立可信任的第三方 CA,用户需向一个或多个 CA为其公钥申请证书, CA为该用户的公钥颁发证书, 担保用户对公钥的拥有。 而验证公钥证书实际是验证 CA 对该证书的签名。
其中, 用户申请证书的大致流程是: 用户生成公私钥对, 并将自己的公钥及身份信息 发送给 CA, 做必要的验证后, CA为用户的公钥产生一个证书, 以绑定该公钥与用户身份 信息。 其中, 证书是 CA通过自己的公钥对用户的公钥和身份信息的签名。 而 CA的公钥 是公认的, 无需进一步担保, 因此用户的证书及公钥可被其他方验证。
IBS身份认证工作原理
基于身份的密码机制 (Identity-Based Cryptography, IBC) 包括基于身份的签名技术
(Identity Based Signature, IBS )和基于身份的加密技术(Identity Based Encryption, IBE)。
IBS是特殊的公钥密码技术,它利用用户的身份标识(Identity, ID)作为自己的公钥, 因而不需要数字证书来绑定公钥和用户的 ID。 但需要可信任的密钥生成中心 (Key Generation Center, KGC)生成用户的私钥。
区块链 (Block Chain): 是一个分布式数据库, 它保持不断增长的名为区块的有序记录 列表。 每个块包含一个时间戳和指向前一个区块的链接。 区块链天然具有防篡改数据的功 能,数据一旦被记录到区块链中, 该数据则不能被单方面修改。通过使用对等网络(Peer to Peer, P2P)和分布式时间戳服务器, 区块链上的数据可以实现自动管理。 区块链是 "一个 开放的分布式分类帐, 可以有效地记录双方之间的交易以及其它各种信息, 并以可验证的 方式永久记录。
区块链共识节点 (Peer)、 共识算法 (Consensus Algorithm): 区块链由若干区块链共识节 点组成, 每个区块链共识节点可以是一台物理机器, 也可以是云端的虚拟机、 容器等逻辑 节点。 每一个区块链共识节点都会保存区块链中的完整数据和代码。 区块链共识节点之间 通过共识算法实现区块链数据的一致性。
本申请涉及到的终端设备可以被称为物联网 (Internet of thing, IoT)设备, 该终端设备 可以为电脑、 手机、 打印机、 冰箱、 机器人、 传感器、 电表、 水表等等可以接入到 IoT中 的终端设备。
本申请基于上述相关技术来解决现有技术中交互系统可靠性低的问题。
具体地, 图 1为本申请一实施例提供的一种基于异构身份的交互系统 10的示意图, 其中, 该系统的应用场景是: 当两种异构身份的终端设备需要进行身份认证、 通信、 交易 等交互行为时, 需要基于该交互系统实现。 具体地, 如图 1所示, 该交互系统 10包括: M 个区块链共识节点 11和 M个异构身份系统 12; M个异构身份系统 12与 M个区块链共识 节点 11一一对应, M为大于 1的正整数; 异构身份系统包括异构身份子系统 13, 异构身 份子系统 13包括终端设备。 其中, 每个区块链共识节点 11可以是一台物理机器, 也可以 是云端的虚拟机、 容器等逻辑节点, 本申请对此不做限制。
其中, 如图 1所示, 有些异构身份子系统 13仅包括终端设备。 这种情况的应用场景 是: 当终端设备不是轻量级设备时, 即该终端设备具有足够的存储空间以及通信能力, 则 异构身份子系统 13 仅包括终端设备。 例如: 手机、 计算机和平板设备等可以被理解为非 轻量级设备。 有些异构身份子系统 13包括终端设备 14、 终端设备 14对应的代理服务器 15以及代理服务器 15对应的密钥托管中心 16。 这种情况的应用场景是: 当终端设备是轻 量级设备时, 即该终端设备不具有足够的存储空间以及通信能力, 则异构身份子系统 13 通过代理服务器 15和密钥托管中心 16实现与其他终端设备之间的交互。 例如: 电表、 水 表、冰箱和打印机等可以被理解为轻量级设备。该密钥托管中心 16可以是一个物理设备, 也可以是一个逻辑节点。 需要说明的是, 交互系统 10 中包括的所有异构身份子系统中的每个异构身份子系统 可以仅包括终端设备, 也可以是所有异构身份子系统中的每个异构身份子系统均包括终端 设备、 代理服务器和密钥托管中心。 还可以是所有异构身份子系统中的部分异构身份子系 统仅包括终端设备,其他部分异构身份子系统包括终端设备、代理服务器和密钥托管中心。 本申请对此不做限制。
进一步地, 第一异构身份子系统获取第一异构身份子系统包括的第一终端设备在交互 系统中的统一身份, 并将第一终端设备的统一身份发送给第一异构身份子系统所属的异构 身份系统对应的区块链共识节点,以使第一终端设备的统一身份在 M个区块链共识节点之 间共享。 第二异构身份子系统获取第二异构身份子系统包括的第二终端设备在交互系统中 的统一身份, 并将第二终端设备的统一身份发送给第二异构身份子系统所属的异构身份系 统对应的区块链共识节点,以使第二终端设备的统一身份在 M个区块链共识节点之间共享; 第一异构身份子系统和第二异构身份子系统基于第一终端设备的统一身份和第二终端设 备的统一身份进行交互; 其中,第一异构身份子系统和第二异构身份子系统属于 M个异构 身份系统中的两个不同的异构身份系统。
即第一异构身份子系统和第二异构身份子系统属于 M个异构身份系统中的任意两个 不同的异构身份系统。 为了实现两个不同异构身份子系统的交互, 异构身份子系统需要获 取其包括的终端设备的统一身份。 以使异构身份子系统可以基于终端设备的统一身份进行 交互。
可选地, 终端设备在交互系统中的统一身份可以是一公私钥对中的公钥。 或者, 可以 是一对称密钥, 比如: 是终端设备的账号、 ID等。 其中, 终端设备在交互系统中的统一身 份可能和在其对应的异构身份系统中身份不同, 也可能相同, 例如: 当终端设备在对应的 异构身份系统中的身份是其公钥。 而规定终端设备在交互系统中的统一身份也是一公私钥 对中的公钥, 基于此, 终端设备可以将自己在异构身份系统中的公钥作为它的统一身份。 不过大多数情况下, 终端设备在交互系统中的统一身份和其在异构身份系统中的身份不同, 例如: 当终端设备在对应的异构身份系统中的身份是其账号。 而规定终端设备在交互系统 中的统一身份也是一公私钥对中的公钥, 基于此, 终端设备不可以将自己在异构身份系统 中的账号作为它的统一身份。 这种情况下, 该终端设备所在的异构身份子系统需要为该终 端设备生成统一身份。
异构身份子系统各自获取了包括的终端设备的统一身份之后, 需要将终端设备的统一 身份发送给异构身份子系统所属的异构身份系统对应的区块链共识节点, 基于上述专业术 语的介绍可知, 区块链共识节点之间可以共享信息, 具体地, 图 2为本申请一实施例提供 的一种基于异构身份的交互系统的局部示意图,在区块链上还存储有多个智能合约(Smart Contract) , 该智能合约还被称为分布式应用 (Distributed Application) , 可选的, 智能合 约与区块链共识节点一一对应, 其中, 该智能合约可以和区块链共识节点位于同一物理设 备或者同一逻辑节点上, 也可以位于不同的物理设备, 或者不同的逻辑节点上, 本申请对 此不做限制。 智能合约包括: 终端设备的统一身份; 可选地, 智能合约还包括: 该统一身 份的状态指示信息、 以及下面将要提到的终端设备的物理身份证明的摘要以及该物理身份 证明对应的存储链接等。 其中, 统一身份的状态指示信息用于指示终端设备的统一身份是 启用状态或者是非启用状态等。 终端设备的统一身份在 M个区块链共识节点之间共享之后,包括这些终端设备的异构 身份子系统之间可以进行交互。 可选地, 本申请中异构身份子系统中的交互可以是通信、 身份认证以及交易都能交互行为。
若该交互指的是异构身份子系统之间的通信行为, 则异构身份子系统可以基于包括的 终端设备的统一身份采用现有的 TLS进行通信, 本申请对此不做限制。
综上, 本申请提供一种基于异构身份的交互系统, 包括: M个区块链共识节点和 M个 异构身份系统,异构身份系统包括异构身份子系统,异构身份子系统包括终端设备,其中, 异构身份子系统可以获取包括的终端设备的统一身份, 并将该统一身份发送给异构身份子 系统所属的异构身份系统对应的区块链共识节点,终端设备的统一身份在 M个区块链共识 节点之间共享, 从而实现异构身份子系统之间的交互。 本申请中, 无需设置独立的物联网 平台。而是设置 M个区块链共识节点, 这些区块链共识节点之间可以共享信息, 从而避免 现有技术中物联网平台的单点故障, 进而提高整个交互系统的可靠性。
可选地, 当异构身份子系统仅包括终端设备时, 上述异构身份子系统的执行动作全部 由它所包括的终端设备执行。
可选地, 当异构身份子系统包括终端设备、 代理服务器和密钥托管中心时, 上述异构 身份子系统的执行动作由该子系统所包括的终端设备、 代理服务器和密钥托管中心执行。 其中, 代理服务器为该终端设备申请该终端设备在交互系统中的统一身份, 并将统一身份 存储在密钥托管中心, 当需要使用该统一身份时,可以从密钥托管中心中获取该统一身份。 终端设备、 代理服务器和密钥托管中心三者的功能具体如下:
终端设备向代理服务器发送统一身份请求消息, 其中, 该统一身份请求消息用于为终 端设备申请统一身份。 可选地, 该统一身份请求消息包括终端设备的 ID。
代理服务器向密钥托管中心转发统一身份请求消息。
密钥托管中心为终端设备随机生成统一身份, 并存储终端设备的 ID与该终端设备的 统一身份的对应关系; 并将该统一身份发送给代理服务器。
代理服务器向异构身份子系统所属的异构身份系统对应的区块链共识节点发送终端 设备的统一身份, 以使终端设备的统一身份在 M个区块链共识节点之间共享。基于此, 各 个异构身份系统中的终端设备或者异构身份子系统可以基于共享的终端设备的统一身份 进行交互。
进一步地, 异构身份子系统之间的交互可以仅基于统一身份进行, 也可以基于统一身 份和物理身份证明进行, 例如: 当两个异构身份子系统需要进行交易时, 它们之间需要验 证彼此包括的终端设备的物理身份。 当验证方对对方包括的终端设备的物理身份验证成功 时, 才可以进行交易等交互行为。 否则, 不进行相应的交互行为。
基于此, 需要为每个异构身份子系统生成物理身份证明, 其中, 物理身份证明用于证 明异构身份子系统包括的终端设备的统一身份与该终端设备的关联关系, 即用于证明统一 身份是否属于该终端设备。 而为每个异构身份子系统生成物理身份证明包括两个可选方式: 第一种可选方式: 异构身份子系统自己生成它包括的终端设备的物理身份证明。
第二种可选方式: 物理身份生成设备为终端设备生成物理身份证明。
例如: 当终端设备的统一身份是一公私钥对中的公钥, 该终端设备自己存储该一公私 钥对中的私钥 (而不是通过密钥托管中心存储私钥) , 且该终端设备在对应的异构身份系 统中的密钥是非对称密钥时, 异构身份子系统可以自己生成终端设备的物理身份证明。 当 然, 这种情况下, 也可以是物理身份生成设备生成终端设备的物理身份证明。
例如: 当终端设备的统一身份是一公私钥对中的公钥, 该终端设备自己存储该一公私 钥对中的私钥 (而不是通过密钥托管中心存储私钥) , 且该终端设备在对应的异构身份系 统中的密钥是对称密钥时, 物理身份生成设备为终端设备生成该终端设备的物理身份证明。
例如: 当终端设备的统一身份是一公私钥对中的公钥, 密钥托管中心存储该一公私钥 对中的私钥时, 物理身份生成设备为终端设备生成该终端设备的物理身份证明。
可选地, 本申请提供的物理身份生成设备可以是 CA。
下面以上述第一种可选方式为例对交互系统进行进一步的说明:结合图 1和图 2所示, 该交互系统还包括: 处理模块 17。
其中, 第一异构身份子系统根据第一终端设备的统一身份生成第一终端设备的物理身 份证明, 并生成物理身份证明的摘要, 物理身份证明用于证明第一终端设备的统一身份与 第一终端设备的关联关系。
处理模块 17 获取并存储物理身份证明, 并生成物理身份证明的链接; 将物理身份证 明的链接发送给第一异构身份子系统。
第一异构身份子系统将摘要和链接发送给第一异构身份子系统所属的异构身份系统 对应的区块链共识节点, 以使摘要和所述链接在 M个区块链共识节点之间共享。
第二异构身份子系统获取摘要和链接验证物理身份证明, 并根据摘要和链接验证物理 身份证明, 并在对物理身份证明验证成功时, 向第一异构身份子系统发送消息。
可选地, M个异构身份子系统和 N个处理模块对应, 其中, M和 N可以相等, 也可 以不相等, 如果 M和 N相等, 则 M个异构身份子系统和 N个处理模块是一一对应关系。 需要说明的是, 图 1 中仅示出的是处理模块 17和一个异构身份子系统连接的情况, 实际 上, 该处理模块可以和多个异构身份子系统连接, 本申请对此不做限制。
可选地, 处理模块可以是一个物理存储设备, 也可以是一个逻辑存储节点, 本申请对 此不做限制。
可选地, 物理身份证明的摘要可以是物理身份证明的哈希值。
可选地, 物理身份证明的链接用于査找物理身份证明。
可选地, 第一异构身份子系统可以生成随机的对称密钥 K, 并利用第二终端设备的统 一身份, 如一公私钥对中的公钥对该对称密钥 Κ进行加密, 得到密文 KC。 通过 K对物理 身份证明进行加密,基于此,处理模块 17存储的物理身份证明为加密后的物理身份证明。 相应的, 第二异构身份子系统在验证物理身份证明之前, 首先通过所述一公私钥对中的私 钥解密 KC, 得到对称密钥 K。 然后通过对称密钥 Κ解密加密后的物理身份证明, 得到物 理身份证明。
可选地, 第一异构身份子系统向第一异构身份子系统所属的异构身份系统对应的区块 链共识节点发送摘要和链接构成的消息的签名。 基于此, 第二异构身份子系统获取摘要和 链接以及摘要和链接构成的消息的签名,第二异构身份子系统先验证该签名,若验证成功, 则第一异构身份子系统所属的异构身份系统对应的区块链共识节点将该摘要和链接视为 无效信息。
可选地, 第二异构身份子系统获取摘要和链接的方式为: 第一异构身份子系统向第二 异构身份子系统发送存储摘要和链接的智能合约的地址以及该摘要, 第一异构身份子系统 通过该地址先査找到存储该摘要和该链接的智能合约, 然后通过该摘要査找到该链接。
可选地, 如图 1和图 2所示, 区块链共识节点存储对应的终端设备的统一身份的状态 指示信息, 该状态指示信息用于指示终端设备的统一身份为启用状态或者非启用状态。
基于此, 第二异构身份子系统获取并存储第一终端设备的统一身份以及第一终端设备 的统一身份的状态指示信息, 状态指示信息用于指示第一终端设备的统一身份为启用状态 或者非启用状态; 相应的, 若状态指示信息指示第一终端设备的统一身份的状态为启用状 态, 则第二异构身份子系统在处理模块中检测并获取链接对应的物理身份证明。 若状态指 示信息指示第一终端设备的统一身份的状态为非启用状态, 则第二异构身份子系统无需检 测第一终端设备的物理身份证明。
本申请中, 若状态指示信息指示终端设备的统一身份的状态为非启用状态, 则无需检 测终端设备的物理身份证明。 从而降低交互系统的资源消耗。
进一步地, 第一异构身份子系统生成第一终端设备的物理身份证明的具体方式为: 第一异构身份子系统可以对第一终端设备的统一身份采用一定的算法得到第一终端 设备的物理身份证明, 只要该物理身份证明可以证明第一终端设备的统一身份与第一终端 设备的关联关系即可。
或者,第一终端设备对应的异构身份系统可能是基于 PKI的系统或者是基于 IBC的系 统等。 由于第一终端设备对应的异构身份系统的不同, 第一异构身份子系统生成物理身份 证明的方式也不尽相同。
一种可选方式, 若第一终端设备对应的异构身份系统是基于公钥 PKI的系统, 则第一 异构身份子系统获取第一终端设备在对应的异构身份系统的 PKI证书以及 PKI证书的签名; 获取通过所述一公私钥对的私钥对第一终端设备在对应的异构身份系统中的公钥进行签 名, 得到的第一签名; 获取通过所述第一终端设备在对应的异构身份系统中的私钥对一公 私钥对的公钥进行签名, 得到的第二签名; 将 PKI证书、 PKI证书的签名、 第一签名和第 二签名生成第一终端设备的物理身份证明。
其中, 第一签名由颁发所述一公私钥对的系统或者设备生成。 第二签名由第一终端设 备对应的异构身份系统生成。
具体地, 第一异构身份子系统主动向其对应的异构身份系统的 CA发送请求消息, 以 请求获取第一终端设备的 PKI证书以及 PKI证书的签名,或者第一异构身份子系统无需向 该 CA发送请求消息, 而是该 CA主动向第一异构身份子系统发送 PKI证书以及 PKI证书 的签名。 可选地, CA对 PKI证书的签名过程包括: CA对于待签名的 PKI证书 M, 计算 得到 M 的哈希值 hl=Hash(M), 然后用 CA 的私钥 ski 和哈希值 hi 计算得到签名 sigl=Sign(skl,hl), 其中 Sign()是非对称算法的签名算法。 本申请对该签名算法不做限制。
进一步地, 颁发所述一公私钥对的系统或者设备生成第一签名的过程包括: 该设备或 者系统通过所述一公私钥对中的私钥 sk2, 对第一终端设备在对应的异构身份系统中的公 钥 pk2, 计算得到 pk2的哈希值 h2=Hash(pk2), 然后用所述一公私钥对中的私钥和哈希值 h2计算得到第一签名 sig2=Sign(Sk2,h2), 其中 Sign()是非对称算法的签名算法。 本申请对 该签名算法不做限制。
同样的, 第一终端设备对应的异构身份系统生成第二签名的过程包括; 通过第一终端 设备在对应的异构身份系统中的私钥 sk3,对一公私钥对的公钥 pk3,计算得到 pk3的哈希 值 h3=Hash(pk3), 然后用私钥 sk3和哈希值 h3计算得到第二签名 sig3=Sign(sk3,h3), 其中 Sign()是非对称算法的签名算法。
可选地, 将 PKI证书、 PKI证书的签名、 第一签名和第二签名生成第一终端设备的物 理身份证明, 包括: 将 PKI证书、 PKI证书的签名、 第一签名和第二签名组成第一终端设 备的物理身份证明, 即物理身份证明包括: PKI证书、 PKI证书的签名、 第一签名和第二 签名。
另一种可选方式: 若第一终端设备对应的异构身份系统是基于 IBC的系统, 则第一异 构身份子系统获取通过一公私钥对的私钥对第一终端设备在对应的异构身份系统中的公 钥进行签名, 得到第一签名; 获取通过第一终端设备在对应的异构身份系统中的私钥对一 公私钥对的公钥进行签名, 得到第二签名; 将第一终端设备在对应的异构身份系统的 ID、 第一签名和第二签名生成第一终端设备的物理身份证明。
其中, 第一签名由颁发所述一公私钥对的系统或者设备生成。 第二签名由第一终端设 备对应的异构身份系统生成。
具体地, 颁发所述一公私钥对的系统或者设备生成第一签名的过程包括; 通过所述一 公私钥对中的私钥 sk2, 对第一终端设备在对应的异构身份系统中的公钥 pkl, 计算得到 pkl的哈希值 h2=Hash(pkl),然后用所述一公私钥对中的私钥和哈希值 h2计算得到第一签 名 sig2=Sign(sk2,h2),其中 Sign()是非对称算法的签名算法。本申请对该签名算法不做限制。
同样的, 通过第一终端设备对应的异构身份系统生成第二签名的过程包括; 通过第一 终端设备在对应的异构身份系统中的私钥 sk3, 对一公私钥对的公钥 pk2, 计算得到 pk2 的哈希值 h3=Hash(pk2),然后用私钥 sk3和哈希值 h3计算得到第二签名 sig3=Sign(sk3,h3), 其中 Sign()是非对称算法的签名算法。
可选地, 将第一终端设备在对应的异构身份系统的 ID、第一签名和第二签名生成第一 终端设备的物理身份证明, 包括: 将第一终端设备在对应的异构身份系统的 ID、 第一签名 和第二签名组成第一终端设备的物理身份证明, 即物理身份证明包括: 第一终端设备在对 应的异构身份系统的 ID、 第一签名和第二签名。
进一步地, 基于上述第一异构身份子系统生成第一终端设备的物理身份证明的方式, 第二异构身份子系统具有对应的验证物理身份证明的功能, 具体如下:
可选地, 第一终端设备的统一身份为一公私钥对中的公钥; 第二异构身份子系统获取 第一终端设备对应的异构身份系统的公钥、 第一终端设备在对应的异构身份系统中的公钥 和一公私钥对的公钥。 相应的, 第二异构身份子系统在处理模块中检测并获取链接对应的 物理身份证明; 计算物理身份证明的摘要; 若通过计算得到的物理身份证明的摘要和第一 异构身份子系统所属的异构身份系统对应的区块链共识节点存储的物理身份证明的摘要 相同, 则根据第一终端设备对应的异构身份系统的公钥、 第一终端设备在对应的异构身份 系统中的公钥和一公私钥对的公钥验证物理身份证明。
其中, 若第一终端设备对应的异构身份系统为基于 PKI的系统, 则异构身份系统的公 钥指的是该异构身份系统中的 CA的公钥。 若异构身份系统为基于 IBC的系统, 则异构身 份系统的公钥指的是该异构身份系统中的全局公钥。
进一步地, 针对第一终端设备对应的异构身份系统为基于 PKI的系统或者是基于 IBC 的系统, 则第二异构身份子系统验证物理身份证明具体分为如下两种情况:
1、 第二异构身份子系统根据第一终端设备对应的异构身份系统的公钥和 PKI证书验 证 PKI证书签名、根据一公私钥对的公钥和第一终端设备在对应的异构身份系统中的公钥 验证第一签名和第二签名; 若对 PKI签名、 第一签名和第二签名均验证成功, 则确定对物 理身份证明验证成功。
具体地, 假设第二异构身份子系统收到带签名的消息 (M,sigl), 其中, M表示 PKI证 书, sigl表示对 PKI证书的签名, 同时第二异构身份子系统可以获取到 CA的公钥 pkl。 基于此, 第二异构身份子系统首先计算 M的哈希值 hl=Hash(M), 然后调用非对称算法的 验证算法 Verify(pkl,hl, sigl)。 VerifyO算法会返回一个布尔值, 如果值为真, 则 PKI证书 签名验证成功; 如果值为假, 则 PKI证书签名验证失败。
同样的, 对第一签名的验证过程为: 第二异构身份子系统首先计算第一终端设备在对 应的异构身份系统中的公钥的哈希值 h2, 获取所述一公私钥对的公钥 pk2。 然后调用非对 称算法的验证算法 Verify(pk2,h2, sig2)。 sig2为第一签名。 VerifyO算法会返回一个布尔值, 如果值为真, 则第一签名验证成功; 如果值为假, 则第一签名验证失败。
对第二签名的验证过程为: 第二异构身份子系统首先计算所述一公私钥对的公钥的哈 希值 h3, 获取第一终端设备在对应的异构身份系统中的公钥 pk3。 然后调用非对称算法的 验证算法 Verify(pk3,h3, sig3)。 Sig3为第二签名。 VerifyO算法会返回一个布尔值, 如果值 为真, 则第二签名验证成功; 如果值为假, 则第二签名验证失败。
最后, 若对 PKI签名、 第一签名和第二签名均验证成功, 则确定对第一终端设备的物 理身份证明验证成功。
2、 第二异构身份子系统根据第一终端设备对应的异构身份系统的公钥和第一终端设 备在对应的异构身份系统的 ID确定第一终端设备在对应的异构身份系统的公钥; 根据一 公私钥对的公钥和第一终端设备在对应的异构身份系统中的公钥验证第一签名, 并根据第 一终端设备在对应的异构身份系统中的公钥验证第二签名; 若对第一签名和第二签名均验 证成功, 则确定对物理身份证明验证成功。
具体地, 可以采用现有技术根据第一终端设备对应的异构身份系统的公钥和第一终端 设备在对应的异构身份系统的身份标识确定第一终端设备在对应的异构身份系统的公钥, 本申请对此不做限制。
对第一签名的验证过程为: 第二异构身份子系统首先计算第一终端设备在对应的异构 身份系统中的公钥的哈希值 h2, 获取所述一公私钥对的公钥 pk2。 然后调用非对称算法的 验证算法 Verify(pk2,h2, sig2)。 sig2为第一签名。 VerifyO算法会返回一个布尔值, 如果值 为真, 则第一签名验证成功; 如果值为假, 则第一签名验证失败。
对第二签名的验证过程为: 第二异构身份子系统首先计算所述一公私钥对的公钥的哈 希值 h3, 获取第一终端设备在对应的异构身份系统中的公钥 pk3。 然后调用非对称算法的 验证算法 Verify(pk3,h3, sig2)。 Sig3为第二签名。 VerifyO算法会返回一个布尔值, 如果值 为真, 则第二签名验证成功; 如果值为假, 则第二签名验证失败。
最后, 若对 PKI签名、 第一签名和第二签名均验证成功, 则确定对第一终端设备的物 理身份证明验证成功。
进一步地, 第二异构身份子系统也可以生成第二终端设备的物理身份证明, 相应的, 第一异构身份子系统也可以验证第二终端设备的物理身份证明。 其中, 第二异构身份子系 统生成第二终端设备的物理身份证明的方法与第一异构身份子系统生成第一终端设备的 物理身份证明的方法类似, 第一异构身份子系统验证第二终端设备的物理身份证明与第二 异构身份子系统验证第一终端设备的物理身份证明的方法类似, 本申请对此不再赘述。
可选地, 当异构身份子系统仅包括终端设备时, 上述异构身份子系统的执行动作全部 由它所包括的终端设备执行。
可选地, 当异构身份子系统包括终端设备、 代理服务器和密钥托管中心时, 上述异构 身份子系统的执行动作由该子系统所包括的终端设备、 代理服务器和密钥托管中心执行。 其中, 终端设备、 代理服务器和密钥托管中心三者的功能具体如下:
假设第一异构身份子系统包括:第一终端设备、第一代理服务器和第一密钥托管中心, 以第一终端设备对应的异构身份系统为基于 PKI的系统为例, 第一异构身份系统生成物理 身份证明的过程是: 第一代理服务器向 CA发送物理身份请求消息, 其中该物理身份请求 消息包括: 第一终端设备的 ID和统一身份; CA根据第一终端设备的 ID和统一身份为第 一终端设备生成 PKI证书以及 PKI证书签名; CA将 PKI证书和 PKI证书签名发送给第一 代理服务器; 第一代理服务器获取第一签名和第二签名。 最后, 第一代理服务器将 PKI证 书、 PKI证书的签名、 第一签名和第二签名生成第一终端设备的物理身份证明。
相应的, 假设第二异构身份子系统包括: 第二终端设备、 第二代理服务器和第二密钥 托管中心, 第一异构身份系统验证第一终端设备的物理身份证明的过程是: 第二代理服务 器根据第一终端设备对应的异构身份系统的公钥和 PKI证书验证 PKI证书签名、根据一公 私钥对的公钥和第一终端设备在对应的异构身份系统中的公钥验证第一签名和第二签名; 若对 PKI签名、 第一签名和第二签名均验证成功, 则确定对物理身份证明验证成功。 其中 第二代理服务器验证第一终端设备的物理身份证明的具体步骤参照上述内容, 本申请对此 不做限制。
综上,在本申请中,异构身份子系统可以自己生成其包括的终端设备的物理身份证明, 其他异构身份子系统可以验证该物理身份证明, 当验证成功时, 异构身份子系统之间可以 进行交互, 当验证失败时, 异构身份子系统之间不可以进行交互, 从而提高整个交互系统 的可靠性。
下面以异构身份子系统生成物理身份证明的第二种可选方式为例对交互系统进行进 一步的说明:图 3为本申请另一实施例提供的一种基于异构身份的交互系统的局部示意图, 结合图 1、 图 2和图 3, 可选地, 交互系统还包括: 处理模块 17和物理身份生成设备 18; 需要说明的是, 异构身份子系统可以具有对应的物理身份生成设备 18, 这种情况下, 物理 身份生成设备 18 可以为对应的异构身份子系统生成物理身份证明。 可选地, 物理身份生 成设备 18为 CA。
具体地, 物理身份生成设备 18 获取第一终端设备的统一身份, 并根据第一终端设备 的统一身份生成第一终端设备的物理身份证明, 物理身份证明用于证明第一终端设备的统 一身份与第一终端设备的关联关系。
第一异构身份子系统获取物理身份证明, 并生成物理身份证明的摘要。
处理模块 17 获取并存储物理身份证明, 并生成物理身份证明的链接; 将物理身份证 明的链接发送给第一异构身份子系统。 第一异构身份子系统将摘要和链接发送给第一异构身份子系统所属的异构身份系统 对应的区块链共识节点, 以使所述摘要和链接在 M个区块链共识节点之间共享。
第二异构身份子系统获取摘要和链接, 根据摘要和链接验证物理身份证明, 并在对物 理身份证明验证成功时, 向第一异构身份子系统发送消息。
可选地, M个异构身份子系统和 N个处理模块对应, 其中, M和 N可以相等, 也可 以不相等, 如果 M和 N相等, 则 M个异构身份子系统和 N个处理模块是一一对应关系。
可选地, 处理模块可以是一个物理存储设备, 也可以是一个逻辑存储节点, 本申请对 此不做限制。
可选地, 物理身份证明的摘要可以是物理身份证明的哈希值。
可选地, 物理身份证明的链接用于査找物理身份证明。
可选地, 第一异构身份子系统可以生成随机的对称密钥 κ, 并利用第二终端设备的统 一身份, 如一公私钥对中的公钥对该对称密钥 Κ进行加密, 得到密文 KC。 通过 K对物理 身份证明进行加密,基于此,处理模块 17存储的物理身份证明为加密后的物理身份证明。 相应的, 第二异构身份子系统在验证物理身份证明之前, 首先通过所述一公私钥对中的私 钥解密 KC, 得到对称密钥 K。 然后通过对称密钥 Κ解密加密后的物理身份证明, 得到物 理身份证明。
可选地, 第一异构身份子系统向第一异构身份子系统所属的异构身份系统对应的区块 链共识节点发送摘要和链接构成的消息的签名。 基于此, 第二异构身份子系统获取摘要和 链接以及摘要和链接构成的消息的签名,第二异构身份子系统先验证该签名,若验证成功, 则第一异构身份子系统所属的异构身份系统对应的区块链共识节点将该摘要和链接视为 无效信息。
可选地, 第二异构身份子系统获取摘要和链接的方式为: 第一异构身份子系统向第二 异构身份子系统发送存储摘要和链接的智能合约的地址以及该摘要, 第一异构身份子系统 通过该地址先査找到存储该摘要和该链接的智能合约, 然后通过该摘要査找到该链接。
可选地, 如图 2和图 3所示, 区块链共识节点存储对应的终端设备的统一身份的状态 指示信息, 该状态指示信息用于指示终端设备的统一身份为启用状态或者非启用状态。
基于此, 第二异构身份子系统获取并存储第一终端设备的统一身份以及第一终端设备 的统一身份的状态指示信息, 状态指示信息用于指示第一终端设备的统一身份为启用状态 或者非启用状态; 相应的, 若状态指示信息指示第一终端设备的统一身份的状态为启用状 态, 则第二异构身份子系统在处理模块中检测并获取链接对应的物理身份证明。 若状态指 示信息指示第一终端设备的统一身份的状态为非启用状态, 则无需检测第一终端设备的物 理身份证明。
本申请中, 若状态指示信息指示终端设备的统一身份的状态为非启用状态, 则无需检 测终端设备的物理身份证明。 从而降低交互系统的资源消耗。
进一步地, 物理身份生成设备生成第一终端设备的物理身份证明的具体方式为: 其中, 物理身份生成设备可以对第一终端设备的统一身份采用一定的算法得到第一终 端设备的物理身份证明, 只要该物理身份证明可以证明第一终端设备的统一身份与第一终 端设备的关联关系即可。
或者, 第一终端设备对应的异构身份系统可能是基于 ΡΚΙ的系统、 基于 IBC的系统、 基于账号密码的系统或者基于 IMSI 的系统等。 物理身份生成设备生成物理身份证明的方 式如下- 可选地, 第一终端设备的统一身份为一公私钥对中的公钥; 则物理身份生成设备 18 获取第一终端设备在对应的异构身份系统的 ID 以及所述一公私钥对中的公钥; 根据物理 身份生成设备 18的私钥对第一终端设备在对应的异构身份系统的 ID以及所述一公私钥对 中的公钥进行签名, 得到第一签名; 将第一终端设备在对应的异构身份系统的 ID、 所述一 公私钥对中的公钥和第一签名生成物理身份证明。
其中, 根据物理身份生成设备 18的私钥对第一终端设备在对应的异构身份系统的 ID 以及所述一公私钥对中的公钥进行签名,包括:物理身份生成设备 18通过自己的私钥 ski, 对于待签名的第一终端设备在对应的异构身份系统的 ID以及所述一公私钥对中的公钥 M, 计算得到 M的哈希值 hl=Hash(M), 然后用 CA的私钥 ski和哈希值 hi计算得到第一签名 sigl=Sign(skl,hl), 其中 Sign()是非对称算法的签名算法。 本申请对该签名算法不做限制。
可选地, 将第一终端设备在对应的异构身份系统的 ID、所述一公私钥对中的公钥和第 一签名生成物理身份证明, 包括: 第一终端设备在对应的异构身份系统的 ID、 所述一公私 钥对中的公钥和第一签名组成第一终端设备的物理身份证明, 即第一终端设备的物理身份 证明包括: 第一终端设备在对应的异构身份系统的 ID、所述一公私钥对中的公钥和第一签 名。
可选地,第二异构身份子系统获取第一终端设备对应的异构身份系统的公钥;相应的, 第二异构身份子系统在处理模块 17 中检测并获取链接对应的物理身份证明; 计算物理身 份证明的摘要; 若通过计算得到的物理身份证明的摘要和第一异构身份子系统所属的异构 身份系统对应的区块链共识节点存储的物理身份证明的摘要相同, 则根据第一终端设备对 应的异构身份系统的公钥验证物理身份证明。
可选地, 第二异构身份子系统根据第一终端设备的统一身份确定第一终端设备对应的 异构身份系统, 并向该异构身份系统发送请求消息, 以请求获取该异构身份系统的公钥。 其中, 若第一终端设备对应的异构身份系统为基于 PKI的系统, 则异构身份系统的公钥指 的是该异构身份系统中的 CA的公钥。 若异构身份系统为基于 IBC的系统, 则异构身份系 统的公钥指的是该异构身份系统中的全局公钥。
可选地, 根据第一终端设备对应的异构身份系统的公钥验证物理身份证明过程是: 如 上所述, 物理身份证明包括: 第一终端设备在对应的异构身份系统的 ID、 所述一公私钥对 中的公钥和第一签名。 当第二异构身份子系统获取到该物理身份证明后, 基于此, 第二异 构身份子系统首先计算第一终端设备在对应的异构身份系统的 ID、所述一公私钥对中的公 钥构成的消息 M的哈希值 hl=Hash(M), 然后调用非对称算法的验证算法 Verify(pkl,hl, sig2), sig2为第一签名。 其中, pkl是第一终端设备对应的异构身份系统的公钥。 VerifyO 算法会返回一个布尔值, 如果值为真, 则物理身份证明验证成功; 如果值为假, 则物理身 份证明验证失败。
可选地, 当异构身份子系统仅包括终端设备时, 上述异构身份子系统的执行动作全部 由它所包括的终端设备执行。
可选地, 当异构身份子系统包括终端设备、 代理服务器和密钥托管中心时, 上述异构 身份子系统的执行动作由该子系统所包括的终端设备、 代理服务器和密钥托管中心执行。 其中, 终端设备、 代理服务器和密钥托管中心三者的功能具体如下:
第一异构身份子系统中的第一代理服务器获取第一终端设备的物理身份证明, 第一代 理服务器代理第一终端设备与第二异构身份子系统进行交互。 第二异构身份子系统中的第 二代理服务器验证物理身份证明。
综上, 在本申请中, 物理身份生成设备可以生成该异构身份子系统包括的终端设备的 物理身份证明, 其他异构身份子系统可以验证该物理身份证明, 当验证成功时, 异构身份 子系统之间可以进行交互, 当验证失败时, 异构身份子系统之间不可以进行交互, 从而提 高整个交互系统的可靠性。
可选地, 上述交互系统还包括一个证书颁发设备, 当一个异构身份系统需要加入该交 互系统时, 该证书颁发设备向该异构身份系统颁发证书, 并为该异构身份系统部署区块链 共识节点, 以实现该异构身份系统中的异构身份子系统与其他异构身份系统中的异构身份 子系统之间的交互。
下面介绍基于异构身份的交互方法, 具体如下:
图 4为本申请一实施例提供的一种基于异构身份的交互方法的交互流程图, 其中该方 法由上述基于异构身份的交互系统执行, 具体地, 如图 4所示, 该方法包括如下步骤: 步骤 S401 :第一异构身份子系统获取第一异构身份子系统包括的第一终端设备在该交 互系统中的统一身份;
步骤 S402:第一异构身份子系统将第一终端设备的统一身份发送给第一异构身份子系 统所属的异构身份系统对应的区块链共识节点 (本申请称为第一区块链共识节点) , 以使 第一终端设备的统一身份在 M个区块链共识节点之间共享;
步骤 S403:第二异构身份子系统获取第二异构身份子系统包括的第二终端设备在交互 系统中的统一身份;
步骤 S404:第二异构身份子系统将第二终端设备的统一身份发送给第二异构身份子系 统所属的异构身份系统对应的区块链共识节点 (本申请称为第二区块链共识节点) , 以使 第二终端设备的统一身份在 M个区块链共识节点之间共享;
步骤 S405:第一异构身份子系统和第二异构身份子系统基于第一终端设备的统一身份 和第二终端设备的统一身份进行交互。
其中,第一异构身份子系统和第二异构身份子系统属于 M个异构身份系统中的两个不 同的异构身份系统。
本申请提供的基于异构身份的交互方法可以由上述基于异构身份的交互系统执行, 对 应内容和效果与上述基于异构身份的交互系统的内容和效果相同, 在此不再赘述。
可选地, 当异构身份子系统仅包括终端设备时, 上述异构身份子系统的执行步骤全部 由它所包括的终端设备执行。
可选地, 当异构身份子系统包括终端设备、 代理服务器和密钥托管中心时, 上述异构 身份子系统的执行动作由该子系统所包括的终端设备、 代理服务器和密钥托管中心执行。 假设第一异构身份子系统包括: 第一终端设备、 第一代理服务器和第一密钥托管中心: 第 二异构身份子系统仅包括第二终端设备, 则上述方法具体如下: 具体地, 图 5为本申请另 一实施例提供的一种基于异构身份的交互方法的交互流程图, 其中该方法由上述基于异构 身份的交互系统执行, 具体地, 如图 5所示, 该方法包括如下步骤: 步骤 S501 : 第一终端设备向第一代理服务器发送统一身份请求消息;
其中, 该统一身份请求消息用于为终端设备申请统一身份。 可选地, 该统一身份请求 消息包括终端设备的 ID。
步骤 S502: 第一代理服务器向第一密钥托管中心转发统一身份请求消息;
步骤 S503: 第一密钥托管中心为终端设备随机生成统一身份, 并存储终端设备的 ID 与该终端设备的统一身份的对应关系;
步骤 S504: 第一密钥托管中心将该统一身份发送给第一代理服务器;
步骤 S505:第一代理服务器向第一异构身份子系统所属的异构身份系统对应的区块链 共识节点 (本申请称为第一区块链共识节点) 发送第一终端设备的统一身份, 以使第一终 端设备的统一身份在 M个区块链共识节点之间共享。
步骤 S506: 第二终端设备获取第二终端设备在交互系统中的统一身份;
步骤 S507:第二终端设备将第二终端设备的统一身份发送给第二异构身份子系统所属 的异构身份系统对应的区块链共识节点 (本申请称为第二区块链共识节点) , 以使第二终 端设备的统一身份在 M个区块链共识节点之间共享;
步骤 S508:第一代理服务器和第二终端设备基于第一终端设备的统一身份和第二终端 设备的统一身份进行交互。
本申请提供的基于异构身份的交互方法可以由上述基于异构身份的交互系统执行, 对 应内容和效果与上述基于异构身份的交互系统的内容和效果相同, 在此不再赘述。
进一步地, 异构身份子系统之间的交互可以仅基于统一身份进行, 也可以基于统一身 份和物理身份证明进行, 例如: 当两个异构身份子系统需要进行交易时, 它们之间需要验 证彼此包括的终端设备的物理身份。 当验证方对对方包括的终端设备的物理身份验证成功 时, 才可以进行交易等交互行为。 否则, 不进行相应的交互行为。
基于此, 需要为每个异构身份子系统生成物理身份证明, 其中, 物理身份证明用于证 明异构身份子系统包括的终端设备的统一身份与该终端设备的关联关系, 即用于证明统一 身份是否属于该终端设备。 而为每个异构身份子系统生成物理身份证明包括两个可选方式: 第一种可选方式: 异构身份子系统自己生成它包括的终端设备的物理身份证明。
第二种可选方式: 物理身份生成设备为终端设备生成物理身份证明。
基于第一种可选方式进行说明, 图 6为本申请再一实施例提供的一种基于异构身份的 交互方法的交互流程图, 其中该方法由上述基于异构身份的交互系统执行, 其中, 该交互 系统还包括: 处理模块; 具体地, 如图 6所示, 上述步骤 405包括如下流程:
步骤 S601 :第一异构身份子系统根据第一终端设备的统一身份生成第一终端设备的物 理身份证明, 并生成物理身份证明的摘要;
其中, 物理身份证明用于证明第一终端设备的统一身份与第一终端设备的关联关系。 步骤 S602: 处理模块获取第一终端设备的物理身份证明;
步骤 S603: 处理模块存储物理身份证明, 并生成物理身份证明的链接;
步骤 S604: 处理模块将物理身份证明的链接发送给第一异构身份子系统;
步骤 S605: 第一异构身份子系统将摘要和链接发送给第一区块链共识节点; 以使摘要 和链接在 M个区块链共识节点之间共享;
步骤 S606:第二异构身份子系统从第二区块链共识节点获取第一异构身份系统的摘要 和链接;
步骤 S607: 第二异构身份子系统根据摘要和链接验证物理身份证明;
步骤 S608: 第二异构身份子系统在对物理身份证明验证成功时, 向第一异构身份子系 统发送消息。
可选地, 第一终端设备的统一身份为一公私钥对中的公钥; 第二异构身份子系统获取 第一终端设备对应的异构身份系统的公钥、 第一终端设备在对应的异构身份系统中的公钥 和一公私钥对的公钥; 相应的, 步骤 S607 包括: 在处理模块中检测并获取链接对应的物 理身份证明; 计算物理身份证明的摘要; 若通过计算得到的物理身份证明的摘要和第一异 构身份子系统所属的异构身份系统对应的区块链共识节点存储的物理身份证明的摘要相 同, 则根据第一终端设备对应的异构身份系统的公钥、 第一终端设备在对应的异构身份系 统中的公钥和一公私钥对的公钥验证物理身份证明。
可选地, 若第一终端设备对应的异构身份系统是基于 PKI的系统, 则步骤 S601 : 获取 第一终端设备在对应的异构身份系统的 PKI证书以及 PKI证书的签名;获取通过所述一公 私钥对的私钥对第一终端设备在对应的异构身份系统中的公钥进行签名, 得到的第一签名; 获取通过根据第一终端设备在对应的异构身份系统中的私钥对一公私钥对的公钥进行签 名, 得到的第二签名; 将 PKI证书、 PKI证书的签名、 第一签名和第二签名生成第一终端 设备的物理身份证明。
相应的, 步骤 S607包括: 根据第一终端设备对应的异构身份系统的公钥和 PKI证书 验证 PKI证书签名、根据一公私钥对的公钥和第一终端设备在对应的异构身份系统中的公 钥验证第一签名和第二签名; 若对 PKI签名、 第一签名和第二签名均验证成功, 则确定对 物理身份证明验证成功。
可选地,若第一终端设备对应的异构身份系统是基于 IBC的系统,则步骤 S601包括: 获取通过所述一公私钥对的私钥对第一终端设备在对应的异构身份系统中的公钥进行签 名, 得到的第一签名; 获取通过第一终端设备在对应的异构身份系统中的私钥对一公私钥 对的公钥进行签名,得到的第二签名;将第一终端设备在对应的异构身份系统的身份标识、 第一签名和第二签名生成第一终端设备的物理身份证明。
相应的, 步骤 S607包括: 根据第一终端设备对应的异构身份系统的公钥和第一终端 设备在对应的异构身份系统的身份标识确定第一终端设备在对应的异构身份系统的公钥; 根据一公私钥对的公钥和第一终端设备在对应的异构身份系统中的公钥验证第一签名和 第二签名; 若对第一签名和第二签名均验证成功, 则确定对物理身份证明验证成功。
可选地, 所述方法还包括: 第一区块链共识节点获取并存储第一终端设备的统一身份 以及第一终端设备的统一身份的状态指示信息, 状态指示信息用于指示第一终端设备的统 一身份为启用状态或者非启用状态; 相应的, 若状态指示信息指示第一终端设备的统一身 份的状态为启用状态, 则第二异构身份子系统在处理模块中检测并获取链接对应的物理身 份证明。
基于第二种可选方式进行说明, 图 7为本申请又一实施例提供的一种基于异构身份的 交互方法的交互流程图, 其中该方法由上述基于异构身份的交互系统执行, 其中, 该交互 系统还包括: 处理模块和物理身份生成设备; 具体地, 如图 7所示, 上述步骤 405包括如 下流程: 步骤 S701 : 物理身份生成设备从第一异构身份子系统获取第一终端设备的统一身份; 步骤 S702:物理身份生成设备根据第一终端设备的统一身份生成第一终端设备的物理 身份证明;
其中, 物理身份证明用于证明第一终端设备的统一身份与第一终端设备的关联关系; 步骤 S703 : 第一异构身份子系统从物理身份生成设备获取物理身份证明;
步骤 S704: 第一异构身份子系统生成物理身份证明的摘要;
步骤 S705: 处理模块获取物理身份证明;
步骤 S706: 处理模块存储物理身份证明, 并生成物理身份证明的链接;
步骤 S707: 处理模块将物理身份证明的链接发送给第一异构身份子系统;
步骤 S708: 第一异构身份子系统将摘要和链接发送给第一区块链共识节点; 以使摘要 和链接在 M个区块链共识节点之间共享;
步骤 S709: 第二异构身份子系统从第二区块链共识节点获取摘要和链接;
步骤 S710: 第二异构身份子系统根据摘要和链接验证物理身份证明;
步骤 S711 : 第二异构身份子系统在对物理身份证明验证成功时, 向第一异构身份子系 统发送消息。
可选地, 步骤 S710之前还包括: 第二异构身份子系统获取第一终端设备对应的异构 身份系统的公钥; 相应的, 步骤 S710包括: 在处理模块中检测并获取链接对应的物理身 份证明; 计算物理身份证明的摘要; 若通过计算得到的物理身份证明的摘要和第一异构身 份子系统所属的异构身份系统对应的区块链共识节点存储的物理身份证明的摘要相同, 则 根据第一终端设备对应的异构身份系统的公钥验证物理身份证明。
可选地, 第一终端设备的统一身份为一公私钥对中的公钥; 步骤 S702包括: 获取第 一终端设备在对应的异构身份系统的身份标识以及一公私钥对中的公钥; 根据物理身份生 成设备的私钥对第一终端设备在对应的异构身份系统的身份标识以及一公私钥对中的公 钥进行签名, 得到第一签名; 将第一终端设备在对应的异构身份系统的身份标识、 一公私 钥对中的公钥和第一签名生成物理身份证明。
可选地, 步骤 S710之前还包括: 第一区块链共识节点获取并存储第一终端设备的统 一身份以及第一终端设备的统一身份的状态指示信息, 状态指示信息用于指示第一终端设 备的统一身份为启用状态或者非启用状态; 相应的, 步骤 S701 包括: 若状态指示信息指 示第一终端设备的统一身份的状态为启用状态, 则第异构身份子系统在处理模块中检测并 获取链接对应的物理身份证明。
可选地, 第一异构身份系统仅包括第一终端设备; 或者, 第一异构身份系统包括第一 终端设备、 第一终端设备的代理服务器和密钥托管中心; 第二异构身份系统仅包括第二终 端设备; 或者, 第二异构身份系统包括第二终端设备、 第二终端设备的代理服务器和密钥 托管中心。
本申请提供的基于异构身份的交互方法可以由上述基于异构身份的交互系统执行, 对 应内容和效果与上述基于异构身份的交互系统的内容和效果相同, 在此不再赘述。
图 8为本申请一实施例提供的第一异构身份子系统 80的结构示意图, 如图 8所示, 第一异构身份子系统 80包括: 获取模块 81、 发送模块 82和接收模块 83。
获取模块 81 用于获取第一异构身份子系统包括的第一终端设备在交互系统中的统一 身份。
该发送模块 82用于将第一终端设备的统一身份发送给第一异构身份子系统所属的异 构身份系统对应的区块链共识节点,以使第一终端设备的统一身份在 M个区块链共识节点 之间共享。
该获取模块 81还用于获取第二终端设备的统一身份。
发送模块 82用于基于第一终端设备的统一身份和第二终端设备的统一身份向第二终 端设备所属的第二异构身份子系统发送消息, 或者接收模块 83 用于接收第二异构身份子 系统发送的消息。
可选地, 第一异构身份子系统 80还包括生成模块 84。
该生成模块 84用于根据第一终端设备的统一身份生成第一终端设备的物理身份证明, 并生成物理身份证明的摘要, 物理身份证明用于证明第一终端设备的统一身份与第一终端 设备的关联关系。
获取模块 81还用于获取第一终端设备的物理身份证明的链接。
发送模块 82还用于将摘要和链接发送给第一异构身份子系统所属的异构身份系统对 应的区块链共识节点, 以使摘要和链接在 M个区块链共识节点之间共享。
进一步地, 当物理身份证明被第二异构身份子系统验证成功时, 接收模块 83 还用于 接收第二异构身份子系统发送的消息。
可选地, 若第一终端设备对应的异构身份系统是基于公钥基础设施 PKI的系统, 则获 取模块 81具体用于获取第一终端设备在对应的异构身份系统的 PKI证书以及 PKI证书的 签名; 并获取通过一公私钥对的私钥对第一终端设备在对应的异构身份系统中的公钥进行 签名, 得到的第一签名; 获取通过该第一终端设备在对应的异构身份系统中的私钥对一公 私钥对的公钥进行签名, 得到的第二签名。
生成模块 84具体用于将 PKI证书、 PKI证书的签名、第一签名和第二签名生成第一终 端设备的物理身份证明。
可选地, 若第一终端设备对应的异构身份系统是基于 IBC的系统, 则获取模块 81具 体用于获取通过一公私钥对的私钥对第一终端设备在对应的异构身份系统中的公钥进行 签名, 得到的第一签名; 并获取通过第一终端设备在对应的异构身份系统中的私钥对一公 私钥对的公钥进行签名, 得到的第二签名。
生成模块 84 具体用于将第一终端设备在对应的异构身份系统的身份标识、 第一签名 和第二签名生成第一终端设备的物理身份证明。
可选地, 获取模块 81还用于获取物理身份证明。
生成模块 84 用于生成物理身份证明的摘要; 获取模块还用于获取物理身份证明的链 接。
发送模块 82用于将将摘要和链接发送给第一异构身份子系统所属的异构身份系统对 应的区块链共识节点, 以使摘要和链接在 M个区块链共识节点之间共享。
进一步地, 当物理身份证明被第二异构身份子系统验证成功时, 接收模块 83 还用于 接收第二异构身份子系统发送的消息。
可选地, 第一异构身份子系统仅包括第一终端设备; 或者, 第一异构身份子系统包括 第一终端设备、 第一终端设备的第一代理服务器和第一密钥托管中心。 本申请提供的第一异构身份子系统, 其实现原理和技术效果可参照上述基于异构身份 的交互系统的实现原理和技术效果, 此处不再赘述。
图 9为本申请一实施例提供的第二异构身份子系统 90的结构示意图, 如图 9所示, 第二异构身份子系统 90包括: 获取模块 91、 发送模块 92和接收模块 93。
获取模块 91 用于获取第二异构身份子系统包括的第二终端设备在交互系统中的统一 身份。
发送模块 92用于将第二终端设备的统一身份发送给第二异构身份子系统所属的异构 身份系统对应的区块链共识节点,以使第二终端设备的统一身份在 M个区块链共识节点之 间共享。
获取模块 91还用于获取第一终端设备的统一身份。
发送模块 92还用于基于第一终端设备的统一身份和第二终端设备的统一身份向第一 终端设备所属的第一异构身份子系统发送消息, 或者该接收模块 93 用于接收第一异构身 份子系统发送的消息。
可选地, 第二异构身份子系统还包括验证模块 94。
其中, 获取模块 91还用于获取第一终端设备的物理身份证明的摘要和链接。
验证模块 94用于根据摘要和链接验证物理身份证明。
发送模块 92还用于在对物理身份证明验证成功时,向第一异构身份子系统发送消息。 可选地, 第二异构身份子系统还包括: 检测模块 95和计算模块 96。
第一终端设备的统一身份为一公私钥对中的公钥; 获取模块 91 还用于获取第一终端 设备对应的异构身份系统的公钥、 第一终端设备在对应的异构身份系统中的公钥和一公私 钥对的公钥。
相应的, 检测模块 95用于在处理模块中检测并获取链接对应的物理身份证明。
计算模块 96用于计算物理身份证明的摘要。
若通过计算得到的物理身份证明的摘要和第一异构身份子系统所属的异构身份系统 对应的区块链共识节点存储的物理身份证明的摘要相同, 则验证模块 94 用于根据第一终 端设备对应的异构身份系统的公钥、 第一终端设备在对应的异构身份系统中的公钥和一公 私钥对的公钥验证物理身份证明。
可选地, 验证模块 94具体用于根据第一终端设备对应的异构身份系统的公钥和 PKI 证书验证 PKI证书签名、根据一公私钥对的公钥和第一终端设备在对应的异构身份系统中 的公钥验证第一签名和第二签名; 若对 PKI签名、 第一签名和第二签名均验证成功, 则确 定对物理身份证明验证成功。
可选地, 验证模块 94 具体用于根据第一终端设备对应的异构身份系统的公钥和第一 终端设备在对应的异构身份系统的身份标识确定第一终端设备在对应的异构身份系统的 公钥; 根据一公私钥对的公钥和第一终端设备在对应的异构身份系统中的公钥验证第一签 名和第二签名; 若对第一签名和第二签名均验证成功, 则确定对物理身份证明验证成功。
可选地, 获取模块 91 还用于获取并存储第一终端设备的统一身份以及第一终端设备 的统一身份的状态指示信息, 状态指示信息用于指示第一终端设备的统一身份为启用状态 或者非启用状态; 相应的, 若状态指示信息指示第一终端设备的统一身份的状态为启用状 态, 则在处理模块中检测并获取链接对应的物理身份证明。 可选地,第二异构身份子系统获取第一终端设备对应的异构身份系统的公钥;相应的, 检测模块 95在处理模块中检测并获取链接对应的物理身份证明; 计算模块 96计算物理身 份证明的摘要; 若通过计算得到的物理身份证明的摘要和第一异构身份子系统所属的异构 身份系统对应的区块链共识节点存储的物理身份证明的摘要相同, 则验证模块 94根据第 一终端设备对应的异构身份系统的公钥验证物理身份证明。
可选地, 获取模块 91 获取并存储第一终端设备的统一身份以及第一终端设备的统一 身份的状态指示信息, 状态指示信息用于指示第一终端设备的统一身份为启用状态或者非 启用状态; 相应的, 若状态指示信息指示第一终端设备的统一身份的状态为启用状态, 则 检测模块 95具体用于在处理模块中检测并获取链接对应的物理身份证明。
可选地, 第二异构身份子系统仅包括第二终端设备; 或者, 第二异构身份子系统包括 第二终端设备、 第二终端设备的第一代理服务器和第一密钥托管中心。
本申请提供的第二异构身份子系统, 其实现原理和技术效果可参照上述基于异构身份 的交互系统的实现原理和技术效果, 此处不再赘述。
图 10为本申请一实施例提供的物理身份生成设备 100的结构示意图, 如图 10所示, 物理身份生成设备 100包括: 获取模块 101和生成模块 102。
获取模块 101, 用于获取第一终端设备的统一身份。
生成模块 102,用于根据第一终端设备的统一身份生成第一终端设备的物理身份证明, 物理身份证明用于证明第一终端设备的统一身份与第一终端设备的关联关系。
可选地, 第一终端设备的统一身份为一公私钥对中的公钥; 获取模块 101还用于获取 第一终端设备在对应的异构身份系统的身份标识以及一公私钥对中的公钥。
生成模块 102具体用于根据物理身份生成设备的私钥对第一终端设备在对应的异构身 份系统的身份标识以及一公私钥对中的公钥进行签名, 得到第一签名; 将第一终端设备在 对应的异构身份系统的身份标识、 一公私钥对中的公钥和第一签名生成物理身份证明。
本申请提供的物理身份生成设备, 其实现原理和技术效果可参照上述基于异构身份的 交互系统的实现原理和技术效果, 此处不再赘述。
图 11为本申请一实施例提供的第一异构身份子系统 110的结构示意图,如图 11所示, 第一异构身份子系统 110包括: 处理器 111、 发送器 112和接收器 113。
处理器 111用于获取第一异构身份子系统包括的第一终端设备在交互系统中的统一身 份。
该发送器 112用于将第一终端设备的统一身份发送给第一异构身份子系统所属的异构 身份系统对应的区块链共识节点,以使第一终端设备的统一身份在 M个区块链共识节点之 间共享。
该处理器 111还用于获取第二终端设备的统一身份。
发送器 112用于基于第一终端设备的统一身份和第二终端设备的统一身份向第二终端 设备所属的第二异构身份子系统发送消息, 或者接收器 113用于接收第二异构身份子系统 发送的消息。
可选地, 该处理器 111还用于根据第一终端设备的统一身份生成第一终端设备的物理 身份证明, 并生成物理身份证明的摘要, 物理身份证明用于证明第一终端设备的统一身份 与第一终端设备的关联关系。 处理器 111还用于获取第一终端设备的物理身份证明的链接。
发送器 112还用于将摘要和链接发送给第一异构身份子系统所属的异构身份系统对应 的区块链共识节点, 以使摘要和链接在 M个区块链共识节点之间共享。
进一步地, 当物理身份证明被第二异构身份子系统验证成功时, 接收器 113还用于接 收第二异构身份子系统发送的消息。
可选地, 若第一终端设备对应的异构身份系统是基于公钥基础设施 PKI的系统, 则处 理器 i l l具体用于获取第一终端设备在对应的异构身份系统的 PKI证书以及 PKI证书的签 名; 并获取通过一公私钥对的私钥对第一终端设备在对应的异构身份系统中的公钥进行签 名, 得到的第一签名; 获取通过该第一终端设备在对应的异构身份系统中的私钥对一公私 钥对的公钥进行签名, 得到的第二签名。
处理器 111具体用于将 PKI证书、 PKI证书的签名、 第一签名和第二签名生成第一终 端设备的物理身份证明。
可选地, 若第一终端设备对应的异构身份系统是基于 IBC的系统, 则处理器 111具体 用于获取通过一公私钥对的私钥对第一终端设备在对应的异构身份系统中的公钥进行签 名, 得到的第一签名; 并获取通过第一终端设备在对应的异构身份系统中的私钥对一公私 钥对的公钥进行签名, 得到的第二签名。
处理器 i l l具体用于将第一终端设备在对应的异构身份系统的身份标识、 第一签名和 第二签名生成第一终端设备的物理身份证明。
可选地, 处理器 111还用于获取物理身份证明。
处理器 111用于生成物理身份证明的摘要;获取模块还用于获取物理身份证明的链接。 发送器 112用于将将摘要和链接发送给第一异构身份子系统所属的异构身份系统对应 的区块链共识节点, 以使摘要和链接在 M个区块链共识节点之间共享。
进一步地, 当物理身份证明被第二异构身份子系统验证成功时, 接收器 113还用于接 收第二异构身份子系统发送的消息。
可选地, 第一异构身份子系统仅包括第一终端设备; 或者, 第一异构身份子系统包括 第一终端设备、 第一终端设备的第一代理服务器和第一密钥托管中心。
本申请提供的第一异构身份子系统, 其实现原理和技术效果可参照上述基于异构身份 的交互系统的实现原理和技术效果, 此处不再赘述。
图 12为本申请一实施例提供的第二异构身份子系统 120的结构示意图,如图 12所示, 第二异构身份子系统 120包括: 处理器 121、 发送器 122和接收器 123。
处理器 121用于获取第二异构身份子系统包括的第二终端设备在交互系统中的统一身 份。
发送器 122用于将第二终端设备的统一身份发送给第二异构身份子系统所属的异构身 份系统对应的区块链共识节点,以使第二终端设备的统一身份在 M个区块链共识节点之间 共享。
处理器 121还用于获取第一终端设备的统一身份。
发送器 122还用于基于第一终端设备的统一身份和第二终端设备的统一身份向第一终 端设备所属的第一异构身份子系统发送消息, 或者该接收器 123用于接收第一异构身份子 系统发送的消息。 可选地, 第二异构身份子系统还包括验证模块 94。
其中, 处理器 121还用于获取第一终端设备的物理身份证明的摘要和链接。
处理器 121用于根据摘要和链接验证物理身份证明。
发送器 122还用于在对物理身份证明验证成功时, 向第一异构身份子系统发送消息。 可选地, 第一终端设备的统一身份为一公私钥对中的公钥; 处理器 121还用于获取第 一终端设备对应的异构身份系统的公钥、 第一终端设备在对应的异构身份系统中的公钥和 一公私钥对的公钥。
相应的, 处理器 121用于在处理模块中检测并获取链接对应的物理身份证明。
处理器 121用于计算物理身份证明的摘要。
若通过计算得到的物理身份证明的摘要和第一异构身份子系统所属的异构身份系统 对应的区块链共识节点存储的物理身份证明的摘要相同, 则处理器 121用于根据第一终端 设备对应的异构身份系统的公钥、 第一终端设备在对应的异构身份系统中的公钥和一公私 钥对的公钥验证物理身份证明。
可选地, 处理器 121具体用于根据第一终端设备对应的异构身份系统的公钥和 PKI证 书验证 PKI证书签名、根据一公私钥对的公钥和第一终端设备在对应的异构身份系统中的 公钥验证第一签名和第二签名; 若对 PKI签名、 第一签名和第二签名均验证成功, 则确定 对物理身份证明验证成功。
可选地, 处理器 121具体用于根据第一终端设备对应的异构身份系统的公钥和第一终 端设备在对应的异构身份系统的身份标识确定第一终端设备在对应的异构身份系统的公 钥; 根据一公私钥对的公钥和第一终端设备在对应的异构身份系统中的公钥验证第一签名 和第二签名; 若对第一签名和第二签名均验证成功, 则确定对物理身份证明验证成功。
可选地, 处理器 121还用于获取并存储第一终端设备的统一身份以及第一终端设备的 统一身份的状态指示信息, 状态指示信息用于指示第一终端设备的统一身份为启用状态或 者非启用状态;相应的,若状态指示信息指示第一终端设备的统一身份的状态为启用状态, 则在处理模块中检测并获取链接对应的物理身份证明。
可选地,第二异构身份子系统获取第一终端设备对应的异构身份系统的公钥;相应的, 处理器 121在处理模块中检测并获取链接对应的物理身份证明; 处理器 121计算物理身份 证明的摘要; 若通过计算得到的物理身份证明的摘要和第一异构身份子系统所属的异构身 份系统对应的区块链共识节点存储的物理身份证明的摘要相同, 则处理器 121根据第一终 端设备对应的异构身份系统的公钥验证物理身份证明。
可选地, 处理器 121获取并存储第一终端设备的统一身份以及第一终端设备的统一身 份的状态指示信息, 状态指示信息用于指示第一终端设备的统一身份为启用状态或者非启 用状态; 相应的, 若状态指示信息指示第一终端设备的统一身份的状态为启用状态, 则处 理器 121具体用于在处理模块中检测并获取链接对应的物理身份证明。
可选地, 第二异构身份子系统仅包括第二终端设备; 或者, 第二异构身份子系统包括 第二终端设备、 第二终端设备的第一代理服务器和第一密钥托管中心。
本申请提供的第二异构身份子系统, 其实现原理和技术效果可参照上述基于异构身份 的交互系统的实现原理和技术效果, 此处不再赘述。
图 13为本申请一实施例提供的物理身份生成设备 130的结构示意图, 如图 13所示, 物理身份生成设备 130包括:处理器 131和用于存储处理器 131的执行代码的存储器 132。 处理器 131, 用于获取第一终端设备的统一身份;
处理器 131, 用于根据第一终端设备的统一身份生成第一终端设备的物理身份证明, 物理身份证明用于证明第一终端设备的统一身份与第一终端设备的关联关系。
可选地, 第一终端设备的统一身份为一公私钥对中的公钥; 获取模块 101还用于获取 第一终端设备在对应的异构身份系统的身份标识以及一公私钥对中的公钥。
处理器 131具体用于根据物理身份生成设备的私钥对第一终端设备在对应的异构身份 系统的身份标识以及一公私钥对中的公钥进行签名, 得到第一签名; 将第一终端设备在对 应的异构身份系统的身份标识、 一公私钥对中的公钥和第一签名生成物理身份证明。
本申请提供的物理身份生成设备, 其实现原理和技术效果可参照上述基于异构身份的 交互系统的实现原理和技术效果, 此处不再赘述。

Claims

权 利 要 求 书
1、 一种基于异构身份的交互系统, 其特征在于, 包括: M个区块链共识节点和 M个 异构身份系统, M为大于 1的正整数; 所述异构身份系统包括异构身份子系统, 所述异构 身份子系统包括终端设备;
第一异构身份子系统获取所述第一异构身份子系统包括的第一终端设备在所述交互 系统中的统一身份, 并将所述第一终端设备的统一身份发送给所述第一异构身份子系统所 属的异构身份系统对应的区块链共识节点,以使所述第一终端设备的统一身份在所述 M个 区块链共识节点之间共享;
第二异构身份子系统获取所述第二异构身份子系统包括的第二终端设备在所述交互 系统中的统一身份, 并将所述第二终端设备的统一身份发送给所述第二异构身份子系统所 属的异构身份系统对应的区块链共识节点,以使所述第二终端设备的统一身份在所述 M个 区块链共识节点之间共享;
所述第一异构身份子系统和所述第二异构身份子系统基于所述第一终端设备的统一 身份和所述第二终端设备的统一身份进行交互;
其中,所述第一异构身份子系统和所述第二异构身份子系统属于所述 M个异构身份系 统中的两个不同的异构身份系统。
2、 根据权利要求 1所述的系统, 其特征在于, 还包括: 处理模块;
所述第一异构身份子系统根据所述第一终端设备的统一身份生成所述第一终端设备 的物理身份证明, 并生成所述物理身份证明的摘要, 所述物理身份证明用于证明所述第一 终端设备的统一身份与所述第一终端设备的关联关系;
所述处理模块获取并存储所述物理身份证明, 并生成所述物理身份证明的链接; 将所 述物理身份证明的链接发送给所述第一异构身份子系统;
所述第一异构身份子系统将所述摘要和所述链接发送给所述第一异构身份子系统所 属的异构身份系统对应的区块链共识节点,以使所述摘要和所述链接在所述 M个区块链共 识节点之间共享; 所述第二异构身份子系统获取所述摘要和所述链接, 根据所述摘要和所 述链接验证所述物理身份证明, 并在对所述物理身份证明验证成功时, 向所述第一异构身 份子系统发送消息。
3、 根据权利要求 2所述的系统, 其特征在于, 所述第一终端设备的统一身份为一公 私钥对中的公钥; 所述第二异构身份子系统获取所述第一终端设备对应的异构身份系统的 公钥、 所述第一终端设备在对应的异构身份系统中的公钥和所述一公私钥对的公钥; 相应的, 所述第二异构身份子系统在所述处理模块中检测并获取所述链接对应的所述 物理身份证明;
所述第二异构身份子系统计算所述物理身份证明的摘要;
若通过计算得到的所述物理身份证明的摘要和所述第一异构身份子系统所属的异构 身份系统对应的区块链共识节点存储的所述物理身份证明的摘要相同, 则所述第二异构身 份子系统根据所述第一终端设备对应的异构身份系统的公钥、 所述第一终端设备在对应的 异构身份系统中的公钥和所述一公私钥对的公钥验证所述物理身份证明。
4、 根据权利要求 3 所述的系统, 其特征在于, 若所述第一终端设备对应的异构身份 系统是基于公钥基础设施 PKI的系统, 则所述第一异构身份子系统获取所述第一终端设备 在对应的异构身份系统的 ΡΚΙ证书以及所述 ΡΚΙ证书的签名;
所述第一异构身份子系统获取通过所述一公私钥对的私钥对所述第一终端设备在对 应的异构身份系统中的公钥进行签名, 得到的第一签名;
所述第一异构身份子系统获取通过该所述第一终端设备在对应的异构身份系统中的 私钥对所述一公私钥对的公钥进行签名, 得到的第二签名;
所述第一异构身份子系统将所述 ΡΚΙ证书、 所述 ΡΚΙ证书的签名、 所述第一签名和所 述第二签名生成所述第一终端设备的物理身份证明。
5、 根据权利要求 4所述的系统, 其特征在于, 所述第二异构身份子系统根据所述第 一终端设备对应的异构身份系统的公钥和所述 ΡΚΙ证书验证所述 ΡΚΙ证书签名、根据所述 一公私钥对的公钥和所述第一终端设备在对应的异构身份系统中的公钥验证所述第一签 名和所述第二签名;
若对所述 ΡΚΙ签名、 所述第一签名和所述第二签名均验证成功, 则所述第二异构身份 子系统确定对所述物理身份证明验证成功。
6、 根据权利要求 3 所述的系统, 其特征在于, 若所述第一终端设备对应的异构身份 系统是基于 IBC的系统, 则所述第一异构身份子系统获取通过所述一公私钥对的私钥对所 述第一终端设备在对应的异构身份系统中的公钥进行签名, 得到的第一签名;
所述第一异构身份子系统获取通过所述第一终端设备在对应的异构身份系统中的私 钥对所述一公私钥对的公钥进行签名, 得到的第二签名;
所述第一异构身份子系统将所述第一终端设备在对应的异构身份系统的身份标识、 所 述第一签名和所述第二签名生成所述第一终端设备的物理身份证明。
7、 根据权利要求 6所述的系统, 其特征在于, 所述第二异构身份子系统根据所述第 一终端设备对应的异构身份系统的公钥和所述第一终端设备在对应的异构身份系统的身 份标识确定所述第一终端设备在对应的异构身份系统的公钥;
所述第二异构身份子系统根据所述一公私钥对的公钥和所述第一终端设备在对应的 异构身份系统中的公钥验证所述第一签名和所述第二签名;
若对所述第一签名和所述第二签名均验证成功, 则所述第二异构身份子系统确定对所 述物理身份证明验证成功。
8、 根据权利要求 3-7任一项所述的系统, 其特征在于,
所述第二异构身份子系统获取并存储所述第一终端设备的统一身份以及所述第一终 端设备的统一身份的状态指示信息, 所述状态指示信息用于指示所述第一终端设备的统一 身份为启用状态或者非启用状态;
相应的, 若所述状态指示信息指示所述第一终端设备的统一身份的状态为启用状态, 则所述第二异构身份子系统在所述处理模块中检测并获取所述链接对应的所述物理身份 证明。
9、 根据权利要求 1 所述的系统, 其特征在于, 还包括: 处理模块和物理身份生成设 备;
所述物理身份生成设备获取所述第一终端设备的统一身份, 并根据所述第一终端设备 的统一身份生成所述第一终端设备的物理身份证明, 所述物理身份证明用于证明所述第一 终端设备的统一身份与所述第一终端设备的关联关系;
所述第一异构身份子系统获取所述物理身份证明, 并生成所述物理身份证明的摘要; 所述处理模块获取并存储所述物理身份证明, 并生成所述物理身份证明的链接; 将所 述物理身份证明的链接发送给所述第一异构身份子系统;
所述第一异构身份子系统将所述摘要和所述链接发送给所述第一异构身份子系统所 属的异构身份系统对应的区块链共识节点,以使所述摘要和所述链接在所述 M个区块链共 识节点之间共享;
所述第二异构身份子系统获取所述摘要和所述链接, 根据所述摘要和所述链接验证所 述物理身份证明, 并在对所述物理身份证明验证成功时, 向所述第一异构身份子系统发送 消息。
10、 根据权利要求 9所述的系统, 其特征在于, 所述第二异构身份子系统获取所述第 一终端设备对应的异构身份系统的公钥;
相应的, 所述第二异构身份子系统在所述处理模块中检测并获取所述链接对应的所述 物理身份证明;
所述第二异构身份子系统计算所述物理身份证明的摘要;
若通过计算得到的所述物理身份证明的摘要和所述第一异构身份子系统所属的异构 身份系统对应的区块链共识节点存储的所述物理身份证明的摘要相同, 则所述第二异构身 份子系统根据所述第一终端设备对应的异构身份系统的公钥验证所述物理身份证明。
11、 根据权利要求 9或 10所述的系统, 其特征在于, 所述第一终端设备的统一身份 为一公私钥对中的公钥; 所述物理身份生成设备获取所述第一终端设备在对应的异构身份 系统的身份标识以及所述一公私钥对中的公钥;
所述物理身份生成设备根据所述物理身份生成设备的私钥对所述第一终端设备在对 应的异构身份系统的身份标识以及所述一公私钥对中的公钥进行签名, 得到第一签名; 所述物理身份生成设备将所述第一终端设备在对应的异构身份系统的身份标识、 所述 一公私钥对中的公钥和所述第一签名生成所述物理身份证明。
12、 根据权利要求 10所述的系统, 其特征在于,
所述第二异构身份子系统获取并存储所述第一终端设备的统一身份以及所述第一终 端设备的统一身份的状态指示信息, 所述状态指示信息用于指示所述第一终端设备的统一 身份为启用状态或者非启用状态;
相应的, 若所述状态指示信息指示所述第一终端设备的统一身份的状态为启用状态, 则所述第二异构身份子系统在所述处理模块中检测并获取所述链接对应的所述物理身份 证明。
13、 根据权利要求 9-12任一项所述的系统, 其特征在于, 所述第一异构身份子系统仅 包括所述第一终端设备; 或者, 所述第一异构身份子系统包括所述第一终端设备、 所述第 一终端设备的第一代理服务器和第一密钥托管中心;
所述第二异构身份子系统仅包括所述第二终端设备; 或者, 所述第二异构身份子系统 包括所述第二终端设备、 所述第二终端设备的第一代理服务器和第一密钥托管中心。
14、 一种基于异构身份的交互方法, 其特征在于, 所述方法应用于基于异构身份的交 互系统, 所述系统包括: M个区块链共识节点和 M个异构身份系统, M为大于 1的正整 数;所述异构身份系统包括异构身份子系统,所述异构身份子系统包括终端设备;相应的, 所述方法包括:
第一异构身份子系统获取所述第一异构身份子系统包括的第一终端设备在所述交互 系统中的统一身份, 并将所述第一终端设备的统一身份发送给所述第一异构身份子系统所 属的异构身份系统对应的区块链共识节点,以使所述第一终端设备的统一身份在所述 M个 区块链共识节点之间共享;
第二异构身份子系统获取所述第二异构身份子系统包括的第二终端设备在所述交互 系统中的统一身份, 并将所述第二终端设备的统一身份发送给所述第二异构身份子系统所 属的异构身份系统对应的区块链共识节点,以使所述第二终端设备的统一身份在所述 M个 区块链共识节点之间共享;
所述第一异构身份子系统和所述第二异构身份子系统基于所述第一终端设备的统一 身份和所述第二终端设备的统一身份进行交互;
其中,所述第一异构身份子系统和所述第二异构身份子系统属于所述 M个异构身份系 统中的两个不同的异构身份系统。
15、 根据权利要求 14所述的方法, 其特征在于, 所述系统还包括: 处理模块; 相应 的, 所述第一异构身份子系统和所述第二异构身份子系统基于所述第一终端设备的统一身 份和所述第二终端设备的统一身份进行交互, 包括:
所述第一异构身份子系统根据所述第一终端设备的统一身份生成所述第一终端设备 的物理身份证明, 并生成所述物理身份证明的摘要, 所述物理身份证明用于证明所述第一 终端设备的统一身份与所述第一终端设备的关联关系;
所述处理模块获取并存储所述物理身份证明, 并生成所述物理身份证明的链接; 将所 述物理身份证明的链接发送给所述第一异构身份子系统;
所述第一异构身份子系统将所述摘要和所述链接发送给所述第一异构身份子系统所 属的异构身份系统对应的区块链共识节点,以使所述摘要和所述链接在所述 M个区块链共 识节点之间共享;
所述第二异构身份子系统获取所述摘要和所述链接, 根据所述摘要和所述链接验证所 述物理身份证明, 并在对所述物理身份证明验证成功时, 向所述第一异构身份子系统发送 消息。
16、 根据权利要求 15 所述的方法, 其特征在于, 所述第一终端设备的统一身份为一 公私钥对中的公钥; 所述方法还包括:
所述第二异构身份子系统获取所述第一终端设备对应的异构身份系统的公钥、 所述第 一终端设备在对应的异构身份系统中的公钥和所述一公私钥对的公钥;
相应的, 所述第二异构身份子系统根据所述摘要和所述链接验证所述物理身份证明, 包括:
所述第二异构身份子系统在所述处理模块中检测并获取所述链接对应的所述物理身 份证明;
所述第二异构身份子系统计算所述物理身份证明的摘要;
若通过计算得到的所述物理身份证明的摘要和所述第一异构身份子系统所属的异构 身份系统对应的区块链共识节点存储的所述物理身份证明的摘要相同, 则所述第二异构身 份子系统根据所述第一终端设备对应的异构身份系统的公钥、 所述第一终端设备在对应的 异构身份系统中的公钥和所述一公私钥对的公钥验证所述物理身份证明。
17、 根据权利要求 16所述的方法, 其特征在于, 若所述第一终端设备对应的异构身 份系统是基于公钥基础设施 PKI的系统, 则所述第一异构身份子系统根据所述第一终端设 备的统一身份生成所述第一终端设备的物理身份证明, 包括:
所述第一异构身份子系统获取所述第一终端设备在对应的异构身份系统的 PKI证书以 及所述 PKI证书的签名;
所述第一异构身份子系统获取通过所述一公私钥对的私钥对所述第一终端设备在对 应的异构身份系统中的公钥进行签名, 得到的第一签名;
所述第一异构身份子系统获取通过该所述第一终端设备在对应的异构身份系统中的 私钥对所述一公私钥对的公钥进行签名, 得到的第二签名;
所述第一异构身份子系统将所述 PKI证书、 所述 PKI证书的签名、 所述第一签名和所 述第二签名生成所述第一终端设备的物理身份证明。
18、 根据权利要求 17 所述的方法, 其特征在于, 所述第二异构身份子系统根据所述 第一终端设备对应的异构身份系统的公钥、 所述第一终端设备在对应的异构身份系统中的 公钥和所述一公私钥对的公钥验证所述物理身份证明, 包括:
所述第二异构身份子系统根据所述第一终端设备对应的异构身份系统的公钥和所述 PKI证书验证所述 PKI证书签名、 根据所述一公私钥对的公钥和所述第一终端设备在对应 的异构身份系统中的公钥验证所述第一签名和所述第二签名;
若对所述 PKI签名、 所述第一签名和所述第二签名均验证成功, 则所述第二异构身份 子系统确定对所述物理身份证明验证成功。
19、 根据权利要求 16所述的方法, 其特征在于, 若所述第一终端设备对应的异构身 份系统是基于 IBC的系统, 则所述第一异构身份子系统根据所述第一终端设备的统一身份 生成所述第一终端设备的物理身份证明, 包括:
所述第一异构身份子系统获取通过所述一公私钥对的私钥对所述第一终端设备在对 应的异构身份系统中的公钥进行签名, 得到的第一签名;
所述第一异构身份子系统获取通过所述第一终端设备在对应的异构身份系统中的私 钥对所述一公私钥对的公钥进行签名, 得到的第二签名;
所述第一异构身份子系统将所述第一终端设备在对应的异构身份系统的身份标识、 所 述第一签名和所述第二签名生成所述第一终端设备的物理身份证明。
20、 根据权利要求 19所述的方法, 其特征在于, 所述第二异构身份子系统根据所述 第一终端设备对应的异构身份系统的公钥、 所述第一终端设备在对应的异构身份系统中的 公钥和所述一公私钥对的公钥验证所述物理身份证明, 包括:
所述第二异构身份子系统根据所述第一终端设备对应的异构身份系统的公钥和所述 第一终端设备在对应的异构身份系统的身份标识确定所述第一终端设备在对应的异构身 份系统的公钥;
所述第二异构身份子系统根据所述一公私钥对的公钥和所述第一终端设备在对应的 异构身份系统中的公钥验证所述第一签名和所述第二签名;
若对所述第一签名和所述第二签名均验证成功, 则所述第二异构身份子系统确定对所 述物理身份证明验证成功。
21、 根据权利要求 16-20任一项所述的方法, 其特征在于, 还包括:
所述第二异构身份子系统获取并存储所述第一终端设备的统一身份以及所述第一终 端设备的统一身份的状态指示信息, 所述状态指示信息用于指示所述第一终端设备的统一 身份为启用状态或者非启用状态;
相应的, 所述第二异构身份子系统在所述处理模块中检测并获取所述链接对应的所述 物理身份证明, 包括:
若所述状态指示信息指示所述第一终端设备的统一身份的状态为启用状态, 则所述第 二异构身份子系统在所述处理模块中检测并获取所述链接对应的所述物理身份证明。
22、 根据权利要求 14所述的方法, 其特征在于, 所述系统还包括: 处理模块和物理 身份生成设备; 相应的, 所述第一异构身份子系统和所述第二异构身份子系统基于所述第 一终端设备的统一身份和所述第二终端设备的统一身份进行交互, 包括:
所述物理身份生成设备获取所述第一终端设备的统一身份, 并根据所述第一终端设备 的统一身份生成所述第一终端设备的物理身份证明, 所述物理身份证明用于证明所述第一 终端设备的统一身份与所述第一终端设备的关联关系;
所述第一异构身份子系统获取所述物理身份证明, 并生成所述物理身份证明的摘要; 所述处理模块获取并存储所述物理身份证明, 并生成所述物理身份证明的链接; 将所 述物理身份证明的链接发送给所述第一异构身份子系统;
所述第一异构身份子系统将所述摘要和所述链接发送给所述第一异构身份子系统所 属的异构身份系统对应的区块链共识节点,以使所述摘要和所述链接在所述 M个区块链共 识节点之间共享;
所述第二异构身份子系统获取所述摘要和所述链接, 根据所述摘要和所述链接验证所 述物理身份证明, 并在对所述物理身份证明验证成功时, 向所述第一异构身份子系统发送 消息。
23、 根据权利要求 22所述的方法, 其特征在于, 所述方法还包括:
所述第二异构身份子系统获取所述第一终端设备对应的异构身份系统的公钥; 相应的, 所述第二异构身份子系统根据所述摘要和所述链接验证所述物理身份证明, 包括:
所述第二异构身份子系统在所述处理模块中检测并获取所述链接对应的所述物理身 份证明;
所述第二异构身份子系统计算所述物理身份证明的摘要;
若通过计算得到的所述物理身份证明的摘要和所述第一异构身份子系统所属的异构 身份系统对应的区块链共识节点存储的所述物理身份证明的摘要相同, 则所述第二异构身 份子系统根据所述第一终端设备对应的异构身份系统的公钥验证所述物理身份证明。
24、 根据权利要求 22或 23所述的系统, 其特征在于, 所述第一终端设备的统一身份 为一公私钥对中的公钥; 相应的, 所述物理身份生成设备根据所述第一终端设备的统一身 份生成所述第一终端设备的物理身份证明, 包括:
所述物理身份生成设备获取所述第一终端设备在对应的异构身份系统的身份标识以 及所述一公私钥对中的公钥; 所述物理身份生成设备根据所述物理身份生成设备的私钥对所述第一终端设备在对 应的异构身份系统的身份标识以及所述一公私钥对中的公钥进行签名, 得到第一签名; 所述物理身份生成设备将所述第一终端设备在对应的异构身份系统的身份标识、 所述 一公私钥对中的公钥和所述第一签名生成所述物理身份证明。
25、 根据权利要求 23所述的方法, 其特征在于, 还包括:
所述第二异构身份子系统获取并存储所述第一终端设备的统一身份以及所述第一终 端设备的统一身份的状态指示信息, 所述状态指示信息用于指示所述第一终端设备的统一 身份为启用状态或者非启用状态;
相应的, 所述第二异构身份子系统在所述处理模块中检测并获取所述链接对应的所述 物理身份证明, 包括:
若所述状态指示信息指示所述第一终端设备的统一身份的状态为启用状态, 则所述第 二异构身份子系统在所述处理模块中检测并获取所述链接对应的所述物理身份证明。
26、 根据权利要求 22-25任一项所述的方法, 其特征在于, 所述第一异构身份子系统 仅包括所述第一终端设备; 或者, 所述第一异构身份子系统包括所述第一终端设备、 所述 第一终端设备的第一代理服务器和第一密钥托管中心;
所述第二异构身份子系统仅包括所述第二终端设备; 或者, 所述第二异构身份子系统 包括所述第二终端设备、 所述第二终端设备的第一代理服务器和第一密钥托管中心。
PCT/SG2017/050566 2017-11-10 2017-11-10 基于异构身份的交互系统及方法 WO2019093963A1 (zh)

Priority Applications (2)

Application Number Priority Date Filing Date Title
CN201780096222.XA CN111264045B (zh) 2017-11-10 2017-11-10 基于异构身份的交互系统及方法
PCT/SG2017/050566 WO2019093963A1 (zh) 2017-11-10 2017-11-10 基于异构身份的交互系统及方法

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
PCT/SG2017/050566 WO2019093963A1 (zh) 2017-11-10 2017-11-10 基于异构身份的交互系统及方法

Publications (1)

Publication Number Publication Date
WO2019093963A1 true WO2019093963A1 (zh) 2019-05-16

Family

ID=66439042

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/SG2017/050566 WO2019093963A1 (zh) 2017-11-10 2017-11-10 基于异构身份的交互系统及方法

Country Status (2)

Country Link
CN (1) CN111264045B (zh)
WO (1) WO2019093963A1 (zh)

Cited By (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN112989381A (zh) * 2021-03-24 2021-06-18 中国电子科技集团公司第三十研究所 一种基于区块链防关联的统一异构身份标识方法
CN113556738A (zh) * 2021-07-23 2021-10-26 广州鲁邦通物联网科技有限公司 一种dtu设备与节点设备的密钥协商方法、dtu设备、节点设备以及密钥协商系统
CN113783836A (zh) * 2021-08-02 2021-12-10 南京邮电大学 基于区块链和ibe算法的物联网数据访问控制方法及系统
CN116055055A (zh) * 2022-11-29 2023-05-02 北京笔新互联网科技有限公司 跨域认证方法及系统

Families Citing this family (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN112184245B (zh) * 2020-09-30 2024-04-26 深圳前海微众银行股份有限公司 一种跨区块链的交易身份确认方法及装置

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US9635000B1 (en) * 2016-05-25 2017-04-25 Sead Muftic Blockchain identity management system based on public identities ledger
CN107079036A (zh) * 2016-12-23 2017-08-18 深圳前海达闼云端智能科技有限公司 注册及授权方法、装置及系统
US20170302663A1 (en) * 2016-04-14 2017-10-19 Cisco Technology, Inc. BLOCK CHAIN BASED IoT DEVICE IDENTITY VERIFICATION AND ANOMALY DETECTION
CN107276973A (zh) * 2016-12-10 2017-10-20 江苏恒为信息科技有限公司 一种互联网物品身份标识构建及验证方法

Family Cites Families (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101867929B (zh) * 2010-05-25 2013-03-13 北京星网锐捷网络技术有限公司 认证方法、系统、认证服务器和终端设备
US20160164884A1 (en) * 2014-12-05 2016-06-09 Skuchain, Inc. Cryptographic verification of provenance in a supply chain
JP6684930B2 (ja) * 2016-09-18 2020-04-22 深▲セン▼前▲海▼▲達▼▲闥▼▲雲▼端智能科技有限公司Cloudminds (Shenzhen) Robotics Systems Co., Ltd. ブロックチェーンに基づくアイデンティティ認証方法、装置、ノード及びシステム
CN106686008B (zh) * 2017-03-03 2019-01-11 腾讯科技(深圳)有限公司 信息存储方法及装置

Patent Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20170302663A1 (en) * 2016-04-14 2017-10-19 Cisco Technology, Inc. BLOCK CHAIN BASED IoT DEVICE IDENTITY VERIFICATION AND ANOMALY DETECTION
US9635000B1 (en) * 2016-05-25 2017-04-25 Sead Muftic Blockchain identity management system based on public identities ledger
CN107276973A (zh) * 2016-12-10 2017-10-20 江苏恒为信息科技有限公司 一种互联网物品身份标识构建及验证方法
CN107079036A (zh) * 2016-12-23 2017-08-18 深圳前海达闼云端智能科技有限公司 注册及授权方法、装置及系统

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
ZHU, XIAOYANG ET AL.: "Autonomic Identity Framework for the Internet of Things", PROC. OF IEEE ICCAC'17, 22 September 2017 (2017-09-22), pages 69 - 79, XP033163674, [retrieved on 20180111], DOI: doi:10.1109/ICCAC.2017.14 *

Cited By (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN112989381A (zh) * 2021-03-24 2021-06-18 中国电子科技集团公司第三十研究所 一种基于区块链防关联的统一异构身份标识方法
CN112989381B (zh) * 2021-03-24 2022-03-22 中国电子科技集团公司第三十研究所 一种基于区块链防关联的统一异构身份标识方法
CN113556738A (zh) * 2021-07-23 2021-10-26 广州鲁邦通物联网科技有限公司 一种dtu设备与节点设备的密钥协商方法、dtu设备、节点设备以及密钥协商系统
CN113783836A (zh) * 2021-08-02 2021-12-10 南京邮电大学 基于区块链和ibe算法的物联网数据访问控制方法及系统
CN113783836B (zh) * 2021-08-02 2023-06-20 南京邮电大学 基于区块链和ibe算法的物联网数据访问控制方法及系统
CN116055055A (zh) * 2022-11-29 2023-05-02 北京笔新互联网科技有限公司 跨域认证方法及系统

Also Published As

Publication number Publication date
CN111264045A (zh) 2020-06-09
CN111264045B (zh) 2023-06-30

Similar Documents

Publication Publication Date Title
US10903991B1 (en) Systems and methods for generating signatures
Malina et al. A secure publish/subscribe protocol for internet of things
CN111066285B (zh) 基于sm2签名恢复公钥的方法
US9065637B2 (en) System and method for securing private keys issued from distributed private key generator (D-PKG) nodes
WO2019093963A1 (zh) 基于异构身份的交互系统及方法
JP3864249B2 (ja) 暗号通信システム、その端末装置及びサーバ
US11870891B2 (en) Certificateless public key encryption using pairings
US8806206B2 (en) Cooperation method and system of hardware secure units, and application device
US20150288527A1 (en) Verifiable Implicit Certificates
JP2012253826A (ja) Idベース暗号化(ibe)に対して暗黙の証明証およびアプリケーションを生成する方法およびシステム
KR20100050846A (ko) 키 교환 시스템 및 방법
CN114710275B (zh) 物联网环境下基于区块链的跨域认证和密钥协商方法
WO2019110018A1 (zh) 通信网络系统的消息验证方法、通信方法和通信网络系统
Yin et al. An efficient and secured data storage scheme in cloud computing using ECC-based PKI
TW202232913A (zh) 共享金鑰產生技術
Limkar et al. A mechanism to ensure identity-based anonymity and authentication for IoT infrastructure using cryptography
CN110519040B (zh) 基于身份的抗量子计算数字签名方法和系统
CN114696999A (zh) 一种身份鉴别方法和装置
CN116455561A (zh) 用于轻量装置的嵌入式tls协议
JP5333613B2 (ja) 代行パラメータ情報生成装置、代行装置、代行パラメータ情報生成プログラム、代行プログラム及び通信システム
TWI761243B (zh) 群組即時通訊的加密系統和加密方法
GB2421407A (en) Generating a shared symmetric key using identifier based cryptography
CN113918971A (zh) 基于区块链的消息传输方法、装置、设备及可读存储介质
CN110572788B (zh) 基于非对称密钥池和隐式证书的无线传感器通信方法和系统
JP5643251B2 (ja) 秘密情報通知システム、秘密情報通知方法、プログラム

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 17931734

Country of ref document: EP

Kind code of ref document: A1

NENP Non-entry into the national phase

Ref country code: DE

122 Ep: pct application non-entry in european phase

Ref document number: 17931734

Country of ref document: EP

Kind code of ref document: A1