WO2020062668A1 - Identity authentication method, identity authentication device, and computer readable medium - Google Patents


Publication number
WO2020062668A1
Authority
WO
WIPO (PCT)
Prior art keywords
identity
user
information
public key
verification
Prior art date
Application number
PCT/CN2018/123518
Other languages
French (fr)
Chinese (zh)
Inventor
褚秋实
左龙龙
Original Assignee
平安科技(深圳)有限公司
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Priority to CN201811153209.6A (CN109067801B)
Application filed by 平安科技(深圳)有限公司
Publication of WO2020062668A1

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/08 Network architectures or network communication protocols for network security for supporting authentication of entities communicating through a packet data network
    • H04L63/0876 Network architectures or network communication protocols for network security for supporting authentication of entities communicating through a packet data network based on the identity of the terminal or configuration, e.g. MAC address, hardware or software configuration or device fingerprint
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/04 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
    • H04L63/0428 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
    • H04L63/0442 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload wherein the sending and receiving network entities apply asymmetric encryption, i.e. different keys for encryption and decryption
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/08 Network architectures or network communication protocols for network security for supporting authentication of entities communicating through a packet data network
    • H04L63/0823 Network architectures or network communication protocols for network security for supporting authentication of entities communicating through a packet data network using certificates
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/08 Network architectures or network communication protocols for network security for supporting authentication of entities communicating through a packet data network
    • H04L63/0861 Network architectures or network communication protocols for network security for supporting authentication of entities communicating through a packet data network using biometrical features, e.g. fingerprint, retina-scan

Abstract

Embodiments of the present application disclose an identity authentication method, an identity authentication device, and a computer readable medium. The method comprises: a second user node acquiring, according to a first user address identifier of a first user, and from a blockchain, first identity mapping information corresponding to the first user address identifier, the first identity mapping information comprising the first user address identifier, a first public key, and a first identity fingerprint; encrypting, by means of the first public key, a second public key of a second user, obtaining an identity authentication request, and broadcasting the identity authentication request to an entire network; receiving identity feedback information; and authenticating the feedback information according to a private key of the second user and the first identity fingerprint, and if the authentication passes, determining that the first user address identifier is a user address identifier of the first user. The embodiments of the present application allocate public keys to users in a secure, efficient, and cheap manner, and effectively authenticate user identities.

Description

Identity authentication method, identity authentication device and computer-readable medium
This application claims priority to the Chinese patent application filed with the Chinese Patent Office on September 29, 2018, application number 2018111532096, entitled "Identity authentication method, identity authentication device and computer-readable medium", the entire contents of which are incorporated herein by reference.
Technical field
The present application relates to the field of blockchain technology, and in particular to an identity authentication method, an identity authentication device and a computer-readable medium.
Background
A blockchain is a chain of data blocks linked by cryptographic methods. Each data block contains the network transaction information of the whole blockchain network over a certain past period, and is used to verify the validity of that information and to generate the next block. In recent years blockchain technology has received wide attention and development. Blockchain technology, also called "distributed ledger technology", is in essence a decentralized method of data storage, transmission and proof built on a distributed structure: a distributed database system in which multiple nodes participate collectively. It is not a single technology but the result of integrating several technologies. Using blockchain technology to maintain a reliable, tamper-resistant ledger record can reduce the risk involved in trust and effectively reduce the maintenance cost of collaboration among multiple participants.
Existing PKI/CA technology is built on a digital certificate authority: a trusted third-party CA issues digital certificates, interfaces with application systems, and provides certificate status query services to those systems by publishing CRLs and OCSP responses, thereby implementing identity authentication and integrity protection. However, the cost of the current PKI model is very high: only a few certificate authorities in the world can issue certificates (public keys), and issuance fees are so high that at present only large institutions, companies and websites can afford them. In addition, the current certificate issuance model is very inefficient, requiring repeated rounds of verification and approval. The current model is too costly in both time and money, so ordinary users cannot enjoy a secure and inexpensive public key distribution service.
Summary of the Invention
Embodiments of the present application provide an identity authentication method that can distribute users' public keys securely, efficiently and inexpensively, and effectively verify users' identities.
In a first aspect, an embodiment of the present application provides an identity authentication method. The method includes:
a verification node receives verified first user information, the first user information including a first address identifier, a first public key and a first identity identifier of a first user;
the verification node encrypts the first identity identifier using a preset first one-way encryption algorithm to obtain a first identity fingerprint;
the verification node generates the mapping relationship among the first address identifier, the first public key and the first identity fingerprint as first identity mapping information;
the verification node adds the first identity mapping information to a blockchain.
In a second aspect, an embodiment of the present application further provides an identity authentication method. The method includes:
a second user node obtains, according to a first user address identifier of a first user, first identity mapping information corresponding to the first user address identifier from a blockchain, the first identity mapping information including the first user address identifier, a first public key and a first identity fingerprint;
the second user node encrypts a second public key of a second user using the first public key to obtain an identity verification request, and broadcasts the identity verification request to the entire network;
the second user node receives identity feedback information, the identity feedback information being information obtained by decrypting the identity verification request with the private key of the first user to obtain the second public key, and then encrypting the first identity identifier of the first user with the second public key;
the second user node verifies the feedback information according to the private key of the second user and the first identity fingerprint, and if the verification passes, determines that the first user address identifier is the user address identifier of the first user.
In a third aspect, an embodiment of the present application provides a device acting as a verification node. The device includes:
a first receiving unit, configured to receive verified first user information, the first user information including a first address identifier, a first public key and a first identity identifier of a first user;
a first encryption unit, configured to encrypt the first identity identifier using a first one-way encryption algorithm to obtain a first identity fingerprint;
a first generating unit, configured to generate the mapping relationship among the first address identifier, the first public key and the first identity fingerprint as first identity mapping information;
a first adding unit, configured to add the first identity mapping information to a blockchain.
In a fourth aspect, an embodiment of the present application provides a device acting as a second user node. The device includes:
an obtaining unit, configured to obtain, according to a first user address identifier of a first user, first identity mapping information corresponding to the first user address identifier from a blockchain, the first identity mapping information including the first user address identifier, a first public key and a first identity fingerprint;
a second encryption unit, configured to encrypt a second public key of a second user using the first public key to obtain an identity verification request, and to broadcast the identity verification request to the entire network;
a second receiving unit, configured to receive identity feedback information, the identity feedback information being information obtained by decrypting the identity verification request with the private key of the first user to obtain the second public key, and then encrypting the first identity identifier of the first user with the second public key;
a verification unit, configured to verify the feedback information according to the private key of the second user and the first identity fingerprint, and if the verification passes, to determine that the first user address identifier is the user address identifier of the first user.
In a fifth aspect, an embodiment of the present application provides an identity authentication device including a processor, a memory and a communication module, where the memory is configured to store program code and the processor is configured to call the program code to perform the methods of the first aspect and the second aspect and of any of their optional implementations.
In a sixth aspect, an embodiment of the present application provides a computer-readable storage medium. The computer storage medium stores a computer program, the computer program includes program instructions, and the program instructions, when executed by a processor, cause the processor to perform the methods of the first aspect and the second aspect.
In the embodiments of the present application, after the verification node has confirmed and verified the user's identity information using the user address identifier, public key and identity identifier provided by the user, it encrypts the identity identifier provided by the user with a one-way encryption algorithm to obtain the user's identity fingerprint. It then binds the user's public key, user address identifier and the identity fingerprint to generate identity mapping information, and adds the identity mapping information to the blockchain. Because the identity mapping information is generated from the user's user address identifier, public key and identity fingerprint only after the verification node has verified the user's identity, and it has been established that the user actually holds the private key corresponding to the user address identifier and the public key, other user nodes in the blockchain can accurately obtain the user's public key and identity fingerprint through the user address identifier.
BRIEF DESCRIPTION OF THE DRAWINGS
To explain the technical solutions of the embodiments of the present application more clearly, the drawings used in the description of the embodiments are briefly introduced below.
FIG. 1 is a schematic flowchart of an identity authentication method according to an embodiment of the present application;
FIG. 2 is a schematic flowchart of another identity authentication method according to an embodiment of the present application;
FIG. 3 is a functional unit composition diagram of an identity authentication device according to an embodiment of the present application;
FIG. 4 is a functional unit composition diagram of another identity authentication device according to an embodiment of the present application;
FIG. 5 is a schematic structural diagram of an identity authentication device according to an embodiment of the present application.
DETAILED DESCRIPTION
The technical solutions in the embodiments of the present application are described clearly and completely below with reference to the drawings in the embodiments. Obviously, the described embodiments are some, rather than all, of the embodiments of the present application. All other embodiments obtained by a person of ordinary skill in the art based on the embodiments of the present application without creative effort fall within the protection scope of the present application.
Because a blockchain is inherently open, transparent and tamper-resistant, it can replace the trusted intermediary that issues traditional certificates. Individuals and institutions can each generate their own asymmetric key pair, keep the private key themselves, and publish their user address identifier, corresponding public key and corresponding identity fingerprint to the blockchain, where the mapping among the user address identifier, the public key and the identity fingerprint is recorded. A node connected to the blockchain that knows a person's address identifier can then use that address identifier to obtain the corresponding public key from the blockchain, thereby securely obtaining the correct public key, and can verify the user's identity through the identity fingerprint. The identity fingerprint is generated by applying a one-way encryption computation to the user's identity identifier: the identity fingerprint can be obtained from the identity identifier, but the identity identifier cannot be obtained from the identity fingerprint.
Referring to FIG. 1, FIG. 1 is a schematic flowchart of an identity authentication method provided by an embodiment of the present application. As shown in the figure, the method may include:
101: A verification node receives verified first user information, the first user information including a first address identifier, a first public key and a first identity identifier of a first user.
In this embodiment, a user such as an individual, institution or enterprise connecting to the blockchain generates an asymmetric encryption key pair, consisting of a public key and a private key, through a blockchain node terminal, and generates a user address identifier from the public key. After generating the key pair, the user provides its user address identifier, public key and an identity identifier that can establish its identity to a verification node in the blockchain network in a secure manner (online or offline). The verification node in the blockchain network then verifies the identity identifier provided by the user. When the verification passes, step 102 is performed.
The user's identity identifier is information that can establish the user's identity. For example, if the user is an individual, the identity identifier may include information such as the user's name and ID card number; if the user is an enterprise, the identity identifier may include information such as the enterprise name and the enterprise's organization code. The verification node is a third-party institution or platform that can be trusted within the blockchain network, such as a public security system or a business administration system.
102: The verification node encrypts the first identity identifier using a preset first one-way encryption algorithm to obtain a first identity fingerprint.
In this embodiment, once the verification node in the blockchain network has verified the identity identifier provided by the user and the verification has passed, it encrypts the identity identifier provided by the user with a one-way encryption algorithm, so as to obtain an identity fingerprint that can identify the user within the blockchain without disclosing the user's identity information.
The one-way encryption algorithm is an algorithm that can only encrypt data to obtain encrypted data, and cannot recover the data from the encrypted data. That is, a one-way encryption algorithm can be used to encrypt the identity identifier to obtain the identity fingerprint, but no corresponding decryption algorithm exists to decrypt the identity fingerprint back into the identity identifier. The one-way encryption algorithm may include the Message-Digest algorithm (MD), the Secure Hash Algorithm 1 (SHA-1), the Hash Message Authentication Code (HMAC), and the like. For example, when the one-way encryption algorithm is the MD algorithm, the identity identifier is hashed and the resulting hash value is the identity fingerprint.
In this embodiment, the identity fingerprint is generated by encrypting the identity identifier (for example, an individual user's name and ID card number, or an enterprise's or organization's name and organization code) with a one-way encryption algorithm; the identity identifier refers to the real identity information of the user who holds the private key corresponding to the identity fingerprint and the public key. For example, the real identity information is hashed and the hash value is used as the identity fingerprint. It can be understood that in this embodiment the verification node is not limited. The verification node may be the main account operation node or a third-party trusted institution; for example, for the identity verification of an individual user the third-party trusted institution may be a public security system, and for an enterprise or organization it may be a business administration system.
103: The verification node generates the mapping relationship among the first address identifier, the first public key and the first identity fingerprint as first identity mapping information, and adds the first identity mapping information to the blockchain.
After the verification node in the blockchain network has verified the user address identifier, public key and identity identifier provided by the user, it signs the user's user address identifier, public key and identity fingerprint with the verification node's private key to generate an electronic signature, broadcasts the user's user address identifier, public key, identity fingerprint and electronic signature to the entire network, and writes the user's user address identifier, public key and identity fingerprint into its local block. Once the nodes of the blockchain network have reached agreement through the consensus mechanism, the block containing the user address identifier, public key and identity fingerprint is linked into the local blockchain ledger.
In this embodiment, after the other nodes of the blockchain network receive the user's user address identifier, public key, identity fingerprint and electronic signature information broadcast by the verification node, they verify the electronic signature information against the user's user address identifier, public key and identity fingerprint. Once the verification passes, they write the user's user address identifier, public key and identity fingerprint into their local current block, and once the nodes of the blockchain network have reached agreement through the consensus mechanism, the block containing the user address identifier, public key and identity fingerprint is linked into the local blockchain ledger.
For example, individual user A generates a private key, a public key and a user address identifier through a blockchain network node terminal, then goes offline to the public security system to register the public key, the user address identifier, and A's name and ID card number, and requests that the public key be distributed in the blockchain. After the public security system has verified user A's name and ID card number and confirmed that the person submitting the public key, user address identifier, name and ID card number is user A in person, the public security system hashes user A's name and ID card number to obtain user A's identity fingerprint, and signs user A's user address identifier, public key and identity fingerprint with the public security system's private key to generate electronic signature information. The public security system then broadcasts user A's user address identifier, public key, identity fingerprint and electronic signature information to the entire network and writes user A's user address identifier, public key and identity fingerprint into its local current block; once the nodes of the blockchain network have reached consensus, the local current block is added to the blockchain, so that user A's user address identifier, public key and identity fingerprint in the blockchain can subsequently be used to verify user A's identity.
As an optional implementation, in order to confirm whether the user providing the public key really holds the private key corresponding to that public key, after the verification node in the blockchain network has verified the user identity identifier provided by the user, the verification node receives a first random number entered through an input device, then triggers a smart contract to generate a second random number, and then generates a third random number from the first random number and the second random number. The verification node then encrypts the third random number with a one-way encryption algorithm to obtain first information, for example by computing the hash value of the third random number as the first information. The verification node then encrypts the first information with the user's public key to obtain first verification information, and broadcasts the first verification information to the entire network, that is, sends the first verification information to the user.
After the user node receives the first verification information, it decrypts the first verification information with the user's private key to obtain the first information. The user node then encrypts the first information with the public key of the verification node in the blockchain network to obtain second information, and broadcasts the second information to the entire network, that is, sends the second information to the verification node.
After the verification node in the blockchain network receives the second information, it decrypts the second information with the verification node's private key to obtain third information. The verification node then determines whether the third information is equal to the first information; if they are equal, it determines that the user providing the public key holds the private key corresponding to that public key. The step of encrypting the first identity identifier with the first one-way encryption algorithm is then performed.
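The optional proof of private-key possession in the three paragraphs above, as an added Go example that is not the patent's own code. It assumes the first and second random numbers are 64-bit values, that the third is derived as SHA-256 over both (the text does not fix the combination rule), that the one-way function is SHA-256 and the public-key encryption is RSA-OAEP, and it replaces the input device and the smart contract with plain function arguments.

```go
package main

import (
	"bytes"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/binary"
)

// NewKey generates an RSA key pair for one party (the user or the verification node).
func NewKey(bits int) (*rsa.PrivateKey, error) { return rsa.GenerateKey(rand.Reader, bits) }

// Challenge is the state the verification node keeps between sending the first verification
// information and checking the reply: the "first information", the hash of the third random number.
type Challenge struct {
	first []byte
}

// NewChallenge is the verification node's side. r1 stands for the number entered through the input
// device and r2 for the one produced by the smart contract; the third random number is derived as
// SHA-256 over both (assumed rule), hashed again to give the first information, which is then
// encrypted under the user's registered public key to give the first verification information.
func NewChallenge(r1, r2 uint64, userPub *rsa.PublicKey) (Challenge, []byte, error) {
	var both [16]byte
	binary.BigEndian.PutUint64(both[:8], r1)
	binary.BigEndian.PutUint64(both[8:], r2)
	third := sha256.Sum256(both[:])
	first := sha256.Sum256(third[:])
	ct, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, userPub, first[:], nil)
	return Challenge{first: first[:]}, ct, err
}

// Answer is the user's side: decrypt the first verification information with the private key that
// belongs to the registered public key, then encrypt the recovered first information under the
// verification node's public key to form the second information.
func Answer(user *rsa.PrivateKey, verifierPub *rsa.PublicKey, firstVerification []byte) ([]byte, error) {
	first, err := rsa.DecryptOAEP(sha256.New(), nil, user, firstVerification, nil)
	if err != nil {
		return nil, err
	}
	return rsa.EncryptOAEP(sha256.New(), rand.Reader, verifierPub, first, nil)
}

// Check is the verification node's last step: decrypt the second information with its own private
// key to get the third information and compare it with the first information it sent. Only a party
// holding the private key matching the registered public key could have recovered that value.
func (c Challenge) Check(verifier *rsa.PrivateKey, second []byte) bool {
	third, err := rsa.DecryptOAEP(sha256.New(), nil, verifier, second, nil)
	if err != nil {
		return false
	}
	return bytes.Equal(third, c.first)
}
```

Only when Check returns true does the node continue with step 102, as the text describes.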
可以看出,在本身申请实施例中,验证节点通过用户提供的用户地址标识、公钥和身份标识对用户的身份信息进行确认核实后,将通过单向加密算法对用户提供的身份标识进行加密计算得到用户的身份指纹。然后将用户的公钥、用户地址标识和上述身份指纹绑定生成身份映射信息,并将上述身份映射信息添加到区块链中。由于上述身份映射信息是通过验证节点对用户的身份核实后对并用户的用户地址标识、公钥以及身份指纹生成的,并确定了用户真实拥有上述用户地址表示和公钥对应的私钥,因此在区块链中,其他用户节点可以通过用户地址标识来准确的获取到用户的公钥和身份指纹。It can be seen that in the embodiment of the application itself, after the verification node verifies the user's identity information through the user address identifier, public key and identity provided by the user, it will encrypt the identity provided by the user through a one-way encryption algorithm. The user's identity fingerprint is calculated. Then bind the user's public key, user address identification and the above identity fingerprint to generate identity mapping information, and add the above identity mapping information to the blockchain. Since the above identity mapping information is generated by verifying the identity of the user with the verification node, the user's user address identifier, public key, and identity fingerprint are generated, and it is determined that the user actually owns the private key corresponding to the user address representation and the public key, so In the blockchain, other user nodes can accurately obtain the user's public key and identity fingerprint through user address identification.
在实际生活中,当第一用户和第二用户进行交易或传送文件时,假设第一用户确认了第二用户的身份,但第二用户没有确定第一用户的身份,即第二用户的身份不需要核实,而第二用户需要核实第一用户的身份,即第二用户想要知道他获取到的用户地址到底是不是真实的第一用户拥有的用户地址。对此本申请在上述实时例一的基础上提供了另一种身份认证方法。In real life, when the first user and the second user conduct transactions or transfer files, it is assumed that the first user confirms the identity of the second user, but the second user does not determine the identity of the first user, that is, the identity of the second user No verification is required, and the second user needs to verify the identity of the first user, that is, the second user wants to know whether the user address he obtained is actually a user address owned by the first user. For this purpose, this application provides another identity authentication method on the basis of the first real-time example.
Referring to FIG. 2, FIG. 2 is a schematic flowchart of another identity authentication method provided by an embodiment of the present application. As shown in the figure, the method may include:
201: The second user node obtains, from the blockchain and according to a first user address identifier of the first user, first identity mapping information corresponding to the first user address identifier, where the first identity mapping information includes the first user address identifier, a first public key and a first identity fingerprint.
In the embodiment of the present application, the second user node has obtained the user address identifier of the first user. When the second user wants to verify the identity of the first user, the second user node may obtain, from the blockchain and according to the previously obtained first user address identifier, the first identity mapping information corresponding to that identifier; the first identity mapping information includes the first user address identifier, the first public key and the first identity fingerprint.
The first identity mapping information is mapping relationship information generated by a verification node in the blockchain network: after verifying the identity of the first user and validating the public key, user address identifier and identity identifier provided by the first user, the verification node one-way encrypts the identity identifier to generate an identity fingerprint, and then binds the verified public key, user address identifier and identity fingerprint of the first user.
202: The second user node encrypts a second public key of the second user with the first public key to obtain an identity verification request, and broadcasts the identity verification request to the whole network.
In the embodiment of the present application, after the second user node has obtained the identity fingerprint and public key corresponding to the first user address identifier, it encrypts the second public key of the second user with the first public key to generate the identity verification request, and broadcasts the identity verification request to the whole network, i.e. the identity verification request is sent to the first user in the form of a broadcast.
203: The second user node receives identity feedback information, the identity feedback information being information obtained by decrypting the identity verification request with the private key of the first user to obtain the second public key, and then encrypting a first identity identifier of the first user with the second public key.
In the embodiment of the present application, a node in the blockchain may check, in real time or within a preset period, whether the blockchain contains a message that it needs to process. After the second user node has broadcast the identity verification request to the whole network and the first user node has detected that the identity verification request needs to be processed, the first user node decrypts the identity verification request with the private key of the first user to obtain the second public key of the second user. The first user node then encrypts its own first identity identifier with the second public key to obtain the feedback information and broadcasts the feedback information to the whole network, i.e. sends the feedback information to the second user. The first identity identifier of the first user is the same identity identifier that the first user provided to the verification node.
204: The second user node verifies the feedback information according to the second user's private key and the first identity fingerprint; if the verification passes, it determines that the first user address identifier is the user address identifier of the first user.
In the embodiment of the present application, after the second user receives the feedback information, the second user decrypts the feedback information with the second user's private key to obtain a second identity identifier, and then encrypts the second identity identifier with the same one-way encryption algorithm that the verification node used to generate the identity fingerprint, obtaining a second identity fingerprint. Finally, the second user judges whether the second identity fingerprint equals the first identity fingerprint obtained from the blockchain; if they are equal, it determines that the second identity identifier is truly the identity identifier of the user corresponding to the first user address identifier, i.e. the identity verification of the first user passes. After the identity verification of the first user has passed, the second user can judge from the obtained second identity identifier whether the first user is the user that the second user wants to verify.
For example, Zhang San wants to send a confidential document to Wang Wu, but Zhang San cannot actually reach Wang Wu in person and has only obtained a third user address identifier suspected to be Wang Wu's. Zhang San can then use the identity verification method provided by the present application to verify the third user address identifier suspected to be Wang Wu's. First, Zhang San obtains from the blockchain the third public key and third identity fingerprint corresponding to the third user address identifier. Zhang San then encrypts his own public key with the third public key and sends it to the node identified by the third user address identifier. On receiving the feedback information, Zhang San decrypts it with his private key to obtain an identity identifier, derives an identity fingerprint from that identity identifier and compares it with the third identity fingerprint; if they match, the third user address identifier indeed belongs to the user with the obtained identity identifier. Zhang San then judges whether that identity identifier is Wang Wu's. If so, he can safely send the confidential document to the user corresponding to the third user address identifier.
As an optional implementation, when neither of two users can determine the other's identity, the identity verification method described above can also be used by the two users to verify each other's identity. Specifically, suppose that when the first user and the second user conduct a transaction and transfer files, neither the first user nor the second user can confirm the identity of the other, i.e. the first user and the second user need to verify each other's identities.
The second user obtains, from the blockchain and according to the first user address identifier provided by the first user, the first public key and first identity fingerprint corresponding to the first user address identifier. The second user then encrypts the second user's second public key and the second user's identity identifier with the first public key to generate an identity verification request, and broadcasts the identity verification request to the whole network. After receiving the identity verification request, the first user decrypts it with his own first private key to obtain the second public key and the identity identifier of the second user, and judges from that identity identifier whether it is truly the second user's identity identifier. If so, the first user one-way encrypts the second user's identity identifier to obtain an identity fingerprint, and obtains from the blockchain, according to the second public key, the second identity fingerprint corresponding to the second public key. The first user then judges whether the second identity fingerprint equals the identity fingerprint he computed; if they are equal, the first user confirms the identity of the second user, i.e. confirms that the user who sent the identity verification request is the genuine second user.
After the first user has confirmed the identity of the second user, the first user encrypts the first user's identity identifier with the decrypted second public key to obtain feedback information, and broadcasts the feedback information to the whole network. After the second user receives the feedback information, the second user decrypts it with the second private key to obtain an identity identifier, and judges from the obtained identity identifier whether it is the identification information of the first user that the second user needs to verify. If so, the second user one-way encrypts the first user's identity identifier to obtain the first user's identity fingerprint and compares it with the first identity fingerprint obtained from the blockchain. If the two are equal, it is determined that the first user address identifier, public key and identity fingerprint obtained from the blockchain are held by the first user, and that the first user genuinely holds the private key corresponding to the first user address identifier.
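As an added example (not code from the patent or its applicant), the following Go program carries steps 201 to 204 through on constructed data in the Zhang San / Wang Wu setting of the example above, including the failure case where the responder does not hold the private key behind the address. It assumes SHA-256 as the one-way algorithm, RSA-OAEP as the public-key encryption and a Go map as the chain; the network broadcast is replaced by a direct call, and the verification node's random-number challenge and the mutual variant are not implemented. All names, addresses and the identity string are constructed placeholders.

```go
package main

import (
	"bytes"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"errors"
	"fmt"
)

// IdentityMapping is the record the verification node adds to the chain.
type IdentityMapping struct {
	Address     string         // user address identifier
	PublicKey   *rsa.PublicKey // user's public key
	Fingerprint []byte         // one-way fingerprint of the identity identifier
}

// fingerprint is the "first one-way encryption algorithm"; SHA-256 is assumed.
func fingerprint(identity []byte) []byte {
	sum := sha256.Sum256(identity)
	return sum[:]
}

// encrypt/decrypt stand in for the public-key scheme the page leaves open;
// RSA-OAEP is assumed.
func encrypt(pub *rsa.PublicKey, msg []byte) ([]byte, error) {
	return rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, msg, nil)
}

func decrypt(priv *rsa.PrivateKey, ct []byte) ([]byte, error) {
	return rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, ct, nil)
}

// must panics on setup errors (key generation, DER encoding); protocol failures are returned.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// answerRequest is the first user's side of step 203: recover the requester's
// public key from the request and return the identity identifier encrypted for it.
func answerRequest(first *rsa.PrivateKey, request, identity []byte) ([]byte, error) {
	der, err := decrypt(first, request)
	if err != nil {
		return nil, err // a request meant for another key cannot be read
	}
	pub, err := x509.ParsePKIXPublicKey(der)
	if err != nil {
		return nil, err
	}
	return encrypt(pub.(*rsa.PublicKey), identity)
}

// verifyAddress is the second user's side of steps 201-204. The request is
// readable only by the holder of the private key behind the address; that
// holder is reached through responder.
func verifyAddress(chain map[string]IdentityMapping, address string, second *rsa.PrivateKey,
	responder func(request []byte) ([]byte, error)) ([]byte, error) {
	m, ok := chain[address] // 201: look up the mapping by address identifier
	if !ok {
		return nil, errors.New("no identity mapping for this address")
	}
	request := must(encrypt(m.PublicKey, must(x509.MarshalPKIXPublicKey(&second.PublicKey)))) // 202
	feedback, err := responder(request) // 203
	if err != nil {
		return nil, fmt.Errorf("no valid reply from address holder: %w", err)
	}
	identity, err := decrypt(second, feedback) // 204: decrypt, hash, compare
	if err != nil {
		return nil, err
	}
	if !bytes.Equal(fingerprint(identity), m.Fingerprint) {
		return nil, errors.New("fingerprint mismatch: reply does not match registered identity")
	}
	return identity, nil
}

// Demo runs the flow on constructed data: Zhang San checks an address said to be
// Wang Wu's. It returns the identity learned and whether an impostor was rejected.
func Demo() (string, bool) {
	wangWu := must(rsa.GenerateKey(rand.Reader, 3072)) // large enough to wrap a DER-encoded 2048-bit key under OAEP
	zhangSan := must(rsa.GenerateKey(rand.Reader, 2048))
	impostor := must(rsa.GenerateKey(rand.Reader, 2048)) // does not hold the key behind the address
	identity := []byte("Wang Wu|ID-NUMBER-PLACEHOLDER") // constructed identity identifier
	chain := map[string]IdentityMapping{ // verification node's step: bind fingerprint to address and key
		"addr-wangwu": {"addr-wangwu", &wangWu.PublicKey, fingerprint(identity)},
	}
	got, _ := verifyAddress(chain, "addr-wangwu", zhangSan,
		func(req []byte) ([]byte, error) { return answerRequest(wangWu, req, identity) })
	_, err := verifyAddress(chain, "addr-wangwu", zhangSan,
		func(req []byte) ([]byte, error) { return answerRequest(impostor, req, identity) })
	return string(got), err != nil
}

func main() { fmt.Println(Demo()) }
```

Note that the fingerprint is a plain hash of low-entropy data (a name and an ID number), so anyone who can read the chain record can test guessed identities against it; in this design it serves for comparison, not for keeping the identity secret.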
It can be seen that, in the embodiment of the present application, the identity mapping information comprising the user's user address identifier, public key and identity fingerprint is first uploaded to the blockchain by the verification node; then, when a user's identity needs to be verified, the user identity mapping information can be obtained from the blockchain to verify the corresponding user and to determine that the verified user is truly the user to be contacted.
Referring to FIG. 3, FIG. 3 is a block diagram of one possible composition of functional units of an identity authentication device 300 provided by an embodiment of the present application. The identity authentication device is applied to a verification node and includes a first receiving unit 310, a first encryption unit 320, a first generating unit 330 and a first adding unit 340.
The first receiving unit 310 is configured to receive verified first user information, the first user information including a first address identifier, a first public key and a first identity identifier of a first user;
the first encryption unit 320 is configured to encrypt the first identity identifier with a preset first one-way encryption algorithm to obtain a first identity fingerprint;
the first generating unit 330 is configured to generate a mapping relationship between the first address identifier, the first public key and the first identity fingerprint as first identity mapping information;
the first adding unit 340 is configured to add the first identity mapping information to the blockchain.
Optionally, the first adding unit includes:
a signature unit, configured to electronically sign the first identity mapping information to obtain a first electronic signature;
a recording unit, configured to record the first identity mapping information in the local blockchain and to broadcast the first identity mapping information and the first electronic signature to the whole network;
a connection unit, configured to connect the block containing the first identity mapping information to the ledger of the local blockchain.
Optionally, the signature unit is configured to perform a one-way encryption operation on the first identity mapping information to generate an information digest, and to encrypt the information digest with the private key of the verification node to generate the electronic signature information.
Optionally, the first receiving unit 310 is configured to receive a first random number entered by an input device and to trigger a first smart contract to generate a second random number;
the first generating unit 330 is configured to generate a third random number according to the first random number, the second random number and a preset rule;
the first encryption unit 320 is configured to encrypt the third random number with a second one-way encryption algorithm to obtain first information;
the first encryption unit 320 is further configured to encrypt the first information with the first public key to obtain first verification information, and to broadcast the first verification information to the whole network;
the first receiving unit 310 is configured to receive second information, the second information being information obtained by decrypting the first verification information with the private key of the first user to obtain the first information, and then encrypting the first information with the public key of the verification node;
the identity authentication device further includes:
a first decryption unit, configured to decrypt the second information with the private key of the verification node to obtain third information and, if it judges that the third information equals the first information, to execute the step of encrypting the first identity identifier with the first one-way encryption algorithm.
Optionally, the first identity identifier is information capable of proving the true identity of the first user. When the first user is an individual user, the first identity identifier includes the first user's name and identity card number; when the first user is an enterprise user, the first identity identifier information includes the enterprise name and the enterprise's organization code.
It can be seen that, in the embodiment of the present application, after the verification node has confirmed the user's identity information by means of the user address identifier, public key and identity identifier provided by the user, it encrypts the identity identifier provided by the user with a one-way encryption algorithm to obtain the user's identity fingerprint. It then binds the user's public key, user address identifier and identity fingerprint to generate identity mapping information, and adds the identity mapping information to the blockchain. Because the identity mapping information is generated from the user's address identifier, public key and identity fingerprint only after the verification node has verified the user's identity and confirmed that the user actually holds the private key corresponding to the user address identifier and public key, other user nodes in the blockchain can reliably obtain the user's public key and identity fingerprint from the user address identifier.
Referring to FIG. 4, FIG. 4 is a block diagram of one possible composition of functional units of an identity authentication device 400 provided by an embodiment of the present application. The identity authentication device is applied to a second user node and includes an obtaining unit 410, a second encryption unit 420, a second receiving unit 430 and a verification unit 440.
The obtaining unit 410 is configured to obtain, from the blockchain and according to a first user address identifier of a first user, first identity mapping information corresponding to the first user address identifier, the first identity mapping information including the first user address identifier, a first public key and a first identity fingerprint;
the second encryption unit 420 is configured to encrypt a second public key of a second user with the first public key to obtain an identity verification request, and to broadcast the identity verification request to the whole network;
the second receiving unit 430 is configured to receive identity feedback information, the identity feedback information being information obtained by decrypting the identity verification request with the private key of the first user to obtain the second public key, and then encrypting a first identity identifier of the first user with the second public key;
the verification unit 440 is configured to verify the feedback information according to the second user's private key and the first identity fingerprint and, if the verification passes, to determine that the first user address identifier is the user address identifier of the first user.
Optionally, the verification unit 440 includes:
a second decryption unit, configured to decrypt the identity feedback information with the private key of the second user to obtain a second identity identifier;
a third encryption unit, configured for the second user to encrypt the second identity identifier with the first one-way encryption algorithm to obtain second identity fingerprint information, and to judge whether the second identity fingerprint information equals the first identity fingerprint; if they are equal, the verification passes.
Optionally, the second encryption unit is configured to encrypt the second public key of the second user and a third identity identifier of the second user with the first public key to obtain the identity verification request, and to broadcast the identity verification request to the whole network.
Optionally, the first identity mapping information is mapping relationship information generated by a verification node in the blockchain network according to the first user address identifier, the first public key and the first identity fingerprint, after the verification node has encrypted the first identity identifier of the first user with the first one-way encryption algorithm to generate the first identity fingerprint.
It can be seen that, in the embodiment of the present application, the identity mapping information comprising the user's user address identifier, public key and identity fingerprint is first uploaded to the blockchain by the verification node; then, when a user's identity needs to be verified, the user identity mapping information can be obtained from the blockchain to verify the corresponding user and to determine that the verified user is truly the user to be contacted.
Referring to FIG. 5, FIG. 5 is a schematic structural diagram of an identity authentication device 500 provided by an embodiment of the present application. As shown in FIG. 5, the identity authentication device 500 includes a processor, a memory, a communication interface and one or more programs, where the one or more programs are different from the one or more application programs, are stored in the memory and are configured to be executed by the processor.
When the identity authentication device 500 is a server, the programs include instructions for performing the following steps: receiving verified first user information, the first user information including a first address identifier, a first public key and a first identity identifier of a first user; encrypting the first identity identifier with a first one-way encryption algorithm to obtain a first identity fingerprint; generating a mapping relationship between the first address identifier, the first public key and the first identity fingerprint as first identity mapping information; and adding the first identity mapping information to the blockchain.
When the identity authentication device 500 is an electronic device, the programs include instructions for performing the following steps: obtaining, from the blockchain and according to a first user address identifier of a first user, first identity mapping information corresponding to the first user address identifier, the first identity mapping information including the first user address identifier, a first public key and a first identity fingerprint; encrypting a second public key of a second user with the first public key to obtain an identity verification request, and broadcasting the identity verification request to the whole network; receiving identity feedback information, the identity feedback information being information obtained by decrypting the identity verification request with the private key of the first user to obtain the second public key, and then encrypting a first identity identifier of the first user with the second public key; and verifying the feedback information according to the second user's private key and the first identity fingerprint and, if the verification passes, determining that the first user address identifier is the user address identifier of the first user.
It should be understood that, in the embodiment of the present application, the processor may be a central processing unit (CPU), or another general-purpose processor, a digital signal processor (DSP), an application-specific integrated circuit (ASIC), a field-programmable gate array (FPGA) or other programmable logic device, a discrete gate or transistor logic device, a discrete hardware component, and so on. The general-purpose processor may be a microprocessor, or the processor may be any conventional processor.
Another embodiment of the present application provides a computer-readable storage medium storing a computer program which, when executed by a processor, implements: receiving verified first user information, the first user information including a first address identifier, a first public key and a first identity identifier of a first user; encrypting the first identity identifier with a first one-way encryption algorithm to obtain a first identity fingerprint; generating a mapping relationship between the first address identifier, the first public key and the first identity fingerprint as first identity mapping information; and adding the first identity mapping information to the blockchain.
Alternatively, the computer program, when executed by a processor, implements: obtaining, from the blockchain and according to a first user address identifier of a first user, first identity mapping information corresponding to the first user address identifier, the first identity mapping information including the first user address identifier, a first public key and a first identity fingerprint; encrypting a second public key of a second user with the first public key to obtain an identity verification request, and broadcasting the identity verification request to the whole network; receiving identity feedback information, the identity feedback information being information obtained by decrypting the identity verification request with the private key of the first user to obtain the second public key, and then encrypting a first identity identifier of the first user with the second public key; and verifying the feedback information according to the second user's private key and the first identity fingerprint and, if the verification passes, determining that the first user address identifier is the user address identifier of the first user.
The computer-readable storage medium may be an internal storage unit of the terminal described in any of the foregoing embodiments, such as the terminal's hard disk or memory. The computer-readable storage medium may also be an external storage device of the terminal, such as a plug-in hard disk, a Smart Media Card (SMC), a Secure Digital (SD) card or a flash card fitted to the terminal. Further, the computer-readable storage medium may include both an internal storage unit and an external storage device of the terminal. The computer-readable storage medium is used to store the computer program and the other programs and data required by the terminal, and may also be used to temporarily store data that has been or will be output.
In the several embodiments provided in the present application, it should be understood that the disclosed system, server and method may be implemented in other ways. For example, the identity authentication device embodiments described above are merely illustrative; the division into units is only a logical functional division, and other divisions are possible in actual implementation, e.g. multiple units or components may be combined or integrated into another system, or some features may be omitted or not executed. In addition, the mutual couplings, direct couplings or communication connections shown or discussed may be indirect couplings or communication connections through some interfaces, identity authentication devices or units, and may be electrical, mechanical or in other forms.
The units described as separate components may or may not be physically separate, and the components shown as units may or may not be physical units; they may be located in one place or distributed over multiple network units. Some or all of the units may be selected according to actual needs to achieve the purpose of the solutions of the embodiments of the present application.
In addition, the functional units in the embodiments of the present application may be integrated into one processing unit, or each unit may exist physically on its own, or two or more units may be integrated into one unit. The integrated unit may be implemented in the form of hardware or in the form of a software functional unit.
If the integrated unit is implemented in the form of a software functional unit and sold or used as an independent product, it may be stored in a computer-readable storage medium. On this understanding, the technical solution of the present application, in essence or in the part that contributes to the prior art, or all or part of the technical solution, may be embodied in the form of a software product stored in a storage medium and comprising instructions that cause a computer device (which may be a personal computer, a server, a network device or the like) to perform all or some of the steps of the methods of the embodiments of the present application. The storage medium includes: a USB flash drive, a removable hard disk, a read-only memory (ROM), a random access memory (RAM), a magnetic disk, an optical disc or other media capable of storing program code.
The foregoing is merely a specific implementation of the present application, but the scope of protection of the present application is not limited thereto; any person skilled in the art can readily conceive of various equivalent modifications or substitutions within the technical scope disclosed in the present application, and such modifications or substitutions shall fall within the scope of protection of the present application. Therefore, the scope of protection of the present application shall be that of the claims.

Claims (20)

  1. An identity authentication method, characterized in that it is applied to a verification node and comprises:
    the verification node receives verified first user information, the first user information comprising a first address identifier, a first public key and a first identity identifier of a first user;
    the verification node encrypts the first identity identifier with a preset first one-way encryption algorithm to obtain a first identity fingerprint;
    the verification node generates the mapping relationship between the first address identifier, the first public key and the first identity fingerprint as first identity mapping information;
    the verification node adds the first identity mapping information to a blockchain.
  2. The method according to claim 1, characterized in that the verification node adding the first identity mapping information to the blockchain comprises:
    the verification node signs the first identity mapping information to obtain a first electronic signature;
    the verification node records the first identity mapping information in its local blockchain and broadcasts the first identity mapping information together with the first electronic signature to the whole network;
    the verification node links the block containing the first identity mapping information into the ledger of the local blockchain.
  3. The method according to claim 2, characterized in that the verification node electronically signing the first identity mapping information to obtain the first electronic signature comprises:
    the verification node performs a one-way encryption operation on the first identity mapping information to generate an information digest;
    the verification node encrypts the information digest with the private key of the verification node to generate the electronic signature information.
  4. The method according to any one of claims 1 to 3, characterized in that, after the verification node receives the verified first user information and before it encrypts the first identity identifier with the preset first one-way encryption algorithm, the method further comprises:
    the verification node receives a first random number entered from an input device and triggers a first smart contract to generate a second random number;
    the verification node generates a third random number from the first random number, the second random number and a preset rule;
    the verification node encrypts the third random number with a second one-way encryption algorithm to obtain first information;
    the verification node encrypts the first information with the first public key to obtain first verification information and broadcasts the first verification information to the whole network;
    the verification node receives second information, the second information being obtained by decrypting the first verification information with the private key of the first user to recover the first information and then encrypting the first information with the public key of the verification node;
    the verification node decrypts the second information with its own private key to obtain third information and, if the third information equals the first information, triggers the step of encrypting the first identity identifier with the first one-way encryption algorithm.
  5. The method according to claim 4, characterized in that the first identity identifier is information capable of confirming the real identity of the first user: when the first user is an individual, the first identity identifier comprises the name and the ID card number of the first user; when the first user is an enterprise, the first identity identifier comprises the enterprise name and the organization code of the enterprise.
  6. An identity authentication method, characterized in that it is applied to a user node and comprises:
    a second user node obtains, from a blockchain and according to a first user address identifier of a first user, first identity mapping information corresponding to the first user address identifier, the first identity mapping information comprising the first user address identifier, a first public key and a first identity fingerprint;
    the second user node encrypts a second public key of a second user with the first public key to obtain an identity verification request, and broadcasts the identity verification request to the whole network;
    the second user node receives identity feedback information, the identity feedback information being obtained by decrypting the identity verification request with the private key of the first user to recover the second public key and then encrypting a first identity identifier of the first user with the second public key;
    the second user node verifies the feedback information using the private key of the second user and the first identity fingerprint and, if the verification passes, determines that the first user address identifier is the user address identifier of the first user.
  7. The method according to claim 6, characterized in that the second user node verifying the feedback information using the private key of the second user and the first identity fingerprint comprises:
    the second user node decrypts the identity feedback information with the private key of the second user to obtain a second identity identifier;
    the second user node encrypts the second identity identifier with the first one-way encryption algorithm to obtain second identity fingerprint information and judges whether the second identity fingerprint information equals the first identity fingerprint; if so, the verification passes.
  8. The method according to claim 7, characterized in that the second user node encrypting the second public key of the second user with the first public key to obtain the identity verification request comprises:
    the second user encrypts the second public key of the second user and a third identity identifier of the second user with the first public key to obtain the identity verification request.
  9. The method according to any one of claims 6 to 8, characterized in that the first identity mapping information is the mapping relationship information that a verification node in the blockchain network generates from the first user address identifier, the first public key and the first identity fingerprint after encrypting the first identity identifier of the first user with the first one-way encryption algorithm to generate the first identity fingerprint.
  10. An identity authentication device applied to a verification node, characterized in that it comprises:
    a first receiving unit, configured to receive verified first user information, the first user information comprising a first address identifier, a first public key and a first identity identifier of a first user;
    a first encryption unit, configured to encrypt the first identity identifier with a preset first one-way encryption algorithm to obtain a first identity fingerprint;
    a first generating unit, configured to generate the mapping relationship between the first address identifier, the first public key and the first identity fingerprint as first identity mapping information;
    a first adding unit, configured to add the first identity mapping information to a blockchain.
  11. The identity authentication device according to claim 10, characterized in that the first adding unit comprises:
    a signing unit, configured to electronically sign the first identity mapping information to obtain a first electronic signature;
    a recording unit, configured to record the first identity mapping information in the local blockchain and broadcast the first identity mapping information together with the first electronic signature to the whole network;
    a linking unit, configured to link the block containing the first identity mapping information into the ledger of the local blockchain.
  12. The identity authentication device according to claim 11, characterized in that:
    the signing unit is specifically configured to perform a one-way encryption operation on the first identity mapping information to generate an information digest, and to encrypt the information digest with the private key of the verification node to generate the electronic signature information.
  13. The identity authentication device according to any one of claims 10 to 12, characterized in that:
    the first receiving unit is configured to receive a first random number entered from an input device and trigger a first smart contract to generate a second random number;
    the first generating unit is configured to generate a third random number from the first random number, the second random number and a preset rule;
    the first encryption unit is configured to encrypt the third random number with a second one-way encryption algorithm to obtain first information;
    the first encryption unit is further configured to encrypt the first information with the first public key to obtain first verification information and broadcast the first verification information to the whole network;
    the first receiving unit is configured to receive second information, the second information being obtained by decrypting the first verification information with the private key of the first user to recover the first information and then encrypting the first information with the public key of the verification node;
    the identity authentication device further comprises:
    a first decryption unit, configured to decrypt the second information with the private key of the verification node to obtain third information and, upon judging that the third information equals the first information, trigger the first encryption unit to perform the step of encrypting the first identity identifier with the first one-way encryption algorithm.
  14. The identity authentication device according to claim 13, characterized in that the first identity identifier is information capable of confirming the real identity of the first user: when the first user is an individual, the first identity identifier comprises the name and the ID card number of the first user; when the first user is an enterprise, the first identity identifier comprises the enterprise name and the organization code of the enterprise.
  15. An identity authentication device, characterized in that it comprises:
    an obtaining unit, configured to obtain, from a blockchain and according to a first user address identifier of a first user, first identity mapping information corresponding to the first user address identifier, the first identity mapping information comprising the first user address identifier, a first public key and a first identity fingerprint;
    a second encryption unit, configured to encrypt a second public key of a second user with the first public key to obtain an identity verification request and broadcast the identity verification request to the whole network;
    a second receiving unit, configured to receive identity feedback information, the identity feedback information being obtained by decrypting the identity verification request with the private key of the first user to recover the second public key and then encrypting a first identity identifier of the first user with the second public key;
    a verification unit, configured to verify the feedback information using the private key of the second user and the first identity fingerprint and, if the verification passes, determine that the first user address identifier is the user address identifier of the first user.
  16. The identity authentication device according to claim 15, characterized in that the verification unit comprises:
    a second decryption unit, configured to decrypt the identity feedback information with the private key of the second user to obtain a second identity identifier;
    a third encryption unit, configured to encrypt, for the second user, the second identity identifier with the first one-way encryption algorithm to obtain second identity fingerprint information, and to judge whether the second identity fingerprint information equals the first identity fingerprint; if so, the verification passes.
  17. The identity authentication device according to claim 16, characterized in that:
    the second encryption unit is configured to encrypt the second public key of the second user and a third identity identifier of the second user with the first public key to obtain the identity verification request, and to broadcast the identity verification request to the whole network.
  18. The identity authentication device according to any one of claims 15 to 17, characterized in that the first identity mapping information is the mapping relationship information that a verification node in the blockchain network generates from the first user address identifier, the first public key and the first identity fingerprint after encrypting the first identity identifier of the first user with the first one-way encryption algorithm to generate the first identity fingerprint.
  19. An identity authentication device, characterized in that it comprises a processor, a memory and a communication module, the memory storing program code and the processor calling the program code to perform the method according to any one of claims 1 to 5 or the method according to any one of claims 6 to 9.
  20. A computer-readable storage medium, characterized in that it stores a computer program comprising program instructions which, when executed by a processor, cause the processor to perform the method according to any one of claims 1 to 5 or the method according to any one of claims 6 to 9.
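The two exchanges claimed above, claims 1 to 4 at the verification node and claims 6 and 7 at the second user node, as an added worked example in Go using only the standard library. This is not code from the patent or from 平安科技; everything the claims leave open is an assumption of the example and is marked as such in the comments: SHA-256 serves as both one-way encryption algorithms, the preset rule for the third random number is the concatenation of the first two, public-key encryption is RSA-OAEP wrapping a fresh AES-256-GCM key (RSA-OAEP on its own cannot carry the second public key that claim 6 sends), the node signature is RSA-PSS over a digest of the three mapped fields, the blockchain is a map keyed by address, and both sides of each exchange run in one process with the responder's private key passed in explicitly so that the failure cases can be exercised. The names Register, ProveIdentity, sealTo, openWith and recordDigest and the sample identity string are the example's own.

```go
package main

import (
	"crypto"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"fmt"
)

// IdentityMapping is the record of claim 1; the chain is modelled as a map keyed by address.
type IdentityMapping struct {
	Address     string
	PublicKey   *rsa.PublicKey // first public key
	Fingerprint [32]byte       // SHA-256 of the first identity, the claims' "first one-way encryption algorithm"
	Signature   []byte         // node's RSA-PSS signature over recordDigest; peers check it with rsa.VerifyPSS
}

func fingerprint(data []byte) [32]byte { return sha256.Sum256(data) }

// sealTo encrypts msg to pub. RSA-OAEP alone cannot carry a whole public key (claim 6 sends one),
// so the payload goes under a fresh AES-256-GCM key and only that key is RSA-wrapped.
func sealTo(pub *rsa.PublicKey, msg []byte) []byte {
	kn := make([]byte, 44) // 32-byte AES key followed by a 12-byte GCM nonce
	rand.Read(kn)
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, kn[:32], nil)
	if err != nil {
		panic(err) // only reachable with a malformed or absurdly small public key
	}
	block, _ := aes.NewCipher(kn[:32])
	gcm, _ := cipher.NewGCM(block)
	return append(append(wrapped, kn[32:]...), gcm.Seal(nil, kn[32:], msg, nil)...)
}

// openWith reverses sealTo and fails unless priv matches the key sealTo was given.
func openWith(priv *rsa.PrivateKey, ct []byte) ([]byte, error) {
	k := priv.Size()
	if len(ct) < k+12 {
		return nil, fmt.Errorf("ciphertext too short")
	}
	key, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, ct[:k], nil)
	if err != nil {
		return nil, err
	}
	block, _ := aes.NewCipher(key)
	gcm, _ := cipher.NewGCM(block)
	return gcm.Open(nil, ct[k:k+12], ct[k+12:], nil)
}

// recordDigest is the "information digest" of claim 3: a hash over the three mapped fields.
func recordDigest(m IdentityMapping) []byte {
	der, _ := x509.MarshalPKIXPublicKey(m.PublicKey)
	sum := sha256.Sum256(append(append([]byte(m.Address), der...), m.Fingerprint[:]...))
	return sum[:]
}

// Register runs claims 1-4 at the verification node. submitted is the public key from the first user
// information and holder is whoever answers the challenge; claim 4 exists to reject a mismatch.
func Register(node *rsa.PrivateKey, submitted *rsa.PublicKey, holder *rsa.PrivateKey, address string, identity []byte, chain map[string]IdentityMapping) error {
	r1, r2 := make([]byte, 16), make([]byte, 16) // r1 from the input device, r2 from the smart contract
	rand.Read(r1)
	rand.Read(r2)
	first := fingerprint(append(r1, r2...))                      // preset rule r3 = r1||r2, then the second hash
	echoed, err := openWith(holder, sealTo(submitted, first[:])) // first verification information, opened by the registrant
	third, _ := openWith(node, sealTo(&node.PublicKey, echoed))  // second information, opened back at the node
	if err != nil || string(third) != string(first[:]) {
		return fmt.Errorf("possession of the submitted private key not proven")
	}
	m := IdentityMapping{Address: address, PublicKey: submitted, Fingerprint: fingerprint(identity)}
	if m.Signature, err = rsa.SignPSS(rand.Reader, node, crypto.SHA256, recordDigest(m), nil); err != nil {
		return err
	}
	chain[address] = m // network broadcast of record plus signature, and block assembly, are out of scope
	return nil
}

// ProveIdentity runs claims 6-7 from the second user's side. holder plays the first user and answers
// with holderIdentity; only the fingerprint already on the chain decides whether that answer is believed.
func ProveIdentity(chain map[string]IdentityMapping, address string, second, holder *rsa.PrivateKey, holderIdentity []byte) (bool, error) {
	m, ok := chain[address]
	if !ok {
		return false, fmt.Errorf("no mapping for %s", address)
	}
	secondDER, _ := x509.MarshalPKIXPublicKey(&second.PublicKey)
	replyKey, _ := openWith(holder, sealTo(m.PublicKey, secondDER)) // identity verification request
	replyPub, err := x509.ParsePKIXPublicKey(replyKey)
	if err != nil {
		return false, nil // the responder could not open the request, so it does not hold the registered key
	}
	identity, err := openWith(second, sealTo(replyPub.(*rsa.PublicKey), holderIdentity)) // identity feedback
	if err != nil {
		return false, err
	}
	return fingerprint(identity) == m.Fingerprint, nil // claim 7: hash the answer and compare with the chain
}
```

Passing the responder's key explicitly is what makes the claim 4 round trip visible: a registrant who submits someone else's public key cannot open the challenge, so nothing reaches the chain, and a responder in ProveIdentity who does not hold the registered private key cannot read the second public key, so no usable feedback exists. Two points a deployment has to settle that the claims leave open: the first identity fingerprint is an unsalted hash of a name and an ID card number, an input space small enough that anyone holding the chain can confirm a guessed identity against a fingerprint offline; and, as claimed, the first user answers any request that carries a public key, so the identity behind an address is disclosed to whoever asks, with claim 8's third identity identifier being the hook for the first user to decide whom to answer.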
Priority Applications (2)

Application Number | Priority Date | Filing Date | Title
CN201811153209.6A (granted as CN109067801B) | 2018-09-29 | 2018-09-29 | Identity authentication method, identity authentication device and computer readable medium
CN201811153209.6 | 2018-09-29 | |

Publications (1)

Publication Number | Publication Date
WO2020062668A1 (en) | 2020-04-02

Family

ID=64766843

Family Applications (1)

Application Number | Title | Priority Date | Filing Date
PCT/CN2018/123518 (published as WO2020062668A1) | Identity authentication method, identity authentication device, and computer readable medium | 2018-09-29 | 2018-12-25

Country Status (2)

Country | Link
CN | CN109067801B (en)
WO | WO2020062668A1 (en)

Also Published As

Publication number Publication date
CN109067801B (en) 2021-09-03
CN109067801A (en) 2018-12-21

Legal Events

Date | Code | Title | Description
 | 121 | Ep: the epo has been informed by wipo that ep was designated in this application | Ref document number: 18935250; Country of ref document: EP; Kind code of ref document: A1
 | NENP | Non-entry into the national phase | Ref country code: DE
 | 122 | Ep: pct application non-entry in european phase | Ref document number: 18935250; Country of ref document: EP; Kind code of ref document: A1