WO2024036644A1 - Method and apparatus for acquiring signature information - Google Patents

Method and apparatus for acquiring signature information Download PDF

Info

Publication number
WO2024036644A1
WO2024036644A1 PCT/CN2022/113778 CN2022113778W WO2024036644A1 WO 2024036644 A1 WO2024036644 A1 WO 2024036644A1 CN 2022113778 W CN2022113778 W CN 2022113778W WO 2024036644 A1 WO2024036644 A1 WO 2024036644A1
Authority
WO
WIPO (PCT)
Prior art keywords
node
information
signature
terminal
fragment
Prior art date
Application number
PCT/CN2022/113778
Other languages
French (fr)
Chinese (zh)
Inventor
王东晖
刘斐
Original Assignee
华为技术有限公司
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by 华为技术有限公司 filed Critical 华为技术有限公司
Priority to PCT/CN2022/113778 priority Critical patent/WO2024036644A1/en
Publication of WO2024036644A1 publication Critical patent/WO2024036644A1/en

Links

Images

Classifications

    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/14Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols using a plurality of keys or algorithms
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/32Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials

Definitions

  • the present application relates to the field of communications, and in particular to methods and devices for obtaining signature information.
  • the terminal can access the network provided by the operator through the subscriber identity module (SIM) card. Specifically, the user selects an operator and purchases the corresponding SIM card.
  • SIM subscriber identity module
  • the root key of the SIM card is preset in the SIM card. Before the SIM card is used, the SIM card vendor can send the root key of the SIM card to the operator through the production network or offline. In this way, both the operator and the terminal have root keys that can be used for authentication.
  • the operator can perform authentication and authentication based on the root key of the SIM card, and provide network services to the terminal after successful authentication and authentication.
  • the SIM card is bound to the operator's network. If the user wants to switch networks, he needs to change the SIM card, which is very inconvenient and leads to poor user experience.
  • the embodiments of this application provide methods and devices for obtaining signature information, which can enable authentication between the terminal and the network based on the signature information without using the key in the SIM card for authentication, thus realizing the unbinding of the SIM card from the network.
  • a first aspect provides a method for obtaining signature information.
  • the communication device executing the method may be a first node; it may also be a module applied in the first node, such as a chip or a chip system.
  • the following description takes the execution subject as the first node as an example.
  • the method includes: obtaining the private key fragment of the first node and the key information of the terminal; signing the key information of the terminal according to the private key fragment of the first node to obtain the signature fragment of the first node, The signature fragment of the first node is used to determine signature information, and the signature information is used for authentication between the terminal and the first node.
  • the first node can obtain the private key fragment of the first node and the key information of the terminal, and sign the key information of the terminal according to the private key fragment of the first node to obtain the third A node’s signature shard. Since the signature fragment of the first node can determine the signature information used for authentication between the terminal and the first node, the terminal and the first node can be authenticated based on the signature information without using the key in the SIM card. Through authentication, the SIM card is unbound from the network. If the user wants to switch networks, there is no need to change the SIM card, allowing the terminal to flexibly access the network and improving the user experience.
  • the method further includes: obtaining N signature fragments, which correspond to Q nodes, and any signature fragment among the N signature fragments is generated using the signature fragment.
  • the private key fragment of the node corresponding to the fragment is obtained by signing the key information of the terminal.
  • N and Q are natural numbers, and Q is less than or equal to N; the signature fragment of the first node and the N signature fragments are used together. to determine the signature information.
  • the first node can obtain N signature fragments, and obtain the signature information based on the N signature fragments and the signature fragment of the first node, so that the first node can send the signature information to the terminal, or so that the third node can send the signature information to the terminal.
  • a node and terminal authenticate based on the signature information.
  • the signature information is also used for authentication between the terminal and the Q nodes.
  • the terminal and any one of the Q nodes can be authenticated based on the signature information.
  • the terminal can authenticate with Q nodes after obtaining the signature information once, which simplifies the authentication process between the terminal and the nodes.
  • obtaining N signature fragments includes: receiving the N signature fragments from the Q nodes.
  • the first node can obtain N signature fragments from Q nodes so that the first node can generate signature information.
  • the method before obtaining N signature fragments, further includes: sending first information to M nodes, where the first information includes the key information of the terminal, and the M nodes include the Q nodes, M is a natural number greater than or equal to Q.
  • the first node can send the key information of the terminal to M nodes, so that the M nodes generate corresponding signature fragments based on the key information of the terminal.
  • the method further includes: sending at least one of the following information to the M nodes: a verification result of the terminal's subscription information by the first node or a signature fragment of the first node.
  • the M nodes can determine whether the first node has successfully verified the terminal's subscription information based on the first node's verification result of the terminal's subscription information, and/or generate a signature based on the signature fragments of the first node. information.
  • N signature shards are stored in blockchain nodes.
  • N signature fragments can be uploaded to the chain to ensure that the N signature fragments are not tampered with and improve communication security.
  • the method before obtaining the N signature fragments, further includes: sending the terminal's key information and the signature fragment of the first node to the blockchain node.
  • the terminal's key information and the first node's signature fragments can be uploaded to the chain to ensure that the terminal's key information and the first node's signature fragments are not tampered with and improve communication security.
  • the method further includes: sending third information to the terminal, where the third information includes the signature information.
  • the terminal can obtain the signature information so that the terminal can authenticate with the node holding the signature information.
  • the method further includes: sending an identifier of the blockchain transaction corresponding to the signature information to the terminal.
  • the terminal can also obtain the identifier of the blockchain transaction corresponding to the signature information.
  • the terminal can carry the identifier when authenticating with the node holding the signature information, so that the node can query the blockchain to see whether the signature information corresponding to the identifier is the same as the signature information sent by the terminal to improve communication security.
  • obtaining the private key fragment of the first node includes: receiving the private key fragment of the first node from a third-party node.
  • the first node can obtain the private key fragment of the first node from the third party node, so that the first node signs the key information of the terminal based on the private key fragment of the first node.
  • the method further includes: receiving a first request from the terminal, the first request including the signature information and a first random number; and performing authentication with the terminal according to the first request.
  • the first node can authenticate with the terminal based on the signature information. In this way, there is no need to use the key in the SIM card for authentication between the first node and the terminal, thus realizing the unbinding of the SIM card from the network.
  • the first node is included in a node set, and the method further includes: obtaining a public key of the node set; authenticating with the terminal according to the first request, including: sending a third request to the terminal.
  • a message, the first message includes the certificate of the first node, first authentication information and a second random number, the first authentication information is obtained based on the private key of the first node and the first random number; received from The second message of the terminal, the second message includes second authentication information, the second authentication information is obtained according to the private key of the terminal and the second random number; according to the public key of the node set and the signature information, Obtain the key information of the terminal; authenticate the second authentication information according to the key information of the terminal.
  • double authentication can be performed between the first node and the terminal based on the public key and signature information of the node set to improve communication security.
  • the method further includes: sending a third message to the blockchain node, the third message being used to query the signature information; receiving the request from the terminal.
  • the fourth message of the blockchain node includes the signature information.
  • the first node can query the signature information in the blockchain, so that the first node can determine whether the signature information is the same as the signature information sent by the terminal, thereby improving communication security.
  • the second aspect provides a method for obtaining signature information.
  • the communication device that executes the method can be a terminal; it can also be a module applied in the terminal, such as a chip or a chip system.
  • the following description takes the execution subject as the terminal as an example.
  • the method includes: sending key information of the terminal to a first node; receiving third information from the first node, where the third information includes signature information, and the signature information is used for communication between the terminal and the first node.
  • the signature information is obtained based on N signature fragments and the signature fragment of the first node.
  • the signature fragment of the first node is the key information of the terminal using the private key of the first node.
  • the N signature fragments correspond to Q nodes, and any signature fragment among the N signature fragments is the key information of the terminal using the private key fragment of the node corresponding to the signature fragment.
  • N and Q are natural numbers, and Q is less than or equal to N.
  • the terminal can obtain the signature information.
  • the terminal and the first node can be authenticated based on the signature information without using the key in the SIM card for authentication. This realizes the unbinding of the SIM card from the network. If the user wants to switch networks, there is no need to change the SIM card. This enables terminals to flexibly access the network and improves user experience.
  • the method further includes: receiving an identifier of the blockchain transaction corresponding to the signature information from the first node.
  • the terminal can also obtain the identifier of the blockchain transaction corresponding to the signature information.
  • the terminal can carry the identifier when authenticating with the node holding the signature information, so that the node can query the blockchain to see whether the signature information corresponding to the identifier is the same as the signature information sent by the terminal to improve communication security.
  • the first node and the Q nodes are included in a node set
  • the method further includes: determining the node set according to a preset strategy, where the preset strategy includes at least one of the following: the terminal corresponds to The user's choice, the network access requirements of the nodes in the node set, the network scale of the network where the nodes in the node set are located, or the security level of the network where the nodes in the node set are located.
  • the terminal can determine the node set according to multiple methods, which improves the flexibility and diversity of the terminal in determining the node set.
  • the method further includes: sending a first request to the first node, the first request including the signature information and a first random number; and performing authentication with the first node according to the first request. .
  • the terminal and the first node can perform authentication based on the signature information. In this way, there is no need to use the key in the SIM card for authentication between the first node and the terminal, thus realizing the unbinding of the SIM card from the network.
  • performing authentication with the first node according to the first request includes: receiving a first message from the first node, the first message including a certificate of the first node, a first authentication information and a second random number.
  • the first authentication information is obtained based on the private key of the first node and the first random number; if the first authentication information is successfully authenticated, the second authentication information is sent to the first node.
  • the second message includes second authentication information, and the second authentication information is obtained according to the private key of the terminal and the second random number.
  • double authentication can be performed between the terminal and the first node to improve communication security.
  • a third aspect provides a communication device for implementing the method provided in the first aspect.
  • the communication device may be the first node in the above-mentioned first aspect, or a device including the above-mentioned first node.
  • the communication device includes modules, units, or means (means) corresponding to the method provided in the first aspect.
  • the modules, units, or means can be implemented by hardware, software, or by hardware executing corresponding software.
  • the hardware or software includes one or more modules or units corresponding to the above functions.
  • the communication device may include a processing module.
  • This processing module can be used to implement the processing functions in the above first aspect and any possible implementation manner thereof.
  • the processing module may be, for example, a processor.
  • the communication device further includes a transceiver module.
  • the transceiver module which may also be called a transceiver unit, is used to implement the sending and/or receiving functions in the above first aspect and any possible implementation thereof.
  • the transceiver module can be composed of a transceiver circuit, a transceiver, a transceiver or a communication interface.
  • the transceiver module includes a sending module and a receiving module, respectively configured to implement the sending and receiving functions in the above-mentioned first aspect and any possible implementation thereof.
  • the processing module is used to obtain the private key fragments of the communication device and the key information of the terminal; the processing module is also used to obtain the private key fragments of the communication device and the terminal.
  • the key information is signed to obtain signature fragments of the communication device.
  • the signature fragments of the communication device are used to determine signature information.
  • the signature information is used for authentication between the terminal and the communication device.
  • the processing module is also used to obtain N signature fragments, which correspond to Q nodes, and any signature fragment among the N signature fragments is generated using the The private key fragment of the node corresponding to the signature fragment is obtained by signing the key information of the terminal.
  • N and Q are natural numbers, and Q is less than or equal to N; the signature fragment of the communication device and the N signature fragments are the same Used to determine the signature information.
  • the signature information is also used for authentication between the terminal and the Q nodes.
  • the processing module is specifically configured to receive the N signature fragments from the Q nodes through the transceiver module.
  • the transceiver module is also configured to send first information, where the first information includes the key information of the terminal, to M nodes, where the M nodes include the Q nodes, and M is greater than Or a natural number equal to Q.
  • the transceiver module is also configured to send at least one of the following information to the M nodes: the communication device's verification result of the terminal's subscription information or the communication device's signature fragment.
  • the N signature shards are stored in the blockchain node.
  • the transceiver module is also used to send the key information of the terminal and the signature fragment of the communication device to the blockchain node.
  • the transceiver module is also configured to send third information to the terminal, where the third information includes the signature information.
  • the transceiver module is also used to send the identifier of the blockchain transaction corresponding to the signature information to the terminal.
  • the processing module is also configured to receive the private key fragment of the communication device from the third-party node through the transceiver module.
  • the transceiver module is also configured to receive a first request from the terminal, where the first request includes the signature information and a first random number; the processing module is also configured to receive a first request based on the first random number. Requests authentication with this terminal.
  • the communication device is included in a node set, and the processing module is also used to obtain the public key of the node set; the processing module is specifically used to send the first message to the terminal through the transceiver module.
  • message the first message includes the certificate of the communication device, first authentication information and a second random number, the first authentication information is obtained based on the private key of the communication device and the first random number;
  • the processing module further Specifically used to receive a second message from the terminal through the transceiver module, the second message includes second authentication information, the second authentication information is obtained according to the private key of the terminal and the second random number;
  • the processing module is also specifically configured to obtain the key information of the terminal based on the public key of the node set and the signature information; the processing module is also specifically configured to authenticate the second authentication information based on the key information of the terminal.
  • the transceiver module is also used to send a third message to the blockchain node, and the third message is used to query the signature information; the transceiver module is also used to receive data from the blockchain node.
  • the fourth message of the node includes the signature information.
  • a fourth aspect provides a communication device for implementing the method provided in the second aspect.
  • the communication device may be the terminal in the above second aspect, or a device including the above second node.
  • the communication device includes modules, units, or means (means) corresponding to the method provided in the second aspect.
  • the modules, units, or means can be implemented by hardware, software, or by hardware executing corresponding software.
  • the hardware or software includes one or more modules or units corresponding to the above functions.
  • the communication device may include a transceiver module.
  • the transceiver module which may also be called a transceiver unit, is used to implement the sending and/or receiving functions in the above second aspect and any possible implementation thereof.
  • the transceiver module can be composed of a transceiver circuit, a transceiver, a transceiver or a communication interface.
  • the communication device further includes a processing module.
  • This processing module can be used to implement the processing functions in the above second aspect and any possible implementation manner thereof.
  • the processing module may be, for example, a processor.
  • the transceiver module includes a sending module and a receiving module, respectively used to implement the sending and receiving functions in the above second aspect and any possible implementation thereof.
  • the transceiver module is used to send the key information of the communication device to the first node; the transceiver module is also used to receive third information from the first node.
  • the third information Including signature information, the signature information is used for authentication between the communication device and the first node.
  • the signature information is obtained based on N signature fragments and the signature fragments of the first node.
  • the signature of the first node The fragments are obtained by signing the key information of the communication device with the private key fragments of the first node.
  • the N signature fragments correspond to Q nodes. Any one of the N signature fragments is signed. It is obtained by signing the key information of the communication device with the private key fragment of the node corresponding to the signature fragment.
  • N and Q are natural numbers, and Q is less than or equal to N.
  • the transceiver module is also configured to receive the identifier of the blockchain transaction corresponding to the signature information from the first node.
  • the first node and the Q nodes are included in a node set
  • the processing module is configured to determine the node set according to a preset strategy, where the preset strategy includes at least one of the following: the The selection of the user corresponding to the communication device, the network access requirements of the nodes in the node set, the network scale of the network where the nodes in the node set are located, or the security level of the network where the nodes in the node set are located.
  • the transceiver module is also configured to send a first request to the first node, where the first request includes the signature information and a first random number; the processing module is also configured to send a first request to the first node according to the first random number. A request is made for authentication with the first node.
  • the processing module is specifically configured to receive a first message from the first node through the transceiver module.
  • the first message includes the certificate of the first node, the first authentication information and the second Random number, the first authentication information is obtained based on the private key of the first node and the first random number;
  • the processing module is also specifically configured to use the transceiver module when the first authentication information is authenticated successfully, A second message is sent to the first node, where the second message includes second authentication information, and the second authentication information is obtained according to the private key of the communication device and the second random number.
  • a fifth aspect provides a communication device, including: a processor; the processor is configured to be coupled to a memory, and after reading instructions in the memory, execute the method as described in any of the above aspects according to the instructions.
  • the communication device may be the first node in the first aspect, or a device including the first node; or the communication device may be a terminal in the second aspect, or a device including the terminal.
  • the communication device further includes a memory, and the memory is used to store necessary program instructions and data.
  • the communication device is a chip or a chip system.
  • the communication device when it is a chip system, it may be composed of a chip, or may include a chip and other discrete devices.
  • a sixth aspect provides a communication device, including: a processor and an interface circuit; the interface circuit is used to receive a computer program or instructions and transmit them to the processor; the processor is used to execute the computer program or instructions to enable the communication
  • the device performs the method described in any of the above aspects.
  • the communication device is a chip or a chip system.
  • the communication device when it is a chip system, it may be composed of a chip, or may include a chip and other discrete devices.
  • a computer-readable storage medium is provided. Instructions are stored in the computer-readable storage medium, and when run on a computer, the computer can perform the method described in any of the above aspects.
  • a computer program product containing instructions which, when run on a computer, enables the computer to execute the method described in any of the above aspects.
  • a ninth aspect provides a communication system, which includes a first node for performing the method described in the first aspect, and a terminal for performing the method described in the second aspect.
  • Figure 1 is a schematic diagram of the communication system architecture provided by an embodiment of the present application.
  • Figure 2 is a schematic diagram of the hardware structure of a communication device provided by an embodiment of the present application.
  • Figure 3 is a schematic flowchart 1 of a method for obtaining signature information provided by an embodiment of the present application
  • Figure 4 is a schematic flow chart of the authentication method provided by the embodiment of the present application.
  • Figure 5 is a schematic flowchart 2 of a method for obtaining signature information provided by an embodiment of the present application
  • Figure 6 is a schematic structural diagram of a communication device provided by an embodiment of the present application.
  • Figure 7 is a schematic second structural diagram of a communication device provided by an embodiment of the present application.
  • the blockchain is a tamper-proof technology guaranteed by a cryptographic mechanism.
  • blockchain nodes can run on physical nodes, or they can also run in a virtual environment in physical nodes without restrictions.
  • blockchain is a ledger technology.
  • the ledger is distributed and can be maintained simultaneously through multiple nodes.
  • the multiple nodes can use cryptography mechanisms to prevent the ledger from being tampered with.
  • a blockchain is a chained data structure that combines data blocks in a chronological manner and is cryptographically guaranteed to be an untamperable and unforgeable distributed ledger.
  • a blockchain system has multiple blockchain nodes, and since there is no centralized management organization in the blockchain, the blockchain nodes must reach a consensus on each block of information, that is, Each blockchain node stores the same blockchain information.
  • blockchain can serve as a unified trusted platform to realize the tracing of historical events and/or automated network management.
  • Blockchain can realize at least one of the following functions: log auditing, automated settlement, or secure access and verification, etc.
  • the blockchain can also have other naming methods, such as distributed ledger or ledger, etc., which are not limited.
  • Threshold signature is a multi-party signature technology.
  • the group includes n participants, and the weight of the threshold signature is t, that is, the threshold signature scheme of (n, t), which can mean that any t or more participants among the n participants can represent the entire group (i.e. n participants), a scheme that generates valid signatures.
  • each of n participants can hold one public key shard and one private key shard.
  • the public key of the group can be obtained (the public key of the group can also be called the system public key).
  • the private key of the group can be obtained (the private key of the group can also be called the system private key). Participants greater than or equal to t among n participants each sign the information with the private key fragments they hold, and the signature fragments of each participant can be obtained. By calculating these signature fragments according to the threshold signature algorithm, the signature information of the group can be obtained (the signature information of the group can also be called system signature information). The group's signature information can be verified using the group's public key.
  • threshold signatures were introduced using the example of each participant holding one public key shard and one private key shard.
  • the embodiments of this application may not limit the number of public key shards and/or the number of private key shards held by each participant.
  • each participant may hold at least one public key shard and at least one private key shard.
  • the number of public key shards held by different participants can be the same or different.
  • the number of private key shards held by different participants can be the same or different.
  • the group includes n participants. Each participant holds at least one public key shard and at least one private key shard.
  • the threshold signature scheme with a threshold signature weight of s can refer to n participants.
  • any s or more private key shards can represent the entire group (that is, n participants) and generate a valid signature scheme.
  • a group includes 5 participants, participants 1 to 4 each hold 1 public key shard and 1 private key shard, and participant 5 holds 1 public key shard and 2 Taking private key sharding as an example, if the weight is 4, then the private key sharding of participant 1, the private key sharding of participant 2, the private key sharding of participant 3 and the private key sharding of participant 4 can be Get the signature information of the group. Alternatively, the signature information of the group can be obtained based on any two private key fragments among participants 1 to 4 and the two private key fragments of participant 5.
  • the terminal can obtain the signature information of the group, and the participants in the group can obtain the public key of the group. In this way, terminals and participants in the group can be authenticated based on the group's signature information and the group's public key.
  • the method provided by the embodiments of this application can be used in various communication systems that can support threshold signature technology.
  • the following uses the communication system 10 shown in Figure 1 as an example to describe the method provided by the embodiment of the present application.
  • Figure 1 is only a schematic diagram and does not constitute a limitation on the applicable scenarios of the technical solution provided by this application.
  • the communication system 10 may include a node 101 and a terminal 102 that may communicate with the node 101 .
  • the communication system 10 also includes a node 103, and/or a blockchain node 104, and/or a node 105.
  • node 101, node 103 or node 105 may provide services for terminal 102.
  • node 101, node 103 or node 105 is a node in a network, and the network is an operator's network.
  • Node 101, node 103 or node 105 can provide access services for the terminal 102.
  • the operators corresponding to node 101, node 103 or node 105 may be the same or different.
  • the network to which node 101, node 103 or node 105 belongs can also be other types of networks, such as wireless local area networks, or networks corresponding to vertical applications (such as the Internet of Things), etc., without limitation.
  • node 101, node 103 or node 105 can be any device with wireless transceiver function, for example, it can be any access network device or core network device.
  • access network equipment includes but is not limited to: evolutionary base stations (NodeB or eNB or e-NodeB, evolutionary Node B) in long term evolution (long term evolution, LTE), base stations in new radio (NR) (gNodeB or gNB) or transceiver point (transmission receiving point/transmission reception point, TRP), the subsequent evolved base station of the 3rd generation partnership project (3GPP), the access node in the Wi-Fi system, Wireless relay nodes, wireless backhaul nodes, etc.
  • the base station can be: macro base station, micro base station, pico base station, small station, relay station, or balloon station, etc.
  • the access network device can also be a wireless controller in a cloud radio access network (CRAN) scenario.
  • the access network equipment may also be a centralized unit (CU) and/or a distributed unit (DU).
  • the access network device can also be a server, wearable device, machine communication device, or vehicle-mounted device, etc.
  • Core network equipment includes but is not limited to: access and mobility management function (AMF) network elements, session management function (SMF) network elements, user plane function (UPF) Network element, unified data management (UDM) network element, unified data repository (UDR) network element, network exposure function (NEF) network element or policy control function , PCF) network elements, etc.
  • AMF access and mobility management function
  • SMF session management function
  • UPF user plane function
  • UDM unified data management
  • UDR unified data repository
  • NEF network exposure function
  • PCF policy control function
  • the terminal in the embodiment of the present application may be a device with a wireless transceiver function.
  • Terminals can be deployed on land, including indoors or outdoors, handheld or vehicle-mounted; they can also be deployed on water (such as ships, etc.); they can also be deployed in the air (such as aircraft, balloons, satellites, etc.).
  • the terminal may also be called a terminal device, and the terminal device may be a user equipment (UE), where the UE includes a handheld device, a vehicle-mounted device, a wearable device or a computing device with wireless communication functions.
  • the UE may be a mobile phone, a tablet computer, or a computer with wireless transceiver functions.
  • the terminal device can also be a virtual reality (VR) terminal device, an augmented reality (AR) terminal device, a wireless terminal in industrial control, a wireless terminal in driverless driving, a wireless terminal in telemedicine, or a smart terminal.
  • VR virtual reality
  • AR augmented reality
  • the terminal may be a wearable device.
  • Wearable devices can also be called wearable smart devices. It is a general term for applying wearable technology to intelligently design daily wear and develop wearable devices, such as glasses, gloves, watches, clothing and shoes, etc.
  • a wearable device is a portable device that is worn directly on the body or integrated into the user's clothing or accessories.
  • a wearable device is not only a hardware device, but also a device that achieves powerful functions through software support, data interaction, and cloud interaction.
  • wearable smart devices include devices that are full-featured, large in size, and can achieve complete or partial functions without relying on smartphones, such as smart watches or smart glasses, as well as devices that only focus on a certain type of application function and need to be integrated with other devices such as Devices used with smartphones, such as various smart bracelets, smart jewelry, etc. for monitoring physical signs.
  • the terminal can be a terminal in the Internet of things (IoT) system.
  • IoT Internet of things
  • Its main technical feature is to connect objects to the network through communication technology, thereby realizing the realization of human An intelligent network that interconnects machines and things.
  • the terminal in this application may be a terminal in machine type communication (MTC).
  • MTC machine type communication
  • the terminal of this application may be a vehicle-mounted module, vehicle-mounted module, vehicle-mounted component, vehicle-mounted chip or vehicle-mounted unit built into the vehicle as one or more components or units.
  • the vehicle uses the built-in vehicle-mounted module, vehicle-mounted module, vehicle-mounted component , vehicle-mounted chip or vehicle-mounted unit can implement the method of this application.
  • the blockchain node 104 may be a node capable of applying blockchain technology.
  • the blockchain node 104 can protect the information in the node from being tampered with through a cryptographic mechanism.
  • the blockchain node 104 is a blockchain network element in the core network, or the blockchain node 104 is a node that can communicate with a ledger anchor function (LAF) network element in the core network. .
  • LAF ledger anchor function
  • the communication system 10 shown in FIG. 1 is only used as an example and is not used to limit the technical solution of the present application. Those skilled in the art should understand that during specific implementation, the communication system 10 may also include other devices, and the number of nodes, terminals or blockchain nodes may also be determined according to specific needs without limitation.
  • each network element or device (such as node 101, node 103, node 105, terminal 102 or blockchain node 104, etc.) in Figure 1 of the embodiment of this application can also be called a communication device, which can be a It may be a general-purpose device or a special-purpose device, which is not specifically limited in the embodiments of this application.
  • each network element or device (such as node 101, node 103, node 105, terminal 102 or blockchain node 104, etc.) in Figure 1 of the embodiment of this application can be implemented by one device, or can be implemented by It can be jointly implemented by multiple devices, or it can also be implemented by one or more functional modules in one device, which is not specifically limited in the embodiments of the present application.
  • the above functions can be either network elements in hardware devices, software functions running on dedicated hardware, or a combination of hardware and software, or virtualization instantiated on a platform (for example, a cloud platform) Function.
  • each network element or device in Figure 1 of the embodiment of this application can adopt the composition structure shown in Figure 2. Or include the components shown in Figure 2.
  • FIG. 2 shows a schematic diagram of the hardware structure of a communication device applicable to embodiments of the present application.
  • the communication device 20 includes at least one processor 201 and at least one communication interface 204, which are used to implement the method provided by the embodiment of the present application.
  • the communication device 20 may also include a communication line 202 and a memory 203 .
  • the processor 201 can be a general central processing unit (CPU), a microprocessor, an application-specific integrated circuit (ASIC), or one or more processors used to control the execution of the program of the present application. integrated circuit.
  • CPU central processing unit
  • ASIC application-specific integrated circuit
  • Communication line 202 may include a path, such as a bus, that carries information between the above-mentioned components.
  • Communication interface 204 is used to communicate with other devices or communication networks.
  • the communication interface 204 can be any device such as a transceiver, such as an Ethernet interface, a radio access network (RAN) interface, a wireless local area networks (WLAN) interface, a transceiver, and pins , bus, or transceiver circuit, etc.
  • RAN radio access network
  • WLAN wireless local area networks
  • the memory 203 may be a read-only memory (ROM) or other type of static storage device that can store static information and instructions, a random access memory (random access memory (RAM)) or other type that can store information and instructions.
  • a dynamic storage device can also be an electrically erasable programmable read-only memory (EEPROM), a compact disc read-only memory (CD-ROM) or other optical disk storage, optical disc storage (including compressed optical discs, laser discs, optical discs, digital versatile discs, Blu-ray discs, etc.), disk storage media or other magnetic storage devices, or can be used to carry or store desired program code in the form of instructions or data structures and can be used by a computer Any other medium for access, but not limited to this.
  • the memory may exist independently and be coupled to the processor 201 through a communication line 202.
  • the memory 203 may also be integrated with the processor 201.
  • the memory provided by the embodiment of the present application may generally be non-volatile.
  • the memory 203 is used to store computer execution instructions involved in executing the solutions provided by the embodiments of the present application, and the processor 201 controls the execution.
  • the processor 201 is used to execute computer execution instructions stored in the memory 203, thereby implementing the method provided by the embodiment of the present application.
  • the processor 201 may also perform processing-related functions in the methods provided in the following embodiments of the present application, and the communication interface 204 is responsible for communicating with other devices or communication networks. This application implements The example does not specifically limit this.
  • the computer-executed instructions in the embodiments of the present application may also be called application codes, which are not specifically limited in the embodiments of the present application.
  • the coupling in the embodiment of this application is an indirect coupling or communication connection between devices, units or modules, which may be in electrical, mechanical or other forms, and is used for information interaction between devices, units or modules.
  • the processor 201 may include one or more CPUs, such as CPU0 and CPU1 in FIG. 2 .
  • the communication device 20 may include multiple processors, such as the processor 201 and the processor 207 in FIG. 2 .
  • processors may be a single-CPU processor or a multi-CPU processor.
  • a processor here may refer to one or more devices, circuits, and/or processing cores for processing data (eg, computer program instructions).
  • the communication device 20 may also include an output device 205 and/or an input device 206.
  • Output device 205 is coupled to processor 201 and can display information in a variety of ways.
  • the output device 205 may be a liquid crystal display (LCD), a light emitting diode (LED) display device, a cathode ray tube (CRT) display device, or a projector (projector), etc.
  • the input device 206 is coupled to the processor 201 and can receive user input in a variety of ways.
  • the input device 206 may be a mouse, a keyboard, a touch screen device, a sensing device, or the like.
  • composition structure shown in Figure 2 does not constitute a limitation on the communication device.
  • the communication device may include more or fewer components than shown in the figure, or a combination of certain components. components, or different component arrangements.
  • A/B may indicate A or B; "and/or” may be used to describe There are three relationships between associated objects.
  • a and/or B can represent three situations: A exists alone, A and B exist simultaneously, and B exists alone.
  • a and B can be singular or plural.
  • expressions similar to "at least one of A, B and C" or "at least one of A, B or C” are often used to mean any of the following: A alone; B alone; alone C exists; A and B exist simultaneously; A and C exist simultaneously; B and C exist simultaneously; A, B, and C exist simultaneously.
  • the above is an example of three elements A, B and C to illustrate the optional items of this project. When there are more elements in the expression, the meaning of the expression can be obtained according to the aforementioned rules.
  • words such as “first” and “second” may be used to distinguish technical features with the same or similar functions.
  • the words “first”, “second” and other words do not limit the quantity and execution order, and the words “first” and “second” do not limit the number and execution order.
  • words such as “exemplary” or “for example” are used to express examples, illustrations or illustrations, and any embodiment or design solution described as “exemplary” or “for example” shall not be interpreted. To be more preferred or advantageous than other embodiments or designs.
  • the use of words such as “exemplary” or “such as” is intended to present related concepts in a concrete manner that is easier to understand.
  • an embodiment means that a particular feature, structure, or characteristic associated with the embodiment is included in at least one embodiment of the present application. Therefore, various embodiments are not necessarily referred to the same embodiment throughout this specification. Furthermore, the particular features, structures or characteristics may be combined in any suitable manner in one or more embodiments. It can be understood that in the various embodiments of the present application, the size of the sequence numbers of each process does not mean the order of execution. The execution order of each process should be determined by its functions and internal logic, and should not be determined by the execution order of the embodiments of the present application. The implementation process constitutes no limitation.
  • At the same time in this application can be understood as at the same point in time, within a period of time, or within the same cycle.
  • the first node and/or terminal and/or node 101 and/or node 103 and/or node 105 and/or terminal 102 can perform some or all of the steps in the embodiment of the present application, These steps are only examples, and the embodiments of the present application may also perform other steps or variations of various steps. In addition, various steps may be performed in a different order than those presented in the embodiments of the present application, and it may not be necessary to perform all the steps in the embodiments of the present application.
  • an embodiment of the present application provides a method for obtaining signature information.
  • the method may include the following steps:
  • the first node obtains the private key fragment of the first node and the key information of the terminal.
  • the first node may be the node 101 in the communication system 10 shown in FIG. 1
  • the terminal may be the terminal 102 in the communication system 10 shown in FIG. 1 .
  • the terminal's key information includes information that can be used for authentication with other nodes or devices, such as the terminal's public key.
  • the terminal's key information also includes the terminal's private key.
  • One possible implementation method is that the first node generates the first node's private key fragments by itself; or the first node pre-stores the first node's private key fragments, and the first node obtains the first node's private key fragments locally. key shard; alternatively, the first node receives the first node's private key shard from the third party node.
  • the third-party node is a trusted node and can generate the private key shards of the node for different nodes.
  • a third-party node can generate a private key shard for a node in a node collection.
  • a node set may include at least two nodes. At least two nodes include the first node.
  • a node set may also be called a node alliance or a node group, etc., without limitation.
  • the first node receives the key information of the terminal from the terminal; or, the first node receives the key of the terminal from other nodes in the node set except the first node (hereinafter referred to as other nodes). information; or, the first node obtains the terminal’s key information from the blockchain.
  • S302 The first node signs the key information of the terminal according to the private key fragment of the first node to obtain the signature fragment of the first node.
  • the first node uses the first node's private key fragment to sign the terminal's key information to obtain the first node's signature fragment.
  • the signature fragment of the first node can be used to determine the signature information of the node set (hereinafter referred to as signature information).
  • the signature information can be used for authentication between the terminal and the first node.
  • the signature fragment of the first node is used to determine the signature information together with the signature fragments of other nodes.
  • This signature information can also be used for authentication between the terminal and other nodes. It can be understood that the node holding the public key of the node set can authenticate with the terminal based on the signature information.
  • the actions of the first node in the above-mentioned S301-S302 can be executed by the processor 201 in the communication device 20 shown in FIG. 2 by calling the application code stored in the memory 203.
  • This embodiment of the present application does not impose any restrictions on this. .
  • the first node can obtain the private key fragment of the first node and the key information of the terminal, and sign the key information of the terminal according to the private key fragment of the first node to obtain the first The node’s signature shard. Since the signature fragment of the first node can determine the signature information used for authentication between the terminal and the first node, the terminal and the first node can be authenticated based on the signature information without using the key in the SIM card. Through authentication, the SIM card is unbound from the network. If the user wants to switch networks, there is no need to change the SIM card, allowing the terminal to flexibly access the network and improving the user experience.
  • the first node obtains N signature fragments.
  • the signature fragment of the first node and the N signature fragments are jointly used to determine the signature information.
  • N signature fragments correspond to Q nodes, and any signature fragment among the N signature fragments is obtained by signing the terminal's key information with the private key fragment of the node corresponding to the signature fragment.
  • N and Q are natural numbers, and Q is less than or equal to N.
  • Q nodes are included in the node set. That is to say, the nodes in the node set can use threshold signature to sign the key information of the terminal to obtain the signature information. This signature information can be verified using the public key of the node collection. Therefore, if a node in the node set holds the public key of the node set, the terminal can be authenticated. In other words, the signature information is also used for authentication between the terminal and Q nodes.
  • the weight of the threshold signature is less than or equal to N+1.
  • the first node obtains N signature shards directly from Q nodes; or, the first node obtains N signature shards through the blockchain.
  • the first node receives N signed shards from Q nodes.
  • N signature shards are stored in the blockchain node, and the first node obtains them from the blockchain node.
  • the blockchain node may be the blockchain node 104 in the communication system 10 shown in FIG. 1 .
  • node 1 uses its own The private key fragment signs the key information of the terminal, obtains the signature fragment of node 1, and sends the signature fragment of node 1 to the first node.
  • Node 2 uses its own private key fragment to sign the terminal's key information, obtains the signature fragment of node 2, and sends the signature fragment of node 2 to the first node.
  • Node 3 uses its two private key fragments to sign the key information of the terminal respectively, obtains signature fragment 1 of node 3 and signature fragment 2 of node 3, and sends signature fragment 1 and signature to the first node Shard 2.
  • the first node calculates the signature fragment of the first node, the signature fragment of node 1, the signature fragment of node 2, the signature fragment 1 and the signature fragment 2 according to the threshold signature algorithm, and obtains Signature information.
  • node 1 and node 2 have one private key fragment
  • node 3 has two private key fragments
  • Node 2 and node 3 are both nodes in the blockchain.
  • node 1 uses its own private key fragment to sign the key information of the terminal to obtain the signature fragment of node 1.
  • Use the first node on the chain to The public key of node 1 encrypts the signature fragment and publishes the encrypted information on the chain.
  • Node 2 uses its own private key fragment to sign the key information of the terminal, and obtains the signature fragment of node 2. It uses the public key of the first node on the chain to encrypt the signature fragment of node 2, and then encrypts the signature fragment.
  • Node 3 uses its own two private key fragments to sign the key information of the terminal respectively, and obtains the signature fragment 1 of node 3 and the signature fragment 2 of node 3, and signs the pair with the public key of the first node on the chain.
  • Shard 1 and signature shard 2 are encrypted and the encrypted information is published on the chain.
  • the first node decrypts the information with its own private key on the chain. It can obtain the signature fragment of node 1, the signature fragment of node 2, the signature fragment 1 and the signature fragment 2, and then use the threshold
  • the signature algorithm calculates the signature fragment of the first node, the signature fragment of node 1, the signature fragment of node 2, the signature fragment 1 and the signature fragment 2 to obtain the signature information.
  • node 1 and node 2 have one private key shard
  • node 3 has two private key shards
  • node 1 and node 2 have one private key shard
  • node 3 has two private key shards
  • node 1 and node 2 have two private key shards
  • node 1 and node 2 have two private key shards
  • node 1 and node 2 have two private key shards
  • node 1 and node 2 Both node 3 and node 3 are nodes in the blockchain.
  • the first node may be a blockchain node or not a blockchain node.
  • node 1 uses its own private key shard to sign the terminal’s key information to obtain the node 1’s signature fragment
  • use the public key of the blockchain node on the chain to encrypt the signature fragment of node 1, and publish the encrypted information on the chain.
  • Node 2 uses its own private key fragment to sign the key information of the terminal to obtain the signature fragment of node 2.
  • Node 3 uses its own two private key fragments to sign the key information of the terminal respectively, and obtains the signature fragment 1 of node 3 and the signature fragment 2 of node 3, using the public key pair of the blockchain node on the chain.
  • Signature Shard 1 and Signature Shard 2 encrypt and publish the encrypted information on the chain.
  • the blockchain node uses its own private key on the chain to decrypt the information. It can obtain the signature fragment of node 1, the signature fragment of node 2, the signature fragment 1 and the signature fragment 2, and send it to The first node sends these signed shards.
  • the first node uses the threshold signature algorithm to calculate the signature fragment of the first node, the signature fragment of node 1, the signature fragment of node 2, the signature fragment 1 and the signature fragment 2, and obtain Signature information.
  • the first node sends the first information to M nodes.
  • the first information includes key information of the terminal.
  • M nodes include Q nodes, M is a natural number greater than or equal to Q, and M nodes are included in the node set. That is to say, the first node can send the terminal's key information to M nodes to trigger the M nodes to sign the terminal's key information according to their own private key fragments to obtain corresponding signature fragments.
  • the first node when the number of signature fragments obtained by the first node is greater than or equal to the authority of the threshold signature, the first node can obtain the signature information. Therefore, some of the M nodes can sign the terminal's key information based on their own private key fragments to obtain the corresponding signature fragments. It is possible that all M nodes do not need to obtain their own signature fragments.
  • the first node can directly send the first information to the M nodes, or send the first information to the M nodes through the blockchain.
  • the first node sends the first information to the blockchain node.
  • the blockchain node After receiving the first information, the blockchain node uploads the first information to the chain and sends the first information to M nodes.
  • the first node obtains the subscription information of the terminal and verifies the terminal according to the subscription information of the terminal.
  • the subscription information of the terminal may include information related to the terminal's subscription with the network to which the nodes in the node set belong.
  • the terminal's subscription information may include at least one of the following: the terminal's contract time, the validity period of the terminal's contract, information about the package contracted by the terminal, the terminal's identification, the identification of the SIM card in the terminal or the identification of the user corresponding to the terminal (such as user’s ID number).
  • the information on the package contracted by the terminal may include traffic information and/or call time, etc.
  • the first node can verify whether the terminal can register to the network based on the above information. For example, if the validity period of the terminal subscription has expired, the first node determines that the verification failed and the terminal cannot be registered in the network. For another example, if the identification of the SIM card is illegal, the first node determines that the verification failed and the terminal cannot be registered in the network.
  • the first node receives subscription information from a terminal of a terminal, or the first node receives subscription information from a terminal of another node.
  • the first node also sends at least one of the following information to the M nodes: the first node's verification result of the terminal's subscription information, the first node's signature fragment, or the terminal's subscription information.
  • the verification result may include verification success or verification failure. It can be understood that the above-mentioned at least one kind of information may be included in the first information, or may be included in other information and sent to M nodes, without limitation.
  • the first node sends the verification result of the terminal's subscription information by the first node to M nodes, so that the node that receives the verification result can determine whether the first node successfully verified the terminal.
  • the node that receives the verification result can sign the terminal's key information based on its own private key fragments to obtain the corresponding signature fragments; if the first node verifies the terminal If it fails, the node that receives the verification result may not generate signature fragments.
  • the first node sends the signature fragments of the first node to M nodes, so that the nodes that receive the signature fragments can obtain signature information based on the signature fragments.
  • the first node sends the terminal's subscription information to M nodes, so that the nodes that receive the subscription information can verify the terminal based on the subscription information.
  • the first node directly sends the above-mentioned at least one kind of information to the M nodes; or the first node sends the above-mentioned at least one kind of information to the M nodes through the blockchain.
  • the first node sends third information to the terminal.
  • the terminal receives the third information from the first node.
  • the third information includes signature information.
  • the terminal can obtain the signature information and perform authentication with the first node based on the signature information.
  • the first node also obtains the identifier of the blockchain transaction corresponding to the signature information.
  • the identification includes the address of the blockchain transaction corresponding to the signature information.
  • the first node also sends the identifier of the blockchain transaction corresponding to the signature information to the terminal.
  • the terminal receives the identifier of the blockchain transaction corresponding to the signature information from the first node.
  • the first node also sends signature information to other nodes.
  • other nodes receive the signature information from the first node. In this way, other nodes do not need to generate signature information themselves.
  • the first node can directly send signature information to other nodes, or the first node can send signature information to other nodes through the blockchain.
  • the following describes the specific process of authentication between the terminal and the first node based on the signature information.
  • an authentication method is provided in an embodiment of the present application.
  • the method may include the following steps:
  • S401 The first node obtains signature information.
  • the first node may be the node 101 in the communication system 10 shown in FIG. 1 .
  • the first node obtains the signature information through the method shown in Figure 3. For example, the first node obtains the signature information based on the signature fragment of the first node and N signature fragments; or, the first node obtains the signature information. Receive signature information from other nodes; alternatively, the first node receives signature information from the blockchain node. Alternatively, the first node obtains the signature information through other methods, which is not restricted.
  • S402 The terminal obtains signature information.
  • the terminal may be the terminal 102 in the communication system 10 shown in FIG. 1 .
  • the terminal obtains signature information through the method shown in Figure 3.
  • the terminal receives signature information from the first node or other nodes.
  • the terminal obtains the signature information through other methods, which is not restricted.
  • S401 may be executed first and then S402, or S402 may be executed first and then S401, or S401 and S402 may be executed simultaneously.
  • the terminal determines a node set according to a preset policy.
  • the preset strategy includes at least one of the following: selection of the user corresponding to the terminal, network access requirements of the nodes in the node set, the network scale of the network where the nodes in the node set are located, or the security level of the network where the nodes in the node set are located. .
  • the user selects a node set through software on the terminal, and in response to the user's operation, the terminal determines the node set.
  • the terminal determines the node set based on the network access requirements of the nodes in the node set, such as traffic requirements, and/or call time requirements, etc., for example, the terminal selects the node set where the node that best meets the user's needs is located. Or, the terminal selects the node set where the node with the largest network scale is located. Alternatively, the terminal selects a node set including a large number of nodes with a large network scale. Or, the terminal selects the node set where the node with the highest security level is located. Alternatively, the terminal selects a node set including a larger number of nodes with higher security levels.
  • S403 The terminal and the first node perform authentication based on the signature information.
  • the terminal and the first node can be authenticated through S4031-S4032.
  • S4031 The terminal sends the first request to the first node.
  • the first node receives the first request from the terminal.
  • the first request may include signature information and a first random number.
  • the first random number may be generated by the terminal, or obtained by the terminal from other devices.
  • the terminal also sends at least one of the following information to the first node: the identification of the terminal (such as the international mobile equipment identity (IMEI) or the serial number of the terminal), information about the signature algorithm supported by the terminal, or The identifier of the blockchain transaction corresponding to the signature information.
  • the first node receives at least one of the above information from the terminal.
  • At least one kind of information may be included in the first request and sent to the first node, or may be sent to the first node through other information, without limitation.
  • S4032 The first node authenticates with the terminal according to the first request.
  • the first node sends the first message to the terminal.
  • the first message may include the certificate of the first node, the first authentication information and the second random number.
  • the first authentication information is obtained based on the private key of the first node and the first random number.
  • the first node signs the first random number with the first node's private key to obtain the first authentication information.
  • the first node uses a signature algorithm supported by the terminal to sign the first random number with the private key of the first node to obtain the first authentication information.
  • the terminal sends the second message to the first node.
  • the second message includes second authentication information, and the second authentication information is obtained based on the terminal's private key and the second random number.
  • the terminal verifies the validity of the first node's certificate, verifies the first authentication information based on the first node's public key, and sends the first node to the first node when the first node's certificate is valid and the first authentication information is successfully verified.
  • Second news After receiving the second message, the first node obtains the key information of the terminal based on the public key and signature information of the node set, and authenticates the second authentication information based on the key information of the terminal. For example, the first node verifies the signature information according to the public key of the node set. If the verification is successful, the first node obtains the key information of the terminal, for example, obtains the public key of the terminal, and authenticates the second authentication information according to the public key of the terminal.
  • first authentication information and second random number of the first node may be included in the first message and sent to the terminal, or may be included in different messages and sent to the terminal, without limitation.
  • the first node sends the authentication result to the terminal.
  • the terminal receives the authentication result from the first node.
  • the authentication result includes authentication failure or authentication success.
  • the first node fails to verify the signature information based on the public key of the node set, the first node sends the authentication result to the terminal to indicate to the terminal that the first node has failed to authenticate the terminal. Or, if the first node fails to authenticate the second authentication information, the first node sends the authentication result to the terminal to indicate to the terminal that the first node fails to authenticate the terminal. Alternatively, if the first node successfully authenticates the second authentication information, the first node sends the authentication result to the terminal to indicate to the terminal that the first node successfully authenticates the terminal.
  • the first node also verifies the signature information through the blockchain.
  • the first node after receiving the identifier of the blockchain transaction corresponding to the signature information from the terminal, the first node sends the third message to the blockchain node.
  • the third message can be used to query signature information.
  • the third message includes the identification of the blockchain transaction corresponding to the signature information.
  • the blockchain node After receiving the third message, the blockchain node sends the fourth message to the first node.
  • the fourth message includes the signature information queried based on the above identification. In this way, the first node can verify whether the signature information sent by the terminal is correct based on the signature information included in the fourth message, so as to further improve communication security.
  • the actions of the first node or terminal in the above-mentioned S401-S403 can be executed by the processor 201 in the communication device 20 shown in FIG. 2 by calling the application code stored in the memory 203.
  • This embodiment of the present application does not do this. Any restrictions.
  • the terminal and the first node can be authenticated based on signature information without using the key in the SIM card for authentication. This realizes the unbinding of the SIM card from the network. If the user wants to switch networks, There is no need to replace the SIM card, allowing the terminal to flexibly access the network and improving user experience.
  • the terminal switches among nodes in the node set, for example, after the terminal switches from the first node to the second node, the terminal can still authenticate with the second node based on the signature information without needing to obtain the signature information again, which simplifies Certification process.
  • the nodes in the node set obtain their own private key fragments and the public key of the node set.
  • the third-party node determines the private key of the node set and the public key of the node set, determines the private key fragments of the nodes in the node set based on the private key of the node set, and sends the node's private key to the corresponding node.
  • the private key shard and the public key of the node collection It can be understood that the third-party node can encrypt the private key fragments and the public key of the node set before sending them, for example, encrypt them with the public key of the receiving node and then send them.
  • the third-party node determines the weight of the threshold signature and/or the corresponding weight of the node in the node set.
  • the third-party node determines the private key of the node set and the public key of the node set, it uses an algorithm to calculate the private key of the node set and obtains the node 1's private key.
  • the private key fragment, the private key fragment of node 2 and the private key fragment of node 3 determine the weight of the threshold signature based on the information of the node set, and send the private key fragment of node 1 and the public key of the node set to node 1 and the weight of the threshold signature, send the private key fragment of node 2, the public key of the node set and the weight of the threshold signature to node 2, and send the private key fragment of node 3, the public key of the node set and the threshold signature to node 3 Weights.
  • the third-party node also determines the weight corresponding to node 1, the weight corresponding to node 2, and the weight corresponding to node 3 based on the information of the node set, and sends the above weights to node 1, node 2, and node 3.
  • the information about the node set may include information about the network scale of the network where the nodes in the node set are located, and/or the information about the security level of the network where the nodes in the node set are located.
  • node 1 After node 1 receives the private key fragment of node 1, the public key of the node collection and the weight S of the threshold signature, it can know that it can obtain the signature information of the node collection using S signature fragments. According to the node collection The public key verifies the signed information. If node 1 also receives the weight Y corresponding to node 1, the weight Z corresponding to node 2, and the weight G corresponding to node 3, then node 1 can determine that the signature fragment of node 1 can be equivalent to Y signature fragments, and that of node 2 A signature shard can be equivalent to Z signature shards, and the signature shard of node 3 can be equivalent to G signature shards.
  • node 1 determines that the signature information can be obtained by using 2 signature fragments, for example, node 1
  • the signature information can be obtained based on the signature fragment of node 1 and the signature fragment of node 2, or the signature information can be obtained by node 1 based on the signature fragment of node 1 and the signature fragment of node 3.
  • node 1 determines that the signature information can be obtained by using 3 signature fragments. For example, node 1 can obtain the signature information based on the signature fragment of node 1 and the signature fragment of node 2. Signature information, or node 1 can obtain the signature information based on the signature fragment of node 1 and the signature fragment of node 3.
  • node 2 After node 2 receives the private key fragment of node 2, the public key of the node set, and the weight S of the threshold signature, it can perform similar operations to node 1. After receiving the private key fragment of node 3, the public key of the node set, and the weight S of the threshold signature, node 3 can perform similar operations to node 1. No further details will be given here.
  • the third-party node can also determine the public key shard of the node for the node in the node set.
  • the nodes in the node set determine their corresponding weights based on the network scale of the network where they are located and/or the security level of the network where they are located, and send the weights to third-party nodes.
  • the third-party node determines the private key of the node set and the public key of the node set, and after receiving the weight, determines the weight of the private key fragmentation and threshold signature of the nodes in the node set based on the weight, and sends the weight to the corresponding node.
  • the third-party node can also re-determine the weights corresponding to the nodes in the node set, and send the re-determined weights to the nodes in the node set.
  • the third-party node can also determine the public key shard of the node for the node in the node set.
  • the nodes in the node set generate the private key fragments and public key fragments of the node, and send their own public key fragments to the nodes in the node set. In this way, each node receives the public key fragments of other nodes and can obtain the public key of the node set.
  • the nodes in the node set determine the weight of the signature threshold based on the number of nodes in the node set. For example, if the node combination includes 10 nodes, the weight of the signature threshold can be greater than or equal to 5.
  • the nodes in the node set also determine their own corresponding weights, and the weight of the signature threshold is also determined based on the number of nodes in the node set and the weight corresponding to each node.
  • node 1 determines the private key fragment of node 1, the public key fragment of node 1 and the weight Y corresponding to node 1, and sends the information to node 2 and node 3.
  • Node 2 determines the private key fragment of node 2, the public key fragment of node 2 and the weight Z corresponding to node 2, and sends the public key fragment of node 2 and the weight Z corresponding to node 2 to node 1 and node 3.
  • Node 3 determines the private key fragment of node 3, the public key fragment of node 3 and the weight G corresponding to node 3, and sends the public key fragment of node 3 and the weight G corresponding to node 3 to node 1 and node 2.
  • the weight of the signature threshold can be determined to be 3, and the public key of the node set can be obtained based on the public key fragmentation of node 1 and the public key fragmentation of node 2, or based on the public key fragmentation of node 1 and the public key fragmentation of node 3. Get the public key of the node set.
  • the following takes the node set including node 101, node 103 and node 105 in Figure 1 as an example to introduce the method of obtaining signature information provided by the embodiment of the present application and the authentication method provided by the embodiment of the present application. Specifically, reference may be made to the method shown in Figure 5 below.
  • an embodiment of the present application provides a method for obtaining signature information.
  • the method may include the following steps:
  • Node 101 obtains the private key fragment of node 101, the public key of the node set, and the weight of the threshold signature.
  • Node 103 obtains the private key fragment of node 103, the public key of the node set, and the weight of the threshold signature.
  • Node 105 obtains the private key fragment of node 105, the public key of the node set, and the weight of the threshold signature.
  • the embodiment of the present application does not limit the execution order of S501-S503. For example, you can execute S501 first, then S502, and finally S503, or execute S502 first, then S503, and finally S501, or execute S503 first, then S502, and finally S501, or execute S503 first, and then S501. Finally execute S502, or execute S501-S503 at the same time and so on.
  • node 101, and/or node 103, and/or node 105 are nodes in the blockchain, or node 101, node 103, and node 105 are not nodes in the blockchain, No restrictions.
  • the terminal 102 sends the key information of the terminal 102 and the subscription information of the terminal 102 to the node 101.
  • the node 101 receives the key information of the terminal 102 and the subscription information of the terminal 102 from the terminal 102 .
  • the terminal 102 determines a node set according to a preset policy, and sends the key information of the terminal 102 and the subscription information of the terminal 102 to the nodes in the node set, such as the node 101.
  • the terminal 102 after determining the node set, obtains a subscription (profile) template corresponding to the node set, and fills in relevant information in the template in response to the user's input to obtain the subscription information of the terminal 102.
  • a subscription (profile) template corresponding to the node set
  • the terminal 102 generates the public key of the terminal 102 and the private key of the terminal 102.
  • the terminal 102 also sends the identifier of the node set to the node 101 to indicate to the node 101 the node set determined by the terminal 102.
  • the key information of the terminal 102, and/or the subscription information of the terminal 102, and/or the identity of the node set is sent by the terminal 102 to the node 101 through Wi-Fi or a traditional hard card. .
  • Node 101 signs the key information of terminal 102 according to the private key fragment of node 101, and obtains the signature fragment of node 101.
  • node 101 verifies terminal 102 based on the contract information of terminal 102. After successful verification, it signs the key information of terminal 102 based on the private key fragments of node 101 to obtain the signature fragments of node 101.
  • Node 101 sends the key information of terminal 102 to node 103 and node 105.
  • the node 103 and the node 105 receive the key information from the terminal 102 of the node 101.
  • the node 101 obtains the nodes in the node set, such as node 103 and node 105, based on the identifier of the node set, and sends the terminal to node 103 and node 105. 102 key information.
  • the node 101 also sends the subscription information of the terminal 102 to the node 103 and the node 105, and/or the verification result of the subscription information of the terminal 102 by the node 101, and/or the signature fragment of the node 101.
  • the key information of the terminal 102, and/or the subscription information of the terminal 102, and/or the verification results of the node 101 on the subscription information of the terminal 102, and/or the signature fragments of the node 101 can be stored in in the blockchain.
  • node 101 encrypts the above information with the public key of node 103 on the chain to obtain encrypted information 1, and publishes it on the blockchain Encrypted information 1.
  • Node 101 also encrypts the above information with the public key of node 105 on the chain to obtain encrypted information 2, and publishes encrypted information 2 on the blockchain.
  • node 103 receives the encrypted information 1
  • it decrypts the information according to the private key of node 103 on the chain to obtain the above information.
  • node 105 receives the encrypted information 2 it can decrypt the information according to the private key of node 105 on the chain to obtain the above information.
  • node 101 in addition to sending the above information to node 103 and node 105, also sends the above information to blockchain node 104, so that the blockchain Node 104 stores the above information in the blockchain.
  • Node 103 sends the signature fragment of node 103 to node 101.
  • node 101 receives node 103's signature fragment from node 103.
  • node 103 verifies terminal 102 based on the contract information of terminal 102. After successful verification, it signs the key information of terminal 102 based on the private key fragments of node 103 to obtain the signature fragments of node 103. And send the signature fragment of node 103 to node 101.
  • node 103 also sends the signature fragment of node 103 to node 105.
  • node 105 receives the signed fragment of node 103 from node 103 .
  • signature fragments of node 103 can also be stored in the blockchain.
  • Node 105 sends the signature fragment of node 105 to node 101.
  • node 101 receives the signed fragment of node 105 from node 105 .
  • the node 105 verifies the terminal 102 based on the contract information of the terminal 102. After the verification is successful, it signs the key information of the terminal 102 based on the private key fragments of the node 105 to obtain the signature fragments of the node 105. And send the signature fragment of node 105 to node 101.
  • node 105 also sends the signature fragment of node 105 to node 103.
  • node 103 receives the signed fragment of node 105 from node 105 .
  • signature fragments of node 105 can also be stored in the blockchain.
  • S507 may be executed first and then S508, or S508 may be executed first and then S507, or S507 and S508 may be executed simultaneously.
  • Node 101 obtains the signature information of the node set.
  • One possible implementation method is that if the weight of the threshold signature is 2, node 101 obtains the signature information based on the signature fragment of node 101 and the signature fragment of node 103, or node 101 obtains the signature information based on the signature fragment of node 101 and node 105. Signature fragments to obtain signature information.
  • the signature information can be stored in the blockchain. For example, if the node 101 is a node in the blockchain, the node 101 uploads the signature information to the blockchain. If the node 101 is not a node in the blockchain, the node 101 sends the signature information to the blockchain node 104.
  • Node 101 sends signature information to terminal 102.
  • the terminal 102 receives the signature information from the node 101.
  • the node 101 also sends the identifier of the blockchain transaction corresponding to the signature information to the terminal 102.
  • the terminal 102 can perform authentication with the nodes in the node set based on the signature information.
  • the following takes the authentication between terminal 102 and node 103 as an example to introduce, specifically including the following S511-S512:
  • S511 The terminal 102 sends the first request to the node 103.
  • node 103 receives the first request from terminal 102.
  • S512 The node 103 authenticates with the terminal 102 according to the first request.
  • the terminal 102 can perform authentication based on the signature information and the node.
  • the actions of the node 101 or the node 103 or the node 105 or the terminal 102 in the above-mentioned S501-S512 can be executed by the processor 201 in the communication device 20 shown in Figure 2 by calling the application code stored in the memory 203.
  • This application The embodiment does not impose any restrictions on this.
  • the terminal 102 can obtain signature information that can be authenticated with the nodes in the node set without using the key in the SIM card for authentication, thus unbinding the SIM card from the network. If the user If you want to switch networks, you don't need to change the SIM card, which allows the terminal to flexibly access the network and improves the user experience. In addition, if the terminal 102 switches among nodes in the node set, for example, after the terminal 102 switches from node 103 to node 105, the terminal 102 can still authenticate with the node 105 based on the signature information without needing to obtain the signature information again, which simplifies Certification process.
  • the methods and/or steps implemented by the first node can also be implemented by components (such as chips or circuits) available for the first node; the methods and/or steps implemented by the terminal, It can also be implemented by components (such as chips or circuits) that can be used in terminals.
  • embodiments of the present application also provide a communication device, which may be the first node in the above method embodiment, or a device including the above first node, or a component usable for the first node; or, the communication device
  • the communication device may be the terminal in the above method embodiment, or a device including the above terminal, or a component that can be used in the terminal.
  • the above-mentioned first node or terminal includes hardware structures and/or software modules corresponding to each function.
  • Embodiments of the present application can divide the first node or terminal into functional modules according to the above method examples.
  • each functional module can be divided corresponding to each function, or two or more functions can be integrated into one processing module.
  • the above integrated modules can be implemented in the form of hardware or software function modules. It can be understood that the division of modules in the embodiment of the present application is schematic and is only a logical function division. In actual implementation, there may be other division methods.
  • FIG. 6 shows a schematic structural diagram of a communication device 60 .
  • the communication device 60 includes a processing module 601.
  • the communication device 60 also includes a transceiver module 602.
  • the processing module 601 which may also be called a processing unit, is used to perform operations other than sending and receiving operations, and may be, for example, a processing circuit or a processor.
  • the transceiver module 602, which may also be called a transceiver unit, is used to perform transceiver operations, and may be, for example, a transceiver circuit, transceiver, transceiver, or communication interface.
  • the communication device 60 may also include a storage module (not shown in FIG. 6) for storing program instructions and data.
  • the communication device 60 is used to implement the function of the first node.
  • the communication device 60 is, for example, the first node described in the embodiment shown in FIG. 3 , the embodiment shown in FIG. 4 or the embodiment shown in FIG. 5 .
  • the processing module 601 is used to obtain the private key fragments of the communication device 60 and the key information of the terminal.
  • the processing module 601 may be used to perform S301.
  • the processing module 601 is also configured to sign the key information of the terminal according to the private key fragment of the communication device 60 to obtain the signature fragment of the communication device 60 .
  • the signature fragment of the communication device 60 is used to determine signature information, and the signature information is used for authentication between the terminal and the communication device 60 .
  • the processing module 601 can also be used to perform S302.
  • the processing module 601 is also used to obtain N signature fragments, which correspond to Q nodes, and any signature fragment among the N signature fragments is generated using the The private key fragment of the node corresponding to the signature fragment is obtained by signing the key information of the terminal.
  • N and Q are natural numbers, and Q is less than or equal to N; the signature fragment of the communication device 60 and the N signature fragments are used together to determine the signature information.
  • the signature information is also used for authentication between the terminal and the Q nodes.
  • the processing module 601 is specifically configured to receive the N signature fragments from the Q nodes through the transceiver module 602.
  • the transceiver module 602 is also configured to send first information, where the first information includes the key information of the terminal, to M nodes, which include the Q nodes, and M is greater than Or a natural number equal to Q.
  • the transceiver module 602 is also configured to send at least one of the following information to the M nodes: the verification result of the terminal's subscription information by the communication device 60 or the signature fragment of the communication device 60 .
  • the N signature shards are stored in the blockchain node.
  • the transceiver module 602 is also used to send the terminal's key information and the signature fragment of the communication device 60 to the blockchain node.
  • the transceiving module 602 is also configured to send third information to the terminal, where the third information includes the signature information.
  • the transceiver module 602 is also configured to send the identifier of the blockchain transaction corresponding to the signature information to the terminal.
  • the processing module 601 is also configured to receive the private key fragment of the communication device 60 from a third-party node through the transceiver module 602.
  • the transceiver module 602 is also configured to receive a first request from the terminal, where the first request includes the signature information and a first random number; the processing module 601 is also configured to receive a request based on the first request. Requests authentication with this terminal.
  • the communication device 60 is included in the node set, and the processing module 601 is also used to obtain the public key of the node set; the processing module 601 is specifically used to send the first message to the terminal through the transceiver module 602. message, the first message includes the certificate of the communication device 60, first authentication information and a second random number, the first authentication information is obtained according to the private key of the communication device 60 and the first random number; processing module 601 , and is also specifically used to receive a second message from the terminal through the transceiver module 602. The second message includes second authentication information.
  • the second authentication information is obtained according to the private key of the terminal and the second random number; processing Module 601 is also specifically configured to obtain the key information of the terminal based on the public key of the node set and the signature information; the processing module 601 is also specifically configured to authenticate the second authentication information based on the key information of the terminal.
  • the transceiver module 602 is also used to send a third message to the blockchain node, where the third message is used to query the signature information; the transceiver module 602 is also used to receive messages from the blockchain node.
  • the fourth message of the node includes the signature information.
  • the communication device 60 can take the form shown in FIG. 2 .
  • the processor 201 in Figure 2 can cause the communication device 60 to execute the method described in the above method embodiment by calling the computer execution instructions stored in the memory 203.
  • the functions/implementation processes of the processing module 601 and the transceiver module 602 in Figure 6 can be implemented by the processor 201 in Figure 2 calling computer execution instructions stored in the memory 203.
  • the function/implementation process of the processing module 601 in Figure 6 can be implemented by the processor 201 in Figure 2 calling the computer execution instructions stored in the memory 203.
  • the function/implementation process of the transceiver module 602 in Figure 6 can be implemented by Figure 6 It is implemented by the communication interface 204 in 2.
  • FIG. 7 shows a schematic structural diagram of a communication device 70 .
  • the communication device 70 includes a transceiver module 701.
  • the communication device 70 also includes a processing module 702.
  • the transceiver module 701 which may also be called a transceiver unit, is used to perform transceiver operations.
  • it may be a transceiver circuit, a transceiver, a transceiver or a communication interface.
  • the processing module 702 which may also be called a processing unit, is used to perform operations other than sending and receiving operations, and may be, for example, a processing circuit or a processor.
  • the communication device 70 may also include a storage module (not shown in Figure 7) for storing program instructions and data.
  • the communication device 70 is used to implement the functions of the terminal.
  • the communication device 70 is, for example, the terminal described in the embodiment shown in FIG. 4 or the embodiment shown in FIG. 5 .
  • the transceiver module 701 is used to send the key information of the communication device 70 to the first node.
  • the transceiver module 701 is also used to receive the third information from the first node.
  • the third information includes signature information.
  • the signature information is used for authentication between the communication device 70 and the first node.
  • the signature information is obtained based on N signature fragments and the signature fragment of the first node.
  • the signature fragment of the first node is obtained by signing the key information of the communication device 70 with the private key fragment of the first node, the N signature fragments correspond to Q nodes, and the N signature fragments Any signature fragment in the slice is obtained by signing the key information of the communication device 70 with the private key fragment of the node corresponding to the signature fragment.
  • N and Q are natural numbers, and Q is less than or equal to N.
  • the transceiving module 701 is also configured to receive the identification of the blockchain transaction corresponding to the signature information from the first node.
  • the first node and the Q nodes are included in a node set.
  • the processing module 702 is configured to determine the node set according to a preset strategy.
  • the preset strategy includes at least one of the following: the user's selection corresponding to the communication device 70, the network access requirements of the nodes in the node set, and the location of the nodes in the node set.
  • the transceiver module 701 is also configured to send a first request to the first node, where the first request includes the signature information and the first random number; the processing module 702 is also configured to send a first request to the first node according to the first random number. A request is made for authentication with the first node.
  • the processing module 702 is specifically configured to receive a first message from the first node through the transceiver module 701.
  • the first message includes the certificate of the first node, the first authentication information and the second Random number, the first authentication information is obtained based on the private key of the first node and the first random number;
  • the processing module 702 is also specifically configured to use the transceiver module 701 when the first authentication information is authenticated successfully,
  • a second message is sent to the first node.
  • the second message includes second authentication information.
  • the second authentication information is obtained according to the private key of the communication device 70 and the second random number.
  • the communication device 70 may take the form shown in FIG. 2 .
  • the processor 201 in Figure 2 can cause the communication device 70 to execute the method described in the above method embodiment by calling the computer execution instructions stored in the memory 203.
  • the functions/implementation processes of the transceiver module 701 and the processing module 702 in Figure 7 can be implemented by the processor 201 in Figure 2 calling computer execution instructions stored in the memory 203.
  • the function/implementation process of the processing module 702 in Figure 7 can be implemented by the processor 201 in Figure 2 calling the computer execution instructions stored in the memory 203.
  • the function/implementation process of the transceiver module 701 in Figure 7 can be implemented by Figure 7 It is implemented by the communication interface 204 in 2.
  • the above modules or units can be implemented in software, hardware, or a combination of both.
  • the software exists in the form of computer program instructions and is stored in the memory.
  • the processor can be used to execute the program instructions and implement the above method flow.
  • the processor can be built into an SoC (System on a Chip) or ASIC, or it can be an independent semiconductor chip.
  • the processor can further include necessary hardware accelerators, such as field programmable gate array (FPGA), PLD (programmable logic device) , or a logic circuit that implements dedicated logic operations.
  • FPGA field programmable gate array
  • PLD programmable logic device
  • the hardware can be a CPU, a microprocessor, a digital signal processing (DSP) chip, a microcontroller unit (MCU), an artificial intelligence processor, an ASIC, Any one or any combination of SoC, FPGA, PLD, dedicated digital circuits, hardware accelerators or non-integrated discrete devices, which can run the necessary software or not rely on software to perform the above method flow.
  • DSP digital signal processing
  • MCU microcontroller unit
  • embodiments of the present application also provide a chip system, including: at least one processor and an interface.
  • the at least one processor is coupled to the memory through the interface.
  • the at least one processor executes the computer program or instructions in the memory
  • the chip system further includes a memory.
  • the chip system may be composed of chips, or may include chips and other discrete devices, which is not specifically limited in the embodiments of the present application.
  • embodiments of the present application also provide a computer-readable storage medium. All or part of the processes in the above method embodiments can be completed by instructing relevant hardware through a computer program.
  • the program can be stored in the above computer-readable storage medium. When executed, the program can include the processes of the above method embodiments. .
  • the computer-readable storage medium may be an internal storage unit of the communication device of any of the aforementioned embodiments, such as a hard disk or memory of the communication device.
  • the above-mentioned computer-readable storage medium may also be an external storage device of the above-mentioned communication device, such as a plug-in hard disk, a smart media card (SMC), a secure digital (SD) card equipped on the above-mentioned communication device, Flash card, etc.
  • SMC smart media card
  • SD secure digital
  • the computer-readable storage medium may also include both an internal storage unit of the communication device and an external storage device.
  • the above-mentioned computer-readable storage medium is used to store the above-mentioned computer program and other programs and data required by the above-mentioned communication device.
  • the above-mentioned computer-readable storage media can also be used to temporarily store data that has been output or is to be output.
  • the embodiment of the present application also provides a computer program product. All or part of the processes in the above method embodiments can be completed by instructing relevant hardware through a computer program.
  • the program can be stored in the above computer program product. When executed, the program can include the processes of the above method embodiments.
  • the embodiment of the present application also provides a computer instruction. All or part of the processes in the above method embodiments can be completed by computer instructions to instruct related hardware (such as computers, processors, access network equipment, mobility management network elements or session management network elements, etc.).
  • the program may be stored in the above-mentioned computer-readable storage medium or in the above-mentioned computer program product.
  • this embodiment of the present application also provides a communication system, including: the first node and the terminal in the above embodiment.
  • the disclosed devices and methods can be implemented in other ways.
  • the device embodiments described above are only illustrative.
  • the division of modules or units is only a logical function division.
  • there may be other division methods for example, multiple units or components may be The combination can either be integrated into another device, or some features can be omitted, or not implemented.
  • the coupling or direct coupling or communication connection between each other shown or discussed may be through some interfaces, and the indirect coupling or communication connection of the devices or units may be in electrical, mechanical or other forms.
  • the units described as separate components may or may not be physically separated.
  • the components shown as units may be one physical unit or multiple physical units, that is, they may be located in one place, or they may be distributed to multiple different places. . Some or all of the units can be selected according to actual needs to achieve the purpose of the solution of this embodiment.
  • each functional unit in each embodiment of the present application can be integrated into one processing unit, each unit can exist physically alone, or two or more units can be integrated into one unit.
  • the above integrated units can be implemented in the form of hardware or software functional units.

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Telephonic Communication Services (AREA)

Abstract

The present application relates to the field of communications. Disclosed are a method and apparatus for acquiring signature information. In the method, a first node can acquire a private-key fragment of the first node and key information of a terminal, and can sign the key information of the terminal according to the private key fragment of the first node, so as to obtain a signature fragment of the first node, wherein the signature fragment of the first node is used for determining signature information, the signature information being used for performing authentication between the terminal and the first node. By means of the method, authentication can be performed between a terminal and a first node according to signature information, without the need for using a key in a SIM card to perform authentication, such that the SIM card is unbound from a network, and if a user wants to perform network switching, it is not necessary to replace the SIM card, such that the terminal can flexibly access the network, thereby improving the user experience.

Description

获取签名信息的方法及装置Method and device for obtaining signature information 技术领域Technical field
本申请涉及通信领域,尤其涉及获取签名信息的方法及装置。The present application relates to the field of communications, and in particular to methods and devices for obtaining signature information.
背景技术Background technique
在通信系统中,终端可通过用户身份识别模块(subscriber identity module,SIM)卡接入运营商提供的网络。具体来说,用户选择运营商并购买对应的SIM卡。SIM卡中预置了该SIM卡的根密钥。SIM卡商在SIM卡被使用前,可通过生产网或者离线的方式将SIM卡的根密钥发送给运营商。如此,运营商和终端都有了可用于认证的根密钥。终端入网时,运营商可基于SIM卡的根密钥进行认证鉴权,并在认证鉴权成功后为终端提供网络服务。In the communication system, the terminal can access the network provided by the operator through the subscriber identity module (SIM) card. Specifically, the user selects an operator and purchases the corresponding SIM card. The root key of the SIM card is preset in the SIM card. Before the SIM card is used, the SIM card vendor can send the root key of the SIM card to the operator through the production network or offline. In this way, both the operator and the terminal have root keys that can be used for authentication. When a terminal connects to the network, the operator can perform authentication and authentication based on the root key of the SIM card, and provide network services to the terminal after successful authentication and authentication.
通过以上描述可知,SIM卡是与运营商的网络绑定的,若用户想切换网络,需要更换SIM卡,十分不便,用户体验差。As can be seen from the above description, the SIM card is bound to the operator's network. If the user wants to switch networks, he needs to change the SIM card, which is very inconvenient and leads to poor user experience.
发明内容Contents of the invention
本申请实施例提供获取签名信息的方法及装置,可以使得终端和网络之间根据签名信息进行认证,而不需要使用SIM卡中的密钥进行认证,实现了SIM卡与网络解绑。The embodiments of this application provide methods and devices for obtaining signature information, which can enable authentication between the terminal and the network based on the signature information without using the key in the SIM card for authentication, thus realizing the unbinding of the SIM card from the network.
为达到上述目的,本申请的实施例采用如下技术方案:In order to achieve the above objectives, the embodiments of the present application adopt the following technical solutions:
第一方面,提供了一种获取签名信息的方法,执行该方法的通信装置可以为第一节点;也可以为应用于第一节点中的模块,例如芯片或芯片系统。下面以执行主体为第一节点为例进行描述。该方法包括:获取第一节点的私钥分片和终端的密钥信息;根据该第一节点的私钥分片对该终端的密钥信息进行签名,得到该第一节点的签名分片,该第一节点的签名分片用于确定签名信息,该签名信息用于该终端与该第一节点之间进行认证。A first aspect provides a method for obtaining signature information. The communication device executing the method may be a first node; it may also be a module applied in the first node, such as a chip or a chip system. The following description takes the execution subject as the first node as an example. The method includes: obtaining the private key fragment of the first node and the key information of the terminal; signing the key information of the terminal according to the private key fragment of the first node to obtain the signature fragment of the first node, The signature fragment of the first node is used to determine signature information, and the signature information is used for authentication between the terminal and the first node.
基于上述第一方面提供的方法,第一节点可获取第一节点的私钥分片和终端的密钥信息,并根据第一节点的私钥分片对终端的密钥信息进行签名,得到第一节点的签名分片。由于第一节点的签名分片能够确定用于终端与第一节点之间进行认证的签名信息,所以终端和第一节点之间可根据签名信息进行认证,而不需要使用SIM卡中的密钥进行认证,实现了SIM卡与网络解绑,用户若想切换网络,不需要更换SIM卡,使得终端能够灵活入网,提高了用户体验。Based on the method provided in the first aspect, the first node can obtain the private key fragment of the first node and the key information of the terminal, and sign the key information of the terminal according to the private key fragment of the first node to obtain the third A node’s signature shard. Since the signature fragment of the first node can determine the signature information used for authentication between the terminal and the first node, the terminal and the first node can be authenticated based on the signature information without using the key in the SIM card. Through authentication, the SIM card is unbound from the network. If the user wants to switch networks, there is no need to change the SIM card, allowing the terminal to flexibly access the network and improving the user experience.
在一种可能的实现方式中,该方法还包括:获取N个签名分片,该N个签名分片对应Q个节点,该N个签名分片中的任意一个签名分片是用该签名分片对应的节点的私钥分片对该终端的密钥信息进行签名得到的,N和Q为自然数,Q小于或等于N;该第一节点的签名分片和该N个签名分片共同用于确定该签名信息。In a possible implementation, the method further includes: obtaining N signature fragments, which correspond to Q nodes, and any signature fragment among the N signature fragments is generated using the signature fragment. The private key fragment of the node corresponding to the fragment is obtained by signing the key information of the terminal. N and Q are natural numbers, and Q is less than or equal to N; the signature fragment of the first node and the N signature fragments are used together. to determine the signature information.
基于上述可能的实现方式,第一节点可以获取N个签名分片,根据N个签名分片和第一节点的签名分片得到签名信息,以便第一节点将签名信息发送给终端,或者以 便第一节点和终端根据该签名信息进行认证。Based on the above possible implementation, the first node can obtain N signature fragments, and obtain the signature information based on the N signature fragments and the signature fragment of the first node, so that the first node can send the signature information to the terminal, or so that the third node can send the signature information to the terminal. A node and terminal authenticate based on the signature information.
在一种可能的实现方式中,该签名信息还用于该终端与该Q个节点之间进行认证。In a possible implementation, the signature information is also used for authentication between the terminal and the Q nodes.
基于上述可能的实现方式,终端与Q个节点中的任意一个节点都可以根据签名信息进行认证。这样,终端获取一次签名信息就可以和Q个节点进行认证,简化了终端与节点之间的认证流程。Based on the above possible implementation methods, the terminal and any one of the Q nodes can be authenticated based on the signature information. In this way, the terminal can authenticate with Q nodes after obtaining the signature information once, which simplifies the authentication process between the terminal and the nodes.
在一种可能的实现方式中,获取N个签名分片,包括:接收来自该Q个节点的该N个签名分片。In a possible implementation manner, obtaining N signature fragments includes: receiving the N signature fragments from the Q nodes.
基于上述可能的实现方式,第一节点可以从Q个节点上获取N个签名分片,以便第一节点生成签名信息。Based on the above possible implementation, the first node can obtain N signature fragments from Q nodes so that the first node can generate signature information.
在一种可能的实现方式中,在获取N个签名分片之前,该方法还包括:向M个节点发送第一信息,该第一信息包括该终端的密钥信息,该M个节点包括该Q个节点,M为大于或等于Q的自然数。In a possible implementation, before obtaining N signature fragments, the method further includes: sending first information to M nodes, where the first information includes the key information of the terminal, and the M nodes include the Q nodes, M is a natural number greater than or equal to Q.
基于上述可能的实现方式,第一节点可以向M个节点发送终端的密钥信息,以便M个节点根据终端的密钥信息生成对应的签名分片。Based on the above possible implementation manner, the first node can send the key information of the terminal to M nodes, so that the M nodes generate corresponding signature fragments based on the key information of the terminal.
在一种可能的实现方式中,该方法还包括:向M个节点发送以下至少一种信息:该第一节点对该终端的签约信息的验证结果或该第一节点的签名分片。In a possible implementation, the method further includes: sending at least one of the following information to the M nodes: a verification result of the terminal's subscription information by the first node or a signature fragment of the first node.
基于上述可能的实现方式,M个节点可以根据第一节点对终端的签约信息的验证结果确定第一节点对终端的签约信息是否验证成功,和/或,根据第一节点的签名分片生成签名信息。Based on the above possible implementation, the M nodes can determine whether the first node has successfully verified the terminal's subscription information based on the first node's verification result of the terminal's subscription information, and/or generate a signature based on the signature fragments of the first node. information.
在一种可能的实现方式中,N个签名分片存储在区块链节点中。In one possible implementation, N signature shards are stored in blockchain nodes.
基于上述可能的实现方式,可将N个签名分片上链,以确保N个签名分片不被篡改,提高通信安全。Based on the above possible implementation methods, N signature fragments can be uploaded to the chain to ensure that the N signature fragments are not tampered with and improve communication security.
在一种可能的实现方式中,在获取该N个签名分片之前,该方法还包括:向该区块链节点发送该终端的密钥信息和该第一节点的签名分片。In a possible implementation, before obtaining the N signature fragments, the method further includes: sending the terminal's key information and the signature fragment of the first node to the blockchain node.
基于上述可能的实现方式,可将终端的密钥信息和第一节点的签名分片上链,以确保终端的密钥信息和第一节点的签名分片不被篡改,提高通信安全。Based on the above possible implementation, the terminal's key information and the first node's signature fragments can be uploaded to the chain to ensure that the terminal's key information and the first node's signature fragments are not tampered with and improve communication security.
在一种可能的实现方式中,该方法还包括:向该终端发送第三信息,该第三信息包括该签名信息。In a possible implementation, the method further includes: sending third information to the terminal, where the third information includes the signature information.
基于上述可能的实现方式,终端可以获取到签名信息,以便终端与持有签名信息的节点进行认证。Based on the above possible implementation, the terminal can obtain the signature information so that the terminal can authenticate with the node holding the signature information.
在一种可能的实现方式中,若该签名信息存储在区块链节点中,该方法还包括:向终端发送该签名信息对应的区块链交易的标识。In a possible implementation, if the signature information is stored in the blockchain node, the method further includes: sending an identifier of the blockchain transaction corresponding to the signature information to the terminal.
基于上述可能的实现方式,终端还可以获取到签名信息对应的区块链交易的标识。这样,终端在与持有签名信息的节点进行认证时,可携带该标识,以便该节点在区块链中查询该标识对应的签名信息和终端发送的签名信息是否相同,以提高通信安全。Based on the above possible implementation methods, the terminal can also obtain the identifier of the blockchain transaction corresponding to the signature information. In this way, the terminal can carry the identifier when authenticating with the node holding the signature information, so that the node can query the blockchain to see whether the signature information corresponding to the identifier is the same as the signature information sent by the terminal to improve communication security.
在一种可能的实现方式中,获取第一节点的私钥分片,包括:接收来自第三方节点的该第一节点的私钥分片。In a possible implementation, obtaining the private key fragment of the first node includes: receiving the private key fragment of the first node from a third-party node.
基于上述可能的实现方式,第一节点可从第三方节点处获取到第一节点的私钥分片,以便第一节点基于第一节点的私钥分片对终端的密钥信息进行签名。Based on the above possible implementation manner, the first node can obtain the private key fragment of the first node from the third party node, so that the first node signs the key information of the terminal based on the private key fragment of the first node.
在一种可能的实现方式中,该方法还包括:接收来自该终端的第一请求,该第一请求包括该签名信息和第一随机数;根据该第一请求与该终端进行认证。In a possible implementation, the method further includes: receiving a first request from the terminal, the first request including the signature information and a first random number; and performing authentication with the terminal according to the first request.
基于上述可能的实现方式,第一节点可根据签名信息与终端认证。这样,第一节点和终端之间不需要使用SIM卡中的密钥进行认证,实现了SIM卡与网络解绑。Based on the above possible implementation, the first node can authenticate with the terminal based on the signature information. In this way, there is no need to use the key in the SIM card for authentication between the first node and the terminal, thus realizing the unbinding of the SIM card from the network.
在一种可能的实现方式中,该第一节点包括在节点集合中,该方法还包括:获取该节点集合的公钥;根据该第一请求与该终端进行认证,包括:向该终端发送第一消息,该第一消息包括该第一节点的证书、第一认证信息和第二随机数,该第一认证信息是根据该第一节点的私钥和该第一随机数得到的;接收来自该终端的第二消息,该第二消息包括第二认证信息,该第二认证信息是根据该终端的私钥和该第二随机数得到的;根据该节点集合的公钥和该签名信息,得到该终端的密钥信息;根据该终端的密钥信息认证该第二认证信息。In a possible implementation, the first node is included in a node set, and the method further includes: obtaining a public key of the node set; authenticating with the terminal according to the first request, including: sending a third request to the terminal. A message, the first message includes the certificate of the first node, first authentication information and a second random number, the first authentication information is obtained based on the private key of the first node and the first random number; received from The second message of the terminal, the second message includes second authentication information, the second authentication information is obtained according to the private key of the terminal and the second random number; according to the public key of the node set and the signature information, Obtain the key information of the terminal; authenticate the second authentication information according to the key information of the terminal.
基于上述可能的实现方式,第一节点和终端之间可根据节点集合的公钥和签名信息进行双重认证,以提高通信安全。Based on the above possible implementation, double authentication can be performed between the first node and the terminal based on the public key and signature information of the node set to improve communication security.
在一种可能的实现方式中,在该接收来自该终端的第一请求之后,该方法还包括:向区块链节点发送第三消息,该第三消息用于查询该签名信息;接收来自该区块链节点的第四消息,该第四消息包括该签名信息。In a possible implementation, after receiving the first request from the terminal, the method further includes: sending a third message to the blockchain node, the third message being used to query the signature information; receiving the request from the terminal. The fourth message of the blockchain node includes the signature information.
基于上述可能的实现方式,第一节点可以在区块链中查询该签名信息,以便第一节点确定该签名信息与终端发送的签名信息是否相同,从而提高通信安全。Based on the above possible implementation, the first node can query the signature information in the blockchain, so that the first node can determine whether the signature information is the same as the signature information sent by the terminal, thereby improving communication security.
第二方面,提供了一种获取签名信息的方法,执行该方法的通信装置可以为终端;也可以为应用于终端中的模块,例如芯片或芯片系统。下面以执行主体为终端为例进行描述。该方法包括:向第一节点发送该终端的密钥信息;接收来自该第一节点的第三信息,该第三信息包括签名信息,该签名信息用于该终端与该第一节点之间进行认证,该签名信息是根据N个签名分片和该第一节点的签名分片得到的,该第一节点的签名分片是用该第一节点的私钥分片对该终端的密钥信息进行签名得到的,该N个签名分片对应Q个节点,该N个签名分片中的任意一个签名分片是用该签名分片对应的节点的私钥分片对该终端的密钥信息进行签名得到的,N和Q为自然数,Q小于或等于N。The second aspect provides a method for obtaining signature information. The communication device that executes the method can be a terminal; it can also be a module applied in the terminal, such as a chip or a chip system. The following description takes the execution subject as the terminal as an example. The method includes: sending key information of the terminal to a first node; receiving third information from the first node, where the third information includes signature information, and the signature information is used for communication between the terminal and the first node. Authentication, the signature information is obtained based on N signature fragments and the signature fragment of the first node. The signature fragment of the first node is the key information of the terminal using the private key of the first node. Obtained by signing, the N signature fragments correspond to Q nodes, and any signature fragment among the N signature fragments is the key information of the terminal using the private key fragment of the node corresponding to the signature fragment. From the signature, N and Q are natural numbers, and Q is less than or equal to N.
基于上述第二方面提供的方法,终端可获得签名信息。这样,终端和第一节点之间可根据签名信息进行认证,而不需要使用SIM卡中的密钥进行认证,实现了SIM卡与网络解绑,用户若想切换网络,不需要更换SIM卡,使得终端能够灵活入网,提高了用户体验。Based on the method provided in the second aspect above, the terminal can obtain the signature information. In this way, the terminal and the first node can be authenticated based on the signature information without using the key in the SIM card for authentication. This realizes the unbinding of the SIM card from the network. If the user wants to switch networks, there is no need to change the SIM card. This enables terminals to flexibly access the network and improves user experience.
在一种可能的实现方式中,该方法还包括:接收来自第一节点的该签名信息对应的区块链交易的标识。In a possible implementation, the method further includes: receiving an identifier of the blockchain transaction corresponding to the signature information from the first node.
基于上述可能的实现方式,终端还可以获取到签名信息对应的区块链交易的标识。这样,终端在与持有签名信息的节点进行认证时,可携带该标识,以便该节点在区块链中查询该标识对应的签名信息和终端发送的签名信息是否相同,以提高通信安全。Based on the above possible implementation methods, the terminal can also obtain the identifier of the blockchain transaction corresponding to the signature information. In this way, the terminal can carry the identifier when authenticating with the node holding the signature information, so that the node can query the blockchain to see whether the signature information corresponding to the identifier is the same as the signature information sent by the terminal to improve communication security.
在一种可能的实现方式中,第一节点和该Q个节点包括在节点集合中,该方法还包括:根据预设策略确定该节点集合,该预设策略包括以下至少一项:该终端对应的用户的选择、该节点集合中节点的入网需求、该节点集合中节点所在网络的组网规模 或该节点集合中节点所在网络的安全等级。In a possible implementation, the first node and the Q nodes are included in a node set, and the method further includes: determining the node set according to a preset strategy, where the preset strategy includes at least one of the following: the terminal corresponds to The user's choice, the network access requirements of the nodes in the node set, the network scale of the network where the nodes in the node set are located, or the security level of the network where the nodes in the node set are located.
基于上述可能的实现方式,终端可根据多种方式确定节点集合,提高了终端确定节点集合的灵活性和多样性。Based on the above possible implementation methods, the terminal can determine the node set according to multiple methods, which improves the flexibility and diversity of the terminal in determining the node set.
在一种可能的实现方式中,该方法还包括:向该第一节点发送第一请求,该第一请求包括该签名信息和第一随机数;根据该第一请求与该第一节点进行认证。In a possible implementation, the method further includes: sending a first request to the first node, the first request including the signature information and a first random number; and performing authentication with the first node according to the first request. .
基于上述可能的实现方式,终端和第一节点可根据签名信息进行认证。这样,第一节点和终端之间不需要使用SIM卡中的密钥进行认证,实现了SIM卡与网络解绑。Based on the above possible implementation, the terminal and the first node can perform authentication based on the signature information. In this way, there is no need to use the key in the SIM card for authentication between the first node and the terminal, thus realizing the unbinding of the SIM card from the network.
在一种可能的实现方式中,根据该第一请求与该第一节点进行认证,包括:接收来自该第一节点的第一消息,该第一消息包括该第一节点的证书、第一认证信息和第二随机数,该第一认证信息是根据该第一节点的私钥和该第一随机数得到的;在该第一认证信息认证成功的情况下,向该第一节点发送第二消息,该第二消息包括第二认证信息,该第二认证信息是根据该终端的私钥和该第二随机数得到的。In a possible implementation, performing authentication with the first node according to the first request includes: receiving a first message from the first node, the first message including a certificate of the first node, a first authentication information and a second random number. The first authentication information is obtained based on the private key of the first node and the first random number; if the first authentication information is successfully authenticated, the second authentication information is sent to the first node. message, the second message includes second authentication information, and the second authentication information is obtained according to the private key of the terminal and the second random number.
基于上述可能的实现方式,终端和第一节点之间可进行双重认证,以提高通信安全。Based on the above possible implementation methods, double authentication can be performed between the terminal and the first node to improve communication security.
第三方面,提供了一种通信装置用于实现上述第一方面提供的方法。该通信装置可以为上述第一方面中的第一节点,或者包含上述第一节点的装置。该通信装置包括实现上述第一方面提供的方法相应的模块、单元、或手段(means),该模块、单元、或means可以通过硬件实现,软件实现,或者通过硬件执行相应的软件实现。该硬件或软件包括一个或多个与上述功能相对应的模块或单元。A third aspect provides a communication device for implementing the method provided in the first aspect. The communication device may be the first node in the above-mentioned first aspect, or a device including the above-mentioned first node. The communication device includes modules, units, or means (means) corresponding to the method provided in the first aspect. The modules, units, or means can be implemented by hardware, software, or by hardware executing corresponding software. The hardware or software includes one or more modules or units corresponding to the above functions.
在一种可能的实现方式中,该通信装置可以包括处理模块。该处理模块,可以用于实现上述第一方面及其任意可能的实现方式中的处理功能。该处理模块例如可以为处理器。In a possible implementation, the communication device may include a processing module. This processing module can be used to implement the processing functions in the above first aspect and any possible implementation manner thereof. The processing module may be, for example, a processor.
在一种可能的实现方式中,该通信装置还包括收发模块。该收发模块,也可以称为收发单元,用以实现上述第一方面及其任意可能的实现方式中的发送和/或接收功能。该收发模块可以由收发电路,收发机,收发器或者通信接口构成。In a possible implementation, the communication device further includes a transceiver module. The transceiver module, which may also be called a transceiver unit, is used to implement the sending and/or receiving functions in the above first aspect and any possible implementation thereof. The transceiver module can be composed of a transceiver circuit, a transceiver, a transceiver or a communication interface.
在一种可能的实现方式中,收发模块包括发送模块和接收模块,分别用于实现上述第一方面及其任意可能的实现方式中的发送和接收功能。In a possible implementation, the transceiver module includes a sending module and a receiving module, respectively configured to implement the sending and receiving functions in the above-mentioned first aspect and any possible implementation thereof.
在一种可能的实现方式中,该处理模块,用于获取通信装置的私钥分片和终端的密钥信息;该处理模块,还用于根据该通信装置的私钥分片对该终端的密钥信息进行签名,得到该通信装置的签名分片,该通信装置的签名分片用于确定签名信息,该签名信息用于该终端与该通信装置之间进行认证。In a possible implementation, the processing module is used to obtain the private key fragments of the communication device and the key information of the terminal; the processing module is also used to obtain the private key fragments of the communication device and the terminal. The key information is signed to obtain signature fragments of the communication device. The signature fragments of the communication device are used to determine signature information. The signature information is used for authentication between the terminal and the communication device.
在一种可能的实现方式中,该处理模块,还用于获取N个签名分片,该N个签名分片对应Q个节点,该N个签名分片中的任意一个签名分片是用该签名分片对应的节点的私钥分片对该终端的密钥信息进行签名得到的,N和Q为自然数,Q小于或等于N;该通信装置的签名分片和该N个签名分片共同用于确定该签名信息。In a possible implementation, the processing module is also used to obtain N signature fragments, which correspond to Q nodes, and any signature fragment among the N signature fragments is generated using the The private key fragment of the node corresponding to the signature fragment is obtained by signing the key information of the terminal. N and Q are natural numbers, and Q is less than or equal to N; the signature fragment of the communication device and the N signature fragments are the same Used to determine the signature information.
在一种可能的实现方式中,该签名信息还用于该终端与该Q个节点之间进行认证。In a possible implementation, the signature information is also used for authentication between the terminal and the Q nodes.
在一种可能的实现方式中,该处理模块,具体用于通过该收发模块接收来自该Q个节点的该N个签名分片。In a possible implementation manner, the processing module is specifically configured to receive the N signature fragments from the Q nodes through the transceiver module.
在一种可能的实现方式中,该收发模块,还用于向M个节点发送第一信息,该第 一信息包括该终端的密钥信息,该M个节点包括该Q个节点,M为大于或等于Q的自然数。In a possible implementation, the transceiver module is also configured to send first information, where the first information includes the key information of the terminal, to M nodes, where the M nodes include the Q nodes, and M is greater than Or a natural number equal to Q.
在一种可能的实现方式中,该收发模块,还用于向该M个节点发送以下至少一种信息:该通信装置对该终端的签约信息的验证结果或该通信装置的签名分片。In a possible implementation, the transceiver module is also configured to send at least one of the following information to the M nodes: the communication device's verification result of the terminal's subscription information or the communication device's signature fragment.
在一种可能的实现方式中,该N个签名分片存储在区块链节点中。In a possible implementation, the N signature shards are stored in the blockchain node.
在一种可能的实现方式中,该收发模块,还用于向该区块链节点发送该终端的密钥信息和该通信装置的签名分片。In a possible implementation, the transceiver module is also used to send the key information of the terminal and the signature fragment of the communication device to the blockchain node.
在一种可能的实现方式中,该收发模块,还用于向该终端发送第三信息,该第三信息包括该签名信息。In a possible implementation manner, the transceiver module is also configured to send third information to the terminal, where the third information includes the signature information.
在一种可能的实现方式中,该收发模块,还用于向终端发送该签名信息对应的区块链交易的标识。In a possible implementation manner, the transceiver module is also used to send the identifier of the blockchain transaction corresponding to the signature information to the terminal.
在一种可能的实现方式中,该处理模块,还用于通过该收发模块接收来自第三方节点的该通信装置的私钥分片。In a possible implementation, the processing module is also configured to receive the private key fragment of the communication device from the third-party node through the transceiver module.
在一种可能的实现方式中,该收发模块,还用于接收来自该终端的第一请求,该第一请求包括该签名信息和第一随机数;该处理模块,还用于根据该第一请求与该终端进行认证。In a possible implementation, the transceiver module is also configured to receive a first request from the terminal, where the first request includes the signature information and a first random number; the processing module is also configured to receive a first request based on the first random number. Requests authentication with this terminal.
在一种可能的实现方式中,该通信装置包括在节点集合中,该处理模块,还用于获取该节点集合的公钥;该处理模块,具体用于通过该收发模块向该终端发送第一消息,该第一消息包括该通信装置的证书、第一认证信息和第二随机数,该第一认证信息是根据该通信装置的私钥和该第一随机数得到的;该处理模块,还具体用于通过该收发模块接收来自该终端的第二消息,该第二消息包括第二认证信息,该第二认证信息是根据该终端的私钥和该第二随机数得到的;该处理模块,还具体用于根据该节点集合的公钥和该签名信息,得到该终端的密钥信息;该处理模块,还具体用于根据该终端的密钥信息认证该第二认证信息。In a possible implementation, the communication device is included in a node set, and the processing module is also used to obtain the public key of the node set; the processing module is specifically used to send the first message to the terminal through the transceiver module. message, the first message includes the certificate of the communication device, first authentication information and a second random number, the first authentication information is obtained based on the private key of the communication device and the first random number; the processing module further Specifically used to receive a second message from the terminal through the transceiver module, the second message includes second authentication information, the second authentication information is obtained according to the private key of the terminal and the second random number; the processing module , is also specifically configured to obtain the key information of the terminal based on the public key of the node set and the signature information; the processing module is also specifically configured to authenticate the second authentication information based on the key information of the terminal.
在一种可能的实现方式中,该收发模块,还用于向区块链节点发送第三消息,该第三消息用于查询该签名信息;该收发模块,还用于接收来自该区块链节点的第四消息,该第四消息包括该签名信息。In a possible implementation, the transceiver module is also used to send a third message to the blockchain node, and the third message is used to query the signature information; the transceiver module is also used to receive data from the blockchain node. The fourth message of the node includes the signature information.
第四方面,提供了一种通信装置用于实现上述第二方面提供的方法。该通信装置可以为上述第二方面中的终端,或者包含上述第二节点的装置。该通信装置包括实现上述第二方面提供的方法相应的模块、单元、或手段(means),该模块、单元、或means可以通过硬件实现,软件实现,或者通过硬件执行相应的软件实现。该硬件或软件包括一个或多个与上述功能相对应的模块或单元。A fourth aspect provides a communication device for implementing the method provided in the second aspect. The communication device may be the terminal in the above second aspect, or a device including the above second node. The communication device includes modules, units, or means (means) corresponding to the method provided in the second aspect. The modules, units, or means can be implemented by hardware, software, or by hardware executing corresponding software. The hardware or software includes one or more modules or units corresponding to the above functions.
在一种可能的实现方式中,该通信装置可以包括收发模块。该收发模块,也可以称为收发单元,用以实现上述第二方面及其任意可能的实现方式中的发送和/或接收功能。该收发模块可以由收发电路,收发机,收发器或者通信接口构成。In a possible implementation, the communication device may include a transceiver module. The transceiver module, which may also be called a transceiver unit, is used to implement the sending and/or receiving functions in the above second aspect and any possible implementation thereof. The transceiver module can be composed of a transceiver circuit, a transceiver, a transceiver or a communication interface.
在一种可能的实现方式中,该通信装置还包括处理模块。该处理模块,可以用于实现上述第二方面及其任意可能的实现方式中的处理功能。该处理模块例如可以为处理器。In a possible implementation, the communication device further includes a processing module. This processing module can be used to implement the processing functions in the above second aspect and any possible implementation manner thereof. The processing module may be, for example, a processor.
在一种可能的实现方式中,收发模块包括发送模块和接收模块,分别用于实现上 述第二方面及其任意可能的实现方式中的发送和接收功能。In a possible implementation, the transceiver module includes a sending module and a receiving module, respectively used to implement the sending and receiving functions in the above second aspect and any possible implementation thereof.
在一种可能的实现方式中,该收发模块,用于向第一节点发送该通信装置的密钥信息;该收发模块,还用于接收来自该第一节点的第三信息,该第三信息包括签名信息,该签名信息用于该通信装置与该第一节点之间进行认证,该签名信息是根据N个签名分片和该第一节点的签名分片得到的,该第一节点的签名分片是用该第一节点的私钥分片对该通信装置的密钥信息进行签名得到的,该N个签名分片对应Q个节点,该N个签名分片中的任意一个签名分片是用该签名分片对应的节点的私钥分片对该通信装置的密钥信息进行签名得到的,N和Q为自然数,Q小于或等于N。In a possible implementation, the transceiver module is used to send the key information of the communication device to the first node; the transceiver module is also used to receive third information from the first node. The third information Including signature information, the signature information is used for authentication between the communication device and the first node. The signature information is obtained based on N signature fragments and the signature fragments of the first node. The signature of the first node The fragments are obtained by signing the key information of the communication device with the private key fragments of the first node. The N signature fragments correspond to Q nodes. Any one of the N signature fragments is signed. It is obtained by signing the key information of the communication device with the private key fragment of the node corresponding to the signature fragment. N and Q are natural numbers, and Q is less than or equal to N.
在一种可能的实现方式中,该收发模块,还用于接收来自第一节点的该签名信息对应的区块链交易的标识。In a possible implementation manner, the transceiver module is also configured to receive the identifier of the blockchain transaction corresponding to the signature information from the first node.
在一种可能的实现方式中,该第一节点和该Q个节点包括在节点集合中,该处理模块,用于根据预设策略确定该节点集合,该预设策略包括以下至少一项:该通信装置对应的用户的选择、该节点集合中节点的入网需求、该节点集合中节点所在网络的组网规模或该节点集合中节点所在网络的安全等级。In a possible implementation, the first node and the Q nodes are included in a node set, and the processing module is configured to determine the node set according to a preset strategy, where the preset strategy includes at least one of the following: the The selection of the user corresponding to the communication device, the network access requirements of the nodes in the node set, the network scale of the network where the nodes in the node set are located, or the security level of the network where the nodes in the node set are located.
在一种可能的实现方式中,该收发模块,还用于向该第一节点发送第一请求,该第一请求包括该签名信息和第一随机数;该处理模块,还用于根据该第一请求与该第一节点进行认证。In a possible implementation, the transceiver module is also configured to send a first request to the first node, where the first request includes the signature information and a first random number; the processing module is also configured to send a first request to the first node according to the first random number. A request is made for authentication with the first node.
在一种可能的实现方式中,该处理模块,具体用于通过该收发模块接收来自该第一节点的第一消息,该第一消息包括该第一节点的证书、第一认证信息和第二随机数,该第一认证信息是根据该第一节点的私钥和该第一随机数得到的;该处理模块,还具体用于通过该收发模块在该第一认证信息认证成功的情况下,向该第一节点发送第二消息,该第二消息包括第二认证信息,该第二认证信息是根据该通信装置的私钥和该第二随机数得到的。In a possible implementation, the processing module is specifically configured to receive a first message from the first node through the transceiver module. The first message includes the certificate of the first node, the first authentication information and the second Random number, the first authentication information is obtained based on the private key of the first node and the first random number; the processing module is also specifically configured to use the transceiver module when the first authentication information is authenticated successfully, A second message is sent to the first node, where the second message includes second authentication information, and the second authentication information is obtained according to the private key of the communication device and the second random number.
第五方面,提供了一种通信装置,包括:处理器;该处理器用于与存储器耦合,并读取存储器中的指令之后,根据该指令执行如上述任一方面所述的方法。该通信装置可以为上述第一方面中的第一节点,或者包含上述第一节点的装置;或者,该通信装置可以为上述第二方面中的终端,或者包含上述终端的装置。A fifth aspect provides a communication device, including: a processor; the processor is configured to be coupled to a memory, and after reading instructions in the memory, execute the method as described in any of the above aspects according to the instructions. The communication device may be the first node in the first aspect, or a device including the first node; or the communication device may be a terminal in the second aspect, or a device including the terminal.
结合上述第五方面,在一种可能的实现方式中,该通信装置还包括存储器,该存储器,用于保存必要的程序指令和数据。In conjunction with the above fifth aspect, in a possible implementation manner, the communication device further includes a memory, and the memory is used to store necessary program instructions and data.
结合上述第五方面,在一种可能的实现方式中,该通信装置为芯片或芯片系统。可选的,该通信装置是芯片系统时,可以由芯片构成,也可以包含芯片和其他分立器件。In conjunction with the fifth aspect, in a possible implementation, the communication device is a chip or a chip system. Optionally, when the communication device is a chip system, it may be composed of a chip, or may include a chip and other discrete devices.
第六方面,提供了一种通信装置,包括:处理器和接口电路;接口电路,用于接收计算机程序或指令并传输至处理器;处理器用于执行所述计算机程序或指令,以使该通信装置执执行如上述任一方面所述的方法。A sixth aspect provides a communication device, including: a processor and an interface circuit; the interface circuit is used to receive a computer program or instructions and transmit them to the processor; the processor is used to execute the computer program or instructions to enable the communication The device performs the method described in any of the above aspects.
结合上述第六方面,在一种可能的实现方式中,该通信装置为芯片或芯片系统。可选的,该通信装置是芯片系统时,可以由芯片构成,也可以包含芯片和其他分立器件。In conjunction with the above sixth aspect, in a possible implementation manner, the communication device is a chip or a chip system. Optionally, when the communication device is a chip system, it may be composed of a chip, or may include a chip and other discrete devices.
第七方面,提供了一种计算机可读存储介质,该计算机可读存储介质中存储有指 令,当其在计算机上运行时,使得计算机可以执行上述任一方面所述的方法。In a seventh aspect, a computer-readable storage medium is provided. Instructions are stored in the computer-readable storage medium, and when run on a computer, the computer can perform the method described in any of the above aspects.
第八方面,提供了一种包含指令的计算机程序产品,当其在计算机上运行时,使得计算机可以执行上述任一方面所述的方法。In an eighth aspect, a computer program product containing instructions is provided, which, when run on a computer, enables the computer to execute the method described in any of the above aspects.
其中,第三方面至第八方面中任一种可能的实现方式所带来的技术效果可参见上述第一方面至第二方面中任一方面或任一方面中不同可能的实现方式所带来的技术效果,此处不再赘述。Among them, the technical effects brought by any possible implementation method in the third aspect to the eighth aspect can be referred to the technical effects brought by any one of the above-mentioned first to second aspects or different possible implementation methods in any aspect. The technical effects will not be repeated here.
第九方面,提供了一种通信系统,该通信系统包括用于执行上述第一方面所述的方法的第一节点、以及用于执行上述第二方面所述的方法的终端。A ninth aspect provides a communication system, which includes a first node for performing the method described in the first aspect, and a terminal for performing the method described in the second aspect.
可以理解的是,在方案不矛盾的前提下,上述各个方面中的方案均可以结合。It is understandable that, on the premise that the solutions are not inconsistent, the solutions in each of the above aspects can be combined.
附图说明Description of drawings
图1为本申请实施例提供的通信系统架构示意图;Figure 1 is a schematic diagram of the communication system architecture provided by an embodiment of the present application;
图2为本申请实施例提供的通信装置的硬件结构示意图;Figure 2 is a schematic diagram of the hardware structure of a communication device provided by an embodiment of the present application;
图3为本申请实施例提供的获取签名信息的方法的流程示意图一;Figure 3 is a schematic flowchart 1 of a method for obtaining signature information provided by an embodiment of the present application;
图4为本申请实施例提供的认证方法的流程示意图;Figure 4 is a schematic flow chart of the authentication method provided by the embodiment of the present application;
图5为本申请实施例提供的获取签名信息的方法的流程示意图二;Figure 5 is a schematic flowchart 2 of a method for obtaining signature information provided by an embodiment of the present application;
图6为本申请实施例提供的通信装置的结构示意图一;Figure 6 is a schematic structural diagram of a communication device provided by an embodiment of the present application;
图7为本申请实施例提供的通信装置的结构示意图二。Figure 7 is a schematic second structural diagram of a communication device provided by an embodiment of the present application.
具体实施方式Detailed ways
在介绍本申请实施例之前,对本申请实施例涉及的相关技术术语进行解释说明。可以理解的是,这些解释说明是为了让本申请实施例更容易被理解,而不应该视为对本申请实施例所要求的保护范围的限定。Before introducing the embodiments of the present application, relevant technical terms involved in the embodiments of the present application will be explained. It can be understood that these explanations are intended to make the embodiments of the present application easier to understand and should not be regarded as limiting the scope of protection required by the embodiments of the present application.
一、区块链(block chain,BC)1. Blockchain (BC)
本申请实施例中,区块链是一种通过密码学机制保障的防篡改的技术。一般来说,区块链节点可以运行在物理节点上,或者,也可以运行在物理节点中的虚拟环境中,不予限制。In the embodiment of this application, the blockchain is a tamper-proof technology guaranteed by a cryptographic mechanism. Generally speaking, blockchain nodes can run on physical nodes, or they can also run in a virtual environment in physical nodes without restrictions.
一种可能的设计,区块链是一种账本技术。该账本是分布式的,可通过多个节点同步维护该账本。该多个节点在维护账本时,可采用密码学机制以防止账本被篡改。One possible design, blockchain is a ledger technology. The ledger is distributed and can be maintained simultaneously through multiple nodes. When maintaining the ledger, the multiple nodes can use cryptography mechanisms to prevent the ledger from being tampered with.
示例性的,区块链是一种按照时间顺序将数据区块以顺序相连的方式组合成的一种链式数据结构,并以密码学方式保证的不可篡改和不可伪造的分布式账本。一般来说,区块链系统具有多个区块链节点,而且由于在区块链当中,没有一个中心化的管理机构,因此,区块链节点对每一区块信息要达成一致共识,即每个区块链节点都存储有相同的区块链信息。依赖于区块链技术的特性,区块链可以作为统一的可信平台实现历史事件的追溯和/或自动化的网络管理。如:区块链可实现以下至少一项功能:日志的审计、自动化的结算或者安全的接入和验证等等。For example, a blockchain is a chained data structure that combines data blocks in a chronological manner and is cryptographically guaranteed to be an untamperable and unforgeable distributed ledger. Generally speaking, a blockchain system has multiple blockchain nodes, and since there is no centralized management organization in the blockchain, the blockchain nodes must reach a consensus on each block of information, that is, Each blockchain node stores the same blockchain information. Relying on the characteristics of blockchain technology, blockchain can serve as a unified trusted platform to realize the tracing of historical events and/or automated network management. For example: Blockchain can realize at least one of the following functions: log auditing, automated settlement, or secure access and verification, etc.
可以理解的,在本申请实施例中,区块链还可以有其他的命名方式,如分布式账本或账本等,不予限制。It can be understood that in the embodiment of this application, the blockchain can also have other naming methods, such as distributed ledger or ledger, etc., which are not limited.
二、门限签名2. Threshold signature
门限签名是一种多方签名的技术。例如,群体中包括n个参与者,门限签名的权 重为t,即(n,t)的门限签名方案,可指n个参与者中任意t个乃至更多的参与者可代表整个群体(即n个参与者),生成有效签名的方案。具体来说,n个参与者中的每个参与者可持有一个公钥分片和一个私钥分片。根据n个参与者持有的n个公钥分片,可得到该群体的公钥(该群体的公钥也可称为系统公钥)。根据n个参与者持有的n个私钥分片,可得到该群体的私钥(该群体的私钥也可称为系统私钥)。n个参与者中大于或等于t个参与者各自用自己持有的私钥分片对信息进行签名,可得到每个参与者的签名分片。根据门限签名算法对这些签名分片进行计算,可得到该群体的签名信息(该群体的签名信息也可称为系统签名信息)。该群体的签名信息可以用该群体的公钥来验证。Threshold signature is a multi-party signature technology. For example, the group includes n participants, and the weight of the threshold signature is t, that is, the threshold signature scheme of (n, t), which can mean that any t or more participants among the n participants can represent the entire group (i.e. n participants), a scheme that generates valid signatures. Specifically, each of n participants can hold one public key shard and one private key shard. According to the n public key shards held by n participants, the public key of the group can be obtained (the public key of the group can also be called the system public key). According to the n private key shards held by n participants, the private key of the group can be obtained (the private key of the group can also be called the system private key). Participants greater than or equal to t among n participants each sign the information with the private key fragments they hold, and the signature fragments of each participant can be obtained. By calculating these signature fragments according to the threshold signature algorithm, the signature information of the group can be obtained (the signature information of the group can also be called system signature information). The group's signature information can be verified using the group's public key.
在上一段中是以每个参与者持有一个公钥分片和一个私钥分片为例介绍门限签名的。但是,本申请实施例也可以不限制每个参与者持有的公钥分片的数量和/或私钥分片的数量。例如,在本申请实施例中,每个参与者可持有至少一个公钥分片和至少一个私钥分片。不同参与者持有的公钥分片的数量可以相同也可以不同。同样,不同参与者持有的私钥分片的数量可以相同也可以不同。In the previous paragraph, threshold signatures were introduced using the example of each participant holding one public key shard and one private key shard. However, the embodiments of this application may not limit the number of public key shards and/or the number of private key shards held by each participant. For example, in the embodiment of this application, each participant may hold at least one public key shard and at least one private key shard. The number of public key shards held by different participants can be the same or different. Likewise, the number of private key shards held by different participants can be the same or different.
一种可能的设计,群体包括n个参与者,每个参与者持有至少一个公钥分片和至少一个私钥分片,门限签名的权重为s的门限签名方案,可指n个参与者的多个私钥分片中,任意s个乃至更多的私钥分片可代表整个群体(即n个参与者),生成有效签名的方案。A possible design. The group includes n participants. Each participant holds at least one public key shard and at least one private key shard. The threshold signature scheme with a threshold signature weight of s can refer to n participants. Among the multiple private key shards, any s or more private key shards can represent the entire group (that is, n participants) and generate a valid signature scheme.
示例性的,以群体包括5个参与者,参与者1至参与者4各持有1个公钥分片和1个私钥分片,参与者5持有1个公钥分片和2个私钥分片为例,若权重为4,则根据参与者1的私钥分片、参与者2的私钥分片、参与者3的私钥分片和参与者4的私钥分片可得到群体的签名信息。或者,根据参与者1至参与者4中的任意两个私钥分片以及参与者5的两个私钥分片可得到群体的签名信息。For example, a group includes 5 participants, participants 1 to 4 each hold 1 public key shard and 1 private key shard, and participant 5 holds 1 public key shard and 2 Taking private key sharding as an example, if the weight is 4, then the private key sharding of participant 1, the private key sharding of participant 2, the private key sharding of participant 3 and the private key sharding of participant 4 can be Get the signature information of the group. Alternatively, the signature information of the group can be obtained based on any two private key fragments among participants 1 to 4 and the two private key fragments of participant 5.
在本申请实施例中,终端可获取群体的签名信息,群体中的参与者可获取群体的公钥。这样,终端和群体中的参与者可根据群体的签名信息和群体的公钥进行认证。In this embodiment of the present application, the terminal can obtain the signature information of the group, and the participants in the group can obtain the public key of the group. In this way, terminals and participants in the group can be authenticated based on the group's signature information and the group's public key.
下面结合附图对本申请实施例的实施方式进行详细描述。The implementation of the embodiments of the present application will be described in detail below with reference to the accompanying drawings.
本申请实施例提供的方法可用于各种能够支持门限签名技术的通信系统。下面以图1所示通信系统10为例,对本申请实施例提供的方法进行描述。图1仅为示意图,并不构成对本申请提供的技术方案的适用场景的限定。The method provided by the embodiments of this application can be used in various communication systems that can support threshold signature technology. The following uses the communication system 10 shown in Figure 1 as an example to describe the method provided by the embodiment of the present application. Figure 1 is only a schematic diagram and does not constitute a limitation on the applicable scenarios of the technical solution provided by this application.
如图1所示,为本申请实施例提供的通信系统10的架构示意图。图1中,通信系统10可以包括节点101以及可以与节点101进行通信的终端102。可选的,通信系统10还包括节点103,和/或,区块链节点104,和/或,节点105。As shown in Figure 1, it is a schematic architectural diagram of a communication system 10 provided by an embodiment of the present application. In FIG. 1 , the communication system 10 may include a node 101 and a terminal 102 that may communicate with the node 101 . Optionally, the communication system 10 also includes a node 103, and/or a blockchain node 104, and/or a node 105.
在图1中,节点101、节点103或节点105可为终端102提供服务。例如,节点101、节点103或节点105为网络中的节点,该网络为运营商的网络,节点101、节点103或节点105可为终端102提供接入服务。节点101、节点103或节点105对应的运营商可以相同也可以不同。应理解,节点101、节点103或节点105所属的网络还可以是其他类型的网络,如无线局域网、或垂直应用对应的网络(如物联网)等,不予限制。In Figure 1, node 101, node 103 or node 105 may provide services for terminal 102. For example, node 101, node 103 or node 105 is a node in a network, and the network is an operator's network. Node 101, node 103 or node 105 can provide access services for the terminal 102. The operators corresponding to node 101, node 103 or node 105 may be the same or different. It should be understood that the network to which node 101, node 103 or node 105 belongs can also be other types of networks, such as wireless local area networks, or networks corresponding to vertical applications (such as the Internet of Things), etc., without limitation.
在图1中,节点101、节点103或节点105可以是任意一种具有无线收发功能的 设备,例如,可以是任意一种接入网设备或者核心网设备。In Figure 1, node 101, node 103 or node 105 can be any device with wireless transceiver function, for example, it can be any access network device or core network device.
其中,接入网设备包括但不限于:长期演进(long term evolution,LTE)中的演进型基站(NodeB或eNB或e-NodeB,evolutional Node B),新无线(new radio,NR)中的基站(gNodeB或gNB)或收发点(transmission receiving point/transmission reception point,TRP),第三代合作伙伴项目(the 3rd generation partnership project,3GPP)后续演进的基站,Wi-Fi系统中的接入节点,无线中继节点,无线回传节点等。基站可以是:宏基站,微基站,微微基站,小站,中继站,或,气球站等。接入网设备还可以是云无线接入网络(cloud radio access network,CRAN)场景下的无线控制器。接入网设备还可以是集中单元(centralized unit,CU),和/或,分布单元(distributed unit,DU)。接入网设备还可以是服务器,可穿戴设备,机器通信设备、或车载设备等。Among them, access network equipment includes but is not limited to: evolutionary base stations (NodeB or eNB or e-NodeB, evolutionary Node B) in long term evolution (long term evolution, LTE), base stations in new radio (NR) (gNodeB or gNB) or transceiver point (transmission receiving point/transmission reception point, TRP), the subsequent evolved base station of the 3rd generation partnership project (3GPP), the access node in the Wi-Fi system, Wireless relay nodes, wireless backhaul nodes, etc. The base station can be: macro base station, micro base station, pico base station, small station, relay station, or balloon station, etc. The access network device can also be a wireless controller in a cloud radio access network (CRAN) scenario. The access network equipment may also be a centralized unit (CU) and/or a distributed unit (DU). The access network device can also be a server, wearable device, machine communication device, or vehicle-mounted device, etc.
核心网设备包括但不限于:接入和移动性管理功能(access and mobility management function,AMF)网元、会话管理功能(session management function,SMF)网元、用户面功能(user plane function,UPF)网元、统一数据管理(unified data management,UDM)网元、统一数据存储库(unified data repository,UDR)网元、网络开放功能(network exposure function,NEF)网元或策略控制功能(policy control function,PCF)网元等。Core network equipment includes but is not limited to: access and mobility management function (AMF) network elements, session management function (SMF) network elements, user plane function (UPF) Network element, unified data management (UDM) network element, unified data repository (UDR) network element, network exposure function (NEF) network element or policy control function , PCF) network elements, etc.
本申请实施例中的终端,例如,终端102可以是一种具有无线收发功能的设备。终端可以部署在陆地上,包括室内或室外、手持或车载;也可以部署在水面上(如轮船等);还可以部署在空中(例如飞机、气球和卫星上等)。终端还可以称为终端设备,终端设备可以是用户设备(user equipment,UE),其中,UE包括具有无线通信功能的手持式设备、车载设备、可穿戴设备或计算设备。示例性地,UE可以是手机(mobile phone)、平板电脑或带无线收发功能的电脑。终端设备还可以是虚拟现实(virtual reality,VR)终端设备、增强现实(augmented reality,AR)终端设备、工业控制中的无线终端、无人驾驶中的无线终端、远程医疗中的无线终端、智能电网中的无线终端、智慧城市(smart city)中的无线终端、或智慧家庭(smart home)中的无线终端等等。The terminal in the embodiment of the present application, for example, the terminal 102 may be a device with a wireless transceiver function. Terminals can be deployed on land, including indoors or outdoors, handheld or vehicle-mounted; they can also be deployed on water (such as ships, etc.); they can also be deployed in the air (such as aircraft, balloons, satellites, etc.). The terminal may also be called a terminal device, and the terminal device may be a user equipment (UE), where the UE includes a handheld device, a vehicle-mounted device, a wearable device or a computing device with wireless communication functions. For example, the UE may be a mobile phone, a tablet computer, or a computer with wireless transceiver functions. The terminal device can also be a virtual reality (VR) terminal device, an augmented reality (AR) terminal device, a wireless terminal in industrial control, a wireless terminal in driverless driving, a wireless terminal in telemedicine, or a smart terminal. Wireless terminals in the power grid, wireless terminals in smart cities, or wireless terminals in smart homes, etc.
作为示例而非限定,在本申请中,终端可以是可穿戴设备。可穿戴设备也可以称为穿戴式智能设备,是应用穿戴式技术对日常穿戴进行智能化设计、开发出可以穿戴的设备的总称,如眼镜、手套、手表、服饰及鞋等。可穿戴设备即直接穿在身上,或是整合到用户的衣服或配件的一种便携式设备。例如,可穿戴设备不仅仅是一种硬件设备,更是通过软件支持以及数据交互、云端交互来实现强大的功能的设备。广义穿戴式智能设备包括功能全、尺寸大、可不依赖智能手机实现完整或者部分的功能的设备,例如:智能手表或智能眼镜等,以及包括只专注于某一类应用功能,需要和其它设备如智能手机配合使用的设备,如各类进行体征监测的智能手环、智能首饰等。As an example and not a limitation, in this application, the terminal may be a wearable device. Wearable devices can also be called wearable smart devices. It is a general term for applying wearable technology to intelligently design daily wear and develop wearable devices, such as glasses, gloves, watches, clothing and shoes, etc. A wearable device is a portable device that is worn directly on the body or integrated into the user's clothing or accessories. For example, a wearable device is not only a hardware device, but also a device that achieves powerful functions through software support, data interaction, and cloud interaction. Broadly defined wearable smart devices include devices that are full-featured, large in size, and can achieve complete or partial functions without relying on smartphones, such as smart watches or smart glasses, as well as devices that only focus on a certain type of application function and need to be integrated with other devices such as Devices used with smartphones, such as various smart bracelets, smart jewelry, etc. for monitoring physical signs.
在本申请中,终端可以是物联网(internet of things,IoT)系统中的终端,IoT是未来信息技术发展的重要组成部分,其主要技术特点是将物品通过通信技术与网络连接,从而实现人机互连,物物互连的智能化网络。本申请中的终端可以是机器类型通信(machine type communication,MTC)中的终端。本申请的终端可以是作为一个或多个部件或者单元而内置于车辆的车载模块、车载模组、车载部件、车载芯片或者车 载单元,车辆通过内置的所述车载模块、车载模组、车载部件、车载芯片或者车载单元可以实施本申请的方法。In this application, the terminal can be a terminal in the Internet of things (IoT) system. IoT is an important part of the future development of information technology. Its main technical feature is to connect objects to the network through communication technology, thereby realizing the realization of human An intelligent network that interconnects machines and things. The terminal in this application may be a terminal in machine type communication (MTC). The terminal of this application may be a vehicle-mounted module, vehicle-mounted module, vehicle-mounted component, vehicle-mounted chip or vehicle-mounted unit built into the vehicle as one or more components or units. The vehicle uses the built-in vehicle-mounted module, vehicle-mounted module, vehicle-mounted component , vehicle-mounted chip or vehicle-mounted unit can implement the method of this application.
在图1中,区块链节点104可以是能够应用区块链技术的节点。例如,区块链节点104能够通过密码学机制保障该节点中的信息不被篡改。作为一种示例,区块链节点104为核心网中的区块链网元,或者区块链节点104为可与核心网中的账本锚点功能(ledger anchor function,LAF)网元通信的节点。In Figure 1, the blockchain node 104 may be a node capable of applying blockchain technology. For example, the blockchain node 104 can protect the information in the node from being tampered with through a cryptographic mechanism. As an example, the blockchain node 104 is a blockchain network element in the core network, or the blockchain node 104 is a node that can communicate with a ledger anchor function (LAF) network element in the core network. .
图1所示的通信系统10仅用于举例,并非用于限制本申请的技术方案。本领域的技术人员应当明白,在具体实现过程中,通信系统10还可以包括其他设备,同时也可根据具体需要来确定节点、终端或区块链节点的数量,不予限制。The communication system 10 shown in FIG. 1 is only used as an example and is not used to limit the technical solution of the present application. Those skilled in the art should understand that during specific implementation, the communication system 10 may also include other devices, and the number of nodes, terminals or blockchain nodes may also be determined according to specific needs without limitation.
可选的,本申请实施例图1中的各网元或设备(例如节点101、节点103、节点105、终端102或区块链节点104等)也可以称之为通信装置,其可以是一个通用设备或者是一个专用设备,本申请实施例对此不作具体限定。Optionally, each network element or device (such as node 101, node 103, node 105, terminal 102 or blockchain node 104, etc.) in Figure 1 of the embodiment of this application can also be called a communication device, which can be a It may be a general-purpose device or a special-purpose device, which is not specifically limited in the embodiments of this application.
可选的,本申请实施例图1中的各网元或设备(例如节点101、节点103、节点105、终端102或区块链节点104等)的相关功能可以由一个设备实现,也可以由多个设备共同实现,还可以是由一个设备内的一个或多个功能模块实现,本申请实施例对此不作具体限定。可以理解的是,上述功能既可以是硬件设备中的网络元件,也可以是在专用硬件上运行的软件功能,或者硬件与软件的结合,或者平台(例如,云平台)上实例化的虚拟化功能。Optionally, the relevant functions of each network element or device (such as node 101, node 103, node 105, terminal 102 or blockchain node 104, etc.) in Figure 1 of the embodiment of this application can be implemented by one device, or can be implemented by It can be jointly implemented by multiple devices, or it can also be implemented by one or more functional modules in one device, which is not specifically limited in the embodiments of the present application. It can be understood that the above functions can be either network elements in hardware devices, software functions running on dedicated hardware, or a combination of hardware and software, or virtualization instantiated on a platform (for example, a cloud platform) Function.
在具体实现时,本申请实施例图1中的各网元或设备(例如节点101、节点103、节点105、终端102或区块链节点104等)都可以采用图2所示的组成结构,或者包括图2所示的部件。图2所示为可适用于本申请实施例的通信装置的硬件结构示意图。该通信装置20包括至少一个处理器201和至少一个通信接口204,用于实现本申请实施例提供的方法。该通信装置20还可以包括通信线路202和存储器203。During specific implementation, each network element or device (such as node 101, node 103, node 105, terminal 102 or blockchain node 104, etc.) in Figure 1 of the embodiment of this application can adopt the composition structure shown in Figure 2. Or include the components shown in Figure 2. FIG. 2 shows a schematic diagram of the hardware structure of a communication device applicable to embodiments of the present application. The communication device 20 includes at least one processor 201 and at least one communication interface 204, which are used to implement the method provided by the embodiment of the present application. The communication device 20 may also include a communication line 202 and a memory 203 .
处理器201可以是一个通用中央处理器(central processing unit,CPU),微处理器,特定应用集成电路(application-specific integrated circuit,ASIC),或一个或多个用于控制本申请方案程序执行的集成电路。The processor 201 can be a general central processing unit (CPU), a microprocessor, an application-specific integrated circuit (ASIC), or one or more processors used to control the execution of the program of the present application. integrated circuit.
通信线路202可包括一通路,在上述组件之间传送信息,例如总线。Communication line 202 may include a path, such as a bus, that carries information between the above-mentioned components.
通信接口204,用于与其他设备或通信网络通信。通信接口204可以是任何收发器一类的装置,如可以是以太网接口、无线接入网(radio access network,RAN)接口、无线局域网(wireless local area networks,WLAN)接口、收发器、管脚、总线、或收发电路等。 Communication interface 204 is used to communicate with other devices or communication networks. The communication interface 204 can be any device such as a transceiver, such as an Ethernet interface, a radio access network (RAN) interface, a wireless local area networks (WLAN) interface, a transceiver, and pins , bus, or transceiver circuit, etc.
存储器203可以是只读存储器(read-only memory,ROM)或可存储静态信息和指令的其他类型的静态存储设备,随机存取存储器(random access memory,RAM)或者可存储信息和指令的其他类型的动态存储设备,也可以是电可擦可编程只读存储器(electrically erasable programmable read-only memory,EEPROM)、只读光盘(compact disc read-only memory,CD-ROM)或其他光盘存储、光碟存储(包括压缩光碟、激光碟、光碟、数字通用光碟、蓝光光碟等)、磁盘存储介质或者其他磁存储设备、或者能够用于携带或存储具有指令或数据结构形式的期望的程序代码并能够由计算机存取的任何其他介质,但不限于此。存储器可以是独立存在,通过通信线路202与处理器 201相耦合。存储器203也可以和处理器201集成在一起。本申请实施例提供的存储器通常可以具有非易失性。The memory 203 may be a read-only memory (ROM) or other type of static storage device that can store static information and instructions, a random access memory (random access memory (RAM)) or other type that can store information and instructions. A dynamic storage device can also be an electrically erasable programmable read-only memory (EEPROM), a compact disc read-only memory (CD-ROM) or other optical disk storage, optical disc storage (including compressed optical discs, laser discs, optical discs, digital versatile discs, Blu-ray discs, etc.), disk storage media or other magnetic storage devices, or can be used to carry or store desired program code in the form of instructions or data structures and can be used by a computer Any other medium for access, but not limited to this. The memory may exist independently and be coupled to the processor 201 through a communication line 202. The memory 203 may also be integrated with the processor 201. The memory provided by the embodiment of the present application may generally be non-volatile.
其中,存储器203用于存储执行本申请实施例提供的方案所涉及的计算机执行指令,并由处理器201来控制执行。处理器201用于执行存储器203中存储的计算机执行指令,从而实现本申请实施例提供的方法。或者,可选的,本申请实施例中,也可以是处理器201执行本申请下述实施例提供的方法中的处理相关的功能,通信接口204负责与其他设备或通信网络通信,本申请实施例对此不作具体限定。Among them, the memory 203 is used to store computer execution instructions involved in executing the solutions provided by the embodiments of the present application, and the processor 201 controls the execution. The processor 201 is used to execute computer execution instructions stored in the memory 203, thereby implementing the method provided by the embodiment of the present application. Or, optionally, in this embodiment of the present application, the processor 201 may also perform processing-related functions in the methods provided in the following embodiments of the present application, and the communication interface 204 is responsible for communicating with other devices or communication networks. This application implements The example does not specifically limit this.
可选的,本申请实施例中的计算机执行指令也可以称之为应用程序代码,本申请实施例对此不作具体限定。Optionally, the computer-executed instructions in the embodiments of the present application may also be called application codes, which are not specifically limited in the embodiments of the present application.
本申请实施例中的耦合是装置、单元或模块之间的间接耦合或通信连接,可以是电性,机械或其它的形式,用于装置、单元或模块之间的信息交互。The coupling in the embodiment of this application is an indirect coupling or communication connection between devices, units or modules, which may be in electrical, mechanical or other forms, and is used for information interaction between devices, units or modules.
作为一种实施例,处理器201可以包括一个或多个CPU,例如图2中的CPU0和CPU1。As an embodiment, the processor 201 may include one or more CPUs, such as CPU0 and CPU1 in FIG. 2 .
作为一种实施例,通信装置20可以包括多个处理器,例如图2中的处理器201和处理器207。这些处理器中的每一个可以是一个单核(single-CPU)处理器,也可以是一个多核(multi-CPU)处理器。这里的处理器可以指一个或多个设备、电路、和/或用于处理数据(例如计算机程序指令)的处理核。As an embodiment, the communication device 20 may include multiple processors, such as the processor 201 and the processor 207 in FIG. 2 . Each of these processors may be a single-CPU processor or a multi-CPU processor. A processor here may refer to one or more devices, circuits, and/or processing cores for processing data (eg, computer program instructions).
作为一种实施例,通信装置20还可以包括输出设备205和/或输入设备206。输出设备205和处理器201耦合,可以以多种方式来显示信息。例如,输出设备205可以是液晶显示器(liquid crystal display,LCD),发光二极管(light emitting diode,LED)显示设备,阴极射线管(cathode ray tube,CRT)显示设备,或投影仪(projector)等。输入设备206和处理器201耦合,可以以多种方式接收用户的输入。例如,输入设备206可以是鼠标、键盘、触摸屏设备或传感设备等。As an embodiment, the communication device 20 may also include an output device 205 and/or an input device 206. Output device 205 is coupled to processor 201 and can display information in a variety of ways. For example, the output device 205 may be a liquid crystal display (LCD), a light emitting diode (LED) display device, a cathode ray tube (CRT) display device, or a projector (projector), etc. The input device 206 is coupled to the processor 201 and can receive user input in a variety of ways. For example, the input device 206 may be a mouse, a keyboard, a touch screen device, a sensing device, or the like.
可以理解的,图2中示出的组成结构并不构成对该通信装置的限定,除图2所示部件之外,该通信装置可以包括比图示更多或更少的部件,或者组合某些部件,或者不同的部件布置。It can be understood that the composition structure shown in Figure 2 does not constitute a limitation on the communication device. In addition to the components shown in Figure 2, the communication device may include more or fewer components than shown in the figure, or a combination of certain components. components, or different component arrangements.
下面将结合附图,对本申请实施例提供的方法进行描述。下述实施例中的各网元可以具备图2所示部件,不予赘述。The method provided by the embodiment of the present application will be described below with reference to the accompanying drawings. Each network element in the following embodiments may be equipped with the components shown in Figure 2, which will not be described again.
可以理解的是,本申请下述实施例中各个网元之间的消息名字或消息中各参数的名字等只是一个示例,具体实现中也可以是其他的名字,本申请实施例对此不作具体限定。It can be understood that in the following embodiments of the present application, the names of messages between network elements or the names of parameters in the messages are just examples, and other names may also be used in specific implementations. This is not specified in the embodiments of the present application. limited.
可以理解的是,在本申请实施例中,“/”可以表示前后关联的对象是一种“或”的关系,例如,A/B可以表示A或B;“和/或”可以用于描述关联对象存在三种关系,例如,A和/或B,可以表示:单独存在A,同时存在A和B,单独存在B这三种情况,其中A,B可以是单数或者复数。此外,类似于“A、B和C中的至少一项”或“A、B或C中的至少一项”的表述通常用于表示如下中任一项:单独存在A;单独存在B;单独存在C;同时存在A和B;同时存在A和C;同时存在B和C;同时存在A、B和C。以上是以A、B和C共三个元素进行举例来说明该项目的可选用条目,当表述中具有更多元素时,该表述的含义可以按照前述规则获得。It can be understood that in the embodiment of the present application, "/" may indicate that the related objects are in an "or" relationship. For example, A/B may indicate A or B; "and/or" may be used to describe There are three relationships between associated objects. For example, A and/or B can represent three situations: A exists alone, A and B exist simultaneously, and B exists alone. A and B can be singular or plural. In addition, expressions similar to "at least one of A, B and C" or "at least one of A, B or C" are often used to mean any of the following: A alone; B alone; alone C exists; A and B exist simultaneously; A and C exist simultaneously; B and C exist simultaneously; A, B, and C exist simultaneously. The above is an example of three elements A, B and C to illustrate the optional items of this project. When there are more elements in the expression, the meaning of the expression can be obtained according to the aforementioned rules.
为了便于描述本申请实施例的技术方案,在本申请实施例中,可以采用“第一”、“第二”等字样对功能相同或相似的技术特征进行区分。该“第一”、“第二”等字样并不对数量和执行次序进行限定,并且“第一”、“第二”等字样也并不限定一定不同。在本申请实施例中,“示例性的”或者“例如”等词用于表示例子、例证或说明,被描述为“示例性的”或者“例如”的任何实施例或设计方案不应被解释为比其它实施例或设计方案更优选或更具优势。使用“示例性的”或者“例如”等词旨在以具体方式呈现相关概念,便于理解。In order to facilitate the description of the technical solutions of the embodiments of the present application, in the embodiments of the present application, words such as "first" and "second" may be used to distinguish technical features with the same or similar functions. The words "first", "second" and other words do not limit the quantity and execution order, and the words "first" and "second" do not limit the number and execution order. In the embodiments of this application, words such as "exemplary" or "for example" are used to express examples, illustrations or illustrations, and any embodiment or design solution described as "exemplary" or "for example" shall not be interpreted. To be more preferred or advantageous than other embodiments or designs. The use of words such as "exemplary" or "such as" is intended to present related concepts in a concrete manner that is easier to understand.
可以理解,说明书通篇中提到的“实施例”意味着与实施例有关的特定特征、结构或特性包括在本申请的至少一个实施例中。因此,在整个说明书各个实施例未必一定指相同的实施例。此外,这些特定的特征、结构或特性可以任意适合的方式结合在一个或多个实施例中。可以理解,在本申请的各种实施例中,各过程的序号的大小并不意味着执行顺序的先后,各过程的执行顺序应以其功能和内在逻辑确定,而不应对本申请实施例的实施过程构成任何限定。It will be understood that reference throughout this specification to "an embodiment" means that a particular feature, structure, or characteristic associated with the embodiment is included in at least one embodiment of the present application. Therefore, various embodiments are not necessarily referred to the same embodiment throughout this specification. Furthermore, the particular features, structures or characteristics may be combined in any suitable manner in one or more embodiments. It can be understood that in the various embodiments of the present application, the size of the sequence numbers of each process does not mean the order of execution. The execution order of each process should be determined by its functions and internal logic, and should not be determined by the execution order of the embodiments of the present application. The implementation process constitutes no limitation.
可以理解,在本申请中,“当…时”和“若”均指在某种客观情况下会做出相应的处理,并非是限定时间,且也不要求实现时一定要有判断的动作,也不意味着存在其它限定。It can be understood that in this application, "when..." and "if" both refer to the corresponding processing under certain objective circumstances. They do not limit the time, and do not require that there must be a judgment action when implementing it. Nor does it imply the existence of other limitations.
本申请中的“同时”可以理解为在相同的时间点,也可以理解为在一段时间段内,还可以理解为在同一个周期内。“At the same time” in this application can be understood as at the same point in time, within a period of time, or within the same cycle.
可以理解,本申请实施例中的一些可选的特征,在某些场景下,可以不依赖于其他特征,比如其当前所基于的方案,而独立实施,解决相应的技术问题,达到相应的效果,也可以在某些场景下,依据需求与其他特征进行结合。相应的,本申请实施例中给出的装置也可以相应的实现这些特征或功能,在此不予赘述。It can be understood that some optional features in the embodiments of the present application, in certain scenarios, can be implemented independently without relying on other features, such as the solutions they are currently based on, to solve corresponding technical problems and achieve corresponding effects. , and can also be combined with other features according to needs in certain scenarios. Correspondingly, the devices provided in the embodiments of the present application can also implement these features or functions, which will not be described again here.
可以理解的,本申请实施例中同一个步骤或者具有相同功能的步骤或者技术特征在不同实施例之间可以互相参考借鉴。It can be understood that the same step or steps with the same function or technical features in the embodiments of the present application can be used as reference between different embodiments.
可以理解的,本申请实施例中,第一节点和/或终端和/或节点101和/或节点103和/或节点105和/或终端102可以执行本申请实施例中的部分或全部步骤,这些步骤仅是示例,本申请实施例还可以执行其它步骤或者各种步骤的变形。此外,各个步骤可以按照本申请实施例呈现的不同的顺序来执行,并且有可能并非要执行本申请实施例中的全部步骤。It can be understood that in the embodiment of the present application, the first node and/or terminal and/or node 101 and/or node 103 and/or node 105 and/or terminal 102 can perform some or all of the steps in the embodiment of the present application, These steps are only examples, and the embodiments of the present application may also perform other steps or variations of various steps. In addition, various steps may be performed in a different order than those presented in the embodiments of the present application, and it may not be necessary to perform all the steps in the embodiments of the present application.
如图3所示,为本申请实施例提供的一种获取签名信息的方法,该方法可以包括如下步骤:As shown in Figure 3, an embodiment of the present application provides a method for obtaining signature information. The method may include the following steps:
S301:第一节点获取第一节点的私钥分片和终端的密钥信息。S301: The first node obtains the private key fragment of the first node and the key information of the terminal.
其中,第一节点可以是图1所示通信系统10中的节点101,终端可以是图1所示通信系统10中的终端102。The first node may be the node 101 in the communication system 10 shown in FIG. 1 , and the terminal may be the terminal 102 in the communication system 10 shown in FIG. 1 .
一种可能的设计,终端的密钥信息包括可用于与其他节点或设备进行认证的信息,如:终端的公钥。可选的,终端的密钥信息还包括终端的私钥。In one possible design, the terminal's key information includes information that can be used for authentication with other nodes or devices, such as the terminal's public key. Optionally, the terminal's key information also includes the terminal's private key.
一种可能的实现方式,第一节点自己生成第一节点的私钥分片;或者,第一节点中预存储了第一节点的私钥分片,第一节点从本地获取第一节点的私钥分片;或者,第一节点接收来自第三方节点的第一节点的私钥分片。One possible implementation method is that the first node generates the first node's private key fragments by itself; or the first node pre-stores the first node's private key fragments, and the first node obtains the first node's private key fragments locally. key shard; alternatively, the first node receives the first node's private key shard from the third party node.
其中,第三方节点为可信节点,可为不同的节点生成该节点的私钥分片。例如,第三方节点可为节点集合中的节点生成该节点的私钥分片。节点集合可包括至少两个节点。至少两个节点包括第一节点。节点集合也可称为节点联盟或节点群组等,不予限制。Among them, the third-party node is a trusted node and can generate the private key shards of the node for different nodes. For example, a third-party node can generate a private key shard for a node in a node collection. A node set may include at least two nodes. At least two nodes include the first node. A node set may also be called a node alliance or a node group, etc., without limitation.
一种可能的实现方式,第一节点接收来自终端的终端的密钥信息;或者,第一节点接收来自节点集合中除第一节点之外的其他节点(以下简称其他节点)的终端的密钥信息;或者,第一节点从区块链上获取终端的密钥信息。In one possible implementation, the first node receives the key information of the terminal from the terminal; or, the first node receives the key of the terminal from other nodes in the node set except the first node (hereinafter referred to as other nodes). information; or, the first node obtains the terminal’s key information from the blockchain.
S302:第一节点根据第一节点的私钥分片对终端的密钥信息进行签名,得到第一节点的签名分片。S302: The first node signs the key information of the terminal according to the private key fragment of the first node to obtain the signature fragment of the first node.
一种可能的实现方式,第一节点用第一节点的私钥分片对终端的密钥信息进行签名,得到第一节点的签名分片。In one possible implementation, the first node uses the first node's private key fragment to sign the terminal's key information to obtain the first node's signature fragment.
其中,第一节点的签名分片可以用于确定节点集合的签名信息(以下简称签名信息)。该签名信息可以用于终端与第一节点之间进行认证。例如,第一节点的签名分片用于和其他节点的签名分片共同确定签名信息。该签名信息还可以用于终端和其他节点之间的认证。可以理解的,持有节点集合的公钥的节点可以与终端基于签名信息进行认证。Among them, the signature fragment of the first node can be used to determine the signature information of the node set (hereinafter referred to as signature information). The signature information can be used for authentication between the terminal and the first node. For example, the signature fragment of the first node is used to determine the signature information together with the signature fragments of other nodes. This signature information can also be used for authentication between the terminal and other nodes. It can be understood that the node holding the public key of the node set can authenticate with the terminal based on the signature information.
其中,上述S301-S302中的第一节点的动作可以由图2所示的通信装置20中的处理器201调用存储器203中存储的应用程序代码来执行,本申请实施例对此不做任何限制。The actions of the first node in the above-mentioned S301-S302 can be executed by the processor 201 in the communication device 20 shown in FIG. 2 by calling the application code stored in the memory 203. This embodiment of the present application does not impose any restrictions on this. .
基于图3所示的方法,第一节点可获取第一节点的私钥分片和终端的密钥信息,并根据第一节点的私钥分片对终端的密钥信息进行签名,得到第一节点的签名分片。由于第一节点的签名分片能够确定用于终端与第一节点之间进行认证的签名信息,所以终端和第一节点之间可根据签名信息进行认证,而不需要使用SIM卡中的密钥进行认证,实现了SIM卡与网络解绑,用户若想切换网络,不需要更换SIM卡,使得终端能够灵活入网,提高了用户体验。Based on the method shown in Figure 3, the first node can obtain the private key fragment of the first node and the key information of the terminal, and sign the key information of the terminal according to the private key fragment of the first node to obtain the first The node’s signature shard. Since the signature fragment of the first node can determine the signature information used for authentication between the terminal and the first node, the terminal and the first node can be authenticated based on the signature information without using the key in the SIM card. Through authentication, the SIM card is unbound from the network. If the user wants to switch networks, there is no need to change the SIM card, allowing the terminal to flexibly access the network and improving the user experience.
可选的,在图3所示方法的一种可能的实施场景中,第一节点获取N个签名分片。第一节点的签名分片和该N个签名分片共同用于确定该签名信息。Optionally, in a possible implementation scenario of the method shown in Figure 3, the first node obtains N signature fragments. The signature fragment of the first node and the N signature fragments are jointly used to determine the signature information.
其中,N个签名分片对应Q个节点,该N个签名分片中的任意一个签名分片是用该签名分片对应的节点的私钥分片对终端的密钥信息进行签名得到的。N和Q为自然数,Q小于或等于N。Q个节点包括在节点集合中。也就是说,节点集合中的节点可采用门限签名的方式对终端的密钥信息进行签名,以得到签名信息。该签名信息可以用节点集合的公钥进行验证。因此,若节点集合中的节点持有节点集合的公钥,就可以对终端进行认证。也就是说,签名信息还用于终端与Q个节点之间进行认证。Among them, N signature fragments correspond to Q nodes, and any signature fragment among the N signature fragments is obtained by signing the terminal's key information with the private key fragment of the node corresponding to the signature fragment. N and Q are natural numbers, and Q is less than or equal to N. Q nodes are included in the node set. That is to say, the nodes in the node set can use threshold signature to sign the key information of the terminal to obtain the signature information. This signature information can be verified using the public key of the node collection. Therefore, if a node in the node set holds the public key of the node set, the terminal can be authenticated. In other words, the signature information is also used for authentication between the terminal and Q nodes.
可以理解的,门限签名的权重小于或等于N+1。It can be understood that the weight of the threshold signature is less than or equal to N+1.
可选的,第一节点直接从Q个节点获取N个签名分片;或者,第一节点通过区块链获取N个签名分片。例如,第一节点接收来自Q个节点的N个签名分片。又例如,N个签名分片存储在区块链节点中,第一节点从区块链节点中获取。该区块链节点可以是图1所示的通信系统10中的区块链节点104。Optionally, the first node obtains N signature shards directly from Q nodes; or, the first node obtains N signature shards through the blockchain. For example, the first node receives N signed shards from Q nodes. For another example, N signature shards are stored in the blockchain node, and the first node obtains them from the blockchain node. The blockchain node may be the blockchain node 104 in the communication system 10 shown in FIG. 1 .
作为一种示例,若Q个节点分别为节点1、节点2和节点3,其中,节点1和节 点2有一个私钥分片,节点3有两个私钥分片,则节点1用自己的私钥分片对终端的密钥信息进行签名,得到节点1的签名分片,并向第一节点发送节点1的签名分片。节点2用自己的私钥分片对终端的密钥信息进行签名,得到节点2的签名分片,并向第一节点发送节点2的签名分片。节点3用自己的两个私钥分片分别对终端的密钥信息进行签名,得到节点3的签名分片1和节点3的签名分片2,并向第一节点发送签名分片1和签名分片2。第一节点接收到上述签名分片后,根据门限签名算法对第一节点的签名分片、节点1的签名分片、节点2签名分片、签名分片1和签名分片2进行计算,得到签名信息。As an example, if Q nodes are node 1, node 2 and node 3 respectively, node 1 and node 2 have one private key shard, and node 3 has two private key shards, then node 1 uses its own The private key fragment signs the key information of the terminal, obtains the signature fragment of node 1, and sends the signature fragment of node 1 to the first node. Node 2 uses its own private key fragment to sign the terminal's key information, obtains the signature fragment of node 2, and sends the signature fragment of node 2 to the first node. Node 3 uses its two private key fragments to sign the key information of the terminal respectively, obtains signature fragment 1 of node 3 and signature fragment 2 of node 3, and sends signature fragment 1 and signature to the first node Shard 2. After receiving the above signature fragment, the first node calculates the signature fragment of the first node, the signature fragment of node 1, the signature fragment of node 2, the signature fragment 1 and the signature fragment 2 according to the threshold signature algorithm, and obtains Signature information.
作为另一种示例,若Q个节点分别为节点1、节点2和节点3,其中,节点1和节点2有一个私钥分片,节点3有两个私钥分片,第一节点、节点1、节点2和节点3都为区块链中的节点,则节点1用自己的私钥分片对终端的密钥信息进行签名,得到节点1的签名分片,用第一节点在链上的公钥对节点1的签名分片进行加密,并将加密后的信息发布在链上。节点2用自己的私钥分片对终端的密钥信息进行签名,得到节点2的签名分片,用第一节点在链上的公钥对节点2的签名分片进行加密,并将加密后的信息发布在链上。节点3用自己的两个私钥分片分别对终端的密钥信息进行签名,得到节点3的签名分片1和节点3的签名分片2,用第一节点在链上的公钥对签名分片1和签名分片2进行加密,并将加密后的信息发布在链上。第一节点接收到上述加密信息后,用自己在链上的私钥解密这些信息,可得到节点1的签名分片、节点2签名分片、签名分片1和签名分片2,再用门限签名算法对第一节点的签名分片、节点1的签名分片、节点2签名分片、签名分片1和签名分片2进行计算,得到签名信息。As another example, if Q nodes are node 1, node 2 and node 3 respectively, node 1 and node 2 have one private key fragment, node 3 has two private key fragments, the first node, node 1. Node 2 and node 3 are both nodes in the blockchain. Then node 1 uses its own private key fragment to sign the key information of the terminal to obtain the signature fragment of node 1. Use the first node on the chain to The public key of node 1 encrypts the signature fragment and publishes the encrypted information on the chain. Node 2 uses its own private key fragment to sign the key information of the terminal, and obtains the signature fragment of node 2. It uses the public key of the first node on the chain to encrypt the signature fragment of node 2, and then encrypts the signature fragment. The information is published on the chain. Node 3 uses its own two private key fragments to sign the key information of the terminal respectively, and obtains the signature fragment 1 of node 3 and the signature fragment 2 of node 3, and signs the pair with the public key of the first node on the chain. Shard 1 and signature shard 2 are encrypted and the encrypted information is published on the chain. After receiving the above encrypted information, the first node decrypts the information with its own private key on the chain. It can obtain the signature fragment of node 1, the signature fragment of node 2, the signature fragment 1 and the signature fragment 2, and then use the threshold The signature algorithm calculates the signature fragment of the first node, the signature fragment of node 1, the signature fragment of node 2, the signature fragment 1 and the signature fragment 2 to obtain the signature information.
作为另一种示例,若Q个节点分别为节点1、节点2和节点3,其中,节点1和节点2有一个私钥分片,节点3有两个私钥分片,节点1、节点2和节点3都为区块链中的节点,第一节点可以是区块链节点也可以不是区块链节点,则节点1用自己的私钥分片对终端的密钥信息进行签名,得到节点1的签名分片,用区块链节点在链上的公钥对节点1的签名分片进行加密,并将加密后的信息发布在链上。节点2用自己的私钥分片对终端的密钥信息进行签名,得到节点2的签名分片,用区块链节点在链上的公钥对节点2的签名分片进行加密,并将加密后的信息发布在链上。节点3用自己的两个私钥分片分别对终端的密钥信息进行签名,得到节点3的签名分片1和节点3的签名分片2,用区块链节点在链上的公钥对签名分片1和签名分片2进行加密,并将加密后的信息发布在链上。区块链节点接收到上述加密信息后,用自己在链上的私钥解密这些信息,可得到节点1的签名分片、节点2签名分片、签名分片1和签名分片2,并向第一节点发送这些签名分片。第一节点接收到这些签名分片后,用门限签名算法对第一节点的签名分片、节点1的签名分片、节点2签名分片、签名分片1和签名分片2进行计算,得到签名信息。As another example, if Q nodes are node 1, node 2 and node 3 respectively, node 1 and node 2 have one private key shard, node 3 has two private key shards, node 1, node 2 Both node 3 and node 3 are nodes in the blockchain. The first node may be a blockchain node or not a blockchain node. Then node 1 uses its own private key shard to sign the terminal’s key information to obtain the node 1’s signature fragment, use the public key of the blockchain node on the chain to encrypt the signature fragment of node 1, and publish the encrypted information on the chain. Node 2 uses its own private key fragment to sign the key information of the terminal to obtain the signature fragment of node 2. It uses the public key of the blockchain node on the chain to encrypt the signature fragment of node 2 and encrypts it. The final information is published on the chain. Node 3 uses its own two private key fragments to sign the key information of the terminal respectively, and obtains the signature fragment 1 of node 3 and the signature fragment 2 of node 3, using the public key pair of the blockchain node on the chain. Signature Shard 1 and Signature Shard 2 encrypt and publish the encrypted information on the chain. After the blockchain node receives the above encrypted information, it uses its own private key on the chain to decrypt the information. It can obtain the signature fragment of node 1, the signature fragment of node 2, the signature fragment 1 and the signature fragment 2, and send it to The first node sends these signed shards. After receiving these signature fragments, the first node uses the threshold signature algorithm to calculate the signature fragment of the first node, the signature fragment of node 1, the signature fragment of node 2, the signature fragment 1 and the signature fragment 2, and obtain Signature information.
可选的,在第一节点获取N个签名分片之前,第一节点向M个节点发送第一信息。其中,第一信息包括终端的密钥信息。M个节点包括Q个节点,M为大于或等于Q的自然数,M个节点包括在节点集合中。也就是说,第一节点可以向M个节点发送终端的密钥信息,以触发M个节点根据自己的私钥分片对终端的密钥信息进行签名得到 对应的签名分片。Optionally, before the first node obtains N signature fragments, the first node sends the first information to M nodes. The first information includes key information of the terminal. M nodes include Q nodes, M is a natural number greater than or equal to Q, and M nodes are included in the node set. That is to say, the first node can send the terminal's key information to M nodes to trigger the M nodes to sign the terminal's key information according to their own private key fragments to obtain corresponding signature fragments.
可以理解的,在具体应用中,第一节点得到的签名分片的数量大于或等于门限签名的权限时,第一节点即可得到签名信息。因此,M个节点中的部分节点根据自己的私钥分片对终端的密钥信息进行签名得到对应的签名分片即可,有可能并不需要M个节点都获取自己的签名分片。It can be understood that in specific applications, when the number of signature fragments obtained by the first node is greater than or equal to the authority of the threshold signature, the first node can obtain the signature information. Therefore, some of the M nodes can sign the terminal's key information based on their own private key fragments to obtain the corresponding signature fragments. It is possible that all M nodes do not need to obtain their own signature fragments.
可以理解的,第一节点可以直接向M个节点发送第一信息,或者通过区块链向M个节点发送第一信息。It can be understood that the first node can directly send the first information to the M nodes, or send the first information to the M nodes through the blockchain.
例如,第一节点向区块链节点发送第一信息,区块链节点接收到第一信息后将第一信息上链,并向M个节点发送第一信息。For example, the first node sends the first information to the blockchain node. After receiving the first information, the blockchain node uploads the first information to the chain and sends the first information to M nodes.
可选的,在S302之前,第一节点获取终端的签约信息,根据终端的签约信息验证终端。其中,终端的签约信息可包括终端与节点集合中的节点所属的网络进行签约的相关信息。例如,终端的签约信息可包括以下至少一项:终端的签约时间、终端签约的有效期、终端签约的套餐的信息、终端的标识、终端中的SIM卡的标识或终端对应的用户的标识(如用户的身份证号)。终端签约的套餐的信息可包括流量信息和/或通话时间等等。Optionally, before S302, the first node obtains the subscription information of the terminal and verifies the terminal according to the subscription information of the terminal. The subscription information of the terminal may include information related to the terminal's subscription with the network to which the nodes in the node set belong. For example, the terminal's subscription information may include at least one of the following: the terminal's contract time, the validity period of the terminal's contract, information about the package contracted by the terminal, the terminal's identification, the identification of the SIM card in the terminal or the identification of the user corresponding to the terminal (such as user’s ID number). The information on the package contracted by the terminal may include traffic information and/or call time, etc.
可以理解的,第一节点可根据上述信息验证终端是否能够注册到网络。例如,若终端签约的有效期已超期,则第一节点确定验证失败,终端不能注册到网络中。又例如,若SIM卡的标识不合法,则第一节点确定验证失败,终端不能注册到网络中。It can be understood that the first node can verify whether the terminal can register to the network based on the above information. For example, if the validity period of the terminal subscription has expired, the first node determines that the verification failed and the terminal cannot be registered in the network. For another example, if the identification of the SIM card is illegal, the first node determines that the verification failed and the terminal cannot be registered in the network.
一种可能的实现方式,第一节点接收来自终端的终端的签约信息,或者,第一节点接收来自其他节点的终端的签约信息。In one possible implementation manner, the first node receives subscription information from a terminal of a terminal, or the first node receives subscription information from a terminal of another node.
可选的,第一节点还向M个节点发送以下至少一种信息:第一节点对终端的签约信息的验证结果、第一节点的签名分片或终端的签约信息。其中,该验证结果可包括验证成功或验证失败。可以理解的,上述至少一种信息可以包括在第一信息中,也可以包括在其他信息中发送给M个节点,不予限制。Optionally, the first node also sends at least one of the following information to the M nodes: the first node's verification result of the terminal's subscription information, the first node's signature fragment, or the terminal's subscription information. The verification result may include verification success or verification failure. It can be understood that the above-mentioned at least one kind of information may be included in the first information, or may be included in other information and sent to M nodes, without limitation.
可以理解的,第一节点向M个节点发送第一节点对终端的签约信息的验证结果,可使得接收到验证结果的节点确定第一节点是否对终端验证成功。可选的,若第一节点对终端验证成功,接收到验证结果的节点可根据自己的私钥分片对终端的密钥信息进行签名,得到对应的签名分片;若第一节点对终端验证失败,接收到验证结果的节点可以不生成签名分片。It can be understood that the first node sends the verification result of the terminal's subscription information by the first node to M nodes, so that the node that receives the verification result can determine whether the first node successfully verified the terminal. Optionally, if the first node successfully verifies the terminal, the node that receives the verification result can sign the terminal's key information based on its own private key fragments to obtain the corresponding signature fragments; if the first node verifies the terminal If it fails, the node that receives the verification result may not generate signature fragments.
可以理解的,第一节点向M个节点发送第一节点的签名分片,可使得接收到该签名分片的节点,根据该签名分片得到签名信息。It can be understood that the first node sends the signature fragments of the first node to M nodes, so that the nodes that receive the signature fragments can obtain signature information based on the signature fragments.
可以理解的,第一节点向M个节点发送终端的签约信息,可使得接收到该签约信息的节点根据该签约信息验证终端。It can be understood that the first node sends the terminal's subscription information to M nodes, so that the nodes that receive the subscription information can verify the terminal based on the subscription information.
可以理解的,第一节点直接向M个节点发送上述至少一种信息;或者,第一节点通过区块链向M个节点发送上述至少一种信息。It can be understood that the first node directly sends the above-mentioned at least one kind of information to the M nodes; or the first node sends the above-mentioned at least one kind of information to the M nodes through the blockchain.
可选的,第一节点向终端发送第三信息。相应的,终端接收来自第一节点的第三信息。其中,第三信息包括签名信息。这样,终端可以获取到签名信息,根据签名信息与第一节点进行认证。Optionally, the first node sends third information to the terminal. Correspondingly, the terminal receives the third information from the first node. The third information includes signature information. In this way, the terminal can obtain the signature information and perform authentication with the first node based on the signature information.
可选的,若N个签名分片存储在区块链节点中,则第一节点还获取签名信息对应 的区块链交易的标识。其中,该标识包括签名信息对应的区块链交易的地址。Optionally, if N signature shards are stored in the blockchain node, the first node also obtains the identifier of the blockchain transaction corresponding to the signature information. Among them, the identification includes the address of the blockchain transaction corresponding to the signature information.
可选的,第一节点还向终端发送签名信息对应的区块链交易的标识。相应的,终端接收来自第一节点的签名信息对应的区块链交易的标识。Optionally, the first node also sends the identifier of the blockchain transaction corresponding to the signature information to the terminal. Correspondingly, the terminal receives the identifier of the blockchain transaction corresponding to the signature information from the first node.
可选的,第一节点还向其他节点发送签名信息。相应的,其他节点接收来自第一节点的签名信息。这样,其他节点可以不用自己生成签名信息。Optionally, the first node also sends signature information to other nodes. Correspondingly, other nodes receive the signature information from the first node. In this way, other nodes do not need to generate signature information themselves.
可以理解的,第一节点可以直接向其他节点发送签名信息,或者,第一节点通过区块链向其他节点发送签名信息。It can be understood that the first node can directly send signature information to other nodes, or the first node can send signature information to other nodes through the blockchain.
下面介绍终端和第一节点之间根据签名信息进行认证的具体过程。The following describes the specific process of authentication between the terminal and the first node based on the signature information.
如图4所示,为本申请实施例提供的一种认证方法,该方法可以包括如下步骤:As shown in Figure 4, an authentication method is provided in an embodiment of the present application. The method may include the following steps:
S401:第一节点获取签名信息。S401: The first node obtains signature information.
其中,第一节点可以是图1所示通信系统10中的节点101。Wherein, the first node may be the node 101 in the communication system 10 shown in FIG. 1 .
一种可能的实现方式,第一节点通过图3所示的方法获取签名信息,例如,第一节点根据第一节点的签名分片和N个签名分片,得到签名信息;或者,第一节点接收来自其他节点的签名信息;或者,第一节点接收来自区块链节点的签名信息。或者,第一节点通过其他方式获取签名信息,不予限制。In one possible implementation, the first node obtains the signature information through the method shown in Figure 3. For example, the first node obtains the signature information based on the signature fragment of the first node and N signature fragments; or, the first node obtains the signature information. Receive signature information from other nodes; alternatively, the first node receives signature information from the blockchain node. Alternatively, the first node obtains the signature information through other methods, which is not restricted.
S402:终端获取签名信息。S402: The terminal obtains signature information.
其中,终端可以是图1所示通信系统10中的终端102。The terminal may be the terminal 102 in the communication system 10 shown in FIG. 1 .
一种可能的实现方式,终端通过图3所示的方法获取签名信息,例如,终端接收来自第一节点或其他节点的签名信息。或者,终端通过其他方式获取签名信息,不予限制。In one possible implementation, the terminal obtains signature information through the method shown in Figure 3. For example, the terminal receives signature information from the first node or other nodes. Or, the terminal obtains the signature information through other methods, which is not restricted.
可以理解的,本申请不限制S401和S402的执行顺序,例如,可以先执行S401,再执行S402,或者先执行S402,再执行S401,或者同时执行S401和S402。It can be understood that this application does not limit the execution order of S401 and S402. For example, S401 may be executed first and then S402, or S402 may be executed first and then S401, or S401 and S402 may be executed simultaneously.
可选的,在S401之前,终端根据预设策略确定节点集合。Optionally, before S401, the terminal determines a node set according to a preset policy.
一种可能的设计,预设策略包括以下至少一项:终端对应的用户的选择、节点集合中节点的入网需求、节点集合中节点所在网络的组网规模或节点集合中节点所在网络的安全等级。In one possible design, the preset strategy includes at least one of the following: selection of the user corresponding to the terminal, network access requirements of the nodes in the node set, the network scale of the network where the nodes in the node set are located, or the security level of the network where the nodes in the node set are located. .
示例性的,用户通过终端上的软件选择节点集合,响应于用户的操作,终端确定节点集合。或者,终端根据节点集合中节点的入网需求,如:流量需求,和/或,通话时间需求等,确定节点集合,如终端选择最符合用户需求的节点所在的节点集合。或者,终端选择组网规模最大的节点所在的节点集合。或者,终端选择包括较多组网规模大的节点的节点集合。或者,终端选择安全等级最高的节点所在的节点集合。或者,终端选择包括较多安全等级高的节点的节点集合。For example, the user selects a node set through software on the terminal, and in response to the user's operation, the terminal determines the node set. Alternatively, the terminal determines the node set based on the network access requirements of the nodes in the node set, such as traffic requirements, and/or call time requirements, etc., for example, the terminal selects the node set where the node that best meets the user's needs is located. Or, the terminal selects the node set where the node with the largest network scale is located. Alternatively, the terminal selects a node set including a large number of nodes with a large network scale. Or, the terminal selects the node set where the node with the highest security level is located. Alternatively, the terminal selects a node set including a larger number of nodes with higher security levels.
S403:终端和第一节点根据签名信息进行认证。S403: The terminal and the first node perform authentication based on the signature information.
一种可能的实现方式,终端和第一节点可通过S4031-S4032进行认证。In one possible implementation, the terminal and the first node can be authenticated through S4031-S4032.
S4031:终端向第一节点发送第一请求。相应的,第一节点接收来自终端的第一请求。S4031: The terminal sends the first request to the first node. Correspondingly, the first node receives the first request from the terminal.
其中,第一请求可以包括签名信息和第一随机数。第一随机数可以是终端生成的,或者终端从其他设备获取的。The first request may include signature information and a first random number. The first random number may be generated by the terminal, or obtained by the terminal from other devices.
可选的,终端还向第一节点发送以下至少一种信息:终端的标识(如国际移动设 备识别码(international mobile equipment identity,IMEI)或终端的序列号)、终端支持的签名算法的信息或签名信息对应的区块链交易的标识。相应的,第一节点接收来自终端的上述至少一种信息。Optionally, the terminal also sends at least one of the following information to the first node: the identification of the terminal (such as the international mobile equipment identity (IMEI) or the serial number of the terminal), information about the signature algorithm supported by the terminal, or The identifier of the blockchain transaction corresponding to the signature information. Correspondingly, the first node receives at least one of the above information from the terminal.
可以理解的,上述至少一种信息可包括在第一请求中发送给第一节点,也可通过其他信息发送给第一节点,不予限制。It can be understood that the above-mentioned at least one kind of information may be included in the first request and sent to the first node, or may be sent to the first node through other information, without limitation.
S4032:第一节点根据第一请求与终端进行认证。S4032: The first node authenticates with the terminal according to the first request.
一种可能的实现方式,第一节点向终端发送第一消息。其中,第一消息可以包括第一节点的证书、第一认证信息和第二随机数。第一认证信息是根据第一节点的私钥和第一随机数得到的。例如,第一节点用第一节点的私钥对第一随机数进行签名得到第一认证信息。又例如,第一节点采用终端支持的签名算法用第一节点的私钥对第一随机数进行签名得到第一认证信息。终端接收到第一消息后,向第一节点发送第二消息。其中,第二消息包括第二认证信息,第二认证信息是根据终端的私钥和第二随机数得到的。例如,终端验证第一节点的证书的有效性,根据第一节点的公钥验证第一认证信息,在第一节点的证书有效,并且第一认证信息验证成功的情况下,向第一节点发送第二消息。第一节点接收到第二消息后,根据节点集合的公钥和签名信息,得到终端的密钥信息,根据终端的密钥信息认证第二认证信息。例如,第一节点根据节点集合的公钥验证签名信息,若验证成功,则第一节点得到终端的密钥信息,例如得到终端的公钥,根据终端的公钥认证第二认证信息。In a possible implementation manner, the first node sends the first message to the terminal. Wherein, the first message may include the certificate of the first node, the first authentication information and the second random number. The first authentication information is obtained based on the private key of the first node and the first random number. For example, the first node signs the first random number with the first node's private key to obtain the first authentication information. For another example, the first node uses a signature algorithm supported by the terminal to sign the first random number with the private key of the first node to obtain the first authentication information. After receiving the first message, the terminal sends the second message to the first node. The second message includes second authentication information, and the second authentication information is obtained based on the terminal's private key and the second random number. For example, the terminal verifies the validity of the first node's certificate, verifies the first authentication information based on the first node's public key, and sends the first node to the first node when the first node's certificate is valid and the first authentication information is successfully verified. Second news. After receiving the second message, the first node obtains the key information of the terminal based on the public key and signature information of the node set, and authenticates the second authentication information based on the key information of the terminal. For example, the first node verifies the signature information according to the public key of the node set. If the verification is successful, the first node obtains the key information of the terminal, for example, obtains the public key of the terminal, and authenticates the second authentication information according to the public key of the terminal.
可以理解的,上述第一节点的证书、第一认证信息和第二随机数可以包括在第一消息中发送给终端,也可包括在不同的消息中发送给终端,不予限制。It can be understood that the above-mentioned certificate, first authentication information and second random number of the first node may be included in the first message and sent to the terminal, or may be included in different messages and sent to the terminal, without limitation.
可选的,第一节点向终端发送认证结果。相应的,终端接收来自第一节点的认证结果。其中,认证结果包括认证失败或认证成功。Optionally, the first node sends the authentication result to the terminal. Correspondingly, the terminal receives the authentication result from the first node. The authentication result includes authentication failure or authentication success.
示例性的,若第一节点根据节点集合的公钥验证签名信息失败,第一节点向终端发送认证结果,以向终端指示第一节点认证终端失败。或者,若第一节点认证第二认证信息失败,第一节点向终端发送认证结果,以向终端指示第一节点认证终端失败。或者,若第一节点认证第二认证信息成功,第一节点向终端发送认证结果,以向终端指示第一节点认证终端成功。For example, if the first node fails to verify the signature information based on the public key of the node set, the first node sends the authentication result to the terminal to indicate to the terminal that the first node has failed to authenticate the terminal. Or, if the first node fails to authenticate the second authentication information, the first node sends the authentication result to the terminal to indicate to the terminal that the first node fails to authenticate the terminal. Alternatively, if the first node successfully authenticates the second authentication information, the first node sends the authentication result to the terminal to indicate to the terminal that the first node successfully authenticates the terminal.
可选的,第一节点还通过区块链验证签名信息。Optionally, the first node also verifies the signature information through the blockchain.
例如,第一节点接收到来自终端的签名信息对应的区块链交易的标识后,向区块链节点发送第三消息。该第三消息可以用于查询签名信息。例如,第三消息包括签名信息对应的区块链交易的标识。区块链节点接收到第三消息后,向第一节点发送第四消息。第四消息包括根据上述标识查询到的签名信息。这样,第一节点可根据第四消息包括的签名信息验证终端发送的签名信息是否正确,以进一步提高通信安全。For example, after receiving the identifier of the blockchain transaction corresponding to the signature information from the terminal, the first node sends the third message to the blockchain node. The third message can be used to query signature information. For example, the third message includes the identification of the blockchain transaction corresponding to the signature information. After receiving the third message, the blockchain node sends the fourth message to the first node. The fourth message includes the signature information queried based on the above identification. In this way, the first node can verify whether the signature information sent by the terminal is correct based on the signature information included in the fourth message, so as to further improve communication security.
其中,上述S401-S403中的第一节点或终端的动作可以由图2所示的通信装置20中的处理器201调用存储器203中存储的应用程序代码来执行,本申请实施例对此不做任何限制。Among them, the actions of the first node or terminal in the above-mentioned S401-S403 can be executed by the processor 201 in the communication device 20 shown in FIG. 2 by calling the application code stored in the memory 203. This embodiment of the present application does not do this. Any restrictions.
基于图4所示的方法,终端和第一节点之间可基于签名信息进行认证,而不需要使用SIM卡中的密钥进行认证,实现了SIM卡与网络解绑,用户若想切换网络,不需要更换SIM卡,使得终端能够灵活入网,提高了用户体验。另外,若终端在节点集合 中的节点中切换时,例如,终端从第一节点切换到第二节点后,终端仍可以根据签名信息与第二节点认证,而不需要再次获取签名信息,简化了认证流程。Based on the method shown in Figure 4, the terminal and the first node can be authenticated based on signature information without using the key in the SIM card for authentication. This realizes the unbinding of the SIM card from the network. If the user wants to switch networks, There is no need to replace the SIM card, allowing the terminal to flexibly access the network and improving user experience. In addition, if the terminal switches among nodes in the node set, for example, after the terminal switches from the first node to the second node, the terminal can still authenticate with the second node based on the signature information without needing to obtain the signature information again, which simplifies Certification process.
可选的,在图3所示方法或图4所示方法的一种可能的场景中,节点集合中的节点获取自己的私钥分片和节点集合的公钥。Optionally, in a possible scenario of the method shown in Figure 3 or the method shown in Figure 4, the nodes in the node set obtain their own private key fragments and the public key of the node set.
一种可能的实现方式,第三方节点确定节点集合的私钥和节点集合的公钥,根据节点集合的私钥,确定节点集合中的节点的私钥分片,向对应的节点发送该节点的私钥分片和节点集合的公钥。可以理解的,第三方节点可将私钥分片和节点集合的公钥加密后发送,例如,用接收节点的公钥加密后发送。One possible implementation method is that the third-party node determines the private key of the node set and the public key of the node set, determines the private key fragments of the nodes in the node set based on the private key of the node set, and sends the node's private key to the corresponding node. The private key shard and the public key of the node collection. It can be understood that the third-party node can encrypt the private key fragments and the public key of the node set before sending them, for example, encrypt them with the public key of the receiving node and then send them.
可选的,第三方节点确定门限签名的权重,和/或,节点集合中节点对应的权重。Optionally, the third-party node determines the weight of the threshold signature and/or the corresponding weight of the node in the node set.
作为一种示例,若节点集合包括节点1、节点2和节点3,第三方节点确定节点集合的私钥和节点集合的公钥后,用算法对节点集合的私钥进行计算,得到节点1的私钥分片、节点2的私钥分片和节点3的私钥分片,根据节点集合的信息确定门限签名的权重,并向节点1发送节点1的私钥分片、节点集合的公钥和门限签名的权重,向节点2发送节点2的私钥分片、节点集合的公钥和门限签名的权重,向节点3发送节点3的私钥分片、节点集合的公钥和门限签名的权重。第三方节点还根据节点集合的信息确定节点1对应的权重,节点2对应的权重和节点3对应的权重,并向节点1、节点2和节点3发送上述权重。其中,节点集合的信息可包括节点集合中节点所在网络的组网规模的信息,和/或,节点集合中节点所在网络的安全等级的信息。As an example, if the node set includes node 1, node 2 and node 3, after the third-party node determines the private key of the node set and the public key of the node set, it uses an algorithm to calculate the private key of the node set and obtains the node 1's private key. The private key fragment, the private key fragment of node 2 and the private key fragment of node 3 determine the weight of the threshold signature based on the information of the node set, and send the private key fragment of node 1 and the public key of the node set to node 1 and the weight of the threshold signature, send the private key fragment of node 2, the public key of the node set and the weight of the threshold signature to node 2, and send the private key fragment of node 3, the public key of the node set and the threshold signature to node 3 Weights. The third-party node also determines the weight corresponding to node 1, the weight corresponding to node 2, and the weight corresponding to node 3 based on the information of the node set, and sends the above weights to node 1, node 2, and node 3. The information about the node set may include information about the network scale of the network where the nodes in the node set are located, and/or the information about the security level of the network where the nodes in the node set are located.
可以理解的,节点1接收到节点1的私钥分片、节点集合的公钥和门限签名的权重S后,可知道自己用S个签名分片可得到节点集合的签名信息,根据节点集合的公钥可验证该签名信息。若节点1还接收到节点1对应的权重Y,节点2对应的权重Z和节点3对应的权重G,则节点1可确定节点1的签名分片可相当于Y个签名分片,节点2的签名分片可相当于Z个签名分片,节点3的签名分片可相当于G个签名分片。It can be understood that after node 1 receives the private key fragment of node 1, the public key of the node collection and the weight S of the threshold signature, it can know that it can obtain the signature information of the node collection using S signature fragments. According to the node collection The public key verifies the signed information. If node 1 also receives the weight Y corresponding to node 1, the weight Z corresponding to node 2, and the weight G corresponding to node 3, then node 1 can determine that the signature fragment of node 1 can be equivalent to Y signature fragments, and that of node 2 A signature shard can be equivalent to Z signature shards, and the signature shard of node 3 can be equivalent to G signature shards.
例如,若节点1接收到节点1的私钥分片、节点集合的公钥和门限签名的权重S,S为2,则节点1确定用2个签名分片可得到签名信息,例如,节点1根据节点1的签名分片和节点2的签名分片可得到签名信息,或者节点1根据节点1的签名分片和节点3的签名分片可得到签名信息。For example, if node 1 receives the private key fragment of node 1, the public key of the node set and the weight S of the threshold signature, S is 2, then node 1 determines that the signature information can be obtained by using 2 signature fragments, for example, node 1 The signature information can be obtained based on the signature fragment of node 1 and the signature fragment of node 2, or the signature information can be obtained by node 1 based on the signature fragment of node 1 and the signature fragment of node 3.
又例如,若节点1接收到节点1的私钥分片、节点集合的公钥、门限签名的权重S,节点1对应的权重Y,节点2对应的权重Z和节点3对应的权重G,S为3,Y为2,Z为1,G为1,则节点1确定用3个签名分片可得到签名信息,例如,节点1根据节点1的签名分片和节点2的签名分片可得到签名信息,或者节点1根据节点1的签名分片和节点3的签名分片可得到签名信息。For another example, if node 1 receives the private key fragment of node 1, the public key of the node set, and the weight S of the threshold signature, the weight Y corresponding to node 1, the weight Z corresponding to node 2, and the weight G, S corresponding to node 3 is 3, Y is 2, Z is 1, and G is 1, then node 1 determines that the signature information can be obtained by using 3 signature fragments. For example, node 1 can obtain the signature information based on the signature fragment of node 1 and the signature fragment of node 2. Signature information, or node 1 can obtain the signature information based on the signature fragment of node 1 and the signature fragment of node 3.
可以理解的,节点集合中节点所在网络的组网规模越大,该节点对应的权重越大;节点集合中节点所在网络的组网规模越小,该节点对应的权重越小。节点集合中节点所在网络的安全等级越低,该节点对应的权重越小。It can be understood that the larger the network scale of the network where the node is located in the node set, the greater the weight corresponding to the node; the smaller the network scale of the network where the node is located in the node set, the smaller the weight corresponding to the node is. The lower the security level of the network where the node is located in the node set, the smaller the weight corresponding to the node.
可以理解的,节点2接收到节点2的私钥分片、节点集合的公钥和门限签名的权重S后,可和节点1执行类似的操作。节点3接收到节点3的私钥分片、节点集合的公钥和门限签名的权重S后,可和节点1执行类似的操作。此处不做赘述。It can be understood that after node 2 receives the private key fragment of node 2, the public key of the node set, and the weight S of the threshold signature, it can perform similar operations to node 1. After receiving the private key fragment of node 3, the public key of the node set, and the weight S of the threshold signature, node 3 can perform similar operations to node 1. No further details will be given here.
可选的,第三方节点还可为节点集合中的节点确定该节点的公钥分片。Optionally, the third-party node can also determine the public key shard of the node for the node in the node set.
另一种可能的实现方式,节点集合中的节点根据自己所在网络的组网规模,和/或,自己所在网络的安全等级,确定自己对应的权重,并向第三方节点发送该权重。第三方节点确定节点集合的私钥和节点集合的公钥,并在接收到该权重后,根据该权重确定节点集合中的节点的私钥分片和门限签名的权重,向对应的节点发送该节点的私钥分片、节点集合的公钥和门限签名的权重。Another possible implementation method is that the nodes in the node set determine their corresponding weights based on the network scale of the network where they are located and/or the security level of the network where they are located, and send the weights to third-party nodes. The third-party node determines the private key of the node set and the public key of the node set, and after receiving the weight, determines the weight of the private key fragmentation and threshold signature of the nodes in the node set based on the weight, and sends the weight to the corresponding node. The node’s private key shard, the node set’s public key, and the weight of the threshold signature.
可选的,第三方节点还可重新确定节点集合中节点对应的权重,并向节点集合中的节点发送重新确定的权重。Optionally, the third-party node can also re-determine the weights corresponding to the nodes in the node set, and send the re-determined weights to the nodes in the node set.
可选的,第三方节点还可为节点集合中的节点确定该节点的公钥分片。Optionally, the third-party node can also determine the public key shard of the node for the node in the node set.
再一种可能的实现方式,节点集合中的节点生成该节点的私钥分片和公钥分片,并向节点集合中的节点发送自己的公钥分片。这样,每个节点接收到其他节点的公钥分片,可获得节点集合的公钥。In another possible implementation, the nodes in the node set generate the private key fragments and public key fragments of the node, and send their own public key fragments to the nodes in the node set. In this way, each node receives the public key fragments of other nodes and can obtain the public key of the node set.
可选的,节点集合中的节点根据节点集合中节点的数量确定签名门限的权重。例如,若节点结合中包括10节点,则签名门限的权重可大于或等于5。Optionally, the nodes in the node set determine the weight of the signature threshold based on the number of nodes in the node set. For example, if the node combination includes 10 nodes, the weight of the signature threshold can be greater than or equal to 5.
可选的,节点集合中的节点还确定自己对应的权重,还根据节点集合中的节点的数量,以及每个节点对应的权重确定签名门限的权重。Optionally, the nodes in the node set also determine their own corresponding weights, and the weight of the signature threshold is also determined based on the number of nodes in the node set and the weight corresponding to each node.
作为一种示例,若节点集合包括节点1、节点2和节点3,节点1确定节点1的私钥分片,节点1的公钥分片和节点1对应的权重Y,向节点2和节点3发送节点1的公钥分片和节点1对应的权重Y。节点2确定节点2的私钥分片,节点2的公钥分片和节点2对应的权重Z,向节点1和节点3发送节点2的公钥分片和节点2对应的权重Z。节点3确定节点3的私钥分片,节点3的公钥分片和节点3对应的权重G,向节点1和节点2发送节点3的公钥分片和节点3对应的权重G。As an example, if the node set includes node 1, node 2 and node 3, node 1 determines the private key fragment of node 1, the public key fragment of node 1 and the weight Y corresponding to node 1, and sends the information to node 2 and node 3. Send the public key fragment of node 1 and the weight Y corresponding to node 1. Node 2 determines the private key fragment of node 2, the public key fragment of node 2 and the weight Z corresponding to node 2, and sends the public key fragment of node 2 and the weight Z corresponding to node 2 to node 1 and node 3. Node 3 determines the private key fragment of node 3, the public key fragment of node 3 and the weight G corresponding to node 3, and sends the public key fragment of node 3 and the weight G corresponding to node 3 to node 1 and node 2.
可以理解的,若Y为2,Z为1,G为1,节点1接收到节点2的公钥分片、节点2对应的权重、节点3的公钥分片和节点3对应的权重后,可确定签名门限的权重为3,并根据节点1的公钥分片和节点2的公钥分片得到节点集合的公钥,或者,根据节点1的公钥分片和节点3的公钥分片得到节点集合的公钥。It can be understood that if Y is 2, Z is 1, and G is 1, after node 1 receives the public key fragment of node 2, the corresponding weight of node 2, the public key fragment of node 3, and the corresponding weight of node 3, The weight of the signature threshold can be determined to be 3, and the public key of the node set can be obtained based on the public key fragmentation of node 1 and the public key fragmentation of node 2, or based on the public key fragmentation of node 1 and the public key fragmentation of node 3. Get the public key of the node set.
下面以节点集合包括图1中的节点101、节点103和节点105为例介绍本申请实施例提供的获取签名信息的方法以及本申请实施例提供的认证方法。具体的,可参考下述图5所示的方法。The following takes the node set including node 101, node 103 and node 105 in Figure 1 as an example to introduce the method of obtaining signature information provided by the embodiment of the present application and the authentication method provided by the embodiment of the present application. Specifically, reference may be made to the method shown in Figure 5 below.
可以理解的,上述图3所示方法中对各个步骤或特征的解释说明,以及上述图4所示方法中对各个步骤或特征的解释说明都适用于图5所示的方法。同理,下述图5所示的方法中各个步骤或特征的解释说明也都适用于图3所示的方法和图4所示的方法。It can be understood that the explanations of each step or feature in the method shown in FIG. 3 and the explanations of each step or feature in the method shown in FIG. 4 are applicable to the method shown in FIG. 5 . In the same way, the following explanations of each step or feature in the method shown in Figure 5 are also applicable to the method shown in Figure 3 and the method shown in Figure 4 .
如图5所示,为本申请实施例提供的一种获取签名信息的方法,该方法可以包括如下步骤:As shown in Figure 5, an embodiment of the present application provides a method for obtaining signature information. The method may include the following steps:
S501:节点101获取节点101的私钥分片、节点集合的公钥和门限签名的权重。S501: Node 101 obtains the private key fragment of node 101, the public key of the node set, and the weight of the threshold signature.
S502:节点103获取节点103的私钥分片、节点集合的公钥和门限签名的权重。S502: Node 103 obtains the private key fragment of node 103, the public key of the node set, and the weight of the threshold signature.
S503:节点105获取节点105的私钥分片、节点集合的公钥和门限签名的权重。S503: Node 105 obtains the private key fragment of node 105, the public key of the node set, and the weight of the threshold signature.
可以理解的,本申请实施例不限制S501-S503的执行顺序。例如,可以先执行S501,再执行S502,最后执行S503,或者先执行S502,再执行S503,最后执行S501,或者 先执行S503,再执行S502,最后执行S501,或者先执行S503,再执行S501,最后执行S502,或者同时执行S501-S503等等。It can be understood that the embodiment of the present application does not limit the execution order of S501-S503. For example, you can execute S501 first, then S502, and finally S503, or execute S502 first, then S503, and finally S501, or execute S503 first, then S502, and finally S501, or execute S503 first, and then S501. Finally execute S502, or execute S501-S503 at the same time and so on.
在图5所示方法中,节点101,和/或,节点103,和/或,节点105为区块链中的节点,或者,节点101、节点103和节点105不是区块链中的节点,不予限制。In the method shown in Figure 5, node 101, and/or node 103, and/or node 105 are nodes in the blockchain, or node 101, node 103, and node 105 are not nodes in the blockchain, No restrictions.
S504:终端102向节点101发送终端102的密钥信息和终端102的签约信息。相应的,节点101接收来自终端102的终端102的密钥信息和终端102的签约信息。S504: The terminal 102 sends the key information of the terminal 102 and the subscription information of the terminal 102 to the node 101. Correspondingly, the node 101 receives the key information of the terminal 102 and the subscription information of the terminal 102 from the terminal 102 .
一种可能的实现方式,终端102根据预设策略确定节点集合,向节点集合中的节点,如节点101发送终端102的密钥信息和终端102的签约信息。In one possible implementation, the terminal 102 determines a node set according to a preset policy, and sends the key information of the terminal 102 and the subscription information of the terminal 102 to the nodes in the node set, such as the node 101.
可选的,终端102确定节点集合后,获取节点集合对应的签约(profile)模板,响应于用户的输入,在模板中填写相关信息,得到终端102的签约信息。Optionally, after determining the node set, the terminal 102 obtains a subscription (profile) template corresponding to the node set, and fills in relevant information in the template in response to the user's input to obtain the subscription information of the terminal 102.
可选的,终端102生成终端102的公钥和终端102的私钥。Optionally, the terminal 102 generates the public key of the terminal 102 and the private key of the terminal 102.
可选的,终端102还向节点101发送节点集合的标识,以向节点101指示终端102确定的节点集合。Optionally, the terminal 102 also sends the identifier of the node set to the node 101 to indicate to the node 101 the node set determined by the terminal 102.
一种可能的实现方式,终端102的密钥信息,和/或,终端102的签约信息,和/或,节点集合的标识是终端102通过wi-fi或者传统硬卡的方式发送给节点101的。In one possible implementation, the key information of the terminal 102, and/or the subscription information of the terminal 102, and/or the identity of the node set is sent by the terminal 102 to the node 101 through Wi-Fi or a traditional hard card. .
S505:节点101根据节点101的私钥分片对终端102的密钥信息进行签名,得到节点101的签名分片。S505: Node 101 signs the key information of terminal 102 according to the private key fragment of node 101, and obtains the signature fragment of node 101.
一种可能的实现方式,节点101根据终端102的签约信息验证终端102,在验证成功后,根据节点101的私钥分片对终端102的密钥信息进行签名,得到节点101的签名分片。In one possible implementation, node 101 verifies terminal 102 based on the contract information of terminal 102. After successful verification, it signs the key information of terminal 102 based on the private key fragments of node 101 to obtain the signature fragments of node 101.
S506:节点101向节点103和节点105发送终端102的密钥信息。相应的,节点103和节点105接收来自节点101的终端102的密钥信息。S506: Node 101 sends the key information of terminal 102 to node 103 and node 105. Correspondingly, the node 103 and the node 105 receive the key information from the terminal 102 of the node 101.
一种可能的实现方式,若终端102向节点101发送节点集合的标识,则节点101根据节点集合的标识获取节点集合中的节点,如节点103和节点105,并向节点103和节点105发送终端102的密钥信息。One possible implementation is that if the terminal 102 sends the identifier of the node set to the node 101, the node 101 obtains the nodes in the node set, such as node 103 and node 105, based on the identifier of the node set, and sends the terminal to node 103 and node 105. 102 key information.
可选的,节点101还向节点103和节点105发送终端102的签约信息,和/或,节点101对终端102的签约信息的验证结果,和/或,节点101的签名分片。Optionally, the node 101 also sends the subscription information of the terminal 102 to the node 103 and the node 105, and/or the verification result of the subscription information of the terminal 102 by the node 101, and/or the signature fragment of the node 101.
可以理解的,终端102的密钥信息,和/或,终端102的签约信息,和/或,节点101对终端102的签约信息的验证结果,和/或,节点101的签名分片可以存储在区块链中。It can be understood that the key information of the terminal 102, and/or the subscription information of the terminal 102, and/or the verification results of the node 101 on the subscription information of the terminal 102, and/or the signature fragments of the node 101 can be stored in in the blockchain.
作为一种示例,若节点101、节点103和节点105为区块链中的节点,则节点101将上述信息用节点103在链上的公钥加密得到加密信息1,并在区块链上发布加密信息1。节点101还将上述信息用节点105在链上的公钥加密得到加密信息2,并在区块链上发布加密信息2。后续,节点103接收到加密信息1后,根据节点103在链上的私钥解密该信息,可得到上述信息。同理,节点105接收到加密信息2后,根据节点105在链上的私钥解密该信息,可得到上述信息。As an example, if node 101, node 103 and node 105 are nodes in the blockchain, node 101 encrypts the above information with the public key of node 103 on the chain to obtain encrypted information 1, and publishes it on the blockchain Encrypted information 1. Node 101 also encrypts the above information with the public key of node 105 on the chain to obtain encrypted information 2, and publishes encrypted information 2 on the blockchain. Subsequently, after node 103 receives the encrypted information 1, it decrypts the information according to the private key of node 103 on the chain to obtain the above information. In the same way, after node 105 receives the encrypted information 2, it can decrypt the information according to the private key of node 105 on the chain to obtain the above information.
作为另一种示例,若节点103和节点105不是区块链中的节点,节点101除了向节点103和节点105发送上述信息之外,还向区块链节点104发送上述信息,以便区块链节点104将上述信息存储在区块链中。As another example, if node 103 and node 105 are not nodes in the blockchain, node 101, in addition to sending the above information to node 103 and node 105, also sends the above information to blockchain node 104, so that the blockchain Node 104 stores the above information in the blockchain.
S507:节点103向节点101发送节点103的签名分片。相应的,节点101接收来自节点103的节点103的签名分片。S507: Node 103 sends the signature fragment of node 103 to node 101. Correspondingly, node 101 receives node 103's signature fragment from node 103.
一种可能的实现方式,节点103根据终端102的签约信息验证终端102,在验证成功后,根据节点103的私钥分片对终端102的密钥信息进行签名,得到节点103的签名分片,并向节点101发送节点103的签名分片。One possible implementation is that node 103 verifies terminal 102 based on the contract information of terminal 102. After successful verification, it signs the key information of terminal 102 based on the private key fragments of node 103 to obtain the signature fragments of node 103. And send the signature fragment of node 103 to node 101.
可选的,节点103还向节点105发送节点103的签名分片。相应的,节点105接收来自节点103的节点103的签名分片。Optionally, node 103 also sends the signature fragment of node 103 to node 105. Correspondingly, node 105 receives the signed fragment of node 103 from node 103 .
可以理解的,节点103的签名分片也可存储在区块链中,具体的,可参考前文对应的描述。It can be understood that the signature fragments of node 103 can also be stored in the blockchain. For details, please refer to the corresponding description above.
S508:节点105向节点101发送节点105的签名分片。相应的,节点101接收来自节点105的节点105的签名分片。S508: Node 105 sends the signature fragment of node 105 to node 101. Correspondingly, node 101 receives the signed fragment of node 105 from node 105 .
一种可能的实现方式,节点105根据终端102的签约信息验证终端102,在验证成功后,根据节点105的私钥分片对终端102的密钥信息进行签名,得到节点105的签名分片,并向节点101发送节点105的签名分片。One possible implementation is that the node 105 verifies the terminal 102 based on the contract information of the terminal 102. After the verification is successful, it signs the key information of the terminal 102 based on the private key fragments of the node 105 to obtain the signature fragments of the node 105. And send the signature fragment of node 105 to node 101.
可选的,节点105还向节点103发送节点105的签名分片。相应的,节点103接收来自节点105的节点105的签名分片。Optionally, node 105 also sends the signature fragment of node 105 to node 103. Correspondingly, node 103 receives the signed fragment of node 105 from node 105 .
可以理解的,节点105的签名分片也可存储在区块链中,具体的,可参考前文对应的描述。It can be understood that the signature fragments of node 105 can also be stored in the blockchain. For details, please refer to the corresponding description above.
可以理解的,本申请实施例不限制S507和S508的执行顺序,例如,可以先执行S507,再执行S508,或者先执行S508,再执行S507,或者同时执行S507和S508。It can be understood that the embodiment of the present application does not limit the execution order of S507 and S508. For example, S507 may be executed first and then S508, or S508 may be executed first and then S507, or S507 and S508 may be executed simultaneously.
可以理解的,若门限签名的权重为2,则S507和S508中至少执行一个即可。It can be understood that if the weight of the threshold signature is 2, then at least one of S507 and S508 can be executed.
S509:节点101获取节点集合的签名信息。S509: Node 101 obtains the signature information of the node set.
一种可能的实现方式,若门限签名的权重为2,节点101根据节点101的签名分片和节点103的签名分片,得到签名信息,或者,节点101根据节点101的签名分片和节点105的签名分片,得到签名信息。One possible implementation method is that if the weight of the threshold signature is 2, node 101 obtains the signature information based on the signature fragment of node 101 and the signature fragment of node 103, or node 101 obtains the signature information based on the signature fragment of node 101 and node 105. Signature fragments to obtain signature information.
可以理解的,该签名信息可存储在区块链中。例如,若节点101为区块链中的节点,则节点101将该签名信息上链,若节点101不是区块链中的节点,则节点101向区块链节点104发送该签名信息。It is understood that the signature information can be stored in the blockchain. For example, if the node 101 is a node in the blockchain, the node 101 uploads the signature information to the blockchain. If the node 101 is not a node in the blockchain, the node 101 sends the signature information to the blockchain node 104.
S510:节点101向终端102发送签名信息。相应的,终端102接收来自节点101的签名信息。S510: Node 101 sends signature information to terminal 102. Correspondingly, the terminal 102 receives the signature information from the node 101.
可选的,若该签名信息可存储在区块链中,节点101还向终端102发送签名信息对应的区块链交易的标识。Optionally, if the signature information can be stored in the blockchain, the node 101 also sends the identifier of the blockchain transaction corresponding to the signature information to the terminal 102.
可以理解的,终端102接收到该签名信息后,即可根据该签名信息与节点集合中的节点进行认证。下面以终端102与节点103进行认证为例进行介绍,具体包括下述S511-S512:It can be understood that after receiving the signature information, the terminal 102 can perform authentication with the nodes in the node set based on the signature information. The following takes the authentication between terminal 102 and node 103 as an example to introduce, specifically including the following S511-S512:
S511:终端102向节点103发送第一请求。相应的,节点103接收来自终端102的第一请求。S511: The terminal 102 sends the first request to the node 103. Correspondingly, node 103 receives the first request from terminal 102.
S512:节点103根据第一请求与终端102进行认证。S512: The node 103 authenticates with the terminal 102 according to the first request.
可以理解的,在S512之后,若终端102想切换到节点集合中除节点103之外的节 点,如节点105,则终端可根据该签名信息和该节点进行认证。It can be understood that after S512, if the terminal 102 wants to switch to a node other than node 103 in the node set, such as node 105, the terminal can perform authentication based on the signature information and the node.
其中,上述S501-S512中的节点101或者节点103或者节点105或者终端102的动作可以由图2所示的通信装置20中的处理器201调用存储器203中存储的应用程序代码来执行,本申请实施例对此不做任何限制。Among them, the actions of the node 101 or the node 103 or the node 105 or the terminal 102 in the above-mentioned S501-S512 can be executed by the processor 201 in the communication device 20 shown in Figure 2 by calling the application code stored in the memory 203. This application The embodiment does not impose any restrictions on this.
基于图5所示的方法,终端102可获取到能够与节点集合中的节点进行认证的签名信息,而不需要使用SIM卡中的密钥进行认证,实现了SIM卡与网络解绑,用户若想切换网络,不需要更换SIM卡,使得终端能够灵活入网,提高了用户体验。另外,若终端102在节点集合中的节点中切换时,例如,终端102从节点103切换到节点105后,终端102仍可以根据签名信息与节点105认证,而不需要再次获取签名信息,简化了认证流程。Based on the method shown in Figure 5, the terminal 102 can obtain signature information that can be authenticated with the nodes in the node set without using the key in the SIM card for authentication, thus unbinding the SIM card from the network. If the user If you want to switch networks, you don't need to change the SIM card, which allows the terminal to flexibly access the network and improves the user experience. In addition, if the terminal 102 switches among nodes in the node set, for example, after the terminal 102 switches from node 103 to node 105, the terminal 102 can still authenticate with the node 105 based on the signature information without needing to obtain the signature information again, which simplifies Certification process.
本申请上文中提到的各个实施例之间在方案不矛盾的情况下,均可以进行结合,不作限制。The various embodiments mentioned above in this application can be combined without any limitation, as long as the solutions are not inconsistent.
可以理解的,以上各个实施例中,由第一节点实现的方法和/或步骤,也可以由可用于第一节点的部件(例如芯片或者电路)实现;由终端实现的方法和/或步骤,也可以由可用于终端的部件(例如芯片或者电路)实现。It can be understood that in the above embodiments, the methods and/or steps implemented by the first node can also be implemented by components (such as chips or circuits) available for the first node; the methods and/or steps implemented by the terminal, It can also be implemented by components (such as chips or circuits) that can be used in terminals.
上述主要从各个网元之间交互的角度对本申请实施例提供的方案进行了介绍。相应的,本申请实施例还提供了通信装置,该通信装置可以为上述方法实施例中的第一节点,或者包含上述第一节点的装置,或者为可用于第一节点的部件;或者,该通信装置可以为上述方法实施例中的终端,或者包含上述终端的装置,或者为可用于终端的部件。可以理解的是,上述第一节点或者终端等为了实现上述功能,其包含了执行各个功能相应的硬件结构和/或软件模块。本领域技术人员应该很容易意识到,结合本文中所公开的实施例描述的各示例的单元及算法操作,本申请能够以硬件或硬件和计算机软件的结合形式来实现。某个功能究竟以硬件还是计算机软件驱动硬件的方式来执行,取决于技术方案的特定应用和设计约束条件。专业技术人员可以对每个特定的应用来使用不同方法来实现所描述的功能,但是这种实现不应认为超出本申请的范围。The above mainly introduces the solution provided by the embodiment of the present application from the perspective of interaction between various network elements. Correspondingly, embodiments of the present application also provide a communication device, which may be the first node in the above method embodiment, or a device including the above first node, or a component usable for the first node; or, the communication device The communication device may be the terminal in the above method embodiment, or a device including the above terminal, or a component that can be used in the terminal. It can be understood that, in order to implement the above functions, the above-mentioned first node or terminal includes hardware structures and/or software modules corresponding to each function. Persons skilled in the art should easily realize that, with the units and algorithm operations of each example described in conjunction with the embodiments disclosed herein, the present application can be implemented in the form of hardware or a combination of hardware and computer software. Whether a function is performed by hardware or computer software driving the hardware depends on the specific application and design constraints of the technical solution. Skilled artisans may implement the described functionality using different methods for each specific application, but such implementations should not be considered beyond the scope of this application.
本申请实施例可以根据上述方法示例对第一节点或终端进行功能模块的划分,例如,可以对应各个功能划分各个功能模块,也可以将两个或两个以上的功能集成在一个处理模块中。上述集成的模块既可以采用硬件的形式实现,也可以采用软件功能模块的形式实现。可以理解的是,本申请实施例中对模块的划分是示意性的,仅仅为一种逻辑功能划分,实际实现时可以有另外的划分方式。Embodiments of the present application can divide the first node or terminal into functional modules according to the above method examples. For example, each functional module can be divided corresponding to each function, or two or more functions can be integrated into one processing module. The above integrated modules can be implemented in the form of hardware or software function modules. It can be understood that the division of modules in the embodiment of the present application is schematic and is only a logical function division. In actual implementation, there may be other division methods.
比如,以采用集成的方式划分各个功能模块的情况下,图6示出了一种通信装置60的结构示意图。通信装置60包括处理模块601。可选的,该通信装置60还包括收发模块602。处理模块601,也可以称为处理单元用于执行除了收发操作之外的操作,例如可以是处理电路或者处理器等。收发模块602,也可以称为收发单元用于执行收发操作,例如可以是收发电路,收发机,收发器或者通信接口等。For example, when each functional module is divided into integrated modules, FIG. 6 shows a schematic structural diagram of a communication device 60 . The communication device 60 includes a processing module 601. Optionally, the communication device 60 also includes a transceiver module 602. The processing module 601, which may also be called a processing unit, is used to perform operations other than sending and receiving operations, and may be, for example, a processing circuit or a processor. The transceiver module 602, which may also be called a transceiver unit, is used to perform transceiver operations, and may be, for example, a transceiver circuit, transceiver, transceiver, or communication interface.
在一些实施例中,该通信装置60还可以包括存储模块(图6中未示出),用于存储程序指令和数据。In some embodiments, the communication device 60 may also include a storage module (not shown in FIG. 6) for storing program instructions and data.
示例性地,通信装置60用于实现第一节点的功能。通信装置60例如为图3所示的实施例,图4所示的实施例或图5所示的实施例所述的第一节点。Illustratively, the communication device 60 is used to implement the function of the first node. The communication device 60 is, for example, the first node described in the embodiment shown in FIG. 3 , the embodiment shown in FIG. 4 or the embodiment shown in FIG. 5 .
其中,处理模块601,用于获取通信装置60的私钥分片和终端的密钥信息。例如,处理模块601可以用于执行S301。Among them, the processing module 601 is used to obtain the private key fragments of the communication device 60 and the key information of the terminal. For example, the processing module 601 may be used to perform S301.
处理模块601,还用于根据该通信装置60的私钥分片对该终端的密钥信息进行签名,得到该通信装置60的签名分片。该通信装置60的签名分片用于确定签名信息,该签名信息用于该终端与该通信装置60之间进行认证。例如,处理模块601还可以用于执行S302。The processing module 601 is also configured to sign the key information of the terminal according to the private key fragment of the communication device 60 to obtain the signature fragment of the communication device 60 . The signature fragment of the communication device 60 is used to determine signature information, and the signature information is used for authentication between the terminal and the communication device 60 . For example, the processing module 601 can also be used to perform S302.
在一种可能的实现方式中,处理模块601,还用于获取N个签名分片,该N个签名分片对应Q个节点,该N个签名分片中的任意一个签名分片是用该签名分片对应的节点的私钥分片对该终端的密钥信息进行签名得到的,N和Q为自然数,Q小于或等于N;该通信装置60的签名分片和该N个签名分片共同用于确定该签名信息。In a possible implementation, the processing module 601 is also used to obtain N signature fragments, which correspond to Q nodes, and any signature fragment among the N signature fragments is generated using the The private key fragment of the node corresponding to the signature fragment is obtained by signing the key information of the terminal. N and Q are natural numbers, and Q is less than or equal to N; the signature fragment of the communication device 60 and the N signature fragments are used together to determine the signature information.
在一种可能的实现方式中,该签名信息还用于该终端与该Q个节点之间进行认证。In a possible implementation, the signature information is also used for authentication between the terminal and the Q nodes.
在一种可能的实现方式中,处理模块601,具体用于通过收发模块602接收来自该Q个节点的该N个签名分片。In a possible implementation, the processing module 601 is specifically configured to receive the N signature fragments from the Q nodes through the transceiver module 602.
在一种可能的实现方式中,收发模块602,还用于向M个节点发送第一信息,该第一信息包括该终端的密钥信息,该M个节点包括该Q个节点,M为大于或等于Q的自然数。In a possible implementation, the transceiver module 602 is also configured to send first information, where the first information includes the key information of the terminal, to M nodes, which include the Q nodes, and M is greater than Or a natural number equal to Q.
在一种可能的实现方式中,收发模块602,还用于向该M个节点发送以下至少一种信息:通信装置60对该终端的签约信息的验证结果或该通信装置60的签名分片。In a possible implementation, the transceiver module 602 is also configured to send at least one of the following information to the M nodes: the verification result of the terminal's subscription information by the communication device 60 or the signature fragment of the communication device 60 .
在一种可能的实现方式中,该N个签名分片存储在区块链节点中。In a possible implementation, the N signature shards are stored in the blockchain node.
在一种可能的实现方式中,收发模块602,还用于向该区块链节点发送该终端的密钥信息和该通信装置60的签名分片。In a possible implementation, the transceiver module 602 is also used to send the terminal's key information and the signature fragment of the communication device 60 to the blockchain node.
在一种可能的实现方式中,收发模块602,还用于向该终端发送第三信息,该第三信息包括该签名信息。In a possible implementation, the transceiving module 602 is also configured to send third information to the terminal, where the third information includes the signature information.
在一种可能的实现方式中,收发模块602,还用于向终端发送该签名信息对应的区块链交易的标识。In a possible implementation, the transceiver module 602 is also configured to send the identifier of the blockchain transaction corresponding to the signature information to the terminal.
在一种可能的实现方式中,处理模块601,还用于通过该收发模块602接收来自第三方节点的该通信装置60的私钥分片。In a possible implementation, the processing module 601 is also configured to receive the private key fragment of the communication device 60 from a third-party node through the transceiver module 602.
在一种可能的实现方式中,收发模块602,还用于接收来自该终端的第一请求,该第一请求包括该签名信息和第一随机数;处理模块601,还用于根据该第一请求与该终端进行认证。In a possible implementation, the transceiver module 602 is also configured to receive a first request from the terminal, where the first request includes the signature information and a first random number; the processing module 601 is also configured to receive a request based on the first request. Requests authentication with this terminal.
在一种可能的实现方式中,通信装置60包括在节点集合中,处理模块601,还用于获取该节点集合的公钥;处理模块601,具体用于通过收发模块602向该终端发送第一消息,该第一消息包括该通信装置60的证书、第一认证信息和第二随机数,该第一认证信息是根据该通信装置60的私钥和该第一随机数得到的;处理模块601,还具体用于通过收发模块602接收来自该终端的第二消息,该第二消息包括第二认证信息,该第二认证信息是根据该终端的私钥和该第二随机数得到的;处理模块601,还具体用于根据该节点集合的公钥和该签名信息,得到该终端的密钥信息;处理模块601,还具体用于根据该终端的密钥信息认证该第二认证信息。In a possible implementation, the communication device 60 is included in the node set, and the processing module 601 is also used to obtain the public key of the node set; the processing module 601 is specifically used to send the first message to the terminal through the transceiver module 602. message, the first message includes the certificate of the communication device 60, first authentication information and a second random number, the first authentication information is obtained according to the private key of the communication device 60 and the first random number; processing module 601 , and is also specifically used to receive a second message from the terminal through the transceiver module 602. The second message includes second authentication information. The second authentication information is obtained according to the private key of the terminal and the second random number; processing Module 601 is also specifically configured to obtain the key information of the terminal based on the public key of the node set and the signature information; the processing module 601 is also specifically configured to authenticate the second authentication information based on the key information of the terminal.
在一种可能的实现方式中,收发模块602,还用于向区块链节点发送第三消息, 该第三消息用于查询该签名信息;收发模块602,还用于接收来自该区块链节点的第四消息,该第四消息包括该签名信息。In a possible implementation, the transceiver module 602 is also used to send a third message to the blockchain node, where the third message is used to query the signature information; the transceiver module 602 is also used to receive messages from the blockchain node. The fourth message of the node includes the signature information.
当用于实现第一节点的功能时,关于通信装置60所能实现的其他功能,可参考图3所示的实施例,图4所示的方法实施例或图5所示的实施例的相关介绍,不多赘述。When used to implement the function of the first node, regarding other functions that the communication device 60 can implement, reference may be made to the embodiment shown in FIG. 3 , the method embodiment shown in FIG. 4 or the related information of the embodiment shown in FIG. 5 Introduction without going into details.
在一个简单的实施例中,本领域的技术人员可以想到通信装置60可以采用图2所示的形式。比如,图2中的处理器201可以通过调用存储器203中存储的计算机执行指令,使得通信装置60执行上述方法实施例中所述的方法。In a simple embodiment, those skilled in the art can imagine that the communication device 60 can take the form shown in FIG. 2 . For example, the processor 201 in Figure 2 can cause the communication device 60 to execute the method described in the above method embodiment by calling the computer execution instructions stored in the memory 203.
示例性的,图6中的处理模块601和收发模块602的功能/实现过程可以通过图2中的处理器201调用存储器203中存储的计算机执行指令来实现。或者,图6中的处理模块601的功能/实现过程可以通过图2中的处理器201调用存储器203中存储的计算机执行指令来实现,图6中的收发模块602的功能/实现过程可以通过图2中的通信接口204来实现。For example, the functions/implementation processes of the processing module 601 and the transceiver module 602 in Figure 6 can be implemented by the processor 201 in Figure 2 calling computer execution instructions stored in the memory 203. Alternatively, the function/implementation process of the processing module 601 in Figure 6 can be implemented by the processor 201 in Figure 2 calling the computer execution instructions stored in the memory 203. The function/implementation process of the transceiver module 602 in Figure 6 can be implemented by Figure 6 It is implemented by the communication interface 204 in 2.
比如,以采用集成的方式划分各个功能模块的情况下,图7示出了一种通信装置70的结构示意图。通信装置70包括收发模块701。可选的,该通信装置70还包括处理模块702。收发模块701,也可以称为收发单元用于执行收发操作,例如可以是收发电路,收发机,收发器或者通信接口等。处理模块702,也可以称为处理单元用于执行除了收发操作之外的操作,例如可以是处理电路或者处理器等。For example, when each functional module is divided in an integrated manner, FIG. 7 shows a schematic structural diagram of a communication device 70 . The communication device 70 includes a transceiver module 701. Optionally, the communication device 70 also includes a processing module 702. The transceiver module 701, which may also be called a transceiver unit, is used to perform transceiver operations. For example, it may be a transceiver circuit, a transceiver, a transceiver or a communication interface. The processing module 702, which may also be called a processing unit, is used to perform operations other than sending and receiving operations, and may be, for example, a processing circuit or a processor.
在一些实施例中,该通信装置70还可以包括存储模块(图7中未示出),用于存储程序指令和数据。In some embodiments, the communication device 70 may also include a storage module (not shown in Figure 7) for storing program instructions and data.
示例性地,通信装置70用于实现终端的功能。通信装置70例如为图4所示的实施例或图5所示的实施例所述的终端。Illustratively, the communication device 70 is used to implement the functions of the terminal. The communication device 70 is, for example, the terminal described in the embodiment shown in FIG. 4 or the embodiment shown in FIG. 5 .
其中,收发模块701,用于向第一节点发送通信装置70的密钥信息。Among them, the transceiver module 701 is used to send the key information of the communication device 70 to the first node.
收发模块701,还用于接收来自第一节点的第三信息。其中,该第三信息包括签名信息,该签名信息用于该通信装置70与该第一节点之间进行认证,该签名信息是根据N个签名分片和该第一节点的签名分片得到的,该第一节点的签名分片是用该第一节点的私钥分片对该通信装置70的密钥信息进行签名得到的,该N个签名分片对应Q个节点,该N个签名分片中的任意一个签名分片是用该签名分片对应的节点的私钥分片对通信装置70的密钥信息进行签名得到的,N和Q为自然数,Q小于或等于N。The transceiver module 701 is also used to receive the third information from the first node. The third information includes signature information. The signature information is used for authentication between the communication device 70 and the first node. The signature information is obtained based on N signature fragments and the signature fragment of the first node. , the signature fragment of the first node is obtained by signing the key information of the communication device 70 with the private key fragment of the first node, the N signature fragments correspond to Q nodes, and the N signature fragments Any signature fragment in the slice is obtained by signing the key information of the communication device 70 with the private key fragment of the node corresponding to the signature fragment. N and Q are natural numbers, and Q is less than or equal to N.
在一种可能的实现方式中,收发模块701,还用于接收来自第一节点的该签名信息对应的区块链交易的标识。In a possible implementation, the transceiving module 701 is also configured to receive the identification of the blockchain transaction corresponding to the signature information from the first node.
在一种可能的实现方式中,该第一节点和该Q个节点包括在节点集合中。处理模块702,用于根据预设策略确定该节点集合,该预设策略包括以下至少一项:该通信装置70对应的用户的选择、该节点集合中节点的入网需求、该节点集合中节点所在网络的组网规模或该节点集合中节点所在网络的安全等级。In a possible implementation, the first node and the Q nodes are included in a node set. The processing module 702 is configured to determine the node set according to a preset strategy. The preset strategy includes at least one of the following: the user's selection corresponding to the communication device 70, the network access requirements of the nodes in the node set, and the location of the nodes in the node set. The networking scale of the network or the security level of the network where the nodes in the node set are located.
在一种可能的实现方式中,收发模块701,还用于向该第一节点发送第一请求,该第一请求包括该签名信息和第一随机数;处理模块702,还用于根据该第一请求与该第一节点进行认证。In a possible implementation, the transceiver module 701 is also configured to send a first request to the first node, where the first request includes the signature information and the first random number; the processing module 702 is also configured to send a first request to the first node according to the first random number. A request is made for authentication with the first node.
在一种可能的实现方式中,处理模块702,具体用于通过收发模块701接收来自该第一节点的第一消息,该第一消息包括该第一节点的证书、第一认证信息和第二随 机数,该第一认证信息是根据该第一节点的私钥和该第一随机数得到的;处理模块702,还具体用于通过收发模块701在该第一认证信息认证成功的情况下,向该第一节点发送第二消息,该第二消息包括第二认证信息,该第二认证信息是根据该通信装置70的私钥和该第二随机数得到的。In a possible implementation, the processing module 702 is specifically configured to receive a first message from the first node through the transceiver module 701. The first message includes the certificate of the first node, the first authentication information and the second Random number, the first authentication information is obtained based on the private key of the first node and the first random number; the processing module 702 is also specifically configured to use the transceiver module 701 when the first authentication information is authenticated successfully, A second message is sent to the first node. The second message includes second authentication information. The second authentication information is obtained according to the private key of the communication device 70 and the second random number.
当用于实现终端的功能时,关于通信装置70所能实现的其他功能,可参考图4所示的方法实施例或图5所示的实施例的相关介绍,不多赘述。When used to implement terminal functions, regarding other functions that the communication device 70 can implement, reference may be made to the method embodiment shown in FIG. 4 or the relevant introduction to the embodiment shown in FIG. 5 , and will not be described again.
在一个简单的实施例中,本领域的技术人员可以想到通信装置70可以采用图2所示的形式。比如,图2中的处理器201可以通过调用存储器203中存储的计算机执行指令,使得通信装置70执行上述方法实施例中所述的方法。In a simple embodiment, those skilled in the art can imagine that the communication device 70 may take the form shown in FIG. 2 . For example, the processor 201 in Figure 2 can cause the communication device 70 to execute the method described in the above method embodiment by calling the computer execution instructions stored in the memory 203.
示例性的,图7中的收发模块701和处理模块702的功能/实现过程可以通过图2中的处理器201调用存储器203中存储的计算机执行指令来实现。或者,图7中的处理模块702的功能/实现过程可以通过图2中的处理器201调用存储器203中存储的计算机执行指令来实现,图7中的收发模块701的功能/实现过程可以通过图2中的通信接口204来实现。For example, the functions/implementation processes of the transceiver module 701 and the processing module 702 in Figure 7 can be implemented by the processor 201 in Figure 2 calling computer execution instructions stored in the memory 203. Alternatively, the function/implementation process of the processing module 702 in Figure 7 can be implemented by the processor 201 in Figure 2 calling the computer execution instructions stored in the memory 203. The function/implementation process of the transceiver module 701 in Figure 7 can be implemented by Figure 7 It is implemented by the communication interface 204 in 2.
可以理解的是,以上模块或单元的一个或多个可以软件、硬件或二者结合来实现。当以上任一模块或单元以软件实现的时候,所述软件以计算机程序指令的方式存在,并被存储在存储器中,处理器可以用于执行所述程序指令并实现以上方法流程。该处理器可以内置于SoC(片上系统)或ASIC,也可是一个独立的半导体芯片。该处理器内处理用于执行软件指令以进行运算或处理的核外,还可进一步包括必要的硬件加速器,如现场可编程门阵列(field programmable gate array,FPGA)、PLD(可编程逻辑器件)、或者实现专用逻辑运算的逻辑电路。It can be understood that one or more of the above modules or units can be implemented in software, hardware, or a combination of both. When any of the above modules or units is implemented in software, the software exists in the form of computer program instructions and is stored in the memory. The processor can be used to execute the program instructions and implement the above method flow. The processor can be built into an SoC (System on a Chip) or ASIC, or it can be an independent semiconductor chip. In addition to the core used to execute software instructions for calculation or processing, the processor can further include necessary hardware accelerators, such as field programmable gate array (FPGA), PLD (programmable logic device) , or a logic circuit that implements dedicated logic operations.
当以上模块或单元以硬件实现的时候,该硬件可以是CPU、微处理器、数字信号处理(digital signal processing,DSP)芯片、微控制单元(microcontroller unit,MCU)、人工智能处理器、ASIC、SoC、FPGA、PLD、专用数字电路、硬件加速器或非集成的分立器件中的任一个或任一组合,其可以运行必要的软件或不依赖于软件以执行以上方法流程。When the above modules or units are implemented in hardware, the hardware can be a CPU, a microprocessor, a digital signal processing (DSP) chip, a microcontroller unit (MCU), an artificial intelligence processor, an ASIC, Any one or any combination of SoC, FPGA, PLD, dedicated digital circuits, hardware accelerators or non-integrated discrete devices, which can run the necessary software or not rely on software to perform the above method flow.
可选的,本申请实施例还提供了一种芯片系统,包括:至少一个处理器和接口,该至少一个处理器通过接口与存储器耦合,当该至少一个处理器执行存储器中的计算机程序或指令时,使得上述任一方法实施例中的方法被执行。在一种可能的实现方式中,该芯片系统还包括存储器。可选的,该芯片系统可以由芯片构成,也可以包含芯片和其他分立器件,本申请实施例对此不作具体限定。Optionally, embodiments of the present application also provide a chip system, including: at least one processor and an interface. The at least one processor is coupled to the memory through the interface. When the at least one processor executes the computer program or instructions in the memory When, the method in any of the above method embodiments is executed. In a possible implementation, the chip system further includes a memory. Optionally, the chip system may be composed of chips, or may include chips and other discrete devices, which is not specifically limited in the embodiments of the present application.
可选的,本申请实施例还提供了一种计算机可读存储介质。上述方法实施例中的全部或者部分流程可以由计算机程序来指令相关的硬件完成,该程序可存储于上述计算机可读存储介质中,该程序在执行时,可包括如上述各方法实施例的流程。计算机可读存储介质可以是前述任一实施例的通信装置的内部存储单元,例如通信装置的硬盘或内存。上述计算机可读存储介质也可以是上述通信装置的外部存储设备,例如上述通信装置上配备的插接式硬盘,智能存储卡(smart media card,SMC),安全数字(secure digital,SD)卡,闪存卡(flash card)等。进一步地,上述计算机可读存储介质还可以既包括上述通信装置的内部存储单元也包括外部存储设备。上述计算机可 读存储介质用于存储上述计算机程序以及上述通信装置所需的其他程序和数据。上述计算机可读存储介质还可以用于暂时地存储已经输出或者将要输出的数据。Optionally, embodiments of the present application also provide a computer-readable storage medium. All or part of the processes in the above method embodiments can be completed by instructing relevant hardware through a computer program. The program can be stored in the above computer-readable storage medium. When executed, the program can include the processes of the above method embodiments. . The computer-readable storage medium may be an internal storage unit of the communication device of any of the aforementioned embodiments, such as a hard disk or memory of the communication device. The above-mentioned computer-readable storage medium may also be an external storage device of the above-mentioned communication device, such as a plug-in hard disk, a smart media card (SMC), a secure digital (SD) card equipped on the above-mentioned communication device, Flash card, etc. Furthermore, the computer-readable storage medium may also include both an internal storage unit of the communication device and an external storage device. The above-mentioned computer-readable storage medium is used to store the above-mentioned computer program and other programs and data required by the above-mentioned communication device. The above-mentioned computer-readable storage media can also be used to temporarily store data that has been output or is to be output.
可选的,本申请实施例还提供了一种计算机程序产品。上述方法实施例中的全部或者部分流程可以由计算机程序来指令相关的硬件完成,该程序可存储于上述计算机程序产品中,该程序在执行时,可包括如上述各方法实施例的流程。Optionally, the embodiment of the present application also provides a computer program product. All or part of the processes in the above method embodiments can be completed by instructing relevant hardware through a computer program. The program can be stored in the above computer program product. When executed, the program can include the processes of the above method embodiments.
可选的,本申请实施例还提供了一种计算机指令。上述方法实施例中的全部或者部分流程可以由计算机指令来指令相关的硬件(如计算机、处理器、接入网设备、移动性管理网元或会话管理网元等)完成。该程序可被存储于上述计算机可读存储介质中或上述计算机程序产品中。Optionally, the embodiment of the present application also provides a computer instruction. All or part of the processes in the above method embodiments can be completed by computer instructions to instruct related hardware (such as computers, processors, access network equipment, mobility management network elements or session management network elements, etc.). The program may be stored in the above-mentioned computer-readable storage medium or in the above-mentioned computer program product.
可选的,本申请实施例还提供了一种通信系统,包括:上述实施例中的第一节点和终端。Optionally, this embodiment of the present application also provides a communication system, including: the first node and the terminal in the above embodiment.
通过以上的实施方式的描述,所属领域的技术人员可以清楚地了解到,为描述的方便和简洁,仅以上述各功能模块的划分进行举例说明,实际应用中,可以根据需要而将上述功能分配由不同的功能模块完成,即将装置的内部结构划分成不同的功能模块,以完成以上描述的全部或者部分功能。Through the above description of the embodiments, those skilled in the art can clearly understand that for the convenience and simplicity of description, only the division of the above functional modules is used as an example. In actual applications, the above functions can be allocated as needed. It is completed by different functional modules, that is, the internal structure of the device is divided into different functional modules to complete all or part of the functions described above.
在本申请所提供的几个实施例中,应该理解到,所揭露的装置和方法,可以通过其它的方式实现。例如,以上所描述的装置实施例仅仅是示意性的,例如,所述模块或单元的划分,仅仅为一种逻辑功能划分,实际实现时可以有另外的划分方式,例如多个单元或组件可以结合或者可以集成到另一个装置,或一些特征可以忽略,或不执行。另一点,所显示或讨论的相互之间的耦合或直接耦合或通信连接可以是通过一些接口,装置或单元的间接耦合或通信连接,可以是电性,机械或其它的形式。In the several embodiments provided in this application, it should be understood that the disclosed devices and methods can be implemented in other ways. For example, the device embodiments described above are only illustrative. For example, the division of modules or units is only a logical function division. In actual implementation, there may be other division methods, for example, multiple units or components may be The combination can either be integrated into another device, or some features can be omitted, or not implemented. On the other hand, the coupling or direct coupling or communication connection between each other shown or discussed may be through some interfaces, and the indirect coupling or communication connection of the devices or units may be in electrical, mechanical or other forms.
所述作为分离部件说明的单元可以是或者也可以不是物理上分开的,作为单元显示的部件可以是一个物理单元或多个物理单元,即可以位于一个地方,或者也可以分布到多个不同地方。可以根据实际的需要选择其中的部分或者全部单元来实现本实施例方案的目的。The units described as separate components may or may not be physically separated. The components shown as units may be one physical unit or multiple physical units, that is, they may be located in one place, or they may be distributed to multiple different places. . Some or all of the units can be selected according to actual needs to achieve the purpose of the solution of this embodiment.
另外,在本申请各个实施例中的各功能单元可以集成在一个处理单元中,也可以是各个单元单独物理存在,也可以两个或两个以上单元集成在一个单元中。上述集成的单元既可以采用硬件的形式实现,也可以采用软件功能单元的形式实现。In addition, each functional unit in each embodiment of the present application can be integrated into one processing unit, each unit can exist physically alone, or two or more units can be integrated into one unit. The above integrated units can be implemented in the form of hardware or software functional units.
以上所述,仅为本申请的具体实施方式,但本申请的保护范围并不局限于此,任何在本申请揭露的技术范围内的变化或替换,都应涵盖在本申请的保护范围之内。因此,本申请的保护范围应以所述权利要求的保护范围为准。The above are only specific embodiments of the present application, but the protection scope of the present application is not limited thereto. Any changes or substitutions within the technical scope disclosed in the present application shall be covered by the protection scope of the present application. . Therefore, the protection scope of this application should be subject to the protection scope of the claims.

Claims (24)

  1. 一种获取签名信息的方法,其特征在于,应用于第一节点,所述方法包括:A method for obtaining signature information, characterized in that, applied to the first node, the method includes:
    获取第一节点的私钥分片和终端的密钥信息;Obtain the private key fragment of the first node and the key information of the terminal;
    根据所述第一节点的私钥分片对所述终端的密钥信息进行签名,得到所述第一节点的签名分片,所述第一节点的签名分片用于确定签名信息,所述签名信息用于所述终端与所述第一节点之间进行认证。Sign the key information of the terminal according to the private key fragment of the first node to obtain the signature fragment of the first node. The signature fragment of the first node is used to determine the signature information. The signature information is used for authentication between the terminal and the first node.
  2. 根据权利要求1所述的方法,其特征在于,所述方法还包括:The method of claim 1, further comprising:
    获取N个签名分片,所述N个签名分片对应Q个节点,所述N个签名分片中的任意一个签名分片是用所述签名分片对应的节点的私钥分片对所述终端的密钥信息进行签名得到的,N和Q为自然数,Q小于或等于N;Obtain N signature fragments, the N signature fragments correspond to Q nodes, and any signature fragment among the N signature fragments is obtained by using the private key fragment pair of the node corresponding to the signature fragment. Obtained by signing the key information of the above terminal, N and Q are natural numbers, Q is less than or equal to N;
    所述第一节点的签名分片和所述N个签名分片共同用于确定所述签名信息。The signature fragment of the first node and the N signature fragments are jointly used to determine the signature information.
  3. 根据权利要求2所述的方法,其特征在于,所述签名信息还用于所述终端与所述Q个节点之间进行认证。The method according to claim 2, characterized in that the signature information is also used for authentication between the terminal and the Q nodes.
  4. 根据权利要求2或3所述的方法,其特征在于,所述获取N个签名分片,包括:The method according to claim 2 or 3, characterized in that said obtaining N signature fragments includes:
    接收来自所述Q个节点的所述N个签名分片。The N signed shards from the Q nodes are received.
  5. 根据权利要求2-4中任一项所述的方法,其特征在于,The method according to any one of claims 2-4, characterized in that,
    在所述获取N个签名分片之前,所述方法还包括:Before obtaining N signature fragments, the method further includes:
    向M个节点发送第一信息,所述第一信息包括所述终端的密钥信息,所述M个节点包括所述Q个节点,M为大于或等于Q的自然数。Send first information to M nodes, where the first information includes key information of the terminal, where the M nodes include the Q nodes, and M is a natural number greater than or equal to Q.
  6. 根据权利要求5所述的方法,其特征在于,所述方法还包括:The method of claim 5, further comprising:
    向所述M个节点发送以下至少一种信息:所述第一节点对所述终端的签约信息的验证结果或所述第一节点的签名分片。Send at least one of the following information to the M nodes: a verification result of the first node on the subscription information of the terminal or a signature fragment of the first node.
  7. 根据权利要求2或3所述的方法,其特征在于,所述N个签名分片存储在区块链节点中。The method according to claim 2 or 3, characterized in that the N signature fragments are stored in a blockchain node.
  8. 根据权利要求7所述的方法,其特征在于,在获取所述N个签名分片之前,所述方法还包括:The method according to claim 7, characterized in that, before obtaining the N signature fragments, the method further includes:
    向所述区块链节点发送所述终端的密钥信息和所述第一节点的签名分片。Send the key information of the terminal and the signature fragment of the first node to the blockchain node.
  9. 根据权利要求1-8中任一项所述的方法,其特征在于,所述方法还包括:The method according to any one of claims 1-8, characterized in that the method further includes:
    向所述终端发送第三信息,所述第三信息包括所述签名信息。Send third information to the terminal, where the third information includes the signature information.
  10. 根据权利要求9所述的方法,其特征在于,若所述签名信息存储在区块链节点中,所述方法还包括:The method according to claim 9, characterized in that if the signature information is stored in a blockchain node, the method further includes:
    向终端发送所述签名信息对应的区块链交易的标识。Send the identifier of the blockchain transaction corresponding to the signature information to the terminal.
  11. 根据权利要求1-10中任一项所述的方法,其特征在于,所述获取第一节点的私钥分片,包括:The method according to any one of claims 1-10, characterized in that obtaining the private key fragment of the first node includes:
    接收来自第三方节点的所述第一节点的私钥分片。A private key shard of the first node is received from a third party node.
  12. 根据权利要求1-11中任一项所述的方法,其特征在于,所述方法还包括:The method according to any one of claims 1-11, characterized in that the method further includes:
    接收来自所述终端的第一请求,所述第一请求包括所述签名信息和第一随机数;Receive a first request from the terminal, the first request including the signature information and a first random number;
    根据所述第一请求与所述终端进行认证。Perform authentication with the terminal according to the first request.
  13. 根据权利要求12所述的方法,其特征在于,所述第一节点包括在节点集合中,所述方法还包括:The method of claim 12, wherein the first node is included in a node set, and the method further includes:
    获取所述节点集合的公钥;Obtain the public key of the node set;
    所述根据所述第一请求与所述终端进行认证,包括:The authentication with the terminal according to the first request includes:
    向所述终端发送第一消息,所述第一消息包括所述第一节点的证书、第一认证信息和第二随机数,所述第一认证信息是根据所述第一节点的私钥和所述第一随机数得到的;Send a first message to the terminal, the first message including the certificate of the first node, first authentication information and a second random number, the first authentication information is based on the private key of the first node and The first random number is obtained;
    接收来自所述终端的第二消息,所述第二消息包括第二认证信息,所述第二认证信息是根据所述终端的私钥和所述第二随机数得到的;Receive a second message from the terminal, the second message including second authentication information, the second authentication information being obtained based on the private key of the terminal and the second random number;
    根据所述节点集合的公钥和所述签名信息,得到所述终端的密钥信息;Obtain the key information of the terminal according to the public key of the node set and the signature information;
    根据所述终端的密钥信息认证所述第二认证信息。The second authentication information is authenticated according to the key information of the terminal.
  14. 根据权利要求12或13所述的方法,其特征在于,在所述接收来自所述终端的第一请求之后,所述方法还包括:The method according to claim 12 or 13, characterized in that, after receiving the first request from the terminal, the method further includes:
    向区块链节点发送第三消息,所述第三消息用于查询所述签名信息;Send a third message to the blockchain node, the third message being used to query the signature information;
    接收来自所述区块链节点的第四消息,所述第四消息包括所述签名信息。A fourth message is received from the blockchain node, the fourth message including the signature information.
  15. 一种获取签名信息的方法,其特征在于,应用于终端,所述方法包括:A method for obtaining signature information, characterized in that it is applied to a terminal, and the method includes:
    向第一节点发送所述终端的密钥信息;Send the key information of the terminal to the first node;
    接收来自所述第一节点的第三信息,所述第三信息包括签名信息,所述签名信息用于所述终端与所述第一节点之间进行认证,所述签名信息是根据N个签名分片和所述第一节点的签名分片得到的,所述第一节点的签名分片是用所述第一节点的私钥分片对所述终端的密钥信息进行签名得到的,所述N个签名分片对应Q个节点,所述N个签名分片中的任意一个签名分片是用所述签名分片对应的节点的私钥分片对所述终端的密钥信息进行签名得到的,N和Q为自然数,Q小于或等于N。Receive third information from the first node, the third information includes signature information, the signature information is used for authentication between the terminal and the first node, the signature information is based on N signatures fragments and the signature fragments of the first node. The signature fragments of the first node are obtained by signing the key information of the terminal with the private key fragments of the first node, so The N signature fragments correspond to Q nodes, and any one of the N signature fragments uses the private key fragment of the node corresponding to the signature fragment to sign the key information of the terminal. Obtained, N and Q are natural numbers, Q is less than or equal to N.
  16. 根据权利要求15所述的方法,其特征在于,所述方法还包括:The method of claim 15, further comprising:
    接收来自第一节点的所述签名信息对应的区块链交易的标识。Receive the identification of the blockchain transaction corresponding to the signature information from the first node.
  17. 根据权利要求15或16所述的方法,其特征在于,所述第一节点和所述Q个节点包括在节点集合中,所述方法还包括:The method according to claim 15 or 16, characterized in that the first node and the Q nodes are included in a node set, and the method further includes:
    根据预设策略确定所述节点集合,所述预设策略包括以下至少一项:所述终端对应的用户的选择、所述节点集合中节点的入网需求、所述节点集合中节点所在网络的组网规模或所述节点集合中节点所在网络的安全等级。The node set is determined according to a preset strategy. The preset strategy includes at least one of the following: the selection of the user corresponding to the terminal, the network access requirements of the nodes in the node set, and the group of the network where the nodes in the node set are located. The network size or the security level of the network where the nodes in the node set are located.
  18. 根据权利要求15-17中任一项所述的方法,其特征在于,所述方法还包括:The method according to any one of claims 15-17, characterized in that the method further includes:
    向所述第一节点发送第一请求,所述第一请求包括所述签名信息和第一随机数;Send a first request to the first node, where the first request includes the signature information and a first random number;
    根据所述第一请求与所述第一节点进行认证。Perform authentication with the first node according to the first request.
  19. 根据权利要求18所述的方法,其特征在于,所述根据所述第一请求与所述第一节点进行认证,包括:The method according to claim 18, wherein the authentication with the first node according to the first request includes:
    接收来自所述第一节点的第一消息,所述第一消息包括所述第一节点的证书、第一认证信息和第二随机数,所述第一认证信息是根据所述第一节点的私钥和所述第一随机数得到的;Receive a first message from the first node, the first message includes a certificate of the first node, first authentication information and a second random number, the first authentication information is based on the first node The private key and the first random number are obtained;
    在所述第一认证信息认证成功的情况下,向所述第一节点发送第二消息,所述第 二消息包括第二认证信息,所述第二认证信息是根据所述终端的私钥和所述第二随机数得到的。If the first authentication information is authenticated successfully, a second message is sent to the first node, where the second message includes second authentication information, and the second authentication information is based on the terminal's private key and The second random number is obtained.
  20. 一种通信装置,其特征在于,包括用于执行如权利要求1至14中任一项所述方法的单元或模块,或者用于执行如权利要求15至19中任一项所述方法的单元或模块。A communication device, characterized by comprising a unit or module for executing the method as claimed in any one of claims 1 to 14, or a unit for executing the method as claimed in any one of claims 15 to 19 or module.
  21. 一种通信装置,其特征在于,包括:处理器,所述处理器与存储器耦合,所述存储器用于存储程序或指令,当所述程序或指令被所述处理器执行时,使得所述装置执行如权利要求1至14中任一项所述的方法,或者执行如权利要求15至19中任一项所述的方法。A communication device, characterized in that it includes: a processor, the processor is coupled to a memory, the memory is used to store programs or instructions, and when the programs or instructions are executed by the processor, the device causes the device to Perform a method as claimed in any one of claims 1 to 14, or perform a method as described in any one of claims 15 to 19.
  22. 一种芯片,其特征在于,包括:处理器,所述处理器与存储器耦合,所述存储器用于存储程序或指令,当所述程序或指令被所述处理器执行时,使得所述芯片执行如权利要求1至14中任一项所述的方法或者如权利要求15至19中任一项所述的方法。A chip, characterized in that it includes: a processor, the processor is coupled to a memory, the memory is used to store programs or instructions, and when the programs or instructions are executed by the processor, the chip executes A method as claimed in any one of claims 1 to 14 or a method as claimed in any one of claims 15 to 19.
  23. 一种计算机可读存储介质,其上存储有计算机程序或指令,其特征在于,所述计算机程序或指令被执行时使得计算机执行如权利要求1至14中任一项所述的方法或者如权利要求15至19中任一项所述的方法。A computer-readable storage medium with computer programs or instructions stored thereon, characterized in that, when executed, the computer program or instructions cause the computer to perform the method as described in any one of claims 1 to 14 or as claimed in claim 1 The method of any one of claims 15 to 19.
  24. 一种计算机程序产品,所述计算机程序产品中包括计算机程序代码,其特征在于,当所述计算机程序代码在计算机上运行时,使得计算机实现权利要求1至14中任一项所述的方法或者实现权利要求15至19中任一项所述的方法。A computer program product, the computer program product includes computer program code, characterized in that when the computer program code is run on a computer, it causes the computer to implement the method described in any one of claims 1 to 14 or The method of any one of claims 15 to 19 is implemented.
PCT/CN2022/113778 2022-08-19 2022-08-19 Method and apparatus for acquiring signature information WO2024036644A1 (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
PCT/CN2022/113778 WO2024036644A1 (en) 2022-08-19 2022-08-19 Method and apparatus for acquiring signature information

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
PCT/CN2022/113778 WO2024036644A1 (en) 2022-08-19 2022-08-19 Method and apparatus for acquiring signature information

Publications (1)

Publication Number Publication Date
WO2024036644A1 true WO2024036644A1 (en) 2024-02-22

Family

ID=89940482

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2022/113778 WO2024036644A1 (en) 2022-08-19 2022-08-19 Method and apparatus for acquiring signature information

Country Status (1)

Country Link
WO (1) WO2024036644A1 (en)

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN112446782A (en) * 2020-11-26 2021-03-05 中电金融设备系统(深圳)有限公司 Method for downloading initial key, computer equipment and storage medium
US20210083882A1 (en) * 2019-09-16 2021-03-18 Cisco Technology, Inc. Distributed certificate authority
CN114189343A (en) * 2020-09-14 2022-03-15 华为技术有限公司 Mutual authentication method and device
CN114338028A (en) * 2020-09-28 2022-04-12 华为技术有限公司 Threshold signature method and device, electronic equipment and readable storage medium

Patent Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20210083882A1 (en) * 2019-09-16 2021-03-18 Cisco Technology, Inc. Distributed certificate authority
CN114189343A (en) * 2020-09-14 2022-03-15 华为技术有限公司 Mutual authentication method and device
CN114338028A (en) * 2020-09-28 2022-04-12 华为技术有限公司 Threshold signature method and device, electronic equipment and readable storage medium
CN112446782A (en) * 2020-11-26 2021-03-05 中电金融设备系统(深圳)有限公司 Method for downloading initial key, computer equipment and storage medium

Similar Documents

Publication Publication Date Title
US20200195445A1 (en) Registration method and apparatus based on service-based architecture
US20220278831A1 (en) Discovery Method and Apparatus Based on Service-Based Architecture
JP7443541B2 (en) Key acquisition method and device
US20110320802A1 (en) Authentication method, key distribution method and authentication and key distribution method
CN108012267A (en) A kind of method for network authorization, relevant device and system
WO2017160394A1 (en) System, apparatus and method for key provisioning delegation
WO2021047276A1 (en) Key generation method and device
WO2022028259A1 (en) User subscription data obtaining method and apparatus
WO2022001951A1 (en) Communication method and communication apparatus
CN110572268B (en) Anonymous authentication method and device
JP2023106509A (en) Information processing method, information processing program, information processing device, and information processing system
WO2024036644A1 (en) Method and apparatus for acquiring signature information
CN114205072A (en) Authentication method, device and system
WO2021237753A1 (en) Communication method and apparatus
WO2024036645A1 (en) Method and apparatus for obtaining key
CN114640992A (en) Method and device for updating user identity
CN108513289A (en) A kind of processing method of terminal iidentification, device and relevant device
CN108462681A (en) A kind of communication means of heterogeneous network, equipment and system
WO2024000428A1 (en) Security implementation method and apparatus, system, communication device, chip, and storage medium
JP7289111B2 (en) Communication device, authentication method and computer program
CN109963280A (en) Mutual authentication method, device and system, computer readable storage medium
US11343675B2 (en) Communication device authentication for multiple communication devices
WO2022217602A1 (en) Method for establishing device binding relationship, and device
CN109151816B (en) Network authentication method and system
CN117527260A (en) Multi-factor identity authentication method, device and equipment based on chaos zero knowledge

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 22955424

Country of ref document: EP

Kind code of ref document: A1