
CN108737436B - Cross-domain server identity authentication method based on trust alliance blockchain - Google Patents


Info

Publication number: CN108737436B
Application number: CN201810548516.8A
Authority: CN (China)
Prior art keywords: domain, server, identity, certificate, authentication
Legal status: Active (as listed by Google Patents; the listed status is an assumption, not a legal conclusion)
Other languages: Chinese (zh)
Other versions: CN108737436A
Inventors: 马文平, 马晓婷
Current assignee: Xidian University (as listed; Google notes assignee data may be inaccurate)
Original assignee: Xidian University
Timeline: application filed by Xidian University with priority to CN201810548516.8A; published as CN108737436A; granted and published as CN108737436B; current legal status Active

Classifications

All entries fall under H (Electricity), H04 (Electric communication technique), H04L (Transmission of digital information, e.g. telegraphic communication):

    • H04L 9/0825 Key establishment by key transport or distribution using asymmetric-key encryption or public key infrastructure [PKI], e.g. key signature or public key certificates
    • H04L 9/0643 Hash functions, e.g. MD5, SHA, HMAC or f9 MAC
    • H04L 9/3247 Means for verifying the identity or authority of a user, or for message authentication, involving digital signatures
    • H04L 63/08 Network architectures or protocols for network security, for authentication of entities
    • H04L 63/0823 Authentication of entities using certificates
    • H04L 63/083 Authentication of entities using passwords
    • H04L 63/0869 Authentication of entities for achieving mutual authentication
    • H04L 67/56 Network services: provisioning of proxy services

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Power Engineering (AREA)
  • Mobile Radio Communication Systems (AREA)

Abstract

The invention discloses a cross-domain server identity authentication method based on a trust alliance blockchain. Its steps are: (1) build the trust alliance blockchain; (2) authenticate the identity of the server accessed by a user in the public key infrastructure (PKI) domain; (3) authenticate the identity of the server accessed by a user in the identity-based cryptography (IBC) domain; (4) set the validity period of the authentication credential; (5) re-authenticate the identity of the server accessed by a user in the PKI domain; (6) re-authenticate the identity of the server accessed by a user in the IBC domain. The invention builds a trust alliance blockchain and achieves inter-domain mutual authentication through mutual authentication between the nodes of that blockchain, and on that basis achieves cross-domain authentication of servers. This removes the maintenance burden of a bridge center system and lowers the computation and communication load on the user side, and the method is practical and scalable.

Description

Cross-domain server identity authentication method based on trust alliance blockchain

Technical field

The invention belongs to the technical field of network communication, and more specifically to a method in the field of network security for cross-domain authentication of server identity based on a trust alliance blockchain. The invention applies to authenticating the identity of the accessed server when a user in a certificate-based public key infrastructure (PKI) domain or in an identity-based cryptography (IBC) domain requests cross-domain access to a server.

Background art

Trust-domain authentication frameworks based on public keys mostly use certificate-based PKI or identity-based cryptography (IBC). When a user in an IBC domain accesses a server in a PKI domain, or a user in a PKI domain accesses a server in an IBC domain, the identity of the accessed server must be authenticated to ensure that it provides a secure service. Because PKI and IBC have different authentication structures, cross-domain identity authentication cannot be carried out directly between them.

Beijing Dimansen Technology Co., Ltd., in its patent application "An identification-based combined key cross-domain authentication method" (application number 201710647789.3, publication number CN 107395364A), proposed an identification-based combined-key cross-domain authentication method. The method sets up an additional Identity Key Infrastructure (IKI) system outside the individual IKI systems, called the bridge IKI. Each IKI system and the bridge IKI issue matrix identifiers to each other, and a system user achieves cross-domain authentication by exchanging its user identifier together with the matrix identifiers mutually issued between its own system and the bridge IKI. This interactive authentication rests on the trustworthiness of the bridge IKI system, so the bridge's trust must be maintained; and because the home-system matrix identifier and the bridge IKI matrix identifier are exchanged at authentication time, both must be stored. The shortcomings of the method are: first, the identity of the bridge IKI system needs trust maintenance, which increases the maintenance burden; second, as the number of IKI systems grows, the storage burden of the bridge IKI grows, and if several bridge IKI systems are deployed, the storage burden on users grows.

Southwest Jiaotong University, in its patent applications "Authenticated key agreement method for a user in an IBC domain to access resources in a PKI domain" (application number 201710081516.7, publication number CN 106789042 A) and "Authenticated key agreement method for a user in a PKI domain to access resources in an IBC domain" (application number 201710082835.X, publication number CN106877996A), disclosed identity authentication and key agreement methods for cross-domain access between PKI and IBC domains. The system comprises users, resources, and the authentication servers of the IBC and PKI domains. In the method, the user first sends an authentication request to its home-domain authentication server, then jointly generates an access authorization ticket and a session key with the foreign-domain authentication server, and finally uses the generated ticket to request authentication at the resource; once the resource has verified that the user's identity is legitimate, it communicates securely with the user. The shortcoming of the method is that the user side performs four rounds of interaction in one authentication, each preceded by computations such as authorization ticket generation, session key derivation, signing and encryption, so the user side carries a large computation and communication load, which is unsuitable for resource-constrained lightweight mobile terminals.

Summary of the invention

The purpose of the invention is to address the above shortcomings of the prior art by proposing a cross-domain server authentication method based on a trust alliance blockchain, in which a PKI domain and an IBC domain, as peers, achieve cross-domain authentication of servers together with secure and efficient re-authentication.

The idea behind the invention is as follows: the certificate server of each PKI domain and the domain proxy server of each IBC domain act as the nodes that form a trust alliance blockchain; the certificates of all node servers in the trust alliance blockchain and the certificates of legitimate users in the PKI domains are stored in the blockchain, and inter-domain mutual authentication is achieved through mutual authentication between the nodes of this alliance trust model; the alliance trust model is used to authenticate server identity across domains, a successful authentication is written to the trust alliance blockchain as an authentication credential, and that credential is used for fast re-authentication.

The specific steps of the invention are as follows:

(1) Build the trust alliance blockchain:

(1a) According to the number of node servers that the blockchain's communication capacity can accommodate in the trust alliance, set the number of PKI domains and the number of IBC domains;

(1b) Take the certificate server of each PKI domain and the domain proxy server of each IBC domain as the node servers of the trust alliance blockchain;

(1c) The certificate server of the PKI domain issues a certificate to the domain proxy server of the IBC domain;

(1d) Choose a hash function according to the size of the certificate and compute the certificate's hash value;

(1e) Store the certificate's hash value in the body of the first block, giving the trust alliance blockchain;

(2) Authenticate the identity of the accessed server in the PKI domain (the requesting user is in the IBC domain):

(2a) The user in the IBC domain requesting access signs its identity ID with its own private key using the Chinese national identity-based cryptographic standard SM9 signature algorithm to produce a signed authentication request, and sends the signed request to the domain proxy server;

(2b) The domain proxy server of the IBC domain verifies whether the identity of the requesting user is legitimate; if so, go to step (2c), otherwise go to step (2f);

(2c) Determine whether the certificate server of the PKI domain and the domain proxy server of the IBC domain satisfy the mutual trust condition; if so, go to step (2d), otherwise go to step (2f);

(2d) Using the temporary identity issuance method, establish secure communication between the accessed server in the PKI domain and the accessing user;

(2e) The certificate server of the PKI domain stores the authentication credential by writing it into the trust alliance blockchain;

(2f) End authentication;

(3) Authenticate the identity of the accessed server in the IBC domain (the requesting user is in the PKI domain):

(3a) The user in the PKI domain requesting access sends an authentication request to the certificate server;

(3b) The certificate server of the PKI domain queries the status of the accessing user's certificate on the trust alliance blockchain; if the status is "declared", go to step (3c); if the status is "revoked", go to step (3f);

(3c) Determine whether the certificate server of the PKI domain and the domain proxy server of the IBC domain satisfy the mutual trust condition; if so, go to step (3d), otherwise go to step (3f);

(3d) Using the temporary certificate issuance method, establish secure communication between the accessed server in the IBC domain and the user requesting access;

(3e) The domain proxy server of the IBC domain stores the authentication credential by writing it into the trust alliance blockchain;

(3f) End authentication;

(4) Set the validity period of the authentication credential:

(4a) According to the security level of the accessed server in the PKI domain, give the authentication credential stored for it on the trust alliance blockchain the validity period that corresponds to that security level;

(4b) According to the security level of the accessed server in the IBC domain, give the authentication credential stored for it on the trust alliance blockchain the validity period that corresponds to that security level;

(5) Re-authenticate the identity of the accessed server in the PKI domain:

(5a) Another user in the IBC domain sends a signed identity request and an access request to the domain proxy server;

(5b) Determine whether the certificate server of the PKI domain and the domain proxy server of the IBC domain satisfy the mutual trust condition; if so, go to step (5c), otherwise go to step (5g);

(5c) The domain proxy server of the IBC domain generates the authentication credential from the identity ID of the accessed server in the PKI domain;

(5d) The domain proxy server of the IBC domain queries the authentication credential on the trust alliance blockchain; if the credential is found and is within its validity period, the access is allowed and step (5g) is executed, otherwise go to step (5e);

(5e) Using the temporary identity issuance method, establish secure communication between the accessed server in the PKI domain and the accessing user;

(5f) The certificate server of the PKI domain stores the authentication credential by writing it into the trust alliance blockchain;

(5g) End authentication;

(6) Re-authenticate the identity of the accessed server in the IBC domain:

(6a) Another user in the PKI domain sends an access request to the certificate server;

(6b) Determine whether the certificate server of the PKI domain and the domain proxy server of the IBC domain satisfy the mutual trust condition; if so, go to step (6c), otherwise go to step (6g);

(6c) The certificate server of the PKI domain generates the authentication credential from the identity ID of the accessed server in the IBC domain;

(6d) The certificate server of the PKI domain queries the authentication credential on the trust alliance blockchain; if the credential is found and is within its validity period, the access is allowed, otherwise go to step (6e);

(6e) Using the temporary certificate issuance method, establish secure communication between the accessed server in the IBC domain and the accessing user;

(6f) The domain proxy server of the IBC domain stores the authentication credential by writing it into the trust alliance blockchain;

(6g) End authentication.
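The six-step procedure above, and the detailed description of steps 1 to 3 that follows, in working form. This is an added illustration written for this page; it is not code from the patent or from Xidian University. Assumptions: a simple append-only hash chain stands in for the consortium blockchain; the SM9 signature check of step (2b) is an injected callback (the sample data uses a constructed lookup table, not SM9); the size-based choice of hash function in step (1d) and the security-level validity table of step (4) are invented; every identifier, certificate and server name is constructed sample data.

```python
"""Toy model of the trust alliance blockchain and authentication steps (1)-(6).
Added illustration, not the patent's code; assumptions are marked in comments."""
import hashlib
import json

GENESIS_PREV = "0" * 64
# Step (4): credential validity per server security level, in seconds (assumed values).
VALIDITY_SECONDS = {"high": 300, "medium": 3600, "low": 86400}


def digest(data: bytes) -> str:
    """Step (1d): hash chosen by input size. Assumed rule: SHA-256 up to 4 KiB, SHA-512 above."""
    algo = hashlib.sha256 if len(data) <= 4096 else hashlib.sha512
    return algo(data).hexdigest()


class TrustAllianceChain:
    """Append-only hash chain standing in for the consortium ledger; each block body is one record."""

    def __init__(self):
        self.blocks = []

    def append(self, record: dict) -> str:
        prev = self.blocks[-1]["hash"] if self.blocks else GENESIS_PREV
        body = json.dumps(record, sort_keys=True).encode()
        block = {"prev": prev, "body": record, "hash": digest(prev.encode() + body)}
        self.blocks.append(block)
        return block["hash"]

    def verify(self) -> bool:
        """Recompute every link so an edited body or a broken prev pointer is detected."""
        prev = GENESIS_PREV
        for block in self.blocks:
            body = json.dumps(block["body"], sort_keys=True).encode()
            if block["prev"] != prev or block["hash"] != digest(prev.encode() + body):
                return False
            prev = block["hash"]
        return True

    def latest(self, kind: str, **match):
        """Newest record of `kind` matching `match`; a later 'revoked' record shadows an older 'declared' one."""
        for block in reversed(self.blocks):
            rec = block["body"]
            if rec["kind"] == kind and all(rec.get(k) == v for k, v in match.items()):
                return rec
        return None


def build_chain(certs: dict) -> TrustAllianceChain:
    """Step (1): node certificates and PKI-domain user certificates go on chain as 'declared' (hash only)."""
    chain = TrustAllianceChain()
    for subject, cert in certs.items():
        chain.append({"kind": "cert", "subject": subject, "cert_hash": digest(cert), "status": "declared"})
    return chain


def revoke(chain: TrustAllianceChain, subject: str) -> None:
    """Revocation is appended as a newer record; old blocks are never edited."""
    chain.append({**chain.latest("cert", subject=subject), "status": "revoked"})


def mutual_trust(chain: TrustAllianceChain, pki_ca: str, ibc_proxy: str) -> bool:
    """Conditions 1 and 2: both nodes' certificates are on chain and still 'declared'."""
    a, b = chain.latest("cert", subject=pki_ca), chain.latest("cert", subject=ibc_proxy)
    return bool(a and b and a["status"] == "declared" and b["status"] == "declared")


def credential_key(server_id: str) -> str:
    """Steps (5c)/(6c): the credential is derived from the accessed server's ID; only its hash is stored."""
    return digest(("credential:" + server_id).encode())


def _cross_domain(chain, pki_ca, ibc_proxy, server_id, level, now, user_ref):
    """Shared tail of steps (2)/(3)/(5)/(6) once the requesting user has been checked."""
    if not mutual_trust(chain, pki_ca, ibc_proxy):  # (2c)/(3c)/(5b)/(6b): checked before any cached credential
        return ("denied", None)
    cred = chain.latest("credential", server=credential_key(server_id))
    if cred and cred["expires"] > now:  # (5d)/(6d): valid credential found, skip full authentication
        return ("reauth", None)
    temp_identity = digest(f"{server_id}|{user_ref}|{now}".encode())[:16]  # (2d)/(3d): temporary identity/certificate
    chain.append({"kind": "credential", "server": credential_key(server_id),
                  "expires": now + VALIDITY_SECONDS[level]})  # (2e)/(3e)/(5f)/(6f)
    return ("ok", temp_identity)


def authenticate_pki_server(chain, user_id, signature, verify_sig, pki_ca, ibc_proxy, server_id, level, now):
    """IBC-domain user accessing a PKI-domain server (steps 2 and 5). verify_sig stands in for SM9 verification."""
    if not verify_sig(user_id, signature):  # (2b)
        return ("denied", None)
    return _cross_domain(chain, pki_ca, ibc_proxy, server_id, level, now, user_id)


def authenticate_ibc_server(chain, user_cert, pki_ca, ibc_proxy, server_id, level, now):
    """PKI-domain user accessing an IBC-domain server (steps 3 and 6): user's certificate status is read from chain."""
    rec = chain.latest("cert", cert_hash=digest(user_cert))  # (3b)
    if rec is None or rec["status"] != "declared":
        return ("denied", None)
    return _cross_domain(chain, pki_ca, ibc_proxy, server_id, level, now, rec["subject"])


if __name__ == "__main__":
    # Constructed sample data: two node servers, one PKI user, one IBC user with a toy (non-SM9) signature.
    chain = build_chain({"pki-ca": b"cert:pki-ca", "ibc-proxy": b"cert:ibc-proxy", "alice": b"cert:alice"})
    verify = lambda uid, sig: {"bob@ibc": "toy-sig-bob"}.get(uid) == sig
    print(authenticate_pki_server(chain, "bob@ibc", "toy-sig-bob", verify, "pki-ca", "ibc-proxy", "srv.pki", "medium", 1000))
    print(authenticate_pki_server(chain, "bob@ibc", "toy-sig-bob", verify, "pki-ca", "ibc-proxy", "srv.pki", "medium", 2000))
    print("chain intact:", chain.verify())
```

Two ordering choices matter for security here. The mutual trust check runs before the credential lookup, so a cached credential for a server cannot be replayed once the IBC proxy's or PKI certificate server's certificate has been revoked on chain; and the requesting user's own check (signature or certificate status) runs before either, so a revoked PKI user gains nothing from a still-valid server credential. The chain stores only hashes of certificates and credentials, as the patent describes, so a verifier needs the original certificate bytes to look a user up, and revocation is an appended record rather than an edit, which `verify()` would otherwise flag.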

Compared with the prior art, the invention has the following advantages:

First, because the invention builds an alliance trust blockchain and achieves inter-domain mutual authentication through mutual trust between the nodes of that blockchain, it removes the increased maintenance burden that the prior art incurs from having to maintain trust in a bridge center system, so the invention is more practical and more scalable as a cross-domain server authentication method.

Second, because the invention stores the authentication credential of a user-accessed server and performs re-authentication by having a node server of the alliance trust blockchain look up that credential, it removes the increased computation and communication load on node servers that the prior art incurs when the same server is accessed repeatedly and authenticated afresh each time, so the invention is faster as a cross-domain server authentication method.

Third, because the invention builds an alliance trust blockchain and achieves inter-domain mutual authentication through mutual trust between its nodes, it removes the large computation and communication load that the prior art places on the accessing user by requiring inter-domain identity authentication of that user, so the invention is better suited to mainstream, resource-constrained mobile user terminals as a cross-domain server authentication method.

Description of drawings

Figure 1 is a flow chart of the invention.

Detailed description

The invention is described further below with reference to Figure 1.

Step 1: build the trust alliance blockchain.

According to the number of node servers that the blockchain's communication capacity can accommodate in the trust alliance, set the number of PKI domains and the number of IBC domains.

Take the certificate server of each PKI domain and the domain proxy server of each IBC domain as the node servers of the trust alliance blockchain.

The certificate server of the PKI domain issues a certificate to the domain proxy server of the IBC domain.

Choose a hash function according to the size of the certificate and compute the certificate's hash value.

Store the certificate's hash value in the body of the first block, giving the trust alliance blockchain.

Step 2: authenticate the identity of the accessed server in the PKI domain.

The user in the IBC domain requesting access signs its identity ID with its own private key using the SM9 signature algorithm to produce a signed authentication request, and sends the signed request to the domain proxy server.

The domain proxy server of the IBC domain verifies whether the identity of the requesting user is legitimate; if so, it determines whether the certificate server of the PKI domain and the domain proxy server of the IBC domain satisfy the mutual trust condition; otherwise authentication ends.

The signed authentication request is verified with the SM9 signature verification algorithm under the requesting user's public key; a request whose signature verifies establishes that the user's identity is legitimate.

If the certificate server of the PKI domain and the domain proxy server of the IBC domain satisfy the mutual trust condition, the temporary identity issuance method is used to establish secure communication between the accessed server in the PKI domain and the accessing user; otherwise authentication fails.

The mutual trust condition is satisfied only when both of the following conditions hold at the same time:

Condition 1: the certificate server of the PKI domain queries, on the trust alliance blockchain, the certificate of the domain proxy server of the IBC domain, and the certificate status is "declared";

Condition 2: the domain proxy server of the IBC domain queries, on the trust alliance blockchain, the certificate of the certificate server of the PKI domain, and the certificate status is "declared".

The certificate server of the PKI domain stores the authentication credential by writing it into the trust alliance blockchain.

The specific steps of the temporary identity issuance method are as follows:

First, the domain proxy server of the IBC domain generates temporary identity information for the accessed server in the PKI domain and sends it to the certificate server of the PKI domain;

Second, the certificate server of the PKI domain forwards the temporary identity information to the server the user accesses;

Third, the server providing the service in the PKI domain stores the temporary identity information and uses it to communicate securely with the user in the IBC domain requesting the service.

The specific steps of writing the authentication credential into the trust alliance blockchain are as follows:

First, the node server of the trust alliance blockchain generates the authentication credential from the identity ID of the server whose access by the user was successfully authenticated;

Second, the node server of the trust alliance blockchain chooses a hash function according to the size of the credential, hashes the credential, and writes the hash value into the blockchain.

End authentication.

Step 3. Authenticate the identity of the accessed server in the IBC domain.

A user in the PKI domain requesting access sends an authentication request to the certificate server.

The PKI-domain certificate server queries the certificate status of the requesting user on the trust-consortium blockchain. If the status is "declared", it goes on to check whether the PKI-domain certificate server and the IBC-domain proxy server satisfy the mutual trust condition; if the status is "revoked", authentication ends.

Check whether the PKI-domain certificate server and the IBC-domain proxy server satisfy the mutual trust condition. If so, the method of issuing a temporary certificate is used to establish secure communication between the accessed server in the IBC domain and the requesting user; otherwise authentication ends.

The mutual trust condition is the situation in which both of the following conditions hold at the same time:

Condition 1, the PKI-domain certificate server queries the certificate of the IBC-domain proxy server on the trust-consortium blockchain and its status is "declared";

Condition 2, the IBC-domain proxy server queries the certificate of the PKI-domain certificate server on the trust-consortium blockchain and its status is "declared".

The method of issuing a temporary certificate comprises the following steps:

First step, the PKI-domain certificate server generates a temporary certificate for the accessed server in the IBC domain and sends it to the IBC-domain proxy server;

Second step, in the IBC domain, the domain proxy server forwards the temporary certificate to the accessed server;

Third step, in the IBC domain, the accessed server stores the temporary certificate and uses the identity information it contains to communicate securely with the requesting user in the PKI domain.

The IBC-domain proxy server stores the authentication credential by the method of writing the authentication credential to the trust-consortium blockchain.

The method of writing an authentication credential to the trust-consortium blockchain comprises the following steps:

First step, a node server of the trust-consortium blockchain generates an authentication credential from the identity (ID) of the accessed server whose authentication succeeded;

Second step, the node server selects a hash function according to the size of the authentication credential, computes the hash value of the credential, and writes the hash value to the blockchain.

Authentication ends.

Step 4. Set the validity period of the authentication credential.

According to the security level of the accessed server in the PKI domain, set the corresponding validity period for its authentication credential stored on the trust-consortium blockchain.

According to the security level of the accessed server in the IBC domain, set the corresponding validity period for its authentication credential stored on the trust-consortium blockchain.

Step 5. Re-authenticate the identity of the accessed server in the PKI domain.

Another user in the IBC domain sends an identity-signature request and an access request to the domain proxy server.

Check whether the PKI-domain certificate server and the IBC-domain proxy server satisfy the mutual trust condition. If so, the IBC-domain proxy server generates an authentication credential from the identity (ID) of the accessed server in the PKI domain; otherwise authentication ends.

The mutual trust condition is the situation in which both of the following conditions hold at the same time:

Condition 1, the PKI-domain certificate server queries the certificate of the IBC-domain proxy server on the trust-consortium blockchain and its status is "declared";

Condition 2, the IBC-domain proxy server queries the certificate of the PKI-domain certificate server on the trust-consortium blockchain and its status is "declared".

The IBC-domain proxy server queries the trust-consortium blockchain for the authentication credential. If the credential is found and is within its validity period, this access is allowed and authentication ends; otherwise the method of issuing a temporary identity is used to establish secure communication between the accessed server in the PKI domain and the requesting user.

The method of issuing a temporary identity comprises the following steps:

First step, the IBC-domain proxy server generates temporary identity information for the accessed server in the PKI domain and sends it to the PKI-domain certificate server;

Second step, the PKI-domain certificate server forwards the temporary identity information to the server being accessed;

Third step, the serving server in the PKI domain stores the temporary identity information and uses it to communicate securely with the requesting user in the IBC domain.

The PKI-domain certificate server stores the authentication credential by the method of writing the authentication credential to the trust-consortium blockchain.

The method of writing an authentication credential to the trust-consortium blockchain comprises the following steps:

First step, a node server of the trust-consortium blockchain generates an authentication credential from the identity (ID) of the accessed server whose authentication succeeded;

Second step, the node server selects a hash function according to the size of the authentication credential, computes the hash value of the credential, and writes the hash value to the blockchain.

Authentication ends.

Step 6. Re-authenticate the identity of the accessed server in the IBC domain.

Another user in the PKI domain sends an access request to the certificate server.

Check whether the PKI-domain certificate server and the IBC-domain proxy server satisfy the mutual trust condition. If so, the PKI-domain certificate server generates an authentication credential from the identity (ID) of the accessed server in the IBC domain; otherwise authentication ends.

The mutual trust condition is the situation in which both of the following conditions hold at the same time:

Condition 1, the PKI-domain certificate server queries the certificate of the IBC-domain proxy server on the trust-consortium blockchain and its status is "declared";

Condition 2, the IBC-domain proxy server queries the certificate of the PKI-domain certificate server on the trust-consortium blockchain and its status is "declared".

The PKI-domain certificate server queries the trust-consortium blockchain for the authentication credential. If the credential is found and is within its validity period, this access is allowed and authentication ends; otherwise the method of issuing a temporary certificate is used to establish secure communication between the accessed server in the IBC domain and the requesting user.

The method of issuing a temporary certificate comprises the following steps:

First step, the PKI-domain certificate server generates a temporary certificate for the accessed server in the IBC domain and sends it to the IBC-domain proxy server;

Second step, in the IBC domain, the domain proxy server forwards the temporary certificate to the accessed server;

Third step, in the IBC domain, the accessed server stores the temporary certificate and uses the identity information it contains to communicate securely with the requesting user in the PKI domain.

The IBC-domain proxy server stores the authentication credential by the method of writing the authentication credential to the trust-consortium blockchain.

The method of writing an authentication credential to the trust-consortium blockchain comprises the following steps:

First step, a node server of the trust-consortium blockchain generates an authentication credential from the identity (ID) of the accessed server whose authentication succeeded;

Second step, the node server selects a hash function according to the size of the authentication credential, computes the hash value of the credential, and writes the hash value to the blockchain.

Authentication ends.
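The mechanics that steps 2 to 6 share (the consortium chain, the mutual trust condition, writing a credential hash with a validity period chosen from the security level in step 4, and the re-authentication lookup of steps 5 and 6) are modelled below in Python as an added example; it is not code from the patent or its authors. Everything not in the description is an assumption: the host names (`ca.pki.example`, `proxy.ibc.example`, `srv1.pki.example`, `srv2.ibc.example`), the `TTL_BY_LEVEL` table, the 1 KiB threshold in `choose_hash`, the on-chain record layout, and the reading of steps 5c/6c as "recompute the credential from the ID so that its hash can be looked up on chain". Temporary identity and temporary certificate issuance are represented only by the `"reissue"` outcome that triggers them.

```python
import hashlib
import json

DECLARED, REVOKED = "declared", "revoked"
# Assumed mapping from security level to validity period in seconds (step 4 only says they correspond).
TTL_BY_LEVEL = {1: 24 * 3600, 2: 3600, 3: 300}


def canonical(record: dict) -> bytes:
    """Deterministic encoding so every node hashes identical bytes."""
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode()


def choose_hash(size: int):
    """Hash picked by input size as the text prescribes; the threshold is assumed."""
    return hashlib.sha256 if size <= 1024 else hashlib.sha512


def credential_digest(server_id: str) -> str:
    """Steps 5c/6c: derive the credential from the accessed server's ID alone (assumed)."""
    data = canonical({"type": "credential", "subject": server_id})
    return choose_hash(len(data))(data).hexdigest()


def block_hash(prev: str, ts: int, record: dict) -> str:
    return hashlib.sha256(canonical({"prev": prev, "ts": ts, "record": record})).hexdigest()


class ConsortiumChain:
    """Append-only, hash-linked records shared by the node servers."""
    def __init__(self):
        self.blocks = []

    def append(self, record: dict, ts: int) -> str:
        prev = self.blocks[-1]["hash"] if self.blocks else "0" * 64
        self.blocks.append({"prev": prev, "ts": ts, "record": record, "hash": block_hash(prev, ts, record)})
        return self.blocks[-1]["hash"]

    def verify(self) -> bool:
        # Recompute every link; a forged ttl or status breaks the chain.
        prev = "0" * 64
        for b in self.blocks:
            if b["prev"] != prev or block_hash(prev, b["ts"], b["record"]) != b["hash"]:
                return False
            prev = b["hash"]
        return True

    def latest(self, **match):
        """Newest record matching all fields; a later 'revoked' beats an earlier 'declared'."""
        for b in reversed(self.blocks):
            if all(b["record"].get(k) == v for k, v in match.items()):
                return b
        return None

    def cert_status(self, subject: str):
        b = self.latest(type="cert", subject=subject)
        return b["record"]["status"] if b else None


def mutual_trust(chain, pki_ca: str, ibc_proxy: str) -> bool:
    """Conditions 1 and 2: each node finds the other's certificate 'declared' on chain."""
    return chain.cert_status(ibc_proxy) == DECLARED and chain.cert_status(pki_ca) == DECLARED


def write_credential(chain, server_id: str, level: int, now: int) -> str:
    """Steps 2e/3e/5f/6f with step 4: only the credential's hash goes on chain, plus its validity period."""
    record = {"type": "credential", "digest": credential_digest(server_id), "ttl": TTL_BY_LEVEL[level]}
    return chain.append(record, now)


def reauthenticate(chain, pki_ca: str, ibc_proxy: str, server_id: str, now: int) -> str:
    """Steps 5/6: 'allow' within validity, 'reissue' when missing or expired, 'deny' without mutual trust."""
    if not mutual_trust(chain, pki_ca, ibc_proxy):
        return "deny"
    b = chain.latest(type="credential", digest=credential_digest(server_id))
    if b is None or now >= b["ts"] + b["record"]["ttl"]:
        return "reissue"
    return "allow"


def run_scenario() -> dict:
    """Constructed walk-through: two node servers, one accessed server per domain."""
    chain = ConsortiumChain()
    pki_ca, ibc_proxy = "ca.pki.example", "proxy.ibc.example"
    t0 = 1_700_000_000
    # Claim step (1): both node certificates are published as 'declared'.
    chain.append({"type": "cert", "subject": pki_ca, "status": DECLARED}, t0)
    chain.append({"type": "cert", "subject": ibc_proxy, "status": DECLARED}, t0)
    out = {"cold": reauthenticate(chain, pki_ca, ibc_proxy, "srv1.pki.example", t0 + 1)}
    # Step 2 succeeds and the PKI CA writes the credential (level 2 -> one hour).
    write_credential(chain, "srv1.pki.example", level=2, now=t0 + 2)
    out["fresh"] = reauthenticate(chain, pki_ca, ibc_proxy, "srv1.pki.example", t0 + 600)
    # A level-3 server in the IBC domain gets only five minutes.
    write_credential(chain, "srv2.ibc.example", level=3, now=t0 + 10)
    out["level3_fresh"] = reauthenticate(chain, pki_ca, ibc_proxy, "srv2.ibc.example", t0 + 300)
    out["level3_expired"] = reauthenticate(chain, pki_ca, ibc_proxy, "srv2.ibc.example", t0 + 311)
    # Revoking the IBC proxy's certificate breaks the mutual trust condition.
    chain.append({"type": "cert", "subject": ibc_proxy, "status": REVOKED}, t0 + 400)
    out["after_revocation"] = reauthenticate(chain, pki_ca, ibc_proxy, "srv1.pki.example", t0 + 401)
    out["chain_ok"] = chain.verify()
    # Extending a stored ttl after the fact is caught by the hash links.
    chain.blocks[2]["record"]["ttl"] = 10 ** 9
    out["tampered_ok"] = chain.verify()
    return out
```

Two points the description leaves implicit become visible here. The certificate status query has to take the newest record for a subject, otherwise a revocation appended after the original "declared" entry is silently ignored. And because only the credential's hash is written, the validity period is trustworthy only as far as the block that carries it; that is what `verify()` checks when it rejects the tampered `ttl`.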

Claims (5)

1. A cross-domain server identity authentication method based on a trust-consortium blockchain, characterised in that a trust-consortium blockchain is built; the certificates of all node servers of the trust-consortium blockchain and of the legitimate users in the PKI domain are stored in the trust-consortium blockchain; the trust-consortium blockchain is used to authenticate server identities across domains; the result of a successful authentication is stored in the trust-consortium blockchain as an authentication credential; and the authentication credential is used for re-authentication. The method comprises the following steps:

(1) Building the trust-consortium blockchain:
(1a) According to the number of consortium node servers that the blockchain's communication capacity can accommodate, set the number of PKI domains and the number of IBC domains;
(1b) Use the certificate server of each PKI domain and the domain proxy server of each IBC domain as node servers of the trust-consortium blockchain;
(1c) The PKI-domain certificate server issues certificates to the IBC-domain proxy servers;
(1d) Select a hash function according to the size of each certificate and compute the certificate's hash value;
(1e) Store the certificate hash values in the body of the first block, obtaining the trust-consortium blockchain;

(2) Authenticating the identity of the accessed server in the PKI domain:
(2a) The user requesting access in the IBC domain signs its own identity ID with its private key using the SM9 signature algorithm (the Chinese national identity-based cryptographic standard), producing a signed authentication request, and sends it to the domain proxy server;
(2b) The IBC-domain proxy server verifies whether the requesting user's identity is legitimate; if so, go to step (2c), otherwise go to step (2f);
(2c) Check whether the PKI-domain certificate server and the IBC-domain proxy server satisfy the mutual trust condition; if so, go to step (2d), otherwise go to step (2f);
(2d) Use the method of issuing a temporary identity to establish secure communication between the accessed server in the PKI domain and the requesting user;
(2e) The PKI-domain certificate server stores the authentication credential by the method of writing the authentication credential to the trust-consortium blockchain;
(2f) End authentication;

(3) Authenticating the identity of the accessed server in the IBC domain:
(3a) The user requesting access in the PKI domain sends an authentication request to the certificate server;
(3b) The PKI-domain certificate server queries the requesting user's certificate status on the trust-consortium blockchain; if the status is "declared", go to step (3c); if the status is "revoked", go to step (3f);
(3c) Check whether the PKI-domain certificate server and the IBC-domain proxy server satisfy the mutual trust condition; if so, go to step (3d), otherwise go to step (3f);
(3d) Use the method of issuing a temporary certificate to establish secure communication between the accessed server in the IBC domain and the requesting user;
(3e) The IBC-domain proxy server stores the authentication credential by the method of writing the authentication credential to the trust-consortium blockchain;
(3f) End authentication;

(4) Setting the validity period of the authentication credential:
(4a) According to the security level of the accessed server in the PKI domain, set the corresponding validity period of the authentication credential stored on the trust-consortium blockchain;
(4b) According to the security level of the accessed server in the IBC domain, set the corresponding validity period of the authentication credential stored on the trust-consortium blockchain;

(5) Re-authenticating the identity of the accessed server in the PKI domain:
(5a) Another user in the IBC domain sends an identity-signature request and an access request to the domain proxy server;
(5b) Check whether the PKI-domain certificate server and the IBC-domain proxy server satisfy the mutual trust condition; if so, go to step (5c), otherwise go to step (5g);
(5c) The IBC-domain proxy server generates the authentication credential from the identity ID of the accessed server in the PKI domain;
(5d) The IBC-domain proxy server queries the trust-consortium blockchain for the authentication credential; if it is found and is within its validity period, allow this access and go to step (5g), otherwise go to step (5e);
(5e) Use the method of issuing a temporary identity to establish secure communication between the accessed server in the PKI domain and the requesting user;
(5f) The PKI-domain certificate server stores the authentication credential by the method of writing the authentication credential to the trust-consortium blockchain;
(5g) End authentication;

(6) Re-authenticating the identity of the accessed server in the IBC domain:
(6a) Another user in the PKI domain sends an access request to the certificate server;
(6b) Check whether the PKI-domain certificate server and the IBC-domain proxy server satisfy the mutual trust condition; if so, go to step (6c), otherwise go to step (6g);
(6c) The PKI-domain certificate server generates the authentication credential from the identity ID of the accessed server in the IBC domain;
(6d) The PKI-domain certificate server queries the trust-consortium blockchain for the authentication credential; if it is found and is within its validity period, allow this access, otherwise go to step (6e);
(6e) Use the method of issuing a temporary certificate to establish secure communication between the accessed server in the IBC domain and the requesting user;
(6f) The IBC-domain proxy server stores the authentication credential by the method of writing the authentication credential to the trust-consortium blockchain;
(6g) End authentication;

The method of writing the authentication credential to the trust-consortium blockchain referred to in steps (2e), (3e), (5f) and (6f) comprises the following steps:
First step, a node server of the trust-consortium blockchain generates an authentication credential from the identity ID of the accessed server whose authentication succeeded;
Second step, the node server selects a hash function according to the size of the authentication credential, computes the hash value of the credential, and writes the hash value to the blockchain.

2. The cross-domain server identity authentication method based on a trust-consortium blockchain according to claim 1, characterised in that a legitimate user identity in step (2b) means that the signed authentication request is verified with the requesting user's public key by the SM9 signature verification algorithm, and a request that passes verification establishes the user's identity as legitimate.

3. The cross-domain server identity authentication method based on a trust-consortium blockchain according to claim 1, characterised in that the mutual trust condition in steps (2c), (3c), (5b) and (6b) is the situation in which both of the following conditions hold at the same time:
Condition 1, the PKI-domain certificate server queries the certificate of the IBC-domain proxy server on the trust-consortium blockchain and its status is "declared";
Condition 2, the IBC-domain proxy server queries the certificate of the PKI-domain certificate server on the trust-consortium blockchain and its status is "declared".

4. The cross-domain server identity authentication method based on a trust-consortium blockchain according to claim 1, characterised in that the method of issuing a temporary identity in steps (2d) and (5e) comprises the following steps:
First step, the IBC-domain proxy server generates temporary identity information for the accessed server in the PKI domain and sends it to the PKI-domain certificate server;
Second step, the PKI-domain certificate server forwards the temporary identity information to the server being accessed;
Third step, the serving server in the PKI domain stores the temporary identity information and uses it to communicate securely with the requesting user in the IBC domain.

5. The cross-domain server identity authentication method based on a trust-consortium blockchain according to claim 1, characterised in that the method of issuing a temporary certificate in steps (3d) and (6e) comprises the following steps:
First step, the PKI-domain certificate server generates a temporary certificate for the accessed server in the IBC domain and sends it to the IBC-domain proxy server;
Second step, in the IBC domain, the domain proxy server forwards the temporary certificate to the accessed server;
Third step, in the IBC domain, the accessed server stores the temporary certificate and uses the identity information it contains to communicate securely with the requesting user in the PKI domain.
Priority Applications (1)

Application Number | Priority Date | Filing Date | Title | Status
CN201810548516.8A | 2018-05-31 | 2018-05-31 | Cross-domain server identity authentication method based on trust alliance blockchain | Active (granted as CN108737436B)

Publications (2)

Publication Number | Publication Date
CN108737436A | 2018-11-02
CN108737436B (granted) | 2020-02-21

Family

ID=63931512

CN101453476B (en) * 2009-01-06 2011-12-07 中国人民解放军信息工程大学 Cross domain authentication method and system
CN106877996B (en) * 2017-02-16 2019-09-24 西南交通大学 User in the domain PKI accesses the authentication key agreement method of the resource in the domain IBC
CN107395364B (en) * 2017-08-01 2021-02-02 北京迪曼森科技有限公司 Combined key cross-domain authentication method based on identification
CN107995197A (en) * 2017-12-04 2018-05-04 中国电子科技集团公司第三十研究所 A kind of method for realizing across management domain identity and authority information is shared

Patent Citations (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN105516119A (en) * 2015-12-03 2016-04-20 西北师范大学 Cross-domain identity authentication method based on proxy re-signature
CN106789042A (en) * 2017-02-15 2017-05-31 西南交通大学 User in IBC domains accesses the authentication key agreement method of the resource in PKI domains

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US11811762B2 (en) * 2021-02-05 2023-11-07 Cisco Technology, Inc. Sponsor delegation for multi-factor authentication

Also Published As

Publication number Publication date
CN108737436A (en) 2018-11-02

Similar Documents

Publication Publication Date Title
CN108737436B (en) Cross-domain server identity authentication method based on trust alliance blockchain
CN112073379B (en) Lightweight Internet of things security key negotiation method based on edge calculation
CN110138560B (en) Double-proxy cross-domain authentication method based on identification password and alliance chain
CN111245870B (en) Identity authentication method based on mobile terminal and related device
CN113507458B (en) Cross-domain identity authentication method based on block chain
CN101453476B (en) Cross domain authentication method and system
CN103491540B (en) The two-way access authentication system of a kind of WLAN based on identity documents and method
CN101902476B (en) Method for authenticating identity of mobile peer-to-peer user
CN110086821A (en) The authentication method of electric power things-internet gateway and the access of electric power internet-of-things terminal based on block chain
CN101697540B (en) Method for authenticating user identity through P2P service request
CN114629720B (en) A cross-domain authentication method for industrial Internet based on blockchain and Handle identification
CN109743172A (en) Based on the alliance blockchain V2G network cross-domain authentication method, information data processing terminal
US20090240941A1 (en) Method and apparatus for authenticating device in multi domain home network environment
CN108667616A (en) Identity-based cross-cloud security authentication system and method
CN110581854A (en) intelligent terminal safety communication method based on block chain
JP2011523520A (en) Station distributed identification method in network
CN105516119A (en) Cross-domain identity authentication method based on proxy re-signature
WO2020020008A1 (en) Authentication method and authentication system
WO2008002081A1 (en) Method and apparatus for authenticating device in multi domain home network environment
CN113055394A (en) Multi-service double-factor authentication method and system suitable for V2G network
CN116388995A (en) Lightweight smart grid authentication method based on PUF
CN116074019A (en) Identity authentication method, system and medium between mobile client and server
CN107248997A (en) Authentication method based on smart card under environment of multi-server
CN110891067B (en) A revocable multi-server privacy protection authentication method and system
CN113726523B (en) Multiple identity authentication method and device based on Cookie and DR identity cryptosystem

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant