[go: up one dir, main page]

TW201812630A - Block chain identity system - Google Patents

Block chain identity system Download PDF

Info

Publication number
TW201812630A
TW201812630A TW106131301A TW106131301A TW201812630A TW 201812630 A TW201812630 A TW 201812630A TW 106131301 A TW106131301 A TW 106131301A TW 106131301 A TW106131301 A TW 106131301A TW 201812630 A TW201812630 A TW 201812630A
Authority
TW
Taiwan
Prior art keywords
user
identity
random number
information
node network
Prior art date
Application number
TW106131301A
Other languages
Chinese (zh)
Other versions
TWI749061B (en
Inventor
陸揚
Original Assignee
大陸商上海鼎利信息科技有限公司
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by 大陸商上海鼎利信息科技有限公司 filed Critical 大陸商上海鼎利信息科技有限公司
Publication of TW201812630A publication Critical patent/TW201812630A/en
Application granted granted Critical
Publication of TWI749061B publication Critical patent/TWI749061B/en

Links

Classifications

    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/32Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Storage Device Security (AREA)
  • Financial Or Insurance-Related Operations Such As Payment And Settlement (AREA)
  • Mobile Radio Communication Systems (AREA)

Abstract

A block chain identity system, comprising a client terminal and a cloud terminal, the client terminal being composed of a radio frequency reading module, a computing platform, a touch screen module, a communication module, and a smart identity card, and the cloud terminal being composed of a block chain multi-node network, the block chain multi-node network comprising a data block chain and a multi-node network, the multi-node network being responsible for coordinating with the client terminal to complete an identity generating process and an identity authentication process. The authentication system uses the smart identity card to ensure user identity security, and transmits information to be transmitted after encryption, ensuring that information does not leak during the transmission process, ensuring the effectiveness of two-step authentication, and preventing unnecessary attacks during the authentication process.

Description

區塊鏈身份系統Blockchain identity system

本發明係關於網際網路上的身份生成以及認證,一種區塊鏈身份系統。The invention relates to identity generation and authentication on the Internet, a blockchain identity system.

在網際網路中,區塊鏈身份需要依靠網路資料的形式進行頒發,與傳統的身份不同,網際網路上的身份對生成及認證過程的難度更大。對於目前廣泛使用的基於密碼的認證機制或基於簡訊的身份認證中,如果密碼一旦洩漏或者手機不慎丟失,其他用戶同樣可以使用該終端進行認證交易。另外近年來開始出現結合生物特徵資訊(例如指紋、虹膜等)來增加認證安全性的技術。然而就當前環境下,如果在要進行身份認證之前必須要先接受自己的指紋等生物特徵資訊被一協力廠商系統採集保存,對於一普通用戶來說尚不容易接受,用戶很可能因為擔心個人資訊洩漏。因此,現今極需一種安全性高、可操作性高、方便的區塊鏈身份系統。In the Internet, blockchain identities need to be issued in the form of network data. Unlike traditional identities, the generation and authentication of identity pairs on the Internet is more difficult. For currently widely used password-based authentication mechanisms or SMS-based authentication, if a password is leaked or the phone is accidentally lost, other users can also use the terminal for authentication transactions. In addition, in recent years, technologies that combine biometric information (such as fingerprints, irises, etc.) to increase authentication security have begun to appear. However, in the current environment, if biometric information such as fingerprints must be accepted before being authenticated by a third-party system, it is not easy for an ordinary user to accept, and users are likely to worry about personal information. leakage. Therefore, there is a great need for a blockchain identity system with high security, high operability and convenience.

有鑑於此,本發明提供一種解決或部分解決上述問題的區塊鏈身份系統。In view of this, the present invention provides a blockchain identity system that solves or partially solves the above problems.

為達到上述技術方案的效果,本發明的技術方案為:一種區塊鏈身份系統,包含用戶端、雲端,用戶端由射頻讀取模組、計算平臺、觸控式螢幕模組、通訊模組、智慧身份卡組成,雲端由區塊鏈多節點網路組成,區塊鏈多節點網路包括資料區塊鏈以及多節點網路,多節點網路負責與用戶端之間協調完成身份的生成過程以及身份認證過程;In order to achieve the effect of the above technical solution, the technical solution of the present invention is: a blockchain identity system, which includes a client, a cloud, and the client is a radio frequency reading module, a computing platform, a touch screen module, and a communication module. And smart identity cards. The cloud is composed of a blockchain multi-node network. The blockchain multi-node network includes a data blockchain and a multi-node network. The multi-node network is responsible for coordinating the identity generation with the client. Process and identity authentication process;

計算平臺的內部包含觸控式螢幕控制器、通訊控制器及微型計算晶片;The computing platform includes a touch screen controller, a communication controller, and a micro-computing chip;

觸控式螢幕控制器用於控制觸控式螢幕模組的顯示,將需要顯示的資訊發送給所述觸控式螢幕模組;The touch screen controller is used to control the display of the touch screen module, and sends information to be displayed to the touch screen module;

通訊控制器以串口通訊的方式調度射頻讀取模組、觸控式螢幕模組及通訊模塊之間的交互通訊;The communication controller dispatches the interactive communication between the RF reading module, the touch screen module and the communication module by means of serial communication;

微型計算晶片用於處理所述身份的生成過程以及身份認證過程中的資訊;A micro-computing chip is used to process information in the identity generation process and the identity authentication process;

智慧身份卡內含內建積體電路的晶片,晶片包含存有用戶ID編號,每個智慧身份卡的用戶ID編號都是唯一的,用於識別用戶身份,智慧身份卡由專門的廠商通過專門的設備生產,是不可複製的硬體,智慧身份卡由註冊過的合法用戶攜帶,認證時必須將智慧身份卡經過射頻讀取模組掃描讀入其中的用戶ID編號,以驗證用戶的身份;The smart ID card contains a chip with built-in integrated circuits. The chip contains a user ID number. The user ID number of each smart ID card is unique and is used to identify the user. The production of equipment is non-copyable hardware. The smart ID card is carried by registered legal users. During authentication, the smart ID card must be scanned into the user ID number read by the RF reader module to verify the user's identity;

觸控式螢幕模組採用五線電阻屏,依靠壓力感應原理,用於顯示以及輸入在身份的生成過程以及身份認證過程中所需的資訊;The touch screen module uses a five-wire resistive screen and relies on the principle of pressure sensing to display and enter the information required during the identity generation process and the identity authentication process;

通訊模組用於接收和發送相關資訊,內含網路傳輸篩檢程式及專用編碼晶片以實現計算平臺與雲端之間的通訊,並以資料幀的方式實現網路資料的接收和發送,並且還要在接收和發送時避免背景雜訊及干擾,資料幀的編碼方式為相位編碼,並採取同步時鐘編碼技術,在傳輸資料資訊的同時,也將時鐘同步信號一起傳輸到對方;The communication module is used to receive and send related information, including a network transmission screening program and a dedicated code chip to achieve communication between the computing platform and the cloud, and to receive and send network data in the form of data frames, and It is also necessary to avoid background noise and interference during reception and transmission. The coding method of the data frame is phase coding, and synchronous clock coding technology is adopted. When transmitting data information, the clock synchronization signal is also transmitted to the other party;

在雲端的所述區塊鏈多節點網路中,區塊鏈多節點網路中的資料區塊鏈由一串按創建的時間順序相連的資料區塊組成,區塊鏈多節點網路中的多節點網路是由多個節點構成的P2P網路,節點之間通過網路共用及互相傳輸資訊,資料區塊鏈對多節點網路中所有所述節點都是開放的,資料區塊由區塊頭以及區塊主體組成,區塊頭包含前一資料區塊的哈希值、時間戳、當前資料區塊的哈希值,前一資料區塊的哈希值用於不同資料區塊的連接,時間戳記錄當前資料區塊連接的時間,當前資料區塊的哈希值用於確保資料區塊的內容不會被篡改,區塊主體記錄了用戶身份的帳戶資訊,其中合法的用戶身份的帳戶資訊為:用戶名、用戶身份資訊、加密後的用戶密碼、加密後的用戶ID編號、用戶公鑰;In the blockchain multi-node network in the cloud, the data blockchain in the blockchain multi-node network is composed of a series of data blocks connected in chronological order of creation. In the blockchain multi-node network, Multi-node network is a P2P network composed of multiple nodes. Nodes share and transmit information to each other through the network. The data blockchain is open to all the nodes in the multi-node network. Data blocks It consists of a block header and a block body. The block header contains the hash value of the previous data block, the timestamp, and the hash value of the current data block. The hash value of the previous data block is used for different data blocks. Connection, the timestamp records the current connection time of the current data block, the hash value of the current data block is used to ensure that the content of the data block cannot be tampered with, the block body records the account information of the user identity, and the legal user identity Account information: user name, user identity information, encrypted user password, encrypted user ID number, user public key;

節點中包含偽亂數產生器;The node contains a pseudo-random number generator;

身份生成過程如下:The identity generation process is as follows:

1)用戶在觸控式螢幕模組上輸入用戶名、用戶身份資訊、用戶密碼,並將用戶名、用戶身份資訊、用戶密碼傳輸給多節點網路,多節點網路檢驗用戶名在資料區塊鏈中是否存在,如果用戶名不存在,進行下一步,如果用戶名存在,傳送回饋資訊經由通訊模組傳送給計算平臺,計算平臺將回饋資訊處理,在觸控式螢幕模組上顯示“用戶存在,重新輸入”,用戶在觸控式螢幕模組上重新輸入用戶名,多節點網路重新檢驗用戶名在資料區塊鏈是否存在;1) The user enters the user name, user identity information, and user password on the touch screen module, and transmits the user name, user identity information, and user password to the multi-node network. The multi-node network verifies that the user name is in the data area. If the block chain exists, if the user name does not exist, proceed to the next step. If the user name exists, send feedback information to the computing platform via the communication module. The computing platform will process the feedback information and display "on the touch screen module" User exists, re-enter ", the user re-enters the user name on the touch screen module, and the multi-node network re-checks whether the user name exists in the data blockchain;

2)計算平臺驗證所述用戶密碼是否符合要求,如果用戶密碼符合要求,進行下一步,如果不符合要求傳輸給觸控式螢幕模組,在觸控式螢幕模組上顯示“用戶密碼不符合要求,重新輸入”,用戶在觸控式螢幕模組上重新輸入用戶密碼;2) The computing platform verifies whether the user password meets the requirements. If the user password meets the requirements, proceed to the next step. If the user password does not meet the requirements, it is transmitted to the touch screen module, and the "touch screen does not match the user password" is displayed on the touch screen module. Request, re-enter ", the user re-enters the user password on the touch screen module;

3)多節點網路產生亂數S1,並且亂數S1經過IDEA加密演算法進行加密生成加密後的亂數S1,將加密後的亂數S1廣播給多節點網路中所有節點,所有節點利用IDEA解密演算法解密加密後的亂數S1,最先解密出亂數S1的節點作為負責構建資料區塊鏈的節點;3) The multi-node network generates random numbers S1, and the random numbers S1 are encrypted by the IDEA encryption algorithm to generate encrypted random numbers S1, and the encrypted random numbers S1 are broadcast to all nodes in the multi-node network. All nodes use The IDEA decryption algorithm decrypts the encrypted random number S1, and the node that first decrypts the random number S1 is used as the node responsible for building the data blockchain;

4)負責構建資料區塊鏈的節點分配給用戶一個用戶公鑰,並通過哈希演算法將用戶身份資訊生成唯一的身份標識,負責構建資料區塊鏈的節點將生成後的唯一的身份標識進行數位簽章生成唯一的用戶ID編號,將用戶ID編號寫入智慧身份卡,由用戶公鑰進行加密生成加密後的用戶ID編號,把當前時間保存為當前資料區塊的時間戳,前一資料區塊的哈希值通過安全散列演算法生成當前資料區塊的哈希值,並且生成加密後的用戶密碼,生成加密後的用戶密碼的具體過程為:使用負責構建資料區塊鏈的節點中的偽亂數產生器生成的亂數作為鹽值,將鹽值混入用戶密碼,並使用所述加密哈希函數進行加密,生成加密後的用戶密碼;將用戶名、用戶身份資訊、加密後的用戶密碼、加密後的用戶ID編號、用戶公鑰組成用戶身份的帳戶資訊,與產生的鹽值一起寫入當前資料區塊的區塊主體中;4) The node responsible for building the data blockchain assigns a user's public key to the user, and generates a unique identity through the hash algorithm, and the node responsible for building the data blockchain will generate the unique identity Digitally sign to generate a unique user ID number, write the user ID number into the smart identity card, encrypt the user's public key to generate an encrypted user ID number, and save the current time as the time stamp of the current data block. The hash value of the data block generates a hash value of the current data block through a secure hash algorithm, and generates an encrypted user password. The specific process of generating an encrypted user password is: The random number generated by the pseudo random number generator in the node is used as the salt value, the salt value is mixed into the user password, and encrypted using the cryptographic hash function to generate an encrypted user password; the user name, user identity information, encryption The user password, encrypted user ID number, and user public key constitute the account information of the user's identity, which is written into the current account along with the generated salt value. Data block block body;

偽亂數產生器的工作原理如下:The pseudo-random number generator works as follows:

偽亂數產生器基於資料加密標準,包含三重資料加密標準演算法,可以循環地產生亂數;用變數i表示第i輪亂數的產生計算,主要有3個組成部分:The pseudo random number generator is based on the data encryption standard and contains a triple data encryption standard algorithm that can generate random numbers cyclically; the variable i represents the i-th random number generation calculation, which mainly has 3 components:

1)輸入部分:輸入部分是兩個64位元的偽亂數Datei 及Vi ,其中,Datei 表示第i輪計算開始時的日期和時間,每產生一個亂數Ri後,Datei 需要更新一次,Vi 是產生第i個亂數時需要輸入的種子,其初值可任意設定,以後每輪計算都會自動更新;1) an input portion: an input section is two 64-bit pseudo random number and a Date i V i, where, i denotes a Date date and time at the beginning of the i-th wheel is calculated, for each generated after a random number Ri, Date i need updated, V i is the i-th generation seed to enter when using random number, which can be arbitrarily set initial value, it is automatically updated after each round of calculation;

2)密鑰產生器:用於每輪的具體計算,每輪計算都使用了三重資料演算法加密,每次加密使用兩個固定的56位元的密鑰K1和密鑰K2,這兩個密鑰必須保密,由偽亂數產生器指定;2) Key generator: used for each round of specific calculations. Each round of calculation uses triple data algorithm encryption. Each encryption uses two fixed 56-bit keys K1 and K2. These two The key must be kept secret and specified by a pseudo-random number generator;

3)輸出部分:輸出為一個64位元的偽亂數Ri和一個64位元的新種子Vi+1 ;偽亂數產生器具有很高的安全強度,因為其採用了總共112位元長的密鑰和3個密鑰加密的資料演算法加密,同時還由於有兩個偽亂數輸入驅動,兩個偽亂數輸入一個是當前的日期和時間Datei ,另一個是上一輪產生的種子Vi ,每輪都產生亂數Ri,但是每輪種子不同,產生的亂數都不相同,因此,為每個用戶產生的鹽值也不相同,所以無法通過上一輪產生的鹽值來推斷下一輪產生的鹽值;3) Output part: The output is a 64-bit pseudo-random number Ri and a 64-bit new seed Vi + 1 ; the pseudo-random number generator has a high security strength because it uses a total of 112 bits in length Key and 3 key-encrypted data algorithm encryption. At the same time, it is driven by two pseudo random number inputs. One of the two pseudo random number inputs is the current date and time, Date i , and the other is generated in the previous round. seed V i, each round generated random number Ri, but different round seeds, random number generator are not the same, and therefore, the salt value generated for each user is not the same, the salt value can not be generated by the round Infer the salt value produced in the next round;

身份認證過程如下:The authentication process is as follows:

第一步,用戶端向雲端發出認證請求,將智慧身份卡中所存的用戶ID編號經由射頻讀取模組讀入,多節點網路檢測在資料區塊鏈中是否存在,如果存在再進行第二步,如果不存在結束身份認證過程;In the first step, the client sends an authentication request to the cloud, reads the user ID number stored in the smart identity card through the radio frequency reading module, and the multi-node network detects whether it exists in the data blockchain. The second step is to end the identity authentication process if it does not exist;

第二步,初次認證,雲端經由通訊模組回饋給計算平臺開始認證的資訊,計算平臺處理開始認證的資訊,開始認證的資訊在觸控式螢幕模組顯示提示用戶輸入,用戶在觸控式螢幕模組輸入用戶名和用戶密碼後,初步驗證用戶,根據收到的用戶名,多節點網路判斷其合法性,如果是合法用戶,再檢驗用戶密碼是否正確,從區塊鏈多節點網路中取出用戶的鹽值,將鹽值混入用戶輸入的密碼,並且使用加密哈希函數進行加密,比較結果和對應資料區塊儲存的加密後的用戶密碼是否相同,如果相同那麼初步判斷用戶輸入的密碼正確,進入第三步,如果不相同則判斷用戶輸入的密碼不一致;The second step is initial authentication. The cloud feeds back to the computing platform the authentication information via the communication module. The computing platform processes the authentication information. The authentication information is displayed on the touch screen module to prompt the user to input. After the screen module enters the user name and user password, the user is initially verified. Based on the received user name, the multi-node network determines its legitimacy. If it is a legitimate user, it checks whether the user password is correct. Take out the user ’s salt value, mix the salt value into the password entered by the user, and use the cryptographic hash function to encrypt. The comparison result is the same as the encrypted user password stored in the corresponding data block. If they are the same, then the user ’s input is initially determined. If the password is correct, go to the third step. If they are not the same, judge that the passwords entered by the user are inconsistent;

第三步,二次認證,計算平臺選取大素數p及整數a,並將這兩個數公開,即這兩個數對用戶端與多節點網路都可見,多節點網路選取隨機的大素數x,大素數x滿足x<p-1,計算ax mod p,大素數x的值保密,只對多節點網路可見;用戶端將用戶密碼及用戶的鹽值級聯,計算散列值Z1,並生成亂數S1,將計算後的散列值Z1與計算後的ax mod p的值、亂數S1級聯再進行一次散列運算得到散列值Z2,用戶端連同亂數S1、將計算後的ax mod p的值和散列值Z2一起發送給多節點網路;The third step is secondary authentication. The computing platform selects the large prime number p and the integer a, and makes these two numbers public, that is, the two numbers are visible to the client and the multi-node network. Large prime number x, large prime number x satisfies x <p-1, calculate a x mod p, the value of large prime number x is confidential, and is only visible to multi-node networks; the user side cascades the user password and the user's salt value , Calculate the hash value Z1, and generate a random number S1, cascade the calculated hash value Z1 with the calculated a x mod p value, the random number S1, and perform a hash operation again to obtain a hash value Z2. The user The terminal sends the calculated value of a x mod p and the hash value Z2 to the multi-node network together with the random number S1;

第四步,多節點網路取出存儲在資料區塊鏈的加密後的用戶密碼;與收到的亂數S1、將計算後的ax mod p級聯再進行散列運算得到散列值Z3,與散列值Z2進行比較,相等則繼續,否則判斷不一致,多節點網路隨機選取大素數y,滿足y<q,計算ay mod p,並將大素數y的值保密;多節點網路將加密後的用戶密碼、亂數S1和計算後的ay mod p的值再次級聯進行散列運算得到散列值Z4,並且將散列值Z4、將計算後的ay mod p的值發送給用戶端;In the fourth step, the multi-node network takes out the encrypted user password stored in the data blockchain; cascades the received ax mod p with the received random number S1, and then performs a hash operation to obtain a hash value Z3 , Compare with the hash value Z2, continue if they are equal, otherwise the judgment is inconsistent. The multi-node network randomly selects a large prime y, satisfying y <q, calculates a y mod p, and keeps the value of the large prime y secret; more The node network cascades the encrypted user password, the random number S1, and the calculated a y mod p value again to obtain a hash value Z4, and the hash value Z4 and the calculated a y mod The value of p is sent to the client;

第五步,用戶端將在第三步得到的散列值Z1、將計算後的ay mod p和亂數S1級聯進行散列運算,將計算結果和第四步收到的消息中的散列值Z4進行比較,相等則回送給雲端一個認證成功的應答信號,否則返回認證失敗的消息;In the fifth step, the client will perform the hash operation on the hash value Z1 obtained in the third step, cascade the calculated a y mod p and the random number S1, and combine the calculation result with the message received in the fourth step. The hash value Z4 is compared. If they are equal, a response signal to the cloud is returned, otherwise a message of authentication failure is returned.

經過以上五個步驟,雲端與用戶端都成功地驗證了對方的身份;After the above five steps, the cloud and the client successfully verified the identity of each other;

區塊鏈身份系統採用的通訊模式是一種開放系統結構的網路方式,由用戶端首先向雲端提出請求,雲端對請求做相應的處理並執行請求中包含的任務,然後將結果返回給用戶端。The communication mode adopted by the blockchain identity system is an open system structured network method. The client first makes a request to the cloud, and the cloud processes the request accordingly and performs the tasks included in the request, and then returns the result to the client. .

本區塊鏈身份系統的優點如下:The advantages of this blockchain identity system are as follows:

(1)使用智慧身份卡,以保證用戶身份的安全性。(1) Use smart identity cards to ensure the security of user identity.

(2)將密碼資訊及智慧身份卡的ID資訊都加密,而不傳輸資訊明文,這樣即使入侵者通過網路偵聽等手段獲得通道的傳輸資訊,也無需擔心用戶密碼和身份證資訊被洩漏。(2) Encrypt the password information and the ID information of the smart ID card without transmitting the information in plain text. This way, even if an intruder obtains the transmission information of the channel through network listening and other means, there is no need to worry about the user password and ID information being leaked. .

(3)身份生成過程以及身份認證過程使用了複雜的加密過程,可以有效防止重放攻擊。而且用戶端和雲端採用了二次認證,提高了認證過程中的可靠性與安全性。(3) The identity generation process and identity authentication process use a complex encryption process, which can effectively prevent replay attacks. In addition, the client and the cloud use secondary authentication, which improves the reliability and security during the authentication process.

為了使本發明所要解決的技術問題、技術方案及有益效果更加清楚明白,以下結合附圖及實施例,對本發明進行詳細的說明。應當說明的是,此處所描述的具體實施例僅用以解釋本發明,並不用於限定本發明,能實現同樣功能的產品屬於等同替換和改進,均包含在本發明的保護範圍之內。具體方法如下:In order to make the technical problems, technical solutions, and beneficial effects to be more clearly understood by the present invention, the present invention is described in detail below with reference to the accompanying drawings and embodiments. It should be noted that the specific embodiments described here are only used to explain the present invention, and are not intended to limit the present invention. Products that can achieve the same function are equivalent replacements and improvements, and are included in the protection scope of the present invention. The specific method is as follows:

實施例1:認證系統的工作流程Example 1: Workflow of the authentication system

認證系統的工作過程如下:用戶在客戶終端的觸控式螢幕模組顯示的登入視窗上輸入用戶名密碼登入系統,進入認證系統後,觸控式螢幕模組上顯示讀卡認證介面,通過發送命令給射頻讀取模組,射頻讀取模組將用戶的智慧身份卡中的資訊讀取進來,智慧身份卡的身份讀入到計算平臺後,在處理平臺根據身份認證協議進行相應的密碼學運算,得到加密後的認證請求資訊,通訊模組通過網路通訊的方式將加密後的認證請求資訊傳送到雲端的認證伺服器,經過用戶端跟雲端的一系列的認證交互過程之後,雲端得到認證結果,並將相應的認證結果返回到用戶端進行顯示。The authentication system works as follows: The user enters the user name and password in the login window displayed on the touch screen module of the client terminal to log in to the system. After entering the authentication system, the touch screen module displays the card-reading authentication interface and sends The command is given to the RF reading module. The RF reading module reads the information in the user's smart identity card. After the identity of the smart identity card is read into the computing platform, the corresponding cryptography is performed on the processing platform according to the identity authentication protocol. After the calculation, the encrypted authentication request information is obtained. The communication module transmits the encrypted authentication request information to the cloud authentication server through network communication. After a series of authentication interaction processes between the client and the cloud, the cloud obtains Authentication results, and return the corresponding authentication results to the user terminal for display.

實施例2:身份認證協議設計Embodiment 2: Identity authentication protocol design

為身份認證系統安全與否的關鍵,身份認證協定的設計是整個系統的關鍵組成部分。首先介紹本文中所用符號約定:As the key to the security of the identity authentication system, the design of the identity authentication agreement is a key component of the entire system. First introduce the symbol conventions used in this article:

U表示用戶;U represents the user;

S表示第三方認證伺服器;S indicates a third-party authentication server;

ID表示射頻讀取模組讀入的身份資訊;ID represents the identity information read by the RF reading module;

UserN、Password分別代表用戶名和對應登入密碼;UserN and Password respectively represent the username and corresponding login password;

KuR、KuS分別代表移動用戶的公鑰和私鑰;KuR and KuS represent the public and private keys of mobile users, respectively;

KsR、Kss分別代表認證伺服器的公鑰和私鑰;KsR and Kss represent the public and private keys of the authentication server, respectively;

EK(m)表示用密鑰k對明文m加密;EK (m) means encrypt the plaintext m with the key k;

DK(C)表示用密鑰k對密文c解密;DK (C) means decrypt the ciphertext c with the key k;

Rl、N2為系統產生的亂數;Rl and N2 are random numbers generated by the system;

K作為雙方身份認證成功後的會話密鑰。K is used as the session key after both parties have successfully authenticated.

首先,用戶須在第三方註冊中心進行用戶資訊註冊。註冊的時候,要求第三方註冊中心具有射頻讀取模組,以便確認用戶身份資訊,並根據從射頻裝置讀出的資訊完成用戶的註冊。註冊過程是在這樣的一個前提下進行的:整個過程都是在一個用戶完全信賴的中心完成,且註冊資訊都是通過安全通道進行的。First, the user must register user information in a third-party registration center. When registering, a third-party registration center is required to have a radio frequency reading module in order to confirm the user's identity information and complete the user registration based on the information read from the radio frequency device. The registration process is performed on the premise that the entire process is completed in a center that the user fully trusts, and the registration information is carried out through a secure channel.

註冊過程如下:The registration process is as follows:

(1)用戶持自己的第二代居民身份證在官方指定的場所請求註冊。註冊中心人員採用認證系統的射頻裝置掃描用戶的智慧身份卡,讀取智慧身份卡中用戶的身份ID。在認證系統讀取用戶的ID後,系統會自動查詢用戶是否己經註冊過該系統。若用戶己經註冊過此系統返回提示資訊並結束使用者註冊子協定。(1) The user requests registration at an officially designated place with his second-generation resident identity card. The registration center staff uses the radio frequency device of the authentication system to scan the user's smart identity card and read the user's identity ID in the smart identity card. After the authentication system reads the user's ID, the system will automatically query whether the user has registered with the system. If the user has already registered, the system returns prompt information and ends the user registration sub-agreement.

(2)在確認用戶的ID沒有註冊而且符合註冊條件後,認證系統會請求用戶輸入登入密碼。使用者輸入完密碼後,系統首先使用用戶的密碼資訊生成對應於該ID的公鑰,然後根據橢圓曲線密碼演算法使用用戶公鑰加密用戶密碼,並將用戶的公鑰和用公鑰加密後的密碼和加密後的ID資訊存儲到第三方認證伺服器上。(2) After confirming that the user ID is not registered and meets the registration conditions, the authentication system will request the user to enter a login password. After the user enters the password, the system first uses the user's password information to generate a public key corresponding to the ID, and then uses the user's public key to encrypt the user's password according to the elliptic curve cryptographic algorithm, and then encrypts the user's public key and the public key. Password and encrypted ID information are stored on a third-party authentication server.

(3)在認證伺服器將用戶的身份資訊存儲到伺服器後。第三方註冊人員將認證系統安裝程式通過移動存放裝置或者安全通道傳送安裝到用戶的移動終端。(3) After the authentication server stores the user's identity information on the server. The third-party registered personnel transmits the installation program of the authentication system to the user's mobile terminal through a mobile storage device or a secure channel.

註冊成功之後即可使用移動終端進行身份認證,具體認證過程如下:After successful registration, you can use the mobile terminal for identity authentication. The specific authentication process is as follows:

步驟一:認證開始,首先需要在用戶端進行登入,驗證用戶身份和對應密碼,若雲端驗證無此用戶或者用戶名和密碼不符,則返回出錯資訊,用戶需要註冊或者重新輸入帳號和正確密碼。如用戶名和與之對應的密碼正確,則進入接下來認證過程。通訊模組中的網路通道傳輸的是驗證用戶的名稱與用戶的密碼資訊,雲端驗證從資料庫中提取這兩個資訊。Step 1: When authentication starts, you first need to log in at the client to verify the identity of the user and the corresponding password. If there is no such user in the cloud authentication or the username and password do not match, an error message is returned. The user needs to register or re-enter the account and correct password. If the user name and the corresponding password are correct, enter the next authentication process. The network channel in the communication module transmits the authentication user's name and user password information, and the cloud authentication extracts these two information from the database.

步驟二:登入成功之後,進入掃描智慧身份卡認證階段,用戶U使用移動終端設備將用戶身份證獲得身份卡ID資訊讀取到認證系統中,具體過程如下:Step 2: After logging in successfully, enter the scanning smart identity card authentication phase. User U uses the mobile terminal device to read the identity card ID information obtained by the user ’s ID card into the authentication system. The specific process is as follows:

(1)用戶通過射頻讀卡設備讀入身份卡資訊ID後,首先在移動設備終端進行以下計算:(1) After the user reads the ID card information ID through the RF card reader, the user first performs the following calculations on the mobile device terminal:

①使用用戶公鑰KuR加密身份ID得到加密後的用戶ID,利用隨機序列發生器產生亂數N1,並使用伺服器的公鑰計算認證請求,並暫存亂數Rl。① Use the user's public key KuR to encrypt the identity ID to obtain the encrypted user ID, use a random sequence generator to generate a random number N1, and use the server's public key to calculate the authentication request, and temporarily store the random number R1.

②發送消息認證請求,認證請求中包含加密後的用戶ID資訊及亂數N1,並且需要將亂數RI暫時保存。② Send a message authentication request. The authentication request contains the encrypted user ID information and the random number N1, and the random number RI needs to be temporarily stored.

(2)伺服器收到用戶發送的認證請求後:(2) After the server receives the authentication request from the user:

①雲端用私鑰根據橢圓曲線密碼演算法模組解密認證請求,得到用戶的ID加密後資訊和用戶發送的亂數Rl,然後伺服器查找該ID加密資訊是否跟認證資料庫中userN用戶所對應的EncipherID表項相符;若不相符,則返回出錯資訊,認證失敗,即每個用戶名跟其身份ID資訊是一對應綁定的,即使入侵者竊取到用戶名密碼登入系統由於不能掃入與之相對應的ID加密資訊,亦不能通過認證。① The private key in the cloud decrypts the authentication request according to the elliptic curve cryptographic algorithm module, and obtains the encrypted ID of the user and the random number Rl sent by the user, and then the server checks whether the encrypted ID information corresponds to the userN user in the authentication database. The EncipherID entries match; if they do not match, error information is returned, and authentication fails, that is, each user name is associated with its identity ID information. Even if the intruder steals the user name and password, the login system cannot scan in with The corresponding ID encrypted information cannot pass the authentication.

②若①中得到的ID加密資訊驗證正確,此時伺服器保存用戶發送的亂數N1。同時伺服器利用隨機序列發生器產生亂數N2,然後利用橢圓曲線密碼演算法模組和用戶的公鑰計算應答資訊,並發送至用戶端進行驗證。② If the ID encrypted information obtained in ① is correct, the server stores the random number N1 sent by the user. At the same time, the server uses a random sequence generator to generate a random number N2, and then uses the elliptic curve cryptographic algorithm module and the user's public key to calculate the response information and sends it to the client for verification.

(3)用戶收到伺服器的應答資訊,會進行一下計算:(3) The user receives the response information from the server and performs the following calculations:

①首先用戶用自己的私鑰解密應答資訊,此時用戶將獲得的N1與以前保存Rl相比較,若兩者不相等,則用戶對伺服器的認證失敗(伺服器可能被冒充),拒絕伺服器,認證結束。① First, the user decrypts the response information with his private key. At this time, the user compares the obtained N1 with the previously saved R1. If the two are not equal, the user's authentication to the server fails (the server may be impersonated) and the server is rejected. Device, authentication ends.

②若亂數N1相等,則用戶認證伺服器成功。同時用戶生成會話對稱密鑰K,計算伴隨著亂數N2的回應資訊,然後發送回應資訊至伺服器請求驗證。② If the random numbers N1 are equal, the user authentication server is successful. At the same time, the user generates a session symmetric key K, calculates the response information accompanied by the random number N2, and then sends the response information to the server to request verification.

(4)伺服器接收到用戶的回應資訊後,進行如下計算:(4) After receiving the user's response information, the server performs the following calculations:

①首先伺服器用自己的私鑰解密得到亂數N2。① First, the server decrypts with its private key to get the random number N2.

②伺服器首先比較亂數N2與保存的是否相等,若兩者不相等,則伺服器驗證用戶失敗。② The server first compares the random number N2 with the saved one. If the two are not equal, the server fails to verify the user.

本區塊鏈身份系統的優點如下:The advantages of this blockchain identity system are as follows:

(1)使用智慧身份卡,以保證用戶身份的安全性。(1) Use smart identity cards to ensure the security of user identity.

(2)將密碼資訊及智慧身份卡的ID資訊都加密,而不傳輸資訊明文,這樣即使入侵者通過網路偵聽等手段獲得通道的傳輸資訊,也無需擔心用戶密碼和身份證資訊被洩漏。(2) Encrypt the password information and the ID information of the smart ID card without transmitting the information in plain text. This way, even if an intruder obtains the transmission information of the channel through network listening and other means, there is no need to worry about the user password and ID information being leaked .

(3)身份生成過程以及身份認證過程使用了複雜的加密過程,可以有效防止重放攻擊。而且用戶端和雲端採用了二次認證,提高了認證過程中的可靠性與安全性。(3) The identity generation process and identity authentication process use a complex encryption process, which can effectively prevent replay attacks. In addition, the client and the cloud use secondary authentication, which improves the reliability and security during the authentication process.

以上所述僅為本發明之較佳實施例,並非用以限定本發明的申請專利範圍保護範圍。同時以上說明,對於相關技術領域的技術人員應可以理解及實施,因此其他基於本發明所揭示內容所完成的等同改變,均應包含在本申請專利範圍的涵蓋範圍內。The above description is only a preferred embodiment of the present invention, and is not intended to limit the protection scope of the patent application scope of the present invention. At the same time, the above description should be understood and implemented by those skilled in the relevant technical field, so other equivalent changes made based on the content disclosed in the present invention should be included in the scope of the patent scope of this application.

no

[圖1]為區塊鏈身份系統的結構圖。[Figure 1] is a block diagram of the blockchain identity system.

Claims (1)

一種區塊鏈身份系統,其特徵在於,包含用戶端、雲端,所述用戶端由射頻讀取模組、計算平臺、觸控式螢幕模組、通訊模組、智慧身份卡組成,所述雲端由區塊鏈多節點網路組成,所述區塊鏈多節點網路包括資料區塊鏈以及多節點網路,所述多節點網路負責與所述用戶端之間協調完成身份的生成過程以及身份認證過程,並且在其中調用所述資料區塊鏈; 所述計算平臺的內部包含觸控式螢幕控制器、通訊控制器及微型計算晶片; 所述觸控式螢幕控制器用於控制所述觸控式螢幕模組的顯示,將需要顯示的資訊發送給所述觸控式螢幕模組; 所述通訊控制器以串口通訊的方式調度所述射頻讀取模組、所述觸控式螢幕模組及所述通訊模組之間的交互通訊; 所述微型計算晶片用於處理所述身份的生成過程以及所述身份認證過程中的資訊; 所述智慧身份卡內建積體電路的晶片,所述晶片存有用戶ID編號,每個所述智慧身份卡的所述用戶ID編號都是唯一的,用於識別用戶身份,所述智慧身份卡由專門的廠商通過專門的設備生產,是不可複製的硬體,所述智慧身份卡由註冊過的合法用戶攜帶,認證時必須將所述智慧身份卡經過所述射頻讀取模組掃描讀入其中的所述用戶ID編號,以驗證用戶的身份; 所述觸控式螢幕模組採用五線電阻屏,依靠壓力感應原理,用於顯示以及輸入在所述身份的生成過程以及所述身份認證過程中所需的資訊; 所述通訊模組用於接收和發送相關資訊,內含網路傳輸篩檢程式及專用編碼晶片以實現所述計算平臺與所述雲端之間的通訊,並以資料幀的方式實現網路資料的接收和發送,並且還要在接收和發送時避免背景雜訊及干擾,所述資料幀的編碼方式為相位編碼,並採取同步時鐘編碼技術,在傳輸資料資訊的同時,也將時鐘同步信號一起傳輸到對方; 在所述區塊鏈多節點網路中,所述資料區塊鏈由一串按創建的時間順序相連的資料區塊組成,所述多節點網路是由多個節點構成的P2P網路,所述節點之間通過網路共用資訊及互相傳輸資訊,所述資料區塊鏈對所述多節點網路中所有所述節點都是開放的,所述資料區塊由區塊頭以及區塊主體組成,所述區塊頭包含前一資料區塊的哈希(Hash)值、時間戳、當前資料區塊的哈希值,所述前一資料區塊的哈希值用於不同所述資料區塊的連接,所述時間戳記錄當前所述資料區塊連接的時間,當前所述資料區塊的哈希值用於確保所述資料區塊的內容不會被篡改,所述區塊主體記錄了用戶身份的帳戶資訊,其中合法的所述用戶身份的帳戶資訊為:用戶名、用戶身份資訊、加密後的用戶密碼、加密後的所述用戶ID編號、用戶公鑰; 每個所述節點包含偽亂數產生器; 所述身份生成過程如下: 1)用戶在所述觸控式螢幕模組上輸入所述用戶名、所述用戶身份資訊、所述用戶密碼,並將所述用戶名、所述用戶身份資訊、所述用戶密碼傳輸給所述多節點網路,所述多節點網路檢驗所述用戶名在所述資料區塊鏈中是否存在,如果所述用戶名不存在,進行下一步,如果所述用戶名存在,傳送回饋資訊經由所述通訊模組傳送給所述計算平臺,所述計算平臺將所述回饋資訊處理,在所述觸控式螢幕模組上顯示“用戶存在,重新輸入”,用戶在所述觸控式螢幕模組上重新輸入所述用戶名,所述多節點網路重新檢驗用戶名在所述資料區塊鏈是否存在; 2)所述計算平臺驗證所述用戶密碼是否符合要求,如果所述用戶密碼符合要求,進行下一步,如果不符合要求傳輸給所述觸控式螢幕模組,在所述觸控式螢幕模組上顯示“用戶密碼不符合要求,重新輸入”,用戶在所述觸控式螢幕模組上重新輸入所述用戶密碼; 3)所述多節點網路產生亂數S1,並且所述亂數S1經過IDEA加密演算法進行加密生成加密後的所述亂數S1,將所述加密後的所述亂數S1廣播給所述多節點網路中所有所述節點,所有所述節點利用IDEA解密演算法解密加密後的所述亂數S1,最先解密出所述亂數S1的節點作為負責構建資料區塊鏈的節點; 4)所述負責構建資料區塊鏈的節點分配給用戶一個用戶公鑰,並通過哈希演算法將所述用戶身份資訊生成唯一的身份標識,所述負責構建資料區塊鏈的節點將生成後的所述唯一的身份標識進行數位簽章生成唯一的所述用戶ID編號,將所述用戶ID編號寫入所述智慧身份卡,由所述用戶公鑰進行加密生成所述加密後的所述用戶ID編號,把當前時間保存為所述當前資料區塊的時間戳,所述前一資料區塊的哈希值通過安全散列演算法生成所述當前資料區塊的哈希值,並且生成所述加密後的用戶密碼,所述生成所述加密後的用戶密碼的具體過程為:使用所述負責構建資料區塊鏈的節點,利用其包含的所述偽亂數產生器生成亂數,所述亂數作為用戶的鹽值,將所述用戶的鹽值混入所述用戶密碼,並使用加密哈希函數進行加密,生成所述加密後的用戶密碼;將所述用戶名、所述用戶身份資訊、所述加密後的用戶密碼、所述加密後的用戶ID編號、所述用戶公鑰組成所述用戶身份的帳戶資訊,與所述用戶的鹽值一起寫入所述當前資料區塊的所述區塊主體中; 所述偽亂數產生器的工作原理如下: 所述偽亂數產生器基於資料加密標準,包含三重資料加密標準演算法,可以循環地產生亂數;i為自然數的變量;用於表示第i輪亂數的產生計算,主要有3個組成部分: 1)輸入部分:所述輸入部分是兩個64位元的偽亂數Datei 及Vi ,其中,Datei 表示第i輪計算開始時的日期和時間,每產生一個亂數Ri後,Datei 需要更新一次,Vi 是產生第i個亂數時需要輸入的種子,其初值可任意設定,以後每輪計算都會自動更新; 2)密鑰產生器:所述用於每輪的具體計算,每輪計算都使用了三重資料演算法加密,每次加密使用兩個固定的56位元的密鑰K1和密鑰K2,這兩個密鑰必須保密,由所述偽亂數產生器指定; 3)輸出部分:輸出為一個64位元的亂數Ri和一個64位元的新種子Vi+1 ; 所述偽亂數產生器具有很高的安全強度,因為其採用了總共112位元長的密鑰和3個密鑰加密的資料演算法加密,同時還由於有兩個偽亂數輸入驅動,所述兩個偽亂數輸入一個是當前的日期和時間Datei ,另一個是上一輪產生的種子Vi ,每輪都產生亂數Ri,但是由於每輪種子不同,產生的亂數都不相同,因此,為每個用戶產生的亂數也不相同,所以無法通過上一輪產生的亂數來推斷下一輪產生的亂數; 所述身份認證過程如下: 第一步,所述用戶端向所述雲端發出認證請求,將所述智慧身份卡中所存的所述用戶ID編號經由所述射頻讀取模組讀入,所述多節點網路檢測其在所述資料區塊鏈中是否存在,如果存在再進行第二步,如果不存在結束所述身份認證過程; 第二步,初次認證,所述雲端經由所述通訊模組回饋給所述計算平臺開始認證的資訊,所述計算平臺處理所述開始認證的資訊,所述開始認證的資訊在所述觸控式螢幕模組顯示提示用戶輸入所述用戶名以及所述用戶密碼,用戶在所述觸控式螢幕模組輸入後,初步驗證用戶,根據收到的輸入的所述用戶名,所述多節點網路判斷其合法性,如果是合法用戶,再檢驗輸入的所述用戶密碼是否正確,從所述區塊鏈多節點網路中取出所述用戶的鹽值,將所述用戶的鹽值混入所述輸入的所述用戶密碼,並且使用所述加密哈希函數進行加密,比較結果和對應資料區塊儲存的所述加密後的用戶密碼是否相同,如果相同那麼初步判斷所述輸入的所述用戶密碼正確,進入第三步,如果不相同則判斷所述輸入的所述用戶密碼不正確; 第三步,二次認證,所述計算平臺選取大素數p及整數a,並將這兩個數公開,即這兩個數對所述用戶端與所述多節點網路都可見,所述多節點網路選取隨機的大素數x,所述大素數x滿足x<p-1,計算ax mod p,所述大素數x的值保密,只對所述多節點網路可見;所述用戶端將所述用戶密碼及所述用戶的鹽值級聯,計算散列值Z1,並生成亂數S1,將計算後的散列值Z1與計算後的所述ax mod p的值、所述亂數S1級聯再進行一次散列運算得到散列值Z2,所述用戶端連同所述亂數S1、計算後的所述ax mod p的值和所述散列值Z2一起發送給所述多節點網路; 第四步,所述多節點網路取出存儲在所述資料區塊鏈的所述加密後的用戶密碼;與收到的所述亂數S1、計算後的所述ax mod p的值級聯再進行散列運算得到散列值Z3,與所述散列值Z2進行比較,相等則繼續,否則判斷不一致,所述多節點網路隨機選取大素數y,滿足y<q,計算ay mod p,並將所述大素數y的值保密;所述多節點網路將所述加密後的用戶密碼、所述亂數S1和計算後的所述ay mod p的值再次級聯進行散列運算得到散列值Z4,並且將所述散列值Z4、計算後的所述ay mod p的值發送給所述用戶端; 第五步,所述用戶端將在第三步得到的所述散列值Z1、將計算後的所述ay mod p的值和所述亂數S1級聯並進行散列運算,將計算結果和第四步收到的消息中的所述散列值Z4進行比較,相等則回送給所述雲端一個認證成功的應答信號,否則返回認證失敗的消息; 經過以上五個步驟,所述雲端與所述用戶端都成功地驗證了對方的身份; 所述區塊鏈身份系統採用的通訊模式是一種開放系統結構的網路方式,由所述用戶端首先向所述雲端提出請求,所述雲端對所述請求做相應的處理並執行所述請求中包含的任務,然後將結果返回給所述用戶端。A blockchain identity system is characterized in that it includes a client and a cloud. The client is composed of a radio frequency reading module, a computing platform, a touch screen module, a communication module, and a smart identity card. The cloud It consists of a blockchain multi-node network, which includes a data blockchain and a multi-node network. The multi-node network is responsible for completing the identity generation process with the user terminal. And an identity authentication process, in which the data blockchain is invoked; the inside of the computing platform includes a touch screen controller, a communication controller, and a micro-computing chip; the touch screen controller is used to control the The display of the touch screen module sends information to be displayed to the touch screen module; the communication controller dispatches the radio frequency reading module and the touch screen in a serial communication manner. Interactive communication between the module and the communication module; the micro-computing chip is used to process information of the identity generation process and the identity authentication process; the smart identity card A chip for an integrated circuit, the chip stores a user ID number, and the user ID number of each of the smart identity cards is unique and is used to identify a user. The smart identity card is passed by a specialized manufacturer. Special equipment production is non-copyable hardware. The smart identity card is carried by a registered legal user. During authentication, the smart identity card must be scanned and read by the user through the radio frequency reading module. ID number to verify the identity of the user; the touch screen module uses a five-wire resistive screen and relies on the principle of pressure sensing for displaying and inputting the required information during the identity generation process and the identity authentication process Information; the communication module is used to receive and send related information, and includes a network transmission screening program and a dedicated code chip to implement communication between the computing platform and the cloud, and implement the network in the form of data frames To receive and send data, and to avoid background noise and interference when receiving and sending, the coding method of the data frame is phase coding, and synchronous clock coding is adopted. Technology, while transmitting data information, it also transmits clock synchronization signals to each other together; in the blockchain multi-node network, the data blockchain is composed of a series of data blocks connected in chronological order of creation Composition, the multi-node network is a P2P network composed of multiple nodes, the nodes share information and transmit information to each other through the network, and the data block chain connects all the nodes in the multi-node network. The nodes are all open. The data block is composed of a block header and a block body. The block header includes a hash value of the previous data block, a timestamp, and a hash value of the current data block. The hash value of the previous data block is used for connection of different data blocks, the timestamp records the current time when the data block is connected, and the current hash value of the data block is used for To ensure that the content of the data block cannot be tampered with, the block body records the account information of the user identity, and the legal account information of the user identity is: username, user identity information, encrypted user password ,encryption The user ID number and the user public key; each of the nodes includes a pseudo-random number generator; the identity generation process is as follows: 1) the user enters the user name, all addresses on the touch screen module The user identity information, the user password, and transmitting the user name, the user identity information, and the user password to the multi-node network, and the multi-node network verifies that the user name is in the Whether the data exists in the blockchain. If the user name does not exist, go to the next step. If the user name exists, send feedback information to the computing platform via the communication module. Feedback information processing, "user exists, re-enter" is displayed on the touch screen module, the user re-enters the user name on the touch screen module, and the multi-node network re-examines the user Whether the name exists in the data blockchain; 2) the computing platform verifies whether the user password meets the requirements, if the user password meets the requirements, proceed to the next step, and if it does not meet the requirements, Input to the touch screen module, "user password does not meet requirements, re-enter" is displayed on the touch screen module, and the user re-enters the user password on the touch screen module 3) the multi-node network generates a random number S1, and the random number S1 is encrypted by an IDEA encryption algorithm to generate the encrypted random number S1, and the encrypted random number S1 is broadcast to All the nodes in the multi-node network, all the nodes use the IDEA decryption algorithm to decrypt the encrypted random number S1, and the node that first decrypts the random number S1 is used to construct the data block chain. Nodes; 4) The node responsible for building the data blockchain assigns a user public key to the user, and generates a unique identity by the user identity information through a hash algorithm, and the node responsible for building the data blockchain Digitally sign the generated unique identity identifier to generate the unique user ID number, write the user ID number to the smart identity card, and encrypt the user public key to generate the encryption The place The user ID number, save the current time as the timestamp of the current data block, the hash value of the previous data block generates a hash value of the current data block by a secure hash algorithm, and Generating the encrypted user password, and the specific process of generating the encrypted user password is: using the node responsible for constructing the data blockchain and generating random numbers using the pseudo random number generator included therein The random number is used as the salt value of the user, and the salt value of the user is mixed into the user password, and encrypted using a cryptographic hash function to generate the encrypted user password; the user name, the The user identity information, the encrypted user password, the encrypted user ID number, and the user public key constitute account information of the user identity, and are written into the current data area together with the salt value of the user In the block body of the block, the working principle of the pseudo random number generator is as follows: The pseudo random number generator is based on a data encryption standard and includes a triple data encryption standard algorithm, which can cycle real estate Nonce; i is a natural number of variables; means for generating the i-th round denotes the nonce calculation, there are three main components: 1) an input section: the input section is two 64-bit pseudo-random number i a Date and V i, wherein, a date i represents the i-th round calculating date and time at the beginning, after each generate a random number Ri, date i need to be updated once, V i is to produce a seed to enter when the i-th random number, which The initial value can be set arbitrarily, and it will be automatically updated in each subsequent round of calculations; 2) Key generator: The specific calculations used for each round, each round of calculations uses triple data algorithm encryption, each encryption uses two fixed 56-bit key K1 and key K2, these two keys must be kept secret and specified by the pseudo-random number generator; 3) output part: the output is a 64-bit random number Ri and a 64-bit The new seed V i + 1 of the element; the pseudo-random number generator has a high security strength, because it uses a 112-bit long key and 3 key-encrypted data algorithm encryption, and also because There are two pseudo random number inputs driven, one of the two pseudo random number inputs is current And time Date i, and the other is on a seed produced V i, each round generated random number Ri, but due to the different round seeds, random number generator are not the same, therefore, a random number generated for each user It is also different, so the random number generated in the next round cannot be inferred from the random number generated in the previous round. The identity authentication process is as follows: In the first step, the client sends an authentication request to the cloud to identify the smart identity. The user ID number stored in the card is read in by the radio frequency reading module, and the multi-node network detects whether it exists in the data block chain, and if it exists, the second step is performed, and if it does not exist, Ending the identity authentication process; in the second step, initial authentication, the cloud sends back to the computing platform information for starting authentication via the communication module, the computing platform processes the information for starting authentication, and the authentication starts The information displayed on the touch screen module prompts the user to enter the user name and the user password. After the user enters the touch screen module, the user initially verifies the user. After receiving the input user name, the multi-node network judges its legitimacy. If it is a legitimate user, it checks whether the user password entered is correct, and takes out all the addresses from the blockchain multi-node network. The user's salt value, mixing the user's salt value into the input user password, and encrypting using the cryptographic hash function, comparing the result with the encrypted user password stored in the corresponding data block Whether they are the same, if they are the same, then it is judged that the entered user password is correct, and the process proceeds to the third step; if they are not the same, it is judged that the entered user password is incorrect; the third step, the second authentication, the calculation The platform selects a large prime number p and an integer a, and makes these two numbers public, that is, the two numbers are visible to the client and the multi-node network, and the multi-node network selects a random large prime number x, where the large prime number x satisfies x <p-1, calculate a x mod p, and the value of the large prime number x is confidential and only visible to the multi-node network; the user terminal sends the user password And the user's salt value cascade to calculate the hash Value Z1, and generate a random number S1. Cascade the calculated hash value Z1 with the calculated value of a x mod p and the random number S1, and perform a hash operation again to obtain a hash value Z2. The client sends the calculated value of the a x mod p and the hash value Z2 to the multi-node network together with the random number S1, the fourth step, the multi-node network fetches storage The encrypted user password in the data block chain; concatenating the received random number S1, the calculated value of a x mod p, and performing a hash operation to obtain a hash value Z3, Compare with the hash value Z2, continue if they are equal, otherwise the judgment is inconsistent. The multi-node network randomly selects a large prime y, satisfying y <q, calculates a y mod p, and compares the large prime y And the multi-node network cascades the encrypted user password, the random number S1, and the calculated value of a y mod p to perform a hash operation again to obtain a hash value Z4, and Z4 sends the hash value, the value of the calculation of a y mod p to the user terminal; a fifth step, the UE obtained in the third step of the Hash value Z1, the post-calculation of a y mod p concatenated value and the nonce S1 and hashed, the hash value calculation result and the fourth Z4 message received in step If the comparison is equal, an authentication response response signal is returned to the cloud, otherwise an authentication failure message is returned; after the above five steps, the cloud and the client successfully verify the identity of each other; the area The communication mode adopted by the blockchain identity system is a network system with an open system structure. The client first makes a request to the cloud, and the cloud processes the request accordingly and executes the request contained in the request. Task, and then return the result to the client.
TW106131301A 2016-09-12 2017-09-12 Blockchain identity system TWI749061B (en)

Applications Claiming Priority (9)

Application Number Priority Date Filing Date Title
CN201610818053.3 2016-09-12
CN201610818053 2016-09-12
??201610818054.8 2016-09-12
??201610818053.3 2016-09-12
CN201610815590.2 2016-09-12
CN201610818054 2016-09-12
??201610815590.2 2016-09-12
CN201610818054.8 2016-09-12
CN201610815590 2016-09-12

Publications (2)

Publication Number Publication Date
TW201812630A true TW201812630A (en) 2018-04-01
TWI749061B TWI749061B (en) 2021-12-11

Family

ID=61561350

Family Applications (2)

Application Number Title Priority Date Filing Date
TW106131301A TWI749061B (en) 2016-09-12 2017-09-12 Blockchain identity system
TW106131303A TWI750223B (en) 2016-09-12 2017-09-12 Blockchain encrypted radio frequency chip storage design method

Family Applications After (1)

Application Number Title Priority Date Filing Date
TW106131303A TWI750223B (en) 2016-09-12 2017-09-12 Blockchain encrypted radio frequency chip storage design method

Country Status (2)

Country Link
TW (2) TWI749061B (en)
WO (2) WO2018046008A1 (en)

Cited By (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN110516451A (en) * 2019-07-24 2019-11-29 杭州电子科技大学 Block chain-based method for notification of secret level changes and decryption reminders for deriving encrypted files
TWI707244B (en) * 2018-09-04 2020-10-11 香港商阿里巴巴集團服務有限公司 Block chain cross-chain authentication method, system, server and readable storage medium
TWI711000B (en) * 2019-09-30 2020-11-21 辰光能源科技有限公司 Environmental health and product quality establishment system
US10917230B2 (en) 2019-03-29 2021-02-09 Advanced New Technologies Co., Ltd. Managing sensitive data elements in a blockchain network
TWI727474B (en) * 2019-10-25 2021-05-11 李婷婷 Digital identity management system and method
TWI740234B (en) * 2019-10-16 2021-09-21 辰光能源科技有限公司 Real Food System

Families Citing this family (39)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN108306896B (en) * 2018-03-29 2023-06-23 上海交通大学 A substation status monitoring system and method with data protection function
CN108768933B (en) * 2018-04-11 2020-11-03 深圳技术大学 Autonomous supervision digital identity authentication system on block chain platform
CN109255619A (en) * 2018-09-26 2019-01-22 北京亚联之星信息技术有限公司 A kind of identity identifying method and equipment based on block chain
CN109583215B (en) * 2018-09-28 2022-11-15 创新先进技术有限公司 Method and device for processing credit investigation data and block chain data sharing system
CN109598518A (en) 2018-09-30 2019-04-09 阿里巴巴集团控股有限公司 Method for anti-counterfeit and device, electronic equipment based on block chain
US10970372B2 (en) 2018-11-01 2021-04-06 Microsoft Technology Licensing, Llc Revocable biometric print based identification
CN109447029B (en) * 2018-11-12 2022-09-02 公安部第三研究所 Electronic identity card photo generation system and method
CN111224804B (en) * 2018-11-26 2022-12-09 中国移动通信集团辽宁有限公司 Initialization method and device of Internet of Things device, Internet of Things device and storage medium
CN109493058A (en) * 2018-12-14 2019-03-19 深圳壹账通智能科技有限公司 A kind of personal identification method and relevant device based on block chain
CN111327568B (en) * 2018-12-14 2022-04-01 中国电信股份有限公司 Identity authentication method and system
CN109861996B (en) * 2019-01-17 2023-06-02 深圳壹账通智能科技有限公司 Block chain-based relationship proving method, device, equipment and storage medium
CN111522809B (en) * 2019-02-02 2023-04-21 阿里巴巴集团控股有限公司 Data processing method, system and equipment
GB2581527B (en) * 2019-02-22 2023-02-08 Secure Thingz Ltd Security data processing device
CN110457954B (en) * 2019-07-29 2023-08-25 创新先进技术有限公司 Contract management device and method
CN110532293B (en) * 2019-09-02 2023-04-07 浪潮软件股份有限公司 Data stream life cycle management method and system based on block chain technology
CN110781140B (en) * 2019-09-06 2023-08-18 平安科技(深圳)有限公司 Method, device, computer equipment and storage medium for signing data in blockchain
CN110570309B (en) * 2019-09-16 2023-06-16 上海保险交易所股份有限公司 Method and system for replacing a leader of a blockchain network
CN111092851A (en) * 2019-09-23 2020-05-01 上海唯链信息科技有限公司 Data verification method and device for Internet of things temperature detection equipment based on blockchain
CN110990808B (en) * 2019-11-21 2022-04-01 杭州趣链科技有限公司 Notarization number shaking method based on block chain
CN111556007B (en) * 2020-03-03 2021-09-24 支付宝实验室(新加坡)有限公司 Identity verification method, device and equipment based on block chain and storage medium
CN111428253B (en) * 2020-03-24 2023-04-07 福建福链科技有限公司 Data protection method and system suitable for block chain
TWI729781B (en) * 2020-04-21 2021-06-01 麥睿資訊股份有限公司 Data authentication system and data authentication method thereof
CN111914270B (en) * 2020-07-08 2024-09-10 广西佳壹大数据科技股份有限公司 Programmable authentication service method and system based on block chain technology
CN112073661B (en) * 2020-08-03 2022-10-25 浙江旅游职业学院 Tamper-proof video monitoring system for sterile workshop
CN112184974B (en) * 2020-09-27 2022-06-07 江苏天创科技有限公司 Monitoring system based on 5G communication node
CN112447291B (en) * 2020-11-23 2023-03-28 四川大学华西医院 Block chain-based method for sharing hospital data
CN112561006B (en) * 2020-12-04 2023-08-29 中国联合网络通信集团有限公司 Electronic license plate management method, radio frequency identification reader-writer, node, equipment and medium
CN112749409B (en) * 2021-01-06 2024-03-08 上海零数众合信息科技有限公司 Encryption method based on random number in block chain
CN112819628B (en) * 2021-02-01 2024-02-02 网易(杭州)网络有限公司 Transaction replay prevention detection method, device and system, electronic equipment and storage medium
CN112989392B (en) * 2021-04-19 2022-08-30 河北科技大学 Battlefield situation perception method, system and terminal equipment
CN113570321B (en) * 2021-04-29 2022-12-16 国家能源集团新能源有限责任公司 Hydrogen energy data management system
CN113364596A (en) * 2021-05-27 2021-09-07 南方科技大学 Ore digging method and device based on block chain, mobile terminal and storage medium
CN114189388B (en) * 2021-12-17 2024-11-12 中国电子科技网络信息安全有限公司 A consortium chain key management system and method
CN114584343B (en) * 2022-01-24 2023-05-02 厦门理工学院 Data protection method and system for cloud computing center and readable storage medium
CN114900348B (en) * 2022-04-28 2024-01-30 福建福链科技有限公司 Block chain sensor data verification method and terminal
CN115174094B (en) * 2022-06-15 2024-12-03 桂林电子科技大学 Method for controlling and managing industrial Internet security access
CN115002779B (en) * 2022-07-29 2022-11-22 杭州宇链科技有限公司 Pseudo base station prevention and control method and system based on block chain and security chip
CN116132174B (en) * 2023-02-13 2024-04-16 华中师范大学 A remote secure communication method, system and terminal for 5G vehicle networking supply chain
CN116828457B (en) * 2023-08-30 2023-11-17 四川轻化工大学 Intelligent wireless monitoring methods, systems and media used in wine cellars

Family Cites Families (18)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US6061449A (en) * 1997-10-10 2000-05-09 General Instrument Corporation Secure processor with external memory using block chaining and block re-ordering
US6831982B1 (en) * 1999-11-19 2004-12-14 Storage Technology Corporation Encryption key management system using multiple smart cards
GB9930145D0 (en) * 1999-12-22 2000-02-09 Kean Thomas A Method and apparatus for secure configuration of a field programmable gate array
TWI351864B (en) * 2005-03-25 2011-11-01 Via Tech Inc Apparatus and method for employing cyrptographic f
CN101484904A (en) * 2006-07-07 2009-07-15 桑迪士克股份有限公司 Content control system and method using versatile control structure
KR101366243B1 (en) * 2006-12-04 2014-02-20 삼성전자주식회사 Method for transmitting data through authenticating and apparatus therefor
CN101308546B (en) * 2008-05-20 2011-04-20 上海华申智能卡应用系统有限公司 Radio frequency label data protection method of safe storage structure having multi-stage protection
CN102144371B (en) * 2008-09-10 2015-06-03 Lg电子株式会社 Method for selectively encrypting control signal
JP5813380B2 (en) * 2011-06-03 2015-11-17 株式会社東芝 Semiconductor memory device
US10102510B2 (en) * 2012-11-28 2018-10-16 Hoverkey Ltd. Method and system of conducting a cryptocurrency payment via a mobile device using a contactless token to store and protect a user's secret key
US10346814B2 (en) * 2014-06-04 2019-07-09 MONI Limited System and method for executing financial transactions
TWI528217B (en) * 2014-07-02 2016-04-01 柯呈翰 A method and system for adding dynamic labels to a file and encrypting the file
CN205003731U (en) * 2015-09-30 2016-01-27 深圳市招股科技有限公司 Digital cash hardware wallet based on two interfaces IC -card
CN105701372B (en) * 2015-12-18 2019-04-09 布比(北京)网络技术有限公司 A kind of building of block chain identity and verification method
CN105610578B (en) * 2016-01-25 2019-05-03 杭州复杂美科技有限公司 Block chain information deposits card and method for secret protection
CN105790954B (en) * 2016-03-02 2019-04-09 布比(北京)网络技术有限公司 A kind of method and system constructing electronic evidence
CN105871855B (en) * 2016-04-11 2019-09-13 杨鹏 The method and system that a kind of electronic equipment identification code is generated, stores and identified
CN105812126B (en) * 2016-05-19 2018-10-12 齐鲁工业大学 Lightweight backup and the efficient restoration methods of healthy block chain data encryption key

Cited By (8)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
TWI707244B (en) * 2018-09-04 2020-10-11 香港商阿里巴巴集團服務有限公司 Block chain cross-chain authentication method, system, server and readable storage medium
US10979231B2 (en) 2018-09-04 2021-04-13 Advanced New Technologies Co., Ltd. Cross-chain authentication method, system, server, and computer-readable storage medium
US10917230B2 (en) 2019-03-29 2021-02-09 Advanced New Technologies Co., Ltd. Managing sensitive data elements in a blockchain network
TWI720727B (en) * 2019-03-29 2021-03-01 開曼群島商創新先進技術有限公司 Computer-implemented method for managing sensitive data elements that are stored in a blockchain network, apparatus and system for managing sensitive data elements stored in a blockchain network
CN110516451A (en) * 2019-07-24 2019-11-29 杭州电子科技大学 Block chain-based method for notification of secret level changes and decryption reminders for deriving encrypted files
TWI711000B (en) * 2019-09-30 2020-11-21 辰光能源科技有限公司 Environmental health and product quality establishment system
TWI740234B (en) * 2019-10-16 2021-09-21 辰光能源科技有限公司 Real Food System
TWI727474B (en) * 2019-10-25 2021-05-11 李婷婷 Digital identity management system and method

Also Published As

Publication number Publication date
TW201812638A (en) 2018-04-01
WO2018046008A1 (en) 2018-03-15
TWI749061B (en) 2021-12-11
WO2018046009A1 (en) 2018-03-15
TWI750223B (en) 2021-12-21

Similar Documents

Publication Publication Date Title
TWI749061B (en) Blockchain identity system
CN106789047B (en) A kind of block chain identification system
CN108092776B (en) System based on identity authentication server and identity authentication token
Odelu et al. Provably secure authenticated key agreement scheme for distributed mobile cloud computing services
Tan et al. A PUF-based and cloud-assisted lightweight authentication for multi-hop body area network
CN105162772B (en) A kind of internet of things equipment certifiede-mail protocol method and apparatus
CN104579694B (en) A kind of identity identifying method and system
US9225717B1 (en) Event-based data signing via time-based one-time authentication passcodes
CN102026195B (en) Method and system for mobile terminal identity authentication based on one-time password
Ostad‐Sharif et al. An enhanced anonymous and unlinkable user authentication and key agreement protocol for TMIS by utilization of ECC
US20160080157A1 (en) Network authentication method for secure electronic transactions
US20020166048A1 (en) Use and generation of a session key in a secure socket layer connection
CN105553654B (en) Key information processing method and device, key information management system
CN111654481B (en) Identity authentication method, identity authentication device and storage medium
CN105072110A (en) Two-factor remote identity authentication method based on smart card
Le et al. An anonymous key distribution scheme for group healthcare services in 5G-enabled multi-server environments
Das A secure and robust password-based remote user authentication scheme using smart cards for the integrated epr information system
Amintoosi et al. TAMA: three-factor authentication for multi-server architecture
CN115348107A (en) Internet of things device security login method, device, computer equipment and storage medium
Long et al. Energy-efficient and intrusion-resilient authentication for ubiquitous access to factory floor information
Truong et al. Improved Chebyshev Polynomials‐Based Authentication Scheme in Client‐Server Environment
CN118174921A (en) Multi-factor SSH login authentication method based on national encryption algorithm and supporting bidirectional authentication
CN115883104B (en) Secure login method and device for terminal equipment and nonvolatile storage medium
CN117336092A (en) Client login method and device, electronic equipment and storage medium
CN112422534B (en) Credit evaluation method and equipment for electronic certificate