[go: up one dir, main page]

CN115883102A - Cross-domain identity authentication method and system based on identity credibility and electronic equipment - Google Patents

Cross-domain identity authentication method and system based on identity credibility and electronic equipment Download PDF

Info

Publication number
CN115883102A
CN115883102A CN202211498448.1A CN202211498448A CN115883102A CN 115883102 A CN115883102 A CN 115883102A CN 202211498448 A CN202211498448 A CN 202211498448A CN 115883102 A CN115883102 A CN 115883102A
Authority
CN
China
Prior art keywords
identity
credibility
user
domain
authentication
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Granted
Application number
CN202211498448.1A
Other languages
Chinese (zh)
Other versions
CN115883102B (en
Inventor
陈晶
何琨
杨智
吴聪
加梦
杜瑞颖
吴云坤
陈华平
纪胜龙
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Wuhan University WHU
Original Assignee
Wuhan University WHU
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Wuhan University WHU filed Critical Wuhan University WHU
Priority to CN202211498448.1A priority Critical patent/CN115883102B/en
Publication of CN115883102A publication Critical patent/CN115883102A/en
Application granted granted Critical
Publication of CN115883102B publication Critical patent/CN115883102B/en
Active legal-status Critical Current
Anticipated expiration legal-status Critical

Links

Images

Landscapes

  • Management, Administration, Business Operations System, And Electronic Commerce (AREA)

Abstract

The invention discloses a cross-domain identity authentication method, a system and electronic equipment based on identity credibility. The unique identity authorization module is used for converting the digital identity of the user into a publicly verifiable unique identity to realize the binding of the digital identity and the identity reliability; the privacy protection module based on homomorphic encryption and zero knowledge range certification is used for encrypting and verifying identity credibility records which are publicly stored in a federation chain account book, and the safety and the correctness of the public records are ensured; and the management and sharing module based on the identity credibility of the alliance chain is used for realizing dynamic maintenance and cross-domain identity authentication of the identity credibility. The invention provides a cross-domain unified management mode of identity credibility, and realizes the safe comparison of the identity credibility between the security domains on the premise of protecting the privacy of users.

Description

基于身份可信度的跨域身份认证方法、系统及电子设备Cross-domain identity authentication method, system and electronic device based on identity credibility

技术领域technical field

本发明属于应用密码学中具有隐私保护特性的跨域身份认证技术领域,涉及一种身份认证方法、系统及电子设备,具体涉及一种基于身份可信度的跨域身份认证方法、系统及电子设备。The invention belongs to the technical field of cross-domain identity authentication with privacy protection characteristics in applied cryptography, and relates to an identity authentication method, system and electronic equipment, in particular to a cross-domain identity authentication method, system and electronic device based on identity credibility. equipment.

背景技术Background technique

基于用户名和口令的身份认证是Web应用的一种通用鉴权方式。每个Web应用的身份认证服务都会形成一个独立的安全域,并且仅能识别本域中的数字身份。跨域身份认证允许用户只拥有一个安全域的身份,但是可以被其他安全域识别。然而各安全域由于缺乏可信的数据共享渠道,只能被动地接受来自域外的身份凭证,而难以对其身份风险进行评估。Identity authentication based on user name and password is a common authentication method for Web applications. The identity authentication service of each web application forms an independent security domain, and can only identify digital identities in this domain. Cross-domain authentication allows users to only have the identity of one security domain, but can be identified by other security domains. However, due to the lack of credible data sharing channels, each security domain can only passively accept identity credentials from outside the domain, making it difficult to assess its identity risk.

目前,日渐丰富的Web应用市场使得跨域请求数量增长迅速,用户和服务提供商均对跨域身份认证服务的功能和安全性有了更高的要求。一方面,在信用体系中存在着多方信用联合授信的场景;类似地,在身份认证中,同一用户在多个域的身份同样可以作为跨域身份认证的凭证来源;另一方面,为了减少系统风险,做好Web服务的安全防护,各企业和部门会根据系统安全策略和隐私需求,建立不同的身份可信度模型,评估本域用户身份的信用状态。身份可信度模型通过分析存储在身份认证服务器中的日志文件,获取本域用户的历史行为记录,从而根据特定的计算规则得到目标身份当前的信用等级;并且系统可以分析用户行为偏好,以动态地监控异常的身份认证行为。但是,在跨域场景下,现有的身份认证框架难以可靠地实现上述需求:首先,无论是集中式认证服务还是第三方认证服务,均属于中心化的服务节点,存在着单点失效的风险。其次,由于数据保密要求和用户隐私的考虑,各身份认证服务提供机构缺乏身份状态和身份风险相关数据的公开维护和共享的渠道,因此只能被动地接受来自第三方的身份凭证。最后,基于传统数据库的日志存储方式也无法提供可靠的数据全生命周期的回溯和审计方式。因此,如何在保护用户隐私的前提下,对身份可信度进行可靠地存储、共享和比较,以实现跨域身份认证是亟待解决的问题。At present, the increasingly rich web application market has led to a rapid increase in the number of cross-domain requests, and both users and service providers have higher requirements for the function and security of cross-domain identity authentication services. On the one hand, there are multi-party credit joint credit scenarios in the credit system; similarly, in identity authentication, the identity of the same user in multiple domains can also be used as a credential source for cross-domain identity authentication; on the other hand, in order to reduce system Risks, to do a good job in the security protection of Web services, each enterprise and department will establish different identity credibility models according to system security policies and privacy requirements, and evaluate the credit status of user identities in the domain. The identity credibility model obtains the historical behavior records of users in this domain by analyzing the log files stored in the identity authentication server, so as to obtain the current credit level of the target identity according to specific calculation rules; and the system can analyze user behavior preferences to dynamically Monitor abnormal identity authentication behaviors in a timely manner. However, in a cross-domain scenario, the existing identity authentication framework is difficult to reliably meet the above requirements: First, whether it is a centralized authentication service or a third-party authentication service, they all belong to centralized service nodes, and there is a risk of single point failure . Secondly, due to data confidentiality requirements and user privacy considerations, each identity authentication service provider lacks channels for public maintenance and sharing of identity status and identity risk-related data, so they can only passively accept identity credentials from third parties. Finally, the traditional database-based log storage method cannot provide a reliable way of backtracking and auditing the entire data life cycle. Therefore, under the premise of protecting user privacy, how to reliably store, share and compare identity credibility to achieve cross-domain identity authentication is an urgent problem to be solved.

基于中心化策略的认证方式过于依赖于单一信任中心,即使引入多服务节点构成的认证服务集群也仅能解决由物理因素导致的单点失效问题,并不能在逻辑上将信任分散,实现去中心化的身份认证。现有的分布式身份认证方案通常基于公共区块链技术,对身份认证数据进行公开维护,为跨域身份认证提供了解决思路,然而由于公共区块链吞吐量低并且缺少链上数据的访问控制机制,在存储效率和隐私保护方面存在着挑战性问题。The authentication method based on the centralized strategy is too dependent on a single trust center. Even if the authentication service cluster composed of multiple service nodes is introduced, it can only solve the problem of single point failure caused by physical factors, and cannot logically disperse trust and realize decentralization. standardized identity authentication. Existing distributed identity authentication schemes are usually based on public blockchain technology, which publicly maintains identity authentication data and provides solutions for cross-domain identity authentication. However, due to the low throughput of public blockchains and the lack of access to data on the chain control mechanism, there are challenging issues in terms of storage efficiency and privacy protection.

Hyperledger Fabric联盟链作为开源的企业级准入许可分布式账本技术,针对企业用户的上述需求做出了特殊的设计。首先,在身份管理方面,Fabric将区块链网络划分为由多个组织共同维护的联盟,并定义了组织中各种类型的参与者,比如Peer节点,排序服务节点,各组织的客户端应用程序以及各组织的联盟链管理员等。这些身份信息与根CA和中间CA分发的数字证书中的数字身份严格关联;因此,数字证书中定义的数字身份就与Fabric网络中的职责,以及特定资源的访问权限相对应。其次,在交易的确认和共识机制上,Fabric利用统一的透明治理模式和严格的准入机制,通过引入排序节点和背书机制实现了交易执行和排序的分离;通过支持可插拔的共识协议,在可信任的权威机构管理模式下采用确定性的共识算法,保证Peer节点验证的区块都是最终状态并且是正确的,从而避免了公开区块链中的分叉情况。最后,Fabric还支持智能合约技术。智能合约的定义是将企业业务之间的交互的数据、规则、概念定义和业务流程等组成的业务模型转化为添加到分布式账本中事实记录的可执行逻辑。为了更好地管理物理地存储在Peer节点上的智能合约,Fabric将特定的业务流程的智能合约打包到用于合约安装和实例化的专用技术容器中,该容器称为链码。Hyperledger Fabric alliance chain, as an open source enterprise-level access license distributed ledger technology, has made a special design for the above-mentioned needs of enterprise users. First of all, in terms of identity management, Fabric divides the blockchain network into alliances maintained by multiple organizations, and defines various types of participants in the organization, such as Peer nodes, sorting service nodes, and client applications of each organization Programs and alliance chain administrators of various organizations, etc. These identity information are strictly associated with the digital identities in the digital certificates distributed by the root CA and the intermediate CA; therefore, the digital identities defined in the digital certificates correspond to the responsibilities in the Fabric network and the access rights to specific resources. Secondly, in terms of transaction confirmation and consensus mechanism, Fabric uses a unified transparent governance model and strict access mechanism to realize the separation of transaction execution and sequencing by introducing sorting nodes and endorsement mechanisms; by supporting pluggable consensus protocols, A deterministic consensus algorithm is adopted under the trusted authority management mode to ensure that the blocks verified by Peer nodes are all final and correct, thereby avoiding forks in the public blockchain. Finally, Fabric also supports smart contract technology. The definition of smart contract is to transform the business model consisting of data, rules, concept definitions and business processes of the interaction between enterprise businesses into executable logic added to the fact records in the distributed ledger. In order to better manage the smart contracts physically stored on Peer nodes, Fabric packages the smart contracts of specific business processes into a dedicated technology container for contract installation and instantiation, which is called chain code.

虽然Fabric区块链提供了通道架构和私有数据实现了个别组织间的保密交易,但是在参与保密交易的组织间,仍然需要公开用于交易的数据。因此,针对数值信息在联盟链账本上的保密维护,可以采用同态加密密码体制来保证密文的可计算性,以及通过零知识证明中的范围证明来保证密文处于合法的范围区间。Although the Fabric blockchain provides channel architecture and private data to realize confidential transactions between individual organizations, the data used for transactions still needs to be disclosed between organizations participating in confidential transactions. Therefore, for the confidentiality maintenance of numerical information on the alliance chain ledger, the homomorphic encryption cryptosystem can be used to ensure the computability of the ciphertext, and the range proof in the zero-knowledge proof can be used to ensure that the ciphertext is in a legal range.

Paillier同态加密体制是基于离散对数和DCRA假设的加法同态加密方案,该方案的安全性假设可以归约到复合剩余类分解问题的计算困难性。为了减少解密运算的时间复杂度,Paillier同态加密体制能转换为基于部分离散对数问题的改进方案:通过选取具有较小阶的生成元g的子群,从而限制密文空间大小。改进的Paillier算法组成部分为密钥生成步骤、加密步骤、解密步骤。The Paillier homomorphic encryption system is an additive homomorphic encryption scheme based on discrete logarithm and DCRA assumptions. The security assumption of this scheme can be reduced to the computational difficulty of the composite residual class decomposition problem. In order to reduce the time complexity of the decryption operation, the Paillier homomorphic encryption system can be transformed into an improved scheme based on the partial discrete logarithm problem: by selecting a subgroup with a smaller order generator g, the size of the ciphertext space is limited. The components of the improved Paillier algorithm are key generation step, encryption step and decryption step.

基于Pederson向量承诺的范围证明的目标是证明给定数字v,证明v∈[0,2n),也即是说如果数字v满足区间要求,那么其二进制表示法的长度一定是n,并且二进制表示法对应的字符串只由0和1组成。在随机预言机模型下,Fiat-Shamir变换可将需要log(n)步骤的交互式协议转化为一个安全且完全零知识的非交互零知识证明系统。此外,还能通过将处于同一范围的m个数值的二进制表示字符串拼接起来,在仅增加2·log2(m)个证明元素的情况下,生成能一次证明n·m比特的聚合范围证明。The goal of range proof based on Pederson vector commitment is to prove that for a given number v, prove that v∈[0,2 n ), that is to say, if the number v satisfies the interval requirement, then the length of its binary representation must be n, and the binary The string corresponding to the notation consists only of 0 and 1. Under the random oracle model, the Fiat-Shamir transformation can transform an interactive protocol requiring log(n) steps into a secure and completely zero-knowledge non-interactive zero-knowledge proof system. In addition, by concatenating the binary representation strings of m values in the same range, an aggregated range proof that can prove n m bits at a time can be generated with only 2 log 2 (m) proof elements added .

发明内容Contents of the invention

鉴于以上提及的基于中心化策略的认证方式过于依赖于单一信任中心的弊端,以及公共区块链在存储身份认证相关数据需求下对效率和隐私保护方面的需求,本发明基于具有准入许可的联盟链账本,提供了一种身份可信度管理模型,在保护用户隐私的前提下实现了身份可信度的统一管理,并实现基于身份可信度安全比较的跨域身份认证方法、系统及电子设备。In view of the disadvantages of the above-mentioned centralized strategy-based authentication method relying too much on a single trust center, and the public blockchain’s need for efficiency and privacy protection under the requirement of storing identity authentication-related data, the present invention is based on having access permission The alliance chain account book provides an identity credibility management model, which realizes the unified management of identity credibility under the premise of protecting user privacy, and realizes a cross-domain identity authentication method and system based on security comparison of identity credibility and electronic equipment.

本发明的方法所采用的技术方案是:一种基于身份可信度的跨域身份认证方法,包括以下步骤:The technical solution adopted by the method of the present invention is: a cross-domain identity authentication method based on identity credibility, comprising the following steps:

步骤1:将用户的数字身份转换为公开可验证的唯一身份标识,实现数字身份与身份可信度的绑定;Step 1: Convert the user's digital identity into a publicly verifiable unique identity to realize the binding of digital identity and identity credibility;

权威身份来源机构对用户提供的身份信息进行验证,将合法的身份信息摘要提交到联盟链账本中,并向用户分发密钥和身份动态识别凭证生成应用;用户使用身份动态识别凭证注册数字身份,提供可验证的动态身份凭证;The authoritative identity source agency verifies the identity information provided by the user, submits the legal identity information summary to the alliance chain account book, and distributes the key and identity dynamic identification certificate to the user to generate the application; the user uses the identity dynamic identification certificate to register the digital identity, Provide verifiable dynamic identity credentials;

步骤2:加密和验证在联盟链账本中公开存储的身份可信度记录;Step 2: Encrypt and verify the identity credibility records publicly stored in the alliance chain ledger;

用户通过使用唯一身份标识注册数字身份后,身份认证服务将为每个数字身份分发同态加密密钥;在生成数字身份对应的身份可信度记录时,身份认证服务将生成相应的同态加密密文和零知识范围证明作为数据合法性的验证信息;After the user registers a digital identity by using a unique identity, the identity authentication service will distribute a homomorphic encryption key for each digital identity; when generating the identity credibility record corresponding to the digital identity, the identity authentication service will generate the corresponding homomorphic encryption Ciphertext and zero-knowledge range proofs are used as verification information for data legitimacy;

步骤3:身份可信度配置信息管理、身份可信度链上动态维护及身份可信度的可验证比较;Step 3: Identity credibility configuration information management, dynamic maintenance on the identity credibility chain and verifiable comparison of identity credibility;

由联盟链作为公共可验证的存储媒介和可信的联盟链链码执行环境,保证公共账本中的身份可信度相关信息未被篡改,并且能够诚实地执行链码定义的功能函数。The consortium chain is used as a public verifiable storage medium and a credible consortium chain chain code execution environment to ensure that the identity credibility related information in the public ledger has not been tampered with and can honestly execute the functions defined by the chain code.

本发明的系统所采用的技术方案是:一种基于身份可信度的跨域身份认证系统,包括唯一身份标识授权模块、基于同态加密和零知识范围证明的隐私保护模块和基于联盟链的身份可信度的管理和共享模块组成;The technical solution adopted by the system of the present invention is: a cross-domain identity authentication system based on identity credibility, including a unique identity identification authorization module, a privacy protection module based on homomorphic encryption and zero-knowledge range proof, and an alliance chain-based Identity credibility management and sharing modules;

所述唯一身份标识授权模块,用于将用户的数字身份转换为公开可验证的唯一身份标识,实现数字身份与身份可信度的绑定;The unique identity authorization module is used to convert the user's digital identity into a publicly verifiable unique identity, so as to realize the binding of digital identity and identity credibility;

权威身份来源机构对用户提供的身份信息进行验证,将合法的身份信息摘要提交到联盟链账本中,并向用户分发密钥和身份动态识别凭证生成应用;用户使用身份动态识别凭证注册数字身份,提供可验证的动态身份凭证;The authoritative identity source agency verifies the identity information provided by the user, submits the legal identity information summary to the alliance chain account book, and distributes the key and identity dynamic identification certificate to the user to generate the application; the user uses the identity dynamic identification certificate to register the digital identity, Provide verifiable dynamic identity credentials;

所述基于同态加密和零知识范围证明的隐私保护模块,用于加密和验证在联盟链账本中公开存储的身份可信度记录;The privacy protection module based on homomorphic encryption and zero-knowledge range proof is used to encrypt and verify the identity credibility records publicly stored in the alliance chain ledger;

用户通过使用唯一身份标识注册数字身份后,身份认证服务将为每个数字身份分发同态加密密钥;在生成数字身份对应的身份可信度记录时,身份认证服务将生成相应的同态加密密文和零知识范围证明作为数据合法性的验证信息;After the user registers a digital identity by using a unique identity, the identity authentication service will distribute a homomorphic encryption key for each digital identity; when generating the identity credibility record corresponding to the digital identity, the identity authentication service will generate the corresponding homomorphic encryption Ciphertext and zero-knowledge range proofs are used as verification information for data legitimacy;

所述基于联盟链的身份可信度的管理和共享模块,用于身份可信度配置信息管理、身份可信度链上动态维护及身份可信度的可验证比较;The management and sharing module of identity credibility based on the alliance chain is used for identity credibility configuration information management, dynamic maintenance of identity credibility on the chain, and verifiable comparison of identity credibility;

由联盟链作为公共可验证的存储媒介和可信的联盟链链码执行环境,保证公共账本中的身份可信度相关信息未被篡改,并且能够诚实地执行链码定义的功能函数。The consortium chain is used as a public verifiable storage medium and a credible consortium chain chain code execution environment to ensure that the identity credibility related information in the public ledger has not been tampered with and can honestly execute the functions defined by the chain code.

本发明的电子设备所采用的技术方案是:一种电子设备,包括:The technical solution adopted by the electronic equipment of the present invention is: an electronic equipment, comprising:

一个或多个处理器;one or more processors;

存储装置,用于存储一个或多个程序,当所述一个或多个程序被所述一个或多个处理器执行时,使得所述一个或多个处理器实现所述的基于身份可信度的跨域身份认证方法。a storage device for storing one or more programs, when the one or more programs are executed by the one or more processors, causing the one or more processors to implement the identity-based credibility The cross-domain authentication method.

本发明相比现有技术,其优点和积极效果主要体现在以下几个方面:Compared with the prior art, the present invention has advantages and positive effects mainly in the following aspects:

(1)本发明提出了一种基于同态加密和非交互式零知识范围证明的身份可信度标准存储模式,在保证数据可计算性的前提下,构建了身份可信度安全共享渠道,实现了多元异构身份可信度的统一管理;(1) The present invention proposes a standard storage mode of identity credibility based on homomorphic encryption and non-interactive zero-knowledge scope proof, and builds a secure sharing channel of identity credibility under the premise of ensuring data computability. Realized the unified management of the credibility of multiple heterogeneous identities;

(2)本发明设计了高效的紧凑存储模式,通过设计结合默克尔哈希树和聚合范围证明的紧凑存储结构,实现了多个身份可信度状态记录的高效存储;(2) The present invention designs an efficient compact storage mode, and realizes efficient storage of multiple identity credibility state records by designing a compact storage structure combined with Merkle hash tree and aggregation range proof;

(3)本发明提出了基于身份可信度的跨域身份认证方法。各安全域在接受来自域外的身份凭证时,在密文鉴定链码作为可信第三方的监督下,使用密文证明、身份可信度状态密文记录和事先公开的身份可信度评价标准,执行身份可信度安全比较协议,得到用户身份可信度和本域身份可信度最小阈值要求的比较结果,从而决定是否接受此次跨域身份认证请求。在此过程中,本方案提供的协议能够有效地保护安全域和用户的隐私。(3) The present invention proposes a cross-domain identity authentication method based on identity credibility. When each security domain accepts identity credentials from outside the domain, under the supervision of the ciphertext authentication chain code as a trusted third party, it uses ciphertext certification, ciphertext records of identity credibility status and pre-disclosed identity credibility evaluation criteria , execute the identity credibility security comparison protocol, and obtain the comparison result between the user identity credibility and the minimum threshold requirement of the local identity credibility, so as to decide whether to accept the cross-domain identity authentication request. During this process, the protocol provided by this scheme can effectively protect the privacy of the security domain and users.

附图说明Description of drawings

图1为本发明实施例的系统整体框架图;Fig. 1 is the overall frame diagram of the system of the embodiment of the present invention;

图2为本发明实施例中基于唯一身份标识授权模块的原理图;FIG. 2 is a schematic diagram of an authorization module based on unique identity identification in an embodiment of the present invention;

图3为本发明实施例中基于同态加密和零知识范围证明的隐私保护模块的原理图;3 is a schematic diagram of a privacy protection module based on homomorphic encryption and zero-knowledge range proof in an embodiment of the present invention;

图4为本发明实施例中基于联盟链的身份可信度的管理和共享模块的安全域配置信息标准结构原理图;FIG. 4 is a schematic diagram of the standard structure of the security domain configuration information of the management and sharing module of the identity credibility based on the consortium chain in the embodiment of the present invention;

图5为本发明实施例中基于联盟链的身份可信度的管理和共享模块的身份可信度的可验证比较原理图。Fig. 5 is a verifiable comparison schematic diagram of identity credibility management and sharing modules based on consortium chains in an embodiment of the present invention.

具体实施方式Detailed ways

为了便于本领域普遍技术人员的理解和实施本发明,下面结合附图及实施例对本发明作为进一步的详细描述,应当理解,此处所描述的实施示例仅用于说明和解释本发明,并不用于限定本发明。In order to facilitate those skilled in the art to understand and implement the present invention, the present invention will be described in further detail below in conjunction with the accompanying drawings and embodiments. It should be understood that the implementation examples described here are only used to illustrate and explain the present invention, not for limit the invention.

本实施例提供的一种基于身份可信度的跨域身份认证方法,包括以下步骤:A cross-domain identity authentication method based on identity credibility provided by this embodiment includes the following steps:

步骤1:将用户的数字身份转换为公开可验证的唯一身份标识,实现数字身份与身份可信度的绑定;Step 1: Convert the user's digital identity into a publicly verifiable unique identity to realize the binding of digital identity and identity credibility;

权威身份来源机构对用户提供的身份信息进行验证,将合法的身份信息摘要提交到联盟链账本中,并向用户分发密钥和身份动态识别凭证生成应用;用户使用身份动态识别凭证注册数字身份,提供可验证的动态身份凭证;The authoritative identity source agency verifies the identity information provided by the user, submits the legal identity information summary to the alliance chain account book, and distributes the key and identity dynamic identification certificate to the user to generate the application; the user uses the identity dynamic identification certificate to register the digital identity, Provide verifiable dynamic identity credentials;

步骤2:加密和验证在联盟链账本中公开存储的身份可信度记录;Step 2: Encrypt and verify the identity credibility records publicly stored in the alliance chain ledger;

用户通过使用唯一身份标识注册数字身份后,身份认证服务将为每个数字身份分发同态加密密钥;在生成数字身份对应的身份可信度记录时,身份认证服务将生成相应的同态加密密文和零知识范围证明作为数据合法性的验证信息;After the user registers a digital identity by using a unique identity, the identity authentication service will distribute a homomorphic encryption key for each digital identity; when generating the identity credibility record corresponding to the digital identity, the identity authentication service will generate the corresponding homomorphic encryption Ciphertext and zero-knowledge range proofs are used as verification information for data legitimacy;

步骤3:身份可信度配置信息管理、身份可信度链上动态维护及身份可信度的可验证比较;Step 3: Identity credibility configuration information management, dynamic maintenance on the identity credibility chain and verifiable comparison of identity credibility;

由联盟链作为公共可验证的存储媒介和可信的联盟链链码执行环境,保证公共账本中的身份可信度相关信息未被篡改,并且能够诚实地执行链码定义的功能函数。The consortium chain is used as a public verifiable storage medium and a credible consortium chain chain code execution environment to ensure that the identity credibility related information in the public ledger has not been tampered with and can honestly execute the functions defined by the chain code.

本发明提供的一种基于身份可信度的跨域身份认证系统,由唯一身份标识授权模块、基于同态加密和零知识范围证明的隐私保护模块、基于联盟链的身份可信度的管理和共享模块组成,完整的系统架构图请见图1。The present invention provides a cross-domain identity authentication system based on identity credibility, which consists of a unique identity identification authorization module, a privacy protection module based on homomorphic encryption and zero-knowledge range proof, management and identity credibility based on alliance chains. Composition of shared modules, see Figure 1 for a complete system architecture diagram.

本实施例的唯一身份标识授权模块,用于将用户的数字身份转换为公开可验证的唯一身份标识,实现数字身份与身份可信度的绑定;The unique identity authorization module of this embodiment is used to convert the user's digital identity into a publicly verifiable unique identity, and realize the binding of digital identity and identity credibility;

权威身份来源机构对用户提供的身份信息进行验证,将合法的身份信息摘要提交到联盟链账本中,并向用户分发密钥和身份动态识别凭证生成应用;用户使用身份动态识别凭证注册数字身份,提供可验证的动态身份凭证;The authoritative identity source agency verifies the identity information provided by the user, submits the legal identity information summary to the alliance chain account book, and distributes the key and identity dynamic identification certificate to the user to generate the application; the user uses the identity dynamic identification certificate to register the digital identity, Provide verifiable dynamic identity credentials;

本实施例的基于同态加密和零知识范围证明的隐私保护模块,用于加密和验证在联盟链账本中公开存储的身份可信度记录;The privacy protection module based on homomorphic encryption and zero-knowledge scope proof in this embodiment is used to encrypt and verify identity credibility records publicly stored in the alliance chain account book;

用户通过使用唯一身份标识注册数字身份后,身份认证服务将为每个数字身份分发同态加密密钥;在生成数字身份对应的身份可信度记录时,身份认证服务将生成相应的同态加密密文和零知识范围证明作为数据合法性的验证信息;After the user registers a digital identity by using a unique identity, the identity authentication service will distribute a homomorphic encryption key for each digital identity; when generating the identity credibility record corresponding to the digital identity, the identity authentication service will generate the corresponding homomorphic encryption Ciphertext and zero-knowledge range proofs are used as verification information for data legitimacy;

本实施例的基于联盟链的身份可信度的管理和共享模块,用于身份可信度配置信息管理、身份可信度链上动态维护及身份可信度的可验证比较;The identity credibility management and sharing module based on the consortium chain of this embodiment is used for identity credibility configuration information management, identity credibility chain dynamic maintenance and identity credibility verifiable comparison;

由联盟链作为公共可验证的存储媒介和可信的联盟链链码执行环境,保证公共账本中的身份可信度相关信息未被篡改,并且能够诚实地执行链码定义的功能函数。The consortium chain is used as a public verifiable storage medium and a credible consortium chain chain code execution environment to ensure that the identity credibility related information in the public ledger has not been tampered with and can honestly execute the functions defined by the chain code.

请见图2,本实施例基于唯一身份标识授权模块,具体工作过程包括以下步骤:Please see Fig. 2, this embodiment is based on the unique identity identification authorization module, and the specific working process includes the following steps:

步骤A1:用户唯一身份标识的生成过程涉及到三个实体:用户,权威身份来源机构和联盟链账本;Step A1: The generation process of the user's unique identity involves three entities: the user, the authoritative identity source organization and the alliance chain ledger;

权威身份来源机构向用户提供包含唯一识别码appid的认证应用程序。用户使用认证应用生成用户密钥(PrivKeyUser,PubKeyUser),计算个人信息哈希值并签名,向权威身份来源机构申请唯一身份标识uuidUserThe authoritative identity source institution provides the user with an authentication application including a unique identification code appid. The user uses the authentication application to generate the user key (PrivKey User , PubKey User ), calculates the hash value of the personal information and signs it, and applies for the unique identity identifier uuid User from the authoritative identity source organization;

步骤A1.1:由权威身份来源机构分发具有唯一识别码appid的认证应用程序给用户,利用非对称加密算法产生私钥PrivKeyUser和公钥PubKeyUser;随后用户将个人信息UserInfo整理成标准存储格式,并计算个人信息的摘要值H=Hash(UserInfo),并使用自己的私钥PrivKeyUser对个人信息摘要,应用程序识别码appid和身份生成时间戳进行签名SigUser(H|appid|Timestamp)。完成计算后,用户通过应用程序将公钥PubKeyUser,个人信息UserInfo,个人信息摘要H,应用程序识别码appid,签名SigUser通过安全信道传输给权威身份来源机构;Step A1.1: The authoritative identity source agency distributes the authentication application program with the unique identification code appid to the user, and uses an asymmetric encryption algorithm to generate the private key PrivKey User and the public key PubKey User ; then the user organizes the personal information UserInfo into a standard storage format , and calculate the summary value of personal information H=Hash(UserInfo), and use your own private key PrivKey User to sign the summary of personal information, application identification code appid and identity generation timestamp Sig User (H|appid|Timestamp). After the calculation is completed, the user transmits the public key PubKey User , personal information UserInfo, personal information summary H, application identification code appid, and signature Sig User to the authoritative identity source through the application program;

其中,非对称加密算法本实施例优选基于NIST P-256曲线的椭圆曲线加密算法,数字签名算法本实施例优选ECDSA(FIPS 186-3)签名算法。Among them, the asymmetric encryption algorithm in this embodiment is preferably an elliptic curve encryption algorithm based on the NIST P-256 curve, and the digital signature algorithm in this embodiment is preferably an ECDSA (FIPS 186-3) signature algorithm.

步骤A1.2:权威身份来源机构在收到来自用户应用的请求之后,根据同样的规则,计算用户的个人信息摘要H=Hash(UserInfo),并使用公钥PubKeyUser核验用户签名SigUser。在证实该请求的真实性和完整性之后,权威身份来源机构将个人信息摘要H,应用程序识别码appid,身份生成时间戳Timestamp和权威机构对上链信息的签名SigAuthority(H|appid|Timestamp)提交到联盟链账本中,得到身份地址addrUser,随后将addrUser作为用户的唯一身份标识uuidUser返回给认证应用程序。Step A1.2: After receiving the request from the user application, the authoritative identity source agency calculates the user's personal information digest H=Hash(UserInfo) according to the same rules, and uses the public key PubKey User to verify the user signature Sig User . After confirming the authenticity and completeness of the request, the authoritative identity source agency sends the personal information summary H, the application identification code appid, the identity generation timestamp Timestamp and the signature Sig Authority (H|appid|Timestamp ) is submitted to the alliance chain account book, and the identity address addr User is obtained, and then addr User is returned to the authentication application as the user's unique identity uuid User .

步骤A2:用户唯一身份标识的认证过程涉及到三个实体:用户,本地安全域认证服务器和联盟链账本;Step A2: The authentication process of the user's unique identity involves three entities: the user, the local security domain authentication server and the alliance chain ledger;

用户通过使用认证应用程序生成由从A1获得的唯一身份标识uuidUser、个人信息摘要值H、身份动态识别凭证生成时间戳Timestamp、申请访问的安全域和有效期组成的身份动态识别凭证Cert组成的动态识别凭证发送给目标认证服务器。The user uses the authentication application to generate a dynamic identity dynamic identification credential composed of the unique identity uuid User obtained from A1, the summary value of personal information H, the timestamp Timestamp generated by the dynamic identity identification credential, the security domain for applying for access, and the validity period. The identification credentials are sent to the target authentication server.

步骤A2.1:认证应用程序将生成由应用程序识别码appid,个人信息摘要值H,身份动态识别凭证生成时间戳Timestamp,申请访问的安全域和有效期组成的身份动态识别凭证Cert=(appid,H,Timestamp,targetDomain,LifeTime),并使用私钥PrivKeyUser对其签名,其中,TargetDomain为申请访问的安全域,LifeTime为有效期;随后将身份动态识别凭证Cert,签名SigUser,公钥PubKeyUser,个人信息摘要值H和唯一身份标识uuidUser组合成身份认证消息,发送给目标认证服务器;Step A2.1: The authentication application will generate the identity dynamic identification credential Cert=(appid, H, Timestamp, targetDomain, LifeTime), and use the private key PrivKey User to sign it, where TargetDomain is the security domain to apply for access, and LifeTime is the validity period; then dynamically identify the identity certificate Cert, sign Sig User , public key PubKey User , The personal information summary value H and the unique identity uuid User are combined into an identity authentication message and sent to the target authentication server;

在一次跨域身份认证过程中,本地安全域认证服务器需要对发起认证请求的用户身份进行验证;而目标认证服务器则需要对本地安全域服务器提供的跨域身份认证消息进行验证。During a cross-domain identity authentication process, the local security domain authentication server needs to verify the identity of the user who initiates the authentication request; and the target authentication server needs to verify the cross-domain identity authentication message provided by the local security domain server.

首先,本地安全域能校验用户的身份凭证,敌手需要拥有用户私钥才能通过本地安全域的身份认证。然后,本地安全域需要使用私钥构造合法的跨域认证消息,因此敌手难以伪造跨域身份认证请求。最后目标认证服务器通过本地安全域认证服务器的公钥和身份识别信息摘要的权威记录,即可验证该认证消息的真实性。First of all, the local security domain can verify the user's identity credentials, and the adversary needs to have the user's private key to pass the identity authentication of the local security domain. Then, the local security domain needs to use the private key to construct a legal cross-domain authentication message, so it is difficult for the adversary to forge the cross-domain authentication request. Finally, the target authentication server can verify the authenticity of the authentication message through the public key of the authentication server in the local security domain and the authoritative record of the identification information summary.

步骤A2.2:目标认证服务器在获取身份认证消息之后,将使用生成时间戳和有效期对身份认证消息进行时效性判断。随后使用用户公钥PubKeyUser和身份认证消息内容,对身份动态识别凭证Cert进行验证。身份动态识别凭证验证通过后,再根据唯一身份标识uuidUser获得身份识别信息摘要的权威记录,核验个人信息摘要值H。在用户侧提供的所有信息都是一致的情况下,目标认证服务器可以判定用户身份合法。最后,目标认证服务器记录该身份动态识别凭证的哈希值,并标记为已经使用。Step A2.2: After the target authentication server obtains the identity authentication message, it will use the generated timestamp and validity period to judge the timeliness of the identity authentication message. Then use the user public key PubKey User and the content of the identity authentication message to verify the identity dynamic identification credential Cert. After the identity dynamic identification credential is verified, the authoritative record of the identification information summary is obtained according to the unique identity uuid User , and the personal information summary value H is verified. When all the information provided by the user side is consistent, the target authentication server can determine that the user's identity is legitimate. Finally, the target authentication server records the hash value of the identity dynamic identification credential and marks it as used.

请见图3,本实施例基于同态加密和零知识范围证明的隐私保护模块,具体工作过程包括以下步骤:Please see Fig. 3, this embodiment is based on the privacy protection module of homomorphic encryption and zero-knowledge range proof, and the specific working process includes the following steps:

步骤B1:同态加密密钥分发;Step B1: Homomorphic encryption key distribution;

用户使用从A1获得的唯一身份标识uuidUser经过步骤A2通过本地安全域Web应用的认证。随后,本地安全域Web应用为用户的数字身份生成一对同态加密公私钥对公钥PKUser=(n,g),私钥SKUser=(p,q,α),将其私钥安全保存在本地,用于身份可信度比较结果的验证,并将公钥公开发送给系统中的所有参与方,用于身份可信度的加密。其中,p,q为随机的大素数,n为p,q的乘积,g为随机数,α为p-1,q-1最小公倍数的因子;The user uses the unique identity uuid User obtained from A1 to pass the authentication of the local security domain Web application through step A2. Subsequently, the local security domain web application generates a pair of homomorphic encryption public-private key pair public key PK User = (n, g) and private key SK User = (p, q, α) for the user's digital identity, and secures the private key It is stored locally for the verification of identity credibility comparison results, and the public key is publicly sent to all participants in the system for the encryption of identity credibility. Among them, p and q are random large prime numbers, n is the product of p and q, g is a random number, and α is a factor of the least common multiple of p-1 and q-1;

其中,同态加密算法本实施例优选基于部分离散对数问题(Partial DiscreteLogarithm Problem)的Paillier改进算法。Among them, the homomorphic encryption algorithm in this embodiment is preferably an improved Paillier algorithm based on a Partial Discrete Logarithm Problem (Partial Discrete Logarithm Problem).

步骤B2:身份可信度密文生成,本地安全域的Web应用评估用户数字身份对应的身份可信度之后,使用相应的同态加密公钥PKUser=(n,g)和随机数r生成身份可信度密文。Step B2: Identity credibility ciphertext generation, after the web application in the local security domain evaluates the identity credibility corresponding to the user's digital identity, use the corresponding homomorphic encryption public key PK User = (n, g) and random number r to generate Identity credibility ciphertext.

步骤B3:身份可信度范围证明生成,本地安全域的Web应用选取公开参数ParamsRP,生成身份可信度密文记录对应的范围证明。Step B3: Generation of identity credibility range proof, the web application in the local security domain selects the public parameter ParamsRP, and generates the range proof corresponding to the identity credibility level ciphertext record.

其中,零知识范围证明算法本实施例优选Bulletproof算法;Among them, the Bulletproof algorithm is preferred in this embodiment of the zero-knowledge range proof algorithm;

请见图4和图5,本实施例基于联盟链的身份可信度的管理和共享模块,具体工作过程包括以下步骤:Please see Figure 4 and Figure 5, this embodiment is based on the identity credibility management and sharing module of the alliance chain, and the specific working process includes the following steps:

步骤C1:身份可信度配置信息管理,各安全域事先将身份可信度配置信息以JSON标准存储结构形式存储在联盟链账本中,其中包括安全域Domain,同态加密公钥PHEKey,身份可信度最大值CreditMax,身份可信度最小值CreditMin,身份可信度评价标准TrustworthinessStandard,时间戳Timestamp,消息哈希值MessageHash,数字签名ConfigSig;Step C1: Identity credibility configuration information management. Each security domain stores the identity credibility configuration information in the alliance chain ledger in the form of a JSON standard storage structure in advance, including the security domain Domain, the homomorphic encryption public key PHEKey, and the identity can be Maximum reliability CreditMax, minimum identity credibility CreditMin, identity credibility evaluation standard TrustworthinessStandard, timestamp Timestamp, message hash value MessageHash, digital signature ConfigSig;

其中,数字签名算法本实施例优选ECDSA(FIPS 186-3)签名算法;Wherein, digital signature algorithm preferred ECDSA (FIPS 186-3) signature algorithm in this embodiment;

步骤C2:身份可信度链上动态维护,用户在安全域注册数字身份之后,安全域通过C1中的身份可信度评价标准TrustworthinessStandard生成数字身份的身份可信度状态信息,并采用标准存储模式或者紧凑存储模式将一个或多个身份可信度状态记录存储在联盟链账本中;Step C2: The identity credibility is dynamically maintained on the chain. After the user registers the digital identity in the security domain, the security domain generates the identity credibility status information of the digital identity through the identity credibility evaluation standard TrustworthinessStandard in C1, and adopts the standard storage mode Or the compact storage mode stores one or more identity credibility state records in the alliance chain ledger;

这里为了表述清晰,假设安全域以标准存储模式进行身份可信度的动态维护;For the sake of clarity, it is assumed that the security domain dynamically maintains identity credibility in a standard storage mode;

步骤C2.1:安全域采用标准存储模式,生成包含具有安全域Domain,时间戳Timestamp,前一身份可信度状态记录PreviousCreditAddress,身份可信度密文Credit,身份可信度范围证明CreditRangeProof,配置信息地址ConfigAddress,消息哈希值MessageHash,数字签名MessageSig等信息的加密存储结构的记录;Step C2.1: The security domain adopts the standard storage mode, and the generation contains the security domain Domain, the timestamp Timestamp, the previous identity credibility status record PreviousCreditAddress, the identity credibility ciphertext Credit, the identity credibility range certificate CreditRangeProof, configuration Records of the encrypted storage structure of information such as information address ConfigAddress, message hash value MessageHash, digital signature MessageSig, etc.;

步骤C2.2:联盟链链码对数字签名和范围证明进行验证,先检查安全域Web应用的签名的有效性,再计算VerifyRP(paramsRP,proofRP),其中,proofRP为身份可信度范围证明;如果验证通过,密文验证链码则将身份可信度状态存储到联盟链账本中,获得对应记录的交易地址addr;否则,将舍弃该身份可信度状态,联盟链账本无需更新;Step C2.2: The alliance chain chain code verifies the digital signature and the range certificate, first checks the validity of the signature of the security domain web application, and then calculates VerifyRP (paramsRP, proofRP), where proofRP is the identity credibility range certificate; If the verification is passed, the ciphertext verification chain code will store the identity credibility state in the alliance chain account book, and obtain the transaction address addr corresponding to the record; otherwise, the identity credibility state will be discarded, and the alliance chain account book does not need to be updated;

步骤C3:身份可信度的可验证比较,用户可以使用已有的数字身份进行跨域身份认证。接受跨域身份凭证的安全域可以根据提供身份的安全域事先公开的身份可信度评价标准TrustworthinessStandard,选取合适的身份可信度最小阈值要求t;在联盟链链码作为可信第三方的监督下,判断跨域身份凭证的身份可信度是否满足本域的最小要求,从而决定是否通过本次跨域身份认证请求。Step C3: Verifiable comparison of identity credibility, users can use existing digital identities for cross-domain identity authentication. The security domain that accepts cross-domain identity credentials can select an appropriate minimum threshold of identity credibility t according to the identity credibility evaluation standard TrustworthinessStandard disclosed in advance by the security domain that provides the identity; Next, judge whether the identity credibility of the cross-domain identity certificate meets the minimum requirements of the domain, so as to decide whether to pass the cross-domain identity authentication request.

步骤C3.1:外部安全域Ex根据本地安全域L的身份可信度配置信息选取比较参数θ(θ>CreditMaxL),计算比较参数θ的密文EncryptEx(θ,rθ);其中,CreditMaxL为身份可信度允许的最大值,rθ为加密θ时采用的随机数;Step C3.1: The external security domain Ex selects the comparison parameter θ(θ>CreditMax L ) according to the identity credibility configuration information of the local security domain L, and calculates the ciphertext Encrypt Ex (θ,r θ ) of the comparison parameter θ; where, CreditMax L is the maximum value allowed by identity credibility, and r θ is the random number used when encrypting θ;

步骤C3.2:外部安全域Ex计算v1=θ-t,并向密文鉴定链码申请证明C(Ex,v1),证明内容包括Sig(Hash(CertificateEx)),

Figure BDA0003965885490000081
PKEx,PKCC;其中,C(Ex,v1)为外部安全域Ex申请的密文v1的鉴定证明,CertificateEx为外部安全域Ex的证书,PKEx为外部安全域Ex的公钥,PKCC为密文鉴定链码CC的公钥;Step C3.2: Calculate v 1 = θ-t in the external security domain Ex, and apply for a certificate C(Ex,v 1 ) from the ciphertext authentication chain code, the content of the certificate includes Sig(Hash(Certificate Ex )),
Figure BDA0003965885490000081
PK Ex , PK CC ; among them, C(Ex, v 1 ) is the authentication certificate of the ciphertext v 1 applied for by the external security domain Ex, Certificate Ex is the certificate of the external security domain Ex, and PK Ex is the public key of the external security domain Ex , PK CC is the public key of the ciphertext authentication chain code CC;

步骤C3.3:外部安全域将EncryptEx(θ,rθ)和C(Ex,v1)一同发送给本地安全域;Step C3.3: The external security domain sends Encrypt Ex (θ,r θ ) and C(Ex,v 1 ) to the local security domain;

步骤C3.4:假设UserL的身份可信度为v2,本地安全域L随机选取线性变换参数k1,k2,并向密文鉴定链码申请证明C(L,k1·v2),证明内容包括Sig(Hash(CertificateL)),EncryptL(k1,rk),

Figure BDA0003965885490000091
Figure BDA0003965885490000092
PKL,PKCC;其中,CertificateL为本地安全域L的证书,rk为加密k时的随机数,/>
Figure BDA0003965885490000093
为密文v2在联盟链账本中的存储地址,PKL为本地安全域L的公钥;Step C3.4: Assuming that the identity credibility of User L is v 2 , the local security domain L randomly selects linear transformation parameters k 1 , k 2 , and applies for a certificate C(L,k 1 ·v 2 from the ciphertext authentication chain code ), the proof content includes Sig(Hash(Certificate L )), Encrypt L (k 1 ,r k ),
Figure BDA0003965885490000091
Figure BDA0003965885490000092
PK L , PK CC ; Among them, Certificate L is the certificate of the local security domain L, r k is the random number when encrypting k, />
Figure BDA0003965885490000093
is the storage address of the ciphertext v 2 in the ledger of the alliance chain, and PK L is the public key of the local security domain L;

步骤C3.5:本地安全域L获得密文证明之后,将计算用于比较的中间结果m1,m2Step C3.5: After the local security domain L obtains the ciphertext proof, it will calculate the intermediate results m 1 , m 2 for comparison,

Figure BDA0003965885490000094
Figure BDA0003965885490000094

本地安全域L还需计算用于验证的中间结果m3,m4,m5The local security domain L also needs to calculate intermediate results m 3 , m 4 , m 5 for verification,

Figure BDA0003965885490000095
Figure BDA0003965885490000095

步骤C3.6:得到所有中间结果后,本地安全域L将m1,m2,m3,m4,m5,C(L,k1·v2)发送给外部安全域Ex;Step C3.6: After obtaining all the intermediate results, the local security domain L sends m 1 , m 2 , m 3 , m 4 , m 5 , C(L,k 1 ·v 2 ) to the external security domain Ex;

步骤C3.7:外部安全域Ex首先查验证明C(L,k1·v2)中的

Figure BDA0003965885490000096
是否与
Figure BDA0003965885490000097
对应的身份可信度状态记录一致,若不一致则立即终止协议。然后,外部安全域将验证证明C(L,k1·v2)中的数字签名,若数字签名验证不通过则立即终止协议。在确保密文的真实性之后,外部安全域Ex解密并比较d1=Decryptex(m1)和d2=DecryptEx(m2),从而得到UserL在本地安全域中的数字身份对应的身份可信度和外部安全域的身份可信度最小阈值要求的比较结果。最后,外部安全域Ex解密d3=DecryptEx(m3)和d4=DecryptEx(m4),得到验证信息,随后计算并验证下列等式Step C3.7: The external security domain Ex first checks the certificate in C(L,k 1 ·v 2 )
Figure BDA0003965885490000096
whether with
Figure BDA0003965885490000097
The corresponding identity credibility status records are consistent, and if they are inconsistent, the agreement will be terminated immediately. Then, the external security domain will verify the digital signature in the certificate C(L,k 1 ·v 2 ), and if the digital signature verification fails, the agreement will be terminated immediately. After ensuring the authenticity of the ciphertext, the external security domain Ex decrypts and compares d 1 = Decrypt ex (m 1 ) and d 2 = Decrypt Ex (m 2 ), thereby obtaining the identity corresponding to the digital identity of UserL in the local security domain The result of the comparison of trustworthiness and the minimum threshold requirement for identity trustworthiness of the external security domain. Finally, the external security domain Ex decrypts d 3 =Decrypt Ex (m 3 ) and d 4 =Decrypt Ex (m 4 ) to obtain verification information, and then calculates and verifies the following equation

Figure BDA0003965885490000098
Figure BDA0003965885490000098

如果等式均成立,则证明本地安全域L诚实地执行了协议,外部安全域Ex从而接受本次身份可信度比较结果;否则,证明本地安全域L在协议执行过程中出现了欺诈行为。If the equations are all true, it proves that the local security domain L has implemented the agreement honestly, and the external security domain Ex accepts the identity credibility comparison result; otherwise, it proves that the local security domain L has fraudulent behavior during the protocol execution.

步骤C3.8:外部安全域Ex根据比较结果,判断是否通过用户本次跨域身份认证请求。Step C3.8: The external security domain Ex judges whether the cross-domain identity authentication request of the user is passed according to the comparison result.

步骤C3.9:最后,外部安全域Ex将此次身份可信度安全比较协议的执行日志记录在联盟链账本中。Step C3.9: Finally, the external security domain Ex records the execution log of the identity credibility security comparison protocol in the alliance chain ledger.

本发明能够提供:The present invention can provide:

1.数字身份与身份可信度的绑定:本方案将用户的数字身份转换为公开可验证的唯一身份标识,实现数字身份与身份可信度的绑定。权威身份来源机构对用户提供的身份信息进行验证,将合法的身份信息摘要提交到联盟链账本中,并向用户分发密钥和身份动态识别凭证生成应用。用户随后可以使用身份动态识别凭证注册数字身份,提供可验证的动态身份凭证;1. Binding of digital identity and identity credibility: This solution converts the user's digital identity into a publicly verifiable unique identity, realizing the binding of digital identity and identity credibility. The authoritative identity source organization verifies the identity information provided by the user, submits the legal identity information summary to the alliance chain account book, and distributes the key and identity dynamic identification certificate generation application to the user. Users can then use the identity dynamic identification credentials to register digital identities and provide verifiable dynamic identity credentials;

2.多元异构身份可信度的统一管理:本方案提供了身份可信度配置信息的标准存储结构,并以此为基础设计了基于同态加密和非交互式零知识范围证明的身份可信度标准存储模式和高效的紧凑存储模式,将具有准入许可的Fabric联盟链账本作为存储媒介,实现了在保护用户隐私的前提下,身份可信度记录的统一维护。2. Unified management of multiple heterogeneous identity credibility: This solution provides a standard storage structure for identity credibility configuration information, and based on this, an identity security system based on homomorphic encryption and non-interactive zero-knowledge scope proof is designed. The reliability standard storage mode and the efficient compact storage mode use the Fabric alliance chain ledger with access permission as the storage medium to realize the unified maintenance of identity credibility records under the premise of protecting user privacy.

3.基于身份可信度的跨域身份认证框架:各安全域在接受来自域外的身份凭证时,在联盟链链码作为可信第三方的监督下,使用密文证明和公开存储的身份可信度状态密文记录执行身份可信度安全比较协议,得到用户身份可信度和本域身份可信度最小阈值要求的比较结果,从而决定是否接受此次跨域身份认证请求。通过将现有的身份可信度管理模式与跨域身份认证结合,本方案实现了跨域场景下安全、可靠的身份认证机制。3. A cross-domain identity authentication framework based on identity credibility: When each security domain accepts identity credentials from outside the domain, under the supervision of the alliance chain chain code as a trusted third party, the identities certified by ciphertext and publicly stored can be verified. The ciphertext record of the credibility state executes the identity credibility security comparison protocol, and obtains the comparison result of the user identity credibility and the minimum threshold requirement of the domain identity credibility, so as to decide whether to accept the cross-domain identity authentication request. By combining the existing identity credibility management mode with cross-domain identity authentication, this solution realizes a safe and reliable identity authentication mechanism in cross-domain scenarios.

应当理解的是,上述针对较佳实施例的描述较为详细,并不能因此而认为是对本发明专利保护范围的限制,本领域的普通技术人员在本发明的启示下,在不脱离本发明权利要求所保护的范围情况下,还可以做出替换或变形,均落入本发明的保护范围之内,本发明的请求保护范围应以所附权利要求为准。It should be understood that the above-mentioned descriptions for the preferred embodiments are relatively detailed, and should not therefore be considered as limiting the scope of the patent protection of the present invention. Within the scope of protection, replacements or modifications can also be made, all of which fall within the protection scope of the present invention, and the scope of protection of the present invention should be based on the appended claims.

Claims (9)

1.一种基于身份可信度的跨域身份认证方法,其特征在于,包括以下步骤:1. A cross-domain identity authentication method based on identity credibility, characterized in that, comprising the following steps: 步骤1:将用户的数字身份转换为公开可验证的唯一身份标识,实现数字身份与身份可信度的绑定;Step 1: Convert the user's digital identity into a publicly verifiable unique identity to realize the binding of digital identity and identity credibility; 权威身份来源机构对用户提供的身份信息进行验证,将合法的身份信息摘要提交到联盟链账本中,并向用户分发密钥和身份动态识别凭证生成应用;用户使用身份动态识别凭证注册数字身份,提供可验证的动态身份凭证;The authoritative identity source agency verifies the identity information provided by the user, submits the legal identity information summary to the alliance chain account book, and distributes the key and identity dynamic identification certificate to the user to generate the application; the user uses the identity dynamic identification certificate to register the digital identity, Provide verifiable dynamic identity credentials; 步骤2:加密和验证在联盟链账本中公开存储的身份可信度记录;Step 2: Encrypt and verify the identity credibility records publicly stored in the alliance chain ledger; 用户通过使用唯一身份标识注册数字身份后,身份认证服务将为每个数字身份分发同态加密密钥;在生成数字身份对应的身份可信度记录时,身份认证服务将生成相应的同态加密密文和零知识范围证明作为数据合法性的验证信息;After the user registers a digital identity by using a unique identity, the identity authentication service will distribute a homomorphic encryption key for each digital identity; when generating the identity credibility record corresponding to the digital identity, the identity authentication service will generate the corresponding homomorphic encryption Ciphertext and zero-knowledge range proofs are used as verification information for data legitimacy; 步骤3:身份可信度配置信息管理、身份可信度链上动态维护及身份可信度的可验证比较;Step 3: Identity credibility configuration information management, dynamic maintenance on the identity credibility chain and verifiable comparison of identity credibility; 由联盟链作为公共可验证的存储媒介和可信的联盟链链码执行环境,保证公共账本中的身份可信度相关信息未被篡改,并且能够诚实地执行链码定义的功能函数。The consortium chain is used as a public verifiable storage medium and a credible consortium chain chain code execution environment to ensure that the identity credibility related information in the public ledger has not been tampered with and can honestly execute the functions defined by the chain code. 2.根据权利要求1所述的基于身份可信度的跨域身份认证方法,其特征在于:步骤1中,用户唯一身份标识的生成过程涉及到三个实体:用户,权威身份来源机构和联盟链账本;2. The cross-domain identity authentication method based on identity credibility according to claim 1, characterized in that: in step 1, the generation process of the user's unique identity involves three entities: the user, the authoritative identity source organization and the alliance Chain ledger; 用户唯一身份标识的生成过程具体包括以下子步骤:The process of generating the unique identity of a user specifically includes the following sub-steps: 步骤A1.1:用户通过权威身份来源机构提供的包含唯一识别码的认证应用程序,利用非对称加密算法产生一对公私钥对;随后用户将个人信息整理成标准存储格式,计算个人信息的摘要值,并使用自己的私钥对个人信息摘要,应用程序识别码和身份生成时间戳进行签名;用户通过应用程序将公钥、个人信息、个人信息摘要、应用程序识别码、签名通过安全信道传输给权威身份来源机构,向权威身份来源机构申请唯一身份标识;Step A1.1: The user uses the asymmetric encryption algorithm to generate a pair of public and private key pairs through the authentication application program provided by the authoritative identity source organization that contains the unique identification code; then the user organizes the personal information into a standard storage format and calculates the summary of the personal information value, and use their own private key to sign the personal information summary, application identification code and identity generation timestamp; the user transmits the public key, personal information, personal information summary, application identification code, and signature through the application through a secure channel To the authoritative identity source organization, apply for a unique identity identifier from the authoritative identity source organization; 步骤A1.2:权威身份来源机构在收到来自用户应用的请求之后,根据同样的规则,计算用户的个人信息摘要,并核验用户签名;在证实该请求的真实性和完整性之后,权威身份来源机构将个人信息摘要、应用程序识别码、身份生成时间戳和权威机构对上链信息的签名提交到联盟链账本中,得到交易地址;随后将该交易地址作为用户的唯一身份标识返回给认证应用程序。Step A1.2: After receiving the request from the user application, the authoritative identity source agency calculates the user's personal information summary according to the same rules, and verifies the user's signature; after confirming the authenticity and integrity of the request, the authoritative identity The source organization submits the summary of personal information, application identification code, identity generation time stamp and the signature of the authoritative organization on the chain information to the alliance chain account book, and obtains the transaction address; then returns the transaction address as the user's unique identity to the authentication application. 3.根据权利要求1所述的基于身份可信度的跨域身份认证方法,其特征在于:步骤1中,用户唯一身份标识的认证过程涉及到三个实体:用户,本地安全域认证服务器和联盟链账本;3. The cross-domain identity authentication method based on identity credibility according to claim 1, characterized in that: in step 1, the authentication process of the user's unique identity involves three entities: the user, the local security domain authentication server and Consortium chain ledger; 用户唯一身份标识的认证过程具体包括以下子步骤:The authentication process of the unique identity of the user specifically includes the following sub-steps: 步骤A2.1:用户进行身份认证时,认证应用程序将生成由应用程序识别码,个人信息摘要值,身份动态识别凭证生成时间戳,申请访问的安全域和有效期组成的身份动态识别凭证,并使用私钥对其签名;随后将身份动态识别凭证、签名、公钥、个人信息摘要值和唯一身份标识组合成身份认证消息,发送给目标认证服务器;Step A2.1: When the user performs identity authentication, the authentication application will generate an identity dynamic identification credential consisting of the application identification code, personal information summary value, generation time stamp of the identity dynamic identification credential, the security domain for which access is applied for and the validity period, and Use the private key to sign it; then combine the identity dynamic identification certificate, signature, public key, personal information digest value and unique identity into an identity authentication message, and send it to the target authentication server; 步骤A2.2:目标认证服务器在获取身份认证消息之后,将使用生成时间戳和有效期对身份认证消息进行时效性判断;随后使用用户公钥和身份认证消息内容,对身份动态识别凭证进行验证;身份动态识别凭证验证通过后,再根据唯一身份标识获得身份识别信息摘要的权威记录,核验个人信息摘要值;在用户侧提供的所有信息都是一致的情况下,目标认证服务器判定用户身份合法;最后目标认证服务器记录该身份动态识别凭证的哈希值,并标记为已经使用。Step A2.2: After the target authentication server obtains the identity authentication message, it will use the generated timestamp and validity period to judge the timeliness of the identity authentication message; then use the user's public key and the content of the identity authentication message to verify the identity dynamic identification certificate; After the verification of the identity dynamic identification certificate is passed, the authoritative record of the identification information summary is obtained according to the unique identity identifier, and the personal information summary value is verified; when all the information provided by the user side is consistent, the target authentication server determines that the user's identity is legal; Finally, the target authentication server records the hash value of the identity dynamic identification credential and marks it as used. 4.根据权利要求1所述的基于身份可信度的跨域身份认证方法,其特征在于:步骤2的具体实现包括以下子步骤:4. The cross-domain identity authentication method based on identity credibility according to claim 1, wherein the specific realization of step 2 includes the following sub-steps: 步骤B1:同态加密密钥分发;Step B1: Homomorphic encryption key distribution; 用户向本地安全域认证服务器提供个人身份信息和本地安全域中数字身份对应的用户名和口令创建数字身份,并使用唯一身份标识通过本地安全域认证服务器的认证;随后,本地安全域认证服务器为用户的数字身份生成一对同态加密公私钥对,将其私钥安全保存在本地,用于身份可信度比较结果的验证,并将公钥公开发送给系统中的所有参与方,用于身份可信度的加密;The user provides the local security domain authentication server with personal identity information and the user name and password corresponding to the digital identity in the local security domain to create a digital identity, and uses the unique identity to pass the authentication of the local security domain authentication server; The digital identity generates a pair of homomorphic encryption public-private key pairs, and stores the private key safely locally for verification of identity credibility comparison results, and publicly sends the public key to all participants in the system for identity verification. Encryption of credibility; 步骤B2:身份可信度密文生成;Step B2: Generation of identity credibility ciphertext; 本地安全域认证服务器评估用户数字身份对应的身份可信度之后,使用相应的同态加密公钥生成身份可信度密文;After the local security domain authentication server evaluates the identity credibility corresponding to the user's digital identity, it uses the corresponding homomorphic encryption public key to generate identity credibility ciphertext; 步骤B3:身份可信度范围证明生成;Step B3: Generation of identity credibility range proof; 本地安全域认证服务器选取公开参数,生成身份可信度密文记录对应的范围证明。The local security domain authentication server selects the public parameters and generates the range certificate corresponding to the identity credibility ciphertext record. 5.根据权利要求1所述的基于身份可信度的跨域身份认证方法,其特征在于:步骤3中所述身份可信度配置信息管理,各安全域事先将身份可信度配置信息以JSON标准存储结构形式存储在联盟链账本中,并对配置信息进行签名;5. The cross-domain identity authentication method based on identity credibility according to claim 1, characterized in that: the identity credibility configuration information management described in step 3, each security domain configures the identity credibility configuration information in advance The JSON standard storage structure is stored in the alliance chain ledger, and the configuration information is signed; 具体实现包括以下子步骤:The specific implementation includes the following sub-steps: 步骤C1.1:安全域选取由用户安全行为和从对应行为可获取的身份可信度最大值组成的身份可信度评价标准,身份可信度最大值和最小值,并生成一对同态加密密钥对;Step C1.1: The security domain selects the identity credibility evaluation standard consisting of the user security behavior and the maximum identity credibility obtained from the corresponding behavior, the maximum and minimum identity credibility, and generates a pair of homomorphisms encryption key pair; 步骤C1.2:安全域将安全域名称、同态加密公钥、身份可信度最大值和最小值、身份可信度评价标准、配置生成时间戳、配置消息哈希值以及数字签名,整理成JSON格式的标准存储结构;Step C1.2: The security domain organizes the security domain name, homomorphic encryption public key, maximum and minimum identity credibility, identity credibility evaluation criteria, configuration generation timestamp, configuration message hash value, and digital signature. into a standard storage structure in JSON format; 步骤C1.3:安全域将身份可信度配置信息提交给联盟链账本,并获取其存储位置。Step C1.3: The security domain submits the identity credibility configuration information to the alliance chain ledger and obtains its storage location. 6.根据权利要求1所述的基于身份可信度的跨域身份认证方法,其特征在于:步骤3中所述身份可信度链上动态维护,用户在安全域注册数字身份之后,安全域通过事先公开的身份可信度评价标准生成数字身份的身份可信度状态信息,并采用标准存储模式或者紧凑存储模式将一个或多个身份可信度状态记录存储在联盟链账本中;6. The cross-domain identity authentication method based on identity credibility according to claim 1, characterized in that: the identity credibility in step 3 is dynamically maintained on the chain, after the user registers a digital identity in the security domain, the security domain Generate identity credibility status information of digital identities through pre-disclosed identity credibility evaluation standards, and store one or more identity credibility status records in the alliance chain ledger in standard storage mode or compact storage mode; 具体实现包括以下子步骤:The specific implementation includes the following sub-steps: 步骤C2.1:安全域生成用户身份可信度的密文和对应的零知识范围证明记录,组成标准存储模式的加密存储结构或是紧凑存储模式的紧凑存储结构,并提交到联盟链账本中;Step C2.1: The security domain generates the ciphertext of the user's identity credibility and the corresponding zero-knowledge scope proof record, forms an encrypted storage structure in the standard storage mode or a compact storage structure in the compact storage mode, and submits it to the alliance chain ledger ; 步骤C2.2:在标准存储模式中,联盟链账本将对加密存储结构中的数字签名和范围证明进行验证;在紧凑存储模式中,联盟链账本将对紧凑存储结构中的默克尔哈希树树根和聚合范围证明进行验证。Step C2.2: In the standard storage mode, the alliance chain ledger will verify the digital signature and range proof in the encrypted storage structure; in the compact storage mode, the alliance chain ledger will verify the Merkel hash in the compact storage structure Tree root and aggregated range proofs are verified. 7.根据权利要求1所述的基于身份可信度的跨域身份认证方法,其特征在于:步骤3中所述身份可信度的可验证比较,接受跨域身份凭证的安全域根据提供身份的安全域事先公开的身份可信度评价标准,选取合适的身份可信度最小阈值要求;在联盟链链码作为可信第三方的监督下,判断跨域身份凭证的身份可信度是否满足本域的最小要求,从而决定是否通过本次跨域身份认证请求;7. The cross-domain identity authentication method based on identity credibility according to claim 1, characterized in that: the verifiable comparison of the identity credibility described in step 3, the security domain that accepts the cross-domain identity credential according to the provided identity The identity credibility evaluation standard disclosed in advance in the security domain, select the appropriate minimum threshold requirement of identity credibility; under the supervision of the alliance chain chain code as a trusted third party, judge whether the identity credibility of the cross-domain identity certificate meets the requirements The minimum requirements of this domain, so as to decide whether to pass this cross-domain identity authentication request; 具体实现包括以下子步骤:The specific implementation includes the following sub-steps: 步骤C3.1:用户请求使用已有的本地安全域中的数字身份通过外部安全域的身份认证;Step C3.1: The user requests to use the digital identity in the existing local security domain to pass the identity authentication of the external security domain; 步骤C3.2:外部安全域根据本地安全域在联盟链账本中事先公开的身份可信度评价标准,选取合适的身份可信度最小阈值要求,并向联盟链链码申请比较参数的密文证明;Step C3.2: The external security domain selects an appropriate minimum threshold for identity credibility according to the identity credibility evaluation criteria disclosed in advance by the local security domain in the alliance chain ledger, and applies for the cipher text of the comparison parameters from the alliance chain chain code prove; 步骤C3.3:本地安全域根据用户身份可信度的联盟链账本记录,向联盟链链码申请用户身份可信度的密文证明;Step C3.3: The local security domain applies to the alliance chain chain code for the ciphertext proof of the user identity credibility according to the alliance chain ledger record of the user identity credibility; 步骤C3.4:外部安全域向本地安全域提供比较参数和对应的密文证明;Step C3.4: The external security domain provides the comparison parameters and corresponding ciphertext proofs to the local security domain; 步骤C3.5:本地安全域使用外部安全域提供的比较参数和己方拥有的参数完成中间结果和验证信息的计算;Step C3.5: The local security domain uses the comparison parameters provided by the external security domain and its own parameters to complete the calculation of intermediate results and verification information; 步骤C3.6:外部安全域根据中间结果得到身份可信度和阈值比较的结果,并使用验证信息判断比较结果的真实性,并将本次比较日志提交到联盟链账本中。Step C3.6: The external security domain obtains the identity credibility and threshold comparison results based on the intermediate results, and uses the verification information to judge the authenticity of the comparison results, and submits the comparison log to the alliance chain ledger. 8.一种基于身份可信度的跨域身份认证系统,其特征在于:包括唯一身份标识授权模块、基于同态加密和零知识范围证明的隐私保护模块和基于联盟链的身份可信度的管理和共享模块组成;8. A cross-domain identity authentication system based on identity credibility, characterized in that: it includes a unique identity authorization module, a privacy protection module based on homomorphic encryption and zero-knowledge range proof, and a consortium chain-based identity credibility Management and sharing module composition; 所述唯一身份标识授权模块,用于将用户的数字身份转换为公开可验证的唯一身份标识,实现数字身份与身份可信度的绑定;The unique identity authorization module is used to convert the user's digital identity into a publicly verifiable unique identity, so as to realize the binding of digital identity and identity credibility; 权威身份来源机构对用户提供的身份信息进行验证,将合法的身份信息摘要提交到联盟链账本中,并向用户分发密钥和身份动态识别凭证生成应用;用户使用身份动态识别凭证注册数字身份,提供可验证的动态身份凭证;The authoritative identity source agency verifies the identity information provided by the user, submits the legal identity information summary to the alliance chain account book, and distributes the key and identity dynamic identification certificate to the user to generate the application; the user uses the identity dynamic identification certificate to register the digital identity, Provide verifiable dynamic identity credentials; 所述基于同态加密和零知识范围证明的隐私保护模块,用于加密和验证在联盟链账本中公开存储的身份可信度记录;The privacy protection module based on homomorphic encryption and zero-knowledge range proof is used to encrypt and verify the identity credibility records publicly stored in the alliance chain ledger; 用户通过使用唯一身份标识注册数字身份后,身份认证服务将为每个数字身份分发同态加密密钥;在生成数字身份对应的身份可信度记录时,身份认证服务将生成相应的同态加密密文和零知识范围证明作为数据合法性的验证信息;After the user registers a digital identity by using a unique identity, the identity authentication service will distribute a homomorphic encryption key for each digital identity; when generating the identity credibility record corresponding to the digital identity, the identity authentication service will generate the corresponding homomorphic encryption Ciphertext and zero-knowledge range proofs are used as verification information for data legitimacy; 所述基于联盟链的身份可信度的管理和共享模块,用于身份可信度配置信息管理、身份可信度链上动态维护及身份可信度的可验证比较;The management and sharing module of identity credibility based on the alliance chain is used for identity credibility configuration information management, dynamic maintenance of identity credibility on the chain, and verifiable comparison of identity credibility; 由联盟链作为公共可验证的存储媒介和可信的联盟链链码执行环境,保证公共账本中的身份可信度相关信息未被篡改,并且能够诚实地执行链码定义的功能函数。The consortium chain is used as a public verifiable storage medium and a credible consortium chain chain code execution environment to ensure that the identity credibility related information in the public ledger has not been tampered with and can honestly execute the functions defined by the chain code. 9.一种电子设备,其特征在于,包括:9. An electronic device, characterized in that it comprises: 一个或多个处理器;one or more processors; 存储装置,用于存储一个或多个程序,当所述一个或多个程序被所述一个或多个处理器执行时,使得所述一个或多个处理器实现如权利要求1至7中任一项所述的基于身份可信度的跨域身份认证方法。A storage device for storing one or more programs, when the one or more programs are executed by the one or more processors, the one or more processors are configured to implement any one of claims 1 to 7 A cross-domain identity authentication method based on identity credibility.
CN202211498448.1A 2022-11-28 2022-11-28 Cross-domain identity authentication method, system and electronic device based on identity credibility Active CN115883102B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202211498448.1A CN115883102B (en) 2022-11-28 2022-11-28 Cross-domain identity authentication method, system and electronic device based on identity credibility

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202211498448.1A CN115883102B (en) 2022-11-28 2022-11-28 Cross-domain identity authentication method, system and electronic device based on identity credibility

Publications (2)

Publication Number Publication Date
CN115883102A true CN115883102A (en) 2023-03-31
CN115883102B CN115883102B (en) 2024-04-19

Family

ID=85764208

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202211498448.1A Active CN115883102B (en) 2022-11-28 2022-11-28 Cross-domain identity authentication method, system and electronic device based on identity credibility

Country Status (1)

Country Link
CN (1) CN115883102B (en)

Cited By (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN117478329A (en) * 2023-10-16 2024-01-30 武汉大学 Multi-user anti-collusion ciphertext retrieval method and equipment based on identity key encapsulation
CN117640102A (en) * 2023-11-28 2024-03-01 澳门科技大学 Digital identity authentication and user data sharing method
CN118400113A (en) * 2024-05-24 2024-07-26 上海迅傲信息科技有限公司 Information docking method, system, equipment and medium based on system security detection

Citations (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN113411384A (en) * 2021-06-10 2021-09-17 华中科技大学 System and method for privacy protection in data security sharing process of Internet of things
CN113645020A (en) * 2021-07-06 2021-11-12 北京理工大学 A Consortium Chain Privacy Protection Method Based on Secure Multi-Party Computation
CN113691361A (en) * 2021-08-25 2021-11-23 上海万向区块链股份公司 Consortium chain privacy protection method and system based on homomorphic encryption and zero-knowledge proof
WO2022007889A1 (en) * 2020-07-08 2022-01-13 浙江工商大学 Searchable encrypted data sharing method and system based on blockchain and homomorphic encryption
CN115002717A (en) * 2022-04-14 2022-09-02 河北师范大学 Internet of vehicles cross-domain authentication privacy protection model based on block chain technology
CN115277122A (en) * 2022-07-12 2022-11-01 云南财经大学 Blockchain-based cross-border data flow and supervision system

Patent Citations (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2022007889A1 (en) * 2020-07-08 2022-01-13 浙江工商大学 Searchable encrypted data sharing method and system based on blockchain and homomorphic encryption
US20220368545A1 (en) * 2020-07-08 2022-11-17 Zhejiang University City College Searchable encrypted data sharing method and system based on blockchain and homomorphic encryption
CN113411384A (en) * 2021-06-10 2021-09-17 华中科技大学 System and method for privacy protection in data security sharing process of Internet of things
CN113645020A (en) * 2021-07-06 2021-11-12 北京理工大学 A Consortium Chain Privacy Protection Method Based on Secure Multi-Party Computation
CN113691361A (en) * 2021-08-25 2021-11-23 上海万向区块链股份公司 Consortium chain privacy protection method and system based on homomorphic encryption and zero-knowledge proof
CN115002717A (en) * 2022-04-14 2022-09-02 河北师范大学 Internet of vehicles cross-domain authentication privacy protection model based on block chain technology
CN115277122A (en) * 2022-07-12 2022-11-01 云南财经大学 Blockchain-based cross-border data flow and supervision system

Non-Patent Citations (3)

* Cited by examiner, † Cited by third party
Title
JING CHEN ET AL.: "Process:privacy-preserving on-chain certificate status service", IEEE, 26 July 2021 (2021-07-26) *
周云;: "基于区块链的信息网络信任支撑环境构建研究", 信息安全与通信保密, no. 04, 10 April 2020 (2020-04-10) *
董贵山;张兆雷;李洪伟;白健;郝尧;陈宇翔;: "基于区块链的异构身份联盟与监管体系架构和关键机制", 通信技术, no. 02, 10 February 2020 (2020-02-10) *

Cited By (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN117478329A (en) * 2023-10-16 2024-01-30 武汉大学 Multi-user anti-collusion ciphertext retrieval method and equipment based on identity key encapsulation
CN117478329B (en) * 2023-10-16 2024-04-26 武汉大学 Multi-user collusion-resistant ciphertext retrieval method and equipment based on identity key encapsulation
CN117640102A (en) * 2023-11-28 2024-03-01 澳门科技大学 Digital identity authentication and user data sharing method
CN118400113A (en) * 2024-05-24 2024-07-26 上海迅傲信息科技有限公司 Information docking method, system, equipment and medium based on system security detection

Also Published As

Publication number Publication date
CN115883102B (en) 2024-04-19

Similar Documents

Publication Publication Date Title
CN114186248B (en) A zero-knowledge proof verifiable credential digital identity management system and method based on blockchain smart contracts
Zhang et al. BTCAS: A blockchain-based thoroughly cross-domain authentication scheme
Liu et al. Blockchain-cloud transparent data marketing: Consortium management and fairness
Camenisch et al. Concepts and languages for privacy-preserving attribute-based authentication
Toorani et al. LPKI-a lightweight public key infrastructure for the mobile environments
CN115883102B (en) Cross-domain identity authentication method, system and electronic device based on identity credibility
CN113014392A (en) Block chain-based digital certificate management method, system, equipment and storage medium
CN117081803B (en) Internet of Things Ciphertext Access Control Method Based on Blockchain
CN114254284B (en) Digital certificate generation and identity authentication method, quantum CA authentication center and system
CN116566660A (en) Identity authentication method based on medical blockchain
CN111614680B (en) CP-ABE-based traceable cloud storage access control method and system
Benantar The Internet public key infrastructure
CN117036027A (en) Green power consumption authentication data processing method based on block chain and related equipment
US20240430102A1 (en) Systems and methods for enforcing cryptographically secure actions in public, non-permissioned blockchains using bifurcated self-executing programs comprising shared digital signature requirements
Liu et al. Cross-heterogeneous domain authentication scheme based on blockchain
Perugini et al. On the integration of Self-Sovereign Identity with TLS 1.3 handshake to build trust in IoT systems
CN114866244A (en) Controllable anonymous authentication method, system and device based on ciphertext block chaining encryption
Kwon Privacy preservation with X. 509 standard certificates
Zhang et al. NDN-MPS: supporting multiparty authentication over named data networking
Zhang et al. CKAA: Certificateless key‐agreement authentication scheme in digital twin telemedicine environment
CN115118431B (en) A cross-domain identity authentication ticket conversion method
Kaaniche et al. Id-based user-centric data usage auditing scheme for distributed environments
CN115760124A (en) Blockchain-based contract trust digital signature method and device
Yao et al. Compact and anonymous role-based authorization chain
Surya et al. Single sign on mechanism using attribute based encryption in distributed computer networks

Legal Events

Date Code Title Description
PB01 Publication
PB01 Publication
SE01 Entry into force of request for substantive examination
SE01 Entry into force of request for substantive examination
GR01 Patent grant
GR01 Patent grant