TWI749061B - Blockchain identity system - Google Patents

Info

Publication number: TWI749061B
Authority: TW (Taiwan)
Prior art keywords: user, random number, identity, encrypted, information
Application number: TW106131301A
Other languages: Chinese (zh)
Other versions: TW201812630A (en)
Inventor: 陸揚
Original Assignee: 大陸商上海唯鏈信息科技有限公司
Application filed by 大陸商上海唯鏈信息科技有限公司
Publication of TW201812630A
Application granted
Publication of TWI749061B

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/32 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Storage Device Security (AREA)
  • Financial Or Insurance-Related Operations Such As Payment And Settlement (AREA)
  • Mobile Radio Communication Systems (AREA)

Abstract

A blockchain identity system includes a client and a cloud. The client consists of a radio frequency reading module, a computing platform, a touch screen module, a communication module and a smart identity card. The cloud consists of a blockchain multi-node network, which includes a data blockchain and a multi-node network; the multi-node network coordinates with the client to complete the identity generation process and the identity authentication process. The authentication system uses a smart identity card to ensure the security of the user's identity, encrypts the transmitted information before transmission so that no information is leaked in transit, ensures the validity of both authentications, and avoids unnecessary attacks during the authentication process.

Description

Blockchain identity system

The invention relates to identity generation and authentication on the Internet, and provides a blockchain identity system.

On the Internet, blockchain identities must be issued in the form of network data. Unlike traditional identities, identities on the Internet are harder to generate and authenticate. With the password-based or SMS-based authentication mechanisms in wide use today, once the password is leaked or the mobile phone is lost, other users can equally use the terminal to carry out authenticated transactions. In recent years, technologies that combine biometric information (such as fingerprints and irises) to increase authentication security have also begun to appear. In the current environment, however, an ordinary user does not readily accept that fingerprints and other biometric information must be collected and stored by a third-party system before identity authentication can take place, and is likely to worry about leakage of personal information. There is therefore an urgent need for a blockchain identity system that is highly secure, highly operable and convenient.

In view of this, the present invention provides a blockchain identity system that solves or partially solves the above problems.

To achieve the effect of the above technical solution, the technical solution of the present invention is a blockchain identity system comprising a client and a cloud. The client consists of a radio frequency reading module, a computing platform, a touch screen module, a communication module and a smart identity card. The cloud consists of a blockchain multi-node network, which includes a data blockchain and a multi-node network; the multi-node network coordinates with the client to complete the identity generation process and the identity authentication process.

The computing platform contains a touch screen controller, a communication controller and a micro-computing chip. The touch screen controller controls the display of the touch screen module and sends it the information to be displayed. The communication controller uses serial communication to schedule the interaction between the radio frequency reading module, the touch screen module and the communication module. The micro-computing chip processes the information used in the identity generation process and the identity authentication process.

The smart identity card contains a chip with a built-in integrated circuit, and the chip stores a user ID number. The user ID number of each smart identity card is unique and is used to identify the user. Smart identity cards are produced by dedicated manufacturers on dedicated equipment and are hardware that cannot be copied. The card is carried by a registered legitimate user; during authentication, the smart identity card must be scanned by the radio frequency reading module, which reads in its user ID number to verify the user's identity.

The touch screen module uses a five-wire resistive screen based on the pressure-sensing principle, and is used to display and enter the information required in the identity generation process and the identity authentication process.

The communication module receives and sends the related information. It contains a network transmission filter and a dedicated encoding chip to implement communication between the computing platform and the cloud, receives and sends network data in the form of data frames, and must avoid background noise and interference while receiving and sending. Data frames are phase encoded, and synchronous clock encoding is used so that the clock synchronization signal is transmitted to the other party together with the data.

In the blockchain multi-node network in the cloud, the data blockchain consists of a series of data blocks linked in order of creation time, and the multi-node network is a P2P network made up of multiple nodes that share and transmit information to each other over the network. The data blockchain is open to all nodes in the multi-node network. A data block consists of a block header and a block body. The block header contains the hash value of the previous data block, a timestamp and the hash value of the current data block: the hash value of the previous data block links the data blocks together, the timestamp records the time at which the current data block was linked, and the hash value of the current data block ensures that the content of the data block cannot be tampered with. The block body records the account information of the user identity. The account information of a legitimate user identity is: user name, user identity information, encrypted user password, encrypted user ID number and user public key. Each node contains a pseudo-random number generator.

The identity generation process is as follows:

1) The user enters a user name, user identity information and a user password on the touch screen module, and these are transmitted to the multi-node network. The multi-node network checks whether the user name exists in the data blockchain. If the user name does not exist, the process continues with the next step. If the user name exists, feedback information is sent to the computing platform through the communication module; the computing platform processes the feedback information and displays "User exists, re-enter" on the touch screen module, the user re-enters a user name on the touch screen module, and the multi-node network checks again whether the user name exists in the data blockchain.

2) The computing platform verifies whether the user password meets the requirements. If it does, the process continues with the next step. If it does not, this is passed to the touch screen module, which displays "User password does not meet the requirements, re-enter", and the user re-enters the user password on the touch screen module.

3) The multi-node network generates a random number S1, encrypts it with the IDEA encryption algorithm to produce the encrypted random number S1, and broadcasts the encrypted random number S1 to all nodes in the multi-node network. All nodes decrypt the encrypted random number S1 with the IDEA decryption algorithm, and the node that first recovers the random number S1 becomes the node responsible for building the data blockchain.

4) The node responsible for building the data blockchain assigns the user a user public key and uses a hash algorithm to generate a unique identity identifier from the user identity information. The node digitally signs the unique identity identifier to generate a unique user ID number, writes the user ID number to the smart identity card, and encrypts it with the user public key to generate the encrypted user ID number. It saves the current time as the timestamp of the current data block, generates the hash value of the current data block from the hash value of the previous data block using a secure hash algorithm, and generates the encrypted user password. The encrypted user password is generated as follows: a random number produced by the pseudo-random number generator in the node responsible for building the data blockchain is used as a salt, the salt is mixed into the user password, and the result is encrypted with the cryptographic hash function to produce the encrypted user password. The user name, user identity information, encrypted user password, encrypted user ID number and user public key form the account information of the user identity, which is written, together with the generated salt, into the block body of the current data block.

The pseudo-random number generator works as follows. It is based on the Data Encryption Standard, includes the Triple Data Encryption Standard algorithm, and can generate random numbers in successive rounds. With the variable i denoting the i-th round of random number generation, it has three main components:

1) Input: the input consists of two 64-bit pseudo-random numbers Date_i and V_i. Date_i is the date and time at the start of the i-th round of calculation and must be updated each time a random number R_i is generated. V_i is the seed that must be supplied to generate the i-th random number; its initial value can be set arbitrarily, and it is updated automatically in every subsequent round.

2) Key generator: used for the calculation in each round. Each round uses triple data algorithm encryption, and each encryption uses two fixed 56-bit keys, K1 and K2. These two keys must be kept secret and are specified by the pseudo-random number generator.

3) Output: the output is a 64-bit pseudo-random number R_i and a 64-bit new seed V_{i+1}.

The pseudo-random number generator has high security strength because it uses keys totalling 112 bits and data algorithm encryption with 3 key encryptions, and because it is driven by two pseudo-random inputs: the current date and time Date_i, and the seed V_i produced by the previous round. Every round produces a random number R_i, but the seed differs in every round, so the random numbers produced all differ. The salt generated for each user is therefore also different, and the salt generated in the next round cannot be inferred from the salt generated in the previous round.

The identity authentication process is as follows:

Step 1: The client sends an authentication request to the cloud. The user ID number stored in the smart identity card is read in through the radio frequency reading module, and the multi-node network checks whether it exists in the data blockchain. If it exists, the process continues with step 2; if it does not, the identity authentication process ends.

Step 2, first authentication: The cloud returns start-authentication information to the computing platform through the communication module. The computing platform processes this information, and the touch screen module displays it to prompt the user for input. After the user enters the user name and user password on the touch screen module, the user is preliminarily verified. Based on the received user name, the multi-node network judges its legitimacy. If the user is legitimate, it then checks whether the user password is correct: the user's salt is taken from the blockchain multi-node network, the salt is mixed into the password entered by the user, the result is encrypted with the cryptographic hash function, and the result is compared with the encrypted user password stored in the corresponding data block. If they are the same, the password entered by the user is preliminarily judged correct and the process continues with step 3; if they are not the same, the password entered by the user is judged inconsistent.

Step 3, second authentication: The computing platform selects a large prime p and an integer a and makes these two numbers public, that is, visible to both the client and the multi-node network. The multi-node network selects a random large prime x satisfying x < p-1 and computes a^x mod p; the value of x is kept secret and is visible only to the multi-node network. The client concatenates the user password and the user's salt and computes the hash value Z1, and generates a random number S1. It concatenates the computed hash value Z1 with the computed value of a^x mod p and the random number S1 and hashes once more to obtain the hash value Z2. The client sends the random number S1, the computed value of a^x mod p and the hash value Z2 together to the multi-node network.

Step 4: The multi-node network retrieves the encrypted user password stored in the data blockchain, concatenates it with the received random number S1 and the computed a^x mod p, and hashes the result to obtain the hash value Z3, which it compares with the hash value Z2. If they are equal, the process continues; otherwise they are judged inconsistent. The multi-node network randomly selects a large prime y, computes a^y mod p, and keeps the value of y secret. The multi-node network concatenates the encrypted user password, the random number S1 and the computed value of a^y mod p and hashes them to obtain the hash value Z4, and sends the hash value Z4 and the computed value of a^y mod p to the client.

Step 5: The client concatenates the hash value Z1 obtained in step 3, the computed a^y mod p and the random number S1, hashes them, and compares the result with the hash value Z4 in the message received in step 4. If they are equal, it returns a response signal of successful authentication to the cloud; otherwise it returns an authentication failure message.

After these five steps, the cloud and the client have each successfully verified the identity of the other party. The communication mode used by the blockchain identity system is a network approach with an open system architecture: the client first sends a request to the cloud, the cloud processes the request and executes the tasks contained in it, and then returns the result to the client.
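The salted password record from identity generation step 4 and the second authentication (steps 3 to 5) can be traced in code; this is an added Python example, not part of the patent text or of any implementation by the applicant. Assumptions, none of which the page specifies: SHA-256 as the hash with length-prefixed concatenation in one fixed order on both sides, the salt and a^x mod p being delivered to the client, the network checking that the returned a^x mod p is the one it issued, random integer exponents in place of random primes, the constructed demo parameters p = 2**521 - 1 and a = 3, and the hypothetical `ledger` dict standing in for the block-body records.

```python
import hashlib
import hmac
import secrets

# Constructed demo parameters (assumption): the page only asks for a public
# "large prime p and integer a". 2**521 - 1 is a Mersenne prime.
P = 2**521 - 1
A = 3
P_LEN = (P.bit_length() + 7) // 8


def h(*parts: bytes) -> bytes:
    """Hash a concatenation; SHA-256 and length-prefix framing are assumptions."""
    digest = hashlib.sha256()
    for part in parts:
        digest.update(len(part).to_bytes(4, "big") + part)
    return digest.digest()


def enc(n: int) -> bytes:
    """Fixed-width encoding of a^k mod p so both sides hash identical bytes."""
    return n.to_bytes(P_LEN, "big")


def register(ledger: dict, username: str, password: str) -> None:
    """Identity generation step 4: salt and salted hash go into the block body.
    `ledger` is a hypothetical stand-in for those block-body records."""
    salt = secrets.token_bytes(8)  # 64 bits, the size of one generator output R_i
    ledger[username] = {"salt": salt, "pwd_hash": h(password.encode(), salt)}


def network_challenge():
    """Step 3, network side: secret exponent x < p-1 and public a^x mod p.
    A random integer is used here; the page asks for a random large prime."""
    x = secrets.randbelow(P - 3) + 2
    return x, pow(A, x, P)


def client_proof(password: str, salt: bytes, ax: int):
    """Step 3, client side: Z1 = H(password, salt), Z2 = H(Z1, a^x mod p, S1).
    Returns Z1 (kept locally) and the message sent to the network."""
    z1 = h(password.encode(), salt)
    s1 = secrets.token_bytes(16)
    return z1, {"s1": s1, "ax": ax, "z2": h(z1, enc(ax), s1)}


def network_verify(record: dict, issued_ax: int, msg: dict):
    """Step 4: recompute Z3 from the stored hash and compare it with Z2; on a
    match, answer with a^y mod p and Z4. Returns None on any mismatch."""
    if msg["ax"] != issued_ax:  # assumption: the page does not spell this check out
        return None
    z3 = h(record["pwd_hash"], enc(msg["ax"]), msg["s1"])
    if not hmac.compare_digest(z3, msg["z2"]):
        return None
    ay = pow(A, secrets.randbelow(P - 3) + 2, P)  # y stays with the network
    return {"ay": ay, "z4": h(record["pwd_hash"], enc(ay), msg["s1"])}


def client_verify(z1: bytes, s1: bytes, reply: dict) -> bool:
    """Step 5: the client recomputes Z4 from Z1, a^y mod p and S1."""
    return hmac.compare_digest(h(z1, enc(reply["ay"]), s1), reply["z4"])


def authenticate(ledger: dict, username: str, password: str) -> bool:
    """Run steps 3 to 5 end to end; True only if both sides accept."""
    record = ledger.get(username)
    if record is None:
        return False
    _x, ax = network_challenge()
    # Assumption: the salt and a^x mod p reach the client before it computes Z1.
    z1, msg = client_proof(password, record["salt"], ax)
    reply = network_verify(record, ax, msg)
    return reply is not None and client_verify(z1, msg["s1"], reply)


if __name__ == "__main__":
    ledger = {}
    register(ledger, "alice", "correct horse battery")  # constructed sample account
    print("right password:", authenticate(ledger, "alice", "correct horse battery"))
    print("wrong password:", authenticate(ledger, "alice", "guess"))
```

Both proofs are computed from the salted hash held in the block body, so the exchange demonstrates knowledge of that stored value on each side; x and y are not used again once a^x mod p and a^y mod p have been computed.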

The advantages of this blockchain identity system are as follows:

(1) A smart identity card is used to ensure the security of the user's identity.

(2) Both the password information and the ID information of the smart identity card are encrypted, and no plaintext is transmitted, so that even if an intruder obtains the information transmitted on the channel through network eavesdropping or similar means, there is no need to worry about the user password and identity card information being leaked.

(3) The identity generation process and the identity authentication process use a complex encryption process, which can effectively prevent replay attacks. In addition, the client and the cloud use a second authentication, which improves the reliability and security of the authentication process.

[Figure 1] is a structural diagram of the blockchain identity system.

To make the technical problems to be solved, the technical solutions and the beneficial effects of the present invention clearer, the invention is described in detail below with reference to the accompanying drawing and embodiments. The specific embodiments described here are only intended to explain the present invention and not to limit it; products that achieve the same function are equivalent replacements and improvements and all fall within the scope of protection of the present invention. The specific method is as follows:

Embodiment 1: Workflow of the authentication system

The authentication system works as follows. The user enters a user name and password in the login window displayed on the touch screen module of the client terminal to log in to the system. After the user enters the authentication system, the touch screen module displays the card-reading authentication interface. A command is sent to the radio frequency reading module, which reads in the information on the user's smart identity card. After the identity on the smart identity card has been read into the computing platform, the processing platform performs the corresponding cryptographic operations according to the identity authentication protocol to obtain the encrypted authentication request information. The communication module sends the encrypted authentication request information over the network to the authentication server in the cloud. After a series of authentication interactions between the client and the cloud, the cloud obtains the authentication result and returns it to the client for display.

Embodiment 2: Identity authentication protocol design

The identity authentication protocol determines whether the identity authentication system is secure, and its design is a key component of the whole system. The notation used here is introduced first: U denotes the user; S denotes the third-party authentication server; ID denotes the identity information read in by the radio frequency reading module; UserN and Password denote the user name and the corresponding login password; KuR and KuS denote the public key and private key of the mobile user; KsR and Kss denote the public key and private key of the authentication server; EK(m) denotes encryption of plaintext m with key k; DK(C) denotes decryption of ciphertext c with key k; R1 and N2 are random numbers generated by the system; K is the session key used after both parties have successfully authenticated each other.

First, the user must register their user information at a third-party registration center. For registration, the third-party registration center must have a radio frequency reading module so that it can confirm the user's identity information and complete the user's registration based on the information read from the radio frequency device. Registration takes place on the premise that the whole process is completed at a center the user fully trusts and that all registration information is exchanged over a secure channel.

The registration process is as follows:

(1) The user brings their second-generation resident identity card to an officially designated location and requests registration. Registration center staff use the radio frequency device of the authentication system to scan the user's smart identity card and read the user's identity ID from it. After the authentication system has read the user's ID, the system automatically checks whether the user has already registered with the system. If the user has already registered, the system returns a prompt message and ends the user registration sub-protocol.

(2) After confirming that the user's ID is not registered and meets the registration conditions, the authentication system asks the user to enter a login password. After the user has entered the password, the system first uses the user's password information to generate the public key corresponding to the ID, then encrypts the user password with the user public key according to the elliptic curve cryptographic algorithm, and stores the user's public key, the password encrypted with the public key and the encrypted ID information on the third-party authentication server.

(3) After the authentication server has stored the user's identity information on the server, the third-party registration staff transfer the authentication system installer to the user's mobile terminal via a removable storage device or a secure channel and install it.

After successful registration, the mobile terminal can be used for identity authentication. The authentication process is as follows:

Step 1: Authentication begins. The user must first log in on the client to verify the user's identity and the corresponding password. If cloud verification finds no such user, or the user name and password do not match, an error message is returned and the user needs to register or re-enter the account and the correct password. If the user name and the corresponding password are correct, the process moves on to the next stage of authentication. What the network channel in the communication module transmits is the user name and user password information to be verified, and cloud verification retrieves these two items from the database.

Step 2: After a successful login, the process enters the smart identity card scanning stage. User U uses the mobile terminal device to read the identity card ID information from the user's identity card into the authentication system. The process is as follows:

(1) After the user has read in the identity card information ID through the radio frequency card reader, the following calculations are first performed on the mobile device terminal:

Figure 106131301-A0305-02-0011-1
Encrypt the identity ID with the user public key KuR to obtain the encrypted user ID, generate the random number N1 with a random sequence generator, compute the authentication request using the server's public key, and temporarily store the random number R1.

Figure 106131301-A0305-02-0011-2
Send the authentication request message. The authentication request contains the encrypted user ID information and the random number N1, and the random number R1 must be stored temporarily.

(2) After the server receives the authentication request sent by the user:

Figure 106131301-A0305-02-0011-3
The cloud decrypts the authentication request with its private key using the elliptic curve cryptographic algorithm module, obtaining the user's encrypted ID information and the random number R1 sent by the user. The server then checks whether this encrypted ID information matches the EncipherID entry for user userN in the authentication database. If it does not match, an error message is returned and authentication fails. That is, each user name is bound one-to-one to its identity ID information, so even if an intruder steals the user name and password and logs in to the system, they cannot pass authentication because they cannot scan in the corresponding encrypted ID information.

Figure 106131301-A0305-02-0012-4
Figure 106131301-A0305-02-0012-5
中得到的ID加密資訊驗證正確,此時伺服器保存用戶發送的亂數N1。同時伺服器利用隨機序列發生器產生亂數N2,然後利用橢圓曲線密碼演算法模組和用戶的公鑰計算應答資訊,並發送至用戶端進行驗證。
Figure 106131301-A0305-02-0012-4
like
Figure 106131301-A0305-02-0012-5
The ID encryption information obtained in the verification is correct. At this time, the server saves the random number N1 sent by the user. At the same time, the server uses a random sequence generator to generate a random number N2, then uses the elliptic curve cryptographic algorithm module and the user's public key to calculate the response information, and sends it to the client for verification.

(3)用戶收到伺服器的應答資訊,會進行一下計算: (3) When the user receives the response information from the server, the following calculation will be performed:

Figure 106131301-A0305-02-0012-6
First, the user decrypts the response message with the user's own private key. The user then compares the N1 obtained with the previously saved R1. If the two are not equal, the user's authentication of the server fails (the server may be impersonated), the server is rejected, and authentication ends.

Figure 106131301-A0305-02-0012-7
If the random numbers N1 are equal, the user has successfully authenticated the server. The user then generates the symmetric session key K, computes the response message carrying the random number N2, and sends the response message to the server for verification.

(4) After the server receives the user's response message, it performs the following calculations:

Figure 106131301-A0305-02-0012-8
First, the server decrypts with its own private key to obtain the random number N2.

Figure 106131301-A0305-02-0012-9
The server first compares the random number N2 with the saved value. If the two are not equal, the server's verification of the user fails.

The advantages of this blockchain identity system are as follows:

(1) A smart identity card is used to ensure the security of the user's identity.

(2) Both the password information and the smart identity card's ID information are encrypted, and no information is transmitted in plaintext, so even if an intruder obtains the information transmitted over the channel by network eavesdropping or similar means, there is no need to worry about the user's password or identity card information being leaked.

(3) The identity generation process and the identity authentication process use a complex encryption process that can effectively prevent replay attacks. In addition, the client and the cloud use secondary authentication, which improves the reliability and security of the authentication process.

The foregoing describes only preferred embodiments of the present invention and is not intended to limit the scope of protection of its patent claims. The above description should be understandable and implementable by those skilled in the relevant technical field, so other equivalent changes made on the basis of the content disclosed by the present invention shall all fall within the scope of the claims of this application.

Claims (1)

A blockchain identity system, characterized in that it comprises a client and a cloud, the client consisting of a radio frequency reading module, a computing platform, a touch screen module, a communication module and a smart identity card, and the cloud consisting of a blockchain multi-node network; the blockchain multi-node network includes a data blockchain and a multi-node network, and the multi-node network is responsible for coordinating with the client to complete the identity generation process and the identity authentication process, invoking the data blockchain in doing so;

the computing platform internally contains a touch screen controller, a communication controller and a micro computing chip; the touch screen controller is used to control the display of the touch screen module and sends the information to be displayed to the touch screen module; the communication controller schedules, by serial communication, the interactive communication among the radio frequency reading module, the touch screen module and the communication module; the micro computing chip is used to process the information in the identity generation process and the identity authentication process;

the smart identity card has a built-in integrated circuit chip, the chip stores a user ID number, the user ID number of each smart identity card is unique and is used to identify the user, the smart identity card is produced by a dedicated manufacturer using dedicated equipment and is non-copyable hardware, the smart identity card is carried by a registered legitimate user, and during authentication the smart identity card must be scanned by the radio frequency reading module to read in the user ID number stored in it, in order to verify the user's identity;

the touch screen module uses a five-wire resistive screen, relies on the pressure-sensing principle, and is used to display and input the information required in the identity generation process and the identity authentication process;

the communication module is used to receive and send related information, contains a network transmission filter and a dedicated encoding chip to implement communication between the computing platform and the cloud, receives and sends network data in the form of data frames, and must also avoid background noise and interference when receiving and sending; the data frames are encoded by phase encoding, and synchronous clock encoding is used, so that the clock synchronization signal is transmitted to the other party together with the data;

in the blockchain multi-node network, the data blockchain consists of a series of data blocks linked in order of creation time, the multi-node network is a P2P network made up of multiple nodes, the nodes share information and transmit information to one another over the network, the data blockchain is open to all the nodes in the multi-node network, each data block consists of a block header and a block body, the block header contains the hash value of the previous data block, a timestamp and the hash value of the current data block, the hash value of the previous data block is used to link different data blocks, the timestamp records the time at which the current data block was linked, the hash value of the current data block is used to ensure that the content of the data block is not tampered with, and the block body records the account information of the user identity, where the legitimate account information of a user identity is: user name, user identity information, encrypted user password, encrypted user ID number, and user public key; each node contains a pseudo-random number generator;

the identity generation process is as follows:

1) the user enters the user name, the user identity information and the user password on the touch screen module, and these are transmitted to the multi-node network; the multi-node network checks whether the user name exists in the data blockchain; if the user name does not exist, proceed to the next step; if the user name exists, feedback information is sent via the communication module to the computing platform, the computing platform processes the feedback information and displays "User exists, re-enter" on the touch screen module, the user re-enters the user name on the touch screen module, and the multi-node network checks again whether the user name exists in the data blockchain;

2) the computing platform verifies whether the user password meets the requirements; if the user password meets the requirements, proceed to the next step; if it does not, this is transmitted to the touch screen module, "User password does not meet the requirements, re-enter" is displayed on the touch screen module, and the user re-enters the user password on the touch screen module;

3) the multi-node network generates a random number S1, the random number S1 is encrypted with the IDEA encryption algorithm to produce the encrypted random number S1, the encrypted random number S1 is broadcast to all the nodes in the multi-node network, all the nodes decrypt the encrypted random number S1 using the IDEA decryption algorithm, and the node that first decrypts the random number S1 becomes the node responsible for building the data blockchain;

4) the node responsible for building the data blockchain assigns the user a user public key and generates a unique identity identifier from the user identity information using a hash algorithm; the node responsible for building the data blockchain digitally signs the generated unique identity identifier to produce the unique user ID number, writes the user ID number into the smart identity card, encrypts it with the user public key to produce the encrypted user ID number, saves the current time as the timestamp of the current data block, generates the hash value of the current data block from the hash value of the previous data block using a secure hash algorithm, and generates the encrypted user password; the specific process of generating the encrypted user password is: the node responsible for building the data blockchain uses the pseudo-random number generator it contains to generate a random number, the random number serves as the user's salt, the user's salt is mixed into the user password, and a cryptographic hash function is applied to produce the encrypted user password; the user name, the user identity information, the encrypted user password, the encrypted user ID number and the user public key form the account information of the user identity, which is written, together with the user's salt, into the block body of the current data block;

the working principle of the pseudo-random number generator is as follows: the pseudo-random number generator is based on the Data Encryption Standard, includes the Triple Data Encryption Standard algorithm, and can generate random numbers cyclically; i is a natural-number variable used to denote the computation that generates the random number of the i-th round; there are three main components:

1) input part: the input part is two 64-bit pseudo-random numbers Date_i and V_i, where Date_i denotes the date and time at the start of the i-th round of computation and must be updated once after each random number R_i is generated, and V_i is the seed that must be input when the i-th random number is generated; its initial value can be set arbitrarily, and it is updated automatically in each subsequent round;

2) key generator: used for the specific computation of each round; each round of computation uses triple data algorithm encryption, and each encryption uses two fixed 56-bit keys, key K1 and key K2; these two keys must be kept secret and are specified by the pseudo-random number generator;

3) output part: the output is a 64-bit random number R_i and a 64-bit new seed V_(i+1);

the pseudo-random number generator has very high security strength, because it uses keys totaling 112 bits and data algorithm encryption with 3 key encryptions, and also because it is driven by two pseudo-random inputs, one being the current date and time Date_i and the other the seed V_i produced in the previous round; each round produces a random number R_i, but because the seed differs in each round, the random numbers produced all differ, and so the random numbers produced for each user also differ, so the random number of the next round cannot be inferred from the random number produced in the previous round;

the identity authentication process is as follows:

step 1: the client sends an authentication request to the cloud, and the user ID number stored in the smart identity card is read in via the radio frequency reading module; the multi-node network checks whether it exists in the data blockchain; if it exists, proceed to step 2; if it does not exist, the identity authentication process ends;

step 2, initial authentication: the cloud returns, via the communication module, start-authentication information to the computing platform, the computing platform processes the start-authentication information, and the touch screen module displays it, prompting the user to enter the user name and the user password; after the user enters them on the touch screen module, the user is preliminarily verified: based on the user name received, the multi-node network judges its legitimacy; if it is a legitimate user, the network then checks whether the entered user password is correct: the user's salt is retrieved from the blockchain multi-node network, the user's salt is mixed into the entered user password, the cryptographic hash function is applied, and the result is compared with the encrypted user password stored in the corresponding data block; if they are the same, the entered user password is preliminarily judged to be correct and the process enters step 3; if they are not the same, the entered user password is judged to be incorrect;

step 3, secondary authentication: the computing platform selects a large prime p and an integer a and makes these two numbers public, that is, both numbers are visible to the client and to the multi-node network; the multi-node network selects a random large prime x satisfying x < p-1 and computes a^x mod p; the value of x is kept secret and is visible only to the multi-node network; the client concatenates the user password and the user's salt, computes the hash value Z1, and generates a random number S1; it concatenates the computed hash value Z1 with the computed value of a^x mod p and the random number S1 and performs another hash operation to obtain the hash value Z2; the client sends the random number S1, the computed value of a^x mod p and the hash value Z2 together to the multi-node network;

step 4: the multi-node network retrieves the encrypted user password stored in the data blockchain, concatenates it with the received random number S1 and the computed value of a^x mod p, and performs a hash operation to obtain the hash value Z3, which is compared with the hash value Z2; if they are equal, the process continues; otherwise they are judged inconsistent; the multi-node network randomly selects a large prime y, computes a^y mod p, and keeps the value of y secret; the multi-node network again concatenates the encrypted user password, the random number S1 and the computed value of a^y mod p and performs a hash operation to obtain the hash value Z4, and sends the hash value Z4 and the computed value of a^y mod p to the client;

step 5: the client concatenates the hash value Z1 obtained in step 3, the computed value of a^y mod p and the random number S1 and performs a hash operation, and compares the result with the hash value Z4 in the message received in step 4; if they are equal, it returns a successful-authentication response to the cloud; otherwise it returns an authentication-failure message;

after the above five steps, the cloud and the client have each successfully verified the identity of the other;

the communication mode used by the blockchain identity system is a network mode with an open system architecture, in which the client first makes a request to the cloud, the cloud processes the request accordingly and executes the tasks contained in the request, and then returns the result to the client.
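The salted password storage and authentication steps 2 to 5 of the claim can be traced in code; the Python below is an added example, not part of the patent text or of any implementation by the applicant. Assumptions: SHA-256 as the hash, length-prefixed concatenation, "mixing" the salt means hashing password then salt, each hash uses the field order given where the claim first computes it (Z2 in step 3, Z4 in step 4), x and y are drawn as random integers rather than primes, the network checks the echoed a^x mod p against the value it issued, and p and a are small constructed values.

```python
import hashlib
import hmac
import secrets

# Constructed demo parameters; the claim only says "large prime p and integer a".
P = 2**127 - 1  # a known Mersenne prime, far too small for real use
A = 5


def h(*fields: bytes) -> bytes:
    """SHA-256 over length-prefixed fields (assumed encoding of 'concatenate')."""
    digest = hashlib.sha256()
    for field in fields:
        digest.update(len(field).to_bytes(4, "big"))
        digest.update(field)
    return digest.digest()


def to_bytes(n: int) -> bytes:
    return n.to_bytes((n.bit_length() + 7) // 8 or 1, "big")


def enroll(password: str):
    """Identity generation, step 4: salt the password and store only the hash."""
    salt = secrets.token_bytes(8)  # stands in for the node's 64-bit PRNG output
    return salt, h(password.encode(), salt)


class Network:
    """Multi-node network side: holds the salt and the stored password hash."""

    def __init__(self, salt: bytes, stored: bytes):
        self.salt, self.stored = salt, stored
        self.ax = None

    def initial_check(self, entered: str) -> bool:
        # Step 2: re-salt, re-hash, compare with the value stored in the block.
        return hmac.compare_digest(h(entered.encode(), self.salt), self.stored)

    def challenge(self) -> int:
        # Step 3: secret x < p-1; a^x mod p is issued for this session only.
        x = secrets.randbelow(P - 3) + 2
        self.ax = pow(A, x, P)
        return self.ax

    def verify_client(self, s1: bytes, ax: int, z2: bytes):
        # Step 4. Added check: the echoed a^x must be the one issued for this
        # session, so a message recorded in another session does not verify.
        if self.ax is None or ax != self.ax:
            return None
        z3 = h(self.stored, to_bytes(self.ax), s1)
        self.ax = None  # each issued value is accepted once
        if not hmac.compare_digest(z3, z2):
            return None
        ay = pow(A, secrets.randbelow(P - 3) + 2, P)
        return h(self.stored, s1, to_bytes(ay)), ay  # (Z4, a^y mod p)


class Client:
    """Client side: derives Z1 from the typed password and the user's salt."""

    def __init__(self, password: str, salt: bytes):
        self.z1 = h(password.encode(), salt)  # must equal the stored hash
        self.s1 = b""

    def respond(self, ax: int):
        # Step 3: fresh S1, then Z2 = H(Z1, a^x mod p, S1).
        self.s1 = secrets.token_bytes(16)
        return self.s1, ax, h(self.z1, to_bytes(ax), self.s1)

    def verify_network(self, z4: bytes, ay: int) -> bool:
        # Step 5: only a party holding the stored hash can produce this Z4.
        return hmac.compare_digest(z4, h(self.z1, self.s1, to_bytes(ay)))


def authenticate(network: Network, client: Client) -> bool:
    """Run steps 3 to 5 once; True only if both directions verify."""
    reply = network.verify_client(*client.respond(network.challenge()))
    return reply is not None and client.verify_network(*reply)


if __name__ == "__main__":
    salt, stored = enroll("constructed-demo-password")
    net = Network(salt, stored)
    print("right password:", authenticate(net, Client("constructed-demo-password", salt)))
    print("wrong password:", authenticate(net, Client("something-else", salt)))
```

In the claim, a^x mod p and a^y mod p enter only the hashes, so in this sketch they act as per-session fresh values that tie Z2 and Z4 to one run of the exchange.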
TW106131301A 2016-09-12 2017-09-12 Blockchain identity system TWI749061B (en)

Applications Claiming Priority (9)

Application Number Priority Date Filing Date Title
CN201610818054 2016-09-12
CN201610818053.3 2016-09-12
CN201610818053 2016-09-12
??201610815590.2 2016-09-12
??201610818054.8 2016-09-12
CN201610815590 2016-09-12
CN201610815590.2 2016-09-12
CN201610818054.8 2016-09-12
??201610818053.3 2016-09-12

Publications (2)

Publication Number Publication Date
TW201812630A TW201812630A (en) 2018-04-01
TWI749061B true TWI749061B (en) 2021-12-11

Family

ID=61561350

Family Applications (2)

Application Number Title Priority Date Filing Date
TW106131301A TWI749061B (en) 2016-09-12 2017-09-12 Blockchain identity system
TW106131303A TWI750223B (en) 2016-09-12 2017-09-12 Blockchain encrypted radio frequency chip storage design method

Family Applications After (1)

Application Number Title Priority Date Filing Date
TW106131303A TWI750223B (en) 2016-09-12 2017-09-12 Blockchain encrypted radio frequency chip storage design method

Country Status (2)

Country Link
TW (2) TWI749061B (en)
WO (2) WO2018046009A1 (en)

Also Published As

Publication number Publication date
TW201812638A (en) 2018-04-01
WO2018046008A1 (en) 2018-03-15
TWI750223B (en) 2021-12-21
TW201812630A (en) 2018-04-01
WO2018046009A1 (en) 2018-03-15
