
CN113569210B - Distributed identity authentication method, device access method and device - Google Patents


Info

Publication number: CN113569210B
Application number: CN202110778279.6A
Authority: CN (China)
Prior art keywords: user; service provider; cloud service; value; information
Legal status: Active
Other languages: Chinese (zh)
Other versions: CN113569210A (en)
Inventors: 鲁静, 段焱明, 程晗蕾, 齐荣, 宋斌
Current assignee: Yuanguang Software Co Ltd
Original assignee: Yuanguang Software Co Ltd
Events: application filed by Yuanguang Software Co Ltd; priority to CN202110778279.6A; publication of CN113569210A; application granted; publication of CN113569210B; legal status active; anticipated expiration


Classifications

    • G PHYSICS
    • G06 COMPUTING OR CALCULATING; COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/30 Authentication, i.e. establishing the identity or authorisation of security principals
    • G06F21/31 User authentication
    • G PHYSICS
    • G06 COMPUTING OR CALCULATING; COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/30 Authentication, i.e. establishing the identity or authorisation of security principals
    • G06F21/44 Program or device authentication
    • G06F21/445 Program or device authentication by mutual authentication, e.g. between devices or programs

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Theoretical Computer Science (AREA)
  • Software Systems (AREA)
  • Computer Hardware Design (AREA)
  • Physics & Mathematics (AREA)
  • General Engineering & Computer Science (AREA)
  • General Physics & Mathematics (AREA)
  • Financial Or Insurance-Related Operations Such As Payment And Settlement (AREA)

Abstract

The present application discloses a distributed identity authentication method, a device access method and a device. The distributed identity authentication method includes: a terminal device obtains user information; the terminal device obtains the user's encrypted information from the blockchain based on the user information; the terminal device calculates based on the encrypted information and the user information to obtain a first value; the terminal device sends the first value to the authentication cloud service provider, so that the authentication cloud service provider verifies the user's identity based on the first value. The present application can complete the user's identity authentication based on the encrypted information corresponding to the user stored in the blockchain, avoiding data leakage and single point failure problems caused by the centralized registration center.

Description

Distributed identity authentication method, equipment access method and device
Technical Field
The present application relates to the field of blockchain technologies, and in particular, to a distributed identity authentication method, a device access method and an apparatus.
Background
Mobile cloud computing provides additional computing resource capacity for resource-constrained terminal devices. However, in order to use services provided by different cloud service providers, a mobile user must register a user identity at the different cloud service providers, and must remember multiple identities and credentials to access the various cloud service providers, which is a complex and cumbersome authentication method.
Many single sign-on schemes have emerged to spare mobile users from registering repeatedly with each cloud service provider they access. Most of these schemes, however, rely on a trusted third-party registry: a centralized entity that manages the identity information of every mobile user registered with it. Because the centralized registry has complete control over the data it holds, the likelihood of user data leakage increases and the registry becomes a single point of failure.
Disclosure of Invention
The application provides a distributed identity authentication method, a device access method and a device, which can finish the identity authentication of a user based on encryption information corresponding to the user stored by a blockchain, and avoid the problems of data leakage and single-point fault caused by a centralized registration center.
In order to achieve the above object, the present application provides a distributed identity authentication method, which includes:
the terminal equipment acquires user information;
the terminal equipment acquires encryption information of a user from a blockchain based on the user information;
the terminal equipment calculates based on the encryption information and the user information to obtain a first value;
and the terminal equipment sends the first value to the authentication cloud service provider so that the authentication cloud service provider can verify the identity of the user based on the first value.
In order to achieve the above object, the present application provides a distributed identity authentication method, which includes:
the authentication cloud service provider obtains a first value from the terminal device, where the first value is calculated by the terminal device based on user encryption information and user information, and the user encryption information is obtained by the terminal device from a blockchain based on the user information;
the authentication cloud service provider verifies the first value;
if the verification passes, the authentication cloud service provider sends an identity authentication message to the terminal device to complete the identity authentication.
To achieve the above object, the present application provides a device access method, including:
the authentication cloud service provider obtains an access request and a first value sent by the terminal device, where the first value is calculated by the terminal device based on user encryption information and user information, and the user encryption information is obtained by the terminal device from a blockchain based on the user information;
the authentication cloud service provider verifies the first value;
and if the verification passes, the authentication cloud service provider grants the terminal device the authority to access the authentication cloud service provider.
In order to achieve the above object, the present application also provides an electronic device, which includes a processor; the processor is configured to execute instructions to implement the above-described method.
To achieve the above object, the present application also provides a computer-readable storage medium storing instructions/program data capable of being executed to implement the above method.
When the terminal device performs identity authentication, it first obtains the user information, then obtains the user's encryption information from the blockchain based on that user information, calculates a first value from the encryption information and the user information, and sends the first value to the authentication cloud service provider, which completes the user's identity authentication if the first value passes verification. Identity authentication therefore relies only on the encryption information corresponding to the user that is stored in the blockchain: any server registered with the blockchain can authenticate the user from that information, and no centralized server is needed to manage user information, which avoids the data leakage and single point of failure problems.
Drawings
The accompanying drawings, which are included to provide a further understanding of the application and are incorporated in and constitute a part of this specification, illustrate embodiments of the application and together with the description serve to explain the application and do not constitute a limitation on the application. In the drawings:
FIG. 1 is a flow chart of an embodiment of a blockchain-based user registration method of the present application;
FIG. 2 is a flow chart of another embodiment of a blockchain-based user registration method of the present application;
FIG. 3 is a flow chart of an embodiment of a distributed identity authentication method according to the present application;
FIG. 4 is a schematic diagram of a workflow of a terminal device in the distributed identity authentication method of the present application;
FIG. 5 is a schematic diagram of a workflow of the authentication cloud service provider in the distributed identity authentication method of the present application;
FIG. 6 is a flow chart of another embodiment of a distributed identity authentication method of the present application;
FIG. 7 is a schematic diagram of an embodiment of an electronic device of the present application;
FIG. 8 is a schematic diagram of a computer-readable storage medium according to an embodiment of the present application.
Detailed Description
The description and drawings illustrate the principles of the application. It will thus be appreciated that those skilled in the art will be able to devise various arrangements which, although not explicitly described or shown herein, embody the principles of the application and are included within its scope. Moreover, all examples herein are primarily intended explicitly for pedagogical purposes to aid the reader in understanding the principles of the application and the concepts contributed by the inventor to furthering the art, and are to be construed as being without limitation to such specifically recited examples and conditions. In addition, the term "or" as used herein refers to a non-exclusive "or" (i.e., "and/or") unless otherwise indicated (e.g., "or otherwise" or "in the alternative"). Also, the various embodiments described herein are not necessarily mutually exclusive, as some embodiments may be combined with one or more other embodiments to form new embodiments.
The method aims to solve the problems of user data leakage and single point of failure existing in the prior technical scheme for managing the user identity through a centralized registry.
The application provides a blockchain-based user registration method. When a user registers with a cloud service provider through a terminal device, the cloud service provider processes the user information into encryption information and uploads it to the blockchain. Other cloud service providers can then use the encryption information stored in the blockchain to authenticate the user, so the user does not need to register separately with each cloud service provider, and the blockchain manages the user identity information without a centralized registration center, avoiding data leakage and single point of failure problems.
The blockchain-based user registration method of the present application is described in detail below; flowcharts of embodiments of the method are shown in FIG. 1 and FIG. 2, and the method of this embodiment includes the following steps. The application field of the method is not limited; it can be applied, for example, to cross-border trade or to the management of Internet of Things devices. It should be noted that the following step numbers only simplify the description and do not limit the execution order of the steps; the steps of this embodiment may be rearranged without departing from the technical idea of the present application.
S101: the registration cloud service provider obtains a registration request of a user carrying user information.
In an implementation manner, the terminal device may directly send the registration request of the user carrying the user information to the registration cloud service provider, so that the registration cloud service provider may obtain the registration request of the user carrying the user information.
In another implementation, the user and the registration cloud service provider are both nodes of a blockchain that they maintain jointly, and the user exchanges data with the registration cloud service provider through the blockchain. The registration cloud service provider then serves only the registration request and user information it receives, without learning who the user behind the request is, so the user's privacy is protected.
In addition, the terminal device can encrypt the registration request of the user carrying the user information and send the encrypted data to the registration cloud service provider so as to improve the security of the user information. The terminal device may first select a cloud service provider as the cloud service provider (i.e. the registration cloud service provider) that receives the registration request of the user, then encrypt the registration request of the user carrying the user information with the public key of the registration cloud service provider, and then send the encrypted registration request of the user to the registration cloud service provider, so that only the registration cloud service provider can decrypt the encrypted registration request of the user with its own private key, thereby ensuring the security of the user information.
The registration cloud service provider can upload its public key to the blockchain when it registers into the blockchain, so that the terminal device can obtain the public key from the blockchain. In other embodiments, the registration cloud service provider may send the public key to some blockchain nodes it selects, or may broadcast it across the whole network to all blockchain nodes.
The public key of the registration cloud service provider can be calculated as follows: the registration cloud service provider first selects at least one private key, such as x and y, and then computes the public key from the private key(s). For example, the public key Q may be computed as Q = (x + y)·P, where x and y are the private keys selected by the registration cloud service provider and P is the base point of the elliptic curve equation.
In addition, the user can select a nearby registration cloud service provider and send the registration request carrying the user information to it, so that the nearby registration cloud service provider processes the user information. Each cloud service provider in the blockchain is then responsible for the registration requests of the user nodes adjacent to it, which realizes partitioned processing.
S102: the registration cloud service provider calculates at least one piece of encryption information based on the secret key and the user information.
After obtaining the registration request of the user carrying the user information, the registration cloud service provider processes the user information in response to the request, so that it can subsequently upload the resulting at least one piece of encryption information to the blockchain to complete the user's registration. The user and other cloud service providers can then obtain the at least one piece of encryption information corresponding to the user from the blockchain and authenticate the user's identity when the user logs in or accesses a service. The user thus registers only once to access and log in to multiple cloud service providers, and no centralized registration center is needed to manage user identity information, which avoids data leakage and single point of failure problems.
Optionally, the registration cloud service provider may perform a reversible calculation on the user information based on its key to obtain the first encryption information. After the registration cloud service provider publishes the first encryption information on the blockchain, the user can obtain it from the blockchain and compute a calculated value of the registration cloud service provider's key from the user information and the first encryption information. If the user information is correct, this calculated value equals the true value of the registration cloud service provider's key, so the user's identity authentication passes.
The user information may include association information, which the user terminal obtains by processing a biometric feature of the user. The registration cloud service provider can perform the reversible calculation on the association information based on its key to obtain the first encryption information. If the biometric feature collected by the terminal device when the user logs in matches the one collected at identity registration, the terminal device can compute the correct association information from the freshly collected biometric feature, and from it the true value of the registration cloud service provider's key, completing the user's identity authentication. The terminal device therefore neither stores the user's biometric feature nor sends it to other devices (such as the registration cloud service provider or the authentication cloud service provider), which protects the security of the user's biometric information.
Further, the association information of the user may be obtained by associating the user biometric with the initial identification of the user. Specifically, the terminal device of the user may perform fuzzy extraction on the biometric feature of the user to obtain a key string; then, the key string is associated with the initial user identifier to obtain an association value; and then carrying out hash processing on the association value to obtain association information.
Specifically, the association information is calculated as follows:
Gen(BIO_i) → (B_i, B_F);
B_1 = h(ID_i || B_i);
where Gen(·) is the generation function of the fuzzy extractor; B_i is the key string obtained by fuzzy extraction of the biometric feature; B_F is the public replication string obtained by fuzzy extraction of the biometric feature; || is the concatenation (association) operation; ⊕ is the exclusive-or operation; h(·) is a one-way hash function; and ID_i is the initial identifier of the user.
In an implementation manner, after user identity registration is completed based on the embodiment, and when a user logs in, the terminal device can send the calculated calculation value of the key of the registration cloud service provider to the authentication cloud service provider, so that the authentication cloud service provider verifies the calculation value of the key, and if the verification is passed, the authentication cloud service provider verifies the user identity.
In another implementation, the authentication cloud service provider may differ from the registration cloud service provider and may not know the true value of the registration cloud service provider's key. To let the authentication cloud service provider verify the user's identity anyway, the registration cloud service provider may use two keys, a first key and a second key. It calculates the first encryption information from the user information using the first key, and calculates the second encryption information from its own first identifier using the second key. In addition, it multiplies a preset value by the first key to obtain the third encryption information, and multiplies the preset value by the second key to obtain the fourth encryption information. In step S103 the first, second, third and fourth encryption information are uploaded to the blockchain. When the user logs in, the terminal device computes the first key from the user information and the first encryption information obtained from the blockchain, and multiplies the first key by the fourth encryption information obtained from the blockchain to get the first value. The authentication cloud service provider obtains information such as the first identifier of the registration cloud service provider, computes the second key from that first identifier and the second encryption information obtained from the blockchain, and multiplies the second key by the third encryption information obtained from the blockchain to get the second value. If the user information used by the terminal device to compute the first value is correct and the calculation is performed correctly, the second value is identical to the first value. For convenience, the first, second, third and fourth encryption information are referred to collectively as the encryption information corresponding to the user; the first and fourth encryption information together are called the encryption information of the user, and the second and third encryption information together are called the encryption information of the registration cloud service provider.
The preset value may be a randomly generated number, or a value obtained by processing the user information and/or the identification information of the registration cloud service provider. Specifically, the user information may include a user identifier, and the preset value may be calculated from the user identifier and the second identifier of the registration cloud service provider. Further, to protect the user information and the cloud service provider information, their identities can be hidden using equations such as elliptic curves; specifically, the registration cloud service provider can obtain the preset value by applying the elliptic curve equation to the sum of the user identifier and the second identifier. The user identifier may be the initial identifier of the user, or a value obtained by hashing the initial identifier of the user.
The specific calculation formula of the first encryption information may be:
where A_4 is the first encryption information of the user, B_1 is the association information of the user, n_A is the first key of the registration cloud service provider, ID_j is the second identifier of the registration cloud service provider, and ⊕ is the exclusive-or operation.
The specific calculation formula of the second encryption information may be:
where P_C is the second encryption information corresponding to the user, h(S) is the first identifier of the registration cloud service provider, n_B is the second key of the registration cloud service provider, ID_j is the second identifier of the registration cloud service provider, and ⊕ is the exclusive-or operation.
The specific calculation formula of the third encryption information may be: P_A = n_A × P·(ID_j + h(ID_i));
where P_A is the third encryption information, n_A is the first key of the registration cloud service provider, ID_j is the second identifier of the registration cloud service provider, h(ID_i) is the user identifier, and P is the base point of the elliptic curve equation.
The specific calculation formula of the fourth encryption information may be: P_B = n_B × P·(ID_j + h(ID_i));
where P_B is the fourth encryption information corresponding to the user, n_B is the second key of the registration cloud service provider, ID_j is the second identifier of the registration cloud service provider, h(ID_i) is the user identifier, and P is the base point of the elliptic curve equation.
In addition, the first identifier of the registration cloud service provider may be obtained by processing the second identifier of the registration cloud service provider.
Specifically, the registration cloud service provider may generate a first random number r;
then calculate an intermediate value by the formula S = h(r·P || ID_j), where || is the concatenation (association) operation, P is the base point of the elliptic curve equation, h(·): {0,1}* → Z_p is a one-way hash function, r is the first random number and S is the intermediate value;
and then hash the intermediate value S to obtain the first identifier h(S) of the registration cloud service provider.
The intermediate value may be stored in the local server by the registration cloud service provider. And the second identifier and/or the first identifier of the registered cloud service provider can be stored on the blockchain so that the authentication cloud service provider can acquire the second identifier and/or the first identifier of the registered cloud service provider corresponding to the user from the blockchain so as to perform identity authentication on the registered user. The second identification and/or the first identification of the registering cloud facilitator may be uploaded to the blockchain by the registering cloud facilitator itself when the registering cloud facilitator registers into the blockchain.
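As an added illustration (not code from the patent), the following Python model runs the two-key registration of step S102 and the first-value/second-value comparison described above on a toy elliptic curve. The curve parameters, the XOR form assumed for the two reversible calculations, SHA-256 as h(), and the exact-match stand-in for the fuzzy extractor Gen()/Rep() are assumptions made here, not the patent's specification.

```python
import hashlib
import secrets

# Illustration-only curve y^2 = x^3 + a*x + b over GF(p); NOT a standard curve (assumption).
p = 2**255 - 19
a = 1
G = (5, 7)                                   # plays the role of the base point P
b = (G[1] ** 2 - G[0] ** 3 - a * G[0]) % p   # b is chosen so that G lies on the curve
assert (4 * a**3 + 27 * b**2) % p != 0       # curve is non-singular


def ec_add(P1, P2):
    """Elliptic-curve group law; None represents the point at infinity."""
    if P1 is None:
        return P2
    if P2 is None:
        return P1
    x1, y1 = P1
    x2, y2 = P2
    if x1 == x2 and (y1 + y2) % p == 0:      # P1 == -P2
        return None
    if P1 == P2:                             # doubling
        lam = (3 * x1 * x1 + a) * pow(2 * y1, -1, p) % p
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, p) % p
    x3 = (lam * lam - x1 - x2) % p
    return (x3, (lam * (x1 - x3) - y1) % p)


def ec_mul(k, P1):
    """Double-and-add scalar multiplication k*P1."""
    R = None
    while k:
        if k & 1:
            R = ec_add(R, P1)
        P1 = ec_add(P1, P1)
        k >>= 1
    return R


def h(*parts):
    """One-way hash h(): SHA-256 over the '||' concatenation of the parts, as an integer."""
    data = b"||".join(str(x).encode() for x in parts)
    return int.from_bytes(hashlib.sha256(data).digest(), "big")


def gen(bio, bf=None):
    """Stand-in for the fuzzy extractor Gen()/Rep(): returns (B_i, B_F).
    A real extractor tolerates noisy biometrics; this one needs an exact match (assumption)."""
    bf = secrets.randbits(128) if bf is None else bf
    return h(bio, bf), bf


def register(id_i, b1, id_j, n_a, n_b, r):
    """Registration CSP side (S102): derive the four pieces of encryption information."""
    q = ec_mul(id_j + h(id_i), G)      # preset value (ID_j + h(ID_i)) * P
    s = h(ec_mul(r, G), id_j)          # intermediate value S = h(r*P || ID_j)
    hs = h(s)                          # first identifier h(S) of the registration CSP
    a4 = b1 ^ n_a ^ h(id_j)            # first encryption info: reversible, XOR form assumed
    pc = hs ^ n_b ^ h(id_j)            # second encryption info: reversible, XOR form assumed
    pa = ec_mul(n_a, q)                # third encryption info  P_A = n_A * Q
    pb = ec_mul(n_b, q)                # fourth encryption info P_B = n_B * Q
    # Everything below is what the chain publishes; n_A stays secret only as long as B_1 does.
    return {"A4": a4, "PC": pc, "PA": pa, "PB": pb, "hS": hs, "IDj": id_j}


def terminal_first_value(id_i, bio, bf, chain):
    """Terminal side (S201-S203): recover n_A from B_1 and A_4, then first value = n_A * P_B."""
    b_i, _ = gen(bio, bf)
    b1 = h(id_i, b_i)                  # association information B_1 = h(ID_i || B_i)
    n_a = chain["A4"] ^ b1 ^ h(chain["IDj"])
    return ec_mul(n_a, chain["PB"])


def auth_second_value(chain):
    """Authentication CSP side (S204): recover n_B from h(S) and P_C, then second value = n_B * P_A."""
    n_b = chain["PC"] ^ chain["hS"] ^ h(chain["IDj"])
    return ec_mul(n_b, chain["PA"])


def run(login_bio, enrolled_bio="fingerprint-template-0001"):
    """Constructed end-to-end run; True when the first and second values coincide."""
    id_i, id_j = "user-42", 7001                 # constructed identifiers
    b_i, bf = gen(enrolled_bio)                  # enrolment-time fuzzy extraction
    b1 = h(id_i, b_i)
    n_a, n_b, r = (secrets.randbits(256) for _ in range(3))
    chain = register(id_i, b1, id_j, n_a, n_b, r)
    first = terminal_first_value(id_i, login_bio, bf, chain)
    second = auth_second_value(chain)
    return first == second                       # n_A*(n_B*Q) == n_B*(n_A*Q) only if B_1 was right
```

Because the terminal never sends n_A or the biometric, a wrong biometric simply yields a wrong n_A and a first value that does not match the authentication side's second value.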
It will be appreciated that the blockchain-based user registration method of the present application runs on a blockchain. To facilitate management and authentication of user identities, at least some of the cloud service providers can, when the blockchain is first established, agree on a unified hash function, the base point of an elliptic curve equation and similar parameters, and publish them to the blockchain. Terminal devices and cloud service providers then process data with the same hash function and base point and can perform key conversion quickly and accurately, so that user identity authentication does not fail for external reasons such as inconsistent hash functions or base points, and a secure identity authentication channel is provided for users and cloud service providers.
In addition, before step S102, the registration cloud service provider may check on the blockchain, based on the user information, whether the user has already been registered. If so, the registration cloud service provider can ignore the registration request and can send a prompt to the terminal device to inform the user that the account is already registered; if not, step S102 is performed.
S103: the registration cloud service provider uploads at least one piece of encryption information to the blockchain to complete registration of the user.
After obtaining the at least one piece of encryption information based on step S102, the registered cloud facilitator may upload the at least one piece of encryption information to the blockchain. And the registration cloud service provider can also send a message of successful registration to the terminal equipment so as to enable the user to know that the user has successfully registered.
In addition, the terminal device may store on the device itself some parameters generated during registration (for example the public replication string B_F, the fuzzy extraction function Gen(·), the replication function Rep(·), the one-way hash h(·), the time interval Δt, the base point P, and A_1).
Here A_1 is calculated by a formula in which ID_i is the initial identifier of the user, B_i is the association information of the user, PW_i is the password entered by the user, and S_l may be a secret with a life cycle generated by processing the user's biometric feature.
After the encryption information corresponding to the user has been uploaded to the blockchain by the blockchain-based user registration method above or by another user registration method, the terminal device and the authentication cloud service provider can use that encryption information to authenticate the user's identity. The cloud service provider is the provider of the cloud service; it can be a full node of the blockchain holding a complete copy of the distributed ledger, so it can look up on the blockchain the encryption information corresponding to users registered by other cloud service providers and authenticate those users. Specifically, as shown in FIG. 3, the distributed identity authentication method using the above encryption information may include the following steps.
S201: the terminal equipment acquires user information.
S202: the terminal device obtains the encrypted information of the user from the blockchain based on the user information.
S203: the terminal equipment calculates based on the encryption information of the user and the user information to obtain a first value.
S204: the authentication cloud service provider verifies the first value.
S205: if the authentication is passed, the authentication cloud service provider sends an identity authentication message to the terminal equipment to complete identity authentication.
When the terminal device performs identity authentication, it first acquires user information, then obtains the user's encryption information from the blockchain based on that user information, and calculates a first value from the encryption information and the user information. If the authentication cloud service provider passes the first value, user identity authentication is complete. Because authentication relies only on the encryption information stored for the user on the blockchain, any server registered to the blockchain can authenticate the user from that information, and no centralized server is needed to manage user data, which avoids the data-leakage and single-point-of-failure problems of a central store.
In the first implementation manner, when the user is registered, the encryption information of the user is obtained by the registration cloud service provider performing a reversible calculation on the user information based on its own key. In step S203 the terminal device may then compute, from the user information and the encryption information of the user, the calculated value of the key of the registration cloud service provider, and send this calculated value to the authentication cloud service provider as the first value so that the authentication cloud service provider authenticates it; if the authentication passes, the authentication cloud service provider may send an identity authentication message to the terminal device to complete the identity authentication of the user. Specifically, in step S204 the authentication cloud service provider may determine the true value of the key of the registration cloud service provider from information such as the identifier of the registration cloud service provider corresponding to the user (for example, if the authentication cloud service provider is not the registration cloud service provider, it may directly request the true key value from the registration cloud service provider); if the true key value of the registration cloud service provider is consistent with the calculated key value sent by the terminal device, the first value passes authentication.
In the second implementation manner, in step S203 the terminal device may compute the calculated value of the key of the registration cloud service provider from the user information and the encryption information of the user, and then compute the first value from that calculated key value; the first value is sent to the authentication cloud service provider, which authenticates it, and if the first value passes authentication, the authentication cloud service provider sends an identity authentication message to the terminal device to complete the identity authentication of the user, that is, the user identity authentication passes. Optionally, in step S204 the authentication cloud service provider may calculate a second value based on the first value, the identifier of the registration cloud service provider and the encryption information of the registration cloud service provider, confirm whether the first value and the second value are consistent, and, if they are the same, pass the first value.
In the third implementation manner, to make it convenient for different authentication cloud service providers to verify user identities, the registration cloud service provider may, when registering a user, derive four pieces of encryption information corresponding to the user, namely first, second, third and fourth encryption information, using two keys, a first key and a second key. Specifically, in step S202 the terminal device may acquire from the blockchain, via the user information, the first encryption information and the fourth encryption information stored there when the user registered; then in step S203 the terminal device computes the calculated value of the first key of the registration cloud service provider from the first encryption information and the user information, and multiplies this calculated value of the first key by the fourth encryption information to obtain the first value; the terminal device sends the first value to the authentication cloud service provider, which in step S204 computes the second key of the registration cloud service provider from the second encryption information corresponding to the user and the identifier of the registration cloud service provider, multiplies the computed second key by the third encryption information to obtain a second value, and confirms whether the computed second value is consistent with the first value; if they are consistent, the first value passes verification, that is, the user identity authentication passes, and an identity authentication message may be sent to the terminal device to complete the identity authentication of the user.
In a fourth implementation manner, in step S202 the terminal device may acquire from the blockchain, via the user information, the first encryption information and the fourth encryption information stored there when the user registered; then in step S203 the terminal device computes the calculated value of the first key of the registration cloud service provider from the first encryption information and the user information, multiplies this calculated value of the first key by the fourth encryption information to obtain a first intermediate value, and performs reversible processing on the first intermediate value and the first encryption information to obtain the first value; the terminal device sends the first value to the authentication cloud service provider, which in step S204 computes the second key of the registration cloud service provider from the identifier of the registration cloud service provider and the second encryption information acquired from the blockchain, multiplies the computed second key by the third encryption information obtained from the blockchain to obtain a second intermediate value, performs reversible processing on the second intermediate value, the first value and the first encryption information obtained from the blockchain to obtain a second transition value, and then performs reversible calculation on the second transition value, the second intermediate value and the first encryption information to obtain a second value; finally the authentication cloud service provider confirms whether the computed second value is consistent with the first value, and if so the first value passes verification and an identity authentication message may be sent to the terminal device to complete the identity authentication of the user.
Optionally, the user information may include a user password, and the identification of the registered cloud service provider includes a first identification and a second identification. The step of the terminal device performing reversible processing on the first intermediate value and the first encryption information may include: the terminal equipment processes the user initial identifier, the user password, the current key string and the second identifier of the registered cloud service provider to obtain a first association value; and then the terminal equipment performs exclusive OR operation on the first association value, the first intermediate value and the first encryption information to obtain a first value.
The first association value may be calculated as follows:
A5 = h(IDi || PWi || Bi* || r2 || T1 || IDj);
where A5 is the first association value; IDi is the initial identifier of the user; PWi is the password of the user; Bi* is the current key string of the user; r2 is a second random number; T1 is a first time; and IDj is the second identifier of the registration cloud service provider. The second random number r2 and the first time T1 may be generated by the terminal device upon acquiring the user's encryption information from the blockchain.
In addition, the first value may be calculated from the following quantities (by the exclusive OR operation described above): A6 is the first value, A5 is the first association value, D1 is the first intermediate value, and A4 is the first encryption information of the user.
Further, in the foregoing implementation manners, the authentication cloud service provider may obtain the calculated value of the second key of the registration cloud service provider by performing a reversible computation (for example, exclusive OR) on the first identifier, the second identifier and the second encryption information of the registration cloud service provider.
In addition, the user information may include the current biometric feature of the user. In step S203 of the above implementation manners, the terminal device may process the current biometric feature to obtain the current association information of the user, and then perform a reversible operation on the current association information and the encryption information of the user to calculate the calculated value of the key of the registration cloud service provider. During identity authentication the terminal device therefore sends the authentication cloud service provider a first value derived from the biometric feature rather than the biometric feature itself. The biometric feature is thus used to authenticate the user without being sent to any other device, and the terminal device does not need to store it, which protects the user's biometric data.
Further, the user information may also include an initial identification of the user. In step S203, the terminal device may process the initial identification of the user based on the current biometric feature of the user to obtain the current association information of the user.
Specifically, the step of the terminal device processing the initial identification of the user based on the current biometric feature of the user may include: the terminal equipment can carry out fuzzy extraction on the current biological characteristics of the user so as to obtain a current key string; then, the current key string is associated with the initial user identifier to obtain an association value; and then carrying out hash processing on the association value to obtain association information.
Specifically, the current association information is calculated as follows:
Gen(BIOi*) => (Bi*, BF);
B1* = h(IDi || Bi*);
where BIOi* is the current biometric feature of the user, i.e., the biometric feature obtained from the user when the terminal device logs in to or accesses the authentication cloud service provider, or when the user performs identity authentication with the authentication cloud service provider; Gen() is the generation function of the fuzzy extractor; Bi* is the current key string obtained by fuzzy extraction of the user's current biometric feature; BF is the current common copy string obtained by fuzzy extraction of the current biometric feature; || is the concatenation (association) operation; ⊕ is the exclusive OR operation; h() is a one-way hash function; and IDi is the initial identifier of the user.
In addition, the initial identifier of the user may be used to distinguish different users, so in step S202, the terminal device may use the initial identifier of the user or the user identifier obtained by processing the initial identifier to find the encryption information of the user stored in the blockchain distributed ledger when the user registers from the blockchain.
Accordingly, after the first value is acquired from the terminal device, the authentication cloud service provider may query the blockchain for encryption information such as the first encryption information, the second encryption information, and the third encryption information corresponding to the user based on the user identification, or based on the user identification and the identification of the authentication cloud service provider, so as to perform step S204 to verify the first value.
The authentication cloud service provider can determine information such as identification of the registered cloud service provider corresponding to the user based on the following method. For example, in step S204, the authentication cloud service provider may use information such as the user identification in the user information to find information such as the identification of the registration cloud service provider from the blockchain. For another example, after the terminal device calculates the first value, the first value and the identifier of the registration cloud service provider may be sent to the authentication cloud service provider together, so that the authentication cloud service provider may receive the identifier of the registration cloud service provider while receiving the first value.
In addition, when the first value is acquired from the terminal device, the authentication cloud service provider may take the current time as a second time T2 and determine whether the difference between the second time T2 and the first time T1 is within the validity period ΔT; if so, it queries the encryption information corresponding to the user from the blockchain based on the user identifier, or based on the user identifier and the identifier of the authentication cloud service provider.
Further, before the encryption information corresponding to the user is queried from the blockchain based on the user identification or based on the user identification and the identification of the authentication cloud service provider, the authentication cloud service provider can also verify whether the user is logged off or not on the blockchain based on the identification of the user; if the user has logged off, the request is terminated, and steps S204 and S205 are not executed; if the user does not log off, steps S204 and S205 are performed to verify the first value based on the queried encrypted information corresponding to the user.
In addition, in step S205 of the above implementation manner, the authentication cloud service provider may generate an authentication message based on the first value, and transmit the generated authentication message to the terminal device.
The identity authentication message may be generated from the following quantities, but is not limited thereto: A8 is the identity authentication message, A5 is the second transition value, A6 is the first value, r2 is the second random number, T3 is a third time, and r3 is a third random number. The third time and the third random number may be generated when the authentication cloud service provider passes the first value.
In addition, the authentication cloud service provider may send the identity authentication message to the terminal device together with the third time, so that the terminal device confirms whether the difference between the time point T4 at which it receives the identity authentication message and the third time T3 is within the validity period ΔT; if so, the identity authentication is successful.
As shown in fig. 4, for the terminal device, the steps for implementing the distributed identity authentication method are as follows.
S301: the terminal equipment acquires user information.
S302: the terminal device obtains the encrypted information of the user from the blockchain based on the user information.
S303: the terminal device calculates based on the encryption information and the user information to obtain a first value.
S304: and the terminal equipment sends the first value to the authentication cloud service provider so that the authentication cloud service provider can verify the identity of the user based on the first value.
The above steps are similar to those of the embodiment shown in fig. 3, and their detailed description is omitted. When the terminal device performs identity authentication, it first obtains user information, then obtains the user's encryption information from the blockchain based on that user information, calculates a first value from the encryption information and the user information, and sends the first value to the authentication cloud service provider, which completes user identity authentication if the first value passes. Authentication therefore rests on the encryption information stored for the user on the blockchain, so that any server registered to the blockchain can authenticate the user from that information and no centralized server is needed to manage user data, which avoids the data-leakage and single-point-of-failure problems.
For authenticating a cloud service provider, refer to fig. 5, and fig. 5 is a schematic workflow diagram of authenticating the cloud service provider in the distributed identity authentication method according to the present application.
S401: the authentication cloud service provider obtains a first value from the terminal device.
The first value is calculated by the terminal equipment based on the encryption information of the user and the user information, and the encryption information of the user is obtained by the terminal equipment from the blockchain based on the user information.
S402: the authentication cloud facilitator verifies the first value.
S403: if the authentication is passed, the identity authentication message is sent to the terminal equipment to complete the identity authentication.
The steps described above in this embodiment are similar to those in the embodiment shown in fig. 3, and their detailed description is omitted. After receiving the first value from the terminal device, the authentication cloud service provider sends an identity authentication message to the terminal device to complete identity authentication if the first value passes authentication. The first value is calculated by the terminal device from the user's encryption information and the user information, and the encryption information is obtained by the terminal device from the blockchain based on the user information. User identity authentication is therefore completed from the encryption information stored for the user on the blockchain, so that any server registered to the blockchain can authenticate the user from that information and no centralized server is needed to manage user data, which avoids the data-leakage and single-point-of-failure problems.
In order to better illustrate the distributed identity authentication method of the present application, the following specific embodiment of user identity authentication is provided for illustration:
Example 1
As shown in fig. 6, the distributed identity authentication method of the present embodiment includes the following steps:
1. The user MUi supplies the identifier IDi, the password PWi and the biometric feature BIOi via the terminal device, and makes a request to the blockchain for access to the authentication cloud service provider CSPj;
2. After receiving the access request and the related information, the blockchain sends the encryption information A4 and PB stored during the earlier registration to the user;
3. After the user receives A4 and PB from the blockchain, a second random number r2 is generated, a first time T1 is taken, and the following are calculated:
A5 = h(IDi || PWi || Bi* || r2 || T1 || IDj),
D1 = nA × PB
Then the user sends the calculated information, such as the first time T1, the second random number r2 and the first value A6, to the corresponding authentication cloud service provider CSPj for identity authentication;
4. The authentication cloud service provider CSPj receives the first value A6 and the other information sent by the user MUi, verifies whether the difference between the second time T2 and the first time T1 is within the validity period ΔT, and if so requests the encryption information corresponding to the user from the blockchain using the user identifier h(IDi) and the second identifier IDj of the registration cloud service provider;
5. The blockchain receives h(IDi) and IDj sent by the authentication cloud service provider CSPj, checks on the distributed ledger whether the user has logged off, terminates the request if so, and otherwise returns the queried A4, PA and PC to the authentication cloud service provider CSPj;
6. The authentication cloud service provider CSPj receives A4, PA and PC from the blockchain and verifies by local calculation whether the locally generated key is consistent with the key sent by the user:
S1 = nB × PA
It then verifies whether the locally computed second value is equal to the first value A6 received from the user; if so, it generates a third random number r3 and a third time T3, encrypts the information into an identity authentication message A8, and sends the identity authentication message to the user MUi;
7. The user MUi receives <A8, T3> from the authentication cloud service provider CSPj, first checks whether the difference between the current timestamp T4 and the third time T3 is within the validity period ΔT, and if so the identity authentication is successful.
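The following Python script is an added worked example, not code from the patent or from Yuanguang Software. It walks through steps 1 to 7 above in the form of the third implementation manner, where the first value sent to the authentication cloud service provider is D1 = nA × PB itself and the provider compares it with its own S1 = nB × PA, together with the ΔT freshness check of step 4 and the log-off check of step 5. Everything the text leaves unspecified is an assumption of this example and is labelled in the comments: the curve (secp256k1 parameters in plain affine arithmetic, standing in for "base point P"), the reversible operation that binds nA to the user's association information and nB to the provider identifiers (exclusive OR with a SHA-256 hash), the value of ΔT, the function names, and the constructed identifiers and key string. The blockchain is modelled as an in-memory dictionary keyed by h(IDi), and the fuzzy-extractor output Bi is taken as a fixed byte string.

```python
import hashlib
import secrets

# Toy elliptic curve (secp256k1 parameters, plain affine arithmetic) standing in
# for the page's "base point P"; a deployment would use an audited EC library.
p = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F
n = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
P = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)

def ec_add(Q, R):
    """Point addition on y^2 = x^3 + 7; None is the point at infinity."""
    if Q is None:
        return R
    if R is None:
        return Q
    if Q[0] == R[0] and (Q[1] + R[1]) % p == 0:
        return None
    if Q == R:
        lam = 3 * Q[0] * Q[0] * pow(2 * Q[1], -1, p) % p
    else:
        lam = (R[1] - Q[1]) * pow(R[0] - Q[0], -1, p) % p
    x = (lam * lam - Q[0] - R[0]) % p
    return (x, (lam * (Q[0] - x) - Q[1]) % p)

def ec_mul(k, Q):
    """Scalar multiplication k x Q by double-and-add."""
    result = None
    while k > 0:
        if k & 1:
            result = ec_add(result, Q)
        Q = ec_add(Q, Q)
        k >>= 1
    return result

def h(*parts):
    """One-way hash h(a||b||...) as a 256-bit integer (SHA-256 of the concatenation)."""
    return int.from_bytes(hashlib.sha256(b"||".join(parts)).digest(), "big")

DELTA_T = 60  # validity period ΔT in seconds (value assumed for the example)

def register(chain, ID_i, B_i, ID_j1, ID_j2):
    """Registration CSP: two keys nA, nB and the four pieces of encryption
    information. The XOR binding of the keys is this example's assumption."""
    n_A = secrets.randbelow(n - 1) + 1            # first key
    n_B = secrets.randbelow(n - 1) + 1            # second key
    B_1 = h(ID_i, B_i)                            # association information h(IDi||Bi)
    A_4 = B_1 ^ n_A                               # first encryption info (hides nA)
    enc_2 = n_B ^ h(ID_j1, ID_j2)                 # second encryption info (hides nB)
    P_A = ec_mul(n_A, P)                          # third encryption info  nA x P
    P_B = ec_mul(n_B, P)                          # fourth encryption info nB x P
    chain[h(ID_i)] = {"A4": A_4, "enc2": enc_2, "PA": P_A, "PB": P_B,
                      "IDj": (ID_j1, ID_j2), "logged_off": False}

def terminal_first_value(chain, ID_i, B_i_star, T_1):
    """Terminal, step S203: recover nA from A4 and the current association
    information B1* = h(IDi||Bi*), then compute the first value D1 = nA x PB."""
    rec = chain[h(ID_i)]
    n_A_calc = rec["A4"] ^ h(ID_i, B_i_star)
    return {"uid": h(ID_i), "D1": ec_mul(n_A_calc, rec["PB"]), "T1": T_1}

def csp_verify(chain, msg, T_2):
    """Authentication CSP, step S204: freshness and log-off checks, then
    recompute nB, form S1 = nB x PA and compare it with the received D1."""
    if not (0 <= T_2 - msg["T1"] <= DELTA_T):
        return False
    rec = chain.get(msg["uid"])
    if rec is None or rec["logged_off"]:
        return False
    n_B_calc = rec["enc2"] ^ h(*rec["IDj"])
    return ec_mul(n_B_calc, rec["PA"]) == msg["D1"]

def run_demo():
    chain = {}                                    # in-memory stand-in for the ledger
    ID_i = b"MU_i-constructed"
    B_i = hashlib.sha256(b"constructed key string from Gen(BIO_i)").digest()
    register(chain, ID_i, B_i, b"CSP_j-id1", b"CSP_j-id2")
    t0 = 1_700_000_000
    return {
        "genuine": csp_verify(chain, terminal_first_value(chain, ID_i, B_i, t0), t0 + 5),
        "wrong_biometric": csp_verify(chain, terminal_first_value(chain, ID_i, b"other", t0), t0 + 5),
        "stale": csp_verify(chain, terminal_first_value(chain, ID_i, B_i, t0), t0 + DELTA_T + 1),
    }

if __name__ == "__main__":
    print(run_demo())
```

The genuine run passes because both sides arrive at nA·nB·P; a wrong key string Bi* recovers a wrong nA and the points differ, and a first value older than ΔT is rejected before any ledger lookup, which is the order of checks steps 4 and 5 describe.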
The identity authentication method of the application can be applied to a plurality of application scenes, such as the following two application scenes.
In an application scenario, before the terminal device accesses the authentication cloud service provider, the identity authentication method of the present application may be executed, so that the authentication cloud service provider grants access rights to the terminal device after the authentication cloud service provider passes the identity authentication of the user using the terminal device. Specifically, in step S202, and in the application scenario, the terminal device may propose an access request of the user to the authentication cloud service provider to the blockchain commonly maintained by the terminal device and the authentication cloud service provider, so that the blockchain transmits the encrypted information of the user to the terminal device in response to the access request. The access request sent by the terminal equipment can carry information such as user identification and the like, so that the blockchain can find encryption information of the user stored on the blockchain when the user registers based on the information such as the user identification and the like.
In another application scenario, before the terminal device interacts with the authentication cloud service provider, the identity authentication method of the application can be executed, so that after the authentication cloud service provider passes the identity authentication of the user using the terminal device, the authentication cloud service provider performs information interaction with the terminal device.
In addition, if the user forgets the password or otherwise needs to update or retrieve it, the user may input the current biometric feature BIOi* and the identifier IDi to the terminal device, which verifies them; if verification succeeds, the terminal device grants the user's password reset request, and the user may then input a new password or obtain a reset password from the terminal device.
The terminal device may verify the current biometric feature BIOi* and the identifier IDi of the user as follows:
The terminal device computes the current biometric feature BIOi* with the copy function of the fuzzy extractor, i.e., Rep(BIOi*, PF) = Bi*, to obtain the current key string Bi*;
The terminal device associates the current key string Bi* with the user's identifier IDi, i.e., computes B1* = h(IDi || Bi*), to obtain the current association information B1*;
The terminal device verifies whether the current association information B1* of the user is consistent with the association information B1 stored on the terminal device;
If so, a new secret with a life cycle sn is generated, a new A1n is generated from the new password PWin and sn, and A1 in the original mobile device is replaced with the new A1n. This completes the password update/retrieval without any participation of a cloud service provider.
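As an added example (not the patent's or the assignee's code), the script below models the local check that gates the password reset described above: Gen() at registration, Rep() at reset time, and the comparison of B1* = h(IDi || Bi*) with the stored B1. The text names a fuzzy extractor but not its construction, so the example uses a textbook code-offset sketch built on a 5-fold repetition code, which corrects up to two flipped bits in each block of five, and hashes the recovered bits to obtain the key string; the biometric is modelled as a constructed bit vector, and the function names, the repetition factor and the identifiers are assumptions. The example stops at the accept/reject decision.

```python
import hashlib
import hmac
import secrets

REP = 5  # repetition factor (assumed): each key bit is spread over 5 biometric bits

def h(*parts):
    """One-way hash h(a||b||...) modelled as SHA-256 over the concatenation."""
    return hashlib.sha256(b"||".join(parts)).digest()

def bits_to_key_string(bits):
    # Extractor step (simplified): hash the recovered bits into the key string.
    return h(bytes(bits))

def gen(bio_bits):
    """Gen(BIO_i) -> (B_i, P_F): code-offset secure sketch with a repetition code.
    bio_bits is a list of 0/1 values whose length is a multiple of REP."""
    assert len(bio_bits) % REP == 0
    key_bits = [secrets.randbelow(2) for _ in range(len(bio_bits) // REP)]
    codeword = [b for b in key_bits for _ in range(REP)]
    helper = [w ^ c for w, c in zip(bio_bits, codeword)]   # public helper string P_F
    return bits_to_key_string(key_bits), helper

def rep(bio_bits_star, helper):
    """Rep(BIO_i*, P_F) -> B_i*: strip the helper and majority-decode each block,
    so up to (REP-1)//2 flipped bits per block are corrected."""
    noisy_codeword = [w ^ c for w, c in zip(bio_bits_star, helper)]
    key_bits = [1 if sum(noisy_codeword[i:i + REP]) * 2 > REP else 0
                for i in range(0, len(noisy_codeword), REP)]
    return bits_to_key_string(key_bits)

def reset_allowed(stored_B1, ID_i, bio_bits_star, helper):
    """Terminal-side check that gates the password reset:
    B1* = h(ID_i || B_i*) must equal the B1 stored at registration."""
    B_i_star = rep(bio_bits_star, helper)
    B_1_star = h(ID_i, B_i_star)
    return hmac.compare_digest(B_1_star, stored_B1)   # constant-time comparison

def run_reset_demo():
    ID_i = b"MU_i-constructed"
    # Constructed biometric feature: 60 bits derived deterministically from a seed.
    seed = hashlib.sha256(b"constructed biometric").digest()
    bio = [(seed[i // 8] >> (i % 8)) & 1 for i in range(60)]
    B_i, P_F = gen(bio)                 # registration: key string and helper
    stored_B1 = h(ID_i, B_i)            # B1 = h(IDi || Bi) kept on the device

    small_noise = bio[:]                # same user, one flip in each of two blocks
    small_noise[3] ^= 1
    small_noise[17] ^= 1
    too_much_noise = bio[:]             # three flips inside one block of five
    for i in (0, 1, 2):
        too_much_noise[i] ^= 1
    impostor = [1 - b for b in bio]     # constructed impostor: differs in every bit

    return {
        "same_user_small_noise": reset_allowed(stored_B1, ID_i, small_noise, P_F),
        "too_much_noise": reset_allowed(stored_B1, ID_i, too_much_noise, P_F),
        "impostor": reset_allowed(stored_B1, ID_i, impostor, P_F),
    }

if __name__ == "__main__":
    print(run_reset_demo())
```

Only the helper string P_F and the hash B1 are kept on the device, which is what lets the text claim that the raw biometric never needs to be stored: a noisy re-reading within the code's error budget reproduces the same Bi*, while readings outside it, or from another person, produce a different key string and fail the comparison.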
Referring to fig. 7, fig. 7 is a schematic structural diagram of an electronic device 20 according to an embodiment of the application. The electronic device 20 of the present application includes a processor 22 for executing instructions to implement the methods provided by any of the embodiments and any non-conflicting combinations of blockchain-based user registration methods of the present application described above.
The electronic device 20 may be a terminal such as a mobile phone, a notebook computer, or may also be a server.
The processor 22 may also be referred to as a CPU (Central Processing Unit). The processor 22 may be an integrated circuit chip having signal processing capabilities. Processor 22 may also be a general purpose processor, a Digital Signal Processor (DSP), an Application Specific Integrated Circuit (ASIC), a Field Programmable Gate Array (FPGA) or other programmable logic device, discrete gate or transistor logic, or discrete hardware components. A general purpose processor may be a microprocessor, or the processor 22 may be any conventional processor or the like.
The electronic device 20 may further comprise a memory 21 for storing instructions and data needed for the operation of the processor 22.
Referring to fig. 8, fig. 8 is a schematic structural diagram of a computer readable storage medium according to an embodiment of the application. The computer readable storage medium 30 of an embodiment of the present application stores instructions/program data 31 that, when executed, implement the methods provided by any of the above-described embodiments of the present application, as well as any non-conflicting combination thereof. The instructions/program data 31 may be stored in the storage medium 30 as a software product in the form of a program file, so that a computer device (which may be a personal computer, a server, or a network device, etc.) or a processor performs all or part of the steps of the methods according to the embodiments of the present application. The aforementioned storage medium 30 includes: a USB flash drive, a removable hard disk, a Read-Only Memory (ROM), a Random Access Memory (RAM), a magnetic disk, an optical disk, or other media capable of storing program code, or a computer, a server, a mobile phone, a tablet, or other devices.
In the several embodiments provided in the present application, it should be understood that the disclosed systems, devices, and methods may be implemented in other manners. For example, the apparatus embodiments described above are merely illustrative, e.g., the division of elements is merely a logical functional division, and there may be additional divisions of actual implementation, e.g., multiple elements or components may be combined or integrated into another system, or some features may be omitted, or not performed. Alternatively, the coupling or direct coupling or communication connection shown or discussed with each other may be an indirect coupling or communication connection via some interfaces, devices or units, which may be in electrical, mechanical or other form.
In addition, each functional unit in the embodiments of the present application may be integrated in one processing unit, or each unit may exist alone physically, or two or more units may be integrated in one unit. The integrated units may be implemented in hardware or in software functional units.
It should also be noted that the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or apparatus. Without further limitation, an element defined by the phrase "comprising one … …" does not exclude the presence of other like elements in a process, method, article, or apparatus that comprises an element.
The foregoing is only the embodiments of the present application, and therefore, the patent scope of the application is not limited thereto, and all equivalent structures or equivalent processes using the descriptions of the present application and the accompanying drawings, or direct or indirect application in other related technical fields, are included in the scope of the application.

Claims (12)

1. A distributed identity authentication method, characterized in that the method comprises:
a terminal device obtains user information;
the terminal device obtains the user's encrypted information from a blockchain based on the user information, wherein the user's encrypted information is obtained by a registration cloud service provider performing a reversible calculation on the user information based on a key of the registration cloud service provider, the user information includes association information, and the association information is obtained by a user terminal processing a biometric feature of the user;
the terminal device derives the first key of the registration cloud service provider based on the user's encrypted information and the user information to obtain a first value; the user's encrypted information includes fourth encrypted information, the fourth encrypted information is obtained by multiplying a second key of the registration cloud service provider by a preset value, the preset value is calculated based on the user information, and the first value is obtained by multiplying the derived value of the first key of the registration cloud service provider by the fourth encrypted information;
the terminal device sends the first value to an authentication cloud service provider, so that the authentication cloud service provider completes the identity authentication of the user by confirming whether the first value and a second value are equal, wherein the second value is obtained by multiplying the second key of the registration cloud service provider by third encrypted information, the third encrypted information is obtained by multiplying the first key by the preset value, the second key of the registration cloud service provider is derived by the authentication cloud service provider based on an identifier of the registration cloud service provider and encrypted information of the registration cloud service provider, and the registration cloud service provider is the cloud service provider that completed the user's registration in response to the user's registration request.

2. The distributed identity authentication method according to claim 1, characterized in that:
the step of the terminal device deriving the first key of the registration cloud service provider based on the user's encrypted information and the user information to obtain the first value comprises: the terminal device deriving the first key of the registration cloud service provider based on the user's encrypted information, the identifier of the registration cloud service provider and the user information;
the step of the authentication cloud service provider completing the identity authentication of the user by confirming whether the first value and the second value are equal comprises: when the authentication cloud service provider confirms that the first value and the second value are equal, the authentication cloud service provider sends an identity authentication message to the terminal device to complete the identity authentication.

3. The distributed identity authentication method according to claim 1, characterized in that the user information includes the user's current biometric feature and the user's initial identifier, and the step of the terminal device deriving the first key of the registration cloud service provider based on the user's encrypted information and the user information to obtain the first value comprises:
the terminal device processes the initial identifier based on the current biometric feature to obtain current association information;
the terminal device derives the first key of the registration cloud service provider based on the current association information and the user's encrypted information.

4. The distributed identity authentication method according to claim 3, characterized in that the user's encrypted information includes first encrypted information, the identifier of the registration cloud service provider includes a second identifier, and the step of the terminal device deriving the first key of the registration cloud service provider based on the current association information and the user's encrypted information comprises:
the terminal device performs a reversible calculation on the current association information, the first encrypted information and the second identifier of the registration cloud service provider to obtain a derived value of the first key of the registration cloud service provider, the registration cloud service provider being the cloud service provider that completed the user's registration in response to the user's registration request;
the terminal device multiplies the derived value of the first key by the fourth encrypted information to obtain the first value.

5. The distributed identity authentication method according to claim 4, characterized in that the step of the terminal device multiplying the derived value of the first key by the fourth encrypted information to obtain the first value comprises:
the terminal device multiplies the derived value of the first key by the fourth encrypted information to obtain a first intermediate value;
the terminal device performs reversible processing on the first intermediate value and the first encrypted information to obtain the first value.

6. The distributed identity authentication method according to claim 5, characterized in that the user information includes a user password, and the step of the terminal device performing reversible processing on the first intermediate value and the first encrypted information to obtain the first value comprises:
the terminal device processes the initial identifier, the user's password, a current key string and the second identifier of the registration cloud service provider to obtain a first association value;
the terminal device performs an XOR operation on the first association value, the first intermediate value and the first encrypted information to obtain the first value;
wherein the current key string is obtained by the terminal device extracting the current biometric feature with a fuzzy extractor.

7. An identity authentication method, characterized in that the method comprises:
an authentication cloud service provider obtains a first value from a terminal device, the first value being obtained by the terminal device deriving the first key of a registration cloud service provider based on the user's encrypted information and user information, the user's encrypted information being obtained by the terminal device from a blockchain based on the user information, the user's encrypted information being obtained by the registration cloud service provider performing a reversible calculation on the user information based on a key of the registration cloud service provider, the user information including association information obtained by a user terminal processing a biometric feature of the user, the user's encrypted information including fourth encrypted information obtained by multiplying the second key of the registration cloud service provider by a preset value, the preset value being calculated based on the user information, and the first value being obtained by the terminal device multiplying the derived value of the first key of the registration cloud service provider by the fourth encrypted information;
the authentication cloud service provider confirms whether the first value and a second value are equal, the second value being obtained by the authentication cloud service provider multiplying the second key of the registration cloud service provider by third encrypted information, the second key of the registration cloud service provider being derived by the authentication cloud service provider based on the identifier of the registration cloud service provider and the encrypted information of the registration cloud service provider, the third encrypted information being obtained by multiplying the first key by the preset value, and the registration cloud service provider being the cloud service provider that completed the user's registration in response to the user's registration request;
if they are equal, the authentication cloud service provider sends an identity authentication message to the terminal device to complete the identity authentication.

8. The identity authentication method according to claim 7, characterized in that, before the authentication cloud service provider confirms whether the first value and the second value are equal, the method comprises:
the authentication cloud service provider requests the encrypted information of the registration cloud service provider from the blockchain using the identifier of the registration cloud service provider.

9. The identity authentication method according to claim 8, characterized in that the identifier of the registration cloud service provider includes a first identifier and a second identifier, and the encrypted information of the registration cloud service provider includes second encrypted information and third encrypted information;
before the step of the authentication cloud service provider confirming whether the first value and the second value are equal, the method comprises: the authentication cloud service provider requests the user's first encrypted information from the blockchain based on a user identifier;
the step of calculating the second value comprises:
the authentication cloud service provider performs a calculation on the first identifier, the second identifier and the second encrypted information of the registration cloud service provider to obtain a derived value of the second key of the registration cloud service provider;
the authentication cloud service provider multiplies the derived value of the second key by the third encrypted information to obtain a second intermediate value;
the authentication cloud service provider performs a reversible calculation on the second intermediate value, the first encrypted information and the first value to obtain a second transition value;
the authentication cloud service provider performs a reversible calculation on the second transition value, the second intermediate value and the first encrypted information to obtain the second value.

10. A device access method, characterized in that the method comprises:
an authentication cloud service provider obtains an access request and a first value sent by a terminal device, the first value being obtained by the terminal device deriving the first key of a registration cloud service provider based on the user's encrypted information and user information, the user's encrypted information being obtained by the terminal device from a blockchain based on the user information, the user's encrypted information being obtained by the registration cloud service provider performing a reversible calculation on the user information based on a key of the registration cloud service provider, the user information including association information obtained by a user terminal processing a biometric feature of the user, the user's encrypted information including fourth encrypted information obtained by multiplying the second key of the registration cloud service provider by a preset value, the preset value being calculated based on the user information, and the first value being obtained by the terminal device multiplying the derived value of the first key of the registration cloud service provider by the fourth encrypted information;
the authentication cloud service provider confirms whether the first value and a second value are equal, the second value being obtained by the authentication cloud service provider multiplying the second key of the registration cloud service provider by third encrypted information, the second key of the registration cloud service provider being derived by the authentication cloud service provider based on the identifier of the registration cloud service provider and the encrypted information of the registration cloud service provider, the third encrypted information being obtained by multiplying the first key by the preset value, and the registration cloud service provider being the cloud service provider that completed the user's registration in response to the user's registration request;
if they are equal, the authentication cloud service provider grants the terminal device permission to access the authentication cloud service provider.

11. An electronic device, characterized in that the electronic device comprises a processor, the processor being configured to execute instructions to implement the method according to any one of claims 1 to 10.

12. A computer-readable storage medium, characterized in that the computer-readable storage medium stores a program file capable of implementing the method according to any one of claims 1 to 10.
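The comparison at the heart of claims 1, 7 and 10 (terminal computes derived-K1 times E4, authentication provider computes derived-K2 times E3, accept if equal) can be modelled end to end. The Python below is an added worked example, not the patent's or the applicant's code. It assumes the "multiplication" is multiplication modulo a public prime, that the "reversible calculation" hiding each key is an XOR with a SHA-256-derived mask, and that the biometric is an exact byte string (the fuzzy extractor, password and key string of claim 6 and the transition values of claim 9 are not modelled); all names (`RegistrationCSP`, `E1`..`E4`, `preset_value`) are this example's own.

```python
"""Model of the product-comparison check in claims 1, 7 and 10 (illustrative, not the patent's code).

Assumptions (not fixed by the claims):
- "multiplication" is multiplication modulo the public prime P_MOD;
- the "reversible calculation" that hides a key is XOR with a SHA-256-derived mask;
- the biometric is an exact byte string; claim 6's fuzzy extractor is not modelled.
"""
import hashlib
import secrets

P_MOD = (1 << 127) - 1  # public prime modulus (assumption)


def h_int(*parts: bytes) -> int:
    """Hash byte strings to a non-zero element of Z_p (SHA-256 stands in for the 'processing')."""
    digest = hashlib.sha256(b"|".join(parts)).digest()
    return int.from_bytes(digest, "big") % (P_MOD - 1) + 1


def to_bytes(x: int) -> bytes:
    return x.to_bytes(16, "big")


def association_info(initial_id: bytes, biometric: bytes) -> int:
    """Claim 3: the terminal processes the user's initial identifier with the biometric feature."""
    return h_int(b"assoc", initial_id, biometric)


def preset_value(assoc: int) -> int:
    """The 'preset value' of claim 1, computed from user information (here: the association info)."""
    return h_int(b"preset", to_bytes(assoc))


class RegistrationCSP:
    """Cloud service provider that registers the user and publishes the encrypted records."""

    def __init__(self, id1: bytes, id2: bytes):
        self.id1, self.id2 = id1, id2
        self.k1 = secrets.randbelow(P_MOD - 1) + 1  # first key
        self.k2 = secrets.randbelow(P_MOD - 1) + 1  # second key

    def register(self, assoc: int) -> dict:
        """Records written to the blockchain (modelled as a dict).

        E1 hides K1 under the user's association info and the CSP's second id (claim 4),
        E2 hides K2 under the CSP identifiers (claim 9),
        E3 = K1 * preset and E4 = K2 * preset (claims 1 and 7).
        """
        p = preset_value(assoc)
        return {
            "E1": self.k1 ^ h_int(b"user-mask", to_bytes(assoc), self.id2),
            "E2": self.k2 ^ h_int(b"csp-mask", self.id1, self.id2),
            "E3": (self.k1 * p) % P_MOD,
            "E4": (self.k2 * p) % P_MOD,
        }


def terminal_first_value(chain: dict, initial_id: bytes, biometric: bytes, csp_id2: bytes) -> int:
    """Claims 1, 3, 4: recover K1 from E1 using the *current* biometric, then multiply by E4."""
    assoc_now = association_info(initial_id, biometric)
    k1_est = chain["E1"] ^ h_int(b"user-mask", to_bytes(assoc_now), csp_id2)
    return (k1_est * chain["E4"]) % P_MOD


def auth_csp_second_value(chain: dict, csp_id1: bytes, csp_id2: bytes) -> int:
    """Claims 7 and 9: recover K2 from E2 using the CSP identifiers, then multiply by E3."""
    k2_est = chain["E2"] ^ h_int(b"csp-mask", csp_id1, csp_id2)
    return (k2_est * chain["E3"]) % P_MOD


def authenticate(chain: dict, initial_id: bytes, biometric_now: bytes,
                 csp_id1: bytes, csp_id2: bytes) -> bool:
    """Claim 7: the authentication provider accepts iff first value == second value.

    Both sides end up with K1*K2*preset mod P_MOD, so they agree only when the terminal
    recovered the same K1, i.e. presented the same identifier and biometric as at registration.
    """
    first = terminal_first_value(chain, initial_id, biometric_now, csp_id2)
    second = auth_csp_second_value(chain, csp_id1, csp_id2)
    return first == second


# Constructed sample data for the demo (not from the patent).
CSP_ID1, CSP_ID2 = b"csp-A-id1", b"csp-A-id2"
USER_ID = b"user-0001"
ENROLLED_BIO = b"fingerprint-template-v1"


def demo(biometric_now: bytes = ENROLLED_BIO) -> bool:
    """Register once, then authenticate with the given biometric; returns the verdict."""
    csp = RegistrationCSP(CSP_ID1, CSP_ID2)
    chain = csp.register(association_info(USER_ID, ENROLLED_BIO))
    return authenticate(chain, USER_ID, biometric_now, CSP_ID1, CSP_ID2)


if __name__ == "__main__":
    print("genuine biometric accepted:", demo())
    print("wrong biometric accepted:  ", demo(b"someone-else-template"))
```

In this model the equality test reduces to the commutativity of K1 and K2 under the chosen multiplication: a wrong biometric or a wrong CSP identifier yields a different mask, hence a different derived K1, and the products differ. Which group the multiplication is performed in, and how the on-chain records E1..E4 are bound to the intended parties, are left open by the claims and are assumptions of this example.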
CN202110778279.6A 2021-07-09 2021-07-09 Distributed identity authentication method, device access method and device Active CN113569210B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202110778279.6A CN113569210B (en) 2021-07-09 2021-07-09 Distributed identity authentication method, device access method and device

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202110778279.6A CN113569210B (en) 2021-07-09 2021-07-09 Distributed identity authentication method, device access method and device

Publications (2)

Publication Number Publication Date
CN113569210A CN113569210A (en) 2021-10-29
CN113569210B true CN113569210B (en) 2024-11-22

Family

ID=78164272

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202110778279.6A Active CN113569210B (en) 2021-07-09 2021-07-09 Distributed identity authentication method, device access method and device

Country Status (1)

Country Link
CN (1) CN113569210B (en)

Families Citing this family (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN112948784B (en) * 2021-03-23 2024-05-14 中国信息通信研究院 Internet of Things terminal identity authentication method, computer storage medium and electronic device
CN115242435B (en) * 2022-06-13 2023-05-26 中国电子科技集团公司第三十研究所 A multi-factor authentication system and method with verifiable attributes
CN115766115B (en) * 2022-10-28 2024-09-13 支付宝(杭州)信息技术有限公司 Identity verification method and device, storage medium and electronic equipment

Citations (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN107196966A (en) * 2017-07-05 2017-09-22 北京信任度科技有限公司 The identity identifying method and system of multi-party trust based on block chain

Family Cites Families (12)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
KR101464724B1 (en) * 2013-10-15 2014-11-27 순천향대학교 산학협력단 OpenID Based User Authentication Scheme for Multi-clouds Environment
KR101659226B1 (en) * 2015-05-27 2016-09-30 인하대학교 산학협력단 Method and system for remote biometric verification using fully homomorphic encryption
DE102016202262A1 (en) * 2016-02-15 2017-08-17 Bundesdruckerei Gmbh A method and system for authenticating a mobile telecommunication terminal to a service computer system and mobile telecommunication terminal
CN106533696B (en) * 2016-11-18 2019-10-01 江苏通付盾科技有限公司 Identity identifying method, certificate server and user terminal based on block chain
CN109041205A (en) * 2018-08-23 2018-12-18 刘高峰 Client registers method, apparatus and system
CN109983466B (en) * 2018-09-27 2023-03-03 区链通网络有限公司 Account management system and method based on block chain and storage medium
CN109359464B (en) * 2018-10-29 2021-10-15 南通大学 A wireless security authentication method based on blockchain technology
CN109862041B (en) * 2019-03-27 2021-06-15 深圳市网心科技有限公司 A digital identity authentication method, device, device, system and storage medium
CN110069918B (en) * 2019-04-11 2020-12-04 苏州同济区块链研究院有限公司 Efficient double-factor cross-domain authentication method based on block chain technology
CN110457878A (en) * 2019-08-14 2019-11-15 北京中电普华信息技术有限公司 A blockchain-based identity authentication method, device and system
CN111148094B (en) * 2019-12-30 2023-11-21 全链通有限公司 Registration method of 5G user terminal, user terminal equipment and medium
CN112052444B (en) * 2020-10-10 2022-08-05 江苏工程职业技术学院 Authentication system and method of identity authentication system based on block chain technology

Patent Citations (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN107196966A (en) * 2017-07-05 2017-09-22 北京信任度科技有限公司 The identity identifying method and system of multi-party trust based on block chain

Also Published As

Publication number Publication date
CN113569210A (en) 2021-10-29

Similar Documents

Publication Publication Date Title
JP7121459B2 (en) Blockchain authentication via hard/soft token verification
JP6716745B2 (en) Blockchain-based authorization authentication method, terminal and server using this
US10567370B2 (en) Certificate authority
CN113569210B (en) Distributed identity authentication method, device access method and device
US11700133B2 (en) Zero-knowledge proof-based certificate service method using blockchain network, certification support server using same, and user terminal using same
US20200412554A1 (en) Id as service based on blockchain
WO2011134395A1 (en) Authentication method and device, authentication centre and system
US8234497B2 (en) Method and apparatus for providing secure linking to a user identity in a digital rights management system
CN107347073B (en) A kind of resource information processing method
JP2001186122A (en) Authentication system and authentication method
JP2024501326A (en) Access control methods, devices, network equipment, terminals and blockchain nodes
CN115276998B (en) Internet of Things identity authentication method, device and Internet of Things device
EP2359525B1 (en) Method for enabling limitation of service access
KR102118556B1 (en) Method for providing private blockchain based privacy information management service
CN115865520B (en) Authentication and access control method with privacy protection in mobile cloud service environment
CN113569209B (en) User registration method and device based on block chain
CN117216737A (en) Autonomous identity authentication method, system, equipment and storage medium
US9882891B2 (en) Identity verification
Mishra et al. Authenticated content distribution framework for digital rights management systems with smart card revocation
Uppuluri et al. Secure multiparty access and authentication based on advanced fuzzy extractor in smart home
CN120046130A (en) Identity authentication method and device based on blockchain, storage medium and electronic equipment
KR20250101177A (en) Apparatus and Method for Password-based Distributed Authentication
CN120639456A (en) A secure access method for the Internet of Things based on cloud-edge collaboration
CN118074925A (en) Unified identity authentication method, device and electronic equipment
CN117768170A (en) Access authentication method, device, edge device and storage medium

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant