
WO2018184447A1 - Method, device and system for deleting a digital certificate based on a blockchain, and storage medium - Google Patents


Info

Publication number
WO2018184447A1
Authority
WO
WIPO (PCT)
Prior art keywords
digital certificate
block
backup
saved
identification information
Prior art date
Application number
PCT/CN2018/078888
Other languages
English (en)
Chinese (zh)
Inventor
阎军智
Original Assignee
中国移动通信有限公司研究院
中国移动通信集团有限公司
Priority date
Filing date
Publication date
Application filed by 中国移动通信有限公司研究院, 中国移动通信集团有限公司
Publication of WO2018184447A1

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/32 including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L9/3263 involving certificates, e.g. public key certificate [PKC] or attribute certificate [AC]; Public key infrastructure [PKI] arrangements
    • H04L9/3268 using certificate validation, registration, distribution or revocation, e.g. certificate revocation list [CRL]
    • H04L9/3265 using certificate chains, trees or paths; Hierarchical trust model

Definitions

  • The embodiments of the present disclosure relate to the field of network security technologies, and in particular to a blockchain-based digital certificate deletion method, apparatus, and system.
  • A digital certificate is a file issued by an authority to prove the identity of a user on the network.
  • The process of issuing a digital certificate can also be called a Certification Authority (CA) process.
  • CA: Certification Authority
  • PKI: Public Key Infrastructure
  • The CA is the starting point of trust. If you can control a CA, you can use the CA to issue digital certificates arbitrarily. Therefore the core CA is exposed to attack: once a CA is compromised, all digital certificates issued by that CA are no longer secure and cannot be used.
  • The CA root digital certificate installed or preset by the digital certificate relying party may also be attacked. If the root digital certificate is maliciously falsified, the entire digital certificate verification process is affected, and a fake user digital certificate may even be identified as a legitimate user digital certificate.
  • Blockchain technology stores the blocks holding the digital certificates in chronological order, and generates for each block a trusted-tree (Merkle) value from the digital certificates stored in that block; the Merkle value is used to verify the digital certificates stored in the block and to prevent them from being tampered with.
  • Each verification node in the blockchain stores all the digital certificates in the blockchain and at the same time verifies requests to generate and invoke digital certificates. There is no central CA node, so even if a certain verification node fails or is attacked, the correctness of the digital certificates can still be guaranteed.
  • The blockchain contains all historical digital certificates. Over time the number of digital certificates stored in the blockchain keeps increasing, the amount of data stored by the entire blockchain grows larger and larger, and the storage and computing resources required of the verification node grow with it, which places a serious burden on the verification node and affects its operation and the user experience.
  • The embodiments of the present disclosure provide a method, a device, and a system for deleting a digital certificate based on a blockchain, which are used to solve the problem in the prior art that the amount of data in the digital certificate storage process keeps increasing, so that the storage and computing resources required of the verification node become higher, which affects the operation of the verification node and the user experience.
  • An embodiment of the present disclosure discloses a blockchain-based digital certificate deletion method, where the blockchain includes multiple verification nodes and at least one backup node, and the deletion method is applied to any backup node in the blockchain.
  • The method includes:
  • sending a delete message including the identification information of the block to each verification node in the blockchain, wherein the delete message is used to make each verification node determine whether every digital certificate in its block of that identification information is invalid, and to delete the block body of the block of that identification information when it determines that every digital certificate in the block is invalid.
  • An embodiment of the present disclosure discloses a blockchain-based digital certificate deletion method, where the blockchain includes multiple verification nodes and at least one backup node, and the deletion method is applied to any verification node in the blockchain. The method includes:
  • An embodiment of the present disclosure discloses a blockchain-based digital certificate deletion device, where the blockchain includes multiple verification nodes and at least one backup node, and the deletion device is applied to any backup node in the blockchain.
  • The device includes:
  • a determining module configured to determine, according to the information of each backup digital certificate that it saves for each block, whether every backup digital certificate saved for the block is invalid;
  • a sending module configured to send, if every backup digital certificate saved for the block is determined to be invalid, a deletion message including the identification information of the block to each verification node in the blockchain, so that each verification node determines whether every digital certificate in its own block of that identification information is invalid, and deletes the block body of that block when every digital certificate in it is invalid.
  • An embodiment of the present disclosure discloses a blockchain-based digital certificate deletion device, where the blockchain includes multiple verification nodes and at least one backup node, and the deletion device is applied to any verification node in the blockchain.
  • The device includes:
  • a receiving module configured to receive a delete message that is sent by the backup node in the blockchain and includes the identification information of a block, where the delete message is sent by the backup node after it has determined, according to the information of each backup digital certificate it saves for each block, that every backup digital certificate saved for the block is invalid;
  • a judging module configured to determine whether every digital certificate in its own block of that identification information is invalid;
  • a deleting module configured to delete the block body of the block if it is determined that every digital certificate in the block of that identification information is invalid.
  • An embodiment of the present disclosure discloses a blockchain-based digital certificate deletion system, where the deletion system includes at least one of the above blockchain-based digital certificate deletion devices applied to a backup node, and a plurality of the above blockchain-based digital certificate deletion devices applied to a verification node.
  • Embodiments of the present disclosure also disclose a computer storage medium storing computer-executable instructions; after the computer-executable instructions are executed, one or more of the blockchain-based digital certificate deletion methods applied to a backup node, or one or more of the blockchain-based digital certificate deletion methods applied to a verification node, can be carried out.
  • The embodiment of the disclosure discloses a method, a device and a system for deleting a digital certificate based on a blockchain, wherein the blockchain includes a plurality of verification nodes and at least one backup node, and the deletion method is applied to the blockchain.
  • The method includes: determining, according to the information of each backup digital certificate saved for each block, whether every backup digital certificate saved for the block is invalid; and, if it is determined that every backup digital certificate saved for the block is invalid, sending a deletion message containing the identification information of the block to each verification node in the blockchain, so that each verification node determines whether every digital certificate in its block of that identification information is invalid, and deletes the block body of that block when every digital certificate in it is invalid.
  • In this way the storage space occupied in the digital certificate storage process is reduced, the storage of the verification node and the amount of calculation required for subsequent verification are saved, the computing resources consumed are further reduced, and the operating efficiency of the verification node (for example its verification efficiency) and the user experience are improved.
  • FIG. 1 is a schematic diagram of a blockchain architecture provided by the present disclosure.
  • FIG. 2 is a schematic diagram of a blockchain-based digital certificate deletion process according to Embodiment 1 of the present disclosure.
  • FIG. 3 is a schematic diagram of the storage structure of a verification node storing digital certificates according to Embodiment 1 and Embodiment 4 of the present disclosure.
  • FIG. 4 is a schematic diagram of a blockchain-based digital certificate deletion process according to Embodiment 4 of the present disclosure.
  • FIG. 5 is a schematic structural diagram of a blockchain-based digital certificate deletion apparatus according to Embodiment 7 of the present disclosure.
  • FIG. 6 is a schematic structural diagram of a blockchain-based digital certificate deletion apparatus according to Embodiment 8 of the present disclosure.
  • FIG. 7 is a schematic structural diagram of a blockchain-based digital certificate deletion system according to Embodiment 9 of the present disclosure.
  • FIG. 1 is a schematic diagram of a blockchain architecture according to an embodiment of the present disclosure.
  • The blockchain includes multiple verification nodes and at least one backup node. Each verification node is used to verify a user's request for generating a digital certificate and a user's request for updating the status of a digital certificate.
  • Each verification node sequentially generates a new block according to a preset time sequence, stores each digital certificate into the corresponding block according to the digital certificate's generation time, and is also used to update the status of a stored digital certificate according to the user's request to update the digital certificate status.
  • The backup node is configured to back up, for each block of the verification node, each digital certificate stored in the block, and to update the status of the digital certificates backed up for each block according to the user's request to update the status of a digital certificate.
  • FIG. 2 is a schematic diagram of a blockchain-based digital certificate deletion process according to an embodiment of the present disclosure, where the process includes:
  • S201: Determine, according to the information of each backup digital certificate that is saved for each block, whether every backup digital certificate saved for the block is invalid.
  • The blockchain-based digital certificate deletion method is applied to any backup node in the blockchain, and the backup node may be a Personal Computer (PC), a server, or another machine with computing and storage functions.
  • PC: Personal Computer
  • Since the digital certificates stored in each corresponding block of each verification node are the same as long as they have not been maliciously changed in the blockchain, the backup node backs up the digital certificates saved in each block of each verification node in the blockchain; that is, it backs up the digital certificates in each block saved by the verification node, so that for each block the backup node holds a backup digital certificate corresponding to each digital certificate in that block.
  • The backup node determines, according to the information of each backup digital certificate that it saves for each block, whether every backup digital certificate saved for the block is invalid; the information of a backup digital certificate may be the validity period of the digital certificate.
  • A plurality of backup digital certificates are stored for one block. If every backup digital certificate of the block is invalid, this indicates that every digital certificate in that block is invalid and that the block can at least be deleted, so the delete message is generated.
  • For example, the backup node stores backup digital certificate 1 and backup digital certificate 2 for block A, and backup digital certificate 3 and backup digital certificate 4 for block B.
  • The current time is March 29, 2017. For block A, the backup node determines from the validity period of backup digital certificate 1, July 1, 2015 to July 1, 2016, that the validity period of backup digital certificate 1 has expired, so backup digital certificate 1 is invalid.
  • Likewise backup digital certificate 2 is invalid. Since backup digital certificate 1 and backup digital certificate 2 saved for block A are both invalid, it is determined that every backup digital certificate saved for block A is invalid.
  • For block B, the backup node determines from the validity period of backup digital certificate 3, July 5, 2015 to July 5, 2016, that the validity period of backup digital certificate 3 has expired, so backup digital certificate 3 is invalid.
  • From the validity period of backup digital certificate 4, May 1, 2016 to May 1, 2017, it determines that the validity period of backup digital certificate 4 has not expired, so backup digital certificate 4 is valid.
  • Since backup digital certificate 4 saved for block B is valid, it is determined that there is a valid backup digital certificate among the backup digital certificates saved for block B.
  • If every backup digital certificate saved for the block is invalid, send a delete message containing the identification information of the block to each verification node in the blockchain.
  • The deletion message causes each verification node to determine whether every digital certificate in its block of that identification information is invalid, and to delete the block body of the block of that identification information when it determines that every digital certificate in the block is invalid.
  • Each block in the blockchain is composed of a block header and a block body.
  • The block header stores the time at which the block was generated and the parent block hash value, that is, the hash value of the block generated before this block; the block body stores each digital certificate recorded in the block, and a Merkle value is determined from the digital certificates held in the block.
  • FIG. 3 is a schematic diagram of the storage structure of a verification node storing digital certificates according to an embodiment of the present disclosure.
  • The verification node stores a creation block, block 2, ..., block n in time order, where each block is composed of a block header and a block body, and each block body stores the digital certificates stored in that block.
  • When the backup node determines that every backup digital certificate saved for the block is invalid, this indicates that every backup digital certificate saved for the block can be deleted, and it sends a deletion message containing the identification information of the block to each verification node in the blockchain. If the digital certificates stored in each block of the verification node are the same as the backup digital certificates saved by the backup node, the verification node could directly delete the block body of the block with that identification information.
  • However, a valid digital certificate must not be deleted by mistake, which would damage the user's rights and interests.
  • Therefore, after the verification node receives the deletion message including the identification information of the block, it determines whether every digital certificate in its block of that identification information is invalid, and only when every digital certificate in that block is invalid does it delete the block body of the block of that identification information.
  • For example, when every backup digital certificate saved by the backup node for block A is invalid, this means that every backup digital certificate saved for block A can be deleted, and a deletion message including the identification information 00001 of block A is sent to each verification node in the blockchain.
  • After receiving the deletion message including the identification information 00001, the verification node identifies its own block A by the identification information 00001 and verifies whether every digital certificate in its own block A is invalid. If every digital certificate in its own block A is invalid, the block body of block A is deleted.
  • Since the delete message containing the identification information of the block is sent to each verification node only after every backup digital certificate saved for the block is invalid, and each verification node deletes the block body only after it has itself determined that every digital certificate in the block is invalid, the storage space occupied in the digital certificate storage process is reduced, the storage and computing resources of the verification node are saved, and the operating efficiency of the verification node and the user experience are improved.
  • Determining, according to the information of each backup digital certificate saved for each block, whether every backup digital certificate saved for the block is invalid includes:
  • if every backup digital certificate saved for the block has an expired validity period and/or has been revoked, determining that every backup digital certificate saved for that block is invalid.
  • The information of a backup digital certificate includes the validity period of the backup digital certificate and the status information of the backup digital certificate, where the status information includes: issued, revoked, suspended, recovered, and so on. The backup node can determine from the status information of a backup digital certificate whether the backup digital certificate has been revoked.
  • The identification of the status information of a backup digital certificate is prior art and is not described here.
  • The backup node can determine whether every backup digital certificate saved for a block is invalid according to whether the validity period of each backup digital certificate it saves for the block has expired. Of course, it can also determine whether every backup digital certificate saved for the block is invalid according to whether the status of each backup digital certificate it saves for the block is revoked.
  • It can also determine whether every backup digital certificate saved for each block is invalid according to both whether the validity period of each backup digital certificate it saves for the block has expired and whether the backup digital certificate has been revoked. If every backup digital certificate saved for the block satisfies that its validity period has expired and/or that it has been revoked, it is determined that every backup digital certificate saved for the block is invalid. In an embodiment of the present disclosure, for each backup digital certificate, if the validity period of the backup digital certificate has expired, or the backup digital certificate has been revoked, it is determined that the backup digital certificate is invalid.
  • For example, the backup node stores backup digital certificate 5 and backup digital certificate 6 for block C, where backup digital certificate 5 is valid from July 5, 2015 to July 5, 2016 and its status is not revoked, and backup digital certificate 6 is valid from July 5, 2016 to July 5, 2017 and its status is revoked. The current time is March 29, 2017. The validity period of backup digital certificate 5 has expired and the status of backup digital certificate 6 is revoked, so every backup digital certificate saved for block C is invalid.
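As an added illustration of the backup-node decision in S201 and of the expired and/or revoked rule above (example code written for this page, not code from the patent or its assignee), the Python below reproduces the description's blocks A, B and C at the current time March 29, 2017. The validity dates of backup digital certificate 2, the placeholder identification information of blocks B and C, the status strings and the serial labels are constructed assumptions; only block A's identification information 00001 and the other dates come from the description.

```python
from dataclasses import dataclass
from datetime import date
from typing import Dict, List

@dataclass(frozen=True)
class BackupCert:
    """Information a backup node keeps for one backup digital certificate (assumed layout)."""
    serial: str
    not_before: date
    not_after: date
    status: str = "issued"   # issued / revoked / suspended / recovered, as named in the description

def cert_invalid(cert: BackupCert, now: date) -> bool:
    """Invalid when the validity period has expired or the certificate has been revoked.
    A suspended certificate is not treated as invalid: it may still be recovered."""
    expired = now > cert.not_after
    revoked = cert.status == "revoked"
    return expired or revoked

def block_deletable(certs: List[BackupCert], now: date) -> bool:
    """Deletion is only justified when every backup certificate of the block is invalid.
    An empty list gives False so a block with no backup data is never proposed for deletion."""
    return bool(certs) and all(cert_invalid(c, now) for c in certs)

def build_delete_messages(backup_store: Dict[str, List[BackupCert]], now: date) -> List[dict]:
    """Delete messages the backup node would send: one per fully invalid block, carrying the
    block's identification information and the backup certificates for the verification
    nodes' cross-check."""
    return [{"block_id": block_id, "backup_certs": list(certs)}
            for block_id, certs in backup_store.items()
            if block_deletable(certs, now)]

# Constructed sample data modelled on the description's examples; current time March 29, 2017.
NOW = date(2017, 3, 29)
BACKUP_STORE = {
    "00001": [   # block A (identification information 00001 as in the description)
        BackupCert("backup cert 1", date(2015, 7, 1), date(2016, 7, 1)),
        BackupCert("backup cert 2", date(2015, 8, 1), date(2016, 8, 1)),   # dates constructed; only "invalid" is stated
    ],
    "B-placeholder": [   # block B; the description gives it no identification information
        BackupCert("backup cert 3", date(2015, 7, 5), date(2016, 7, 5)),
        BackupCert("backup cert 4", date(2016, 5, 1), date(2017, 5, 1)),   # still valid on NOW
    ],
    "C-placeholder": [   # block C; the description gives it no identification information
        BackupCert("backup cert 5", date(2015, 7, 5), date(2016, 7, 5)),
        BackupCert("backup cert 6", date(2016, 7, 5), date(2017, 7, 5), status="revoked"),
    ],
}

if __name__ == "__main__":
    for msg in build_delete_messages(BACKUP_STORE, NOW):
        print("delete block", msg["block_id"], [c.serial for c in msg["backup_certs"]])
```

Only blocks A and C produce a delete message: block B is held back by the single still-valid backup digital certificate 4, which is the point of requiring every certificate of a block to be invalid rather than a majority.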
  • The method further includes:
  • sending each backup digital certificate that it saves for the block of that identification information to each verification node.
  • Each verification node in the blockchain may transform each digital certificate stored in each block using a preset algorithm. For example, the verification node hashes each digital certificate held in each block using a hash algorithm, and each block then holds each digital certificate after the hash operation.
  • If the verification node transforms each digital certificate held in each block using a preset algorithm, the backup node backs up, for each block in the blockchain, each digital certificate stored in the block as it was before the transformation by the preset algorithm.
  • After the backup node determines, according to the information of each backup digital certificate it saves for each block, that every backup digital certificate saved for the block is invalid, and sends a deletion message including the identification information of the block to each verification node in the blockchain, it further sends each backup digital certificate saved for the block of that identification information to each verification node. The verification node receives the deletion message sent by the backup node containing the identification information of the block and each backup digital certificate saved for the block of that identification information, determines the block of that identification information according to the identification information, transforms each backup digital certificate saved by the backup node for that block using the preset algorithm, and determines whether each digital certificate saved in its own block of that identification information matches the transformed backup digital certificate, thereby determining whether each backup digital certificate saved by the backup node for the block of that identification information is correct.
  • For example, each digital certificate saved in each block of each verification node in the blockchain is transformed using a hash algorithm. The backup node determines that every backup digital certificate saved for block E, whose identification information is 00005, is invalid; it sends a delete message including the identification information 00005 to each verification node in the blockchain, and sends each backup digital certificate saved for block E, whose identification information is 00005, to each verification node in the blockchain.
  • After receiving the deletion message including the identification information 00005 and each backup digital certificate saved for the block of identification information 00005, the verification node identifies its own block E by the identification information 00005, performs a hash operation with the preset hash algorithm on each backup digital certificate saved by the backup node for the block of identification information 00005, and determines whether each digital certificate stored in its own block E matches the hashed backup digital certificates; if so, it determines that every backup digital certificate saved by the backup node for block E is correct.
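The verification-node side, as an added Python example that is not the patent's own code: it covers the cross-check of the backup node's certificates just described and the receive, judge and delete flow of the verification node. A block records, per certificate, the digest produced by the preset transformation (assumed here to be SHA-256) together with the validity data the node judges from; on a delete message the node hashes the raw backup certificates and compares them with its own records, then independently checks that every certificate is expired or revoked before dropping the block body, keeping the block header. Placing the Merkle value in the header, the header-hash construction, the record layout, block B's identification information, certificate 2's dates and all certificate bytes are assumptions; block A's identification information 00001 and the other dates come from the description.

```python
import hashlib
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional

def digest(data: bytes) -> bytes:
    """Preset transformation applied to certificates by the verification node (assumed: SHA-256)."""
    return hashlib.sha256(data).digest()

def merkle_root(leaves: List[bytes]) -> bytes:
    """Merkle value over the certificate digests of a block; an odd last node is paired with itself."""
    level = list(leaves) or [digest(b"")]
    while len(level) > 1:
        if len(level) % 2:
            level.append(level[-1])
        level = [digest(level[i] + level[i + 1]) for i in range(0, len(level), 2)]
    return level[0]

@dataclass
class CertRecord:
    """Per-certificate record kept by the node: digest plus the data it judges validity from (assumed)."""
    cert_digest: bytes
    not_after: date
    status: str = "issued"   # issued / revoked / suspended / recovered

@dataclass
class Block:
    block_id: str                        # identification information, e.g. "00001"
    created: date                        # block generation time (header)
    parent_hash: bytes                   # hash of the previous block (header)
    merkle: bytes                        # Merkle value; kept in the header here so it survives body deletion
    body: Optional[List[CertRecord]]     # None once the block body has been deleted

def header_hash(block: Block) -> bytes:
    """Parent-block hash as recorded by the next block (assumed construction over the header fields)."""
    return digest(block.block_id.encode() + block.created.isoformat().encode()
                  + block.parent_hash + block.merkle)

def make_block(block_id: str, created: date, parent_hash: bytes, records: List[CertRecord]) -> Block:
    return Block(block_id, created, parent_hash,
                 merkle_root([r.cert_digest for r in records]), list(records))

def handle_delete_message(chain: Dict[str, Block], message: dict, now: date) -> str:
    """Verification-node handling of a delete message {"block_id", "backup_certs": raw bytes}."""
    block = chain.get(message["block_id"])
    if block is None:
        return "unknown block"
    if block.body is None:
        return "already deleted"
    # Cross-check the backup node's data: the raw backup certificates, after the preset
    # transformation, must match exactly the digests this node holds for the block.
    if sorted(r.cert_digest for r in block.body) != sorted(digest(c) for c in message["backup_certs"]):
        return "backup mismatch"
    # The node decides from its own records, never from the backup node's claim alone:
    # a single valid certificate keeps the whole block body.
    for r in block.body:
        if not (now > r.not_after or r.status == "revoked"):
            return "valid certificate present"
    block.body = None   # header (created, parent_hash, merkle) is retained, so the chain stays linked
    return "deleted"

# Constructed sample data modelled on the description: block A (00001) holds two expired
# certificates; block B holds certificate 4, still valid on March 29, 2017.
NOW = date(2017, 3, 29)
RAW_A = [b"digital certificate 1 (constructed)", b"digital certificate 2 (constructed)"]
RAW_B = [b"digital certificate 3 (constructed)", b"digital certificate 4 (constructed)"]

def sample_chain() -> Dict[str, Block]:
    genesis = b"\x00" * 32   # placeholder for the creation block's hash
    block_a = make_block("00001", date(2015, 7, 1), genesis, [
        CertRecord(digest(RAW_A[0]), date(2016, 7, 1)),
        CertRecord(digest(RAW_A[1]), date(2016, 8, 1)),   # certificate 2's dates are constructed
    ])
    block_b = make_block("00002", date(2016, 5, 1), header_hash(block_a), [   # block id constructed
        CertRecord(digest(RAW_B[0]), date(2016, 7, 5)),
        CertRecord(digest(RAW_B[1]), date(2017, 5, 1)),
    ])
    return {block_a.block_id: block_a, block_b.block_id: block_b}

if __name__ == "__main__":
    chain = sample_chain()
    print("00001:", handle_delete_message(chain, {"block_id": "00001", "backup_certs": RAW_A}, NOW))
    print("00002:", handle_delete_message(chain, {"block_id": "00002", "backup_certs": RAW_B}, NOW))
```

The ordering of the two checks matters for detection: a mismatch between the backup node's certificates and the node's own digests is reported before any validity judgement, so a backup node whose data has drifted or been tampered with cannot trigger a deletion even for a block that is in fact fully expired.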
  • FIG. 4 is a schematic diagram of a blockchain-based digital certificate deletion process according to an embodiment of the present disclosure, where the process includes:
  • S401 Receive a deletion message that includes the identifier information of the block sent by the backup node in the blockchain, where the delete message is a backup node in the blockchain according to each backup digital certificate that is saved for each block according to itself. Information, determined to be sent after each backup digital certificate saved for the block is invalid.
  • a method for deleting a digital certificate based on a blockchain is applied to any verification node in a blockchain, and the verification node may be a PC, a server, or the like having an operation and storage function.
  • the backup node since the digital certificate stored in each corresponding block of each verification node is the same if it is not maliciously changed in the blockchain, the backup node pairs each verification in the blockchain.
  • the digital certificate saved in each block of the node is backed up, that is, the digital certificate in each block saved by the verification node is backed up, and each digital certificate corresponding to the block is saved in the backup node for each block.
  • Backup digital certificate The backup node determines, according to the information of each backup digital certificate that is saved for each block, whether each backup digital certificate saved for the block is invalid, and is invalid for each backup digital certificate saved in the block. Sending a delete message containing the identification information of the block to each verification node in the blockchain.
  • For example, the backup node saves backup digital certificate 1 and backup digital certificate 2 for block A. The current time is March 29, 2017. According to the validity period of backup digital certificate 1, July 1, 2015 to July 1, 2016, the backup node determines that the validity period of backup digital certificate 1 has expired and that backup digital certificate 1 is invalid. Backup digital certificate 2 is also invalid. Since both backup digital certificate 1 and backup digital certificate 2 saved for block A are invalid, the backup node determines that each backup digital certificate saved for block A is invalid and sends a deletion message containing the identification information 00001 of block A to each verification node in the blockchain.
  • The verification node receives the deletion message containing the identification information of the block, which the backup node in the blockchain sends after determining, according to the information of each backup digital certificate saved for each block, that each backup digital certificate saved for the block is invalid.
  • S402: Determine whether each digital certificate in its own block identified by the identification information is invalid.
  • The verification node determines whether each digital certificate in its own block identified by the identification information sent by the backup node is invalid; the verification node may determine whether a digital certificate is valid according to the validity period of the digital certificate.
  • For example, the verification node receives the deletion message containing the identification information 00001 of the block, sent by the backup node, and identifies its own block A whose identification information is 00001. Block A holds digital certificate 1 and digital certificate 2, and the current time is March 2017. According to the validity period of digital certificate 1, July 1, 2015 to July 1, 2016, the verification node determines that the validity period of digital certificate 1 has expired and that digital certificate 1 is invalid; according to the validity period of digital certificate 2, February 1, 2016 to February 1, 2017, it determines that the validity period of digital certificate 2 has expired and that digital certificate 2 is invalid. Since digital certificate 1 and digital certificate 2 saved in block A are both invalid, it determines that each digital certificate in block A whose identification information is 00001 is invalid.
  • Each block in the blockchain consists of a block header and a block body. The block header stores the time at which the block was generated, the parent block hash value (that is, the hash value of the previous block generated before this block), and the Merkle value determined from each digital certificate held in the block; the block body stores each digital certificate recorded in the block.
  • FIG. 3 is a schematic diagram of the storage structure in which a verification node stores digital certificates according to an embodiment of the present disclosure. The verification node stores, in chronological order, a genesis block, block 2, ..., block n, where each block consists of a block header and a block body, and each block body stores the digital certificates stored in that block.
  • If the verification node determines that each digital certificate in the block identified by the identification information is invalid, this indicates that each digital certificate in the block can be deleted, and it deletes the block body used to store the digital certificates. If the verification node determines that at least one valid digital certificate exists in the block identified by the identification information, this indicates that the block contains a digital certificate that cannot be deleted; it discards the deletion message sent by the backup node and performs no processing on the block. For example, the verification node deletes the block body of block A, which is used to store the digital certificates.
  • In this way, the verification node receives the deletion message containing the block identification information, which the backup node sends after determining, according to the information of each backup digital certificate saved for each block, that each backup digital certificate saved for a certain block is invalid; the verification node then determines that each digital certificate in the block identified by the identification information is invalid and deletes the block body of that block, thereby reducing the storage space occupied by digital certificate storage, saving storage and computing resources, and improving operational efficiency and user experience.
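The block layout of FIG. 3 and the body-only deletion of S403, as an added example that is not part of the patent: the header fields, the Merkle construction and all function names are my own assumptions, and the certificates are constructed strings standing in for real certificates.

```python
import hashlib
import json
from dataclasses import dataclass
from typing import List, Optional


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def merkle_root(certs: List[str]) -> str:
    """Merkle value over the certificates of a block (leaf = SHA-256 of the certificate bytes).
    An odd last node is paired with itself; an empty body hashes to SHA-256 of nothing."""
    level = [sha256_hex(c.encode()) for c in certs]
    if not level:
        return sha256_hex(b"")
    while len(level) > 1:
        if len(level) % 2:
            level.append(level[-1])
        level = [sha256_hex((level[i] + level[i + 1]).encode())
                 for i in range(0, len(level), 2)]
    return level[0]


@dataclass
class BlockHeader:
    identification: str   # block identification information, e.g. "00001"
    generated_at: str     # time the block was generated
    parent_hash: str      # hash of the previous block's header
    merkle_value: str     # Merkle value over the certificates in the body

    def header_hash(self) -> str:
        return sha256_hex(json.dumps(self.__dict__, sort_keys=True).encode())


@dataclass
class Block:
    header: BlockHeader
    body: Optional[List[str]]   # the certificates; None once the body has been deleted


def build_chain(cert_sets: List[List[str]], first_time: int = 1) -> List[Block]:
    """Genesis block first, each later header linked to the previous header's hash."""
    chain: List[Block] = []
    parent = sha256_hex(b"genesis")
    for i, certs in enumerate(cert_sets):
        header = BlockHeader(f"{i + 1:05d}", str(first_time + i), parent, merkle_root(certs))
        chain.append(Block(header, list(certs)))
        parent = header.header_hash()
    return chain


def delete_block_body(chain: List[Block], identification: str) -> bool:
    """S403: drop the body of the identified block and keep its header, so the
    parent-hash linkage of later blocks is unaffected. False if no such block."""
    for block in chain:
        if block.header.identification == identification:
            block.body = None
            return True
    return False


def chain_is_linked(chain: List[Block]) -> bool:
    """Parent-hash check over headers only; it still passes after a body deletion."""
    return all(chain[i].header.parent_hash == chain[i - 1].header.header_hash()
               for i in range(1, len(chain)))


def body_matches_header(block: Block) -> Optional[bool]:
    """None when the body is gone; otherwise whether the body still matches the Merkle value."""
    if block.body is None:
        return None
    return merkle_root(block.body) == block.header.merkle_value
```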
  • Optionally, the method further includes the following, where the subsequent step includes at least the step of determining whether each digital certificate in its own block identified by the identification information is invalid.
  • The verification node may transform each digital certificate saved in each block using a preset algorithm. For example, the verification node hashes each digital certificate held in each block using a hash algorithm and saves, for each block, each digital certificate after the hash operation.
  • If the verification node transforms each digital certificate held in each block using a preset algorithm, the backup node backs up, for each block in the blockchain, each digital certificate as it was before the transformation with the preset algorithm, and saves the information of each such digital certificate.
  • The verification node receives the deletion message containing the block identification information sent by the backup node in the blockchain, and also receives each backup digital certificate saved by the backup node for the block identified by the identification information.
  • Before determining whether each digital certificate in its own block identified by the identification information is invalid, the verification node needs to determine whether each backup digital certificate sent by the backup node is correct. Optionally, the verification node transforms each backup digital certificate using the preset algorithm and determines whether each digital certificate saved in its own block identified by the identification information, that is, each digital certificate already transformed using the preset algorithm, matches the corresponding transformed backup digital certificate. If they match correspondingly, it determines that each backup digital certificate saved by the backup node for the block identified by the identification information has not been tampered with and is correct. At this point, because the backup node has already judged that each backup digital certificate saved for the block is invalid, the verification node could also delete the block body of the block directly; however, because the reliability of the backup certificates saved by the backup node is not very high, in order to further ensure the security of the digital certificates, the verification node verifies whether each digital certificate in the block identified by the identification information is invalid.
  • If, after the verification node transforms each backup digital certificate using the preset algorithm, any digital certificate saved in its own block identified by the identification information, that is, a digital certificate transformed using the preset algorithm, cannot be matched with a corresponding transformed backup digital certificate, this indicates that at least one backup digital certificate among those saved by the backup node for the block has been tampered with. In order to ensure the correctness of the digital certificates saved by itself and prevent the erroneous deletion of valid, non-deletable digital certificates, the verification node discards the deletion message sent by the backup node and performs no processing on the block identified by the identification information.
  • Optionally, determining whether each digital certificate in its own block identified by the identification information is invalid includes: if the validity period of each digital certificate in the block identified by the identification information has expired and/or the status of the digital certificate is revoked, determining that each digital certificate in the block is invalid.
  • The information of a digital certificate includes the validity period of the digital certificate and the status information of the digital certificate, where the status information includes: issued, revoked, suspended, restored, and so on. The verification node may determine whether a digital certificate has been revoked by identifying the status information of the digital certificate.
  • The identification of digital certificate status information belongs to the prior art and is not described here. If the verification node has not transformed each digital certificate saved in each block using a preset algorithm, it can identify, according to the information of each digital certificate in its own block identified by the identification information, the validity period of each untransformed digital certificate stored in the block, and may determine whether each digital certificate in the block is invalid according to whether the validity period of each digital certificate has expired; of course, it may also determine whether each digital certificate in the block is invalid according to whether the status of each digital certificate is revoked.
  • Optionally, the verification node determines whether each digital certificate in the block identified by the identification information is invalid according to both whether the validity period of each digital certificate in its own block has expired and whether the digital certificate has been revoked. If each digital certificate in the block satisfies the condition that its validity period has expired and/or its status is revoked, it determines that each digital certificate in the block is invalid. In an embodiment of the present disclosure, for each digital certificate, if the validity period of the digital certificate has expired, or the status of the digital certificate is revoked, the digital certificate is determined to be invalid.
  • For example, the identification information of the block included in the deletion message sent by the backup node is 00003, and the verification node's own block C whose identification information is 00003 stores digital certificate 5 and digital certificate 6. The validity period of digital certificate 5 is July 5, 2015 to July 5, 2016, and its status is not revoked; the validity period of digital certificate 6 is July 5, 2016 to July 5, 2017, and its status is revoked. The current time is March 29, 2017. The validity period of digital certificate 5 has expired and the status of digital certificate 6 is revoked, so each digital certificate in block C whose identification information is 00003 is invalid.
  • Optionally, the verification node transforms each digital certificate saved in each block using a preset algorithm. Because the validity period of a digital certificate is recorded within the digital certificate itself, the verification node cannot identify the validity period of each transformed digital certificate saved in the block identified by the identification information. So that the verification node can still determine whether each digital certificate in its own block is invalid, in an embodiment of the present disclosure, if the verification node determines, for each backup digital certificate sent by the backup node, that each digital certificate saved in its own block identified by the identification information matches the corresponding transformed backup digital certificate, the verification node determines whether each digital certificate in its own block is invalid according to the received backup digital certificates saved by the backup node for that block and the status information of each digital certificate in the block.
  • Optionally, the verification node determines whether each digital certificate in the block identified by the identification information is invalid according to whether each digital certificate in the block has been revoked and/or whether the validity period of each received backup digital certificate has expired. If each digital certificate in the block satisfies the condition that its status is revoked and/or the corresponding received backup digital certificate has expired, it determines that each digital certificate in the block is invalid. In an embodiment of the present disclosure, for each digital certificate, if the status information of the digital certificate is revoked, or the backup digital certificate corresponding to the digital certificate has expired, the digital certificate is determined to be invalid.
  • For example, each digital certificate saved in each block of each verification node in the blockchain has been transformed using a hash algorithm. The backup node determines that each backup digital certificate saved for block E, whose identification information is 00005, is invalid; it sends a deletion message containing the identification information 00005 to each verification node in the blockchain, and also sends each backup digital certificate saved for block E to each verification node. After receiving the deletion message containing the identification information 00005 and each backup digital certificate saved for the block with identification information 00005, the verification node identifies its own block E whose identification information is 00005, performs a hash operation with the preset hash algorithm on each backup digital certificate saved by the backup node for that block, and determines whether each digital certificate stored in its own block E matches the corresponding hashed backup digital certificate. If they match correspondingly, it determines that each backup digital certificate saved by the backup node for block E has not been tampered with and is correct. The status information of digital certificate 8 saved in its own block E is revoked, and the status information of digital certificate 9 is not revoked. Backup digital certificate 8, which matches digital certificate 8, is valid from July 5, 2016 to July 5, 2017; backup digital certificate 9, which matches digital certificate 9, is valid from August 5, 2015 to August 5, 2016; the current time is March 29, 2017. Since the status information of digital certificate 8 is revoked and the validity period of backup digital certificate 9, which corresponds to digital certificate 9, has expired, the verification node determines that each digital certificate stored in its own block E is invalid.
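The block E exchange just described, together with the tamper check and the "valid certificate present" case from the preceding paragraphs, as an added example rather than the patent's own code. The preset algorithm is taken to be SHA-256; the certificate contents, message format, revocation bookkeeping and class names are constructed for this example.

```python
import hashlib
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional, Set


def preset_hash(cert_bytes: bytes) -> str:
    """The 'preset algorithm' of the description, assumed here to be SHA-256 over the certificate bytes."""
    return hashlib.sha256(cert_bytes).hexdigest()


@dataclass(frozen=True)
class BackupCert:
    """Untransformed certificate kept by the backup node (constructed stand-in for a real certificate)."""
    raw: bytes
    not_before: date
    not_after: date


@dataclass
class DeleteMessage:
    block_id: str
    backup_certs: List[BackupCert]   # sent along because verification nodes hold only hashes


class BackupNode:
    def __init__(self, blocks: Dict[str, List[BackupCert]], revoked: Set[str]):
        self.blocks = blocks     # block id -> backup certificates saved for that block
        self.revoked = revoked   # preset-hash values of certificates whose status is 'revoked'

    def cert_invalid(self, cert: BackupCert, today: date) -> bool:
        """A backup certificate is invalid if its validity period has expired and/or it is revoked."""
        return cert.not_after < today or preset_hash(cert.raw) in self.revoked

    def deletion_messages(self, today: date) -> List[DeleteMessage]:
        """One deletion message per block in which every backup certificate is invalid."""
        return [DeleteMessage(bid, list(certs)) for bid, certs in self.blocks.items()
                if certs and all(self.cert_invalid(c, today) for c in certs)]


class VerificationNode:
    def __init__(self, blocks: Dict[str, Optional[List[str]]], status: Dict[str, str]):
        self.blocks = blocks     # block id -> block body (hashed certificates), None once deleted
        self.status = status     # hashed certificate -> status information ('issued', 'revoked', ...)

    def handle(self, msg: DeleteMessage, today: date) -> str:
        body = self.blocks.get(msg.block_id)
        if body is None:
            return "ignored: no block body for this identification"
        # Step 1: transform the backup certificates with the preset algorithm and require a
        # one-to-one match with the stored hashes; a mismatch means a backup certificate was
        # tampered with, so the message is discarded and the block is left untouched.
        hashed = [preset_hash(c.raw) for c in msg.backup_certs]
        if sorted(hashed) != sorted(body):
            return "discarded: backup certificates do not match the block"
        # Step 2: re-check invalidity locally. Own status information decides revocation; the
        # matched backup certificate supplies the validity period that the stored hash no longer carries.
        by_hash = dict(zip(hashed, msg.backup_certs))
        for h in body:
            if self.status.get(h) == "revoked" or by_hash[h].not_after < today:
                continue
            return "discarded: block still holds a valid certificate"
        self.blocks[msg.block_id] = None   # delete the block body only; the header stays
        return "deleted block body"


def run_block_e_example() -> Dict[str, str]:
    """Replays block E (certificate 8 revoked, certificate 9 expired, current date 2017-03-29)
    plus two failure cases; returns the verification node's decision for each."""
    today = date(2017, 3, 29)
    cert8 = BackupCert(b"constructed certificate 8", date(2016, 7, 5), date(2017, 7, 5))
    cert9 = BackupCert(b"constructed certificate 9", date(2015, 8, 5), date(2016, 8, 5))
    cert10 = BackupCert(b"constructed certificate 10", date(2016, 1, 1), date(2018, 1, 1))
    h8, h9, h10 = (preset_hash(c.raw) for c in (cert8, cert9, cert10))
    backup = BackupNode({"00005": [cert8, cert9], "00006": [cert8, cert10]}, revoked={h8})
    msgs = {m.block_id: m for m in backup.deletion_messages(today)}   # only 00005 qualifies
    verifier = VerificationNode({"00005": [h8, h9], "00006": [h8, h10]},
                                {h8: "revoked", h9: "issued", h10: "issued"})
    results: Dict[str, str] = {"sent_for_00006": "yes" if "00006" in msgs else "no"}
    # Tampered backup: same block id, but certificate 9 replaced in transit.
    forged = DeleteMessage("00005", [cert8, BackupCert(b"forged", date(2015, 8, 5), date(2016, 8, 5))])
    results["tampered"] = verifier.handle(forged, today)
    # Forged message for a block the backup node never flagged: certificate 10 is still valid.
    results["still_valid"] = verifier.handle(DeleteMessage("00006", [cert8, cert10]), today)
    # The genuine block E message.
    results["block_e"] = verifier.handle(msgs["00005"], today)
    results["block_e_body"] = "deleted" if verifier.blocks["00005"] is None else "present"
    return results
```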
  • FIG. 5 is a schematic structural diagram of a blockchain-based digital certificate deletion apparatus according to an embodiment of the present disclosure, where the apparatus includes:
  • the determining module 51, configured to determine, according to the information of each backup digital certificate saved by the apparatus for each block, whether each backup digital certificate saved for the block is invalid;
  • the sending module 52, configured to: if it is determined that each backup digital certificate saved for the block is invalid, send a deletion message containing the identification information of the block to each verification node in the blockchain, so that each verification node determines whether each digital certificate in the block identified by the identification information is invalid and, when it determines that each digital certificate in the block is invalid, deletes the block body of the block.
  • Optionally, the determining module 51 is configured to determine, according to the information of each backup digital certificate saved by the apparatus for each block, whether the validity period of each backup digital certificate saved for the block has expired and/or whether the backup digital certificate has been revoked; if each backup digital certificate saved for the block has expired and/or has been revoked, it determines that each backup digital certificate saved for the block is invalid.
  • Optionally, the sending module 52 is further configured to: if each digital certificate saved in each block of each verification node in the blockchain has been transformed using a preset algorithm, send each backup digital certificate saved by the apparatus for the block identified by the identification information to each verification node.
  • The blockchain-based digital certificate deletion apparatus shown in FIG. 5 is applied to any backup node in a blockchain, where the blockchain includes a plurality of verification nodes and at least one backup node.
  • FIG. 6 is a schematic structural diagram of a blockchain-based digital certificate deletion apparatus according to an embodiment of the present disclosure, where the apparatus includes:
  • the receiving module 61, configured to receive a deletion message containing the identification information of a block, sent by a backup node in the blockchain, where the deletion message is sent by the backup node after it determines, according to the information of each backup digital certificate it has saved for each block, that each backup digital certificate saved for the block is invalid;
  • the determining module 62, configured to determine whether each digital certificate in the apparatus's own block identified by the identification information is invalid;
  • the deleting module 63, configured to delete the block body of the block if it is determined that each digital certificate in the block identified by the identification information is invalid.
  • Optionally, the receiving module 61 is further configured to: if each digital certificate saved in each block has been transformed using a preset algorithm, receive each backup digital certificate, sent by the backup node, that the backup node saved for the block identified by the identification information;
  • the apparatus further includes:
  • the matching module 64, configured to transform each backup digital certificate using the preset algorithm, and to determine whether each digital certificate saved by the apparatus in the block identified by the identification information matches the corresponding transformed backup digital certificate; if the matching result is yes, the determining module 62 is triggered.
  • Optionally, the determining module 62 is configured to obtain the validity period and status information of each digital certificate in the apparatus's own block identified by the identification information; determine whether the validity period of each digital certificate in the block has expired and/or whether the digital certificate has been revoked; and, if each digital certificate in the block has an expired validity period and/or a status of revoked, determine that each digital certificate in the block is invalid.
  • The blockchain-based digital certificate deletion apparatus shown in FIG. 6 is applied to any verification node in a blockchain, where the blockchain includes a plurality of verification nodes and at least one backup node.
  • FIG. 7 is a schematic structural diagram of a blockchain-based digital certificate deletion system according to an embodiment of the present disclosure, where the deletion system includes at least one blockchain-based digital certificate deletion apparatus applied to a backup node 71, and a plurality of blockchain-based digital certificate deletion apparatuses applied to verification nodes 72.
  • The embodiments of the disclosure disclose a blockchain-based digital certificate deletion method, apparatus and system, where the blockchain includes a plurality of verification nodes and at least one backup node, and the deletion method is applied to the blockchain.
  • The method includes: determining, according to the information of each backup digital certificate saved for each block, whether each backup digital certificate saved for the block is invalid; if it is determined that each backup digital certificate saved for the block is invalid, sending a deletion message containing the identification information of the block to each verification node in the blockchain, so that each verification node determines whether each digital certificate in the block identified by the identification information is invalid and, when it determines that each digital certificate in the block is invalid, deletes the block body of the block.
  • Because the deletion message containing the identification information of the block is sent to each verification node in the blockchain, each verification node determines whether each digital certificate in the block identified by the identification information is invalid and deletes the block body of that block when it determines that each digital certificate in the block is invalid. In this way, the storage space occupied by digital certificate storage is reduced, the storage and computing resources of the verification nodes are saved, and the operational efficiency of the verification nodes and the user experience are improved.
  • Embodiments of the present disclosure also disclose a computer storage medium storing computer-executable instructions; after the computer-executable instructions are executed, one or more of the blockchain-based digital certificate deletion methods applied to a backup node, or one or more of the blockchain-based digital certificate deletion methods applied to a verification node, can be performed, for example the method shown in FIG. 2 and/or FIG. 4.
  • the computer storage medium mentioned in the embodiments of the present application may be various types of storage media, optionally a non-transitory storage medium.
  • The embodiments of the present application can be provided as a method, a system, or a computer program product.
  • the present application can take the form of an entirely hardware embodiment, an entirely software embodiment, or an embodiment in combination of software and hardware.
  • the application can take the form of a computer program product embodied on one or more computer-usable storage media (including but not limited to disk storage, CD-ROM, optical storage, etc.) including computer usable program code.
  • These computer program instructions can also be stored in a computer-readable memory that can direct a computer or other programmable data processing device to operate in a particular manner, such that the instructions stored in the computer-readable memory produce an article of manufacture comprising an instruction device, which implements the functions specified in one or more flows of a flowchart and/or one or more blocks of a block diagram.
  • These computer program instructions can also be loaded onto a computer or other programmable data processing device, such that a series of operational steps are performed on the computer or other programmable device to produce computer-implemented processing, so that the instructions executed on the computer or other programmable device provide steps for implementing the functions specified in one or more flows of a flowchart and/or one or more blocks of a block diagram.
  • When a backup node finds that each backup digital certificate among all the backup digital certificates it has stored for a block is invalid, it generates a deletion message, so that all verification nodes storing the block can at least delete the block body of that block. On the one hand, this reduces the amount of stored data and thereby the storage resources consumed; on the other hand, it reduces the amount of data to be checked in the subsequent blockchain generation process, thereby saving the computing resources required for verification and improving verification efficiency, which has positive industrial effects.
  • The technical solution provided by the embodiments of the present disclosure is simple and easy to implement and can be widely applied in industry.

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Storage Device Security (AREA)
  • Information Retrieval, Db Structures And Fs Structures Therefor (AREA)

Abstract

The invention relates to a blockchain-based digital certificate deletion method, device and system, and a storage medium. The method comprises the following steps: if the respective backup digital certificates stored for a block are invalid according to the information of the respective backup digital certificates stored locally for the block, transmitting, to each verification node, a deletion message comprising identification information of the block, so that the verification node deletes the body of the block when the respective digital certificates in the block associated with the identification information are determined to be invalid.
PCT/CN2018/078888 2017-04-05 2018-03-13 Blockchain-based digital certificate deletion method, device and system, and storage medium WO2018184447A1 (fr)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN201710218253.X 2017-04-05
CN201710218253.XA CN108696356B (zh) 2017-04-05 2017-04-05 Blockchain-based digital certificate deletion method, device and system

Publications (1)

Publication Number Publication Date
WO2018184447A1 true WO2018184447A1 (fr) 2018-10-11

Family

ID=63711997

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2018/078888 WO2018184447A1 (fr) 2017-04-05 2018-03-13 Blockchain-based digital certificate deletion method, device and system, and storage medium

Country Status (2)

Country Link
CN (1) CN108696356B (fr)
WO (1) WO2018184447A1 (fr)

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2020093565A1 (fr) * 2018-11-08 2020-05-14 深圳壹账通智能科技有限公司 Method and apparatus for deleting blocks of a blockchain, and terminal device
CN111783133A (zh) * 2020-06-02 2020-10-16 广东科学技术职业学院 Network resource management method based on blockchain technology

Families Citing this family (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN110264187B (zh) * 2019-01-23 2021-06-04 腾讯科技(深圳)有限公司 Data processing method, apparatus, computer device and storage medium
CN109981586B (zh) * 2019-02-27 2021-09-07 北京柏链基石科技有限公司 Node marking method and apparatus
CN112153085B (zh) * 2019-06-26 2022-05-17 华为技术有限公司 Data processing method, node and blockchain system
CN110598482B (zh) * 2019-09-30 2023-09-15 腾讯科技(深圳)有限公司 Blockchain-based digital certificate management method, apparatus, device and storage medium
CN111027974B (zh) * 2019-12-12 2025-04-04 腾讯科技(深圳)有限公司 Identification code verification method, apparatus, device and storage medium
CN111737766B (zh) * 2020-08-03 2020-12-04 南京金宁汇科技有限公司 Method for determining the legitimacy of digital certificate signature data in a blockchain
CN120281590A (zh) * 2025-06-11 2025-07-08 北京火山引擎科技有限公司 Authentication information storage method, system, device and product for edge computing devices

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20150206106A1 (en) * 2014-01-13 2015-07-23 Yaron Edan Yago Method for creating, issuing and redeeming payment assured contracts based on mathemematically and objectively verifiable criteria
CN105790954A (zh) * 2016-03-02 2016-07-20 布比(北京)网络技术有限公司 Method and system for constructing electronic evidence
CN106385315A (zh) * 2016-08-30 2017-02-08 北京三未信安科技发展有限公司 Digital certificate management method and system

Family Cites Families (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN104202159B (zh) * 2014-09-28 2018-09-11 网易有道信息技术(北京)有限公司 Key distribution method and device
US20170091726A1 (en) * 2015-09-07 2017-03-30 NXT-ID, Inc. Low bandwidth crypto currency transaction execution and synchronization method and system
CN106504091B (zh) * 2016-10-27 2018-06-29 深圳壹账通智能科技有限公司 Method and apparatus for transactions on a blockchain

Also Published As

Publication number Publication date
CN108696356A (zh) 2018-10-23
CN108696356B (zh) 2020-08-18

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 18780331

Country of ref document: EP

Kind code of ref document: A1

NENP Non-entry into the national phase

Ref country code: DE

32PN Ep: public notification in the ep bulletin as address of the adressee cannot be established

Free format text: NOTING OF LOSS OF RIGHTS PURSUANT TO RULE 112(1) EPC (EPO FORM 1205A DATED 31/01/2020)

122 Ep: pct application non-entry in european phase

Ref document number: 18780331

Country of ref document: EP

Kind code of ref document: A1