CN106372941B - Blockchain-based CA authentication management method, apparatus and system - Google Patents


Info

Publication number: CN106372941B
Authority: CN (China)
Prior art keywords: certificate, transaction, block chain, block, node
Legal status: Active
Application number: CN201610782864.2A
Other languages: Chinese (zh)
Other versions: CN106372941A
Inventors: 汪德嘉, 郭宇, 王少凡, 姜中正
Current assignee: Jiangsu Payegis Technology Co Ltd
Original assignee: Jiangsu Payegis Technology Co Ltd
Events: application filed by Jiangsu Payegis Technology Co Ltd; priority to CN201610782864.2A; publication of CN106372941A; application granted; publication of CN106372941B; legal status active

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06Q INFORMATION AND COMMUNICATION TECHNOLOGY [ICT] SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES; SYSTEMS OR METHODS SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES, NOT OTHERWISE PROVIDED FOR
    • G06Q20/00 Payment architectures, schemes or protocols
    • G06Q20/38 Payment protocols; Details thereof
    • G06Q20/40 Authorisation, e.g. identification of payer or payee, verification of customer or shop credentials; Review and approval of payers, e.g. check credit lines or negative lists
    • G06Q20/401 Transaction verification

Abstract

The invention discloses a blockchain-based CA authentication management method, apparatus and system, which at least solve the technical problem that, under the existing CA verification scheme, the security of the root CA certificate is hard to guarantee, so that the accuracy of the entire verification process is reduced. The blockchain comprises a genesis block and regular blocks, and the genesis block stores the root CA certificate. The method comprises: receiving, in the blockchain network, a certificate-application transaction containing an unsigned certificate sent by a node to be certified; obtaining the unsigned certificate contained in the certificate-application transaction and generating a signed certificate from it; and sending, in the blockchain network, a certificate-issuing transaction containing the signed certificate to the node to be certified, where the certificate-issuing transaction further comprises a first output part directed to the blockchain account address of the node to be certified and a second output part directed to a preset controllable blockchain account address.

Description

Blockchain-based CA authentication management method, apparatus and system
Technical field
The present invention relates to the field of network communication technology, and in particular to a blockchain-based CA authentication management method, apparatus and system.
Background technique
A digital certificate is a documentary proof, issued by an authoritative institution, that attests a user's identity on a network; the process of issuing digital certificates is called the Certification Authority (CA) process. A traditional certificate authority system comprises a root CA and multiple levels of CAs subordinate to it. The root CA is the most trusted certification authority in the system and can issue certificates independently: it generates its own certificate by signing it itself and needs no other CA to issue a certificate for it. Every other CA has its certificate issued by its superior CA, and in turn issues certificates for its subordinate CAs and for its clients, where the clients of a CA can be various network entities, for example a website.
Because CAs are numerous and sit at different levels, in traditional CA authentication, to determine whether a certificate is genuine one must not only verify the signature on the certificate but also verify the authority that issued it, and if that issuing authority has a superior CA, verify the superior CA as well, all the way up to the root CA. For this reason the user must have the certificate of the root CA built into the browser in advance so that the root CA's authenticity can be verified. But a root CA certificate built into the user's browser is easily attacked by hackers, so its security is low, and once the root CA certificate is maliciously tampered with, the result of the entire verification process is affected.
It can be seen that, because the existing verification scheme requires the user to store the root CA certificate in advance, it not only increases the user's operations and occupies the user's local storage space, but also makes the security of the root CA certificate hard to guarantee, which in turn reduces the accuracy of the entire verification process.
Summary of the invention
In view of the above problems, the present invention is proposed to provide a blockchain-based CA authentication management method, apparatus and system that overcome, or at least partially solve, the above problems.
According to one aspect of the present invention, a blockchain-based CA authentication management method is provided. The blockchain comprises a genesis block and regular blocks, and the genesis block stores the root CA certificate. The method comprises: receiving, in the blockchain network, a certificate-application transaction containing an unsigned certificate sent by a node to be certified; obtaining the unsigned certificate contained in the certificate-application transaction and generating a signed certificate from it; and sending, in the blockchain network, a certificate-issuing transaction containing the signed certificate to the node to be certified, where the certificate-issuing transaction further comprises a first output part directed to the blockchain account address of the node to be certified and a second output part directed to a preset controllable blockchain account address.
Optionally, the method further comprises: writing a first transaction record corresponding to the certificate-application transaction and a second transaction record corresponding to the certificate-issuing transaction into regular blocks of the blockchain, and broadcasting the block containing the first transaction record and the second transaction record in the blockchain network.
Optionally, the signed certificate is stored in the second output part of the certificate-issuing transaction.
Optionally, the unsigned certificate includes verification information, and the step of generating the signed certificate from the unsigned certificate specifically comprises: verifying the unsigned certificate according to the verification information and, after the verification passes, digitally signing the unsigned certificate.
Optionally, the verification information includes at least one of: the public key of the node to be certified, information about the node to be certified, the address of the node to be certified, information about the certifying node, the address of the certifying node, the certificate validity period and the certificate issuing time.
Optionally, after the step of writing the first transaction record corresponding to the certificate-application transaction and the second transaction record corresponding to the certificate-issuing transaction into regular blocks of the blockchain, the method further comprises: looking up the second transaction record in the regular blocks and obtaining the signed certificate from it; and sending, in the blockchain network, a certificate-revocation transaction containing the signed certificate, where the certificate-revocation transaction comprises an input part directed to the second output part of the certificate-issuing transaction and an output part directed to the blockchain account address of the node to be certified.
Optionally, the method further comprises: receiving a certificate query request sent by a user terminal and obtaining the certificate information contained in it; looking up the corresponding transaction record in the regular blocks according to that certificate information and obtaining the corresponding signed certificate from the transaction record found; and sending the signed certificate to the user terminal.
Optionally, after the step of sending the signed certificate to the user terminal, the method further comprises: querying the transaction record corresponding to the signed certificate stored in the regular blocks; when the second output part in that transaction record is judged to be in the unspent state, sending a certificate-valid message to the user terminal; and when the second output part in that transaction record is judged to be in the spent state, sending a certificate-invalid message to the user terminal.
Optionally, the root CA certificate includes: the root CA public key, root CA information, the root CA address, the certificate validity period, the certificate issuing time and a digital signature.
According to another aspect of the present invention, a blockchain-based CA authentication management apparatus is provided. The blockchain comprises a genesis block and regular blocks, and the genesis block stores the root CA certificate. The apparatus comprises: a receiving module, adapted to receive, in the blockchain network, a certificate-application transaction containing an unsigned certificate sent by a node to be certified; an obtaining module, adapted to obtain the unsigned certificate contained in the certificate-application transaction and generate a signed certificate from it; and a sending module, adapted to send, in the blockchain network, a certificate-issuing transaction containing the signed certificate to the node to be certified, where the certificate-issuing transaction further comprises a first output part directed to the blockchain account address of the node to be certified and a second output part directed to a preset controllable blockchain account address.
Optionally, the apparatus further comprises a recording module, adapted to write a first transaction record corresponding to the certificate-application transaction and a second transaction record corresponding to the certificate-issuing transaction into regular blocks of the blockchain, and to broadcast the block containing the first transaction record and the second transaction record in the blockchain network.
Optionally, the signed certificate is stored in the second output part of the certificate-issuing transaction.
Optionally, the unsigned certificate includes verification information, and the obtaining module is specifically adapted to verify the unsigned certificate according to the verification information and, after the verification passes, digitally sign the unsigned certificate.
Optionally, the verification information includes at least one of: the public key of the node to be certified, information about the node to be certified, the address of the node to be certified, information about the certifying node, the address of the certifying node, the certificate validity period and the certificate issuing time.
Optionally, the apparatus further comprises a revocation module, adapted to look up the second transaction record in the regular blocks and obtain the signed certificate from it, and to send, in the blockchain network, a certificate-revocation transaction containing the signed certificate, where the certificate-revocation transaction comprises an input part directed to the second output part of the certificate-issuing transaction and an output part directed to the blockchain account address of the node to be certified.
Optionally, the apparatus further comprises a query module, adapted to receive a certificate query request sent by a user terminal and obtain the certificate information contained in it, to look up the corresponding transaction record in the regular blocks according to that certificate information and obtain the corresponding signed certificate from the transaction record found, and to send the signed certificate to the user terminal.
Optionally, the query module is further adapted to query the transaction record corresponding to the signed certificate stored in the regular blocks, to send a certificate-valid message to the user terminal when the second output part in that transaction record is judged to be in the unspent state, and to send a certificate-invalid message to the user terminal when the second output part in that transaction record is judged to be in the spent state.
Optionally, the root CA certificate includes: the root CA public key, root CA information, the root CA address, the certificate validity period, the certificate issuing time and a digital signature.
According to a further aspect of the present invention, a blockchain-based CA authentication management system is provided, comprising the above CA authentication management apparatus and a node to be certified.
In the blockchain-based CA authentication management method, apparatus and system provided by the invention, the blockchain network is used to manage the certificates of CAs at every level and the certificates of their clients, and the root CA certificate is stored in the genesis block of the blockchain network; because the genesis block is the first block, its security is high and it is hard to tamper with. Correspondingly, the invention turns the certificate issuing process into a transaction process in the blockchain network and records every operation on a certificate in the blockchain in the form of blockchain transaction records, so that the user need not pre-store the root CA certificate locally and only needs to query the blockchain network. This not only simplifies the user's operations and saves user storage space, but also greatly improves the security of the root CA certificate and the accuracy of the subsequent verification process.
The above is only an overview of the technical solution of the present invention. In order that the technical means of the invention may be better understood and implemented according to the contents of the specification, and that the above and other objects, features and advantages of the invention may be more clearly apparent, specific embodiments of the invention are set out below.
Detailed description of the invention
By reading the following detailed description of the preferred embodiments, various other advantages and benefits will become clear to those of ordinary skill in the art. The drawings are only for the purpose of illustrating the preferred embodiments and are not to be considered a limitation of the invention. Throughout the drawings, the same reference numerals refer to the same parts. In the drawings:
Fig. 1 shows the node distribution diagram of the blockchain network in an embodiment of the present invention;
Fig. 2 shows a flow chart of the blockchain-based CA authentication management method provided by one embodiment of the present invention;
Fig. 3 shows the certificate structure of the root CA;
Fig. 4 shows a flow chart of the certificate generation process of other CAs;
Fig. 5 shows a schematic diagram of a transaction;
Fig. 6 shows a schematic diagram of a certificate-issuing transaction;
Fig. 7 shows a flow chart of the certificate generation process of a client of a CA;
Fig. 8 shows the structure of a signed certificate;
Fig. 9a shows a flow diagram of the website server, the CA and the blockchain that are mainly involved in the certificate issuing and revocation phases of embodiment three of the present invention;
Fig. 9b shows a schematic diagram of the website server, the user terminal and the blockchain that are mainly involved in the certificate query phase of embodiment three of the present invention;
Fig. 10 shows the blockchain-based network architecture diagram;
Fig. 11 shows a structural diagram of a blockchain-based CA authentication management apparatus provided by another embodiment of the present invention;
Fig. 12 shows a schematic structural diagram of a blockchain-based CA authentication management system provided by a further embodiment of the present invention.
Specific embodiments
Exemplary embodiments of the present disclosure are described in more detail below with reference to the accompanying drawings. Although the drawings show exemplary embodiments of the disclosure, it should be understood that the disclosure may be realized in various forms and should not be limited by the embodiments set forth here. Rather, these embodiments are provided so that the disclosure will be understood more thoroughly and its scope conveyed fully to those skilled in the art.
The embodiments of the invention provide a blockchain-based CA authentication management method, apparatus and system, which at least solve the technical problem that, under the existing CA verification scheme, the security of the root CA certificate is hard to guarantee, so that the accuracy of the entire verification process is reduced.
In the embodiments of the present invention, the blockchain network mainly involves the following classes of network entity: (1) the root CA, the most trusted certificate authority; (2) other CAs at every level (non-root CAs), which need a superior CA to issue a certificate for them in order to establish their identity; (3) client servers, the servers of users that apply to a CA for a certificate, such as website servers, which can be understood as the clients of the CA; (4) ordinary users, i.e. the user terminals of users who need to verify the other party's certificate during network communication. In the embodiments of the present invention, the first three classes of network entity are connected into the blockchain network as nodes and can therefore query all information in the blockchain, whereas the fourth class is not connected into the blockchain network as a node and therefore must first connect to some node in the blockchain network in order to query. Of course, in other embodiments of the invention the fourth class of network entity may also be connected into the blockchain network as a light node to facilitate querying. Among the above classes, a CA is a full node of the blockchain network and holds packing rights: it can both write transaction records into the blockchain and read the transaction records in the blockchain. A client server may be a full node or a non-full node but holds no packing rights, so it cannot write transaction records into the blockchain and can only read the transaction records in it.
Fig. 1 shows the node distribution diagram of the blockchain network in an embodiment of the present invention. As shown in Fig. 1, the first layer is the root CA; since the certificate of the root CA is self-signed, it is first written into the genesis block in advance by hard-coding, so that it cannot be changed and its security is improved. CAn denotes the other CAs, whose certificates must be issued by a superior CA. For example, in Fig. 1, CA1, CA2 and CA3 are subordinate CAs of the root CA and need the root CA to issue their certificates in order to prove their identity; CA11 and CA12 are subordinate CAs of CA1 and need CA1 to issue their certificates to prove their identity. A client server is a client that needs to apply to a CA for a certificate; client roles include, but are not limited to, website servers, and for ease of understanding this embodiment takes a website server as the example. For example, in Fig. 1, client server 1 and client server 2 are clients of CA11.
Fig. 2 shows a flow chart of the blockchain-based CA authentication management method provided by one embodiment of the present invention. The executing subject of the method shown in Fig. 2 may be the root CA or any other CA at any level. As shown in Fig. 2, the method comprises:
Step S210: receiving, in the blockchain network, a certificate-application transaction containing an unsigned certificate sent by a node to be certified.
Here the node to be certified is any network entity that needs a CA to issue a certificate for it; it may, for example, be a subordinate CA or a client server. The certificate-application transaction contains the unsigned certificate.
Step S220: obtaining the unsigned certificate contained in the certificate-application transaction and generating a signed certificate from it.
The signed certificate is generated by signing the unsigned certificate. Specifically, any digital signature algorithm may be used for signing; the invention places no limitation on the specific signature algorithm.
Optionally, before signing, it is further verified whether the initiator of the certificate-application transaction (i.e. the node to be certified mentioned above) is a network node that has passed a prior review; the certificate is signed only when the verification result is correct and signing is refused when the verification result is wrong. This verification step prevents unauthorized malicious nodes from sending certificate-application transactions and improves the reliability of certificate-application transactions.
Step S230: sending, in the blockchain network, a certificate-issuing transaction containing the signed certificate to the node to be certified; where the certificate-issuing transaction further comprises a first output part directed to the blockchain account address of the node to be certified and a second output part directed to a preset controllable blockchain account address.
The certificate-issuing transaction is generated from the signed certificate and sent to notify the node to be certified that its certificate application has succeeded.
Optionally, the embodiment of the present invention may further include step S240: writing the first transaction record corresponding to the certificate-application transaction and the second transaction record corresponding to the certificate-issuing transaction into regular blocks of the blockchain, and broadcasting the block containing the first transaction record and the second transaction record in the blockchain network.
Specifically, in the present invention the blockchain comprises a genesis block and regular blocks: the genesis block is used to store the root CA certificate, and the regular blocks are used to store the transaction records corresponding to all certificate authority operations, for later querying. The so-called genesis block is the first block in the blockchain; it is generated earliest and has the highest security, and subsequent blocks have no right to modify it, so storing the root CA certificate in the genesis block significantly improves the security of the root CA certificate. All blocks in the blockchain other than the genesis block are called regular blocks and are used to store the individual transaction records for querying.
The executing subject of step S240 may be the node to be certified mentioned above or another network node in the blockchain network, for example the network node that performs the signing operation on the unsigned certificate. The invention places no limitation on the executing subject of step S240, so step S240 is an optional step.
It can be seen that, in the blockchain-based CA authentication management method provided by the invention, the blockchain network is used to manage the certificates of CAs at every level and the certificates of their clients, and the root CA certificate is stored in the genesis block of the blockchain network; because the genesis block is the first block, its security is high and it is hard to tamper with. Correspondingly, the invention turns the certificate issuing process into a transaction process in the blockchain network and records every operation on a certificate in the blockchain in the form of blockchain transaction records, so that the user need not pre-store the root CA certificate locally and only needs to query the blockchain network. This not only simplifies the user's operations and saves user storage space, but also greatly improves the security of the root CA certificate and the accuracy of the subsequent verification process.
The specific implementation details of the blockchain-based CA authentication management method provided by the invention are described below with reference to specific examples. Three management types are mainly involved, namely issuing a certificate, revoking a certificate and querying a certificate; the detailed process of each type of management operation is introduced below by way of three embodiments:
Embodiment one
This embodiment mainly implements the certificate-issuing class of management operations. Specifically, issuing a certificate involves the process of generating the root CA certificate, the process by which a subordinate CA applies to its superior CA for a certificate, and the process by which a client applies to a CA for a certificate; these are introduced in turn below:
(1) Certificate generation process of the root CA:
Since the root CA is the most trusted certificate authority, its certificate is self-signed and is not certified by any superior CA; the certificate of the root CA can therefore be trusted for a long time and hardly ever needs to change. So, in the embodiments of the invention, the root CA certificate is written into the genesis block by hard-coding. Because all the remaining blocks are built on the genesis block, no operation of any node on the blockchain can modify the genesis block, which guarantees that even if a node in the blockchain is maliciously attacked, the certificate of the root CA cannot be changed. Fig. 3 shows the certificate structure of the root CA; since the certificate of the root CA is self-signed and no superior CA signs for it, it only needs to record the root CA's own information. As shown in Fig. 3, the root CA certificate includes: the certificate authority's public key, the certificate authority's information, the certificate authority's blockchain account address, the certificate validity period, the certificate issuing time, a digital signature and other information. The blockchain account address includes, but is not limited to, a Bitcoin address.
(2) Certificate generation process of other CAs:
Fig. 4 shows a flow chart of the certificate generation process of other CAs. As shown in Fig. 4, the certificate generation process of other CAs comprises the following steps:
Step S410: superior CA mechanism in block chain network, CA mechanism, junior sends application certificate transaction.
Here, junior CA mechanism is it can be appreciated that node to be certified, higher level CA mechanism is it can be appreciated that certification section Point.The embodiment of the present invention can realize based on the transaction format of publicly-owned block chain, and therefore, every transaction may include input and defeated Two parts out.Fig. 5 shows the schematic diagram of the transaction, may include the certificate of unsigning of CA mechanism, junior in output par, c, i.e., Incomplete certificate.Wherein, any certificate of other nodes on block chain in order to prevent, is written in certificate of unsigning The relevant information of higher level CA mechanism.
Step S420: higher level CA mechanism obtains the certificate of unsigning for including in the transaction of above-mentioned application certificate, according to unsigning Certificates constructing signing certificate.
To improve security, in this step the superior CA optionally verifies the unsigned certificate after retrieving it from the certificate-application transaction, and performs the subsequent operations only if the verification passes. To facilitate verification, the unsigned certificate may further carry verification information which, in addition to the information about the superior CA mentioned above, may include at least one of: the public key of the node to be certified, information about the node to be certified, the block chain account address of the node to be certified, information about the certifying node, the block chain account address of the certifying node, the certificate validity period and the certificate issuance time. In the verification itself, the superior CA uses this information to verify the identity of the subordinate CA and the legitimacy of the unsigned certificate. The superior CA further checks whether the certificate-authority block chain account address contained in the unsigned certificate matches its own block chain account address. If it matches, the certificate authority designated by the subordinate CA is this superior CA, and the subsequent steps continue; if it does not match, the designated certificate authority is not this superior CA, so an error message is returned to the subordinate CA prompting it to resend correct transaction information. The invention does not limit when the verification step is performed; for example, it may also be performed after signing. The order of the individual checks within the verification step is likewise arbitrary, and a person skilled in the art may arrange them according to actual needs.
Once the verification passes, the superior CA signs the unsigned certificate, i.e. completes it, and obtains the signed certificate. A signed certificate generally contains: the user's public key, the user's information, the user's block chain account address, the certificate authority's information, the certificate authority's block chain account address, the certificate validity period, the certificate issuance time and other such information, plus the digital signature. Here "user" refers to the subordinate CA and "certificate authority" to the superior CA; the digital signature is the result of the superior CA encrypting with its private key the hash of all certificate fields other than the digital signature itself.
In addition, the superior CA generates a controllable address that it controls. The controllable address may be generated in step S420 or in advance; the invention does not limit when it is generated. The main purpose of the controllable address is to identify the certificate's status information so that the certificate status can be queried.
Step S430: the superior CA sends, in the block chain network, a certificate-issuance transaction containing the signed certificate to the subordinate CA. The issuance transaction further comprises a first output part directed to the node to be certified and a second output part directed to the preset controllable address. Here "controllable address" is short for the controllable block chain account address mentioned above. Since a node to be certified is normally identified in the block chain network by its account address, the first output part is in fact directed to the block chain account address of the node to be certified; likewise, wherever this description speaks of directing an output to another network node (such as the subordinate CA), it means directing it to that node's block chain account address.
The superior CA initiates an issuance transaction to the subordinate CA and writes the signed certificate into the transaction's output part. Fig. 6 is a schematic diagram of the issuance transaction. As shown in Fig. 6, the transaction is initiated by the root CA; the "input" part of Fig. 6 is the transaction's input, which may be empty or may carry the root CA's address information. The transaction has two output parts in total: output 0 is the first output part, directed to the subordinate CA (i.e. its block chain account address), and is sent to the subordinate CA to notify it that the certificate has been issued; output 1 is the second output part, directed to the controllable address above, and the "signed certificate" in that part denotes the complete signed certificate. The order of output 0 and output 1 may be arbitrary. In this step the superior CA also pays funds into the controllable address in order to produce the second output part, so this output may also be called an unspent transaction output (UTXO). The initial state of the second output part is therefore "unspent", which identifies the certificate as valid: as long as the funds (e.g. bitcoin) that the superior CA paid into the controllable address are not spent, the second output part remains in the unspent state and the certificate is valid; once the superior CA spends the funds paid into the controllable address, the second output part changes to the spent state and the certificate becomes invalid.
Step S440: the superior CA writes the transaction records corresponding to the certificate-application transaction and the certificate-issuance transaction into a regular block of the block chain, and broadcasts the block containing the first and second transaction records in the block chain network.
Step S440 is optional. Its executing entity may be the superior CA or any other network node in the block chain network; the invention does not limit which network node writes the records of the application transaction and the issuance transaction into the block chain. The two records may be written by the same network node or by different network nodes.
(3) Certificate generation process for a client:
Fig. 7 is a flow chart of the certificate generation process for a client of a CA. This example uses a website server as the client; apart from a website server, other kinds of client server are also possible. As shown in Fig. 7, the certificate generation process for a client comprises the following steps:
Step S710: the website server sends a certificate-application transaction to the CA in the block chain network.
Here the website server may be understood as the node to be certified and the CA as the certifying node. The output part of the transaction contains the website server's unsigned certificate, i.e. an incomplete certificate. To prevent other nodes on the block chain from signing the certificate at will, information about the CA is also written into the unsigned certificate. The website server then writes the transaction record of the application transaction into a regular block of the block chain.
Step S720: the CA obtains the unsigned certificate contained in the application transaction, generates a signed certificate from it, and generates a controllable address that the CA controls.
To improve security, in this step the CA optionally verifies the unsigned certificate after retrieving it from the application transaction, and performs the subsequent operations only if the verification passes. To facilitate verification, the unsigned certificate may further carry verification information which, in addition to the information about the CA mentioned above, may include the public key of the node to be certified, information about the node to be certified, the address of the node to be certified, information about the certifying node, the address of the certifying node, the certificate validity period and the certificate issuance time. In the verification itself, the CA uses this information to verify the identity of the website server and the legitimacy of the unsigned certificate. The CA further checks whether the certificate-authority address contained in the unsigned certificate matches its own address. If it matches, the certificate authority designated by the website server is this CA, and the subsequent steps continue; if it does not match, the designated certificate authority is not this CA, so an error message is returned to the website server prompting it to resend correct transaction information.
Once the verification passes, the CA signs the unsigned certificate, i.e. completes it, and obtains the signed certificate. The structure of the signed certificate is shown in Fig. 8 and comprises: the user's public key, the user's information, the user's address, the certificate authority's information, the certificate authority's address, the certificate validity period, the certificate issuance time and other such information, plus the digital signature.
In addition, the CA generates a controllable address that it controls, either in this step or in advance. The main purpose of the controllable address is to store the certificate's status information so that the certificate status can be queried.
Step S730: the CA sends, in the block chain network, a certificate-issuance transaction containing the signed certificate to the website server. The issuance transaction further comprises a first output part directed to the website server and a second output part directed to the controllable address; the second output part stores the unspent status information that identifies the certificate as valid.
The CA initiates an issuance transaction to the website server and writes the signed certificate into the transaction's output part. The transaction has two output parts in total: the first output part, directed to the subordinate CA, is sent to the subordinate CA to notify it that the certificate has been issued; the second output part is directed to the controllable address above, and sig(cert) in that part denotes the complete signed certificate. In this step the CA also pays funds into the controllable address in order to produce the second output part, so this output may also be called an unspent transaction output (UTXO). Equivalently, this output may be understood as containing the unspent status information that identifies the certificate as valid: as long as the funds (bitcoin) that the CA paid into the controllable address have not been spent, the certificate is valid.
Step S740: the CA writes the transaction records corresponding to the certificate-application transaction and the certificate-issuance transaction into a regular block of the block chain, and broadcasts the block containing these transaction records in the block chain network.
Step S740 is optional. Its executing entity may be the CA or any other network node in the block chain network; the invention does not limit which network node writes the records of the application transaction and the issuance transaction into the block chain. The two records may be written by the same network node or by different network nodes.
Embodiment two
This embodiment mainly implements certificate revocation management operations. Specifically, certificate revocation covers a superior CA revoking a certificate it issued to a subordinate CA, and a CA revoking a certificate it issued to a client. Since the two revocation procedures are similar, the first kind is described below:
Because the address corresponding to the certificate is controlled by the certificate authority, the authority looks up the issuance transaction of the certificate and the output part (i.e. the UTXO) directed to the controllable address it generated, and spends the amount contained in that output part; this indicates that the certificate is revoked.
Specifically, the CA searches the regular blocks for the transaction record corresponding to the issuance transaction and obtains the signed certificate from that record; it then sends a certificate-revocation transaction containing the signed certificate, whose input part references the second output part of the issuance transaction and whose output part is directed to the block chain account address of the node to be certified. In a concrete implementation, the input part of the revocation transaction references the output part of the issuance transaction that is directed to the preset controllable address, and the CA's block chain account address may be set in the output part. The revocation transaction changes the state of the second output part directed to the preset controllable block chain account address from its initial unspent state to the spent state, thereby indicating that the certificate is invalid.
This revocation method applies both to revoking a CA's certificate and to revoking a client's certificate. After revocation, the unspent status information in the output of the certificate's transaction is updated to spent status information, showing that the certificate is invalid.
Embodiment three
This embodiment mainly implements certificate query (verification) management operations. A certificate is usually verified by a user who exchanges information with the certificate owner (such as a website server). The verification checks not only whether the certificate owned by the owner itself is valid, but also, level by level upwards, the certificates of the certificate authorities. The main steps of the verification process are as follows:
Step 1: the user terminal accesses the server, and the server sends the certificate it owns to the user terminal.
The user checks whether contents of the certificate such as the validity period are correct; if so, the subsequent steps continue, otherwise the certificate is confirmed as erroneous.
Step 2: the user terminal sends a certificate query request to any network node in the block chain network, and that network node receives and processes the request.
The network node that receives and processes the query request may be a CA or a website server: because of the decentralized, distributed storage of the block chain network, every network node holds the complete block chain information. The network node obtains the certificate information contained in the query request, looks up the transaction corresponding to the certificate by the block chain account addresses of the certificate authority and of the certificate owner, and retrieves the transaction information.
Step 3: the network node obtains the corresponding signed certificate from the transaction information and sends it to the user terminal.
Specifically, using the addresses of the certificate authority and of the certificate owner (e.g. the website server) recorded in the certificate, the network node searches the block chain for the transactions that the certificate authority initiated to the certificate owner, selects the newest one and extracts the signed certificate from it, then sends that signed certificate to the user terminal. The user compares the received signed certificate with the certificate received in step 1; if they are consistent the subsequent steps continue, otherwise the certificate is confirmed as erroneous.
Step 4: query the transaction record stored in the block chain that corresponds to the signed certificate. If the second output part of the transaction record contains the unspent status information, the certificate is confirmed valid; if it contains the spent status information, the certificate is confirmed invalid.
Step 4 may be performed by the user terminal itself or by a CA at the user terminal's request, and may be triggered by the user terminal's request or automatically after step 3 completes. Specifically, if this output has been used up, the certificate has been revoked; if it has not been used up, the certificate is valid. "Used up" means that the amount in the output has been transferred to other addresses by a transaction.
Step 5: recursively check the certificates of the issuing authorities upwards, until the root certificate.
Step 5 may be triggered at the user terminal's request or automatically after step 4 completes. To ensure the validity of the certificate, the legitimacy of its issuing authority must be checked further, i.e. whether the issuing authority's certificate is valid. This check is similar to the check of the website server's certificate and covers two aspects, the correctness and the validity of the certificate. Except for the root certificate, the query process at each level is essentially the same: first, verify the certificate by its contents such as the validity period; second, look up the saved certificate record on the block chain and compare it to check whether the certificate is correct; finally, query the UTXO state to check whether the certificate has been revoked. The root certificate only needs to be checked in the genesis block and need not be checked for revocation: it is self-signed, has no superior issuing authority, and once written into the genesis block cannot be revoked. Verifying the root certificate therefore only requires checking whether the certificate is correct, not checking its validity period or whether it has been revoked.
If any of the above checks fails, there is a problem and the verification result may be returned directly without further verification.
The above process achieves certificate verification. For a fuller understanding of the invention, Figs. 9a and 9b show flow charts of the links involved in the above embodiments. As shown in Fig. 9a, the certificate issuance and revocation links mainly involve the website server, the CA and the block chain. In step 91 the website server initiates a transaction that sends the unsigned certificate. In step 92 the CA signs the certificate and generates a certificate account address (the controllable address mentioned above). In step 93 the CA initiates the issuance transaction, writes the certificate into it and pays funds into the certificate account. In step 94 the CA queries the funded UTXO in the issuance transaction and generates a revocation transaction that uses up this output. As shown in Fig. 9b, the certificate query link mainly involves the website server, the user terminal and the block chain. In step 95 the user terminal accesses the website server. In step 96 the website server returns the certificate to the user terminal. In step 97 the user looks up the transaction information corresponding to the certificate on the block chain. In step 98 the user terminal compares the website server's certificate with the certificate on the block chain. In step 99 the user terminal checks the state of the corresponding UTXO in the transaction. In step 100 the CA's certificate is checked. In step 101 the root CA's certificate is checked. In step 102 the check result is returned.
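The following Python model is an added example, not code from the patent or from the applicant. It ties together the three embodiments above: issuance writes a two-output transaction whose output 1 pays the CA's controllable address (steps S420 to S430 and S720 to S730, including the check that the unsigned certificate names this CA), revocation spends that output (embodiment two), and verification walks from the presented certificate up to the root in the genesis block, comparing each certificate with the copy on chain and checking the UTXO state (embodiment three, steps 1 to 5). Everything is assumed: the ledger, addresses, field names, amounts and secrets are constructed, and the CA signature is an HMAC stand-in rather than the private-key signature the patent describes.

```python
import hashlib
import hmac
import json

def cert_hash(cert):
    """SHA-256 over every certificate field except the signature (the part the CA signs)."""
    body = {k: v for k, v in cert.items() if k != "signature"}
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

def sign_cert(cert, ca_secret):
    """Stand-in for the CA's private-key signature over cert_hash (HMAC; assumed, not the patent's)."""
    return dict(cert, signature=hmac.new(ca_secret, cert_hash(cert).encode(), "sha256").hexdigest())

class Ledger:
    """Minimal UTXO ledger: tx = {'inputs': [(txid, index)], 'outputs': [{'to', 'value', 'cert'?}]}."""

    def __init__(self, root_cert):
        self.genesis_root = root_cert  # root certificate hard-coded into the genesis block
        self.txs = {}                  # txid -> transaction, kept in insertion order
        self.spent = set()             # (txid, index) pairs consumed by a later input

    def submit(self, tx):
        """Append a transaction; every input must reference an existing, unspent output."""
        for txid, idx in tx["inputs"]:
            if txid not in self.txs or idx >= len(self.txs[txid]["outputs"]):
                raise ValueError("input references an unknown output")
            if (txid, idx) in self.spent:
                raise ValueError("double spend")
        txid = hashlib.sha256(json.dumps(tx, sort_keys=True).encode()).hexdigest()
        self.txs[txid] = tx
        self.spent.update(tx["inputs"])
        return txid

    def latest_issue(self, subject_addr, issuer_addr=None):
        """Newest issuance tx paying subject_addr in output 0 (optionally from issuer_addr): (txid, cert) or None."""
        if subject_addr == self.genesis_root["subject_addr"]:
            return "genesis", self.genesis_root  # the root lives in the genesis block, not in a transaction
        hit = None
        for txid, tx in self.txs.items():
            out0 = tx["outputs"][0]
            cert = out0.get("cert")
            if cert and out0["to"] == subject_addr and issuer_addr in (None, cert["issuer_addr"]):
                hit = (txid, cert)
        return hit

def issue_certificate(ledger, ca_addr, ca_secret, control_addr, unsigned_cert):
    """Steps S420/S430 (S720/S730 for a client): reject a request naming another CA, sign, and emit
    a tx with output 0 -> the subject and output 1 -> the CA's controllable address (the 'valid' UTXO)."""
    if unsigned_cert["issuer_addr"] != ca_addr:
        raise ValueError("request names a different issuing CA; resend correct transaction")
    signed = sign_cert(unsigned_cert, ca_secret)
    tx = {"inputs": [],  # funding input left empty, as Fig. 6 permits for the input part
          "outputs": [{"to": unsigned_cert["subject_addr"], "value": 0, "cert": signed},
                      {"to": control_addr, "value": 1, "cert": signed}]}
    return ledger.submit(tx), signed

def revoke_certificate(ledger, issue_txid, ca_addr):
    """Embodiment two: spend output 1 of the issuance tx back to the CA, flipping it to 'spent' (= invalid)."""
    return ledger.submit({"inputs": [(issue_txid, 1)], "outputs": [{"to": ca_addr, "value": 1}]})

def verify_chain(ledger, presented_cert, now):
    """Embodiment three, steps 1-5: check the presented certificate, then each issuer upwards; the root
    only has to match the genesis block. Returns (ok, reason)."""
    cert = presented_cert
    while cert["issuer_addr"] != cert["subject_addr"]:  # root certificates are self-signed
        if not cert["not_before"] <= now <= cert["not_after"]:
            return False, f"{cert['subject']}: outside validity period"
        hit = ledger.latest_issue(cert["subject_addr"], cert["issuer_addr"])
        if hit is None:
            return False, f"{cert['subject']}: no issuance transaction on chain"
        txid, chain_copy = hit
        if chain_copy != cert:
            return False, f"{cert['subject']}: differs from the copy on chain"
        if (txid, 1) in ledger.spent:
            return False, f"{cert['subject']}: revoked (output 1 spent)"
        up = ledger.latest_issue(cert["issuer_addr"])  # climb to the issuer's own certificate
        if up is None:
            return False, f"issuer {cert['issuer_addr']}: no certificate on chain"
        cert = up[1]
    if cert != ledger.genesis_root:
        return False, "root certificate does not match the genesis block"
    return True, "ok"

def demo(now=1_700_000_000):
    """Constructed scenario: root -> CA1 -> website; verify, then the root revokes CA1 and verify again."""
    valid = {"not_before": now - 100, "not_after": now + 10_000}
    root = sign_cert({"subject": "root CA", "subject_addr": "addr_root", "issuer_addr": "addr_root", **valid},
                     b"root-secret")
    ledger = Ledger(root)
    ca1_tx, _ = issue_certificate(ledger, "addr_root", b"root-secret", "ctl_root",
        {"subject": "CA1", "subject_addr": "addr_ca1", "issuer_addr": "addr_root", **valid})
    _, site_cert = issue_certificate(ledger, "addr_ca1", b"ca1-secret", "ctl_ca1",
        {"subject": "website", "subject_addr": "addr_site", "issuer_addr": "addr_ca1", **valid})
    before = verify_chain(ledger, site_cert, now)
    revoke_certificate(ledger, ca1_tx, "addr_root")
    after = verify_chain(ledger, site_cert, now)
    tampered = verify_chain(ledger, dict(site_cert, not_after=now + 10**9), now)
    return before, after, tampered
```

Running demo() shows the two properties the patent relies on: the website certificate verifies while every issuer's output 1 is unspent, and it stops verifying as soon as the root spends CA1's output, even though the website certificate itself was never touched; a certificate altered after issuance fails at the comparison with the on-chain copy before the UTXO state is even consulted. The ledger rejects a second revocation of the same output as a double spend, which is the same rule that keeps anyone other than the controlling CA from changing the certificate's state.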
Fig. 10 is a diagram of the block chain based network architecture. As shown in Fig. 10, the architecture comprises: the root CA, the root CA's subordinate CA1 and the bitcoin address controlled by the root CA (the controllable address mentioned above); CA1's client website server and the bitcoin address controlled by CA1 (likewise a controllable address as mentioned above); and the user's terminal and the genesis block of the block chain. As Fig. 10 shows, the website server can send a certificate-application transaction to CA1, and CA1 can send a certificate-application transaction to the root CA. Correspondingly, the root CA can send a certificate-issuance transaction to CA1, and CA1 can send a certificate-issuance transaction to the website server; when sending the issuance transaction, the issuing authority also has to pay funds into the bitcoin address it controls. In addition, the user can access any network node to verify the validity of a certificate.
It can be seen from the above that the invention uses the block chain to perform CA certificate management operations such as issuance, revocation and query, making full use of the tamper-resistance and openness of the block chain and remedying shortcomings of traditional CA authentication: the CA's issuance and revocation information propagates faster, the credibility of certificate authorities, especially the root CA, improves, and users can check certificates more reliably by querying the records on the block chain in real time. Moreover, owing to the distributed nature of the block chain, even if a CA node is maliciously attacked the security of the entire CA network is not affected, and the block chain network is likely to perceive the problem within a short time.
In addition, a person skilled in the art may make various changes and modifications to the above embodiments, for example in the following respects:
(1) In the above embodiments, the nodes on the block chain comprise CAs and organizations applying for certificates (such as website servers), and an ordinary user verifies a certificate by accessing any node on the block chain. Optionally, an ordinary user may also join the block chain as a node, improving the flexibility of the verification process.
(2) Since the root CA's certificate is hard-coded into the genesis block, if there are several root CAs in the block chain network and one of them is compromised, replacing that root CA would destroy the entire block chain network. Optionally, a superior root is established for all root CAs and written into the genesis block, and the superior root issues the certificates of the root CAs.
(3) The invention generates a controllable address of the certificate authority in the certificate, the transaction generates the UTXO corresponding to that account, and whether the UTXO has been used up determines whether the certificate is revoked. Optionally, since the validity of a certificate depends on the UTXO rather than on a particular account, the same account may be reused: a certificate authority needs to generate only one such account, and the UTXOs generated for all the certificates it issues correspond to that account.
(4) The certificate in the embodiments of the invention contains an optional item: the addresses of the certificate authority and of the applying organization, i.e. their account addresses in the block chain network. Optionally, to remain consistent with traditional certificate formats, this item may be left out of the certificate and written directly into the output part contents of each transaction, as follows:
Fig. 11 is a structural diagram of a block chain based CA authentication management device provided by another embodiment of the invention. The block chain further comprises a genesis block, used to store the root CA certificate, and regular blocks. The device comprises:
a receiving module 101, adapted to receive the certificate-application transaction containing an unsigned certificate that a node to be certified sends in the block chain network;
an obtaining module 102, adapted to obtain the unsigned certificate contained in the application transaction and generate a signed certificate from the unsigned certificate;
a sending module 103, adapted to send, in the block chain network, a certificate-issuance transaction containing the signed certificate to the node to be certified, the issuance transaction further comprising a first output part directed to the block chain account address of the node to be certified and a second output part directed to a preset controllable block chain account address.
Optionally, the device further comprises a recording module 104, adapted to write the first transaction record corresponding to the application transaction and the second transaction record corresponding to the issuance transaction into regular blocks of the block chain, and to broadcast the block containing the first and second transaction records in the block chain network.
Optionally, the signed certificate is stored in the second output part of the issuance transaction.
Optionally, the unsigned certificate contains verification information, and the obtaining module is specifically adapted to verify the unsigned certificate according to the verification information and, after the verification passes, to digitally sign the unsigned certificate.
Optionally, the verification information comprises at least one of: the public key of the node to be certified, information about the node to be certified, the address of the node to be certified, information about the certifying node, the address of the certifying node, the certificate validity period and the certificate issuance time.
Optionally, the device further comprises a revocation module, adapted to search the regular blocks for the second transaction record and obtain the signed certificate from it, and to send in the block chain network a certificate-revocation transaction containing the signed certificate, the revocation transaction comprising an input part that references the second output part of the issuance transaction and an output part directed to the block chain account address of the node to be certified.
Optionally, the device further comprises a query module, adapted to receive a certificate query request sent by a user terminal, obtain the certificate information contained in the request, look up the corresponding transaction record in the regular blocks according to that certificate information, obtain the corresponding signed certificate from the transaction record found, and send the signed certificate to the user terminal. Specifically, the query module is further adapted to query the transaction record stored in the regular blocks that corresponds to the signed certificate, and to send a certificate-valid message to the user terminal when the second output part of that record is in the unspent state, or a certificate-invalid message when it is in the spent state.
The root CA certificate comprises: the root CA's public key, the root CA's information, the root CA's address, the certificate validity period, the certificate issuance time and the digital signature.
The specific working details of the above modules may be found in the description of the corresponding parts of the method embodiments and are not repeated here.
The above block chain based CA authentication management device is usually one of the CAs at the various levels mentioned above.
Fig. 12 is a schematic structural diagram of a block chain based CA authentication management system provided by another embodiment of the invention. As shown in Fig. 12, the system comprises the CA authentication management device 100 described above and a node to be certified 110. The CA authentication management device 100 may be the root CA or a CA at any other level; the node to be certified 110 may be a CA at any level or a client server.
In conclusion in the inventive solutions, main includes following several key problem in technology points:
Firstly, the trust of block chain is joined jointly by all nodes using certificate as on a part write-in block chain of transaction With completion.Therefore it ensure that the correctness of certificate.
Secondly, root certificate is written in wound generation block so that even if some node on block chain by malicious attack, Root certificate can not arbitrarily be changed.
Again, using the transactional nature of bit coin, whether consumed by the UTXO that transaction generates, to judge certificate Whether it is revoked.The process verified every time examines newest record on current block chain in real time, and solving user can not obtain in time The problem of whether certificate is revoked known.
Finally, in conjunction with the distributed feature of block chain, all nodes all save the record of transaction, therefore user can be with Arbitrary node is connected to go to be examined.So that checking process is independent of single source, it is therefore prevented that record and be maliciously tampered Risk.
The algorithms and displays provided herein are not inherently related to any particular computer, virtual system or other apparatus. Various general-purpose systems may also be used with the teachings herein, and the structure required to construct such systems is apparent from the above description. The invention is also not directed to any particular programming language: various programming languages may be used to implement the content of the invention described herein, and the above description of specific languages is for disclosing the best mode of the invention.
Numerous specific details are set forth in the description provided here. It is to be understood, however, that embodiments of the invention may be practised without these specific details. In some instances, well-known methods, structures and techniques have not been shown in detail so as not to obscure the understanding of this description.
Similarly, it should be understood that, to simplify the disclosure and to aid the understanding of one or more of the various inventive aspects, the features of the invention are sometimes grouped together in a single embodiment, figure or description thereof in the above description of exemplary embodiments. This method of disclosure, however, is not to be interpreted as reflecting an intention that the claimed invention requires more features than are expressly recited in each claim. Rather, as the following claims reflect, inventive aspects lie in fewer than all features of a single disclosed embodiment. The claims following the detailed description are hereby expressly incorporated into that detailed description, with each claim standing on its own as a separate embodiment of the invention.
A person skilled in the art will understand that the modules in the devices of an embodiment may be adaptively changed and arranged in one or more devices different from that embodiment. The modules, units or components of an embodiment may be combined into one module, unit or component, and they may furthermore be divided into a plurality of sub-modules, sub-units or sub-components. Except where at least some of such features and/or processes or units are mutually exclusive, all features disclosed in this description (including the accompanying claims, abstract and drawings) and all processes or units of any method or apparatus so disclosed may be combined in any combination. Unless expressly stated otherwise, each feature disclosed in this description (including the accompanying claims, abstract and drawings) may be replaced by an alternative feature serving the same, an equivalent or a similar purpose.
Furthermore, a person skilled in the art will appreciate that although some embodiments described herein include certain features included in other embodiments but not others, combinations of features of different embodiments are meant to be within the scope of the invention and to form different embodiments. For example, in the following claims, any of the claimed embodiments may be used in any combination.
The various component embodiments of the invention may be implemented in hardware, in software modules running on one or more processors, or in a combination thereof. A person skilled in the art will understand that a microprocessor or a digital signal processor (DSP) may be used in practice to implement some or all of the functions of some or all of the components of a device according to an embodiment of the invention. The invention may also be implemented as an apparatus or device program (for example a computer program or computer program product) for performing part or all of the method described herein. Such a program implementing the invention may be stored on a computer-readable medium or may take the form of one or more signals; such signals may be downloaded from an internet website, provided on a carrier signal or provided in any other form.
It should be noted that the above-mentioned embodiments illustrate rather than limit the invention, and this Field technical staff can be designed alternative embodiment without departing from the scope of the appended claims.In claim In, any reference symbol between parentheses should not be configured to limitations on claims.Word "comprising" is not excluded for depositing In element or step not listed in the claims.Word "a" or "an" located in front of the element does not exclude the presence of multiple Such element.The present invention can be by means of including the hardware of several different elements and by means of properly programmed calculating Machine is realized.In the unit claims listing several devices, several in these devices can be by same Hardware branch embodies.The use of word first, second, and third does not indicate any sequence.It can be by these words It is construed to title.

Claims (19)

1. A CA authentication management method based on a block chain, characterized in that the block chain further comprises a genesis block and regular blocks, the genesis block storing a root CA certificate, the method comprising:
receiving, in the block chain network, a certificate application transaction containing an unsigned certificate sent by a node to be certified;
obtaining the unsigned certificate contained in the certificate application transaction and generating a signed certificate according to the unsigned certificate;
sending, in the block chain network, a certificate issuance transaction containing the signed certificate to the node to be certified; wherein the certificate issuance transaction further comprises a first output part directed to the block chain account address of the node to be certified, and a second output part directed to a preset controllable block chain account address.
2. The method according to claim 1, further comprising: writing a first transaction record corresponding to the certificate application transaction and a second transaction record corresponding to the certificate issuance transaction respectively into regular blocks of the block chain, and broadcasting the block containing the first transaction record and the second transaction record in the block chain network.
3. The method according to claim 1, wherein the signed certificate is stored in the second output part of the certificate issuance transaction.
4. The method according to claim 1, wherein, if the unsigned certificate contains verification information, the step of generating a signed certificate according to the unsigned certificate specifically comprises:
verifying the unsigned certificate according to the verification information and, after the verification passes, digitally signing the unsigned certificate.
5. The method according to claim 4, wherein the verification information comprises at least one of: the public key of the node to be certified, information on the node to be certified, the address of the node to be certified, information on the certifying node, the address of the certifying node, the certificate validity period, and the certificate issuance time.
6. The method according to claim 2, wherein, after the step of writing the first transaction record corresponding to the certificate application transaction and the second transaction record corresponding to the certificate issuance transaction respectively into regular blocks of the block chain, the method further comprises:
looking up the second transaction record in the regular blocks and obtaining the signed certificate according to the second transaction record;
sending, in the block chain network, a certificate revocation transaction containing the signed certificate, wherein the certificate revocation transaction comprises an input part directed to the second output part of the certificate issuance transaction, and an output part directed to the block chain account of the node to be certified.
7. The method according to claim 2, further comprising:
receiving a certificate query request sent by a user terminal and obtaining the certificate information contained in the certificate query request;
looking up the corresponding transaction record in the regular blocks according to the certificate information, and obtaining the corresponding signed certificate according to the transaction record found;
sending the signed certificate to the user terminal.
8. The method according to claim 7, wherein, after the step of sending the signed certificate to the user terminal, the method further comprises:
querying the transaction record corresponding to the signed certificate stored in the regular blocks; when the state of the second output part in the transaction record is determined to be unspent, sending a certificate-valid message to the user terminal; when the state of the second output part in the transaction record is determined to be spent, sending a certificate-invalid message to the user terminal.
9. The method according to claim 1, wherein the root CA certificate comprises: the root CA public key, root CA information, the root CA address, the certificate validity period, the certificate issuance time and a digital signature.
10. A CA authentication management device based on a block chain, characterized in that the block chain further comprises a genesis block and regular blocks, the genesis block storing a root CA certificate, the device comprising:
a receiving module, adapted to receive, in the block chain network, a certificate application transaction containing an unsigned certificate sent by a node to be certified;
an obtaining module, adapted to obtain the unsigned certificate contained in the certificate application transaction and to generate a signed certificate according to the unsigned certificate;
a sending module, adapted to send, in the block chain network, a certificate issuance transaction containing the signed certificate to the node to be certified; wherein the certificate issuance transaction further comprises a first output part directed to the block chain account address of the node to be certified, and a second output part directed to a preset controllable block chain account address.
11. The device according to claim 10, further comprising: a recording module, adapted to write a first transaction record corresponding to the certificate application transaction and a second transaction record corresponding to the certificate issuance transaction respectively into regular blocks of the block chain, and to broadcast the block containing the first transaction record and the second transaction record in the block chain network.
12. The device according to claim 10, wherein the signed certificate is stored in the second output part of the certificate issuance transaction.
13. The device according to claim 10, wherein, if the unsigned certificate contains verification information, the obtaining module is specifically adapted to:
verify the unsigned certificate according to the verification information and, after the verification passes, digitally sign the unsigned certificate.
14. The device according to claim 13, wherein the verification information comprises at least one of: the public key of the node to be certified, information on the node to be certified, the address of the node to be certified, information on the certifying node, the address of the certifying node, the certificate validity period, and the certificate issuance time.
15. The device according to claim 11, further comprising:
a revocation module, adapted to look up the second transaction record in the regular blocks and obtain the signed certificate according to the second transaction record, and to send, in the block chain network, a certificate revocation transaction containing the signed certificate, wherein the certificate revocation transaction comprises an input part directed to the second output part of the certificate issuance transaction, and an output part directed to the block chain account of the node to be certified.
16. The device according to claim 11, further comprising:
a query module, adapted to receive a certificate query request sent by a user terminal and obtain the certificate information contained in the certificate query request; to look up the corresponding transaction record in the regular blocks according to the certificate information and obtain the corresponding signed certificate according to the transaction record found; and to send the signed certificate to the user terminal.
17. The device according to claim 16, wherein the query module is further adapted to:
query the transaction record corresponding to the signed certificate stored in the regular blocks; when the state of the second output part in the transaction record is determined to be unspent, send a certificate-valid message to the user terminal; when the state of the second output part in the transaction record is determined to be spent, send a certificate-invalid message to the user terminal.
18. The device according to claim 10, wherein the root CA certificate comprises: the root CA public key, root CA information, the root CA address, the certificate validity period, the certificate issuance time and a digital signature.
19. A CA authentication management system based on a block chain, characterized in that it comprises the CA authentication management device according to any one of claims 10 to 18 and a node to be certified.
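The issuance, revocation and validity check of claims 1 to 8 map onto a UTXO-style ledger: the certificate lives in the second output of the issuance transaction, revocation spends that output back to the node, and a query reports the certificate as valid only while the output is unspent. The following Python model is an added example, not code from the patent; all addresses, certificate fields and the HMAC standing in for the root CA's digital signature are constructed assumptions.

```python
import hashlib
import hmac
import json
from dataclasses import dataclass, field
from typing import Optional

@dataclass
class Output:
    address: str                        # block chain account this output is directed to
    certificate: Optional[dict] = None  # only an issuance's second output carries the cert
    spent_by: Optional[str] = None      # txid of the transaction that spent this output

@dataclass
class Transaction:
    txid: str
    kind: str                                    # "apply", "issue" or "revoke"
    inputs: list = field(default_factory=list)   # (txid, output index) pairs being spent
    outputs: list = field(default_factory=list)

class CertLedger:
    # Flattened view of the regular blocks; every node keeps the same map (constructed model).
    def __init__(self, root_ca_cert: dict, ca_address: str, ca_secret: bytes):
        self.genesis = root_ca_cert     # genesis block stores the root CA certificate
        self.ca_address = ca_address    # the preset controllable account of the CA
        self._secret = ca_secret
        self.txs: dict = {}             # txid -> Transaction, in block order

    def _add(self, kind: str, inputs: list, outputs: list) -> str:
        body = json.dumps([kind, inputs, [(o.address, o.certificate) for o in outputs]], sort_keys=True)
        txid = hashlib.sha256(body.encode()).hexdigest()
        for prev_txid, idx in inputs:   # mark the consumed outputs as spent
            self.txs[prev_txid].outputs[idx].spent_by = txid
        self.txs[txid] = Transaction(txid, kind, inputs, outputs)
        return txid

    def _sign(self, cert: dict) -> str:
        # HMAC stands in for the root CA's asymmetric signature (placeholder, not the patent's scheme)
        body = {k: v for k, v in cert.items() if k != "signature"}
        return hmac.new(self._secret, json.dumps(body, sort_keys=True).encode(), hashlib.sha256).hexdigest()

    def apply_certificate(self, node_address: str, unsigned_cert: dict) -> str:
        """The node to be certified broadcasts an application transaction carrying the unsigned cert."""
        if unsigned_cert.get("node_address") != node_address:
            raise ValueError("application must name the applicant's own address")
        return self._add("apply", [], [Output(self.ca_address, dict(unsigned_cert))])

    def issue_certificate(self, apply_txid: str) -> str:
        """CA checks the verification information (claim 5), signs, then emits the two-output transaction:
        first output -> node's account, second output -> CA-controlled account, holding the cert."""
        cert = dict(self.txs[apply_txid].outputs[0].certificate)
        missing = {"node_public_key", "node_address", "ca_address", "valid_until", "issued_at"} - cert.keys()
        if missing or cert["ca_address"] != self.ca_address:
            raise ValueError(f"verification failed: missing {sorted(missing)} or wrong CA")
        cert["signature"] = self._sign(cert)
        return self._add("issue", [], [Output(cert["node_address"]), Output(self.ca_address, cert)])

    def revoke(self, issue_txid: str) -> str:
        """Revocation spends the issuance's second output back to the node's account (claim 6)."""
        issue = self.txs[issue_txid]
        if issue.kind != "issue" or issue.outputs[1].spent_by is not None:
            raise ValueError("not an unrevoked issuance transaction")
        return self._add("revoke", [(issue_txid, 1)], [Output(issue.outputs[0].address)])

    def query(self, node_address: str):
        """Return (signed cert, valid): valid only if the CA signature checks and output 2 is unspent."""
        for tx in reversed(list(self.txs.values())):
            if tx.kind == "issue" and tx.outputs[0].address == node_address:
                cert = tx.outputs[1].certificate
                sig_ok = hmac.compare_digest(self._sign(cert), cert["signature"])
                return cert, sig_ok and tx.outputs[1].spent_by is None
        return None, False

if __name__ == "__main__":
    ledger = CertLedger({"root_ca_public_key": "ROOT-PK"}, "CA-ADDR", b"constructed-secret")
    unsigned = {"node_public_key": "NODE-PK", "node_address": "NODE-1", "ca_address": "CA-ADDR",
                "valid_until": "2017-08-31", "issued_at": "2016-08-31"}
    issue_txid = ledger.issue_certificate(ledger.apply_certificate("NODE-1", unsigned))
    print("valid after issuance:", ledger.query("NODE-1")[1])    # True
    ledger.revoke(issue_txid)
    print("valid after revocation:", ledger.query("NODE-1")[1])  # False
```

Funding inputs for the application and issuance transactions are omitted, since the claims only fix the two outputs of the issuance and the input of the revocation.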
CN201610782864.2A 2016-08-31 2016-08-31 Based on the ca authentication management method of block chain, apparatus and system Active CN106372941B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201610782864.2A CN106372941B (en) 2016-08-31 2016-08-31 Based on the ca authentication management method of block chain, apparatus and system

Publications (2)

Publication Number Publication Date
CN106372941A CN106372941A (en) 2017-02-01
CN106372941B true CN106372941B (en) 2019-07-16

Family

ID=57898771

Country Status (1)

Country Link
CN (1) CN106372941B (en)

Families Citing this family (40)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN106972931B (en) * 2017-02-22 2020-05-15 中国科学院数据与通信保护研究教育中心 Method for transparentizing certificate in PKI
CN106789090B (en) * 2017-02-24 2019-12-24 陈晶 Public key infrastructure system based on block chain and semi-random combined certificate signature method
US10484373B2 (en) * 2017-04-11 2019-11-19 Mastercard International Incorporated Systems and methods for biometric authentication of certificate signing request processing
CN107426157B (en) * 2017-04-21 2020-04-17 杭州趣链科技有限公司 Alliance chain authority control method based on digital certificate and CA authentication system
KR102694143B1 (en) * 2017-05-22 2024-08-13 엔체인 홀딩스 리미티드 Secure provision of undetermined data from an undetermined source into the locking script of a blockchain transaction
CN107451874A (en) * 2017-07-27 2017-12-08 武汉天喻信息产业股份有限公司 Electronic invoice integrated conduct method and system based on block chain
CN109428892B (en) * 2017-09-01 2021-12-28 埃森哲环球解决方案有限公司 Multi-stage rewritable block chain
CN107734502B (en) * 2017-09-07 2020-02-21 京信通信系统(中国)有限公司 Micro base station communication management method, system and equipment based on block chain
CN111433800B (en) * 2017-12-28 2024-04-09 华为国际有限公司 Transaction processing method and related equipment
CN108347483B (en) * 2018-02-06 2021-04-09 北京奇虎科技有限公司 Decentralized computing system based on double-layer network
CN108282539A (en) * 2018-02-06 2018-07-13 北京奇虎科技有限公司 Decentralization storage system based on double-layer network
CN110163004B (en) * 2018-02-14 2023-02-03 华为技术有限公司 Block chain generation method, related equipment and system
AU2019232978A1 (en) * 2018-03-14 2020-08-13 Jieqian ZHENG Block chain data processing method, management terminal, user terminal, conversion device, and medium
CN111901121B (en) * 2018-04-03 2023-09-29 创新先进技术有限公司 Cross-blockchain authentication method and device and electronic equipment
US11615060B2 (en) * 2018-04-12 2023-03-28 ISARA Corporation Constructing a multiple entity root of trust
JP7379371B2 (en) * 2018-04-27 2023-11-14 エヌチェーン ライセンシング アーゲー Blockchain network splitting
CN108933667B (en) * 2018-05-03 2021-08-10 深圳市京兰健康医疗大数据有限公司 Management method and management system of public key certificate based on block chain
CN108921694B (en) * 2018-06-21 2022-03-04 北京京东尚科信息技术有限公司 Block chain management method, block chain node and computer readable storage medium
CN108960825A (en) * 2018-06-26 2018-12-07 阿里巴巴集团控股有限公司 Electric endorsement method and device, electronic equipment based on block chain
CN108881471B (en) * 2018-07-09 2020-09-11 北京信息科技大学 Union-based whole-network unified trust anchor system and construction method
CN108964924B (en) 2018-07-24 2020-06-05 腾讯科技(深圳)有限公司 Digital certificate verification method and device, computer equipment and storage medium
CN109034826A (en) * 2018-08-06 2018-12-18 佛山市甜慕链客科技有限公司 It is a kind of for based on block chain verifying digital certificate method and system
CN108965469B (en) * 2018-08-16 2021-07-30 北京京东尚科信息技术有限公司 Dynamic management method, device, equipment and storage medium for members of block chain network
CN109242686A (en) * 2018-08-31 2019-01-18 深圳付贝科技有限公司 Transaction Recall voluntarily method digs mine machine and block catenary system
CN109325359B (en) * 2018-09-03 2023-06-02 平安科技(深圳)有限公司 Account system setting method, system, computer device and storage medium
CN109359479B (en) * 2018-09-21 2019-12-31 北京非对称区块链科技有限公司 Certificate generation and verification method, device, storage medium and electronic equipment
CN109547200A (en) * 2018-11-21 2019-03-29 上海点融信息科技有限责任公司 Certificate distribution method and corresponding calculating equipment and medium in block chain network
CN111027970B (en) * 2018-12-07 2024-02-23 深圳市智税链科技有限公司 Authentication management method, device, medium and electronic equipment of block chain system
CN111641504A (en) * 2019-03-01 2020-09-08 湖南天河国云科技有限公司 Block chain digital certificate application method and system based on bit currency system
GB2583767A (en) * 2019-05-10 2020-11-11 Nchain Holdings Ltd Methods and devices for public key management using a blockchain
WO2020232417A1 (en) * 2019-05-16 2020-11-19 Gmo Globalsign, Inc. Systems and methods for blockchain transactions with offer and acceptance
SG11202005059PA (en) 2019-06-28 2020-06-29 Alibaba Group Holding Ltd System and method for updating data in blockchain
EP3688710B1 (en) 2019-06-28 2022-05-25 Advanced New Technologies Co., Ltd. System and method for blockchain address mapping
CN110489234A (en) * 2019-08-16 2019-11-22 中国银行股份有限公司 Message processing method, device, equipment and the readable storage medium storing program for executing of block link layer
CN111047319B (en) * 2019-09-03 2021-12-10 腾讯科技(深圳)有限公司 Transaction processing method of block chain network and block chain network
CN110598375B (en) * 2019-09-20 2021-03-16 腾讯科技(深圳)有限公司 Data processing method, device and storage medium
CN110855679B (en) * 2019-11-15 2021-11-30 微位(深圳)网络科技有限公司 uPKI combined public key authentication method and system
CN112015460B (en) * 2020-09-09 2023-11-03 南京工程学院 Code responsibility-following method and system based on block chain technology
CN112512048B (en) * 2020-11-27 2022-07-12 达闼机器人股份有限公司 Mobile network access system, method, storage medium and electronic device
CN116055069B (en) * 2023-04-03 2023-06-27 北京微芯感知科技有限公司 Distributed CA (conditional access) implementation method based on block chain

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN105591753A (en) * 2016-01-13 2016-05-18 杭州复杂美科技有限公司 Application method of CA certificate on block chain
CN105592098A (en) * 2016-01-16 2016-05-18 杭州复杂美科技有限公司 Management method of vote and CA certificate of block chain
CN105701372A (en) * 2015-12-18 2016-06-22 布比(北京)网络技术有限公司 Block chain identity construction and verification method
EP3364351A1 (en) * 2015-10-16 2018-08-22 Coinplug, Inc Accredited certificate issuance system based on block chain and accredited certificate issuance method based on block chain using same, and accredited certificate authentication system based on block chain and accredited certificate authentication method based on block chain using same

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
GB2589147A (en) * 2019-11-25 2021-05-26 Nchain Holdings Ltd Methods and devices for automated digital certificate verification
WO2021105816A1 (en) * 2019-11-25 2021-06-03 nChain Holdings Limited Methods and devices for automated digital certificate verification

Also Published As

Publication number Publication date
CN106372941A (en) 2017-02-01

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
SE01 Entry into force of request for substantive examination
CB02 Change of applicant information

Address after: Room 3F301, C2 Building, Suzhou 2.5 Industrial Park, 88 Dongchang Road, Suzhou Industrial Park, Jiangsu Province

Applicant after: JIANGSU PAYEGIS TECHNOLOGY CO., LTD.

Address before: A street in Suzhou City, Jiangsu Province Industrial Park No. 388 innovation park off No. 6 Building 5 floor

Applicant before: JIANGSU PAYEGIS TECHNOLOGY CO., LTD.

GR01 Patent grant