CN114189341B - Digital certificate hierarchical processing method and device based on blockchain identification - Google Patents


Info

Publication number: CN114189341B
Application number: CN202111506912.2A
Authority: CN (China)
Prior art keywords: certificate, node, blockchain, digital certificate, backbone
Legal status: Active (as listed by Google Patents; the listed status is an assumption, not a legal conclusion)
Other languages: Chinese (zh)
Other versions: CN114189341A (en)
Inventors: 李慧玲, 张发振, 李龙, 柳京晖, 武莹, 杨树梅, 胡键伟, 马晨光, 曾西平
Current assignee: Beijing Taier Yingfu Technology Co ltd
Original assignee: Beijing Taier Yingfu Technology Co ltd
Publication of application: CN114189341A; application granted and published as CN114189341B

Classifications

    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/32Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L9/3263Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving certificates, e.g. public key certificate [PKC] or attribute certificate [AC]; Public key infrastructure [PKI] arrangements
    • H04L9/3265Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving certificates, e.g. public key certificate [PKC] or attribute certificate [AC]; Public key infrastructure [PKI] arrangements using certificate chains, trees or paths; Hierarchical trust model
    • H04L9/3268Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving certificates, e.g. public key certificate [PKC] or attribute certificate [AC]; Public key infrastructure [PKI] arrangements using certificate validation, registration, distribution or revocation, e.g. certificate revocation list [CRL]

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Management, Administration, Business Operations System, And Electronic Commerce (AREA)
  • Storage Device Security (AREA)

Abstract

The invention discloses a digital certificate hierarchical processing method and device based on a blockchain identifier, wherein a root certificate authority node and a plurality of super nodes form a main blockchain, a backbone node connected with each super node and a plurality of common nodes form at least one sub-blockchain, and the method comprises the following steps: the root certificate authority node issues a super node certificate for each super node according to the root certificate, and the super node certificates are stored on a main chain; each super node issues a backbone node certificate for the backbone node according to the super node certificate, and the backbone node certificate is stored on the corresponding backbone node; each backbone node issues a common node certificate to a common node on the sub-blockchain according to the backbone node certificate, and the common node certificate is stored on the sub-blockchain. The invention adopts the blockchain based on the main and sub chain architecture to carry out digital certificate identity processing, can reduce the burden of a single chain, improves the performance of certificate issuing and subsequent verification, and realizes efficient and safe hierarchical processing of digital certificates.

Description

Digital certificate hierarchical processing method and device based on blockchain identification
Technical Field
The invention relates to the technical field of blockchain, in particular to a digital certificate hierarchical processing method and device based on blockchain identification.
Background
This section is intended to provide a background or context to the embodiments of the invention that are recited in the claims. The description herein is not admitted to be prior art by inclusion in this section.
Internet e-commerce lets customers obtain information about merchants and enterprises very easily, but it also raises the risk that sensitive or valuable data is misused. To keep electronic transactions and payments on the Internet secure and confidential, and to prevent fraud during transaction and payment, a trust mechanism must be established on the Internet. Both the buyer and the seller taking part in e-commerce must therefore hold legitimate identities that can be effectively authenticated online.
Definition of identity and digital identity:
1. Identity: an entity represented by one or more attributes that allow the entity to be sufficiently differentiated in its context.
An identity is a set of attribute descriptions of a subject that is both distinctive and provable. Distinctiveness means that the subject can be uniquely determined from some or all of the attribute information of the identity; provability means that the identity of the subject can be attested from some or all of that attribute information.
2. Digital identity: a digital identity is a digital representation of an entity in a digital environment such that individuals can be adequately distinguished in the digital environment.
The digital identity inherits various characteristics of the identity, is widely applied to digital society, and can be mapped to the actual society for application. Most digital identities have an ID attribute for uniquely identifying the digital identity, and the ID attribute may be a serial code defined and generated according to a certain rule, or a serial code generated through hash operation, and has uniqueness in a certain digital area.
As shown in FIG. 1, a general digital identity may be defined as a set of attributes associated with an identity. Or may be a single identifier that can uniquely distinguish the entity it represents within the environment.
A digital certificate is an authoritative electronic document and a type of digital identity. It provides a way to verify identity over the Internet, much as a driver's license or identity card does in daily life. It is issued by an authority, the certificate authority (CA), and people use it to identify the counterpart in an Internet interaction. In the certificate authentication process the CA acts as an authoritative, impartial, trusted third party, so its role is crucial.
Current digital certificate types mainly include: personal digital certificates, unit employee digital certificates, server certificates, VPN certificates, WAP certificates, code signature certificates, and form signature certificates. The issuing and verification of the traditional digital certificate depends on a centralized CA organization, identity data is easy to tamper, and the problem of low processing efficiency and security of the digital certificate exists.
Disclosure of Invention
The embodiment of the invention provides a digital certificate hierarchical processing method based on a blockchain identifier, which is used for efficiently and safely carrying out hierarchical processing on a digital certificate, wherein a root certificate authority node and a plurality of super nodes form a main blockchain, and a backbone node connected with each super node and a plurality of common nodes form at least one sub-blockchain, and the method comprises the following steps:
a root certificate authority node on a main blockchain issues a super node certificate for each super node on the main blockchain according to the root certificate, and the super node certificates are stored on the main blockchain;
each super node issues a backbone node certificate to a corresponding backbone node according to the super node certificate, and the backbone node certificate is stored on the corresponding backbone node;
And each backbone node issues a common node certificate to a common node on the corresponding sub-blockchain according to the backbone node certificate, and the common node certificate is stored on the sub-blockchain.
The embodiment of the invention also provides a digital certificate hierarchical processing device based on the blockchain identifier, which is used for efficiently and safely carrying out the hierarchical processing of the digital certificate, wherein a root certificate authority node and a plurality of super nodes form a main blockchain, and a backbone node connected with each super node and a plurality of common nodes form at least one sub-blockchain, and the device comprises:
A root certificate authority node on the master blockchain for issuing a supernode certificate for each supernode on the master blockchain according to the root certificate, the supernode certificates being stored on the master blockchain;
Each super node is used for issuing a backbone node certificate for a corresponding backbone node according to the super node certificate, and the backbone node certificate is stored on the corresponding backbone node;
and each backbone node is used for issuing a common node certificate to a common node on the corresponding sub-blockchain according to the backbone node certificate, wherein the common node certificate is stored on the sub-blockchain.
The embodiment of the invention also provides computer equipment comprising a memory, a processor and a computer program stored in the memory and runnable on the processor, wherein the processor, when executing the computer program, implements the digital certificate hierarchical processing method based on the blockchain identification.
The embodiment of the invention also provides a computer readable storage medium, wherein the computer readable storage medium stores a computer program, and the computer program realizes the digital certificate hierarchical processing method based on the blockchain identification when being executed by a processor.
The embodiment of the invention also provides a computer program product, which comprises a computer program, wherein the computer program realizes the digital certificate hierarchical processing method based on the blockchain identification when being executed by a processor.
In the embodiment of the invention, based on the hierarchical processing scheme of the digital certificate of the blockchain identification, a root certificate authority node and a plurality of super nodes form a main blockchain, one backbone node and a plurality of common nodes connected with each super node form at least one sub-blockchain, and compared with the technical scheme that the issuing and verification of the traditional digital certificate in the prior art depend on a centralized CA mechanism, the identity data is easy to tamper, and the problem of low processing efficiency and security of the digital certificate exists, the method has the following advantages that: a root certificate authority node on a main blockchain issues a super node certificate for each super node on the main blockchain according to the root certificate, and the super node certificates are stored on the main blockchain; each super node issues a backbone node certificate to a corresponding backbone node according to the super node certificate, and the backbone node certificate is stored on the corresponding backbone node; each backbone node issues a common node certificate for a common node on a corresponding sub-blockchain according to the backbone node certificate, the common node certificate is stored on the sub-blockchain, and the blockchain based on a main sub-chain architecture is adopted for digital certificate identity processing, so that single chain burden can be reduced, certificate issuing and subsequent verification performances are improved, and efficient and safe hierarchical processing of the digital certificates is realized.
Drawings
In order to more clearly illustrate the embodiments of the invention or the technical solutions in the prior art, the drawings that are required in the embodiments or the description of the prior art will be briefly described, it being obvious that the drawings in the following description are only some embodiments of the invention, and that other drawings may be obtained according to these drawings without inventive effort for a person skilled in the art. In the drawings:
FIG. 1 is a schematic diagram of a digital identity structure in an embodiment of the present invention;
FIG. 2 is a schematic diagram of a prior art application and use of user credentials based on blockchain identification;
FIG. 3 is a flow chart of a hierarchical processing method for digital certificates based on blockchain identification in an embodiment of the present invention;
FIG. 4 is a schematic diagram of a digital certificate hierarchical issuing processing device based on blockchain identification in an embodiment of the present invention;
FIG. 5 is a schematic diagram of a hierarchical verification process for digital certificates based on blockchain identification in an embodiment of the present invention;
FIG. 6 is a schematic diagram of the overall flow of the digital certificate hierarchical processing based on blockchain identification in an embodiment of the invention;
FIG. 7 is a schematic diagram of a process for issuing enterprise and user certificates in an embodiment of the present invention;
FIG. 8 is a schematic diagram of an overall flow of enterprise and user certificate issuance and verification in accordance with an embodiment of the present invention.
Detailed Description
For the purpose of making the objects, technical solutions and advantages of the embodiments of the present invention more apparent, the embodiments of the present invention will be described in further detail with reference to the accompanying drawings. The exemplary embodiments of the present invention and their descriptions herein are for the purpose of explaining the present invention, but are not to be construed as limiting the invention.
Before describing embodiments of the present invention, the terms related to the present invention will be described first.
eID: Electronic Identity, citizen network electronic identity.
uPort: an open identity system of distributed network design.
WAP: Wireless Application Protocol.
VPN: Virtual Private Network.
BID: Blockchain-based Identifier, blockchain identification.
The following describes the technical problems found by the inventor and existing in the digital certificate processing and the idea of the invention.
The traditional approach employs centralized identity management. The digital certificate issuing process is generally as follows: the user first generates a key pair and sends the public key together with part of their personal identity information to the certificate authority (CA). After verifying the identity, the CA performs the steps needed to make sure the request was indeed sent by that user, and then issues the user a digital certificate containing the user's personal information and public key, together with the CA's signature. The user can then use the certificate for the activities it covers. Certificates are issued by a separate certificate-issuing authority, and different certificates may provide different levels of trustworthiness.
The traditional mode adopts a centralized identity management mode, namely, the issuing and verification of the traditional digital certificate depend on a centralized CA organization, so that the identity data is easy to tamper, and the security problem exists.
For identity authentication based on blockchain identifiers, such as eID or uPort, the process, taking the application for and use of user credentials as an example, is as shown in fig. 2:
1. The user registers an identity through a client or browser plug-in, which generates the identity.
2. The user activates the identity on the chain.
3. The user uploads identity information and applies for an identity credential.
4. The trust anchor generates the identity credential and stores it on the chain.
5. A third-party user requests authentication of the identity credential.
6. The user provides the identity credential and generates verifiable data through black-box processing.
7. The third-party user queries the chain to verify whether the identity has expired.
8. The data provided by the user is compared with the data on the chain, and identity authentication is performed.
9. The chain returns the verification result to the user and the third-party user.
Thus, in identity authentication based on blockchain identifiers, the issuance of the digital credential still relies on a centralized CA (the trust anchor), while the verification process relies on the decentralized blockchain ledger.
The existing identity authentication based on blockchain identification mostly adopts a flattened identity authentication mode, namely, all users perform identity authentication on one chain, the requirement on the performance of the chain is higher, and under the premise of certain blockchain performance, blockage is easy to occur, so that authentication time delay is large.
In view of the above technical problems, the present invention proposes a digital certificate hierarchical processing scheme based on blockchain identification, where:
1. And the blockchain based on the main and sub chain architecture is adopted for identity management, so that the burden of a single chain is reduced, and the performance of certificate issuing and verification is improved.
2. The multi-stage certificate verification mode is adopted, and the root CA burden is reduced on the premise of not reducing the credibility.
3. A decentralized root CA is combined with the centralized system: the root CA of the centralized system is placed on the blockchain, which reduces the risk of the root CA being tampered with.
The digital certificate hierarchy processing scheme based on blockchain identification is described in detail below.
Fig. 3 is a flow chart of a digital certificate hierarchical processing method based on blockchain identification in an embodiment of the present invention, where a root certificate authority node and a plurality of super nodes form a main blockchain, and a backbone node and a plurality of common nodes connected to each of the super nodes form at least one sub-blockchain, as shown in fig. 3, and the method includes the following steps:
Step 101: a root certificate authority node on a main blockchain issues a super node certificate for each super node on the main blockchain according to the root certificate, and the super node certificates are stored on the main blockchain;
step 102: each super node issues a backbone node certificate to a corresponding backbone node according to the super node certificate, and the backbone node certificate is stored on the corresponding backbone node;
Step 103: and each backbone node issues a common node certificate to a common node on the corresponding sub-blockchain according to the backbone node certificate, and the common node certificate is stored on the sub-blockchain.
In specific implementation, blockchain certificate management based on the main/sub-chain architecture is adopted: the chain contains super nodes, backbone nodes, common nodes and users, the subject of an issued certificate is a node on the chain, and the certificate issuing process mainly comprises the following steps, as shown in fig. 3:
0. Preconditions: both the certificate issuer and the certificate recipient have a user ID (BID), and the certificate issuer already holds its own certificate.
1. The root CA (root certificate authority) node on the backbone (see backbone in fig. 4, i.e., master blockchain) issues a supernode certificate to the supernode on the backbone, which is stored on the backbone, i.e., step 101 described above, corresponding to ① in fig. 4.
2. The supernode issues a next level certificate (backbone node certificate) to the backbone node, which is stored on the backbone node, step 102 described above, corresponding to ② in fig. 4.
3. The backbone node issues a next-level certificate (a common node certificate) for the node on the sub-chain, and the common node certificate is stored on the sub-chain (see the sub-chain in fig. 4, i.e. the sub-blockchain), which corresponds to ③ in fig. 4, step 103 described above.
In particular embodiments, the scheme can be extended with further levels of nodes in both directions: longitudinally, each chain can connect further chains beneath it; laterally, each chain can have more node types.
In specific implementation, the types of the digital certificates in the embodiment of the present invention may include: personal digital certificates, unit employee digital certificates, server certificates, VPN certificates, WAP certificates, code signature certificates, form signature certificates, and the like.
The digital certificate hierarchical processing method based on blockchain identification uses a blockchain with a main/sub-chain architecture for identity management, so a digital certificate can be issued on the main chain or on a sub-chain; this lightens the burden on the main chain, improves the performance of certificate issuance and subsequent verification, and realizes efficient and safe hierarchical processing of digital certificates. The method is described in detail below.
In one embodiment, the digital certificate hierarchical processing method based on the blockchain identification may further include:
receiving a verification request of a current digital certificate;
Verifying a signature of the current digital certificate issuer;
if the signature verification result shows that the issuer of the current digital certificate itself has a higher-level issuer, verifying the signature of that higher-level issuer, and so on, until the original issuer of the digital certificate is found; the original issuer is the root certificate authority node;
If the digital certificate verification from the current digital certificate issuer to the chain of the original certificate issuer is all trusted, determining that the current digital certificate is trusted.
In specific implementation, as shown in fig. 5, the verification process is illustrated with a common node certificate as the current digital certificate. A verification request for the current certificate is received; that is, the request is initiated whenever a user must be authenticated on the basis of the certificate, for example when the user logs in to a system through a common node or shops online. The signature of the current certificate's issuer is verified (here, the backbone node corresponding to the common node). If that issuer in turn has a higher-level issuer (the super node), the higher-level issuer's signature is verified, and so on until the original issuer, the root certificate authority node, is reached. If every certificate on the chain from the current certificate's issuer up to the original issuer verifies as trusted, the current (common node) certificate is determined to be trusted. The verification in fig. 5 runs in the reverse direction of the issuance in fig. 4; see the circled numbers in fig. 5 for details.
In practice, the overall flow of the blockchain identification-based digital certificate hierarchy process, i.e., issuance and verification, is shown in fig. 6.
In particular implementations, the user to whom the credentials are granted may be a personal user, an enterprise user, or a node user, wherein:
1. The node user may issue a certificate for the node user, the enterprise user, or the individual user.
2. Enterprise users may issue certificates for individual users.
3. The type of certificate issued is determined by the type of CA.
In implementation, the enterprise and user certificate issuing process may be as shown in fig. 7, and the overall enterprise and user certificate issuing and verifying process is as shown in fig. 8.
In particular implementations, the CA selection process may include:
Scheme 1-1: a single CA is deployed centrally, and no CA selection takes place;
Scheme 1-2: multiple CAs issue certificates to users by consensus, and the CA may be selected in the same way as a trust anchor is selected.
In specific implementation, a CA obtains its own certificate as follows:
1. If there is only one CA, it may use a self-signed certificate;
2. If there are multiple CAs, the other CAs issue a certificate to this CA:
1) one issuing CA may be selected at random among the other valid CAs;
2) or N of the M valid CAs are selected as the CAs that issue the certificate.
In specific implementation, the certificate content is as follows. When a CA issues a certificate to another user, the content comprises: certificate id, certificate type, certificate issuer id, issuance time, owner id, expiration date of the public key, signature date, purpose of issuance, public key identifier, and the digital signature of the issuing authority. As needed, the certificate may also include fields such as the geographic location and name of the party to whom the certificate is granted. An example is shown in table 1 below:
TABLE 1
Further preferred steps of embodiments of the present invention, namely certificate renewal and revocation steps, are described below.
1. Certificate updating
After a higher-level user certificate is updated, the next-level user certificates on the chain are updated. That is, in one embodiment, the digital certificate hierarchical processing method based on the blockchain identifier may further include: when an update of any one of the root certificate, the super node certificate, the backbone node certificate and the common node certificate is detected, the certificate one level below the updated certificate is updated. Specifically, the entity performing the detection may be the root certificate authority node, a super node, a backbone node or a common node; when it detects an update of any level of certificate among the root, super node, backbone node and common node certificates, it may send an update notification to the node one level below the current node (for example, from a backbone node to a common node) so that the next-level certificate (for example, the common node certificate) is updated. The executing entities and detailed procedures for certificate re-application and revocation below follow the same pattern as this certificate update.
If the user certificate expires and needs to be reapplied, the previous user can issue the certificate again, that is, in one embodiment, the above-mentioned digital certificate hierarchical processing method based on the blockchain identifier may further include: when detecting that any one level of the root certificate, the super node certificate, the backbone node certificate and the common node certificate is expired, re-applying the digital certificate to the issuer of the current expired certificate.
2. Certificate revocation
The user can cancel the own certificate by himself;
after the user certificate of the previous stage is revoked, the user certificate of the next stage on the chain is revoked and is required to be reapplied, that is, in one embodiment, the method for hierarchical processing of digital certificates based on blockchain identification may further include: after the user certificate of the previous stage is detected to be cancelled, user certificates of the lower stages on the current user certificate chain are cancelled and re-applied.
To facilitate an understanding of how the present invention may be implemented, the overall process of digital certificate hierarchical processing based on blockchain identification (issuance, verification, update and revocation of certificates) is described below by way of two examples.
Example 1:
1. Certificate issuance (root CA built in).
First step: the root CA issues a super node certificate for the super node, and the certificate is stored on the super node.
Second step: the super node issues a backbone node certificate for the backbone node. The backbone node certificate differs from the certificate of the level above in its content: the issuer identifier, the recipient identifier, the node type, the creator's public key and the signature. The backbone node certificate is stored on the backbone node.
Third step: the backbone node issues a common node certificate for a common node. The common node certificate likewise differs from the certificate of the level above in its issuer identifier, recipient identifier, node type, creator's public key and signature, and is stored on the common node.
2. Certificate verification.
First step: from the certificate content, the network locates the public key of the certificate issuer and the digital signature value, and verifies the signature. After the signature passes, it checks whether an upper-level certificate exists; if not, verification is complete; if so, the second step is performed. In this case the common node has an upper-level node, the backbone node, so the validity of the backbone node certificate must be verified.
Second step: from the content of the backbone node certificate, locate the public key of its issuer and the digital signature, and verify the signature value. After it passes, an upper-level certificate node exists, the super node, so the validity of the super node certificate must be verified.
Third step: from the content of the super node certificate, locate the public key of its issuer and the digital signature, verify the signature value, and after it passes, verify the validity of the root CA certificate.
Fourth step: once the root CA certificate passes verification, verification is complete.
3. Certificate update.
After the certificate of a node at an upper level is updated, the certificates of the nodes at every level below it, down to the last level, must be updated; for example, after the super node certificate is updated, the certificates of the backbone nodes and common nodes on the chain must be updated.
4. Certificate revocation.
After the certificate of a node at an upper level is revoked, the certificates of the nodes at every level below it, down to the last level, are automatically revoked; for example, after the super node certificate is revoked, the certificates of the backbone nodes and common nodes on the chain are revoked.
Example 2: issuance, verification and update of identity certificates proceed as in Example 1 above, except that the certificate type is "identity certificate".
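The issuance, multi-level verification and cascading revocation of Example 1, as an added Go example; this is not code from the patent or from the applicant, and it makes several assumptions of its own: Ed25519 from the Go standard library stands in for whatever signature scheme the patent's nodes use, an in-memory map stands in for the main chain, the backbone nodes' storage and the sub-chains, and the identifiers root-ca, super-1, backbone-1, common-1 and common-2, together with the Store, Cert and BuildExample names, are constructed for the example. It goes slightly beyond the text on two points a verifier must get right: the issuer's public key is taken from the issuer's own certificate rather than from the certificate being checked, and the walk succeeds only when the root certificate reached matches a built-in anchor, since a self-signature alone proves nothing.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
	"sort"
)

// NodeType is the holder's tier, the four levels of Example 1.
type NodeType string

const RootCA, SuperNode, BackboneNode, CommonNode NodeType = "root", "super", "backbone", "common"

// Cert holds the fields the patent lists per level: issuer identifier, recipient identifier,
// node type, the holder's (creator's) public key, and the issuer's signature over the rest.
type Cert struct {
	IssuerID, RecipientID string
	Type                  NodeType
	PubKey                ed25519.PublicKey
	Signature             []byte
}

func (c *Cert) tbs() []byte { // to-be-signed encoding: every field except the signature
	return []byte(fmt.Sprintf("%s|%s|%s|%x", c.IssuerID, c.RecipientID, c.Type, c.PubKey))
}

// Store is a constructed in-memory stand-in for main chain, backbone storage and sub-chains.
type Store struct {
	rootAnchor ed25519.PublicKey // the built-in root CA key
	certs      map[string]*Cert  // keyed by recipient identifier
	revoked    map[string]bool
}

// Issue has issuerID (holding issuerPriv) sign and record a certificate for recipientID;
// re-issuing an existing recipient with a new key is how a certificate is updated.
func (s *Store) Issue(issuerID string, issuerPriv ed25519.PrivateKey, recipientID string, t NodeType, pub ed25519.PublicKey) {
	c := &Cert{IssuerID: issuerID, RecipientID: recipientID, Type: t, PubKey: pub}
	c.Signature = ed25519.Sign(issuerPriv, c.tbs())
	s.certs[recipientID] = c
}

// Verify is the multi-level check of Example 1: check the issuer's signature with the key from the
// issuer's own certificate, step up one level, repeat until the root CA, then require the root to
// equal the built-in anchor. The loop condition rejects a chain that cycles without reaching the root.
func (s *Store) Verify(id string) error {
	for seen := map[string]bool{}; !seen[id]; id = s.certs[id].IssuerID {
		cur, ok := s.certs[id]
		if !ok || s.revoked[id] {
			return fmt.Errorf("certificate of %s is missing or revoked", id)
		}
		seen[id] = true
		issuer, ok := s.certs[cur.IssuerID]
		if !ok || !ed25519.Verify(issuer.PubKey, cur.tbs(), cur.Signature) {
			return fmt.Errorf("issuer signature on certificate of %s does not verify", id)
		}
		if cur.Type == RootCA {
			if !cur.PubKey.Equal(s.rootAnchor) {
				return fmt.Errorf("root %s is not the built-in trust anchor", id)
			}
			return nil // every link from the current certificate up to the root CA is trusted
		}
	}
	return fmt.Errorf("issuer loop at %s", id)
}

// Revoke revokes id and, as in Example 1 step 4, everything issued under it; returns all ids revoked.
func (s *Store) Revoke(id string) (done []string) {
	if !s.revoked[id] {
		s.revoked[id] = true
		done = append(done, id)
		for rid, c := range s.certs {
			if c.IssuerID == id && rid != id { // rid != id skips the self-signed root
				done = append(done, s.Revoke(rid)...)
			}
		}
		sort.Strings(done)
	}
	return done
}

// BuildExample constructs the Example 1 hierarchy with sample identifiers
// root-ca -> super-1 -> backbone-1 -> {common-1, common-2}; each node's private key is returned.
func BuildExample() (*Store, map[string]ed25519.PrivateKey) {
	s := &Store{certs: map[string]*Cert{}, revoked: map[string]bool{}}
	keys, pubs := map[string]ed25519.PrivateKey{}, map[string]ed25519.PublicKey{}
	for _, id := range []string{"root-ca", "super-1", "backbone-1", "common-1", "common-2"} {
		pubs[id], keys[id], _ = ed25519.GenerateKey(rand.Reader)
	}
	s.rootAnchor = pubs["root-ca"]
	s.Issue("root-ca", keys["root-ca"], "root-ca", RootCA, pubs["root-ca"])
	s.Issue("root-ca", keys["root-ca"], "super-1", SuperNode, pubs["super-1"])
	s.Issue("super-1", keys["super-1"], "backbone-1", BackboneNode, pubs["backbone-1"])
	s.Issue("backbone-1", keys["backbone-1"], "common-1", CommonNode, pubs["common-1"])
	s.Issue("backbone-1", keys["backbone-1"], "common-2", CommonNode, pubs["common-2"])
	return s, keys
}

func main() {
	s, keys := BuildExample()
	pub, _, _ := ed25519.GenerateKey(rand.Reader) // backbone-1 rotates its key and super-1 re-issues it
	s.Issue("super-1", keys["super-1"], "backbone-1", BackboneNode, pub)
	fmt.Println("common-1 after its issuer's update, before its own re-issue:", s.Verify("common-1"))
	fmt.Println("revoking super-1 cascades to:", s.Revoke("super-1"))
}
```

The update step of Example 1 falls out of Issue: once super-1 re-issues backbone-1 with a rotated key, common-1 stops verifying until backbone-1 re-issues it under the new key, which is exactly why the patent cascades updates down the chain.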
In summary, the digital certificate hierarchical processing method based on blockchain identification provided by the embodiment of the invention has the following beneficial technical effects:
1. A blockchain with a main-chain/sub-chain architecture is used for identity management, which reduces the load on any single chain and improves the performance of certificate issuance and verification.
2. A multi-level certificate verification mode is used, which reduces the load on the root CA without reducing trustworthiness.
3. A decentralized root CA is combined with the decentralized system: the root CA of the decentralized system resides on the blockchain, which reduces the risk of the root CA being tampered with.
The embodiment of the invention also provides a digital certificate hierarchical processing device based on the blockchain identifier, as described in the following embodiment. Because the principle by which the device solves the problem is similar to that of the digital certificate hierarchical processing method based on blockchain identification, the implementation of the device can refer to the implementation of that method, and repeated description is omitted.
A schematic structural diagram of the digital certificate hierarchical processing device based on blockchain identification in the embodiment of the invention is shown in fig. 4: a root certificate authority node (CA in fig. 4) and a plurality of super nodes form a main blockchain, and the backbone node connected to each super node together with a plurality of common nodes (the nodes on the sub-chain in fig. 4) form at least one sub-blockchain. As shown in fig. 4, the device comprises:
a root certificate authority node on the main blockchain, for issuing a super node certificate for each super node on the main blockchain according to the root certificate, the super node certificates being stored on the main blockchain;
each super node, for issuing a backbone node certificate for the corresponding backbone node according to the super node certificate, the backbone node certificate being stored on the corresponding backbone node;
and each backbone node, for issuing a common node certificate to a common node on the corresponding sub-blockchain according to the backbone node certificate, the common node certificate being stored on the sub-blockchain.
In one embodiment, the root certificate authority node, super node, backbone node or common node may also be used for:
receiving a verification request for a current digital certificate;
verifying the signature of the issuer of the current digital certificate;
if, according to the result of verifying the issuer's signature, it is determined that the current digital certificate has an upper-level issuer, verifying the signature of the upper-level issuer, and repeating until the original issuer of the digital certificate is found, the original certificate issuer being a root certificate authority node;
if every digital certificate verification along the chain from the issuer of the current digital certificate to the original certificate issuer is trusted, determining that the current digital certificate is trusted.
The acquisition, storage, use and processing of data in the technical solution of the present application all comply with the relevant provisions of national laws and regulations.
The embodiment of the invention also provides computer equipment comprising a memory, a processor and a computer program stored on the memory and capable of running on the processor, wherein the digital certificate hierarchical processing method based on the blockchain identification is implemented when the processor executes the computer program.
The embodiment of the invention also provides a computer readable storage medium, wherein the computer readable storage medium stores a computer program, and the computer program realizes the digital certificate hierarchical processing method based on the blockchain identification when being executed by a processor.
The embodiment of the invention also provides a computer program product, which comprises a computer program, wherein the computer program realizes the digital certificate hierarchical processing method based on the blockchain identification when being executed by a processor.
In the embodiment of the invention, in the hierarchical processing scheme for digital certificates based on blockchain identification, a root certificate authority node and a plurality of super nodes form a main blockchain, and the backbone node connected to each super node together with a plurality of common nodes form at least one sub-blockchain. Compared with the prior art, in which the issuance and verification of traditional digital certificates depend on a centralized CA, identity data is easy to tamper with, and the processing efficiency and security of digital certificates are low, the scheme proceeds as follows: a root certificate authority node on the main blockchain issues a super node certificate for each super node on the main blockchain according to the root certificate, and the super node certificates are stored on the main blockchain; each super node issues a backbone node certificate to the corresponding backbone node according to the super node certificate, and the backbone node certificate is stored on the corresponding backbone node; each backbone node issues a common node certificate for a common node on the corresponding sub-blockchain according to the backbone node certificate, and the common node certificate is stored on the sub-blockchain. Using a blockchain with a main-chain/sub-chain architecture for digital certificate identity processing reduces the load on any single chain, improves the performance of certificate issuance and subsequent verification, and achieves efficient and secure hierarchical processing of digital certificates.
It will be appreciated by those skilled in the art that embodiments of the present invention may be provided as a method, system, or computer program product. Accordingly, the present invention may take the form of an entirely hardware embodiment, an entirely software embodiment or an embodiment combining software and hardware aspects. Furthermore, the present invention may take the form of a computer program product embodied on one or more computer-usable storage media (including, but not limited to, disk storage, CD-ROM, optical storage, and the like) having computer-usable program code embodied therein.
The present invention is described with reference to flowchart illustrations and/or block diagrams of methods, apparatus (systems) and computer program products according to embodiments of the invention. It will be understood that each flow and/or block of the flowchart illustrations and/or block diagrams, and combinations of flows and/or blocks in the flowchart illustrations and/or block diagrams, can be implemented by computer program instructions. These computer program instructions may be provided to a processor of a general purpose computer, special purpose computer, embedded processor, or other programmable data processing apparatus to produce a machine, such that the instructions, which execute via the processor of the computer or other programmable data processing apparatus, create means for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be stored in a computer-readable memory that can direct a computer or other programmable data processing apparatus to function in a particular manner, such that the instructions stored in the computer-readable memory produce an article of manufacture including instruction means which implement the function specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be loaded onto a computer or other programmable data processing apparatus to cause a series of operational steps to be performed on the computer or other programmable apparatus to produce a computer implemented process such that the instructions which execute on the computer or other programmable apparatus provide steps for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
The foregoing description of the embodiments is provided to illustrate the general principles of the invention and is not intended to limit its scope; any modifications, equivalents, improvements and the like that fall within the spirit and principles of the invention are intended to be included within its scope.

Claims (10)

1. A digital certificate hierarchical processing method based on blockchain identification, characterized in that a root certificate authority node and a plurality of super nodes form a main blockchain, and the backbone node connected to each super node together with a plurality of common nodes form at least one sub-blockchain, the digital certificate hierarchical processing method based on blockchain identification comprising the following steps:
a root certificate authority node on the main blockchain issues a super node certificate for each super node on the main blockchain according to the root certificate, and the super node certificates are stored on the main blockchain;
each super node issues a backbone node certificate to the corresponding backbone node according to the super node certificate, and the backbone node certificate is stored on the corresponding backbone node;
each backbone node issues a common node certificate to a common node on the corresponding sub-blockchain according to the backbone node certificate, and the common node certificate is stored on the sub-blockchain;
wherein the process of selecting the root certificate authority (CA) comprises:
a single CA is deployed centrally, in which case no CA selection takes place;
a plurality of CAs issue certificates to users through consensus, and the CA selection mode may use the selection mode of a trust anchor;
the CA obtains its own certificate as follows:
if only one CA exists, a self-signed certificate may be used;
if multiple CAs exist, the other CAs issue a certificate to the CA:
one issuing CA may be selected at random among the other valid CAs;
or N among M valid CAs are selected as the CAs that issue the certificate.
2. The blockchain identification-based digital certificate hierarchy processing method of claim 1, further comprising:
receiving a verification request for a current digital certificate;
verifying the signature of the issuer of the current digital certificate;
if, according to the result of verifying the issuer's signature, it is determined that the current digital certificate has an upper-level issuer, verifying the signature of the upper-level issuer, and repeating until the original issuer of the digital certificate is found, the original certificate issuer being a root certificate authority node;
if every digital certificate verification along the chain from the issuer of the current digital certificate to the original certificate issuer is trusted, determining that the current digital certificate is trusted.
3. The blockchain identification-based digital certificate hierarchy processing method of claim 1, further comprising: when any one level of the root certificate, the super node certificate, the backbone node certificate and the common node certificate is detected to update the certificate, the next-level certificate of the current updated certificate is updated.
4. The blockchain identification-based digital certificate hierarchy processing method of claim 1, further comprising: when detecting that any one level of the root certificate, the super node certificate, the backbone node certificate and the common node certificate is expired, re-applying the digital certificate to the issuer of the current expired certificate.
5. The blockchain identification-based digital certificate hierarchy processing method of claim 1, further comprising: after the user certificate of the previous stage is detected to be cancelled, user certificates of the lower stages on the current user certificate chain are cancelled and re-applied.
6. A digital certificate hierarchical processing device based on blockchain identification, characterized in that a root certificate authority node and a plurality of super nodes form a main blockchain, and the backbone node connected to each super node together with a plurality of common nodes form at least one sub-blockchain, the digital certificate hierarchical processing device based on blockchain identification comprising:
a root certificate authority node on the main blockchain, for issuing a super node certificate for each super node on the main blockchain according to the root certificate, the super node certificates being stored on the main blockchain;
each super node, for issuing a backbone node certificate for the corresponding backbone node according to the super node certificate, the backbone node certificate being stored on the corresponding backbone node;
each backbone node, for issuing a common node certificate for a common node on the corresponding sub-blockchain according to the backbone node certificate, the common node certificate being stored on the sub-blockchain;
wherein the process of selecting the root certificate authority (CA) comprises:
a single CA is deployed centrally, in which case no CA selection takes place;
a plurality of CAs issue certificates to users through consensus, and the CA selection mode may use the selection mode of a trust anchor;
the CA obtains its own certificate as follows:
if only one CA exists, a self-signed certificate may be used;
if multiple CAs exist, the other CAs issue a certificate to the CA:
one issuing CA may be selected at random among the other valid CAs;
or N among M valid CAs are selected as the CAs that issue the certificate.
7. The blockchain identification-based digital certificate hierarchical processing device of claim 6, wherein the root certificate authority node, super node, backbone node or common node is further configured for:
receiving a verification request for a current digital certificate;
verifying the signature of the issuer of the current digital certificate;
if, according to the result of verifying the issuer's signature, it is determined that the current digital certificate has an upper-level issuer, verifying the signature of the upper-level issuer, and repeating until the original issuer of the digital certificate is found, the original certificate issuer being a root certificate authority node;
if every digital certificate verification along the chain from the issuer of the current digital certificate to the original certificate issuer is trusted, determining that the current digital certificate is trusted.
8. A computer device comprising a memory, a processor and a computer program stored on the memory and executable on the processor, characterized in that the processor implements the method of any of claims 1 to 5 when executing the computer program.
9. A computer readable storage medium, characterized in that the computer readable storage medium stores a computer program which, when executed by a processor, implements the method of any of claims 1 to 5.
10. A computer program product, characterized in that the computer program product comprises a computer program which, when executed by a processor, implements the method of any of claims 1 to 5.
CN202111506912.2A 2021-12-10 2021-12-10 Digital certificate hierarchical processing method and device based on blockchain identification Active CN114189341B (en)

Publications (2)

Publication Number Publication Date
CN114189341A CN114189341A (en) 2022-03-15
CN114189341B true CN114189341B (en) 2024-08-23
