Authentication method, related device and system and computer readable storage medium

Document No.: 1616996. Publication date: 2020-01-10. Original language: Chinese.

Reading note: this technology, "Authentication method, related device and system and computer readable storage medium" (认证方法、相关设备和系统及计算机可读存储介质), was designed and created by 王帅, 金华敏, 汪来富, 刘国荣, 刘东鑫 and 沈军 on 2018-07-03. Its main content is as follows: the disclosure provides an authentication method, a related device and system, and a computer-readable storage medium, relating to the field of network information security. A client generates a key pair consisting of a public key and a private key together with electronic identity information capable of identifying the user; it then issues a first certificate to the electronic identity information, signs the first certificate with the private key of the key pair, and uses the first certificate and the signed first certificate to authenticate to and access a first network application. In this authentication scheme the user's identity information is not exposed to the outside, the user's identity is well hidden, and potential security hazards are reduced. Information such as the certificate and the public key is issued to a federation blockchain, so no dedicated hardware device is needed to store it, which lowers the cost of issuing the information. The network application completes the identity authentication of the user by means of the federation blockchain; because the federation blockchain is decentralized, the authentication bottleneck caused by a single point of failure is avoided.

1. An authentication method, comprising:

the client generates a key pair consisting of a public key and a private key and electronic identity information capable of identifying the identity of a user;

the client issues a first certificate to the electronic identity information and signs the first certificate with the private key of the key pair;

the client issues the signed first certificate and the public key in the key pair to a federation blockchain, so that a first network application joining the federation blockchain can acquire the signed first certificate issued by the client and the public key in the key pair from the federation blockchain;

the client submits an access request to the first network application, the access request carrying the first certificate and the signed first certificate, so that the first network application can decrypt the signed first certificate carried in the access request with the public key of the key pair and, if the certificate obtained by decryption is consistent with the first certificate carried in the access request, regard the client as having passed authentication;

and the client receives an authentication result returned by the first network application.

2. The method of claim 1, further comprising:

the client acquires a second certificate signed and issued by at least one authority to the electronic identity information, and signs the second certificate by using a private key in the key pair;

the client issues the signed second certificate and the public key in the key pair to a federation blockchain, so that a second network application joining the federation blockchain can acquire the signed second certificate issued by the client and the public key in the key pair from the federation blockchain;

the client submits an access request to the second network application, the access request carrying the second certificate and the signed second certificate, so that the second network application can decrypt the signed second certificate carried in the access request with the public key of the key pair and, if the certificate obtained by decryption is consistent with the second certificate carried in the access request, regard the client as having passed authentication;

and the client receives an authentication result returned by the second network application.

3. The method of claim 2, wherein different levels of authority issue second certificates of different security levels for the electronic identity information.

4. The method of claim 3, wherein,

the security level of the certificate carried by the access request is determined according to the level of the network application that the user intends to access through the client, or according to the level of the network service that the user wants to obtain from that network application.

5. The method of claim 1 or 2,

the federation blockchain comprises a full node and a local node;

the signed certificate and the public key of the key pair are issued to the full node of the federation blockchain, and the full node prevents the issued information from being tampered with through the accounting and consensus mechanism of blockchain technology;

and the network application joins the federation blockchain as a local node and acquires the information issued by the client from the full node.

6. An authentication method, comprising:

a full node in a federation blockchain receives a certificate and a public key of a key pair issued by a client, wherein the certificate comprises at least one of a first certificate issued by the client to electronic identity information capable of identifying the user's identity and a second certificate issued by an authority to the electronic identity information;

the full node in the federation blockchain synchronizes the certificate and the public key of the key pair to the network application that has joined the federation blockchain as a local node;

the local node in the federation blockchain receives an access request submitted by the client, wherein the access request carries the certificate and the certificate signed with the private key of the key pair;

the local node in the federation blockchain decrypts the signed certificate carried in the access request with the public key of the key pair, and if the decrypted certificate is consistent with the certificate carried in the access request, the client is considered to have passed authentication;

and the local node in the federation blockchain returns the authentication result to the client.

7. The method of claim 6, wherein different levels of authority issue second certificates of different security levels for the electronic identity information;

the security level of the certificate carried by the access request is determined according to the level of the network application that the user intends to access through the client, or according to the level of the network service that the user wants to obtain from that network application.

8. A client for authentication, comprising:

an electronic identity generation module, configured to generate a key pair consisting of a public key and a private key and electronic identity information capable of identifying the identity of a user;

a certificate self-issuing module, configured to issue a first certificate to the electronic identity information;

a signature module, configured to sign the first certificate using the private key of the key pair;

an issuing module, configured to issue the signed first certificate and the public key of the key pair to a federation blockchain, so that a first network application joining the federation blockchain can obtain, from the federation blockchain, the signed first certificate and the public key of the key pair issued by the client;

and an access module, configured to submit an access request to the first network application and receive an authentication result returned by the first network application, wherein the access request carries the first certificate and the signed first certificate, so that the first network application decrypts the signed first certificate carried in the access request with the public key of the key pair and, if the decrypted certificate is consistent with the first certificate carried in the access request, considers the client to have passed authentication.

9. The client of claim 8, further comprising:

a certificate application module, configured to acquire a second certificate issued by at least one authority to the electronic identity information;

the signature module is further configured to sign the second certificate using a private key of the key pair;

the issuing module is further configured to issue the signed second certificate and the public key in the key pair to a federation blockchain, so that a second network application joining the federation blockchain can obtain the signed second certificate and the public key in the key pair issued by the client from the federation blockchain;

the access module is further configured to submit an access request to the second network application, and receive an authentication result returned by the second network application, where the access request carries a second certificate and the signed second certificate, so that the second network application decrypts the signed second certificate carried in the access request by using the public key in the key pair, and if the decrypted certificate is consistent with the second certificate carried in the access request, the client is considered to pass authentication.

10. The client of claim 9, wherein,

the security level of the certificate carried by the access request is determined according to the level of the network application that the user intends to access through the client, or according to the level of the network service that the user wants to obtain from that network application.

11. A client for authentication, comprising:

a memory; and

a processor coupled to the memory, the processor configured to perform the authentication method of any of claims 1-5 based on instructions stored in the memory.

12. A federation blockchain for authentication, comprising: full nodes and local nodes;

the full node is configured to receive a certificate and a public key of a key pair issued by a client, wherein the certificate comprises at least one of a first certificate issued by the client to electronic identity information capable of identifying the user's identity and a second certificate issued by an authority to the electronic identity information, and to synchronize the certificate and the public key of the key pair to the network application that has joined the federation blockchain as a local node;

the local node is configured to receive an access request submitted by the client, wherein the access request carries the certificate and the certificate signed with the private key of the key pair; to decrypt the signed certificate carried in the access request with the public key of the key pair and, if the certificate obtained by decryption is consistent with the certificate carried in the access request, consider the client to have passed authentication; and to return the authentication result to the client.

13. A federation blockchain as claimed in claim 12, wherein a full node comprises:

an authentication chain module, configured to receive and store a certificate and a public key of a key pair issued by a client, wherein the certificate comprises at least one of a first certificate issued by the client to electronic identity information capable of identifying the user's identity and a second certificate issued by an authority to the electronic identity information, and to synchronize the certificate and the public key of the key pair to the network application that has joined the federation blockchain as a local node;

an accounting module, configured to implement the accounting function of blockchain technology;

and a consensus module, configured to implement the consensus function of blockchain technology.

14. A federation blockchain as claimed in claim 12, wherein a local node comprises:

an authentication chain module, configured to acquire and store the certificate and the public key of the key pair synchronized from the full node;

and an authentication module, configured to receive an access request submitted by a client, wherein the access request carries the certificate and the certificate signed with the private key of the key pair; to decrypt the signed certificate carried in the access request with the public key of the key pair and, if the certificate obtained by decryption is consistent with the certificate carried in the access request, consider the client to have passed authentication; and to return the authentication result to the client.

15. A federation blockchain for authentication, comprising:

a memory; and

a processor coupled to the memory, the processor configured to perform the authentication method of any of claims 6-7 based on instructions stored in the memory.

16. An authentication system comprising:

the client of any one of claims 8-11;

and

a federation blockchain as claimed in any one of claims 12 to 15.

17. A computer-readable storage medium, on which a computer program is stored which, when being executed by a processor, carries out the steps of the authentication method of any one of claims 1 to 7.

Technical Field

The present disclosure relates to the field of network information security, and in particular, to an authentication method, a related device and system, and a computer-readable storage medium.

Background

The user submits personal identity information to an authority, and the authority generates a network identity for the user based on that information. When accessing a network application, the user submits this network identity to the network application. The network application then requests the authority to verify the authenticity and validity of the user's network identity. If the network identity is verified, the network application assigns an application identifier for that network identity to the user, and the user may access the network application with this application identifier.

Disclosure of Invention

The inventor finds that in the related authentication scheme the identity information of the user is still exposed to the outside, so the user's identity is insufficiently hidden and potential security hazards exist.

According to an aspect of the present disclosure, there is provided an authentication method, including:

the client generates a key pair consisting of a public key and a private key and electronic identity information capable of identifying the identity of a user;

the client issues a first certificate to the electronic identity information and signs the first certificate with the private key of the key pair;

the client issues the signed first certificate and the public key in the key pair to a federation blockchain, so that a first network application joining the federation blockchain can acquire the signed first certificate issued by the client and the public key in the key pair from the federation blockchain;

the client submits an access request to the first network application, the access request carrying the first certificate and the signed first certificate, so that the first network application can decrypt the signed first certificate carried in the access request with the public key of the key pair and, if the certificate obtained by decryption is consistent with the first certificate carried in the access request, regard the client as having passed authentication;

and the client receives an authentication result returned by the first network application.

Optionally, the method further comprises:

the client acquires a second certificate signed and issued by at least one authority to the electronic identity information, and signs the second certificate by using a private key in the key pair;

the client issues the signed second certificate and the public key in the key pair to a federation blockchain, so that a second network application joining the federation blockchain can acquire the signed second certificate issued by the client and the public key in the key pair from the federation blockchain;

the client submits an access request to the second network application, the access request carrying the second certificate and the signed second certificate, so that the second network application can decrypt the signed second certificate carried in the access request with the public key of the key pair and, if the certificate obtained by decryption is consistent with the second certificate carried in the access request, regard the client as having passed authentication;

and the client receives an authentication result returned by the second network application.

Optionally, different levels of authorities issue second certificates with different security levels to the electronic identity information.

Optionally, the security level of the certificate carried by the access request is determined according to the level of the network application that the user intends to access through the client, or according to the level of the network service that the user wants to obtain from that network application.

Optionally, the federation blockchain includes a full node and a local node;

the signed certificate and the public key of the key pair are issued to the full node of the federation blockchain, and the full node prevents the issued information from being tampered with through the accounting and consensus mechanism of blockchain technology;

and the network application joins the federation blockchain as a local node and acquires the information issued by the client from the full node.

According to still another aspect of the present disclosure, there is provided an authentication method including:

a full node in a federation blockchain receives a certificate and a public key of a key pair issued by a client, wherein the certificate comprises at least one of a first certificate issued by the client to electronic identity information capable of identifying the user's identity and a second certificate issued by an authority to the electronic identity information;

the full node in the federation blockchain synchronizes the certificate and the public key of the key pair to the network application that has joined the federation blockchain as a local node;

the local node in the federation blockchain receives an access request submitted by the client, wherein the access request carries the certificate and the certificate signed with the private key of the key pair;

the local node in the federation blockchain decrypts the signed certificate carried in the access request with the public key of the key pair, and if the decrypted certificate is consistent with the certificate carried in the access request, the client is considered to have passed authentication;

and the local node in the federation blockchain returns the authentication result to the client.

Optionally, different levels of authorities issue second certificates of different security levels to the electronic identity information;

the security level of the certificate carried by the access request is determined according to the level of the network application that the user intends to access through the client, or according to the level of the network service that the user wants to obtain from that network application.

According to yet another aspect of the present disclosure, a client for authentication is provided, including:

an electronic identity generation module, configured to generate a key pair consisting of a public key and a private key and electronic identity information capable of identifying the identity of a user;

a certificate self-issuing module, configured to issue a first certificate to the electronic identity information;

a signature module, configured to sign the first certificate using the private key of the key pair;

an issuing module, configured to issue the signed first certificate and the public key of the key pair to a federation blockchain, so that a first network application joining the federation blockchain can obtain, from the federation blockchain, the signed first certificate and the public key of the key pair issued by the client;

and an access module, configured to submit an access request to the first network application and receive an authentication result returned by the first network application, wherein the access request carries the first certificate and the signed first certificate, so that the first network application decrypts the signed first certificate carried in the access request with the public key of the key pair and, if the decrypted certificate is consistent with the first certificate carried in the access request, considers the client to have passed authentication.

Optionally, the client further includes:

a certificate application module, configured to acquire a second certificate issued by at least one authority to the electronic identity information;

the signature module is further configured to sign the second certificate using a private key of the key pair;

the issuing module is further configured to issue the signed second certificate and the public key in the key pair to a federation blockchain, so that a second network application joining the federation blockchain can obtain the signed second certificate and the public key in the key pair issued by the client from the federation blockchain;

the access module is further configured to submit an access request to the second network application, and receive an authentication result returned by the second network application, where the access request carries a second certificate and the signed second certificate, so that the second network application decrypts the signed second certificate carried in the access request by using the public key in the key pair, and if the decrypted certificate is consistent with the second certificate carried in the access request, the client is considered to pass authentication.

Optionally, the security level of the certificate carried by the access request is determined according to the level of the network application that the user intends to access through the client, or according to the level of the network service that the user wants to obtain from that network application.

According to yet another aspect of the present disclosure, a client for authentication is provided, including:

a memory; and

a processor coupled to the memory, the processor configured to perform any of the aforementioned authentication methods based on instructions stored in the memory.

According to yet another aspect of the present disclosure, a federation blockchain for authentication is presented, comprising: full nodes and local nodes;

the full node is configured to receive a certificate and a public key of a key pair issued by a client, wherein the certificate comprises at least one of a first certificate issued by the client to electronic identity information capable of identifying the user's identity and a second certificate issued by an authority to the electronic identity information, and to synchronize the certificate and the public key of the key pair to the network application that has joined the federation blockchain as a local node;

the local node is configured to receive an access request submitted by the client, wherein the access request carries the certificate and the certificate signed with the private key of the key pair; to decrypt the signed certificate carried in the access request with the public key of the key pair and, if the certificate obtained by decryption is consistent with the certificate carried in the access request, consider the client to have passed authentication; and to return the authentication result to the client.

Optionally, the full node comprises:

an authentication chain module, configured to receive and store a certificate and a public key of a key pair issued by a client, wherein the certificate comprises at least one of a first certificate issued by the client to electronic identity information capable of identifying the user's identity and a second certificate issued by an authority to the electronic identity information, and to synchronize the certificate and the public key of the key pair to the network application that has joined the federation blockchain as a local node;

an accounting module, configured to implement the accounting function of blockchain technology;

and a consensus module, configured to implement the consensus function of blockchain technology.

Optionally, the local node comprises:

an authentication chain module, configured to acquire and store the certificate and the public key of the key pair synchronized from the full node;

and an authentication module, configured to receive an access request submitted by a client, wherein the access request carries the certificate and the certificate signed with the private key of the key pair; to decrypt the signed certificate carried in the access request with the public key of the key pair and, if the certificate obtained by decryption is consistent with the certificate carried in the access request, consider the client to have passed authentication; and to return the authentication result to the client.

According to yet another aspect of the present disclosure, a federation blockchain for authentication is presented, comprising:

a memory; and

a processor coupled to the memory, the processor configured to perform any of the aforementioned authentication methods based on instructions stored in the memory.

According to yet another aspect of the present disclosure, there is provided an authentication system including:

any of the foregoing clients;

and

any of the aforementioned federation blockchains.

According to yet another aspect of the disclosure, a computer-readable storage medium is proposed, on which a computer program is stored which, when being executed by a processor, carries out the steps of any of the aforementioned authentication methods.

In the authentication scheme, the identity information of the user cannot be exposed to the outside, the hiding degree of the identity of the user is good, and potential safety hazards are reduced.

Moreover, information such as the certificate and the public key is issued to the federation blockchain, so dedicated hardware such as a USB Key is not needed to store it, which reduces the cost of issuing the information. The federation blockchain is tamper-resistant, so the security of the information issued to it can be guaranteed.

Moreover, the network application completes the identity authentication of the user by means of the federation blockchain; because the federation blockchain is decentralized, the authentication bottleneck caused by a single point of failure is avoided. In the related technology, the network application completes the identity authentication of the user by means of the authority, and the authority is a single point of failure that easily becomes an authentication bottleneck.

In addition, the method and the system also realize multi-level identity authentication, and a user can perform identity authentication of corresponding security levels according to business requirements.

Drawings

The drawings used in the description of the embodiments or the related art will be briefly described below. The present disclosure will be more clearly understood from the following detailed description, which proceeds with reference to the accompanying drawings. It is to be understood that the drawings in the following description are merely exemplary of the disclosure, and that other drawings may be derived from them by one of ordinary skill in the art without inventive effort.

Fig. 1 is a flow diagram illustrating some embodiments of an authentication method of the present disclosure.

Fig. 2 is a flow diagram illustrating additional embodiments of an authentication method according to the present disclosure.

Fig. 3 is a schematic diagram of some embodiments of an authentication system 300 of the present disclosure.

Fig. 4 is a schematic block diagram of some embodiments of the client 310 of the present disclosure.

Fig. 5 is a schematic structural diagram of another embodiment of the client 310 according to the present disclosure.

Fig. 6 is a block diagram illustrating the structure of some embodiments of federation block chain 320 of the present disclosure.

Fig. 7 is a block diagram illustrating further embodiments of federation block chains 320 of the present disclosure.

Detailed Description

The technical solutions in the embodiments of the present disclosure will be clearly and completely described below with reference to the drawings in the embodiments of the present disclosure.

The descriptions of "first", "second", etc. in this disclosure are used only to distinguish different objects, and are not used to indicate the meaning of size or timing, etc.

Fig. 1 is a flow diagram illustrating some embodiments of an authentication method of the present disclosure.

As shown in fig. 1, the method of this embodiment includes steps 110 to 170.

In step 110, the client generates a key pair consisting of a public key and a private key and electronic identity information capable of identifying the identity of the user.

The generation method of the key pair and the electronic identity information can refer to the prior art, and the specific generation method is not limited by the disclosure.

As an example, the electronic identity information is computed, for instance with a base64 algorithm, from the user's personal identity information and a random number; optionally, the electronic identity information may be signed with the private key. The electronic identity information does not contain the user's personal identity information, and the personal identity information cannot be derived from it.

At step 120, the client issues a first certificate to the electronic identity information and signs the first certificate using a private key of the key pair.

In some embodiments, the client may generate a plurality of electronic identity information, issue one first certificate for each electronic identity information, and thereby issue a plurality of first certificates.

In step 130, the client issues the signed first certificate and the public key of the key pair to the federation blockchain.

The federation blockchain includes a full node and a local node. The signed certificate and the public key of the key pair are issued to the full node of the federation blockchain, and the full node prevents the issued information from being tampered with through the accounting and consensus mechanism of blockchain technology. The network application joins the federation blockchain as a local node and can obtain the information issued by the client from the full node.

At step 140, the first network application joining the federation blockchain can obtain, from the federation blockchain, the signed first certificate and the public key of the key pair issued by the client.

In some embodiments, the first network application joins the federation blockchain as a local node, and may obtain information such as a client-issued certificate and public key from the full node.

In step 150, the client submits an access request to the first network application, wherein the access request carries the first certificate and the signed first certificate.

In step 160, the first network application decrypts the signed first certificate carried in the access request using the public key of the key pair. If the certificate obtained by decryption matches the first certificate carried in the access request, the client is considered to have passed authentication; if it does not match, authentication is considered to have failed. The first network application returns the authentication result (for example, pass or fail) to the client.

In addition, when the certificate obtained by decryption matches the first certificate carried in the access request, the first network application may further check the legitimacy of the issuing authority of the first certificate. Only if that check also succeeds is the client considered to have passed authentication; if the decrypted certificate does not match the first certificate carried in the access request, or the issuing authority of the first certificate is illegitimate, authentication is considered to have failed.

In step 170, the client receives the authentication result returned by the first network application. If the authentication is passed, the client may access the first network application. If the authentication fails, the client's access may be denied by the first network application.

In the authentication scheme of this embodiment, the user's identity information is not exposed to the outside, the user's identity is well concealed, and potential security risks are reduced.

Moreover, information such as the certificate and the public key is issued to the federation blockchain, so no special hardware such as a USB Key is needed to store it, which reduces the cost of issuing the information. The federation blockchain is tamper-resistant, which guarantees the security of the information issued to it.

Moreover, the network application completes the identity authentication of the user by means of the federation blockchain, which is decentralized, so the authentication bottleneck caused by a single point of failure is avoided. In the related art, the network application completes the identity authentication of the user by means of an authority, and the authority is a single point of failure that easily becomes an authentication bottleneck.

Fig. 2 is a flow diagram illustrating additional embodiments of an authentication method according to the present disclosure.

As shown in fig. 2, the method of this embodiment includes steps 210 to 270.

In step 210, the client generates a key pair consisting of a public key and a private key and electronic identity information capable of identifying the identity of the user.

In step 220, the client obtains a second certificate issued by at least one authority to the electronic identity information, and signs the second certificate by using a private key in the key pair.

For example, the client submits to an authority the electronic identity information, the public key corresponding to the private key used when generating the electronic identity information, and the user's personal identity information. The authority verifies the submitted information: it verifies the submitted electronic identity information using the public key and checks the user's personal identity information, and once these checks pass it issues a second certificate for the electronic identity information.

Authorities of different levels issue second certificates of different security levels for the electronic identity information, so the client may obtain second certificates of different security levels from authorities of different levels.

For example, the authority may be a national public security agency, a bank, an operator, and the like. Generally, a national public security agency ranks higher than a bank or an operator, so a certificate it issues has a higher security level than one issued by a bank or an operator. The client may therefore obtain second certificates of different security levels from a national public security agency, a bank, an operator, etc.

In step 230, the client issues the signed second certificate and the public key of the key pair to the federation blockchain.

The federation blockchain includes full nodes and local nodes. The signed certificate and the public key of the key pair are issued to the full nodes of the federation blockchain, and the full nodes use the accounting and consensus mechanisms of blockchain technology to prevent the issued information from being tampered with. A network application joins the federation blockchain as a local node and can obtain the information issued by the client from the full nodes.

At step 240, the second network application joining the federation blockchain can obtain the signed second certificate and the public key of the key pair issued by the client from the federation blockchain.

In some embodiments, the second network application joins the federation blockchain as a local node, and may obtain information such as a client-issued certificate and public key from the full node.

In step 250, the client submits an access request to the second network application, wherein the access request carries the second certificate and the signed second certificate.

In step 260, the second network application decrypts the signed second certificate carried in the access request using the public key of the key pair. If the certificate obtained by decryption matches the second certificate carried in the access request, the client is considered to have passed authentication; if it does not match, authentication is considered to have failed. The second network application returns the authentication result (for example, pass or fail) to the client.

In addition, when the certificate obtained by decryption matches the second certificate carried in the access request, the second network application may further check the legitimacy of the issuing authority of the second certificate. Only if that check also succeeds is the client considered to have passed authentication; if the decrypted certificate does not match the second certificate carried in the access request, or the issuing authority of the second certificate is illegitimate, authentication is considered to have failed.

In step 270, the client receives the authentication result returned by the second network application. If the authentication is passed, the client may access the second network application. If the authentication fails, the client's access may be denied by the second network application.

In the authentication scheme of this embodiment, the user's identity information is not exposed to the outside, the user's identity is well concealed, and potential security risks are reduced.

Moreover, information such as the certificate and the public key is issued to the federation blockchain, so no special hardware such as a USB Key is needed to store it, which reduces the cost of issuing the information. The federation blockchain is tamper-resistant, which guarantees the security of the information issued to it.

Moreover, the network application completes the identity authentication of the user by means of the federation blockchain, which is decentralized, so the authentication bottleneck caused by a single point of failure is avoided. In the related art, the network application completes the identity authentication of the user by means of an authority, and the authority is a single point of failure that easily becomes an authentication bottleneck.

The embodiments shown in fig. 1 and fig. 2 cover both the certificate self-issued by the client and certificates issued by authorities, including certificates issued by authorities of different levels, and these certificates have different security levels. Generally speaking, the security level of the client's self-issued certificate is lower than that of a certificate issued by an authority, and a certificate issued by a high-level authority (e.g., a national security agency) has a higher security level than one issued by a low-level authority (e.g., a bank). Multi-level identity authentication can thus be realized on the basis of certificates with different security levels, and the user can authenticate at the security level that the service requires.

In some embodiments, the security level of the credential carried by the access request may be determined according to the level of the web application that the user wants to access through the client. For example, assuming that the first web application is a low-level web application, the user, via the client, may choose to access the first web application using the self-issued first certificate. Assuming that the second network application is a high-level network application, the user accesses the second network application through the client by using the second certificate issued by the authority.

In some embodiments, the security level of the certificate carried by the access request may be determined according to the level of network service that the user wishes to obtain, through the client, from the network application to be accessed. For example, the first network application may provide different levels of network service according to the security level of the certificate, and the client submits to the first network application a certificate of the security level corresponding to the network service the user wishes to obtain.
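The flows of fig. 1 (steps 110 to 170) and fig. 2 (steps 210 to 270), together with the multi-level selection just described, as an added example that is not part of the original disclosure. It is written in Go against the standard library's Ed25519. Everything not named in the text is an assumption of the example: the certificate layout, the issuer names "self" and "bank", an in-memory map standing in for the federation blockchain's full node, and a fixed list of trusted authority keys held by each network application. Three points differ deliberately from the text's wording: Ed25519 signature verification replaces "decrypt with the public key and compare", which is what that phrase means for a signature scheme; the ledger keeps only the client's public key, the part of the published record the verification step actually uses; and the electronic identity is hashed with SHA-256 before base64 encoding, because base64 alone is an encoding that can be decoded back to the personal information.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/hex"
	"errors"
	"fmt"
)

// Security levels ranked as the text ranks issuers: self-issued < bank/operator < national agency.
const LevelSelf, LevelBank, LevelNational = 0, 1, 2

// Certificate binds an electronic identity (EID) to an issuer and a level; the layout is assumed.
type Certificate struct {
	EID, Issuer string // Issuer is "self" for the client-issued first certificate
	Level       int
	IssuerSig   []byte // issuer's signature over tbs()
}

// tbs is the byte string that both the issuer and the client sign.
func (c Certificate) tbs() []byte { return []byte(fmt.Sprintf("%s|%s|%d", c.EID, c.Issuer, c.Level)) }

// Ledger stands in for the full node (steps 130/230): hex-encoded client public key -> key,
// append-only like the chain. Only the key is kept here, as that is what verification uses.
type Ledger map[string]ed25519.PublicKey

func (l Ledger) Publish(pub ed25519.PublicKey) error {
	id := hex.EncodeToString(pub)
	if _, dup := l[id]; dup {
		return errors.New("ledger: a record for this key already exists")
	}
	l[id] = pub
	return nil
}

// NewEID derives the electronic identity from personal information and a random nonce.
// The text names base64; hashing first is added here because base64 alone is decodable.
func NewEID(personal string) string {
	nonce := make([]byte, 16)
	if _, err := rand.Read(nonce); err != nil {
		panic(err)
	}
	h := sha256.Sum256(append([]byte(personal), nonce...))
	return base64.StdEncoding.EncodeToString(h[:])
}

// Party holds a key pair: the client (Name "self", step 110) or an authority, whose own
// check of the user's personal identity (step 220) is assumed to have passed before Issue.
type Party struct {
	Name  string
	Level int
	Pub   ed25519.PublicKey
	priv  ed25519.PrivateKey
}

func NewParty(name string, level int) *Party {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return &Party{name, level, pub, priv}
}

// Issue creates the first (client, step 120) or second (authority, step 220) certificate for eid.
func (p *Party) Issue(eid string) Certificate {
	c := Certificate{EID: eid, Issuer: p.Name, Level: p.Level}
	c.IssuerSig = ed25519.Sign(p.priv, c.tbs())
	return c
}

// Sign produces the "signed certificate" the client publishes and later presents with the certificate.
func (p *Party) Sign(c Certificate) []byte { return ed25519.Sign(p.priv, c.tbs()) }

// Application is a local node: it reads the ledger, trusts fixed authorities and requires a minimum level.
type Application struct {
	Ledger   Ledger
	Trusted  map[string]ed25519.PublicKey
	MinLevel int
}

// Authenticate is steps 160/260 plus the issuer-legality and level checks; ed25519.Verify is
// the standard form of the text's "decrypt with the public key and compare".
func (app *Application) Authenticate(keyID string, c Certificate, clientSig []byte) error {
	pub, ok := app.Ledger[keyID]
	if !ok {
		return errors.New("no public key for this client on the chain")
	}
	if !ed25519.Verify(pub, c.tbs(), clientSig) {
		return errors.New("signed certificate does not match the presented certificate")
	}
	issuerKey, ok := pub, true // self-issued: the issuer is the client itself
	if c.Issuer != "self" {
		issuerKey, ok = app.Trusted[c.Issuer]
	}
	if !ok || !ed25519.Verify(issuerKey, c.tbs(), c.IssuerSig) {
		return errors.New("issuing authority is not legitimate")
	}
	if c.Level < app.MinLevel {
		return fmt.Errorf("certificate level %d is below required level %d", c.Level, app.MinLevel)
	}
	return nil
}

func main() {
	bank, client, ledger := NewParty("bank", LevelBank), NewParty("self", LevelSelf), Ledger{}
	eid := NewEID("constructed sample record") // constructed input, not real identity data
	_ = ledger.Publish(client.Pub)            // a first publication is never a duplicate
	app := &Application{ledger, map[string]ed25519.PublicKey{"bank": bank.Pub}, LevelBank}
	keyID := hex.EncodeToString(client.Pub)
	first, second := client.Issue(eid), bank.Issue(eid)
	fmt.Println("self-issued:", app.Authenticate(keyID, first, client.Sign(first)))   // level 0 < 1
	fmt.Println("bank-issued:", app.Authenticate(keyID, second, client.Sign(second))) // <nil>
}
```

Treating the self-issued first certificate as one whose issuer is the client itself lets one verification path serve both embodiments: the issuer key is the client's published key for "self" and a trusted authority key otherwise, and an untrusted issuer, a tampered level field, or a client with nothing on the chain all fail before the level check is reached. The application here also requires a minimum level per service, which is how the page's multi-level selection is enforced on the verifying side rather than left to the client's choice.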

Fig. 3 is a schematic diagram of some embodiments of an authentication system 300 of the present disclosure.

As shown in fig. 3, the authentication system 300 of this embodiment includes: client 310, federation blockchain 320 (including full node 321 and local node 322). Optionally, the authentication system 300 further comprises: a number of authorities 330.

Each apparatus is described below.

Fig. 4 is a schematic block diagram of some embodiments of the client 310 of the present disclosure.

As shown in fig. 4, the client 310 of this embodiment includes: an electronic identity generating module 311, a certificate self-issuing module 312, a certificate applying module 313 (optional), a signing module 314, an issuing module 315, and an accessing module 316.

In some embodiments, the electronic identity generating module 311 is configured to generate a key pair consisting of a public key and a private key and electronic identity information capable of identifying the identity of the user. The certificate self-issuing module 312 is configured to issue a first certificate for the electronic identity information. The signing module 314 is configured to sign the first certificate using the private key of the key pair. The issuing module 315 is configured to issue the signed first certificate and the public key of the key pair to the federation blockchain, so that a first network application that has joined the federation blockchain can obtain, from the federation blockchain, the signed first certificate and the public key issued by the client. The access module 316 is configured to submit an access request carrying the first certificate and the signed first certificate to the first network application and to receive the authentication result returned by it; the first network application decrypts the signed first certificate carried in the access request using the public key of the key pair and, if the certificate obtained by decryption matches the first certificate carried in the access request, considers the client to have passed authentication.

In some embodiments, the electronic identity generating module 311 is configured to generate a key pair consisting of a public key and a private key and electronic identity information capable of identifying the identity of the user. The certificate application module 313 is configured to obtain a second certificate issued by at least one authority for the electronic identity information. The signing module 314 is further configured to sign the second certificate using the private key of the key pair. The issuing module 315 is further configured to issue the signed second certificate and the public key of the key pair to the federation blockchain, so that a second network application that has joined the federation blockchain can obtain, from the federation blockchain, the signed second certificate and the public key issued by the client. The access module 316 is further configured to submit an access request carrying the second certificate and the signed second certificate to the second network application and to receive the authentication result returned by it; the second network application decrypts the signed second certificate carried in the access request using the public key of the key pair and, if the certificate obtained by decryption matches the second certificate carried in the access request, considers the client to have passed authentication.

Fig. 5 is a schematic structural diagram of another embodiment of the client 310 according to the present disclosure.

As shown in fig. 5, the client 310 of this embodiment includes: a memory 510 and a processor 520 coupled to the memory 510, the processor 520 being configured to perform the authentication method in any of the embodiments described above based on instructions stored in the memory 510.

Memory 510 may include, for example, system memory, fixed non-volatile storage media, and the like. The system memory stores, for example, an operating system, application programs, a boot loader, and other programs.

Client 310 may also include an input/output interface 530, a network interface 540, a storage interface 550, and the like. These interfaces 530, 540, 550, as well as the memory 510 and the processor 520, may be connected, for example, by a bus 560. The input/output interface 530 provides a connection interface for input/output devices such as a display, a mouse, a keyboard, and a touch screen. The network interface 540 provides a connection interface for various networking devices. The storage interface 550 provides a connection interface for external storage devices such as an SD card and a USB disk.

Fig. 6 is a block diagram illustrating the structure of some embodiments of federation block chain 320 of the present disclosure.

As shown in fig. 6, the federation block chain 320 of this embodiment includes: full node 321 and local node 322.

The full node 321 is configured to receive a certificate and the public key of a key pair issued by a client, where the certificate includes at least one of a first certificate issued by the client for electronic identity information capable of identifying the user's identity and a second certificate issued by an authority for that electronic identity information, and to synchronize the certificate and the public key of the key pair to the network applications that have joined the federation blockchain as local nodes.

The local node 322 is configured to receive an access request submitted by a client, where the access request carries a certificate and the certificate signed with the private key of the key pair; to decrypt the signed certificate carried in the access request using the public key of the key pair and, if the certificate obtained by decryption matches the certificate carried in the access request, to consider the client to have passed authentication; and to return the authentication result to the client.

As shown in fig. 6, the full node 321 includes: modules 3211 to 3213.

The authentication chain module 3211 is configured to receive and store a certificate issued by a client and the public key of a key pair, where the certificate includes at least one of a first certificate issued by the client for electronic identity information capable of identifying the user's identity and a second certificate issued by an authority for that electronic identity information, and to synchronize the certificate and the public key of the key pair to the network applications that have joined the federation blockchain as local nodes.

The accounting module 3212 is configured to implement an accounting function in the block chain technology.

The consensus module 3213 is configured to implement a consensus function in a blockchain technique.

As shown in fig. 6, the local node 322 includes: modules 3221-3222.

The certificate chain module 3221 is configured to acquire and store the certificate and the public key of the key pair synchronized from the full node.

The authentication module 3222 is configured to receive an access request submitted by a client, where the access request carries a certificate and the certificate signed with the private key of the key pair; to decrypt the signed certificate carried in the access request using the public key of the key pair and, if the certificate obtained by decryption matches the certificate carried in the access request, to consider the client to have passed authentication; and to return the authentication result to the client.

Fig. 7 is a block diagram illustrating further embodiments of federation block chains 320 of the present disclosure.

As shown in fig. 7, the federation block chain 320 of this embodiment includes: a memory 710 and a processor 720 coupled to the memory 710, the processor 720 being configured to perform the authentication method in any of the embodiments described above based on instructions stored in the memory 710.

Memory 710 may include, for example, system memory, fixed non-volatile storage media, and the like. The system memory stores, for example, an operating system, application programs, a boot loader, and other programs.

Federation blockchain 320 may also include an input/output interface 730, a network interface 740, a storage interface 750, and the like. These interfaces 730, 740, 750, as well as the memory 710 and the processor 720, may be connected, for example, by a bus 760. The input/output interface 730 provides a connection interface for input/output devices such as a display, a mouse, a keyboard, and a touch screen. The network interface 740 provides a connection interface for various networking devices. The storage interface 750 provides a connection interface for external storage devices such as an SD card and a USB disk.

The present disclosure also proposes a computer-readable storage medium having stored thereon a computer program which, when executed by a processor, implements the steps of the authentication method in any of the foregoing embodiments.

As will be appreciated by one skilled in the art, embodiments of the present disclosure may be provided as a method, system, or computer program product. Accordingly, the present disclosure may take the form of an entirely hardware embodiment, an entirely software embodiment or an embodiment combining software and hardware aspects. Furthermore, the present disclosure may take the form of a computer program product embodied on one or more computer-usable non-transitory storage media (including, but not limited to, disk storage, CD-ROM, optical storage, and the like) having computer-usable program code embodied therein.

The present disclosure is described with reference to flowchart illustrations and/or block diagrams of methods, apparatus (systems), and computer program products according to embodiments of the disclosure. It will be understood that each flow and/or block of the flow diagrams and/or block diagrams, and combinations of flows and/or blocks in the flow diagrams and/or block diagrams, can be implemented by computer program instructions. These computer program instructions may be provided to a processor of a general purpose computer, special purpose computer, embedded processor, or other programmable data processing apparatus to produce a machine, such that the instructions, which execute via the processor of the computer or other programmable data processing apparatus, create means for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.

These computer program instructions may also be stored in a computer-readable memory that can direct a computer or other programmable data processing apparatus to function in a particular manner, such that the instructions stored in the computer-readable memory produce an article of manufacture including instruction means which implement the function specified in the flowchart flow or flows and/or block diagram block or blocks.

These computer program instructions may also be loaded onto a computer or other programmable data processing apparatus to cause a series of operational steps to be performed on the computer or other programmable apparatus to produce a computer implemented process such that the instructions which execute on the computer or other programmable apparatus provide steps for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.

The above description is only exemplary of the present disclosure and is not intended to limit the present disclosure, so that any modification, equivalent replacement, or improvement made within the spirit and principle of the present disclosure should be included in the scope of the present disclosure.
