User registration method and device based on block chain

Document number: 168998. Publication date: 2021-10-29.

Reading note: this technique, "User registration method and device based on block chain" (基于区块链的用户注册方法及装置), was designed and created by 鲁静, 程晗蕾, 段焱明, 宋斌 and 齐荣 on 2021-07-09. Its main content is as follows: the application discloses a user registration method and device based on a block chain. The user registration method comprises the following steps: the cloud service provider obtains a user registration request carrying user information; the cloud service provider calculates at least one piece of encryption information based on its own key and the user information; and the cloud service provider uploads the at least one piece of encryption information to the block chain so as to complete the registration of the user. The method and device manage the identity information of the user through the block chain distributed ledger, avoiding the data leakage and single-point-of-failure problems caused by a centralized registration center.

1. A user registration method based on a block chain is characterized in that the method comprises the following steps:

the cloud service provider obtains a user registration request carrying user information;

the cloud service provider calculates to obtain at least one piece of encryption information based on a key of the cloud service provider and the user information;

and the cloud service provider uploads the at least one piece of encryption information to a block chain so as to complete the registration of the user.

2. The blockchain-based user registration method according to claim 1, wherein the step of the cloud service provider calculating at least one piece of encryption information based on its own key and the user information comprises:

the cloud service provider carries out a reversible calculation on the user information based on its own key so as to obtain first encryption information.

3. The blockchain-based user registration method according to claim 2, wherein the key of the cloud service provider includes a first key and a second key, and the step of the cloud service provider calculating at least one encryption information based on the key of the cloud service provider and the user information includes:

the cloud service provider calculates the user information based on the first key to obtain first encryption information; the cloud service provider calculates the first identifier of the cloud service provider based on the second key to obtain second encryption information; the cloud service provider takes the product of the first key and a preset value as third encryption information; the cloud service provider takes the product of the second key and the preset value as fourth encryption information;

the step that the cloud service provider uploads the at least one piece of encryption information to a block chain to complete the registration of the user comprises:

the cloud service provider uploads the first encryption information, the second encryption information, the third encryption information and the fourth encryption information to the block chain.

4. The blockchain-based user registration method according to claim 3, wherein the user information includes a user identifier, and the steps of the cloud service provider taking the product of the first key and the preset value as third encryption information and taking the product of the second key and the preset value as fourth encryption information comprise the following step:

the cloud service provider calculates the preset value from the second identifier of the cloud service provider and the user identifier.

5. The blockchain-based user registration method according to claim 4, wherein the step of the cloud service provider calculating the preset value from the second identifier of the cloud service provider and the user identifier comprises:

the cloud service provider performs an elliptic curve calculation on the sum of the user identifier and the second identifier to obtain the preset value.

6. The blockchain-based user registration method according to claim 2, wherein the user information includes associated information, and the step of the cloud service provider performing a reversible calculation on the user information based on its own key to obtain first encrypted information comprises:

the cloud service provider carries out a reversible calculation on its own key, the second identifier of the cloud service provider and the associated information to obtain the first encrypted information;

wherein the associated information is obtained by the user terminal processing the biometric features of the user.

7. The blockchain-based user registration method according to claim 6, wherein the key of the cloud service provider includes a first key and a second key;

the step of the cloud service provider calculating at least one piece of encryption information from its own key and the user information comprises the following steps:

the cloud service provider performs an exclusive-or operation on the second identifier of the cloud service provider, the first key and the associated information to obtain the first encryption information;

and the cloud service provider performs an exclusive-or operation on the first identifier, the second identifier and the second key of the cloud service provider to obtain the second encryption information.

8. The blockchain-based user registration method according to claim 1, wherein the step of the cloud service provider obtaining the user registration request carrying the user information comprises:

the cloud service provider detects whether the user identifier in the user information already exists on the block chain;

and if the user identifier does not exist, executing the step of the cloud service provider calculating at least one piece of encryption information based on its own key and the user information.

9. An electronic device, characterized in that the electronic device comprises a processor; the processor is configured to execute instructions to implement the method of any one of claims 1-8.

10. A computer-readable storage medium, characterized in that a program file capable of implementing the method of any one of claims 1-8 is stored in the computer-readable storage medium.

Technical Field

The present application relates to the field of block chain technologies, and in particular, to a user registration method and apparatus based on a block chain.

Background

Mobile cloud computing provides additional computing resource capacity for resource-constrained terminal devices. However, in order to use the services of different cloud providers, a mobile user must register an identity at each cloud provider and remember a plurality of identities and credentials for accessing them; such an authentication method is complicated and cumbersome.

Many single sign-on schemes have emerged to eliminate the repeated registrations of mobile users accessing cloud providers. However, most of these solutions rely on a trusted third-party registry, a centralized entity that manages the identity information of all mobile users registered with it. A centralized registry has full control over the data it holds, which increases the likelihood of user data leakage and the risk of a single point of failure.

Disclosure of Invention

The application provides a user registration method and device based on a block chain, which manage the identity information of a user through a block chain distributed account book and avoid the problems of data leakage and single point failure caused by a centralized registration center.

In order to achieve the above object, the present application provides a user registration method based on a block chain, including:

the cloud service provider obtains a user registration request carrying user information;

the cloud service provider calculates to obtain at least one piece of encryption information based on a key of the cloud service provider and user information;

and the cloud service provider uploads at least one piece of encryption information to the block chain so as to complete the registration of the user.

To achieve the above object, the present application also provides an electronic device, which includes a processor; the processor is used for executing instructions to realize the method.

To achieve the above object, the present application also provides a computer-readable storage medium for storing instructions/program data that can be executed to implement the above method.

According to the block chain-based user registration method, when a user registers with a cloud service provider through a terminal device, the cloud service provider processes the user information into encrypted information and uploads it to the block chain. Other cloud service providers can then authenticate the user's identity using the encrypted information stored in the block chain, so the user does not need to register separately at each cloud service provider. Because the user identity information is managed through the block chain, no centralized registration center is needed and the problems of data leakage and single-point failure are avoided; because only the encrypted form of the user information is stored in the block chain, the security of the user information is improved.

Drawings

The accompanying drawings, which are included to provide a further understanding of the application and are incorporated in and constitute a part of this application, illustrate embodiment(s) of the application and together with the description serve to explain the application and not to limit the application. In the drawings:

FIG. 1 is a schematic flowchart illustrating an embodiment of a block chain-based user registration method according to the present application;

FIG. 2 is a schematic flowchart of another embodiment of a user registration method based on a block chain according to the present application;

FIG. 3 is a flow chart illustrating an embodiment of a method for authenticating a user according to the present application;

FIG. 4 is a schematic view of a workflow of a terminal device in the method for authenticating a user identity according to the present application;

FIG. 5 is a schematic workflow diagram of a cloud service provider authentication in the method for user identity authentication of the present application;

FIG. 6 is a flow chart illustrating another embodiment of a method for authenticating a user according to the present application;

FIG. 7 is a schematic structural diagram of an embodiment of an electronic device of the present application;

FIG. 8 is a schematic structural diagram of an embodiment of a computer-readable storage medium according to the present application.

Detailed Description

The description and drawings illustrate the principles of the application. It will thus be appreciated that those skilled in the art will be able to devise various arrangements that, although not explicitly described or shown herein, embody the principles of the application and are included within its scope. Moreover, all examples herein are principally intended expressly to be only for pedagogical purposes to aid the reader in understanding the principles of the application and the concepts provided by the inventors and thus further the art, and are not to be construed as being limited to such specifically recited examples and conditions. Additionally, the term "or" as used herein refers to a non-exclusive "or" (i.e., "and/or") unless otherwise indicated (e.g., "or otherwise" or in the alternative). Moreover, the various embodiments described herein are not necessarily mutually exclusive, as some embodiments may be combined with one or more other embodiments to form new embodiments.

The method aims to solve the problems of user data leakage and single point of failure in the existing technical scheme of managing the user identity through a centralized registration center.

The application provides a user registration method based on a block chain. When a user registers with a cloud service provider through a terminal device, the cloud service provider processes the user information into encrypted information and uploads it to the block chain, so that other cloud service providers can also authenticate the user's identity using the encrypted information stored in the block chain and the user does not need to register separately at each cloud service provider. The user identity information is managed through the block chain, no centralized registration center is needed, the problems of data leakage and single-point failure are avoided, and since only the encrypted form of the user information is stored in the block chain, the security of the user information is improved.

The following describes the block chain-based user registration method in detail, where a flowchart of an embodiment of the block chain-based user registration method is specifically shown in fig. 1 and fig. 2, and the block chain-based user registration method of the present embodiment includes the following steps. The application field of the user registration method based on the block chain is not limited, and the user registration method based on the block chain can be applied to the cross-border trade field or the Internet of things device management field. It should be noted that the following step numbers are only used for simplifying the description, and are not intended to limit the execution order of the steps, and the execution order of the steps in the present embodiment may be arbitrarily changed without departing from the technical idea of the present application.

S101: the registered cloud service provider acquires a user registration request carrying user information.

In an implementation manner, the terminal device may directly send the user registration request carrying the user information to the registration cloud service provider, so that the registration cloud service provider may obtain the user registration request carrying the user information.

In another implementation manner, both the user and the registered cloud service provider are nodes in a block chain that they jointly maintain, and the user exchanges data with the registered cloud service provider through the block chain. The registered cloud service provider then provides services only according to the received user registration request and user information, without knowing who the user receiving the services is, which protects the privacy of the user.

In addition, the terminal equipment can encrypt the user registration request carrying the user information and send the encrypted data to the registration cloud service provider so as to improve the security of the user information. Moreover, the terminal device may select a cloud service provider as a cloud service provider (i.e., a registered cloud service provider) for receiving the user registration request, encrypt the user registration request carrying the user information with a public key of the registered cloud service provider, and send the encrypted user registration request to the registered cloud service provider, so that only the registered cloud service provider can decrypt the encrypted user registration request with its own private key to ensure the security of the user information.

The public key of the registered cloud service provider can be uploaded to the block chain by the registered cloud service provider when the registered cloud service provider registers in the block chain, so that the terminal device can obtain the public key of the registered cloud service provider from the block chain. In other embodiments, the registered cloud service provider may send the public key to some blockchain nodes selected by the registered cloud service provider, or may directly broadcast the public key over the whole network to send the public key to all blockchain nodes.

The computation of the public key of the registered cloud service provider may be as follows: the registered cloud service provider selects at least one private key, such as x and y, and then calculates the public key from the private key. The public key Q can be calculated, for example, using the formula $Q = (x + y) \cdot P$, wherein x and y are the private keys selected by the registered cloud service provider and P is the base point of the elliptic curve equation.

In addition, the user may select a nearby registered cloud service provider and send the user registration request carrying the user information to it, so that the nearby registered cloud service provider processes the user information. Each cloud service provider in the block chain is thus responsible for the registration requests of the user nodes adjacent to it, achieving partitioned processing.

S102: the registered cloud service provider calculates at least one piece of encryption information based on its own key and the user information.

After the registered cloud service provider obtains the user registration request carrying the user information, it processes the user information in response to the request and subsequently uploads the resulting at least one piece of encryption information to the block chain to complete the registration of the user. The user and other cloud service providers can then obtain the encryption information corresponding to the user from the block chain and use it to authenticate the user's identity when the user logs in or accesses a service. The user can therefore log in to and access a plurality of cloud service providers after a single registration, no centralized registration center is needed to manage the identity information of the user, and the problems of data leakage and single-point failure are avoided.

Optionally, the registered cloud service provider may perform reversible calculation on the user information based on a key of the registered cloud service provider to obtain the first encryption information, so that after the registered cloud service provider issues the first encryption information to the blockchain, the user may obtain the first encryption information from the blockchain, the user may calculate an estimated value of the key of the registered cloud service provider through the user information and the first encryption information obtained from the blockchain, and if the user information is correct, the estimated value of the key of the registered cloud service provider is equal to a true value of the key of the registered cloud service provider, so that the user identity authentication may pass.

The user information may include associated information obtained by the user terminal processing the biometric features of the user. The registered cloud service provider can perform a reversible calculation on the associated information based on its key to obtain the first encrypted information. If the biometric features of the user acquired by the terminal device at login match those acquired at registration, the terminal device can compute the correct associated information from the biometric features acquired at login, and from it the true value of the key of the registered cloud service provider, so as to complete the identity authentication of the user.

Further, the associated information of the user may be obtained by associating the biometric features of the user with the initial identifier of the user. Specifically, the terminal device of the user performs fuzzy extraction on the biometric features of the user to obtain a key string; the key string is then concatenated with the initial user identifier to obtain an associated value; and the associated value is hashed to obtain the associated information.

Specifically, the associated information is calculated as follows:

$\mathrm{Gen}(BIO_i) \Rightarrow (B_i, B_F)$;

$B_1 = h(ID_i \,\|\, B_i)$;

wherein $\mathrm{Gen}(\cdot)$ is the generation function of the fuzzy extractor; $B_i$ is the key string obtained by fuzzy extraction of the biometric features; $B_F$ is the public helper string obtained by fuzzy extraction of the biometric features; $\|$ is the concatenation operation; $\oplus$ is the XOR operation; $h(\cdot)$ is a one-way hash function; and $ID_i$ is the initial identifier of the user.

In an implementation manner, after the user identity registration is completed based on the implementation manner, and when the user logs in, the terminal device may send the calculated value of the key of the registered cloud service provider to the authentication cloud service provider, so that the authentication cloud service provider verifies the calculated value of the key, and if the verification is passed, the authentication cloud service provider passes the user identity verification.

In another implementation, the authentication cloud service provider may not be the same as the registered cloud service provider and may not know the true value of the key of the registered cloud service provider. To allow the authentication cloud service provider to verify the identity of the user, the registered cloud service provider may therefore set two keys, a first key and a second key: it calculates the user information based on the first key to obtain the first encrypted information, and calculates its own first identifier based on the second key to obtain the second encrypted information. In addition, the registered cloud service provider multiplies a preset value by the first key to obtain third encrypted information, and multiplies the preset value by the second key to obtain fourth encrypted information. In step S103, the first, second, third and fourth encrypted information are uploaded to the block chain. At login, the terminal device used by the user can then calculate the first key from the user information and the first encrypted information obtained from the block chain, and multiply the first key by the fourth encrypted information obtained from the block chain to obtain a first value. The authentication cloud service provider, for its part, can obtain information such as the first identifier of the registered cloud service provider, calculate the second key from that information and the second encrypted information obtained from the block chain, and multiply the second key by the third encrypted information obtained from the block chain to obtain a second value. If the user information used by the terminal device to calculate the first value is correct and the calculation is performed correctly, the second value equals the first value, and the authentication cloud service provider passes the user's identity authentication. In this way, cloud service providers on the block chain other than the registered cloud service provider can also authenticate the identity of the user from the user's encryption information, and no cloud service provider needs to obtain the user's biometric features or similar information during registration or login, which protects the biometric information of the user. For ease of description, the first, second, third and fourth encryption information may together be called the encryption information corresponding to the user; the first and fourth encryption information may be called the encryption information of the user, and the second and third encryption information may be called the encryption information of the registered cloud service provider.

The preset value may be a randomly generated random number, or a value obtained by processing the user information and/or the identification information of the registered cloud service provider. Specifically, the user information may include a user identifier, and the preset value may be calculated from the user identifier and the second identifier of the registered cloud service provider. Further, in order to protect the user information and the cloud service provider information, their identities may be hidden using an equation such as an elliptic curve; specifically, the registered cloud service provider may obtain the preset value by performing an elliptic curve calculation on the sum of the user identifier and the second identifier. The user identifier may be the initial identifier of the user, or a value obtained by hashing the initial identifier of the user.

The first encryption information may be calculated as: $A_4 = B_1 \oplus n_A \oplus ID_j$;

wherein $A_4$ is the first encrypted information of the user, $B_1$ is the associated information of the user, $n_A$ is the first key of the registered cloud service provider, $ID_j$ is the second identifier of the registered cloud service provider, and $\oplus$ is the XOR operation.

The second encryption information may be calculated as: $P_C = h(S) \oplus n_B \oplus ID_j$;

wherein $P_C$ is the second encrypted information corresponding to the user, $h(S)$ is the first identifier of the registered cloud service provider, $n_B$ is the second key of the registered cloud service provider, $ID_j$ is the second identifier of the registered cloud service provider, and $\oplus$ is the XOR operation.

The third encryption information may be calculated as: $P_A = n_A \times P\cdot(ID_j + h(ID_i))$;

wherein $P_A$ is the third encrypted information, $n_A$ is the first key of the registered cloud service provider, $ID_j$ is the second identifier of the registered cloud service provider, $h(ID_i)$ is the user identifier, and $P$ is the base point of the elliptic curve equation.

The fourth encryption information may be calculated as: $P_B = n_B \times P\cdot(ID_j + h(ID_i))$;

wherein $P_B$ is the fourth encrypted information corresponding to the user, $n_B$ is the second key of the registered cloud service provider, $ID_j$ is the second identifier of the registered cloud service provider, $h(ID_i)$ is the user identifier, and $P$ is the base point of the elliptic curve equation.

In addition, the first identifier of the registered cloud service provider may be obtained by processing a second identifier of the registered cloud service provider.

Specifically, the registered cloud service provider may first generate a first random number $r_1$;

then calculate an intermediate value by the formula $S = h(r_1 \cdot P \,\|\, ID_j)$, wherein $\|$ is the concatenation operation, $P$ is the base point of the elliptic curve equation, $h$ is a one-way hash function $h(\cdot): \{0,1\}^* \to Z_p$, $r_1$ is the first random number and $S$ is the intermediate value;

and hash the intermediate value $S$ to obtain the first identifier $h(S)$ of the registered cloud service provider.

The intermediate value can be saved in a local server by the registered cloud service provider. The second identifier and/or the first identifier of the registered cloud service provider can be stored on the block chain, so that the authentication cloud service provider can obtain from the block chain the second identifier and/or the first identifier of the registered cloud service provider corresponding to the user and authenticate the identity of the registered user. The second identifier and/or the first identifier may be uploaded to the block chain by the registered cloud service provider itself when it registers in the block chain.
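As an added example (not the patent's own code) of the four encryption values above and of the first-value/second-value check described for the two-key implementation, the following Python models the registration and login arithmetic. It assumes secp256k1 as the elliptic curve and SHA-256 as $h(\cdot)$, neither of which the text fixes, and uses a constructed fixed key string in place of the fuzzy extractor's $\mathrm{Gen}(BIO_i)$ output, since Gen/Rep are not specified on the page.

```python
import hashlib

# Curve and hash are assumptions: the page fixes a shared base point P and a
# one-way hash h() but names neither, so secp256k1 and SHA-256 are used here.
P_MOD = 2**256 - 2**32 - 977
N_ORD = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
BASE_P = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
          0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)


def ec_add(p, q):
    """Affine point addition on y^2 = x^3 + 7 over GF(P_MOD); None is infinity."""
    if p is None:
        return q
    if q is None:
        return p
    (x1, y1), (x2, y2) = p, q
    if x1 == x2 and (y1 + y2) % P_MOD == 0:
        return None
    if p == q:
        lam = 3 * x1 * x1 * pow(2 * y1, -1, P_MOD) % P_MOD
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P_MOD) % P_MOD
    x3 = (lam * lam - x1 - x2) % P_MOD
    return (x3, (lam * (x1 - x3) - y1) % P_MOD)


def ec_mul(k, point):
    """Double-and-add scalar multiplication k.point (the 'elliptic curve calculation')."""
    result, k = None, k % N_ORD
    while k:
        if k & 1:
            result = ec_add(result, point)
        point = ec_add(point, point)
        k >>= 1
    return result


def point_bytes(point):
    return point[0].to_bytes(32, "big") + point[1].to_bytes(32, "big")


def h(*parts):
    """One-way hash h(): {0,1}* -> Z_p; SHA-256 over the concatenation (||) of parts."""
    return int.from_bytes(hashlib.sha256(b"".join(parts)).digest(), "big")


def first_identifier(r1, id_j):
    """Registered CSP: S = h(r1.P || ID_j); its published first identifier is h(S)."""
    s = h(point_bytes(ec_mul(r1, BASE_P)), id_j.to_bytes(32, "big"))
    return s, h(s.to_bytes(32, "big"))


def register(id_i, b_i, id_j, h_s, n_a, n_b):
    """Registered CSP: the four encryption values uploaded to the block chain."""
    b1 = h(id_i, b_i)                          # B_1 = h(ID_i || B_i), associated information
    preset = ec_mul(id_j + h(id_i), BASE_P)    # preset value P.(ID_j + h(ID_i))
    return {
        "A4": b1 ^ n_a ^ id_j,                 # first:  B_1 xor n_A xor ID_j
        "PC": h_s ^ n_b ^ id_j,                # second: h(S) xor n_B xor ID_j
        "PA": ec_mul(n_a, preset),             # third:  n_A x preset
        "PB": ec_mul(n_b, preset),             # fourth: n_B x preset
    }


def terminal_first_value(rec, id_i, b_i_login, id_j):
    """Terminal at login: recover n_A from A4 with the freshly derived B_1, then n_A.P_B."""
    n_a_est = rec["A4"] ^ h(id_i, b_i_login) ^ id_j
    return ec_mul(n_a_est, rec["PB"])


def authenticator_second_value(rec, h_s, id_j):
    """Authentication CSP: recover n_B from P_C and the first identifier h(S), then n_B.P_A."""
    n_b_est = rec["PC"] ^ h_s ^ id_j
    return ec_mul(n_b_est, rec["PA"])


def authenticate(rec, id_i, b_i_login, id_j, h_s):
    """Passes only when first value == second value (both equal n_A.n_B.preset)."""
    first = terminal_first_value(rec, id_i, b_i_login, id_j)
    second = authenticator_second_value(rec, h_s, id_j)
    return first is not None and first == second


def demo(seed=7):
    """Constructed scenario: the enrolled key string authenticates, a different one does not."""
    id_i = b"user-alice"                                  # constructed initial identifier ID_i
    b_i = hashlib.sha256(b"bio-key-%d" % seed).digest()   # stands in for Gen(BIO_i) -> B_i
    id_j = h(b"csp-j")                                    # constructed second identifier ID_j
    n_a, n_b = 1 + seed * 1234567, 1 + seed * 7654321     # fixed first/second keys
    _s, h_s = first_identifier(r1=99 + seed, id_j=id_j)
    rec = register(id_i, b_i, id_j, h_s, n_a, n_b)
    good = authenticate(rec, id_i, b_i, id_j, h_s)
    bad = authenticate(rec, id_i, b"wrong-key-string", id_j, h_s)
    return good, bad


if __name__ == "__main__":
    print(demo())  # (True, False)
```

Because XOR is reversible, the terminal recovers $n_A$ exactly whenever it reproduces the enrolled $B_1$, so $n_A \cdot P_B = n_A n_B \cdot \text{preset} = n_B \cdot P_A$; a different key string gives a different $n_A$ and the comparison fails without any biometric data leaving the terminal.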

It can be understood that the block chain-based user registration method is executed on the basis of the block chain. To facilitate the management and authentication of user identities, at least some of the cloud service providers can agree on a unified hash function, a base point of the elliptic curve equation and similar parameters at the initial stage of building the block chain, and publish them to the block chain. The terminal devices and the cloud service providers then process data with the same hash function and the same base point, so that key conversion between them is fast and accurate, identity authentication does not fail for the extraneous reason that the terminal device and the cloud service provider use inconsistent hash functions or base points, and a secure identity authentication channel is provided for users and cloud service providers.

In addition, before step S102, the registered cloud service provider may check, based on the user information, whether the user is already registered on the block chain. If so, the registered cloud service provider can ignore the registration request and send a prompt to the terminal device informing the user that the account is already registered; if not, step S102 is executed.

S103: the registered cloud service provider uploads the at least one piece of encryption information to the block chain so as to complete the registration of the user.

After obtaining the at least one piece of encryption information in step S102, the registered cloud service provider may upload it to the block chain. The registered cloud service provider may also send a registration-success message to the terminal device so that the user knows that the registration has succeeded.

In addition, the terminal device may store on its own device some parameters generated in the registration process (e.g., the public helper string $B_F$, the fuzzy extraction function $\mathrm{Gen}(\cdot)$, the reproduction function $\mathrm{Rep}(\cdot)$, the one-way hash $h(\cdot)$, the time interval $\Delta t$, the base point $P$, and $A_1$).

Wherein $A_1$ is obtained by a calculation whose formula is not given here; in it, $ID_i$ is the initial identifier of the user; $B_i$ is the associated information of the user; $PW_i$ is the password entered by the user; and $s_l$ may be a secret with a life cycle generated by processing the biometric features of the user.

After the encrypted information corresponding to the user has been uploaded to the block chain, whether by the block chain-based user registration method above or by another user registration method, the terminal device and the authentication cloud service provider can authenticate the user's identity using the encrypted information corresponding to the user in the block chain. The authentication cloud service provider is a cloud service provider that can be a full node in the block chain and hold a complete copy of the block chain distributed ledger, so it can look up on the block chain the encrypted information corresponding to users registered by other cloud service providers, which makes identity authentication of those users convenient. Specifically, as shown in FIG. 3, the method for authenticating the user identity using the above encryption information may include the following steps.

S201: the terminal device acquires user information.

S202: the terminal equipment acquires the encryption information of the user from the block chain based on the user information.

S203: the terminal device calculates based on the encryption information of the user and the user information to obtain a first value.

S204: the first value is verified by the authentication cloud service provider.

S205: if the first value passes verification, the authentication cloud service provider sends an identity authentication message to the terminal device to complete identity authentication.

When performing identity authentication, the terminal device first obtains the user information, then obtains the user's encryption information from the blockchain based on that user information, and calculates a first value from the encryption information and the user information. User identity authentication is completed when the authentication cloud service provider verifies the first value. Identity authentication is thus completed on the basis of the encryption information stored for the user in the blockchain, so any server registered to the blockchain can authenticate the user from that information. No centralized server is needed to manage user information, which avoids the problems of data leakage and single points of failure.

In a first implementation manner, the registration cloud service provider obtained the user's encryption information at registration by reversible calculation over the user information with its own key. Then in step S203 the terminal device may use the user information and the user's encryption information to calculate an estimated value of the registration cloud service provider's key, and send that estimated key value to the authentication cloud service provider as the first value. The authentication cloud service provider verifies the estimated key value and, if verification passes, sends the identity authentication message to the terminal device to complete identity authentication of the user. Specifically, in step S204, the authentication cloud service provider may determine the true value of the registration cloud service provider's key based on information such as the identifier of the registration cloud service provider corresponding to the user (for example, if the authentication cloud service provider is not the registration cloud service provider, it may request the true key value directly from the registration cloud service provider); if the true key value is consistent with the estimated key value sent by the terminal device, the first value passes verification.

In a second implementation manner, in step S203 the terminal device may use the user information and the user's encryption information to derive an estimated value of the registration cloud service provider's key, calculate a first value from that estimated key value, and send the first value to the authentication cloud service provider for verification; if the first value passes, the authentication cloud service provider sends the identity authentication message to the terminal device to complete identity authentication of the user. Optionally, in step S204, the authentication cloud service provider may calculate a second value based on the first value, the identifier of the registration cloud service provider and the encryption information of the registration cloud service provider, and confirm whether the first and second values are consistent; if they are the same, the first value passes verification.

In a third implementation manner, so that different authentication cloud service providers can verify the user's identity, the registration cloud service provider may at registration use two keys, a first key and a second key, to obtain four pieces of encryption information corresponding to the user: first, second, third and fourth encryption information. Specifically, in step S202 the terminal device may obtain from the blockchain, by the user information, the first encryption information and the fourth encryption information stored there at registration; in step S203 it calculates an estimated value of the registration cloud service provider's first key from the first encryption information and the user information, and multiplies that estimated first key by the fourth encryption information to obtain the first value. The terminal device then sends the first value to the authentication cloud service provider, which in step S204 calculates the registration cloud service provider's second key from the second encryption information corresponding to the user and the identifier of the registration cloud service provider, multiplies the calculated second key by the third encryption information to obtain a second value, and confirms whether the second value is consistent with the first value. If they are consistent, the first value passes verification, i.e. the user's identity is authenticated, and the identity authentication message can be sent to the terminal device to complete identity authentication.

In a fourth implementation manner, in step S202 the terminal device may obtain from the blockchain, by the user information, the first encryption information and the fourth encryption information stored there at registration; in step S203 it calculates an estimated value of the registration cloud service provider's first key from the first encryption information and the user information, multiplies that estimated first key by the fourth encryption information to obtain a first intermediate value, and reversibly processes the first intermediate value and the first encryption information to obtain the first value. The terminal device sends the first value to the authentication cloud service provider, which in step S204 calculates the registration cloud service provider's second key from the identifier of the registration cloud service provider and the second encryption information obtained from the blockchain; multiplies the calculated second key by the third encryption information obtained from the blockchain to obtain a second intermediate value; reversibly processes the second intermediate value, the first value and the first encryption information obtained from the blockchain to obtain a second transition value; reversibly processes the second transition value, the second intermediate value and the first encryption information to obtain a second value; and confirms whether the calculated second value is consistent with the first value. If they are consistent, the first value passes verification and the identity authentication message can be sent to the terminal device to complete identity authentication of the user.

Optionally, the user information may include a user password, and the identifier of the registered cloud service provider includes the first identifier and the second identifier. The step of the terminal device performing reversible processing on the first intermediate value and the first encryption information may include: the terminal equipment processes the initial user identifier, the user password, the current key string and a second identifier of a registered cloud service provider to obtain a first correlation value; and then the terminal equipment carries out exclusive OR operation on the first correlation value, the first intermediate value and the first encryption information to obtain a first value.

The first correlation value can be calculated as:

A5 = h(IDi || PWi || Bi* || r2 || T1 || IDj);

where A5 is the first correlation value, IDi the user's initial identification, PWi the user's password, Bi* the user's current key string, r2 a second random number, T1 a first time, and IDj the second identifier of the registration cloud service provider. The second random number r2 and the first time T1 may be generated by the terminal device when it obtains the user's encryption information from the blockchain.

In addition, the first value is the exclusive OR described above:

A6 = A5 ⊕ D1 ⊕ A4;

where A6 is the first value, A5 the first correlation value, D1 the first intermediate value and A4 the user's first encryption information.

Further, in the foregoing implementation manner, the authentication cloud service provider may specifically perform reversible calculation (for example, exclusive or calculation) on the first identifier, the second identifier, and the second encryption information of the registered cloud service provider, so as to obtain an estimated value of the second key of the registered cloud service provider.

In addition, the user information may include the user's current biometric. In step S203 of the implementations above, the terminal device may process the current biometric to obtain the user's current associated information, then perform a reversible operation over the current associated information and the user's encryption information to calculate the estimated value of the registration cloud service provider's key. When the user's identity is authenticated, the terminal device therefore sends the authentication cloud service provider a first value derived from the biometric rather than the biometric itself: the biometric is used for authentication but is never sent to another device, and the terminal device does not need to store it either, which protects the security of the user's biometric.

Further, the user information may also include an initial identification of the user. In step S203, the terminal device may process the initial identifier of the user based on the current biometric features of the user to obtain the current association information of the user.

Specifically, the step of the terminal device processing the initial identification of the user based on the current biometric features of the user may include: the terminal equipment can perform fuzzy extraction on the current biological characteristics of the user to obtain a current key string; then, the current key string is associated with the initial user identifier to obtain an associated value; and then carrying out hash processing on the correlation value to obtain correlation information.

Specifically, the current associated information is calculated as:

Gen(BIOi*) => (Bi*, BF*);

B1* = h(IDi || Bi*);

where BIOi* is the current biometric, i.e. the biometric acquired from the user when the terminal device logs in to or accesses the authentication cloud service provider, or when the user authenticates to the authentication cloud service provider; Gen(·) is the generation function of the fuzzy extractor; Bi* is the current key string obtained by fuzzy extraction of the user's current biometric; BF* is the current public copy string obtained by the same extraction; B1* is the current associated information; || is the concatenation operation; ⊕ is the exclusive OR operation; h(·) is a one-way hash function; IDi is the user's initial identification.

In addition, the initial identifier of the user may also be used to distinguish different users, so in step S202, the terminal device may find, from the blockchain, the encrypted information of the user stored in the blockchain distributed ledger when the user registers, by using the initial identifier of the user or using the user identifier obtained by processing the initial identifier.

Accordingly, after the first value is obtained from the terminal device, the authentication cloud provider may query the encrypted information, such as the first encrypted information, the second encrypted information, and the third encrypted information, corresponding to the user from the blockchain based on the user identifier or based on the user identifier and the identifier of the authentication cloud provider, so as to perform step S204 to verify the first value.

The authentication cloud service provider can determine information such as an identifier of a registration cloud service provider corresponding to the user based on the following method. For example, in step S204, the authentication cloud provider may find information such as an identifier of the registered cloud provider from the blockchain by using information such as a user identifier in the user information. For another example, after the terminal device calculates the first value, the terminal device may send the first value and the identifier of the registered cloud service provider to the authentication cloud service provider, so that the authentication cloud service provider may receive the identifier of the registered cloud service provider while receiving the first value.

In addition, when the first value is received from the terminal device, the authentication cloud service provider may take the current time as the second time T2 and judge whether the difference between T2 and the first time T1 is within the validity period ΔT; if so, it queries the encryption information corresponding to the user from the blockchain based on the user identifier, or based on the user identifier and the identifier of the authentication cloud service provider.

Further, before inquiring the encryption information corresponding to the user from the blockchain based on the user identification or based on the user identification and the identification of the authentication cloud service provider, the authentication cloud service provider can also verify whether the user logs off on the blockchain based on the user identification; if the user logs off, the request is terminated, and the steps S204 and S205 are not executed; if the user does not log off, steps S204 and S205 are performed to verify the first value based on the queried encryption information corresponding to the user.

Further, in step S205 of the above implementation, the authentication cloud provider may generate an authentication message based on the first value and transmit the generated authentication message to the terminal device.

The identity authentication message A8 may be generated from the second transition value A5, the first value A6, the second random number r2, a third time T3 and a third random number r3; the specific formula is not reproduced on this page, and other constructions are not excluded. The third time and the third random number may be generated once the authentication cloud service provider has verified the first value.

In addition, the authentication cloud service provider may send the third time T3 to the terminal device together with the identity authentication message, so that the terminal device can confirm whether the difference between the time T4 at which it receives the identity authentication message and the third time T3 is within the validity period ΔT; if so, identity authentication succeeds.

As shown in fig. 4, the steps of implementing the distributed identity authentication method for the terminal device are as follows.

S301: the terminal device acquires user information.

S302: the terminal equipment acquires the encryption information of the user from the block chain based on the user information.

S303: the terminal device performs calculation based on the encryption information and the user information to obtain a first value.

S304: the terminal equipment sends the first value to the authentication cloud service provider so that the authentication cloud service provider can verify the identity of the user based on the first value.

The above steps are similar to the corresponding steps of the embodiment shown in fig. 3 and are not described again. When performing identity authentication, the terminal device first obtains the user information, then obtains the user's encryption information from the blockchain based on that user information, calculates a first value from the encryption information and the user information, and sends the first value to the authentication cloud service provider, which completes user identity authentication once the first value is verified. Identity authentication is thus completed on the basis of the encryption information stored for the user in the blockchain, any server registered to the blockchain can authenticate the user from that information, no centralized server is needed to manage user information, and the problems of data leakage and single points of failure are avoided.

For the cloud service provider authentication, please refer to fig. 5 for steps of implementing the distributed identity authentication method, and fig. 5 is a schematic diagram of a workflow of the cloud service provider authentication in the distributed identity authentication method of the present application.

S401: the authentication cloud service provider acquires the first value from the terminal device.

The first value is calculated by the terminal device based on the encryption information of the user and the user information, and the encryption information of the user is obtained by the terminal device from the block chain based on the user information.

S402: the first value is verified by the authentication cloud service provider.

S403: and if the authentication passes the verification, the identity authentication message is sent to the terminal equipment to complete the identity authentication.

In this embodiment, the steps are similar to those in the embodiment shown in fig. 3, and detailed description is omitted. After receiving the first value from the terminal device, the authentication cloud service provider sends the identity authentication message to the terminal device to complete identity authentication under the condition that the first value is authenticated, wherein the first value is obtained by the terminal device through calculation based on the encryption information and the user information of the user, and the encryption information of the user is obtained by the terminal device from the block chain based on the user information.

In order to better explain the distributed identity authentication method of the present application, the following specific embodiment of user identity authentication is provided for illustrative explanation:

example 1

As shown in fig. 6, the distributed identity authentication method of the present embodiment includes the following steps:

1. The user MUi extracts its identification IDi, password PWi and biometric BIOi* at the terminal device and submits to the blockchain a request for access authentication to CSPj;

2. After the blockchain receives the access request and the related information, it sends the encryption information A4, PB stored at the earlier registration to the user;

3. After receiving A4, PB from the blockchain, the user generates a second random number r2 and a first time T1 and calculates

A5 = h(IDi || PWi || Bi* || r2 || T1 || IDj),

D1 = nA × PB,

and the first value A6 (the exclusive OR of A5, D1 and A4 described above). The user then sends the first time T1, the second random number r2 and the first value A6 to the corresponding authentication cloud service provider CSPj for identity authentication;

4. The authentication cloud service provider CSPj receives the first value A6 and the accompanying information sent by the user MUi, verifies that the difference between the second time T2 and the first time T1 is within the validity period ΔT, and then requests the encryption information corresponding to the user from the blockchain by the user's identifier h(IDi) and the registration cloud service provider's second identifier IDj;

5. The blockchain receives h(IDi) and IDj sent by CSPj, verifies whether the user has logged off on the distributed ledger, terminates the request if so, and otherwise returns the queried A4, PA and PC to CSPj;

6. CSPj receives A4, PA and PC from the blockchain and verifies by local calculation whether the locally generated key agrees with the key sent by the user:

S1 = nB × PA

It then verifies whether the second value is equal to the first value A6; if so, it generates a third random number r3 and a third time T3, encrypts this information into the identity authentication message A8, and sends it to the user MUi;

7. The user MUi receives <A8, T3> from CSPj, first checks whether the difference between the current timestamp T4 and the third time T3 is within the validity period ΔT, and if so identity authentication succeeds.

The identity authentication method of the present application can be applied to a plurality of application scenarios, for example, the following two application scenarios.

In an application scenario, before the terminal device accesses the authentication cloud service provider, the identity authentication method of the application may be executed, so that the authentication cloud service provider grants an access right to the terminal device after passing the identity authentication of the user using the terminal device. Specifically, in step S202, in the application scenario, the terminal device may submit an access request of the user to the authentication cloud service provider to a blockchain commonly maintained by the terminal device and the authentication cloud service provider, so that the blockchain sends the encrypted information of the user to the terminal device in response to the access request. The access request sent by the terminal device may carry information such as a user identifier, so that the blockchain finds encrypted information of the user stored in the blockchain when the user registers based on the information such as the user identifier.

In another application scenario, before the terminal device interacts with the authentication cloud service provider, the identity authentication method of the present application may be executed, so that the authentication cloud service provider performs information interaction with the terminal device after the authentication cloud service provider passes the identity authentication of the user using the terminal device.

In addition, if the user needs to update the password, or to retrieve it because it was forgotten, the user can input the current biometric BIOi* and the identification IDi into the terminal device, which verifies them; if verification succeeds, the terminal device may grant the user's password reset request, and the user can then enter a new password or obtain a reset password from the terminal device.

The terminal device can verify the user's current biometric BIOi* and identification IDi as follows:

the terminal device applies the reproduction function of the fuzzy extractor to the current biometric BIOi*, i.e. computes Rep(BIOi*, PF) = Bi* to obtain the current key string Bi*;

the terminal device associates the user's current key string Bi* with the user's identification IDi, i.e. computes B1* = h(IDi || Bi*) to obtain the current associated information B1*;

the terminal device verifies whether the user's current associated information B1* is consistent with the associated information B1 stored on the terminal device;

if so, it generates a new secret sn with a life cycle and, based on the new password PWi^n, generates a new A1^n using the same formula as at registration, and replaces the original A1 on the mobile device with A1^n. The password is thus updated or retrieved without any participation by a cloud service provider.
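The local password-reset flow above, with a minimal noise-tolerant fuzzy extractor standing in for Gen()/Rep(), as an added example written for this page rather than the patent's own code. The page does not specify the extractor or the A1 formula, so the example assumes a code-offset construction over a 3x repetition code on a 96-bit biometric feature vector, a key string Bi = h(k) of the recovered code bits, a 16-byte random secret s, and A1 = h(IDi || Bi || PWi || s); the biometric sample and its noisy re-capture are constructed inline.

```python
"""Added example (not from the patent): local password reset with a small
noise-tolerant fuzzy extractor. Assumed: 96-bit biometric as 12 bytes, 3x
repetition code, B_i = h(k), A1 = h(ID_i||B_i||PW_i||s)."""
import hashlib, hmac, secrets

R = 3                      # repetition factor: each key bit is stored R times
BIO_BYTES = 12             # 96 biometric bits -> 32 key bits

def h(*parts):
    return hashlib.sha256(b"||".join(parts)).digest()

def bits(b):               # bytes -> list of bits, least significant bit first
    return [(byte >> i) & 1 for byte in b for i in range(8)]

def unbits(bs):            # inverse of bits()
    return bytes(sum(bs[i + j] << j for j in range(8)) for i in range(0, len(bs), 8))

def Gen(bio):
    """Gen(BIO) -> (B, P_F): random key bits k; helper P_F = bio XOR repeat(k)."""
    k = bits(secrets.token_bytes(BIO_BYTES // R))
    code = [bit for bit in k for _ in range(R)]
    PF = unbits([x ^ y for x, y in zip(bits(bio), code)])
    return h(unbits(k)), PF

def Rep(bio_star, PF):
    """Rep(BIO*, P_F) -> B: majority-decode (bio* XOR P_F) to recover k."""
    noisy = [x ^ y for x, y in zip(bits(bio_star), bits(PF))]
    k = [int(sum(noisy[i:i + R]) * 2 > R) for i in range(0, len(noisy), R)]
    return h(unbits(k))

def enroll(ID_i, PW_i, bio):
    """What the terminal keeps after registration: P_F, B1 = h(ID_i||B_i) and A1."""
    B_i, PF = Gen(bio)
    s = secrets.token_bytes(16)                      # secret with a life cycle (assumed form)
    return {"PF": PF, "B1": h(ID_i, B_i), "A1": h(ID_i, B_i, PW_i, s)}

def reset_password(dev, ID_i, bio_star, new_PW):
    """Verify B1* == B1 locally; on success derive a fresh s_n and replace A1."""
    B_star = Rep(bio_star, dev["PF"])
    if not hmac.compare_digest(h(ID_i, B_star), dev["B1"]):
        return False                                  # biometric or ID does not match
    s_n = secrets.token_bytes(16)
    dev["A1"] = h(ID_i, B_star, new_PW, s_n)
    return True

def flip_bits(bio, positions):
    """Constructed noise: flip the given bit positions of a biometric sample."""
    out = bytearray(bio)
    for pos in positions:
        out[pos // 8] ^= 1 << (pos % 8)
    return bytes(out)

if __name__ == "__main__":
    bio = bytes(range(BIO_BYTES))                     # constructed enrollment sample
    dev = enroll(b"ID_i", b"old-password", bio)
    print("reset with noisy sample:", reset_password(dev, b"ID_i", flip_bits(bio, [0, 5, 40]), b"new-password"))
    print("reset with wrong sample:", reset_password(dev, b"ID_i", bytes(BIO_BYTES), b"new-password"))
```

Rep() corrects up to one flipped bit in every block of three, which is what lets a fresh biometric sample reproduce the same Bi*; a sample that differs in two bits of one block decodes to a different key, so h(IDi || Bi*) no longer matches the stored B1 and the reset is refused. Only PF, B1 and A1 are stored on the device, never the biometric or the raw key string. A deployment would replace the repetition code with a proper error-correcting code and secure sketch sized to the biometric's real noise rate.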

Referring to fig. 7, fig. 7 is a schematic structural diagram of an embodiment of an electronic device 20 according to the present application. The electronic device 20 of the present application includes a processor 22, and the processor 22 is configured to execute instructions to implement the method provided by any embodiment and any non-conflicting combination of the above-described user registration method based on blockchain.

The electronic device 20 may be a terminal such as a mobile phone or a notebook computer, or may be a server.

The processor 22 may also be referred to as a CPU (Central Processing Unit). The processor 22 may be an integrated circuit chip having signal processing capabilities. The processor 22 may also be a general purpose processor, a Digital Signal Processor (DSP), an Application Specific Integrated Circuit (ASIC), a Field Programmable Gate Array (FPGA) or other programmable logic device, discrete gate or transistor logic, discrete hardware components. A general purpose processor may be a microprocessor or the processor 22 may be any conventional processor or the like.

The electronic device 20 may further include a memory 21 for storing instructions and data required for operation of the processor 22.

Referring to fig. 8, fig. 8 is a schematic structural diagram of a computer-readable storage medium according to an embodiment of the present disclosure. The computer readable storage medium 30 of the embodiments of the present application stores instructions/program data 31 that when executed enable the methods provided by any of the above embodiments of the methods of the present application, as well as any non-conflicting combinations. The instructions/program data 31 may form a program file stored in the storage medium 30 in the form of a software product, so as to enable a computer device (which may be a personal computer, a server, or a network device) or a processor (processor) to execute all or part of the steps of the methods according to the embodiments of the present application. And the aforementioned storage medium 30 includes: a U-disk, a removable hard disk, a Read-Only Memory (ROM), a Random Access Memory (RAM), a magnetic disk or an optical disk, or various media capable of storing program codes, or a computer, a server, a mobile phone, a tablet, or other devices.

In the several embodiments provided in the present application, it should be understood that the disclosed system, apparatus and method may be implemented in other manners. For example, the above-described apparatus embodiments are merely illustrative, and for example, a division of a unit is merely a logical division, and an actual implementation may have another division, for example, a plurality of units or components may be combined or integrated into another system, or some features may be omitted, or not executed. In addition, the shown or discussed mutual coupling or direct coupling or communication connection may be an indirect coupling or communication connection through some interfaces, devices or units, and may be in an electrical, mechanical or other form.

In addition, functional units in the embodiments of the present application may be integrated into one processing unit, or each unit may exist alone physically, or two or more units are integrated into one unit. The integrated unit can be realized in a form of hardware, and can also be realized in a form of a software functional unit.

It should also be noted that the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or apparatus. Without further limitation, an element defined by the phrase "comprising an … …" does not exclude the presence of other identical elements in the process, method, article, or apparatus that comprises the element.

The above embodiments are merely examples and are not intended to limit the scope of the present disclosure, and all modifications, equivalents, and flow charts using the contents of the specification and drawings of the present disclosure or those directly or indirectly applied to other related technical fields are intended to be included in the scope of the present disclosure.
