Block chain-based scientific and technological service platform cross-domain identity authentication scheme

Document No. 1864730, published 2021-11-19 (original in Chinese)

Reading note: this technique, "Block chain-based scientific and technological service platform cross-domain identity authentication scheme" (基于区块链的科技服务平台跨域身份认证方案), was designed by 冯文龙, 段志豪, 黄梦醒 and 冯思玲 on 2021-07-12. Its main content is as follows. The blockchain-based cross-domain identity authentication scheme for a scientific and technological service platform comprises S1: building the architecture; S2: intra-domain authentication; S3: cross-domain authentication; and S4: mutual authentication. Users in the same domain trust each other within that domain's trust scope; the trust scopes of different domains are independent of each other and may adopt different encryption settings; the different domains are denoted domain A and domain B. When a user accesses its own domain or another domain, its identity is authenticated by an authentication server, which also sets the user's access rights; the authentication servers of domain A and domain B are denoted ASA and ASB. A user is an entity holding certain system rights, and the resource rights a user holds differ between domains. Access control of each blockchain is managed through a hierarchical, layered rights-management mechanism, and technologies such as big data and cloud computing are applied to analyse customer transaction behaviour, secure alliance-chain transactions, avoid risks and prevent illegal behaviour.

1. A blockchain-based technology service platform cross-domain identity authentication scheme, characterized by comprising S1: building an architecture, S2: intra-domain authentication, S3: cross-domain authentication, and S4: mutual authentication, wherein users in the same domain trust each other within that domain's trust scope, the trust scopes of different domains are mutually independent and may adopt different encryption settings, and the different domains are denoted domain A and domain B; a user accesses the domain where it is located or another domain, its identity is authenticated by an authentication server, and its access rights are set; the authentication servers of domain A and domain B are denoted ASA and ASB; a user is an entity holding certain system rights, and the resource rights owned by users differ between domains; a user in domain A is denoted USA and a user in domain B is denoted USB; after permission is granted, users of the different domains join the blockchain network and can interact with it; before the system runs, the public and private keys of all users in domain A and domain B are generated, the blockchain network is established, chain code is deployed, and the password setting information adopted in each domain is stored in the blockchain network; the honesty of a user is divided into five grades and consists of a subjective evaluation and an objective evaluation, wherein the subjective evaluation, performed by the user's registration domain and other domains, accounts for 70% of the comprehensive evaluation, and the objective evaluation, performed by a smart contract, accounts for 30%; Honesty lies between 0 and 1; user access rights can be set according to the user's grade, and cross-domain access is not allowed for users with low honesty.

2. The blockchain-based technology service platform cross-domain identity authentication scheme according to claim 1, wherein in step S1: all entities in domain A and domain B, including the authentication servers and all users, register and initialize their public and private keys using the encryption settings of their domain; after obtaining permission, the authentication servers ASA and ASB join the blockchain network and deploy the chain code CC into the blockchain, the chain code rules being negotiated and customized by each domain; and the domain encryption setting information (hash value, symbol, user attributes, etc.) is stored in the blockchain; in step S2: in the initial stage, every user in domain A or domain B sends an identity authentication application to the ASX of its domain to register, the encryption mode following that of the domain; after receiving and verifying the request of user USX, ASX stores or updates the user's identity information in the blockchain and registers or revokes the identity for the user in the blockchain network; in step S3: the domain-A user USA requests ASB to perform identity authentication, ASB receives the request and responds with a random number N, and USA computes (σ, h), specifically:

σ=SignA(skUAi;N)

USA sends (pkUSA, σ, h) to ASB; ASB sends the parameter tuple (Verify, σ, h, N) to the smart contract; the smart contract receives (Verify, σ, h, N) and acquires the domain password setting information; if the CC return value is null, the result "identity authentication server does not exist" is returned and the CC terminates; if the CC return value is not null, the CC executes the next step: the CC verifies the applicant's signature, i.e. verifies that the user interacting with ASB is really the owner of pkUSA, the Verify function verifying the signature over the input (N, pkUSA, σ, SignA); if signature verification fails, the Verify function returns a "signature incorrect" message to ASB and the CC terminates; if it succeeds, the CC continues with the next step and verifies the user identity information, i.e. determines the authenticity of the user's domain by confirming whether the user corresponding to the pk user identity actually belongs to domain A; under normal conditions the corresponding user information can be queried by computing HashA(pkUSA); if the CC return value is null, the user identity is illegal, the Verify function returns "domain information is not true, session user does not exist" to ASB, and the CC terminates; otherwise the next step is executed: HashX(pkASX) is checked to equal h (sent from ASB), and if it does not, the Verify function returns "domain information in session is not true" to ASB and the CC terminates; then the user state value is checked: if the user status indicates that the user identity is not currently available, the Verify function returns "session user status unavailable" to ASB and the CC terminates; otherwise the next step is executed: the CC determines the Honesty of the applicant and sets the user's cross-domain access right according to it; if the verification succeeds, the CC returns the verification information to ASB, sets the right for USA, and USA performs cross-domain access to domain B; if the verification fails, the CC returns verification failure information to USA and terminates; in step S4: USA has completed one-way authentication in the process of accessing domain B and now accesses domain-B resources according to its user rights; in some cases one-to-one mutual authentication between users such as USA and USB must be considered, and when a domain-B user accesses domain A it must be authenticated by ASA, in a manner similar to the steps above; by this method a trust chain USA → ASB → USB and USB → ASA → USA can be constructed, and a mutual trust relationship between the two domains obtained.

3. The blockchain-based technology service platform cross-domain identity authentication scheme of claim 2, wherein the intra-domain authentication comprises ASX verifying the username and password of USX; if the verification fails, ASX reports the failure to USX and terminates; if the verification succeeds, ASX checks the user state and grades the honesty of the user, and the user's rights are set by a smart contract.

4. The blockchain-based technology service platform cross-domain identity authentication scheme according to claim 3, further comprising a Honesty trust degree calculation method, wherein the Comprehensive Trust Evaluation CTE(Honesty, En, He) merges the CTEi of each trust path; if the comprehensive evaluation of the i-th trust path is CTEi(Honesty, Eni, Hei), then:

the specific merging algorithm is as follows, the weight of each path [c1, c2, …, cn] being set by domain negotiation, with 0 ≤ ci ≤ 1 and c1 + c2 + … + cn = 1:

Trust path merging algorithm:

Input: [CTE1, CTE2, …, CTEn], [c1, c2, …, cn]

Step 1:

Step 2: path comprehensive trust entropy

Step 3: access entity hyper-entropy

Output: CTE(Honesty, En, He)

For the subjective comprehensive trust Honesty, the trust of each trust path is merged on the basis of the m trust paths. The maximum trust level of a trust path, max, is the security level of the application itself when it joins the alliance blockchain. From the perspective of information security, an application with a low security level may not give an evaluation value higher than the security level of its own identity system, and in the present invention max takes the value 0, 0.25, 0.5, 0.75 or 1 according to the corresponding identity security level. The weight ci of each trust path lies in the range [0, 1] and is set by the identity management domain. A trust domain with a low security level generally takes a correspondingly low value, while an application with a high security level can increase the weight of low-risk paths and reduce the weight of high-risk paths according to the risk evaluation value.

Technical Field

The invention belongs to the technical field of MOUMOU, and particularly relates to a block chain-based cross-domain identity authentication scheme of a scientific and technological service platform.

Background

The development of the internet has brought people into the information age. Identity authentication is widely applied on the internet as the means of determining a user's identity; by determining the identity, the system can confirm which resources the user may use and whether the user holds certain usage rights. In network identity verification, however, entities belong to different trust domains, identity authentication management systems differ in mode from one trust domain to another, and different types of identity authentication networks are formed. The identity management systems are therefore difficult to interconnect, and user identities in different domains are difficult to authenticate mutually, which brings many difficulties to the integration of cyberspace.

At present, unified identity authentication is one of the standards urgently needed for the construction and operation of scientific and technological platforms, and is also a basic standard for guaranteeing the information security of scientific and technological resources. Numerous such platforms are currently being built and operated, each developed according to the characteristics of its own professional resources, and their identity authentication modes differ; as a result user identities cannot be shared, users of the platforms log in repeatedly, resource access permissions are disordered, and the efficiency of platform resource sharing and information security are seriously affected. The blockchain can provide a unified, standard authentication process for each platform, guarantee the security of user information, solve the problem of trust transfer in cross-domain applications and, combined with the cryptographic mechanisms of the blockchain, protect the private identity information of entities and effectively supervise identity management systems and user behaviour.

The present invention has been made in view of this situation.

Disclosure of Invention

In order to solve the technical problems, the invention adopts the technical scheme that:

the blockchain-based technical service platform cross-domain identity authentication scheme comprises S1: building an architecture, S2: intra-domain authentication, S3: cross-domain authentication, and S4: mutual authentication, wherein users in the same domain trust each other within that domain's trust scope, the trust scopes of different domains are mutually independent and may adopt different encryption settings, and the different domains are denoted domain A and domain B; a user accesses the domain where it is located or another domain, its identity is authenticated by an authentication server, and its access rights are set; the authentication servers of domain A and domain B are denoted ASA and ASB; a user is an entity holding certain system rights, and the resource rights owned by users differ between domains; a user in domain A is denoted USA and a user in domain B is denoted USB; after permission is granted, users of the different domains join the blockchain network and can interact with it; before the system runs, the public and private keys of all users in domain A and domain B are generated, the blockchain network is established, chain code is deployed, and the password setting information adopted in each domain is stored in the blockchain network; the honesty of a user is divided into five grades and consists of a subjective evaluation and an objective evaluation, wherein the subjective evaluation, performed by the user's registration domain and other domains, accounts for 70% of the comprehensive evaluation, and the objective evaluation, performed by a smart contract, accounts for 30%; Honesty lies between 0 and 1; user access rights can be set according to the user's grade, and cross-domain access is not allowed for users with low honesty.

Compared with the prior art, the invention has the following beneficial effects:

the invention provides a cross-domain identity authentication scheme for a scientific and technological service platform which sets access rights for cross-domain users on the basis of trust evaluation and uses a smart contract to make the judgement. It can effectively solve problems such as the disordered management of user identity information on current scientific and technological service platforms; access control of each blockchain is managed through a hierarchical, layered rights-management mechanism; and technologies such as big data and cloud computing are applied to analyse customer transaction behaviour, secure alliance-chain transactions, avoid risks and prevent illegal behaviour.

The following describes embodiments of the present invention in further detail with reference to the accompanying drawings.

Drawings

In the drawings:

FIG. 1 is a block chain-based cross-domain identity federation architecture;

FIG. 2 is a diagram of a cross-domain identity authentication model;

FIG. 3 is a flow diagram of the cross-domain authentication scheme.

Detailed Description

In order to make the objects, technical solutions and advantages of the embodiments of the present invention clearer, the technical solutions in the embodiments will be clearly and completely described below with reference to the drawings in the embodiments of the present invention, and the following embodiments are used to illustrate the present invention.

As shown in FIG. 1 to FIG. 3, a blockchain-based technology service platform cross-domain identity authentication scheme:

aiming at the problem of effectively supervising the cross-domain alliance chain for scientific and technological service transactions, an alliance-chain transaction monitoring system based on rights management and authorization authentication is studied. A blockchain system architecture is constructed to guarantee the maintenance and supervision of the alliance-chain operating mechanism based on blockchain transactions and cross-domain identity authentication; the security and authenticability of each node are guaranteed through authorization authentication; the correspondence between user identities and transactions is completed through a registration centre, realizing full-life-cycle management of the alliance chain, ensuring that alliance-chain transactions are traceable, reducing the cost of KYC and AML and improving supervision efficiency; user identities are authenticated and managed through an authentication centre, which issues personal digital certificates to secure transactions; access control of each blockchain is managed through a hierarchical, layered rights-management mechanism; and technologies such as big data and cloud computing are applied to analyse customer transaction behaviour, secure alliance-chain transactions, avoid risks and prevent illegal behaviour such as double-spending attacks and fraudulent transactions.

The invention constructs a cross-domain authentication system model based on the alliance chain, which is responsible for the unified identity credentials of the entities of alliance users, provides a cross-domain trust transfer service mechanism and a user identity management system, and provides cross-domain identity authentication trust services for the members of the alliance chain. In the system, the identity management systems of the alliance-chain members are mutually independent, and information is transmitted and exchanged through a server interface. The system consists of domains, authentication servers, users and the blockchain network. The blockchain uses digital certificates and cryptographic services conforming to national standards to provide certificate, key, hash calculation, encryption/decryption and signature verification services to users. It can provide identity attribute verification for different users and protect their privacy.

The invention introduces a comprehensive trust evaluation system for cross-domain user access, which performs a comprehensive credit evaluation of the different users of each domain so as to determine their access rights during cross-domain access. At the same time, the security levels of applications joining the alliance chain are automatically matched and classified by smart contracts, so that malicious attack events during cross-domain access can be prevented to a certain extent.

Domain: the trust scope within which users of the same domain trust each other. The trust scopes of different domains are independent of each other and may adopt different encryption settings. The different domains are denoted domain A and domain B.

Authentication server: when a user accesses the domain where it is located or another domain, its identity is authenticated by the authentication server, which sets the user's access rights. The authentication servers of domain A and domain B are denoted ASA and ASB.

User: an entity holding certain system rights, whose resource rights differ between domains. Users in domain A are denoted USA and users in domain B are denoted USB.

Blockchain: after permission is granted, users of different domains join the blockchain network and can interact with it.

Before the system runs, public and private keys of all users in the domain A and the domain B are generated, a block chain network is established, chain codes are deployed, and password setting mode information adopted in each domain is stored in the block chain network.

The honesty of a user is divided into five grades and consists of a subjective evaluation and an objective evaluation, wherein the subjective evaluation, performed by the user's registration domain and other domains, accounts for 70% of the comprehensive evaluation, and the objective evaluation, performed by a smart contract, accounts for 30%; Honesty ∈ (0, 1). User access rights can be set according to the user's grade, and cross-domain access is not allowed for users with low Honesty.

1. Architecture

Step 1: public-private key generation

All entities in the domain A and the domain B, including the authentication server and all users, register, and respectively initialize public and private keys thereof by adopting encryption settings adopted in the domain.

Step 2: establishing block chain network and deploying chain code

After obtaining permission, the authentication servers ASA and ASB join the blockchain network and deploy the chain code CC into the blockchain. The chain code rules are negotiated and customized by each domain.

Step 3: storing domain encryption setting information in the blockchain

Domain encryption setting information (hash value, symbol, user attribute, etc.) is stored into the blockchain.

2. Intra-domain authentication

Step 1: Registration: in the initial stage, every user in domain A or domain B sends an identity authentication application to the ASX of its domain to register. The encryption mode follows the intra-domain encryption mode.

Step 2: Verification: upon receiving and authenticating a request from user USX, ASX stores or updates the user's identity information in the blockchain and registers or revokes the identity for the user in the blockchain network.

ASX verifies the username and password of USX.

If the verification fails, ASX reports the failure to USX and terminates; if the verification succeeds, ASX checks the user state and grades the honesty of the user, and the user's rights are set by a smart contract.

3. Cross-domain authentication

Step 1: the domain-A user USA requests ASB to carry out identity authentication;

Step 2: ASB receives the user request and responds with a random number N;

Step 3:

1) USA computes (σ, h):

σ=SignA(skUAi;N)

2) USA sends (pkUSA, σ, h) to ASB;

Step 4: ASB sends the parameter tuple (Verify, σ, h, N) to the smart contract;

Step 5:

1) The smart contract receives (Verify, σ, h, N) and acquires the domain password setting information. If the CC return value is null, the result "identity authentication server does not exist" is returned and the CC terminates. If the CC return value is not null, the CC executes the next step;

2) the CC verifies the applicant's signature, i.e. verifies that the user interacting with ASB is indeed the owner of pkUSA; the Verify function verifies the signature over the input (N, pkUSA, σ, SignA);

3) if the signature verification fails, the Verify function returns a "signature incorrect" message to ASB and then terminates the CC. If the signature verification succeeds, the CC continues to execute the next step;

4) the user identity information is verified, that is, the authenticity of the user's domain is determined by confirming whether the user corresponding to the pk user identity actually belongs to domain A; under normal conditions the corresponding user information can be queried by computing HashA(pkUSA). If the CC return value is null, the user identity is illegal: the Verify function returns "domain information is not true, session user does not exist" to ASB and the CC terminates. Otherwise the next step is executed.

Check HashX(pkASX) = h (sent from ASB); if they differ, the Verify function returns "domain information in session is not true" to ASB and then terminates the CC.

Check the user state value: if the user status is "false", indicating that the user identity is not currently available, the Verify function returns "session user status is not available" to ASB and then terminates the CC.

Otherwise the next step is executed.

The CC judges the Honesty of the applicant and sets the user's cross-domain access right according to the Honesty;

5) if the verification succeeds, the CC returns the verification information to ASB, sets the right for USA, and USA carries out cross-domain access to domain B;

6) if the verification fails, the CC returns verification failure information to USA and terminates the CC.
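The following Go program is an added example, not code from the patent: it simulates steps 1 to 5 of the cross-domain authentication against a constructed in-memory ledger, with the chain code's Verify branch applying the checks in the order given above. Ed25519 stands in for SignA, SHA-256 for HashX, and the ledger layout, the claimed-domain parameter, the equal-width honesty-grade bands and the failure message for a low grade are assumptions.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// Constructed stand-ins for chain state: HashX(pkASX) per domain (S1 step 3) and
// the user identities written by ASX at S2. Field names are assumed for this example.
type userRecord struct {
	Domain  string  // registration domain, "A" or "B"
	Active  bool    // user state value; false = identity not currently available
	Honesty float64 // comprehensive trust value in [0, 1]
}
type ledger struct {
	asKeyHash map[string]string     // domain -> HashX(pkASX)
	users     map[string]userRecord // HashX(pkUSX) -> record
}

// hashKey plays the role of HashX(pk): SHA-256 of the raw public key, hex encoded.
func hashKey(pk ed25519.PublicKey) string {
	sum := sha256.Sum256(pk)
	return hex.EncodeToString(sum[:])
}

// honestyGrade maps Honesty to the five grades; equal-width bands are an assumption.
func honestyGrade(honesty float64) int {
	if honesty >= 1 {
		return 5
	}
	return int(honesty*5) + 1
}

// verifyCrossDomain is the Verify branch of CC at step 5: ASB forwards (σ, h, N) with
// the applicant's pkUSA and claimed home domain; it returns CC's reply and the decision.
func verifyCrossDomain(l *ledger, domain string, pkUSA ed25519.PublicKey, sigma []byte, h string, n []byte) (string, bool) {
	storedASHash, ok := l.asKeyHash[domain] // domain password setting information
	if !ok {
		return "identity authentication server does not exist", false
	}
	if !ed25519.Verify(pkUSA, n, sigma) { // is the caller really the owner of pkUSA?
		return "signature incorrect", false
	}
	rec, ok := l.users[hashKey(pkUSA)] // query the user record by HashA(pkUSA)
	if !ok || rec.Domain != domain {
		return "domain information is not true, session user does not exist", false
	}
	if storedASHash != h { // HashX(pkASX) must equal the h carried in the session
		return "domain information in session is not true", false
	}
	if !rec.Active {
		return "session user status unavailable", false
	}
	grade := honestyGrade(rec.Honesty) // CC sets the cross-domain right from Honesty
	if grade == 1 {
		return "verification failed: honesty grade too low for cross-domain access", false
	}
	return fmt.Sprintf("verified: cross-domain access granted at honesty grade %d", grade), true
}

// runExchange walks steps 1-5 for one USA -> ASB request against a constructed ledger.
func runExchange(active bool, honesty float64, tamperHash bool) (string, bool) {
	pkASA, _, _ := ed25519.GenerateKey(rand.Reader)     // S1 step 1: ASA key pair
	pkUSA, skUSA, _ := ed25519.GenerateKey(rand.Reader) // S1 step 1: USA key pair
	l := &ledger{
		asKeyHash: map[string]string{"A": hashKey(pkASA)},
		users:     map[string]userRecord{hashKey(pkUSA): {Domain: "A", Active: active, Honesty: honesty}},
	}
	n := make([]byte, 32)
	rand.Read(n)                    // step 2: ASB answers the request with random number N
	sigma := ed25519.Sign(skUSA, n) // step 3: σ = SignA(skUSA; N)
	h := hashKey(pkASA)             // step 3: h = HashA(pkASA), USA's home-domain server
	if tamperHash {
		h = "forged" // a user misrepresenting its home domain
	}
	return verifyCrossDomain(l, "A", pkUSA, sigma, h, n) // steps 4-5
}
```

Because the nonce N is chosen by ASB per request, a captured (σ, h) cannot be replayed against a later challenge, which is why the signature check precedes every ledger lookup.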

4. Mutual authentication

One-way authentication has been completed while USA accessed domain B, and USA can now access domain-B resources according to its user rights. In some cases, one-to-one mutual authentication between users, e.g. USA and USB, must be considered.

When a domain-B user accesses resources in domain A, it must be authenticated by ASA in a process similar to the steps above. By this method a trust chain USA → ASB → USB and USB → ASA → USA can be constructed, and a mutual trust relationship between the two domains obtained.

5. Method for calculating Honesty trust

When the scientific and technological service platform carries out cross-domain service authentication, the method needs to synthesize the comprehensive evaluations of multiple domains for the Honesty of the user so as to ensure the objectivity of the evaluation. The Comprehensive Trust Evaluation CTE(Honesty, En, He) merges the CTEi of each trust path; if the comprehensive evaluation of the i-th trust path is CTEi(Honesty, Eni, Hei), then:

the specific merging algorithm is as follows, the weight of each path [c1, c2, …, cn] being set by domain negotiation, with 0 ≤ ci ≤ 1 and c1 + c2 + … + cn = 1:

Trust path merging algorithm:

Input: [CTE1, CTE2, …, CTEn], [c1, c2, …, cn]

Step 1:

Step 2: path comprehensive trust entropy

Step 3: access entity hyper-entropy

Output: CTE(Honesty, En, He)

For the subjective comprehensive trust Honesty, the trust of each trust path is merged on the basis of the m trust paths. The maximum trust level of a trust path, max, is the security level of the application itself when it joins the alliance blockchain. From the perspective of information security, an application with a low security level may not give an evaluation value higher than the security level of its own identity system, and in the present invention max takes the value 0, 0.25, 0.5, 0.75 or 1 according to the corresponding identity security level. The weight ci of each trust path lies in the range [0, 1] and is set by the identity management domain. A trust domain with a low security level generally takes a correspondingly low value, while an application with a high security level can increase the weight of low-risk paths and reduce the weight of high-risk paths according to the risk evaluation value.
