CN108881471B - Union-based whole-network unified trust anchor system and construction method - Google Patents

Union-based whole-network unified trust anchor system and construction method Download PDF

Info

Publication number
CN108881471B
CN108881471B CN201810743031.4A CN201810743031A CN108881471B CN 108881471 B CN108881471 B CN 108881471B CN 201810743031 A CN201810743031 A CN 201810743031A CN 108881471 B CN108881471 B CN 108881471B
Authority
CN
China
Prior art keywords
trust
server
terminal
level
root
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active
Application number
CN201810743031.4A
Other languages
Chinese (zh)
Other versions
CN108881471A (en
Inventor
蒋文保
史博轩
章峰
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Beijing Information Science and Technology University
Original Assignee
Beijing Information Science and Technology University
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Beijing Information Science and Technology University filed Critical Beijing Information Science and Technology University
Priority to CN201810743031.4A priority Critical patent/CN108881471B/en
Priority to PCT/CN2018/115239 priority patent/WO2020010767A1/en
Publication of CN108881471A publication Critical patent/CN108881471A/en
Application granted granted Critical
Publication of CN108881471B publication Critical patent/CN108881471B/en
Active legal-status Critical Current
Anticipated expiration legal-status Critical

Links

Images

Classifications

    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L67/00Network arrangements or protocols for supporting network services or applications
    • H04L67/01Protocols
    • H04L67/10Protocols in which an application is distributed across nodes in the network
    • H04L67/1097Protocols in which an application is distributed across nodes in the network for distributed storage of data in networks, e.g. transport arrangements for network file system [NFS], storage area networks [SAN] or network attached storage [NAS]
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/06Network architectures or network communication protocols for network security for supporting key management in a packet data network
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/08Network architectures or network communication protocols for network security for authentication of entities
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/08Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L9/0894Escrow, recovery or storing of secret information, e.g. secret key escrow or cryptographic key storage

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer And Data Communications (AREA)
  • Storage Device Security (AREA)

Abstract

The invention provides a federation-based whole-network unified trust anchor system and a construction method thereof, wherein the system comprises: the system comprises a federation area, a first server and a second server, wherein the federation area comprises n root-of-trust servers, and all the root-of-trust servers are connected with each other; each top level trust server set is connected with one trust root server and comprises m top level trust servers which are connected with the same trust root server; the system comprises n-m permission trust server sets, wherein each permission trust server set is connected with a top level trust server, each permission trust server set comprises j permission trust servers, and the j permission trust servers are connected with the same top level trust server; and n, m and j terminal sets, wherein each terminal set is connected with one authority trust server, each terminal set comprises i terminals, and the i terminals are connected with the same authority trust server.

Description

Union-based whole-network unified trust anchor system and construction method
Technical Field
The invention relates to the field of communication, in particular to a whole network unified trust anchor system based on alliances and a construction method thereof.
Background
Because the existing TCP/IP protocol does not have the intrinsic safety mechanisms such as address authenticity identification and the like, the attack source and the identity of an attacker are difficult to trace. The routing equipment forwards the packet based on the destination address, the source of the data packet is not verified, a large amount of attack behaviors based on address forgery cannot be tracked, a large amount of attacks such as source address spoofing, routing hijacking, service denial and the like are caused, and the safety of the network is seriously threatened. The problem of network naming security including address security is solved, and the establishment of a secure and credible internet environment becomes an important problem to be solved urgently.
In the area of network naming security research, cryptography-based address security mechanisms are gaining increasing attention, including certificate-based public key cryptography mechanisms and self-authentication mechanisms. Under a public key cryptosystem, a public key digital signature technology needs to bind an entity identity and a public key by relying on a CA (certificate authority) issued by a Public Key Infrastructure (PKI) so as to ensure the authenticity of the entity public key. The user public key and the user identity are bound in the form of a public key certificate, and a mature scheme for solving the network security problem is formed. However, PKI comes at a cost in management, storage and computation of certificates by introducing a trusted third party CA: firstly, the process is complex, such as the issuance, the release, the acquisition, the verification, the revocation and the like of the certificate; secondly, an online certificate directory is needed to provide certificate downloading and state query services for a user at any time, so that maintenance cost is increased; thirdly, if the communication objects of the user are more, the user must locally store and manage the certificates, thereby increasing the use overhead of the user side; fourthly, the problem of large-scale key management is that a method of physically adding CA is generally adopted, and cross authentication and trust management also exist among users of each CA.
With the rapid development of mobile internet and internet of things, the number of sensors, wearable devices and intelligent terminals accessing the internet is increased dramatically, the number of public keys required by entity authentication is huge, and how to realize the management of efficient public keys and how to obtain the public key of the other party by a remote communication entity and ensure the authenticity of the public key becomes a challenge and is also an important problem related to whether the internet architecture can fall to the ground or not in the future.
Disclosure of Invention
The invention aims to overcome at least one of the defects and provides a federation-based whole-network unified trust anchor system and a construction method thereof so as to realize efficient management of public keys.
In order to achieve the purpose, the technical scheme of the invention is realized as follows:
one aspect of the present invention provides a federation-based global unified trust anchor system, comprising: the system comprises a federation area, a first server and a second server, wherein the federation area comprises n root-of-trust servers, and all the root-of-trust servers are connected with each other; each top level trust server set is connected with one trust root server and comprises m top level trust servers which are connected with the same trust root server; the system comprises n-m permission trust server sets, wherein each permission trust server set is connected with a top level trust server, each permission trust server set comprises j permission trust servers, and the j permission trust servers are connected with the same top level trust server; the system comprises n x m x j terminal sets, wherein each terminal set is connected with an authority trust server and comprises i terminals which are connected with the same authority trust server; each trust root server is used for storing names and public key information of all the trust root servers, storing names, addresses and public key information of all the top-level trust servers and signing and issuing certificates, and the information stored by each trust root server is completely the same, and the consistency of the stored information is ensured through a consensus algorithm; each top-level trust server is used for storing the public key information of the top-level trust server and storing the name, the address and the public key information of the authority trust server connected with the top-level trust server; each authority trust server is used for storing the public key information of the authority trust server and storing the name, the address and the public key information of the terminal connected with the authority trust server.
In addition, each top-level trust server set is connected with all the trust root servers, each top-level trust server set comprises m top-level trust servers, and the m top-level trust servers are connected with each trust root server.
In addition, the top trust server is also used for sending a change request to a trust root server connected with the top trust server; the trust root server is also used for proposing a changed resolution to the alliance area, responding to a change request of the top-level trust server in the trust root server after the resolution passes according to a preset resolution strategy, and updating data stored in all the trust root servers in the alliance area through a consensus algorithm; and the top-level trust server is also used for executing change operation.
In addition, the trust root server is also used for proposing a changed resolution in the alliance, changing own data after the resolution passes according to a preset resolution strategy, and updating data stored in all the trust root servers in the alliance area through a consensus algorithm.
In addition, the terminal is also used for sending a query request for the opposite terminal to the authority trust server connected with the terminal; the authority trust server is also used for sending a query request to a top level trust server connected with the authority trust server after the relevant information of the opposite terminal is not queried; the top-level trust server is also used for sending a query request to the trust root server connected with the top-level trust server after the relevant information of the opposite terminal is not queried; and the trust root server is also used for sending a query request to the trust root server where the opposite terminal connected with the trust root server is located when the related information of the opposite terminal is not queried, receiving the related information of the opposite terminal, which is obtained by querying through the trust root server where the opposite terminal is located and the authority trust server where the opposite terminal is located sequentially through the top level trust server where the opposite terminal is located and the authority trust server where the opposite terminal is located, and sending the related information of the opposite terminal, which is obtained by querying, to the terminal through the top level trust server and the authority trust server.
In addition, the terminal is also used for sending an authentication request for the opposite terminal to the authority trust server connected with the terminal; the authority trust server is also used for sending an authentication request to a top level trust server connected with the authority trust server after the authentication information of the opposite terminal is not inquired; the top-level trust server is also used for sending a query request to the trust root server connected with the top-level trust server after the authentication information of the opposite terminal is not queried; and the trust root server is also used for sending a query request to the trust root server where the opposite terminal connected with the trust root server is located when the authentication information of the opposite terminal is not queried, receiving the authentication information of the opposite terminal obtained by querying through the trust root server where the opposite terminal is located, and sending the authentication information to the terminal through the top-level trust server and the authority trust server.
In addition, the terminal is also used for sending an authentication request for the opposite terminal to the authority trust server connected with the terminal; the authority trust server is also used for sending an authentication request to a top level trust server connected with the authority trust server after the authentication information of the opposite terminal is not inquired; the top-level trust server is also used for sending a query request to the trust root server connected with the top-level trust server after the authentication information of the opposite terminal is not queried; and the trust root server is also used for sending a query request to the trust root server where the opposite terminal connected with the trust root server is located when the authentication information of the opposite terminal is not queried, receiving the authentication information of the opposite terminal, which is obtained by querying through the trust root server where the opposite terminal is located and the authority trust server where the opposite terminal is located sequentially through the top level trust server where the opposite terminal is located and the authority trust server where the opposite terminal is located, and sending the queried authentication information of the opposite terminal to the terminal through the top level trust server and the authority trust server.
The invention also provides a construction method of the whole network unified trust anchor based on the alliance, which comprises the following steps: the method comprises the steps of constructing a alliance area, configuring the alliance area to comprise n trust root servers, wherein the trust root servers are connected with one another, each trust root server stores the name and public key information of all the trust root servers, stores the name, address and public key information of all top-level trust servers and is used for issuing a certificate, the information stored by each trust root server is completely the same, and the consistency of the stored information is ensured through a consensus algorithm; the method comprises the steps that n top-level trust server sets are built and configured in such a way that each top-level trust server set is connected with a trust root server, each top-level trust server set comprises m top-level trust servers, the m top-level trust servers are connected with the same trust root server, and each top-level trust server stores own public key information and stores the name, address and public key information of an authority trust server connected with the top-level trust server; constructing n x m authority trust server sets, configuring that each authority trust server set is connected with a top level trust server, each authority trust server set comprises j authority trust servers, the j authority trust servers are connected with the same top level trust server, and each authority trust server stores the own public key information and stores the name, the address and the public key information of a terminal connected with the authority trust server; and constructing n m j terminal sets, configuring that each terminal set is connected with one authority trust server, wherein each terminal set comprises i terminals, and the i terminals are connected with the same authority trust server.
In addition, the method further comprises: and configuring each top-level trust server set to be connected with all the trust root servers, wherein each top-level trust server set comprises m top-level trust servers, and the m top-level trust servers are connected with each trust root server.
In addition, the method further comprises: a change flow of the top-level trust server; the changing process of the top-level trust server comprises the following steps: the top-level trust server sends a change request to a trust root server connected with the top-level trust server; the trust root server puts forward a changed resolution to the alliance area, responds to a change request of a top-level trust server in the trust root server after the resolution passes according to a preset resolution strategy, and updates data stored in all the trust root servers in the alliance area through a consensus algorithm; the top level trust server performs the change operation.
In addition, the method further comprises: and (3) changing process of the trust root server: the change process of the trust root server comprises the following steps: and the trust root server puts forward a changed resolution in the alliance, changes own data after the resolution passes according to a preset resolution strategy, and updates the data stored in all the trust root servers in the alliance area through a consensus algorithm.
In addition, the method further comprises: and (3) a terminal query process: the inquiry process of the terminal comprises the following steps: the terminal sends a query request to an authority trust server connected with the terminal to an opposite terminal; after the authority trust server does not inquire the related information of the opposite terminal, the authority trust server sends an inquiry request to a top level trust server connected with the authority trust server; after the top-level trust server does not inquire the relevant information of the opposite terminal, the top-level trust server sends an inquiry request to a trust root server connected with the top-level trust server; when the related information of the opposite terminal is not inquired by the trust root server, an inquiry request is sent to the trust root server where the opposite terminal connected with the trust root server is located, the related information of the opposite terminal obtained by inquiring the trust root server where the opposite terminal is located through the top level trust server where the opposite terminal is located and the authority trust server where the opposite terminal is located which are connected with the trust root server in sequence, and the related information of the opposite terminal obtained by inquiring is sent to the terminal through the top level trust server and the authority trust server.
In addition, the method further comprises: an authentication process of the terminal; the authentication process of the terminal comprises the following steps: the terminal is also used for sending an authentication request to the opposite terminal to the authority trust server connected with the terminal; the authority trust server is also used for sending an authentication request to a top level trust server connected with the authority trust server after the authentication information of the opposite terminal is not inquired; the top-level trust server is also used for sending a query request to the trust root server connected with the top-level trust server after the authentication information of the opposite terminal is not queried; and the trust root server is also used for sending a query request to the trust root server where the opposite terminal connected with the trust root server is located when the authentication information of the opposite terminal is not queried, receiving the authentication information of the opposite terminal obtained by querying through the trust root server where the opposite terminal is located, and sending the authentication information to the terminal through the top-level trust server and the authority trust server.
In addition, the method further comprises: an authentication process of the terminal; the authentication process of the terminal comprises the following steps: the terminal is also used for sending an authentication request to the opposite terminal to the authority trust server connected with the terminal; the authority trust server is also used for sending an authentication request to a top level trust server connected with the authority trust server after the authentication information of the opposite terminal is not inquired; the top-level trust server is also used for sending a query request to the trust root server connected with the top-level trust server after the authentication information of the opposite terminal is not queried; and the trust root server is also used for sending a query request to the trust root server where the opposite terminal connected with the trust root server is located when the authentication information of the opposite terminal is not queried, receiving the authentication information of the opposite terminal, which is obtained by querying through the trust root server where the opposite terminal is located and the authority trust server where the opposite terminal is located sequentially through the top level trust server where the opposite terminal is located and the authority trust server where the opposite terminal is located, and sending the queried authentication information of the opposite terminal to the terminal through the top level trust server and the authority trust server.
According to the technical scheme provided by the invention, the alliance trust anchor exists in a decentralized form, the data of all trust root servers in an alliance region are ensured to be consistent through a consensus algorithm, the whole network unified trust anchor is established in an alliance, and public keys are managed together.
Drawings
In order to more clearly illustrate the technical solutions of the embodiments of the present invention, the drawings needed to be used in the description of the embodiments are briefly introduced below, and it is obvious that the drawings in the following description are only some embodiments of the present invention, and it is obvious for those skilled in the art to obtain other drawings based on the drawings without creative efforts.
Fig. 1 is a schematic structural diagram of a trust model provided in an embodiment of the present invention;
FIG. 2 is a schematic structural diagram of a federation-based global unified trust anchor system according to an embodiment of the present invention;
fig. 3 is a flowchart of a federation-based full-text unified trust anchor system and a construction method according to an embodiment of the present invention.
Detailed Description
Embodiments of the present invention will be described in detail below with reference to the accompanying drawings.
The basis for building the trust model is that all trusted users have a trusted root. In the trust model, as shown in FIG. 1, this is a simple three-tier trust structure, which is a chain trust relationship, such as trusted entity A1 can be represented as such a chain of trust: (R, C1, A1) states that the root of trust R that produced it can be traced back up from A1. There is one root node R as the starting point of trust, and this point of establishing a trust relationship is called a trust anchor. The trust path of the model is formed by the path from the root node to the leaf node.
In the invention, a mode of establishing a alliance trust anchor is adopted, as shown in figure 2, each country has one trust root server (data are consistent), and each country is managed by each country depending on the sub-cluster of the trust root server of each country. The root of trust server is maintained by the country to which it belongs. The federation region consists of the root-of-trust servers of minimum depth. All the root-of-trust servers in the federation region form an undirected graph. All root-of-trust servers have a physical link between them and can communicate with each other. The root server node of trust, shown as A, X, Y, Z in FIG. 2, constitutes a federation region.
Specifically, the federation-based global unified trust anchor system provided by the embodiment of the present invention includes:
a federation area including n root-of-trust servers (shown as A, X, Y, Z), each root-of-trust server interconnected;
each top trust server set comprises m top trust servers (shown as B1 and B2 … …), and the m top trust servers are connected with the same trust root server;
n x m sets of authority trust servers, each set of authority trust servers is connected with a top level trust server, each set of authority trust servers comprises j authority trust servers (as shown in the figure, C1, C2 … … or C3 and C4 … …), and the j authority trust servers are connected with the same top level trust server;
n m j terminal sets, each terminal set is connected with one authority trust server, each terminal set comprises i terminals (as shown in the figure, D1, D2 … … or D3, D4 … … or D5 and D6 … …), and the i terminals are connected with the same authority trust server;
wherein,
each trust root server is used for storing the names and public key information of all the trust root servers, storing the names, addresses and public key information of all the top-level trust servers and signing and issuing certificates, and the information stored by each trust root server is completely the same, and the consistency of the stored information is ensured through a consensus algorithm;
each top-level trust server is used for storing the public key information of the top-level trust server and storing the name, the address and the public key information of the authority trust server connected with the top-level trust server;
each authority trust server is used for storing the public key information of the authority trust server and storing the name, the address and the public key information of the terminal connected with the authority trust server.
Specifically, the federation trust anchor exists in a decentralized form, the data of each trust root server in a federation area is ensured to be consistent through a consensus algorithm, a whole-network unified trust anchor is established in the federation, and a public key is managed together. The consensus algorithm is determined according to specific situations, for example, an Epaxos consensus algorithm can be adopted, in a federation area, the master rights among nodes are equal, each node is only responsible for the work of the node, and the application, modification or binding of information of other top-level trust servers is forbidden in principle. Among the sub-clusters, various countries may assume, for example, multi-paxos-based cluster management. In the alliance area, the rights of all alliance nodes are equal, so that a leader role is not set.
Each trust root server in the alliance area adopts an asymmetric encryption mode and has a public key of other trust root servers, and public key updating, inquiry and authentication processes between terminal bodies need to pass through an alliance resolution. The name, address and public key information of all top-level trust servers are stored in each trust root server, and the data specifically stored by each server is shown in the following table.
Examples of data stored on the root trust server:
Figure BDA0001723676570000061
Figure BDA0001723676570000071
numbering Root Server name Root server public key
1 A Public Key 1
2 X Public Key 2
3 Y Public Key 3
4 Z Public Key 4
5
Data examples stored on the top level trust server (with its own public key also stored on the top level server):
numbering Authority server name Authority server address information Authority server public key
1 C1 addr1 Public Key 1
2 C2 addr2 Public Key 2
3
Examples of data stored on the rights trust server (the rights server also stores its own public key):
numbering Terminal entity name Terminal entity address information Terminal entity public key
1 D1 addr1 Public Key 1
2 D2 addr2 Public Key 2
3 …… ……
As an optional embodiment of the invention, each top-level trust server set is connected with all the trust root servers, each top-level trust server set comprises m top-level trust servers, and the m top-level trust servers are connected with each trust root server. Therefore, the top-level trust server can be connected with any trust root server and perform data transmission.
As an optional embodiment of the present invention, the top-level trust server is further configured to send a change request to a root-of-trust server connected thereto; the trust root server is also used for proposing a changed resolution to the alliance area, responding to a change request of the top-level trust server in the trust root server after the resolution passes according to a preset resolution strategy, and updating data stored in all the trust root servers in the alliance area through a consensus algorithm; and the top-level trust server is also used for executing change operation. In this way, the top-level root of trust server can apply for change to the root of trust server connected with the top-level root of trust server, and after the root of trust server connected with the top-level root of trust server receives and changes the root of trust server, a resolution is performed in the alliance area, and only after the resolution passes in the alliance area, the change operation can be performed, and meanwhile, all the root of trust servers in the alliance area perform the same modification through a consensus algorithm, so that the consistency of data is ensured.
Specifically, when the public key needs to be updated in the top-level trust server B1, the specific process includes:
1. the top trust server B1 sends a request to its upper trust root server a to update the public key.
2. The root-of-trust server a proposes a resolution to the federation interior to update the public key.
3. After the resolution passes, the public key of the top level trust server B1 is updated in the root of trust server a. And realizing the consistency of data in each trust root server through a consensus algorithm.
4. The top level trust server B1 updates its public key.
When the public key needs to be updated in the terminal entity D1, the specific process includes:
1. terminal entity D1 sends a request to its superior authority trust server C1 to update the public key.
2. After the audit is passed, the public key of the terminal entity D1 is updated in the authority trust server C1.
3. Terminal entity D1 updates its public key.
When the public key needs to be updated in the rights trust server C1, the specific process includes:
1. the authority trust server C1 sends a request to its upper top level trust server B1 to update the public key.
2. After the audit is passed, the public key of the authority trust server C1 is updated in the top level trust server B1.
3. The rights trust server C1 updates its public key.
As an optional embodiment of the present invention, the root of trust server is further configured to propose a changed resolution in the federation, change data of the root of trust server according to a preset resolution policy after the resolution passes, and update data stored in all root of trust servers in the federation area through a consensus algorithm. In this way, if a certain trust root server in the alliance region needs to change data, a resolution is performed in the alliance region, only after the resolution in the alliance region passes, the change operation can be performed, and meanwhile, all the trust root servers in the alliance region perform the same modification through a consensus algorithm, so that the consistency of the data is ensured.
Specifically, when the public key needs to be updated in the root of trust server a, the specific process includes:
1. the root-of-trust server a proposes a resolution within the federation to update the public key.
2. After the resolution passes, the trust root server A updates its own public key. And realizing the consistency of data in each trust root server through a consensus algorithm.
As an optional implementation manner of the present invention, the terminal is further configured to send a query request to the peer terminal to the authority trust server connected thereto; the authority trust server is also used for sending a query request to a top level trust server connected with the authority trust server after the relevant information of the opposite terminal is not queried; the top-level trust server is also used for sending a query request to the trust root server connected with the top-level trust server after the relevant information of the opposite terminal is not queried; and the trust root server is also used for sending a query request to the trust root server where the opposite terminal connected with the trust root server is located when the related information of the opposite terminal is not queried, receiving the related information of the opposite terminal, which is obtained by querying through the trust root server where the opposite terminal is located and the authority trust server where the opposite terminal is located sequentially through the top level trust server where the opposite terminal is located and the authority trust server where the opposite terminal is located, and sending the related information of the opposite terminal, which is obtained by querying, to the terminal through the top level trust server and the authority trust server. In this way, if the terminal needs to inquire the relevant information of the opposite terminal, the terminal can inquire through the authority trust server, the top-level trust root server and the trust root server which are connected with the terminal, at this time, when the trust root server does not inquire, the terminal can inquire through another trust root server in the alliance area, and after the inquiry is finished, the terminal can send the information to the terminal through the trust root server, the top-level trust root server and the authority trust server.
Specifically, when the terminal subject D1 wants to query the public key of the terminal subject G1, the specific flow includes:
1. the terminal body D1 inquires of its upper authority trust server C1.
2. When the public key of the terminal body G1 is not queried in the authority trust server C1, the authority trust server C1 queries its upper top level trust server B1.
3. When the top trust server B1 does not have queried the public key of the terminal body G1, the top trust server B1 queries its upper trust root server a.
4. When the root-of-trust server a does not query the public key of terminal principal G1, there are two considerations:
(1) in consideration of the management method, only the root of trust server in the home country can access the lower-level server in the home country.
(2) The root of trust server in the home country can also access the lower level servers in other countries for efficiency.
In the manner of (1), the root of trust server a queries the root of trust server X where the public key of the terminal body G1 is located. Through the trust root server X, the lower-level top trust server E1 of the trust root server X is inquired, then the top-level trust server E1 inquires the lower-level authority trust server F1 of the trust root server X, and finally the public key of the terminal main body G1 is inquired.
By the method of (2), the root of trust server a can directly query the lower-level top trust server E1 of the root of trust server X, then query the lower-level authority trust server F1 of the root of trust server X by the top-level trust server E1, and finally query the public key of the terminal subject G1.
In addition, if the domain is not crossed, the relevant operation is performed by the following example:
when the terminal principal D1 wants to query the public key of the terminal principal D2, the specific process includes:
1. the terminal body D1 inquires of its upper authority trust server C1.
2. When the public key of the terminal subject D2 is found in the rights trust server C1, the public key of D2 found in the terminal subject D1 is returned.
When the terminal principal D1 wants to query the public key of the terminal principal D5, the specific process includes:
1. the terminal body D1 inquires of its upper authority trust server C1.
2. When the public key of the terminal body D5 is not queried in the authority trust server C1, the authority trust server C1 queries its upper top level trust server B1.
3. When the top trust server B1 does not have queried the public key of the terminal body D5, the top trust server B1 queries its upper trust root server a.
4. The trust root server A passes through the lower top trust server B2, then the top trust server B2 queries the authority trust server C3, the authority trust server C3 queries the public key of the terminal body D5, and returns the public key of the D5 queried by the terminal body D1.
Specifically, two modes are considered for communication authentication between terminal bodies:
1. authentication based on a certificate issued by a superior;
2. authentication based on a public key between peers.
Therefore, as an optional implementation manner of the present invention, the terminal is further configured to send an authentication request for the peer terminal to the authority trust server connected thereto; the authority trust server is also used for sending an authentication request to a top level trust server connected with the authority trust server after the authentication information of the opposite terminal is not inquired; the top-level trust server is also used for sending a query request to the trust root server connected with the top-level trust server after the authentication information of the opposite terminal is not queried; and the trust root server is also used for sending a query request to the trust root server where the opposite terminal connected with the trust root server is located when the authentication information of the opposite terminal is not queried, receiving the authentication information of the opposite terminal obtained by querying through the trust root server where the opposite terminal is located, and sending the authentication information to the terminal through the top-level trust server and the authority trust server. In this way, if the terminal needs to authenticate the opposite terminal, the terminal can authenticate through the authority trust server, the top-level trust root server and the trust root server which are connected with the terminal, at this time, when the trust root server does not inquire authentication information, the terminal can inquire the authentication information through another trust root server in the alliance area, and after the authentication information is inquired, the terminal can send the authentication information to the terminal through the trust root server, the top-level trust root server and the authority trust root server.
Specifically, when the terminal subject D1 wants to authenticate the public key of the terminal subject D5, the public key of the upper authority trust server C3 of the terminal subject D5 is needed, and the top trust server B2 includes the public key information of the authority trust server C3, so that only the data of the top trust server B2 needs to be found, and the specific flow includes:
1. the terminal body D1 inquires of its upper authority trust server C1.
2. When the authority trust server C3's public key is not queried in the authority trust server C1, the authority trust server C1 queries its upper top level trust server B1.
3. When the top trust server B1 does not query the authority trust server C3's public key, the top trust server B1 queries its upper level root of trust server a.
4. The data of the top-level trust server B2 is inquired in the trust root server A, so that the public key of the authority trust server C3 is obtained, and the authentication is completed.
As an optional implementation manner of the present invention, the terminal is further configured to send an authentication request for the peer terminal to a rights trust server connected thereto; the authority trust server is also used for sending an authentication request to a top level trust server connected with the authority trust server after the authentication information of the opposite terminal is not inquired; the top-level trust server is also used for sending a query request to the trust root server connected with the top-level trust server after the authentication information of the opposite terminal is not queried; and the trust root server is also used for sending a query request to the trust root server where the opposite terminal connected with the trust root server is located when the authentication information of the opposite terminal is not queried, receiving the authentication information of the opposite terminal, which is obtained by querying through the trust root server where the opposite terminal is located and the authority trust server where the opposite terminal is located sequentially through the top level trust server where the opposite terminal is located and the authority trust server where the opposite terminal is located, and sending the queried authentication information of the opposite terminal to the terminal through the top level trust server and the authority trust server. In this way, if the terminal needs to authenticate the opposite terminal, the terminal can authenticate through the authority trust server, the top-level trust root server and the trust root server which are connected with the terminal, at this time, when the trust root server does not inquire authentication information, the other trust root server in the alliance area inquires the authentication information, the other trust root server inquires the authentication information through the top-level trust server and the authority trust root server which are connected with the other trust root server, and the inquired authentication information is sent to the terminal through the trust root server, the top-level trust root server and the authority trust root server.
Specifically, when the terminal body D1 wants to authenticate the public key of the terminal body D5, the terminal body D1 needs to authenticate the public key of the terminal body D5, and the specific flow includes:
1. the terminal body D1 inquires of its upper authority trust server C1.
2. When the public key of the terminal body D5 is not queried in the authority trust server C1, the authority trust server C1 queries its upper top level trust server B1.
3. When the top trust server B1 does not query the public key of the terminal body D5, the top trust server B1 queries its upper trust root server a.
4. The root-of-trust server a queries through its lower top-level trust server B2.
5. And the lower authority trust server C3 of the top trust server B2 obtains the public key of the terminal main body D5, and completes authentication.
Therefore, through the alliance-based whole network unified trust anchor system provided by the invention, the alliance trust anchor exists in a decentralized form, the data of all trust root servers in an alliance region are ensured to be consistent through a consensus algorithm, the whole network unified trust anchor is established in the alliance, and public keys are managed together.
Fig. 3 shows a method for constructing a federation-based global unified trust anchor according to an embodiment of the present invention, where the scheme is applied to the above system, and only a brief description is given here to the method, and please refer to the related description of the above system for other reasons, referring to fig. 3, a method for constructing a federation-based global unified trust anchor according to an embodiment of the present invention includes:
s301, a federation region is constructed, the federation region is configured to comprise n trust root servers, all the trust root servers are connected with one another, each trust root server stores the name and public key information of all the trust root servers, stores the name, address and public key information of all the top-level trust servers and is used for signing and issuing certificates, the information stored by each trust root server is completely the same, and the consistency of the stored information is ensured through a consensus algorithm;
s302, n top-level trust server sets are constructed and configured to be that each top-level trust server set is connected with a trust root server, each top-level trust server set comprises m top-level trust servers, the m top-level trust servers are connected with the same trust root server, and each top-level trust server stores the own public key information and stores the name, the address and the public key information of an authority trust server connected with the top-level trust server;
s303, constructing n-m authority trust server sets, configuring that each authority trust server set is connected with a top level trust server, each authority trust server set comprises j authority trust servers, the j authority trust servers are connected with the same top level trust server, and each authority trust server stores the own public key information and stores the name, the address and the public key information of a terminal connected with the authority trust server;
and S304, constructing n m j terminal sets, configuring that each terminal set is connected with one authority trust server, wherein each terminal set comprises i terminals, and the i terminals are connected with the same authority trust server.
Therefore, through the alliance-based whole network unified trust anchor construction method provided by the invention, the alliance trust anchor exists in a decentralized form, the data of all trust root servers in an alliance region are ensured to be consistent through a consensus algorithm, the whole network unified trust anchor is established in the alliance, and public keys are managed together.
As an optional implementation manner of the embodiment of the present invention, the method for constructing a federation-based global unified trust anchor further includes: and configuring each top-level trust server set to be connected with all the trust root servers, wherein each top-level trust server set comprises m top-level trust servers, and the m top-level trust servers are connected with each trust root server. Therefore, the top-level trust server can be connected with any trust root server and perform data transmission.
As an optional implementation manner of the embodiment of the present invention, the method for constructing a federation-based global unified trust anchor further includes: a change flow of the top-level trust server;
the changing process of the top-level trust server comprises the following steps:
the top-level trust server sends a change request to a trust root server connected with the top-level trust server;
the trust root server puts forward a changed resolution to the alliance area, responds to a change request of a top-level trust server in the trust root server after the resolution passes according to a preset resolution strategy, and updates data stored in all the trust root servers in the alliance area through a consensus algorithm;
the top level trust server performs the change operation.
In this way, the top-level root of trust server can apply for change to the root of trust server connected with the top-level root of trust server, and after the root of trust server connected with the top-level root of trust server receives and changes the root of trust server, a resolution is performed in the alliance area, and only after the resolution passes in the alliance area, the change operation can be performed, and meanwhile, all the root of trust servers in the alliance area perform the same modification through a consensus algorithm, so that the consistency of data is ensured.
As an optional implementation manner of the embodiment of the present invention, the method for constructing a federation-based global unified trust anchor further includes: and (3) changing process of the trust root server:
the change process of the trust root server comprises the following steps:
and the trust root server puts forward a changed resolution in the alliance, changes own data after the resolution passes according to a preset resolution strategy, and updates the data stored in all the trust root servers in the alliance area through a consensus algorithm.
In this way, if a certain trust root server in the alliance region needs to change data, a resolution is performed in the alliance region, only after the resolution in the alliance region passes, the change operation can be performed, and meanwhile, all the trust root servers in the alliance region perform the same modification through a consensus algorithm, so that the consistency of the data is ensured.
As an optional implementation manner of the embodiment of the present invention, the method for constructing a federation-based global unified trust anchor further includes: and (3) a terminal query process:
the inquiry process of the terminal comprises the following steps:
the terminal sends a query request to an authority trust server connected with the terminal to an opposite terminal;
after the authority trust server does not inquire the related information of the opposite terminal, the authority trust server sends an inquiry request to a top level trust server connected with the authority trust server;
after the top-level trust server does not inquire the relevant information of the opposite terminal, the top-level trust server sends an inquiry request to a trust root server connected with the top-level trust server;
when the related information of the opposite terminal is not inquired by the trust root server, an inquiry request is sent to the trust root server where the opposite terminal connected with the trust root server is located, the related information of the opposite terminal obtained by inquiring the trust root server where the opposite terminal is located through the top level trust server where the opposite terminal is located and the authority trust server where the opposite terminal is located which are connected with the trust root server in sequence, and the related information of the opposite terminal obtained by inquiring is sent to the terminal through the top level trust server and the authority trust server.
In this way, if the terminal needs to inquire the relevant information of the opposite terminal, the terminal can inquire through the authority trust server, the top-level trust root server and the trust root server which are connected with the terminal, at this time, when the trust root server does not inquire, the terminal can inquire through another trust root server in the alliance area, and after the inquiry is finished, the terminal can send the information to the terminal through the trust root server, the top-level trust root server and the authority trust server.
As an optional implementation manner of the embodiment of the present invention, the method for constructing a federation-based global unified trust anchor further includes: an authentication process of the terminal;
the authentication process of the terminal comprises the following steps:
the terminal is also used for sending an authentication request to the opposite terminal to the authority trust server connected with the terminal;
the authority trust server is also used for sending an authentication request to a top level trust server connected with the authority trust server after the authentication information of the opposite terminal is not inquired;
the top-level trust server is also used for sending a query request to the trust root server connected with the top-level trust server after the authentication information of the opposite terminal is not queried;
and the trust root server is also used for sending a query request to the trust root server where the opposite terminal connected with the trust root server is located when the authentication information of the opposite terminal is not queried, receiving the authentication information of the opposite terminal obtained by querying through the trust root server where the opposite terminal is located, and sending the authentication information to the terminal through the top-level trust server and the authority trust server.
In this way, if the terminal needs to authenticate the opposite terminal, the terminal can authenticate through the authority trust server, the top-level trust root server and the trust root server which are connected with the terminal, at this time, when the trust root server does not inquire authentication information, the terminal can inquire the authentication information through another trust root server in the alliance area, and after the authentication information is inquired, the terminal can send the authentication information to the terminal through the trust root server, the top-level trust root server and the authority trust root server.
As an optional implementation manner of the embodiment of the present invention, the method for constructing a federation-based global unified trust anchor further includes: an authentication process of the terminal;
the authentication process of the terminal comprises the following steps:
the terminal is also used for sending an authentication request to the opposite terminal to the authority trust server connected with the terminal;
the authority trust server is also used for sending an authentication request to a top level trust server connected with the authority trust server after the authentication information of the opposite terminal is not inquired;
the top-level trust server is also used for sending a query request to the trust root server connected with the top-level trust server after the authentication information of the opposite terminal is not queried;
and the trust root server is also used for sending a query request to the trust root server where the opposite terminal connected with the trust root server is located when the authentication information of the opposite terminal is not queried, receiving the authentication information of the opposite terminal, which is obtained by querying through the trust root server where the opposite terminal is located and the authority trust server where the opposite terminal is located sequentially through the top level trust server where the opposite terminal is located and the authority trust server where the opposite terminal is located, and sending the queried authentication information of the opposite terminal to the terminal through the top level trust server and the authority trust server.
In this way, if the terminal needs to authenticate the opposite terminal, the terminal can authenticate through the authority trust server, the top-level trust root server and the trust root server which are connected with the terminal, at this time, when the trust root server does not inquire authentication information, the other trust root server in the alliance area inquires the authentication information, the other trust root server inquires the authentication information through the top-level trust server and the authority trust root server which are connected with the other trust root server, and the inquired authentication information is sent to the terminal through the trust root server, the top-level trust root server and the authority trust root server.
Any process or method descriptions in flow charts or otherwise described herein may be understood as representing modules, segments, or portions of code which include one or more executable instructions for implementing specific logical functions or steps of the process, and alternate implementations are included within the scope of the preferred embodiment of the present invention in which functions may be executed out of order from that shown or discussed, including substantially concurrently or in reverse order, depending on the functionality involved, as would be understood by those reasonably skilled in the art of the present invention.
It will be understood by those skilled in the art that all or part of the steps carried by the method for implementing the above embodiments may be implemented by hardware related to instructions of a program, which may be stored in a computer readable storage medium, and when the program is executed, the program includes one or a combination of the steps of the method embodiments.
In the description herein, references to the description of the term "one embodiment," "some embodiments," "an example," "a specific example," or "some examples," etc., mean that a particular feature, structure, material, or characteristic described in connection with the embodiment or example is included in at least one embodiment or example of the invention. In this specification, the schematic representations of the terms used above do not necessarily refer to the same embodiment or example. Furthermore, the particular features, structures, materials, or characteristics described may be combined in any suitable manner in any one or more embodiments or examples.
The above examples are only for describing the preferred embodiments of the present invention, and are not intended to limit the scope of the present invention, and various modifications and improvements made to the technical solution of the present invention by those skilled in the art without departing from the spirit of the present invention should fall within the protection scope defined by the claims of the present invention.

Claims (14)

1. A federation-based, network-wide unified trust anchor system, comprising:
a federation area including n root-of-trust servers, each of the root-of-trust servers being interconnected;
each top-level trust server set is connected with one trust root server, each top-level trust server set comprises m top-level trust servers, and the m top-level trust servers are connected with the same trust root server;
the authority trust server sets comprise a plurality of authority trust server sets, each authority trust server set is connected with one top level trust server, each authority trust server set comprises j authority trust servers, and the j authority trust servers are connected with the same top level trust server;
n m j terminal sets, wherein each terminal set is connected with one authority trust server, each terminal set comprises i terminals, and the i terminals are connected with the same authority trust server;
wherein,
each trust root server is used for storing names and public key information of all the trust root servers, storing names, addresses and public key information of all the top-level trust servers and signing and issuing certificates, and the information stored by each trust root server is completely the same, and the consistency of the stored information is ensured through a consensus algorithm;
each top-level trust server is used for storing the public key information of the top-level trust server and storing the name, the address and the public key information of the authority trust server connected with the top-level trust server;
each authority trust server is used for storing the own public key information and storing the name, the address and the public key information of the terminal connected with the authority trust server.
2. The system of claim 1,
each top level trust server set is connected with all the trust root servers, each top level trust server set comprises m top level trust servers, and the m top level trust servers are connected with each trust root server.
3. The system of claim 1,
the top trust server is also used for sending a change request to the trust root server connected with the top trust server;
the trust root server is also used for proposing a changed resolution to a alliance area, responding to a change request of the top-level trust server in the trust root server after the resolution passes according to a preset resolution strategy, and updating data stored in all the trust root servers in the alliance area through the consensus algorithm;
and the top-level trust server is also used for executing change operation.
4. The system of claim 1,
the trust root server is also used for proposing a changed resolution in the alliance, changing own data after the resolution passes according to a preset resolution strategy, and updating data stored in all the trust root servers in the alliance area through the consensus algorithm.
5. The system of claim 1,
the terminal is also used for sending a query request to the opposite terminal to the authority trust server connected with the terminal;
the authority trust server is also used for sending the query request to a top level trust server connected with the authority trust server after the relevant information of the opposite terminal is not queried;
the top-level trust server is also used for sending the query request to a trust root server connected with the top-level trust server after the relevant information of the opposite terminal is not queried;
the trust root server is further configured to send the query request to a trust root server where an opposite terminal connected to the trust root server is located when the related information of the opposite terminal is not queried, receive the related information of the opposite terminal, which is obtained by querying the trust root server where the opposite terminal is located through a top-level trust server where the opposite terminal is located and an authority trust server where the opposite terminal is located, which are connected in sequence, and send the queried related information of the opposite terminal to the terminal through the top-level trust server and the authority trust server.
6. The system of claim 1,
the terminal is also used for sending an authentication request to the opposite terminal to the authority trust server connected with the terminal;
the authority trust server is also used for sending the authentication request to a top level trust server connected with the authority trust server after the authentication information of the opposite terminal is not inquired;
the top-level trust server is also used for sending a query request to the trust root server connected with the top-level trust server after the authentication information of the opposite terminal is not queried;
and the trust root server is further used for sending the query request to a trust root server where an opposite terminal connected with the trust root server is located when the authentication information of the opposite terminal is not queried, and receiving the authentication information of the opposite terminal, which is obtained by querying through the trust root server where the opposite terminal is located, and sending the authentication information of the opposite terminal to the terminal through the top-level trust server and the authority trust server.
7. The system of claim 1,
the terminal is also used for sending an authentication request to the opposite terminal to the authority trust server connected with the terminal;
the authority trust server is also used for sending the authentication request to a top level trust server connected with the authority trust server after the authentication information of the opposite terminal is not inquired;
the top-level trust server is also used for sending a query request to the trust root server connected with the top-level trust server after the authentication information of the opposite terminal is not queried;
the trust root server is further configured to send the query request to a trust root server where an opposite terminal connected to the trust root server is located when authentication information of the opposite terminal is not queried, receive authentication information of the opposite terminal, which is obtained by querying the trust root server where the opposite terminal is located through a top-level trust server where the opposite terminal is located and an authority trust server where the opposite terminal is located, which are connected in sequence, and send the queried authentication information of the opposite terminal to the terminal through the top-level trust server and the authority trust server.
8. A construction method of a whole network unified trust anchor based on alliance is characterized by comprising the following steps:
the method comprises the steps of constructing a alliance area, configuring the alliance area to comprise n trust root servers, wherein the trust root servers are connected with one another, each trust root server stores the name and public key information of all the trust root servers, stores the name, address and public key information of all top-level trust servers and is used for signing and issuing certificates, the information stored by each trust root server is completely the same, and the consistency of the stored information is ensured through a consensus algorithm;
constructing n top-level trust server sets, configuring that each top-level trust server set is connected with one trust root server, each top-level trust server set comprises m top-level trust servers, the m top-level trust servers are connected with the same trust root server, and each top-level trust server stores the own public key information and stores the name, the address and the public key information of an authority trust server connected with the top-level trust server;
constructing n-m permission trust server sets, configuring that each permission trust server set is connected with one top level trust server, each permission trust server set comprises j permission trust servers, the j permission trust servers are connected with the same top level trust server, and each permission trust server stores own public key information and stores the name, address and public key information of a terminal connected with the permission trust server;
and constructing n m j terminal sets, configuring that each terminal set is connected with one authority trust server, wherein each terminal set comprises i terminals, and the i terminals are connected with the same authority trust server.
9. The method of claim 8, further comprising:
and configuring each top-level trust server set to be connected with all the trust root servers, wherein each top-level trust server set comprises m top-level trust servers, and the m top-level trust servers are connected with each trust root server.
10. The method of claim 8, further comprising: a change flow of the top-level trust server;
the changing process of the top trust server comprises the following steps:
the top-level trust server sends a change request to the trust root server connected with the top-level trust server;
the trust root server provides a changed resolution to a alliance area, responds to a change request of the top-level trust server in the trust root server after the resolution passes according to a preset resolution strategy, and updates data stored in all the trust root servers in the alliance area through the consensus algorithm;
the top level trust server performs a change operation.
11. The method of claim 8, further comprising: the change process of the trust root server comprises the following steps:
the change process of the trust root server comprises the following steps:
and the trust root server puts forward a changed resolution in the alliance, changes own data after the resolution passes according to a preset resolution strategy, and updates the data stored in all the trust root servers in the alliance area through the consensus algorithm.
12. The method of claim 8, further comprising: the query process of the terminal comprises the following steps:
the query process of the terminal comprises the following steps:
the terminal sends a query request to an authority trust server connected with the terminal to an opposite terminal;
after the authority trust server does not inquire the related information of the opposite terminal, the authority trust server sends the inquiry request to a top level trust server connected with the authority trust server;
after the top-level trust server does not inquire the relevant information of the opposite terminal, the top-level trust server sends the inquiry request to a trust root server connected with the top-level trust server;
when the related information of the opposite terminal is not inquired by the trust root server, the inquiry request is sent to the trust root server where the opposite terminal connected with the trust root server is located, the related information of the opposite terminal, which is obtained by inquiring the trust root server where the opposite terminal is located through the top level trust server where the opposite terminal is located and the authority trust server where the opposite terminal is located which are connected in sequence, is received, and the related information of the opposite terminal, which is obtained by inquiring, is sent to the terminal through the top level trust server and the authority trust server.
13. The method of claim 8, further comprising: an authentication process of the terminal;
the authentication process of the terminal comprises the following steps:
the terminal is also used for sending an authentication request to the opposite terminal to the authority trust server connected with the terminal;
the authority trust server is also used for sending the authentication request to a top level trust server connected with the authority trust server after the authentication information of the opposite terminal is not inquired;
the top-level trust server is also used for sending a query request to the trust root server connected with the top-level trust server after the authentication information of the opposite terminal is not queried;
and the trust root server is further used for sending the query request to a trust root server where an opposite terminal connected with the trust root server is located when the authentication information of the opposite terminal is not queried, and receiving the authentication information of the opposite terminal, which is obtained by querying through the trust root server where the opposite terminal is located, and sending the authentication information of the opposite terminal to the terminal through the top-level trust server and the authority trust server.
14. The method of claim 8, further comprising: an authentication process of the terminal;
the authentication process of the terminal comprises the following steps:
the terminal is also used for sending an authentication request to the opposite terminal to the authority trust server connected with the terminal;
the authority trust server is also used for sending the authentication request to a top level trust server connected with the authority trust server after the authentication information of the opposite terminal is not inquired;
the top-level trust server is also used for sending a query request to the trust root server connected with the top-level trust server after the authentication information of the opposite terminal is not queried;
the trust root server is further configured to send the query request to a trust root server where an opposite terminal connected to the trust root server is located when authentication information of the opposite terminal is not queried, receive authentication information of the opposite terminal, which is obtained by querying the trust root server where the opposite terminal is located through a top-level trust server where the opposite terminal is located and an authority trust server where the opposite terminal is located, which are connected in sequence, and send the queried authentication information of the opposite terminal to the terminal through the top-level trust server and the authority trust server.
CN201810743031.4A 2018-07-09 2018-07-09 Union-based whole-network unified trust anchor system and construction method Active CN108881471B (en)

Priority Applications (2)

Application Number Priority Date Filing Date Title
CN201810743031.4A CN108881471B (en) 2018-07-09 2018-07-09 Union-based whole-network unified trust anchor system and construction method
PCT/CN2018/115239 WO2020010767A1 (en) 2018-07-09 2018-11-13 Alliance-based unified trust anchor system for whole network, and construction method

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201810743031.4A CN108881471B (en) 2018-07-09 2018-07-09 Union-based whole-network unified trust anchor system and construction method

Publications (2)

Publication Number Publication Date
CN108881471A CN108881471A (en) 2018-11-23
CN108881471B true CN108881471B (en) 2020-09-11

Family

ID=64299874

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201810743031.4A Active CN108881471B (en) 2018-07-09 2018-07-09 Union-based whole-network unified trust anchor system and construction method

Country Status (2)

Country Link
CN (1) CN108881471B (en)
WO (1) WO2020010767A1 (en)

Families Citing this family (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN109327481B (en) * 2018-12-17 2021-12-14 北京信息科技大学 Block chain-based unified online authentication method and system for whole network
CN109753779B (en) * 2019-01-11 2020-10-30 北京信息科技大学 Whole-network unified identity authentication method and system based on biological characteristic recognition
CN110224713B (en) * 2019-06-12 2020-09-15 读书郎教育科技有限公司 Safety protection method and system based on high-safety intelligent child watch
CN110868446A (en) * 2019-08-29 2020-03-06 北京大学深圳研究生院 Back IP main power network system architecture

Citations (9)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101129016A (en) * 2004-12-24 2008-02-20 秦内蒂克有限公司 Public key infrastructures
CN102263787A (en) * 2011-07-08 2011-11-30 西安电子科技大学 Dynamic distributed certification authority (CA) configuration method
CN103973451A (en) * 2014-05-05 2014-08-06 西南交通大学 Cross-trust-domain authentication method used for distributed network system
CN106301792A (en) * 2016-08-31 2017-01-04 江苏通付盾科技有限公司 Ca authentication management method based on block chain, Apparatus and system
CN106372941A (en) * 2016-08-31 2017-02-01 江苏通付盾科技有限公司 CA authentication management method, device and system based on block chain
CN107070644A (en) * 2016-12-26 2017-08-18 北京科技大学 A kind of decentralization public key management method and management system based on trust network
CN107426157A (en) * 2017-04-21 2017-12-01 杭州趣链科技有限公司 A kind of alliance's chain authority control method based on digital certificate and ca authentication system
CN107613041A (en) * 2017-09-22 2018-01-19 中国互联网络信息中心 DNS management system, domain name management method and domain name analytic method based on block chain
CN108052530A (en) * 2017-11-10 2018-05-18 杭州云象网络技术有限公司 A kind of decentralization CA construction methods and its system based on alliance's chain

Family Cites Families (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US7747851B1 (en) * 2004-09-30 2010-06-29 Avaya Inc. Certificate distribution via license files
CN108055263B (en) * 2017-12-11 2020-07-24 北京理工大学 Entity authentication authority management system and method in satellite communication network
CN108243190A (en) * 2018-01-09 2018-07-03 北京信息科技大学 The credible management method and system of a kind of network identity

Patent Citations (10)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101129016A (en) * 2004-12-24 2008-02-20 秦内蒂克有限公司 Public key infrastructures
CN102263787A (en) * 2011-07-08 2011-11-30 西安电子科技大学 Dynamic distributed certification authority (CA) configuration method
CN103973451A (en) * 2014-05-05 2014-08-06 西南交通大学 Cross-trust-domain authentication method used for distributed network system
CN103973451B (en) * 2014-05-05 2017-04-12 西南交通大学 Cross-trust-domain authentication method used for distributed network system
CN106301792A (en) * 2016-08-31 2017-01-04 江苏通付盾科技有限公司 Ca authentication management method based on block chain, Apparatus and system
CN106372941A (en) * 2016-08-31 2017-02-01 江苏通付盾科技有限公司 CA authentication management method, device and system based on block chain
CN107070644A (en) * 2016-12-26 2017-08-18 北京科技大学 A kind of decentralization public key management method and management system based on trust network
CN107426157A (en) * 2017-04-21 2017-12-01 杭州趣链科技有限公司 A kind of alliance's chain authority control method based on digital certificate and ca authentication system
CN107613041A (en) * 2017-09-22 2018-01-19 中国互联网络信息中心 DNS management system, domain name management method and domain name analytic method based on block chain
CN108052530A (en) * 2017-11-10 2018-05-18 杭州云象网络技术有限公司 A kind of decentralization CA construction methods and its system based on alliance's chain

Non-Patent Citations (2)

* Cited by examiner, † Cited by third party
Title
Analysis and Design of an Adaptive Automated Trust Negotiation System;Wenliang Chen,Wenbao Jiang;《2011 International Conference on Mechatronic Science, Electric Engineering and Computer》;20110923;全文 *
基于区块链技术的高效跨域认证方案;周致成,李立新,李作辉;《计算机应用》;20180210;第316-320页 *

Also Published As

Publication number Publication date
WO2020010767A1 (en) 2020-01-16
CN108881471A (en) 2018-11-23

Similar Documents

Publication Publication Date Title
CN108881471B (en) Union-based whole-network unified trust anchor system and construction method
Capkun et al. Self-organized public-key management for mobile ad hoc networks
Li et al. A trust model based routing protocol for secure ad hoc networks
Omar et al. Reliable and fully distributed trust model for mobile ad hoc networks
Hwang et al. Dynamic access control scheme for iot devices using blockchain
CN102647394B (en) Routing device identity identifying method and device
EP2056563B1 (en) Peer-to-peer network
CN113935016B (en) Trusted access and cross-domain authentication method based on blockchain in named data networking
JP2011514032A (en) Wireless multi-hop network authentication access method, apparatus and system based on ID
CN101374159B (en) Credible control method and system for P2P network
CN111262692A (en) Key distribution system and method based on block chain
CN113269546B (en) User identity card system and method based on block chain
CN113824563A (en) Cross-domain identity authentication method based on block chain certificate
Chotkan et al. Distributed attestation revocation in self-sovereign identity
CN108243190A (en) The credible management method and system of a kind of network identity
Koisser et al. {V'CER}: Efficient Certificate Validation in Constrained Networks
Li et al. Cross-Domain Authentication Scheme for IoT Devices Based on BlockChain
CN101997875A (en) Secure multi-party network communication platform and construction method and communication method thereof
Xu et al. When Web 3.0 Meets Reality: A Hyperdimensional Fractal Polytope P2P Ecosystems
Forne et al. Certificate status validation in mobile ad hoc networks
Glendenning et al. Ziggurat: A framework for providing scalability and security in iot blockchains
Mohanty et al. OMT: A dynamic authenticated data structure for security kernels
Yan et al. User-Centric Network Architecture Design for 6G Mobile Communication Systems
Shi et al. A Construction Method for Alliance-based Network Trust Anchor
Saha et al. Self-organized key management based on fidelity relationship list and dynamic path

Legal Events

Date Code Title Description
PB01 Publication
PB01 Publication
SE01 Entry into force of request for substantive examination
SE01 Entry into force of request for substantive examination
GR01 Patent grant
GR01 Patent grant