CN111865988B - Certificate-free key management method, system and terminal based on block chain - Google Patents

Info

Publication number: CN111865988B
Authority: CN (China)
Prior art keywords: key, user, pkg, key management, data
Legal status: Active
Application number: CN202010708020.XA
Other languages: Chinese (zh)
Other versions: CN111865988A
Inventors: 张波, 单兰存
Current Assignee: Shandong Huapu Information Technology Co ltd
Original Assignee: Shandong Huapu Information Technology Co ltd
Application filed by Shandong Huapu Information Technology Co ltd
Priority to CN202010708020.XA
Publication of CN111865988A
Application granted
Publication of CN111865988B

Classifications

    • H04L63/06 Network architectures or network communication protocols for network security for supporting key management in a packet data network
    • H04L9/32 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L9/0861 Generation of secret information including derivation or calculation of cryptographic keys or passwords
    • H04L9/0891 Revocation or update of secret information, e.g. encryption key update or rekeying
    • H04L2209/56 Financial cryptography, e.g. electronic payment or e-cash
    • H04L9/50 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols using hash chains, e.g. blockchains or hash trees


Abstract

The application discloses a certificateless key management method, system and terminal based on a blockchain. A blockchain key management platform is initialized; the PKG in each administrative domain receives key management requests from users in its domain and generates key management data, and the PKG reports that data to the blockchain key management platform for on-chain storage; before any user public key is used, the key management data on the chain is retrieved, its validity is verified, and the user public key is obtained. After the user and the local private key generation center jointly generate the user key, the local private key generation center generates key management data and stores it on the chain using blockchain technology, which ensures non-repudiation. When a user public key is needed, the on-chain data can be queried by identity information to obtain the latest public parameters and public key information, so that public key replacement attacks that any malicious entity might launch can be fundamentally and effectively resisted, and the usability of the system in an open environment is improved.

Description

Certificate-free key management method, system and terminal based on block chain
Technical Field
The present application relates to the field of network security technologies, and in particular to a certificateless key management method, system and terminal based on a blockchain.
Background
Certificateless public key cryptography was proposed to solve the 'complicated certificate management' problem of traditional certificate-based cryptography and the 'key escrow' problem inherent in identity-based cryptography. In a certificateless cryptosystem, a user's public key does not depend on a certificate issued by a third party for its authentication; part of the user's private key is generated by a Private Key Generator (PKG) and the other part by the user, so the complete control over the user's private key that the PKG has in an identity-based cryptosystem is effectively avoided, which is of great significance for protecting user privacy.
Although the certificateless public key cryptosystem has no nominal trust center, there is still a PKG that generates partial private keys for users, and its current range of application is mainly relatively closed trust-domain environments. In an open environment it is likely to face a serious trust crisis and heavy load, and to become a system bottleneck. How to manage user keys effectively and achieve interoperation across trust domains in an open environment is a problem that urgently needs to be solved. In addition, because of the way user keys are generated in a certificateless system, the user public key is not authenticated by a trusted entity, so it is exposed to the 'public key replacement' attack that a malicious user may launch, and this form of attack seriously affects the usability of the system.
In an open environment, if an attacker frequently injects a large number of counterfeit public keys into the system, system availability is significantly affected. Therefore, how to establish a public key infrastructure in an open environment and manage user public keys effectively, so as to fundamentally avoid the harm that 'public key replacement' may bring, is an urgent problem for certificateless public key cryptosystems.
Disclosure of Invention
To solve the above technical problems, the following technical solution is provided:
In a first aspect, an embodiment of the present application provides a certificateless key management method based on a blockchain, the method including: initializing a blockchain key management platform, where the blockchain key management platform audits the PKGs of each autonomous domain, and the PKGs of different autonomous domains follow a single consensus mechanism; the PKG in each administrative domain receives key management requests from users in its domain and generates key management data, where the key management data include: autonomous domain public parameters, key information, user key update data and user key revocation data; the PKG reports the key management data to the blockchain key management platform for on-chain storage; and before any user public key is used, retrieving the key management data on the chain, verifying the validity of the data and obtaining the user public key.
With this implementation, after the user and the local private key generation center jointly generate the user key, the local private key generation center generates the key management data and stores it on the chain using blockchain technology to ensure non-repudiation. When a user public key is needed, the on-chain data can be queried by identity information to obtain the latest public parameters and public key information, so that public key replacement attacks that any malicious entity might launch can be fundamentally and effectively resisted, and the usability of the system in an open environment is improved.
With reference to the first aspect, in a first possible implementation manner of the first aspect, generating the autonomous domain public parameters includes: the autonomous domain generates a trust domain identifier, PKG description information, a cryptographic algorithm identifier, a public parameter tuple and a PKG signature; the generated information is submitted after the PKG of the trust domain has been authenticated by the blockchain key management platform and become a system node, where one trust domain corresponds to exactly one PKG, and each trust domain identifier is unique within the blockchain key management platform.
With reference to the first aspect, in a second possible implementation manner of the first aspect, generating the key information includes: the PKG and the user in the autonomous domain generate the user's public/private key pair through a certificateless key generation algorithm; different user identity authentication and verification processes are applied according to the application scenario and the importance level of the key, and keys of high importance level are delivered through physical devices.
With reference to the first aspect, in a third possible implementation manner of the first aspect, generating the user key update data includes: the user submits a key update request within the validity period, and the PKG and the user interact and each generate a secret value; the PKG generates a new public/private key pair with a validity period for the user according to the secret values; and the PKG encrypts the new key with the old public key and sends it to the user, or delivers it to the user through a physical device.
With reference to the first aspect, in a fourth possible implementation manner of the first aspect, generating the user key revocation data includes: if the user's private key is leaked within the validity period, the user submits a key revocation application to the PKG; or, if the PKG finds within the validity period that the private key has been leaked, the PKG prompts the user to submit a key revocation application.
With reference to the first aspect or any one of the first to fourth possible implementation manners of the first aspect, in a fifth possible implementation manner of the first aspect, the PKG reporting the key management data to the blockchain key management platform for on-chain storage includes: the PKG publishes the key management data to the blockchain key management platform; and the blockchain key management platform receives the key management data, verifies its validity and stores it on the chain.
With reference to the fifth possible implementation manner of the first aspect, in a sixth possible implementation manner of the first aspect, retrieving the on-chain key management data, verifying data validity and obtaining the user public key before any user public key is used includes: the blockchain key management platform opens a query interface to all public key users; a public key user queries the parameter information of any trust domain using a trust domain query identifier, where the trust domain query identifier comprises a unique tuple identifier consisting of the trust domain identifier and a user identity identifier.
With reference to the sixth possible implementation manner of the first aspect, in a seventh possible implementation manner of the first aspect, the method further includes: when the PKG and the user dispute the published information, a third-party organization arbitrates between them according to the digital evidence.
In a second aspect, an embodiment of the present application provides a certificateless key management system based on a blockchain, the system including: a platform initialization module, configured to initialize the blockchain key management platform, where the blockchain key management platform audits the PKGs of all autonomous domains, and the PKGs of different autonomous domains follow a single consensus mechanism; a data generation module, through which the PKG in each administrative domain receives key management requests from users in its domain and generates key management data, where the key management data include: autonomous domain public parameters, key information, user key update data and user key revocation data; a data storage module, through which the PKG reports the key management data to the blockchain key management platform for on-chain storage; and a data query module, configured to retrieve the key management data on the chain, verify the validity of the data and obtain the user public key before any user public key is used.
In a third aspect, an embodiment of the present application provides a terminal, including: a processor; and a memory for storing computer-executable instructions; when the processor executes the computer-executable instructions, it performs the method of the first aspect or any possible implementation manner of the first aspect, implementing the blockchain-based certificateless key management method and managing certificateless public keys.
Drawings
Fig. 1 is a schematic flowchart of a certificateless key management method based on a blockchain according to an embodiment of the present application;
Fig. 2 is a schematic diagram of a certificateless key management system based on a blockchain according to an embodiment of the present application;
Fig. 3 is a schematic diagram of a terminal according to an embodiment of the present application.
Detailed Description
The solution is explained below with reference to the accompanying drawings and the detailed description.
Fig. 1 is a schematic flowchart of a certificateless key management method based on a blockchain according to an embodiment of the present application; referring to Fig. 1, the method includes:
S101, initializing a blockchain key management platform.
The blockchain key management platform in this embodiment audits the PKGs of each autonomous domain, and the PKGs of different autonomous domains follow a single consensus mechanism. Specifically, the blockchain key management platform is mainly built by service providers with public credibility, government agencies or industry alliances; the PKG in each administrative domain is semi-trusted within its own trust domain and must be audited by the blockchain system before it is added to the blockchain network as an accounting node in the open environment, where a consensus mechanism is used for accounting and other operations.
S102, the PKG in each administrative domain receives key management requests from users in its domain and generates key management data.
The PKG in each administrative domain is initialized, receives key management requests from users in its domain, provides key management services to those users, and generates the corresponding key management data. The key management data include: autonomous domain public parameters, key information, user key update data and user key revocation data.
Specifically, generating the autonomous domain public parameters in this embodiment includes: the autonomous domain generates a trust domain identifier, PKG description information, a cryptographic algorithm identifier, a public parameter tuple and a PKG signature. The generated information is submitted after the PKG of the trust domain has been authenticated by the blockchain key management platform and become a system node, where one trust domain corresponds to exactly one PKG, and each trust domain identifier is unique within the blockchain key management platform. The content of this entry does not change for a considerable period of time. The trust domain identifier is unique in the system, and the PKG signature ensures that the content of the entry cannot be forged.
Generating the key information includes: the PKG and the user in the autonomous domain generate the user's public/private key pair through a certificateless key generation algorithm. Different user identity authentication and verification processes are applied according to the application scenario and the importance level of the key, and keys of high importance level are delivered through physical devices.
Specifically, the user applies to the PKG, the PKG authenticates the user's identity and confirms that the user has a unique identity within the trust domain, and the PKG and the user exchange information to generate the user's public/private key pair. The user's private key consists of two secret parts: one part is computed by the PKG from the user's identity using the PKG's own private key and is called the user's partial private key; it must be delivered to the user over a secure channel. The other part is generated locally by the user. Once the private key is determined, the user's public key information is determined accordingly. After the user's key pair has been authenticated by the PKG, a user public key information entry is generated and broadcast to the blockchain system; after the blockchain nodes reach consensus, the public key distribution is recorded on the chain.
The user public key data entry contains the trust domain identifier, the user identity identifier, the public key serial number, the public key, the validity period, extension information, the PKG signature, certification material and so on. The entry is submitted by the PKG after the PKG has interacted with the user to generate the user's public/private key pair. The public key serial number and the user identity identifier are unique within the trust domain; the user identity can be identified by a mobile phone number, an e-mail address, a website address, an identity card number or the like. The PKG signature ensures that the content of the entry cannot be forged. The certification material is optional: it establishes the legitimacy of the key pair, and can be recorded and stored locally by the PKG, or uploaded and stored after being encrypted by the PKG, and is decrypted and presented by the PKG when a dispute occurs.
Generating the user key update data includes: the user submits a key update request within the validity period, and the PKG and the user interact and each generate a secret value. The PKG generates a new public/private key pair with a validity period for the user according to the secret values. The PKG then encrypts the new key with the old public key and sends it to the user, or delivers it to the user through a physical device.
Specifically, within the validity period of the key the user may submit a key update request; the PKG and the user exchange information to generate a new public/private key pair for the user. The process is similar to key generation, except that the authentication process is relatively simplified, and the new key can be transmitted encrypted under the original key, so no separate secure channel is needed.
The user key update entry contains the trust domain identifier, the user identity identifier, the public key information, the validity period, extension information, the serial number of the previous public key, the PKG signature, certification material and so on. The entry is submitted by the PKG after the PKG has interacted with the user to generate the new public/private key pair, and the PKG signature ensures that the content of the entry cannot be forged. The certification material is optional: it establishes the validity of the key pair update, and can be recorded and stored locally by the PKG, or uploaded and stored after being encrypted by the PKG, and is decrypted and presented by the PKG when a dispute occurs.
Generating the user key revocation data includes: if the user's private key is leaked within the validity period, the user submits a key revocation application to the PKG. If the PKG finds within the validity period that the private key has been leaked, the PKG prompts the user to submit a key revocation application.
Specifically, within the validity period of the key the user may issue a key revocation request because of private key leakage; the PKG generates a user private key revocation entry and broadcasts it to the blockchain system, and after the blockchain nodes reach consensus the key revocation is recorded and completed. After submitting the application, the user can keep the service confirmation data, bearing a digital signature and a timestamp, returned by the PKG.
The user public key revocation entry contains the trust domain identifier, the user identity identifier, the public key information, the reason for public key revocation, extension information, the PKG signature and so on. After the user applies to the PKG in the trust domain, the entry is submitted by the PKG, and the PKG signature ensures that the content of the entry cannot be forged.
Using a user key involves the following steps: when a certain user's public key is to be used, a key query is initiated in the blockchain system, and the key status of that user in the relevant trust domain can be queried using the trust domain identifier and the user identity identifier as keywords, covering the generation, update and revocation of the user's keys and the public parameters of the trust domain.
S103, the PKG reports the key management data to the blockchain key management platform for on-chain storage.
The PKG publishes the key management data to the blockchain key management platform. The blockchain key management platform receives the key management data, verifies its validity and stores it on the chain.
Each PKG acting as a node in the blockchain completes the on-chain operations by calling the services provided by the blockchain service module. The PKG that generates key management data broadcasts it to the whole network; every node in the blockchain key management system listens to broadcasts on the chain, and for management data that conforms to the entry format, has legitimate content (confirmed by verifying the PKG signature in the entry) and is not a duplicate, each node records the data into a locally constructed block, orders it, and writes the block to the chain for storage according to the chain's consensus mechanism.
S104, before any user public key is used, retrieving the key management data on the chain, verifying the validity of the data and obtaining the user public key.
The blockchain key management platform opens a query interface to all public key users. A public key user queries the parameter information of any trust domain using a trust domain query identifier, where the trust domain query identifier comprises a unique tuple identifier consisting of the trust domain identifier and a user identity identifier.
Before a given user public key is used, the key management data on the chain is retrieved, its validity is verified and the user public key is obtained. The blockchain key management platform opens a query interface to all public key users: the parameter information of a trust domain can be queried with the trust domain identifier, and all key information of a user in a trust domain can be queried using the tuple <trust domain identifier, user identity identifier> as the unique identifier. After the relevant key management data has been obtained, the validity of the key can be judged by whether it is within its validity period, whether the PKG's digital signature in the entry is valid, whether the key has been revoked, and so on. If a key is to be evaluated for an earlier point in time, the time element of the key life cycle must be considered: if the key had not been revoked before that time, it can be used to determine the validity of an earlier cryptographic operation, for example to verify with the public key that a digital signature was valid at that time.
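As an added example (not code from the patent), the following Python models the node-side checks of S103 and the query of S104: entries for key publication, update and revocation carry a PKG signature, a node accepts only well-formed, correctly signed, non-duplicate entries, and a lookup by <trust domain identifier, user identity identifier> resolves the key that was valid at a given time. It assumes HMAC-SHA256 under a per-PKG key as a stand-in for the PKG's real digital signature, and the field names, domain and user identifiers and timestamps are constructed sample data.

```python
import hashlib
import hmac
import json

# Entry kinds described in the text: public key publication, key update, key revocation.
# Required fields mirror the entry contents listed above (extension info etc. omitted).
REQUIRED = {
    "publish": ("domain", "user", "serial", "pubkey", "valid_from", "valid_to"),
    "update": ("domain", "user", "serial", "prev_serial", "pubkey", "valid_from", "valid_to"),
    "revoke": ("domain", "user", "serial", "reason", "time"),
}


def _canonical(entry: dict) -> bytes:
    """Canonical encoding of everything except the signature field."""
    body = {k: v for k, v in entry.items() if k != "pkg_sig"}
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


def pkg_sign(pkg_key: bytes, entry: dict) -> dict:
    """The PKG signs an entry before publishing it to the chain.
    Assumption: HMAC-SHA256 under a per-PKG key stands in for the PKG's real signature."""
    signed = dict(entry)
    signed["pkg_sig"] = hmac.new(pkg_key, _canonical(entry), hashlib.sha256).hexdigest()
    return signed


class Ledger:
    """What every blockchain node does with a broadcast entry: accept it only if it has
    the entry format, a valid PKG signature for its trust domain, and is not a duplicate."""

    def __init__(self, domain_keys: dict):
        self.domain_keys = domain_keys  # trust domain id -> PKG verification key (public parameter)
        self.entries = []
        self._seen = set()

    def accept(self, entry: dict) -> bool:
        kind = entry.get("kind")
        if kind not in REQUIRED or any(f not in entry for f in REQUIRED[kind]):
            return False  # does not meet the entry format
        key = self.domain_keys.get(entry["domain"])
        if key is None:
            return False  # trust domain has not been audited/registered on the platform
        expected = hmac.new(key, _canonical(entry), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, entry.get("pkg_sig", "")):
            return False  # forged or tampered entry: a public key replacement attempt
        dup = (kind, entry["domain"], entry["user"], entry["serial"])
        if dup in self._seen:
            return False  # repeated entry
        self._seen.add(dup)
        self.entries.append(entry)
        return True

    def lookup(self, domain: str, user: str, at_time: int):
        """Resolve the public key of <domain, user> that was valid at at_time, or None.
        A key is usable only if within its validity period, not revoked and not superseded."""
        mine = [e for e in self.entries if e["domain"] == domain and e["user"] == user]
        revoked = {e["serial"] for e in mine if e["kind"] == "revoke" and e["time"] <= at_time}
        superseded = {e["prev_serial"] for e in mine
                      if e["kind"] == "update" and e["valid_from"] <= at_time}
        live = [e for e in mine if e["kind"] in ("publish", "update")
                and e["valid_from"] <= at_time <= e["valid_to"]
                and e["serial"] not in revoked and e["serial"] not in superseded]
        if not live:
            return None
        return max(live, key=lambda e: e["valid_from"])["pubkey"]


def demo() -> dict:
    """Constructed sample data: one honest PKG, one attacker, one user's key life cycle."""
    pkg_a = b"constructed-pkg-A-signing-key"
    attacker = b"constructed-attacker-key"
    ledger = Ledger({"dom-A": pkg_a})
    alice = {"domain": "dom-A", "user": "alice@example.com"}
    publish = dict(alice, kind="publish", serial=1, pubkey="PK1", valid_from=100, valid_to=1000)
    update = dict(alice, kind="update", serial=2, prev_serial=1, pubkey="PK2",
                  valid_from=500, valid_to=1500)
    revoke = dict(alice, kind="revoke", serial=2, reason="private key leaked", time=800)
    # Public key replacement attempt: the attacker publishes his own key under alice's identity.
    fake = dict(publish, serial=3, pubkey="ATTACKER-PK")
    # Tampering attempt: a genuinely signed entry whose public key is swapped after signing.
    tampered = dict(pkg_sign(pkg_a, publish), pubkey="ATTACKER-PK")
    return {
        "publish": ledger.accept(pkg_sign(pkg_a, publish)),
        "update": ledger.accept(pkg_sign(pkg_a, update)),
        "revoke": ledger.accept(pkg_sign(pkg_a, revoke)),
        "fake": ledger.accept(pkg_sign(attacker, fake)),
        "tampered": ledger.accept(tampered),
        "duplicate": ledger.accept(pkg_sign(pkg_a, publish)),
        "at_300": ledger.lookup("dom-A", "alice@example.com", 300),  # PK1
        "at_600": ledger.lookup("dom-A", "alice@example.com", 600),  # PK2 (PK1 superseded)
        "at_900": ledger.lookup("dom-A", "alice@example.com", 900),  # None (PK2 revoked)
    }
```

The lookup at 900 returning nothing is the time element discussed above: PK1 was superseded by the update at 500 and PK2 was revoked at 800, so neither may be relied on for an operation at that time.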
It should be noted that in this embodiment, when the PKG and the user dispute the published information, the two parties can have a third-party organization arbitrate on the basis of the digital evidence. If the user finds that illegitimate public key information has appeared on the chain at some time, the user can present that data entry and request arbitration; the PKG must then produce the digital evidence the user supplied for key generation, otherwise the data entry is deemed to have been forged by the PKG. If the user finds that a key revocation request was not processed in time, the user can present the service confirmation data returned by the PKG and request arbitration; the timestamp in the service confirmation data and the time of block release serve as evidence for resolving the dispute.
As can be seen from the foregoing embodiment, in the blockchain-based certificateless key management method it provides, after a user and the local private key generation center jointly generate the user key, the local private key generation center generates key management data and stores it on the chain using blockchain technology, so as to ensure non-repudiation. When a user public key is needed, the on-chain data can be queried by identity information to obtain the latest public parameters and public key information, so that public key replacement attacks that any malicious entity might launch can be fundamentally and effectively resisted, and the usability of the system in an open environment is improved.
Corresponding to the method for certificateless key management based on a block chain provided in the embodiment of the present application, the present application further provides an embodiment of a certificateless key management system based on a block chain, and referring to fig. 2, the certificateless key management system 20 based on a block chain provided in this embodiment includes: the platform initialization module 201, the data generation module 202, the data storage module 203 and the data query module 204.
The platform initialization module 201 is configured to initialize a blockchain key management platform, where the blockchain key management platform is configured to audit PKGs of each autonomous domain, and the PKGs of different autonomous domains obey a unique consensus mechanism.
The data generating module 202 is configured to receive, by a PKG in each subordinate domain, a key management request of a user in the domain, and generate key management data, where the key management data includes: the autonomous domain public parameter, the key information, the user key updating data and the user key revocation data.
Further, the data generation module 202 includes: the system comprises an autonomous domain public parameter generating unit, a key information generating unit, a user key updating data generating unit and a user key revocation data generating unit.
The autonomous domain public parameter generating unit includes: an information generating subunit and an information submitting subunit. The information generation subunit is used for generating a trust domain identifier, PKG description information, a cryptographic algorithm identifier, a public parameter tuple and a PKG signature from the autonomous domain. The information submitting subunit is used for submitting the generated information after the PKGs in the trust domains become system nodes through the block chain key management platform authentication, wherein one trust domain corresponds to a unique PKG, and the identifier of each trust domain is unique in the block chain key management platform.
The key information generating unit includes a first key generating subunit and a second key delivering subunit. And the key generation subunit is used for generating a public and private key pair of the user by the PKG and the user in the autonomous domain through a certificateless cipher key generation algorithm. The key transmission subunit is used for transmitting the key with high importance level through physical equipment according to different application scenes and importance levels of the key and different user identity authentication and verification processes.
The user key update data generation unit includes a key update request subunit, a second key generation subunit and a second key transmission subunit.
The key update request subunit is used for a user to make a key update request within the validity period, whereupon the PKG and the user interact and each generates a secret value. The second key generation subunit is used for the PKG to generate, from the secret values, a public and private key pair with a new validity period for the user. The second key transmission subunit is used for the PKG to send the encrypted key to the user, or to deliver it to the user through physical equipment.
The user key revocation data generation unit is used for submitting a key revocation application to the PKG if the user's private key is leaked within the validity period, or, if the private key of the PKG is leaked within the validity period, for prompting the user to submit a key revocation application to the PKG.
The data storage module 203 is configured for the PKG to report the key management data to the blockchain key management platform for data uplink.
The data storage module 203 comprises an uploading unit and a storage unit. The uploading unit is used for the PKG to issue the key management data to the block chain key management platform. The storage unit is used for the block chain key management platform to receive the key management data and to perform uplink data storage after its validity has been verified.
The data query module 204 is configured to, before any user public key is used, retrieve the key management data on the chain, verify the validity of the data, and obtain the user public key.
The data query module 204 includes a query interface opening unit and a query unit. The query interface opening unit is used for the blockchain key management platform to open a query interface to all public key users. The query unit is used for a public key user to query the parameter information of any trust domain by means of a trust domain query identifier, which is a unique tuple identifier consisting of the trust domain identifier and a user identity identifier.
The certificateless key management system 20 based on the blockchain provided by the embodiment of the present application further includes an arbitration module, configured to arbitrate between the PKG and the user according to the digital evidence when the PKG and the user dispute about the public information.
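The flow implemented by the modules above, modelled end to end: the two-part user private key (PKG partial key from the identity plus a locally generated secret), the PKG-signed user public key information item, the validity check before uplink, revocation, and query by the (trust domain identifier, user identity identifier) tuple. This is an added example, not code from the patent: the patent does not fix a concrete certificateless algorithm, so a pairing-free Schnorr-style construction over a toy group is assumed, the platform is a plain dictionary standing in for the chain, and all names (PKG, KeyManagementPlatform, user_keygen, derive_public_key) are assumptions.

```python
import hashlib
import secrets
# Toy group for the algebra only (assumption, not from the patent): p is the Mersenne
# prime 2^127 - 1 and g generates the subgroup of Z_p* of order q = 77158673929, a prime
# factor of p - 1. A 36-bit subgroup is far too small for real use; use a standard group.
P_MOD = (1 << 127) - 1
Q_ORD = 77158673929
G = next(g for g in (pow(h, (P_MOD - 1) // Q_ORD, P_MOD) for h in range(2, 64)) if g != 1)

def H(*parts):  # hash arbitrary values into Z_q
    return int.from_bytes(hashlib.sha256("|".join(map(str, parts)).encode()).digest(), "big") % Q_ORD

def schnorr_sign(sk, msg):
    k = secrets.randbelow(Q_ORD - 1) + 1
    e = H(pow(G, k, P_MOD), msg)
    return e, (k - sk * e) % Q_ORD

def schnorr_verify(pk, msg, sig):
    e, z = sig
    return H(pow(G, z, P_MOD) * pow(pk, e, P_MOD) % P_MOD, msg) == e

class PKG:  # key generation centre of one trust domain (exactly one PKG per domain)
    def __init__(self, domain_id):
        self.domain_id = domain_id
        self.s = secrets.randbelow(Q_ORD - 1) + 1   # PKG master private key
        self.pub = pow(G, self.s, P_MOD)            # published as a domain public parameter

    def partial_private_key(self, user_id, X):
        """Part one of the user's private key, computed from the user's identity with
        the PKG private key; it must reach the user over a secure channel."""
        r = secrets.randbelow(Q_ORD - 1) + 1
        R = pow(G, r, P_MOD)
        return (r + self.s * H(self.domain_id, user_id, X, R)) % Q_ORD, R

    def sign(self, msg):                            # PKG signature: the digital evidence
        return schnorr_sign(self.s, msg)

def derive_public_key(domain_pub, domain_id, user_id, X, R):
    """Anyone can recompute the user's public key from public data alone."""
    return X * R * pow(domain_pub, H(domain_id, user_id, X, R), P_MOD) % P_MOD

def user_keygen(pkg, user_id):
    x = secrets.randbelow(Q_ORD - 1) + 1            # part two: generated locally by the user
    X = pow(G, x, P_MOD)
    d, R = pkg.partial_private_key(user_id, X)
    sk = (x + d) % Q_ORD                            # the full private key needs both parts
    item = (pkg.domain_id, user_id, X, R)           # user public key information item
    return sk, item, pkg.sign(item)                 # public key is fixed once sk exists

class KeyManagementPlatform:  # stand-in for the blockchain platform (a dict, not a chain)
    def __init__(self):
        self.domains, self.items, self.revoked = {}, {}, set()

    def register_domain(self, pkg):                 # trust domain id is unique platform-wide
        if pkg.domain_id in self.domains:
            raise ValueError("duplicate trust domain identifier")
        self.domains[pkg.domain_id] = pkg.pub

    def uplink(self, item, pkg_sig):                # validity check before storage
        if not schnorr_verify(self.domains[item[0]], item, pkg_sig):
            raise ValueError("invalid PKG signature, item rejected")
        self.items[(item[0], item[1])] = (item, pkg_sig)

    def revoke(self, item, pkg_sig):                # revocation data is PKG-signed too
        if schnorr_verify(self.domains[item[0]], ("revoke",) + item, pkg_sig):
            self.revoked.add((item[0], item[1]))

    def query(self, domain_id, user_id):            # lookup by the unique (domain, user) tuple
        key = (domain_id, user_id)
        if key in self.revoked or key not in self.items:
            return None
        item, sig = self.items[key]                 # re-verify the PKG signature before use
        ok = schnorr_verify(self.domains[domain_id], item, sig)
        return derive_public_key(self.domains[domain_id], *item) if ok else None
```

A user proves possession of the combined key by signing with sk, which verifies under the public key anyone derives from the chain item and the domain parameter.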
The embodiment of the present application further provides a terminal, referring to fig. 3, the terminal 30 includes: a processor 301, a memory 302, and a communication interface 303.
In fig. 3, the processor 301, the memory 302, and the communication interface 303 may be connected to each other by a bus; the bus may be divided into an address bus, a data bus, a control bus, etc. For ease of illustration, only one thick line is shown in FIG. 3, but this does not mean only one bus or one type of bus.
The processor 301 generally controls the overall functions of the terminal 30, such as starting the terminal 30 and, once it has started, initializing the blockchain key management platform; the PKGs in their respective administrative domains then receive intra-domain user key management requests, generate key management data and report it to the blockchain key management platform for data uplink; and, before any user public key is used, the key management data on the chain is retrieved, its validity is verified and the user public key is obtained.
Further, the processor 301 may be a general-purpose processor, such as a Central Processing Unit (CPU), a Network Processor (NP), or a combination of a CPU and an NP. The processor may also be a Microprocessor (MCU). The processor may also include a hardware chip. The hardware chips may be Application Specific Integrated Circuits (ASICs), Programmable Logic Devices (PLDs), or a combination thereof. The PLD may be a Complex Programmable Logic Device (CPLD), a Field Programmable Gate Array (FPGA), or the like.
The memory 302 is configured to store computer-executable instructions to support the operation of the terminal 30. The memory 302 may be implemented by any type or combination of volatile or non-volatile memory devices, such as Static Random Access Memory (SRAM), Electrically Erasable Programmable Read-Only Memory (EEPROM), Erasable Programmable Read-Only Memory (EPROM), Programmable Read-Only Memory (PROM), Read-Only Memory (ROM), magnetic memory, flash memory, magnetic or optical disks.
After the terminal 30 is started, the processor 301 and the memory 302 are powered on, and the processor 301 reads and executes the computer executable instructions stored in the memory 302 to complete all or part of the steps in the above-mentioned embodiment of the block chain-based certificateless key management method.
The communication interface 303 is used for the terminal 30 to transmit data, for example, to realize data communication with a user or a PKG. The communication interface 303 includes a wired communication interface, and may also include a wireless communication interface. The wired communication interface comprises a USB interface, a Micro USB interface and an Ethernet interface. The wireless communication interface may be a WLAN interface, a cellular network communication interface, a combination thereof, or the like.
In an exemplary embodiment, the terminal 30 provided by the embodiments of the present application further includes a power supply component that provides power to the various components of the terminal 30. The power components may include a power management system, one or more power supplies, and other components associated with generating, managing, and distributing power for the terminal 30.
A communication component is configured to facilitate communication between the terminal 30 and other devices in a wired or wireless manner. The terminal 30 may access a wireless network based on a communication standard, such as WiFi, 2G or 3G, or a combination thereof. The communication component receives a broadcast signal or broadcast-related information from an external broadcast management system via a broadcast channel. The communication component also includes a Near Field Communication (NFC) module to facilitate short-range communication. For example, the NFC module may be implemented based on Radio Frequency Identification (RFID) technology, Infrared Data Association (IrDA) technology, Ultra Wideband (UWB) technology, Bluetooth (BT) technology, and other technologies.
The same and similar parts among the various embodiments in the specification of the present application may be referred to each other. In particular, for the system and terminal embodiments, since the method therein is substantially similar to the method embodiments, the description is relatively simple, and reference may be made to the description in the method embodiments for relevant points.
It is noted that, in this document, relational terms such as "first" and "second," and the like, are used solely to distinguish one entity or action from another entity or action without necessarily requiring or implying any actual such relationship or order between such entities or actions. Also, the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or apparatus. Without further limitation, an element defined by the phrase "comprising a ……" does not exclude the presence of additional like elements in a process, method, article, or apparatus that comprises the element.
Of course, the above description is not limited to the above examples, and technical features that are not described in this application may be implemented by or using the prior art, and are not described herein again; instead, the present application has been described in detail with reference to preferred embodiments, and it should be understood by those skilled in the art that changes, modifications, additions or substitutions may be made without departing from the spirit and scope of the present application, which is defined by the following claims.

Claims (9)

1. A certificateless key management method based on a blockchain, the method comprising:
initializing a block chain key management platform, wherein the block chain key management platform is used for auditing PKGs of each autonomous domain, and the PKGs of different autonomous domains obey a unique consensus mechanism;
the PKGs in their respective administrative domains receive the key management request of a user in the domain and generate key management data, wherein the key management data comprise: the autonomous domain public parameter, the key information, the user key update data and the user key revocation data; generating the key information comprises: the PKG and the user in the autonomous domain generate a public and private key pair of the user through a certificateless key generation algorithm; different user identity authentication and verification processes are carried out according to the application scenario and the importance level of the key, and a key of high importance level is transmitted through physical equipment; the user applies to the PKG, the PKG authenticates the identity of the user and determines that the user has a unique identity in the trust domain, and the PKG and the user generate a public and private key pair for the user from the information they exchange; wherein the user private key comprises two secret parts: one part is generated by the PKG by computing on the identity of the user with the PKG private key, namely the partial private key of the user, which must be transmitted to the user through a secure channel; the other part is generated locally by the user; once the private key is determined, the public key information of the user is determined; the user key pair is authenticated by the PKG (public key gateway) to generate a user public key information item, the user public key information item is broadcast to the block chain system, and the block chain nodes reach consensus and record it to complete public key distribution;
the PKG reports the key management data to the block chain key management platform for data uplink;
before any user public key is used, searching the key management data on the link, verifying the validity of the data and obtaining the user public key.
2. The certificateless key management method based on block chain of claim 1, wherein generating an autonomous domain public parameter comprises:
the autonomous domain generates a trust domain identifier, PKG description information, a cryptographic algorithm identifier, a public parameter tuple and a PKG signature;
and the generated information is submitted after the PKGs of the trust domains have been authenticated by the block chain key management platform and become system nodes, wherein one trust domain corresponds to a unique PKG, and the identifier of each trust domain is unique within the block chain key management platform.
3. The blockchain-based certificateless key management method according to claim 1, wherein generating user key update data comprises:
a user puts forward a key updating request in a validity period, and a PKG interacts with the user to respectively generate secret values;
the PKG generates a new public and private key pair with a validity period for the user according to the secret values;
and the PKG encrypts it using the old public key and then sends it to the user, or delivers it to the user through physical equipment.
4. The blockchain-based certificateless key management method of claim 1, wherein generating user key revocation data comprises:
if the private key is leaked within the validity period, a key revocation application needs to be submitted to the PKG;
or if the private key of the PKG is leaked within the validity period, the user is prompted to submit a key revocation application to the PKG.
5. The blockchain-based certificateless key management method of any one of claims 1-4 wherein the PKG reporting the key management data to the blockchain key management platform for data uplink comprises:
the PKG issues the key management data to a block chain key management platform;
and the block chain key management platform receives the key management data and performs data uplink storage after verifying the validity.
6. The method of claim 5, wherein retrieving the key management data on the chain, verifying the validity of the data and obtaining the user public key before using any user public key comprises:
the block chain key management platform opens an inquiry interface for all public key users;
the public key user uses a trust domain query identifier to query any trust domain parameter information, and the trust domain query identifier comprises a unique tuple identifier consisting of the trust domain identifier and a user identity identifier.
7. The method of claim 6, further comprising: when the PKG and the user dispute the public information, the PKG and the user are arbitrated by a third party mechanism according to the digital evidence.
8. A certificateless key management system based on blockchains, the system comprising:
a platform initialization module, used for initializing the block chain key management platform, wherein the block chain key management platform is used for auditing the PKGs of all autonomous domains, and the PKGs of different autonomous domains obey a unique consensus mechanism;
a data generation module, configured for the PKG in each administrative domain to accept the key management request of a user in the domain and generate key management data, wherein the key management data comprise: the autonomous domain public parameter, the key information, the user key update data and the user key revocation data; generating the key information comprises: the PKG and the user in the autonomous domain generate a public and private key pair of the user through a certificateless key generation algorithm; different user identity authentication and verification processes are carried out according to the application scenario and the importance level of the key, and a key of high importance level is transmitted through physical equipment; the user applies to the PKG, the PKG authenticates the identity of the user and determines that the user has a unique identity in the trust domain, and the PKG and the user generate a public and private key pair for the user from the information they exchange; wherein the user private key comprises two secret parts: one part is generated by the PKG by computing on the identity of the user with the PKG private key, namely the partial private key of the user, which is transmitted to the user through a secure channel; the other part is generated locally by the user; once the private key is determined, the public key information of the user is determined; the user key pair is authenticated by the PKG (public key gateway) to generate a user public key information item, the user public key information item is broadcast to the block chain system, and the block chain nodes reach consensus and record it to complete public key distribution;
the data storage module is used for reporting the key management data to the block chain key management platform by the PKG for data uplink;
and the data query module is used for searching the key management data on the link before using any user public key, verifying the validity of the data and obtaining the user public key.
9. A terminal, comprising:
a processor;
a memory for storing computer executable instructions;
when the processor executes the computer-executable instructions, the processor performs the method of any one of claims 1 to 7, implements a blockchain-based certificateless key management method, and manages a certificateless public key.
CN202010708020.XA 2020-07-22 2020-07-22 Certificate-free key management method, system and terminal based on block chain Active CN111865988B (en)
Publications (2)

Publication Number Publication Date
CN111865988A CN111865988A (en) 2020-10-30
CN111865988B true CN111865988B (en) 2022-10-18
Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant