CN116264691A - Authentication method, authentication device, authentication platform and storage medium - Google Patents


Info

Publication number
CN116264691A
Authority
CN
China
Prior art keywords
authentication
proposal
request
terminal
node
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN202111528311.1A
Other languages
Chinese (zh)
Inventor
黄晓婷
任兰芳
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
China Mobile Communications Group Co Ltd
China Mobile Communications Ltd Research Institute
Original Assignee
China Mobile Communications Group Co Ltd
China Mobile Communications Ltd Research Institute
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by China Mobile Communications Group Co Ltd and China Mobile Communications Ltd Research Institute
Priority to CN202111528311.1A
Publication of CN116264691A
Legal status: Pending

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04W WIRELESS COMMUNICATION NETWORKS
    • H04W 12/00 Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W 12/06 Authentication
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06Q INFORMATION AND COMMUNICATION TECHNOLOGY [ICT] SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES; SYSTEMS OR METHODS SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES, NOT OTHERWISE PROVIDED FOR
    • G06Q 40/00 Finance; Insurance; Tax strategies; Processing of corporate or income taxes
    • G06Q 40/04 Trading; Exchange, e.g. stocks, commodities, derivatives or currency exchange
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/08 Network architectures or network communication protocols for network security for authentication of entities
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 67/00 Network arrangements or protocols for supporting network services or applications
    • H04L 67/01 Protocols
    • H04L 67/10 Protocols in which an application is distributed across nodes in the network
    • H04L 67/104 Peer-to-peer [P2P] networks
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L 9/32 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L 9/3247 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving digital signatures
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04W WIRELESS COMMUNICATION NETWORKS
    • H04W 12/00 Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W 12/10 Integrity

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Business, Economics & Management (AREA)
  • Finance (AREA)
  • Accounting & Taxation (AREA)
  • Development Economics (AREA)
  • General Engineering & Computer Science (AREA)
  • Computing Systems (AREA)
  • Computer Hardware Design (AREA)
  • Economics (AREA)
  • Marketing (AREA)
  • Strategic Management (AREA)
  • Technology Law (AREA)
  • Physics & Mathematics (AREA)
  • General Business, Economics & Management (AREA)
  • General Physics & Mathematics (AREA)
  • Theoretical Computer Science (AREA)
  • Financial Or Insurance-Related Operations Such As Payment And Settlement (AREA)

Abstract

The invention discloses an authentication method, an authentication device, an authentication platform and a storage medium. The method comprises the following steps: a server receives an access request from a terminal; generates a security authentication request according to the access request; and queries an authentication platform according to the security authentication request to determine the authentication result of the terminal corresponding to the security authentication request. The authentication platform is built on a blockchain network that comprises at least one confirmation node; each confirmation node stores the same ledger data, and the ledger data is generated from the security authentication information of one or more servers.

Description

Authentication method, authentication device, authentication platform and storage medium
Technical Field
The present invention relates to the field of network information security, and in particular, to an authentication method, an authentication device, an authentication platform, and a storage medium.
Background
In the related art, a secondary authentication procedure is used for authentication between a terminal and a Data Network (DN), where the data network is owned by the application provider and lies outside the operator domain. Secondary authentication exists because the application provider does not always trust the operator's authentication result and wants to authenticate the terminal itself rather than rely solely on the initial authentication provided by the operator. Specifically, a malicious user who accesses the data network after passing the operator's primary authentication may launch a denial of service (DoS) attack on the data network. Secondary authentication therefore lets the application provider authenticate the user before the operator establishes a user-plane connection to the data network for that user, which effectively reduces DoS attacks by malicious users on the data network.
In practice, because of the cost of provisioning and managing authentication credentials, not every application provider, in particular small and medium-sized ones, can perform secondary authentication, yet such providers are also unwilling to rely on the operator's initial authentication result alone. How to secure data network access for these application providers is therefore a problem to be solved.
Disclosure of Invention
In view of the above, a primary object of the present invention is to provide an authentication method, an authentication device, an authentication platform and a storage medium.
In order to achieve the above purpose, the technical scheme of the invention is realized as follows:
An embodiment of the invention provides an authentication method applied to a server, comprising:
receiving an access request from a terminal;
generating a security authentication request according to the access request;
querying an authentication platform according to the security authentication request and determining the authentication result of the terminal corresponding to the security authentication request;
wherein the authentication platform is built on a blockchain network that comprises at least one confirmation node; each confirmation node stores the same ledger data; and the ledger data is generated from the security authentication information of one or more servers.
In the above scheme, the method further comprises:
sending a proposal request to the blockchain network, the proposal request being used to put terminal information on the chain (terminal information uplink);
receiving a proposal response from the blockchain network, the proposal response including at least a read-write set, which defines the newly added and/or modified content in the ledger of an endorsing node;
generating a transaction according to the proposal request and the proposal response;
sending a transaction proposal to the blockchain network, where the blockchain network packages the transaction proposal into a block and broadcasts the block to each confirmation node in the blockchain network for storage.
In the above scheme, the server corresponds to one or more endorsing nodes;
when a plurality of endorsing nodes correspond to the server, receiving the proposal response from the blockchain network comprises:
receiving the proposal responses sent by the plurality of endorsing nodes;
determining the read-write set in the proposal response of each of the plurality of endorsing nodes;
when the content of the plurality of read-write sets is consistent, generating the transaction according to the proposal request and the proposal responses;
and when the content of the plurality of read-write sets is inconsistent, re-sending the proposal request until the content of the received read-write sets is consistent.
In the above scheme, the server is one of: an operator server, an application provider and a service provider;
the terminal information includes at least one of: terminal attribute information, terminal historical network behaviour, terminal network reputation and a terminal blacklist.
An embodiment of the invention provides an authentication method applied to an authentication platform, comprising:
receiving a security authentication request from a server;
querying ledger data according to the security authentication request to obtain the authentication result of the terminal corresponding to the security authentication request;
wherein the authentication platform is built on a blockchain network that comprises at least one confirmation node; each confirmation node stores the same ledger data; and the ledger data is generated from the security authentication information of one or more servers.
In the above scheme, the blockchain network includes an endorsing node, an ordering node and a confirmation node;
the method further comprises:
the endorsing node receives a proposal request from a server, the proposal request being used to put terminal information on the chain;
the endorsing node generates a read-write set according to the proposal request and sends a proposal response to the server, the proposal response including at least the read-write set, which defines the newly added and/or modified content in the ledger of the endorsing node;
the ordering node receives a transaction proposal from the server, packages the transaction proposal into a block and broadcasts the block to the blockchain network;
each confirmation node in the blockchain network receives the block and writes it to its own ledger data.
In the above scheme, generating the read-write set according to the proposal request comprises:
verifying whether the proposal request meets preset requirements and, when it does, invoking chaincode and querying the endorsing node's own ledger, which stores the information of all terminals in the current blockchain network;
simulating execution of the proposal request and updating the ledger according to the proposal request;
and determining the newly added and/or modified content in the updated ledger and generating the read-write set from that content.
In the above scheme, the server includes at least one of: an operator, an application provider and a service provider;
the terminal information includes at least one of: terminal attribute information, terminal historical network behaviour, terminal network reputation and a terminal blacklist.
An embodiment of the invention provides an authentication device applied to a server, comprising:
a first communication module for receiving an access request from a terminal;
a first processing module for generating a security authentication request according to the access request, and for querying an authentication platform according to the security authentication request to determine the authentication result of the terminal corresponding to the security authentication request;
wherein the authentication platform is built on a blockchain network that comprises at least one confirmation node; each confirmation node stores the same ledger data; and the ledger data is generated from the security authentication information of one or more servers.
In the above scheme, the first communication module is further configured to send a proposal request to the blockchain network, the proposal request being used to put terminal information on the chain;
and to receive a proposal response from the blockchain network, the proposal response including at least the read-write set, which defines the newly added and/or modified content in the ledger of an endorsing node;
the first processing module is further configured to generate a transaction according to the proposal request and the proposal response;
the first communication module is further configured to send a transaction proposal to the blockchain network, where the blockchain network packages the transaction proposal into a block and broadcasts the block to each confirmation node in the blockchain network for storage.
In the above scheme, the server corresponds to one or more endorsing nodes;
when a plurality of endorsing nodes correspond to the server, the first communication module is configured to receive the proposal responses sent by the plurality of endorsing nodes;
the first processing module is further configured to determine the read-write set in the proposal response of each of the plurality of endorsing nodes;
to generate the transaction according to the proposal request and the proposal responses when the content of the plurality of read-write sets is consistent;
and to re-send the proposal request when the content of the plurality of read-write sets is inconsistent, until the content of the received read-write sets is consistent.
In the above scheme, the server is one of: an operator server, an application provider and a service provider;
the terminal information includes at least one of: terminal attribute information, terminal historical network behaviour, terminal network reputation and a terminal blacklist.
An embodiment of the invention provides an authentication platform, comprising:
a second communication module for receiving a security authentication request from a server;
a second processing module for querying ledger data according to the security authentication request to obtain the authentication result of the terminal corresponding to the security authentication request;
wherein the authentication platform is built on a blockchain network that comprises at least one confirmation node; each confirmation node stores the same ledger data; and the ledger data is generated from the security authentication information of one or more servers.
In the above scheme, the blockchain network includes an endorsing node, an ordering node and a confirmation node;
the endorsing node includes a first sub-communication module and a first sub-processing module;
the ordering node includes a second sub-communication module and a second sub-processing module;
the confirmation node includes a third sub-communication module and a third sub-processing module;
the first sub-communication module of the endorsing node is configured to receive a proposal request from a server, the proposal request being used to put terminal information on the chain;
the first sub-processing module of the endorsing node is configured to generate a read-write set according to the proposal request and to send a proposal response to the server, the proposal response including at least the read-write set, which defines the newly added and/or modified content in the ledger of the endorsing node;
the second sub-communication module of the ordering node is configured to receive a transaction proposal from the server;
the second sub-processing module is configured to package the transaction proposal into a block and broadcast the block to the blockchain network;
and the third sub-communication module of each confirmation node in the blockchain network is configured to receive the block, while the third sub-processing module is configured to write the block to the node's own ledger data.
In the above scheme, the first sub-processing module is configured to verify whether the proposal request meets a preset requirement and, when it does, to invoke chaincode and query the endorsing node's own ledger, which stores the information of all terminals in the current blockchain network;
to simulate execution of the proposal request and update the ledger according to the proposal request;
and to determine the newly added and/or modified content in the updated ledger and generate the read-write set from that content.
In the above scheme, the server includes at least one of: an operator, an application provider and a service provider;
the terminal information includes at least one of: terminal attribute information, terminal historical network behaviour, terminal network reputation and a terminal blacklist.
An embodiment of the invention provides an authentication device comprising a memory, a processor and a computer program stored in the memory and runnable on the processor, wherein the processor, when executing the program, implements the steps of any one of the server-side methods, or alternatively the steps of any one of the authentication-platform-side methods.
An embodiment of the invention also provides a computer-readable storage medium on which a computer program is stored; when executed by a processor, the computer program implements the steps of any one of the server-side methods, or alternatively the steps of any one of the authentication-platform-side methods.
An embodiment of the invention provides an authentication method, an authentication device, an authentication platform and a storage medium. In the authentication method, a server receives an access request from a terminal, generates a security authentication request according to the access request, and queries an authentication platform according to the security authentication request to determine the authentication result of the terminal corresponding to the security authentication request; the authentication platform is built on a blockchain network that comprises at least one confirmation node; each confirmation node stores the same ledger data; and the ledger data is generated from the security authentication information of one or more servers.
Correspondingly, the authentication platform receives the security authentication request from the server and queries the ledger data according to it to obtain the authentication result of the corresponding terminal.
In this way, the authentication platform built on the blockchain network holds the terminal information of every server, and authentication uses the terminal information shared by all servers, so that servers can perform access control based on the collected terminal information without deploying their own identity verification systems.
Drawings
Fig. 1 is a flow chart of a secondary authentication method;
Fig. 2 is a schematic flow chart of an authentication method according to an embodiment of the present invention;
Fig. 3 is a flow chart of another authentication method according to an embodiment of the present invention;
Fig. 4 is a schematic structural diagram of an authentication system according to an embodiment of the present invention;
Fig. 5 is a flow chart of a terminal information uplink method provided by an application embodiment of the present invention;
Fig. 6 is a flow chart of an authentication method according to an embodiment of the present invention;
Fig. 7 is a schematic structural diagram of an authentication device according to an embodiment of the present invention;
Fig. 8 is a schematic structural diagram of an authentication platform according to an embodiment of the present invention;
Fig. 9 is a schematic structural diagram of another authentication device according to an embodiment of the present invention.
Detailed Description
The related art is described before the present invention is described in further detail with reference to embodiments.
The precondition for secondary authentication is that the terminal has already accessed the operator's network, such as a fourth generation mobile communication technology (4G) network or a fifth generation mobile communication technology (5G) network, and has successfully completed the initial authentication. In addition, if an application provider wants to use the secondary authentication capability, its authentication credentials must be pre-stored in the user terminal. One notable design choice of secondary authentication is its use of the Extensible Authentication Protocol (EAP) framework. Since the EAP framework is widely used on the Internet, using it for secondary authentication accommodates the various credential types and authentication methods used by different third-party service providers.
Taking the 5G network as an example, in the secondary authentication procedure the Session Management Function (SMF) of the 5G network acts as the EAP authenticator, and the authentication server of the external data network (DN-AAA, Data Network Authentication, Authorization and Accounting) acts as the EAP backend authentication server.
As shown in Fig. 1, when a terminal (UE) requests the SMF to establish a user-plane Protocol Data Unit (PDU) session, the SMF decides whether a secondary authentication procedure is required according to the end user's registration information and local policy. If so, the SMF initiates the EAP authentication flow and triggers the exchange of EAP authentication messages between the terminal and the DN-AAA; when authentication succeeds, the SMF continues the PDU session establishment flow to establish the PDU session between the terminal and the DN-AAA.
The present invention will be described in further detail with reference to examples.
Fig. 2 is a schematic flow chart of an authentication method according to an embodiment of the present invention; as shown in Fig. 2, the method can be applied to a server and comprises the following steps:
step 201, receiving an access request from a terminal;
step 202, generating a security authentication request according to the access request;
step 203, querying an authentication platform according to the security authentication request and determining the authentication result of the terminal corresponding to the security authentication request;
wherein the authentication platform is built on a blockchain network that comprises at least one confirmation node; each confirmation node stores the same ledger data; and the ledger data is generated from the security authentication information of one or more servers.
The server is one of: an operator server, an application provider (AP) and a service provider (SP).
The operator server belongs to a provider of network services, such as a mobile operator.
The application provider and the service provider provide applications and/or services to the terminal through a data network (DN); for example, the provider of an APP (application) or the provider of a service platform (such as water and electricity bill payment, shopping, flight enquiry, etc.).
The terminal is a device that uses applications and/or services by accessing a data network (DN), such as a mobile phone, smart phone, notebook computer, digital broadcast receiver, personal digital assistant (PDA), tablet computer (PAD), portable multimedia player (PMP), wearable device (such as a smart bracelet or smart watch), navigation device, etc.
In practice, the operator server, the application providers and the service providers can each put their own terminal information on the chain, so that the terminal information of the operator server, each application provider and each service provider is shared.
The terminal's access request can carry the identity of the terminal; correspondingly, the generated security authentication request also carries the identity of the terminal, and the authentication platform is queried on the basis of that identity to determine the authentication result of the terminal corresponding to the security authentication request.
On this basis, in some embodiments, the method further comprises:
sending a proposal request to the blockchain network, the proposal request being used to put terminal information on the chain;
receiving a proposal response from the blockchain network, the proposal response including at least the read-write set, which defines the newly added and/or modified content in the ledger of an endorsing node;
generating a transaction according to the proposal request and the proposal response;
sending a transaction proposal to the blockchain network, where the blockchain network packages the transaction proposal into a block and broadcasts the block to each confirmation node in the blockchain network for storage.
Specifically, the server (which may be an operator server, an application provider or a service provider) generates a proposal request from its own terminal information and sends it to one or more endorsing nodes in the blockchain network; an endorsing node receives the proposal request, generates a read-write set according to it, and sends a proposal response comprising the read-write set back to the server; the read-write set defines the newly added and/or modified content in the ledger of the endorsing node.
The server receives the proposal response from the endorsing node, generates a transaction from the proposal request and the proposal response, and then sends a transaction proposal to an ordering node in the blockchain network; the ordering node receives the transaction proposal, packages it into a block and broadcasts the block to each confirmation node in the blockchain network; each confirmation node receives the block and writes it to its own ledger data.
In practice, verification is also involved in the on-chain process. For example, after the server generates a proposal request it signs the request; the endorsing node that receives it first verifies whether the sender's signature is legal and then checks whether the request is a replay of an earlier request; if either check fails, the request is refused outright, and the endorsement operation is executed only for legal, non-replayed proposal requests.
As another example, after receiving a signed proposal response from an endorsing node, the server first verifies whether the signature is legal and only then packages the proposal response into a transaction. Further, if the server's on-chain process involves a plurality of endorsing nodes, it must also check whether the read-write sets in the proposal responses returned by those endorsing nodes are consistent, and package them into a transaction only when the read-write sets of all endorsing nodes are determined to be consistent.
Likewise, after each confirmation node receives a block it can perform a format check, a duplicate check and/or a signature check; once the block passes, it is split into its transactions and the endorsement signatures of each transaction are verified; next, read-write set conflict checks and the like are performed on all transactions in the block.
In some embodiments, the server corresponds to one or more endorsing nodes;
when a plurality of endorsing nodes correspond to the server, receiving the proposal response from the blockchain network comprises:
receiving the proposal responses sent by the plurality of endorsing nodes;
determining the read-write set in the proposal response of each of the plurality of endorsing nodes;
when the content of the plurality of read-write sets is consistent, generating the transaction according to the proposal request and the proposal responses;
and when the content of the plurality of read-write sets is inconsistent, re-sending the proposal request until the content of the received read-write sets is consistent.
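The on-chain flow and its checks (proposal signing, replay rejection and endorsement-signature checks from the paragraphs above, the read-write set consistency check with re-sending, and the conflict check at the confirmation node), modelled in Python as an added example that is not part of the patent; HMAC-SHA256 stands in for the digital signatures and every class and field name is an assumption:

```python
"""Added example, not the patent's code: a minimal model of the terminal
information uplink flow above, showing the checks the text names. The
endorsing node verifies the proposal signature and refuses replays; the
server verifies each endorsement signature and requires the read-write
sets of all endorsing nodes to agree, re-sending the proposal with a
fresh nonce otherwise; the confirmation node runs a read-write set
conflict check before writing to its ledger. HMAC-SHA256 stands in for
the digital signatures; all class and field names are assumptions."""
import hashlib
import hmac
import json
import secrets


def canonical(obj) -> bytes:
    return json.dumps(obj, sort_keys=True).encode()


def sign(key: bytes, payload) -> str:
    # Stand-in for a digital signature (assumption: one shared HMAC key).
    return hmac.new(key, canonical(payload), hashlib.sha256).hexdigest()


def verify(key: bytes, payload, sig: str) -> bool:
    return hmac.compare_digest(sign(key, payload), sig)


class EndorsingNode:
    def __init__(self, name: str, key: bytes, ledger: dict):
        self.name, self.key = name, key
        self.ledger = ledger        # this node's copy of the ledger
        self.seen_nonces = set()    # proposals already endorsed

    def endorse(self, proposal: dict, sig: str):
        """Return (proposal_response, signature), or None if refused."""
        if not verify(self.key, proposal, sig):
            return None             # sender signature not legal
        if proposal["nonce"] in self.seen_nonces:
            return None             # replay of an earlier proposal
        self.seen_nonces.add(proposal["nonce"])
        tid = proposal["terminal_id"]
        before = self.ledger.get(tid, {})
        after = {**before, **proposal["info"]}   # simulated execution only
        rwset = {"read": {tid: before}, "write": {tid: after}}
        response = {"endorser": self.name, "rwset": rwset}
        return response, sign(self.key, response)


class Server:
    def __init__(self, key: bytes, endorsers, max_attempts: int = 3):
        self.key, self.endorsers, self.max_attempts = key, endorsers, max_attempts

    def uplink(self, terminal_id: str, info: dict):
        """Build a transaction once every endorser returns the same rwset."""
        for _ in range(self.max_attempts):
            proposal = {"terminal_id": terminal_id, "info": info,
                        "nonce": secrets.token_hex(8)}  # fresh nonce per send
            responses = []
            for node in self.endorsers:
                result = node.endorse(proposal, sign(self.key, proposal))
                if result is None:
                    return None     # proposal refused by an endorser
                response, sig = result
                if not verify(node.key, response, sig):
                    return None     # endorsement signature not legal
                responses.append(response)
            if len({canonical(r["rwset"]) for r in responses}) == 1:
                return {"proposal": proposal, "responses": responses}
        return None                 # read-write sets never became consistent


class ConfirmationNode:
    def __init__(self, ledger: dict):
        self.ledger = ledger

    def commit_block(self, block: list) -> list:
        """Apply each transaction whose read set still matches the ledger."""
        valid = []
        for tx in block:
            rwset = tx["responses"][0]["rwset"]
            # Conflict check: the state read at endorsement time must be
            # unchanged; otherwise the transaction is marked invalid.
            if all(self.ledger.get(k, {}) == v for k, v in rwset["read"].items()):
                self.ledger.update(rwset["write"])
                valid.append(True)
            else:
                valid.append(False)
        return valid
```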
In some embodiments, the terminal information includes at least one of: terminal attribute information, terminal historical network behaviour, terminal network reputation and a terminal blacklist.
The authentication result may include at least one of:
the primary authentication result of the operator server, a hash value of important terminal information, terminal attribute information, terminal network reputation and the terminal blacklist.
The terminal attribute information may include the gender of the user to whom the terminal corresponds, the user's network age (length of subscription) and the like;
the terminal historical network behaviour includes abnormal behaviour of the terminal on the network and the like;
the terminal network reputation can be a reputation score given to the terminal by the operator server, an application provider or a service provider, such as good or bad;
the terminal blacklist can indicate whether the operator server, an application provider or a service provider has added the terminal to its blacklist; further, the terminal blacklist can record which of them (the operator server, or a specific application provider or service provider) did so.
The primary authentication result may refer to the result of the operator's primary authentication;
the hash value of important information is used to mark information that is not exposed: since the terminal may hold sensitive information that cannot be disclosed, only the hash value of that information is recorded, so that the original content is never displayed.
Fig. 3 is a schematic flow chart of an authentication method according to an embodiment of the present invention; as shown in fig. 3, the method can be applied to an authentication platform and comprises the following steps:
Step 301, receiving a security authentication request from a server;
Step 302, querying ledger data according to the security authentication request to obtain an authentication result of the terminal corresponding to the security authentication request;
wherein the authentication platform is built on a blockchain network that comprises at least one confirmation node; each of the at least one confirmation node stores the same ledger data; and the ledger data is generated based on the security authentication information of one or more servers.
In some embodiments, the blockchain network may be constructed by the operator server, the application provider and the service provider, each of which may provide a device or communication node to build the authentication platform; the device or communication node performs part of the endorsement function on the one hand and the transaction confirmation function on the other, i.e. it may serve both as an endorsement node and as a confirmation node.
Receiving the security authentication request from the server comprises:
any one of the confirmation nodes in the blockchain network receives a security authentication request sent by the data network of the server to which the confirmation node belongs or with which it is associated;
the security authentication request carries an identifier of the terminal to be authenticated.
In some embodiments, the blockchain network includes an endorsement node, an ordering node and a confirmation node;
the method further comprises:
the endorsement node receives a proposal request from a server; the proposal request is used to write terminal information to the chain;
the endorsement node generates a read set according to the proposal request and sends a proposal response to the server; the proposal response includes at least the read set, which defines the newly added content and/or modified content in the ledger of the endorsement node;
the ordering node receives a transaction proposal from the server, packages the transaction proposal into a block and broadcasts the block to the blockchain network;
each confirmation node in the blockchain network receives the block and writes it to its own ledger data.
Specifically, the server (which may be an operator server, an application provider or a service provider) generates a proposal request from its own terminal information and sends it to one or more endorsement nodes in the blockchain network; the endorsement node receives the proposal request, generates a read set according to it, and sends a proposal response including the read set back to the server; the read set defines the newly added content and/or modified content in the ledger of the endorsement node.
The server receives the proposal response from the endorsement node, generates a transaction according to the proposal request and the proposal response, and then sends a transaction proposal to an ordering node in the blockchain network; the ordering node receives the transaction proposal, packages it into a block and broadcasts the block to each confirmation node in the blockchain network; each confirmation node receives the block and writes it to its own ledger data.
Of course, in practice verification is also involved in the on-chain write process. For example, after generating a proposal request, the server signs it; on receiving the proposal request, the corresponding endorsement node first verifies whether the sender's signature is legal and then checks whether the proposal request is a replay of a previous request; if either check fails, the request is rejected directly, and the endorsement operation is performed only for legal, non-replayed proposal requests.
For another example, after receiving a signed proposal response from an endorsement node, the server first verifies whether the signature is legal and, if so, packages the proposal response into a transaction. If the server's on-chain write involves a plurality of endorsement nodes, it further needs to check whether the read sets in the proposal responses returned by the endorsement nodes are consistent, and packages the proposal responses into a transaction only after determining that the read sets of the endorsement nodes are consistent.
Of course, after each confirmation node receives the block, a format check, a repeatability (duplicate) check and/or a signature check may be performed; after these checks pass, the block is unpacked into its transactions and the endorsement signatures are verified; next, read-write set conflict checks and the like are performed on all transactions in the block.
In some embodiments, generating the read set according to the proposal request includes:
verifying whether the proposal request meets preset requirements and, when it does, invoking the chaincode and querying the endorsement node's own ledger; the ledger stores the information of all terminals in the current blockchain network;
simulating execution of the proposal request and updating the ledger according to the proposal request;
and determining the newly added content and/or modified content in the ledger from the updated ledger, and generating the read set from that newly added and/or modified content.
The preset requirements include at least one of:
whether the signature of the proposal request is legal, and whether the proposal request is a replay of a previous request;
correspondingly, after determining that the signature of the proposal request is legal and/or that the proposal request is not a replay of a previous request, the endorsement node simulates execution of the proposal request by invoking the chaincode (S1) and querying the ledger (L1), updates the ledger according to the proposal request, and then determines the newly added content and/or modified content from the updated ledger.
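The endorsement step just described, together with the earlier server-side check that the read sets of several endorsement nodes agree, as an added Python example that is not part of the patent: the endorsement node verifies the sender's signature, rejects a replayed proposal, simulates the chaincode against its ledger to produce the read set (the key and version it read) and the write set, and signs the response; the server accepts the responses only when all read sets match and otherwise re-proposes with a fresh transaction id. The HMAC-based sign/verify helpers, the node names P1/P2, the key layout and the ledger contents are constructed assumptions.

```python
import hashlib
import hmac
import json

# Constructed key material. An HMAC with a shared key stands in for the
# asymmetric signatures a real Fabric deployment uses; the sign/verify
# shape of the exchange is the same.
KEYS = {"operator": b"operator-demo-key", "P1": b"p1-demo-key", "P2": b"p2-demo-key"}


def canonical(payload: dict) -> bytes:
    return json.dumps(payload, sort_keys=True).encode()


def sign(signer: str, payload: dict) -> str:
    return hmac.new(KEYS[signer], canonical(payload), hashlib.sha256).hexdigest()


def verify(signer: str, payload: dict, sig: str) -> bool:
    return signer in KEYS and hmac.compare_digest(sign(signer, payload), sig)


class EndorsementNode:
    """An endorsement node (P1 in the text) with its own ledger (L1).
    The ledger maps key -> (version, value) and holds every terminal's record;
    the version the endorser read is what the read set records."""

    def __init__(self, name: str, ledger: dict):
        self.name = name
        self.ledger = ledger
        self.seen_txids = set()  # proposals already endorsed, for the replay check

    def endorse(self, proposal: dict, sig: str) -> dict:
        # Preset requirement 1: the sender's signature must be legal.
        if not verify(proposal["sender"], proposal, sig):
            return {"error": "illegal signature"}
        # Preset requirement 2: the proposal must not replay an earlier one.
        if proposal["txid"] in self.seen_txids:
            return {"error": "replayed proposal"}
        self.seen_txids.add(proposal["txid"])
        # Simulate chaincode S1 against ledger L1: read the current record
        # (noting its version in the read set) and compute the merged record
        # as the write set. The ledger is NOT modified here; only the
        # confirmation nodes write, after ordering.
        key = "terminal/" + proposal["terminal_id"]
        version, current = self.ledger.get(key, (0, {}))
        response = {"endorser": self.name, "txid": proposal["txid"],
                    "read_set": {key: version},
                    "write_set": {key: {**current, **proposal["terminal_info"]}}}
        return {"response": response, "sig": sign(self.name, response)}


def collect_endorsements(endorsers, make_proposal, max_attempts=3):
    """Server-side step: send the proposal to every endorsement node and accept
    the responses only when all read sets agree. The text resends until they
    agree; bounding the retries avoids spinning forever on a node that never
    catches up."""
    for _ in range(max_attempts):
        proposal = make_proposal()
        sig = sign(proposal["sender"], proposal)
        responses = []
        for node in endorsers:
            reply = node.endorse(proposal, sig)
            if "error" in reply:
                return None  # rejected outright: illegal signature or replay
            resp = reply["response"]
            if not verify(resp["endorser"], resp, reply["sig"]):
                return None  # endorsement signature does not check out
            responses.append(reply)
        read_sets = [r["response"]["read_set"] for r in responses]
        if all(rs == read_sets[0] for rs in read_sets):
            return {"proposal": proposal, "endorsements": responses}
        # Read sets differ (e.g. one node's ledger lags): re-propose.
    return None


def make_proposal_factory(terminal_id: str, info: dict):
    """Each resend gets a fresh txid so it is not mistaken for a replay."""
    counter = {"n": 0}

    def make() -> dict:
        counter["n"] += 1
        return {"sender": "operator", "txid": f"{terminal_id}-{counter['n']}",
                "terminal_id": terminal_id, "terminal_info": info}
    return make


def demo() -> dict:
    # Constructed ledgers: P1 and P2 both hold version 1 of the record.
    base = {"terminal/imsi-001": (1, {"reputation": "good"})}
    info = {"blacklisted_by": ["AP1"]}
    p1, p2 = EndorsementNode("P1", dict(base)), EndorsementNode("P2", dict(base))
    ok = collect_endorsements([p1, p2], make_proposal_factory("imsi-001", info))
    # Replay: the same signed proposal presented to P1 a second time.
    proposal = ok["proposal"]
    replay = p1.endorse(proposal, sign("operator", proposal))
    # Inconsistent: a lagging P2 still at version 0 never agrees with P1,
    # so the server gives up after max_attempts.
    stale = collect_endorsements([EndorsementNode("P1", dict(base)), EndorsementNode("P2", {})],
                                 make_proposal_factory("imsi-001", info))
    return {"ok": ok, "replay": replay, "stale": stale}
```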
In some embodiments, the server includes at least one of: an operator server, an application provider and a service provider;
the terminal information includes at least one of: terminal attribute information, terminal historical network behavior, terminal network reputation, and terminal blacklist.
The authentication result may include at least one of:
the primary authentication result of the operator server, hash values of important terminal information, terminal attribute information, terminal network reputation, and terminal blacklist.
The terminal attribute information may include: the gender, network service age and the like of the user corresponding to the terminal;
the terminal historical network behavior includes: abnormal behavior of the terminal on the network, and the like;
the terminal network reputation may be a reputation score given to the corresponding terminal by the operator server, the application provider and the service provider, such as good, bad and the like;
the terminal blacklist may indicate whether the operator server, the application provider or the service provider has added the terminal to a blacklist, and may further record which of the operator server, application provider or service provider did so.
The primary authentication result may refer to the result of the operator's primary authentication;
the hash value of important information is used to mark information that is not disclosed: considering that the terminal may hold sensitive information that cannot be published, the hash value of that information is recorded instead of the original content.
The embodiment of the invention provides a blockchain-based secondary authentication system that enables operators and application providers to share terminal information with each other securely; the terminal information may include terminal identity information, terminal attribute information, terminal network reputation, terminal blacklists, terminal historical network behavior, and the like.
Fig. 4 shows a blockchain-based secondary authentication system according to an embodiment of the present invention; as shown in fig. 4, the system may include a terminal (UE), an operator (corresponding to the operator server), an application provider, and a service provider.
The operator and the application provider collect and integrate the terminal information of each terminal that they have obtained. The terminal information is related to identity verification and authorization and comprises terminal identity information, terminal attribute information, terminal network reputation, terminal blacklists, terminal historical network behavior and the like.
For operators, current access control is based on Authentication and Key Agreement (AKA), which relies on a symmetric key shared between the operator network and the Subscriber Identity Module (SIM) card or Universal Subscriber Identity Module (USIM). With this architecture, operators can additionally be given fine-grained user authentication and authorization control to keep malicious users off the network or services, by taking terminal attribute information, terminal historical network behavior, terminal network reputation, terminal blacklists and the like into account during the initial authentication performed by the operator.
In addition, during network operation the mobile operator may collect or analyze security-related information from network entities, network management systems and security devices, including security threats, attack events, risk alerts, disposal responses and the like. The results of analyzing this information can be written to the blockchain and shared. Operators, application providers and service providers can then block potential malicious users or malicious events in time, improving the overall security protection capability of the whole network and all applications, so that the network and the applications accessed by users are controlled more flexibly, intelligently and securely.
The embodiment of the invention provides a blockchain platform for authentication information sharing, built on Hyperledger Fabric (an open-source, enterprise-grade, permissioned distributed ledger platform), into which authentication information is written; the platform is constructed jointly by operators and application providers. The operator acts as a client and sends a proposal request to write user information to the blockchain; the procedure is the same when an application provider sends a proposal request as a client.
The method provided by the embodiment of the invention can use the consortium chain Hyperledger as the blockchain platform for sharing authentication information, and involves Peer nodes and Order nodes. A Peer node carries part of the endorsement function on the one hand and the transaction confirmation function on the other. Here, writing each piece of user information to the chain is equivalent to one transaction, and the whole transaction process involves three stages: endorsement, ordering and confirmation. The Peer nodes and Order nodes in the blockchain platform are constructed jointly by the operator of the 5G network, the application providers and the service providers.
Taking the operator's User Plane Function (UPF) as the entity that initiates the request to write terminal information to the chain, Application Provider 1 (AP1) as the entity that initiates the request to write terminal attribute information, and Service Provider 1 (SP1) likewise as examples, the procedure for writing terminal information and terminal attribute information to the chain is shown in fig. 5.
Here, before using Hyperledger Fabric, the operator and application provider AP1 can deploy and install the corresponding Software Development Kit (SDK), with which the on-chain write requests can be packaged into messages conforming to the system's Application Programming Interface (API) requirements, and the request can specify the chaincode method to invoke, i.e. exactly who is to endorse it. Meanwhile, Hyperledger Fabric requires a signature at each stage of the transaction to prevent messages from being forged or tampered with.
Taking the operator's writing of terminal information to the chain as an example, the method comprises the following steps:
Step 501, the operator sends a proposal request;
specifically, step 501 comprises: after generating and signing a proposal request for writing terminal information to the chain using the SDK, the operator sends the proposal request to an endorsement node (denoted P1).
Here, node P2 does not undertake endorsement work for operator-related transactions, so the request is not sent to node P2.
Step 502, after receiving the proposal request, node P1 invokes the chaincode and queries the Ledger;
specifically, after receiving the proposal request, node P1 first verifies whether the signature of the sender of the proposal request is legal, and then checks whether the proposal request is a replay of a previous request;
if the signature is illegal and/or the request is a replay, the request is rejected directly;
if the signature is legal and the proposal request is not a replay, node P1 simulates execution of the proposal request by invoking the chaincode S1 and querying ledger L1, to determine whether executing it is reasonable;
after node P1 completes the simulated execution, an endorsement response and a read-write set are generated, where the read-write set determines exactly which content the user adds or modifies;
node P1 signs the endorsement response and the read-write set and returns them to the operator.
Note that, since all information of all terminals in the current blockchain is stored in ledger L1, whether a new terminal is added, terminal information is added, or existing terminal information is updated can be confirmed by querying ledger L1.
Step 503, after receiving the signed proposal response from node P1, the operator first verifies whether the signature is legal, and then checks whether the proposal responses are consistent.
In this embodiment the UPF uses only one endorsement node (i.e. P1); in an actual application scenario, several nodes may complete the endorsement. In that case the UPF needs to compare whether the proposal responses returned by all endorsement nodes are consistent; if they are inconsistent, the endorsement fails and the UPF must re-initiate the proposal request and ask each endorsement node to endorse again.
Step 504, the operator packages the proposal request and proposal response into a transaction proposal and submits it to the ordering node, requesting that the transaction be ordered.
The transaction proposal comprises: the read-write set and the signature of the endorsement node.
Step 505, the ordering node receives the transaction proposal and generates a Block according to it;
specifically, the ordering node receives the transaction proposal sent by the operator and verifies the operator's signature.
To perform this operation the ordering node does not need to inspect the whole content of the transaction; it simply receives transactions from all servers in the network, packages all received transactions into blocks of a certain size according to a preset consensus mechanism, signs the blocks, and broadcasts the packaged blocks to all confirmation nodes in the blockchain platform.
The confirmation nodes comprise node P1 and node P2;
depending on the actual application scenario, they may further include node P3, node P4, … node Pn.
Step 506, the confirmation node receives the Block and updates its ledger according to the received Block.
Here, the confirmation nodes comprise node P1 and node P2; both node P1 and node P2 perform the operations of step 506.
Updating the ledger according to the received Block includes:
first, performing a format check, a repeatability (duplicate) check and a signature check on the received Block;
then, unpacking the Block into transactions and verifying the endorsement signatures;
then, performing a read-write set conflict check on all transactions in the Block;
finally, node P1 writes the entire Block into ledger L1, and node P2 writes the entire Block into ledger L2.
The Block written to the ledger is almost identical to the Block received from the Order node, except that each transaction in the Block carries a valid or invalid tag.
Therefore, the operator, the application provider and the service provider all hold the same ledger data, and sharing of user identity authentication is achieved.
The procedure for writing the terminal information, terminal network reputation and terminal blacklist of the application provider and the service provider to the chain is similar and is not repeated here.
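Steps 504 to 506 above, as an added Python example that is not part of the patent: the client packages the endorsed read-write set into a transaction, the ordering node batches and signs the block without inspecting transaction content, and each confirmation node runs the duplicate, endorsement-signature and read-write set conflict checks before writing the block with a valid or invalid tag on every transaction, so that P1 and P2 end up with identical ledgers. The HMAC-based sign/verify helpers, the single-endorser policy, the node names and the ledger contents are constructed assumptions.

```python
import hashlib
import hmac
import json

# Constructed key material; an HMAC stands in for the real signatures.
KEYS = {"operator": b"operator-demo-key", "AP1": b"ap1-demo-key",
        "P1": b"p1-demo-key", "orderer": b"orderer-demo-key"}


def canonical(payload) -> bytes:
    return json.dumps(payload, sort_keys=True).encode()


def sign(signer: str, payload) -> str:
    return hmac.new(KEYS[signer], canonical(payload), hashlib.sha256).hexdigest()


def verify(signer: str, payload, sig: str) -> bool:
    return signer in KEYS and hmac.compare_digest(sign(signer, payload), sig)


def make_transaction(sender, txid, read_set, write_set, endorsers) -> dict:
    """Step 504: the client packages the endorsed read-write set into a
    transaction proposal that carries the endorsement signatures."""
    payload = {"txid": txid, "read_set": read_set, "write_set": write_set}
    return {"sender": sender, "payload": payload, "sender_sig": sign(sender, payload),
            "endorsements": [{"endorser": e, "sig": sign(e, payload)} for e in endorsers]}


def order_block(transactions, number: int, prev_hash: str) -> dict:
    """Step 505: the ordering node checks only the submitter's signature,
    batches what it received in order, and signs the block; it does not
    look at the transaction content."""
    accepted = [tx for tx in transactions
                if verify(tx["sender"], tx["payload"], tx["sender_sig"])]
    body = {"number": number, "prev_hash": prev_hash, "txs": accepted}
    return {"body": body, "sig": sign("orderer", body)}


class ConfirmationNode:
    """Step 506: a confirmation node (P1 or P2) validates every transaction in
    the block and writes the whole block, each transaction tagged valid or
    invalid, to its own ledger."""

    def __init__(self, name: str, state: dict, required_endorser: str = "P1"):
        self.name = name
        self.state = state  # world state: key -> (version, value)
        self.required_endorser = required_endorser  # constructed endorsement policy
        self.blocks = []
        self.seen_txids = set()

    def last_hash(self) -> str:
        if not self.blocks:
            return "genesis"
        return hashlib.sha256(canonical(self.blocks[-1]["body"])).hexdigest()

    def commit(self, block: dict):
        body = block["body"]
        # Format and signature check on the block as a whole.
        if body.get("prev_hash") != self.last_hash() or not verify("orderer", body, block["sig"]):
            return None
        tags = [self.validate(tx) for tx in body["txs"]]
        self.blocks.append({"body": body, "tags": tags})
        return tags

    def validate(self, tx: dict) -> str:
        payload = tx["payload"]
        # Repeatability check: a txid already on the ledger is a replay.
        if payload["txid"] in self.seen_txids:
            return "invalid:duplicate"
        self.seen_txids.add(payload["txid"])
        # Endorsement signature check against the endorsement policy.
        endorsed = {e["endorser"] for e in tx["endorsements"]
                    if verify(e["endorser"], payload, e["sig"])}
        if self.required_endorser not in endorsed:
            return "invalid:endorsement"
        # Read-write set conflict check: every key the endorser read must still
        # be at the version it saw; otherwise an earlier transaction changed it
        # and this simulation result is stale.
        for key, version in payload["read_set"].items():
            if self.state.get(key, (0, None))[0] != version:
                return "invalid:mvcc_conflict"
        for key, value in payload["write_set"].items():
            self.state[key] = (self.state.get(key, (0, None))[0] + 1, value)
        return "valid"


def demo():
    key = "terminal/imsi-001"
    # Constructed: the operator and AP1 were both endorsed against version 1.
    tx_op = make_transaction("operator", "tx-op-1", {key: 1},
                             {key: {"reputation": "good", "primary_auth": "success"}}, ["P1"])
    tx_ap = make_transaction("AP1", "tx-ap-1", {key: 1},
                             {key: {"reputation": "good", "blacklisted_by": ["AP1"]}}, ["P1"])
    tx_dup = make_transaction("operator", "tx-op-1", {key: 2}, {key: {}}, ["P1"])
    tx_unendorsed = make_transaction("AP1", "tx-ap-2", {key: 2}, {key: {}}, [])
    block = order_block([tx_op, tx_ap, tx_dup, tx_unendorsed], 1, "genesis")
    start = {key: (1, {"reputation": "good"})}
    p1, p2 = ConfirmationNode("P1", dict(start)), ConfirmationNode("P2", dict(start))
    return p1.commit(block), p2.commit(block), p1.state == p2.state


if __name__ == "__main__":
    print(demo())
```

The second transaction is tagged invalid because its read set was endorsed against version 1 while the first transaction already moved the record to version 2; the client must re-propose it, as in step 503.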
The following provides a secondary authentication method based on the above blockchain platform for authentication information sharing; as shown in fig. 6, the method includes:
Step 601, the operator completes primary authentication with the UE, and the AUSF writes the identity authentication result to the blockchain platform;
here, the AUSF provides the UE authentication service for the AMF.
Step 602, the UE initiates a PDU session establishment request to the UPF in order to access the Data Network (DN) of the application provider.
Step 603, the data network obtains the authentication result from the blockchain platform.
Here, unlike the secondary authentication of the related art, the data network does not need to run the EAP procedure; it obtains the authentication result directly from the blockchain platform.
Step 604, if the user is legitimate, the PDU session is established successfully and the user can then access the application service.
In this process, the application provider allows the UE to access the application service according to the result held on the blockchain platform. That result may be a combination of the operator's primary authentication result, hash values of important terminal information and terminal application attributes, and may also include the terminal network reputation and terminal blacklist. Exactly which information is used is set by the application provider and the service provider according to their own needs.
In addition, while the user accesses the application server, the application provider can write the user's behavior to the blockchain platform at any time. Once an attack occurs, the application provider can write this information to the blockchain platform and share it with the mobile operator and other application providers in time, preventing a wider security incident.
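Steps 601 to 604 above, as an added Python example that is not part of the patent: the operator writes an authentication record whose sensitive fields appear only as salted hashes, the data network looks the record up on the ledger instead of running EAP, and then applies the application provider's own policy over the primary authentication result, the blacklists, the reputation and the attributes. The record layout, the policy keys, the out-of-band salt and the sample terminals are constructed assumptions.

```python
import hashlib
import hmac
import json

# Constructed salt. A bare hash of a low-entropy field such as an MSISDN can
# be brute-forced, so the commitment is salted; the salt is assumed to reach
# verifiers out of band and is never written to the ledger.
SALT = b"constructed-demo-salt"


def commit_sensitive(value: str) -> str:
    """Hash of an important terminal field: marks the field on the ledger
    without displaying its original content."""
    return hashlib.sha256(SALT + value.encode()).hexdigest()


def build_auth_record(terminal_id, primary_auth, attributes, reputation, blacklist, sensitive):
    """Step 601: the record the operator (AUSF) writes to the chain after
    primary authentication. Sensitive fields are stored only as hashes."""
    return {"terminal_id": terminal_id, "primary_auth": primary_auth,
            "attributes": attributes, "reputation": reputation, "blacklist": blacklist,
            "sensitive_hashes": {k: commit_sensitive(v) for k, v in sensitive.items()}}


def query_ledger(ledger: dict, terminal_id: str):
    """Step 603: the data network reads the result from the ledger; no EAP run."""
    return ledger.get("terminal/" + terminal_id)


def evaluate_access(record, policy: dict) -> tuple:
    """Step 604: the application provider's own policy over the ledger record.
    Returns (allowed, reason)."""
    if record is None:
        return False, "no authentication result on ledger"
    if record["primary_auth"] != "success":
        return False, "operator primary authentication failed"
    for party in policy.get("honour_blacklists_of", []):
        if party in record["blacklist"]:
            return False, f"blacklisted by {party}"
    for party, rejected in policy.get("reject_reputation", {}).items():
        if record["reputation"].get(party) in rejected:
            return False, f"{party} rates the terminal {record['reputation'][party]}"
    if record["attributes"].get("network_years", 0) < policy.get("min_network_years", 0):
        return False, "network service age below policy minimum"
    return True, "ok"


def verify_sensitive(record: dict, field: str, presented: str) -> bool:
    """Check a value the UE presents during PDU session setup against the
    ledger hash; the ledger itself never exposed the value."""
    expected = record["sensitive_hashes"].get(field)
    return expected is not None and hmac.compare_digest(expected, commit_sensitive(presented))


def demo():
    ledger = {}
    # Constructed sample terminals: clean, operator-blacklisted, failed primary auth.
    samples = [("imsi-001", "success", {"operator": "good"}, []),
               ("imsi-002", "success", {"operator": "good"}, ["operator"]),
               ("imsi-003", "fail", {}, [])]
    for tid, result, reputation, blacklist in samples:
        ledger["terminal/" + tid] = build_auth_record(
            tid, result, {"network_years": 3}, reputation, blacklist,
            {"msisdn": "13800000" + tid[-3:]})
    # The application provider's policy, set according to its own needs.
    policy = {"honour_blacklists_of": ["operator", "AP1"],
              "reject_reputation": {"operator": {"bad"}}, "min_network_years": 1}
    decisions = {tid: evaluate_access(query_ledger(ledger, tid), policy)[0]
                 for tid in ("imsi-001", "imsi-002", "imsi-003", "imsi-999")}
    record = query_ledger(ledger, "imsi-001")
    hash_ok = verify_sensitive(record, "msisdn", "13800000001")
    hash_bad = verify_sensitive(record, "msisdn", "13800000002")
    exposed = "13800000001" in json.dumps(record)  # the MSISDN itself never hits the ledger
    return decisions, hash_ok, hash_bad, exposed


if __name__ == "__main__":
    print(demo())
```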
Furthermore, existing initial authentication is based solely on the user's identity and ignores the user's attributes, behavior and reputation. The blockchain-based authentication system provided by the embodiment of the present invention enables operators to perform fine-grained primary authentication based not only on the user's identity but also on the user's attributes, reputation and even blacklist status; the network and application security protection capability is thus enhanced, and the whole 5G network becomes more secure and intelligent.
Fig. 7 is a schematic structural diagram of an authentication device according to an embodiment of the present invention; as shown in fig. 7, the device is applied to a federal learning platform and comprises:
a first communication module, configured to receive an access request from a terminal;
a first processing module, configured to generate a security authentication request according to the access request,
and to query an authentication platform according to the security authentication request and determine the authentication result of the terminal corresponding to the security authentication request;
wherein the authentication platform is built on a blockchain network that comprises at least one confirmation node; each of the at least one confirmation node stores the same ledger data; and the ledger data is generated based on the security authentication information of one or more servers.
In some embodiments, the first communication module is further configured to send a proposal request to the blockchain network, the proposal request being used to write terminal information to the chain;
and to receive a proposal response from the blockchain network; the proposal response includes at least the read set, which defines the newly added content and/or modified content in the ledger of the endorsement node;
the first processing module is further configured to generate a transaction according to the proposal request and the proposal response;
the first communication module is further configured to send a transaction proposal to the blockchain network; the blockchain network packages the transaction proposal into a block and broadcasts the block to each confirmation node in the blockchain network for storage.
In some embodiments, the server corresponds to one or more endorsement nodes;
when a plurality of endorsement nodes correspond to the server, the first communication module is configured to receive the proposal responses sent by the endorsement nodes;
the first processing module is further configured to determine the read set in the proposal response of each of the plurality of endorsement nodes;
when the content of the plurality of read sets is consistent, to generate a transaction according to the proposal request and the proposal responses;
and when the content of the plurality of read sets is inconsistent, to resend the proposal request until the content of the received read sets is consistent.
In some embodiments, the server is one of: an operator server, an application provider and a service provider;
the terminal information includes at least one of: terminal attribute information, terminal historical network behavior, terminal network reputation, and terminal blacklist.
It should be noted that when the authentication device provided in the above embodiment implements the corresponding authentication method, the division into the above program modules is only illustrative; in practice the processing may be allocated to different program modules as needed, i.e. the internal structure of the federal learning platform may be divided into different program modules to complete all or part of the processing described above. In addition, the device provided in the above embodiment belongs to the same concept as the corresponding method embodiment; its specific implementation is detailed in the method embodiment and is not repeated here.
Fig. 8 is a schematic structural diagram of an authentication platform according to an embodiment of the present invention; as shown in fig. 8, the authentication platform includes:
a second communication module, configured to receive a security authentication request from a server;
a second processing module, configured to query ledger data according to the security authentication request to obtain the authentication result of the terminal corresponding to the security authentication request;
wherein the authentication platform is built on a blockchain network that comprises at least one confirmation node; each of the at least one confirmation node stores the same ledger data; and the ledger data is generated based on the security authentication information of one or more servers.
In some embodiments, the blockchain network includes an endorsement node, an ordering node and a confirmation node;
the endorsement node includes a first sub-communication module and a first sub-processing module;
the ordering node includes a second sub-communication module and a second sub-processing module;
the confirmation node includes a third sub-communication module and a third sub-processing module;
the first sub-communication module of the endorsement node is configured to receive a proposal request from a server, the proposal request being used to write terminal information to the chain;
the first sub-processing module of the endorsement node is configured to generate a read set according to the proposal request and send a proposal response to the server; the proposal response includes at least the read set, which defines the newly added content and/or modified content in the ledger of the endorsement node;
the second sub-communication module of the ordering node is configured to receive a transaction proposal from the server;
the second sub-processing module is configured to package the transaction proposal into a block and broadcast the block to the blockchain network;
and the third sub-communication module of each confirmation node in the blockchain network is configured to receive the block, while the third sub-processing module is configured to write the block into the node's own ledger data.
In some embodiments, the first sub-processing module is configured to verify whether the proposal request meets a preset requirement and, when it does, to invoke the chaincode and query the endorsement node's own ledger, which stores the information of all terminals in the current blockchain network;
to simulate execution of the proposal request and update the ledger according to the proposal request;
and to determine the newly added content and/or modified content in the ledger from the updated ledger and generate the read set from that newly added and/or modified content.
In some embodiments, the server includes at least one of: an operator server, an application provider and a service provider;
the terminal information includes at least one of: terminal attribute information, terminal historical network behavior, terminal network reputation, and terminal blacklist.
It should be noted that when the authentication platform provided in the above embodiment implements the corresponding authentication method, the division into the above program modules is only illustrative; in practice the processing may be allocated to different program modules as needed, i.e. the internal structure of the authentication platform may be divided into different program modules to complete all or part of the processing described above. In addition, the platform provided in the above embodiment belongs to the same concept as the corresponding method embodiment; its specific implementation is detailed in the method embodiment and is not repeated here.
Fig. 9 is a schematic structural diagram of another authentication device according to an embodiment of the present invention; as shown in fig. 9, the authentication device 90 includes a processor 901 and a memory 902 storing a computer program that can run on the processor;
when the authentication device is applied to a server, the processor 901 is configured, when executing the computer program, to: receive an access request from a terminal; generate a security authentication request according to the access request; and query an authentication platform according to the security authentication request to determine the authentication result of the terminal corresponding to the security authentication request; wherein the authentication platform is built on a blockchain network that comprises at least one confirmation node, each of which stores the same ledger data, the ledger data being generated based on the security authentication information of one or more servers. Specifically, the authentication device may also execute the method shown in fig. 2; it belongs to the same concept as the authentication method embodiment shown in fig. 2, and its detailed implementation is described in that method embodiment and is not repeated here.
When the authentication device is applied to an authentication platform, the processor 901 is configured, when executing the computer program, to: receive a security authentication request from a server; and query ledger data according to the security authentication request to obtain the authentication result of the terminal corresponding to the security authentication request; wherein the authentication platform is built on a blockchain network that comprises at least one confirmation node, each of which stores the same ledger data, the ledger data being generated based on the security authentication information of one or more servers. Specifically, the authentication device may also execute the method shown in fig. 3; it belongs to the same concept as the authentication method embodiment shown in fig. 3, and its detailed implementation is described in that method embodiment and is not repeated here.
In practical applications, the authentication device 90 may further include at least one network interface 903. The various components of the authentication device 90 are coupled together by a bus system 904. It is understood that the bus system 904 is used to implement the connection and communication between these components. In addition to a data bus, the bus system 904 includes a power bus, a control bus, and a status signal bus; for clarity of illustration, however, the various buses are all labeled as bus system 904 in fig. 9. The number of processors 901 may be at least one. The network interface 903 is used for wired or wireless communication between the authentication device 90 and other devices.
The memory 902 in an embodiment of the present invention is used to store various types of data to support the operation of the authentication device 90.
The method disclosed in the above embodiment of the present invention may be applied to the processor 901 or implemented by the processor 901. The processor 901 may be an integrated circuit chip with signal processing capabilities. In implementation, the steps of the above method may be performed by integrated logic circuits of hardware in the processor 901 or by instructions in the form of software. The processor 901 may be a general purpose processor, a Digital Signal Processor (DSP), or another programmable logic device, discrete gate or transistor logic device, discrete hardware component, or the like. The processor 901 may implement or perform the methods, steps and logic blocks disclosed in the embodiments of the present invention. The general purpose processor may be a microprocessor or any conventional processor or the like. The steps of the method disclosed in the embodiments of the invention may be directly embodied as being performed by a hardware decoding processor, or by a combination of hardware and software modules in the decoding processor. The software modules may be located in a storage medium in the memory 902; the processor 901 reads the information in the memory 902 and, in combination with its hardware, performs the steps of the method described above.
In an exemplary embodiment, the authentication device 90 may be implemented by one or more Application Specific Integrated Circuits (ASIC), DSPs, Programmable Logic Devices (PLD), Complex Programmable Logic Devices (CPLD), Field-Programmable Gate Arrays (FPGA), general purpose processors, controllers, Micro Controller Units (MCU), microprocessors, or other electronic components for performing the aforementioned methods.
The embodiment of the invention also provides a computer readable storage medium, on which a computer program is stored;
the computer readable storage medium is applied to a server, and the computer program, when executed by a processor, performs: receiving an access request from a terminal; generating a security authentication request according to the access request; querying an authentication platform according to the security authentication request, and determining an authentication result of the terminal corresponding to the security authentication request; the authentication platform is built based on a blockchain network, and the blockchain network comprises at least one confirmation node; each of the at least one confirmation node stores the same ledger data; the ledger data is generated based on security authentication information of one or more servers. Specifically, the computer program may also execute the method shown in fig. 2; it belongs to the same concept as the authentication method embodiment shown in fig. 2, and for its detailed implementation process refer to that method embodiment, which is not repeated here.
The computer readable storage medium is applied to an authentication platform, and the computer program, when executed by a processor, performs: receiving a security authentication request from a server; querying ledger data according to the security authentication request to obtain an authentication result of the terminal corresponding to the security authentication request; the authentication platform is built based on a blockchain network, and the blockchain network comprises at least one confirmation node; each of the at least one confirmation node stores the same ledger data; the ledger data is generated based on security authentication information of one or more servers. Specifically, the computer program may also execute the method shown in fig. 3; it belongs to the same concept as the authentication method embodiment shown in fig. 3, and for its detailed implementation process refer to that method embodiment, which is not repeated here.
In the several embodiments provided in this application, it should be understood that the disclosed apparatus and method may be implemented in other ways. The device embodiments described above are merely illustrative; for example, the division of the units is only one kind of logical function division, and there may be other divisions in practice, such as: multiple units or components may be combined or integrated into another system, or some features may be omitted or not performed. In addition, the coupling, direct coupling, or communicative connection between the components shown or discussed may be implemented through some interfaces, and the indirect coupling or communicative connection between devices or units may be electrical, mechanical, or in other forms.
The units described as separate parts may or may not be physically separate, and the parts displayed as units may or may not be physical units; they may be located in one place or distributed over a plurality of network units. Some or all of the units may be selected according to actual needs to achieve the purpose of the solution of this embodiment.
In addition, each functional unit in each embodiment of the present invention may be integrated in one processing unit, or each unit may be separately used as one unit, or two or more units may be integrated in one unit; the integrated units may be implemented in hardware or in hardware plus software functional units.
Those of ordinary skill in the art will appreciate that all or part of the steps for implementing the above method embodiments may be completed by hardware associated with program instructions; the foregoing program may be stored in a computer readable storage medium and, when executed, performs the steps of the above method embodiments; the aforementioned storage medium includes a mobile storage device, a Read-Only Memory (ROM), a Random Access Memory (RAM), a magnetic disk, an optical disk, or any other medium that can store program code.
Alternatively, if the above integrated units of the present invention are implemented in the form of software functional modules and sold or used as independent products, they may be stored in a computer-readable storage medium. Based on such understanding, the technical solutions of the embodiments of the present invention, in essence or in the part contributing to the prior art, may be embodied in the form of a software product stored in a storage medium, including several instructions for causing a computer device (which may be a personal computer, a server, a network device, or the like) to execute all or part of the methods described in the embodiments of the present invention. The aforementioned storage medium includes a removable storage device, a ROM, a RAM, a magnetic disk, an optical disk, or any other medium capable of storing program code.
It should be noted that: "first," "second," etc. are used to distinguish similar objects and not necessarily to describe a particular order or sequence.
In addition, the embodiments described in the present application may be arbitrarily combined without any collision.
The foregoing is merely illustrative of the present invention, and the present invention is not limited thereto, and any person skilled in the art will readily recognize that variations or substitutions are within the scope of the present invention. Therefore, the protection scope of the present invention shall be subject to the protection scope of the claims.

Claims (12)

1. An authentication method, applied to a server, comprising:
receiving an access request from a terminal;
generating a security authentication request according to the access request;
querying an authentication platform according to the security authentication request, and determining an authentication result of the terminal corresponding to the security authentication request;
the authentication platform is built based on a blockchain network, and the blockchain network comprises at least one confirmation node; each of the at least one confirmation node stores the same ledger data; the ledger data is generated based on security authentication information of one or more servers.
2. The method according to claim 1, wherein the method further comprises:
sending a proposal request to the blockchain network; the proposal request is used for putting terminal information on the chain;
receiving a proposal response from the blockchain network; the proposal response includes at least a reading set; the reading set is used for defining newly added content and/or modified content in the ledger of an endorsement node;
generating a transaction according to the proposal request and the proposal response;
transmitting a transaction proposal to the blockchain network; the blockchain network is used for packaging the transaction proposal into a block and broadcasting the block to each confirmation node in the blockchain network for storage.
3. The method of claim 2, wherein the server corresponds to one or more endorsement nodes;
when the server corresponds to a plurality of endorsement nodes, receiving the proposal response from the blockchain network comprises:
receiving the proposal responses sent by the plurality of endorsement nodes;
determining the reading set in the proposal response of each endorsement node of the plurality of endorsement nodes;
when the content in the plurality of reading sets is consistent, generating a transaction according to the proposal request and the proposal response;
and when the content in the plurality of reading sets is inconsistent, resending the proposal request until the received content in the plurality of reading sets is consistent.
4. The method of claim 2, wherein the server is one of: an operator service end, an application providing end and a service providing end;
the terminal information includes at least one of: terminal attribute information, terminal historical network behavior, terminal network reputation, and terminal blacklist.
5. An authentication method, applied to an authentication platform, the method comprising:
receiving a security authentication request from a server;
querying ledger data according to the security authentication request to obtain an authentication result of the terminal corresponding to the security authentication request;
the authentication platform is built based on a blockchain network, and the blockchain network comprises at least one confirmation node; each of the at least one confirmation node stores the same ledger data; the ledger data is generated based on security authentication information of one or more servers.
6. The method of claim 5, wherein the blockchain network includes: an endorsement node, a sorting node and a confirmation node;
the method further comprises the steps of:
the endorsement node receives a proposal request from a server; the proposal request is used for putting terminal information on the chain;
the endorsement node generates a reading set according to the proposal request and sends a proposal response to the server; the proposal response includes at least the reading set; the reading set is used for defining newly added content and/or modified content in the ledger of the endorsement node;
the ordering node receives a transaction proposal from the server, packages the transaction proposal into a block, and broadcasts the block to the blockchain network;
each confirmation node in the blockchain network receives the block and writes the block into its own ledger data.
7. The method of claim 6, wherein generating a reading set from the proposal request comprises:
verifying whether the proposal request meets preset requirements, and, when the proposal request meets the preset requirements, calling a chaincode and querying the ledger; the ledger stores information of all terminals in the current blockchain network;
simulating execution of the proposal request, and updating the ledger according to the proposal request;
and determining newly added content and/or modified content in the ledger according to the updated ledger, and generating the reading set according to the newly added content and/or modified content.
8. The method of claim 6, wherein the server comprises at least one of: an operator, an application providing end and a service providing end;
the terminal information includes at least one of: terminal attribute information, terminal historical network behavior, terminal network reputation, and terminal blacklist.
9. An authentication device, for application to a server, the device comprising:
a first communication module, used for receiving an access request from a terminal;
a first processing module, used for generating a security authentication request according to the access request;
querying an authentication platform according to the security authentication request, and determining an authentication result of the terminal corresponding to the security authentication request;
the authentication platform is built based on a blockchain network, and the blockchain network comprises at least one confirmation node; each of the at least one confirmation node stores the same ledger data; the ledger data is generated based on security authentication information of one or more servers.
10. An authentication platform, the authentication platform comprising:
a second communication module, used for receiving a security authentication request from a server;
a second processing module, used for querying ledger data according to the security authentication request to obtain an authentication result of the terminal corresponding to the security authentication request;
the authentication platform is built based on a blockchain network, and the blockchain network comprises at least one confirmation node; each of the at least one confirmation node stores the same ledger data; the ledger data is generated based on security authentication information of one or more servers.
11. An authentication device comprising a memory, a processor and a computer program stored on the memory and executable on the processor, characterized in that the processor implements the steps of the method of any one of claims 1 to 4 when the program is executed; alternatively, the processor, when executing the program, implements the steps of the method of any one of claims 5 to 8.
12. A computer readable storage medium having stored thereon a computer program, characterized in that the computer program when executed by a processor realizes the steps of the method according to any of claims 1 to 4; alternatively, the computer program, when executed by a processor, implements the steps of the method of any of claims 5 to 8.
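The endorsement, ordering and query flow of claims 2, 3 and 5 to 7, as an added Python model that is not part of the patent or of any real blockchain implementation: each endorsement node validates and simulates the proposal and returns a reading set, the server resends until every endorsement node returns the same reading set (claim 3), the block is written to every confirmation node's ledger, and the authentication result is then read from that ledger (claim 5). The node names, the ALLOWED_SERVERS set, the ledger layout, the blacklist-based result and the way a lagging endorsement node is simulated are all assumptions.

```python
import hashlib
import json
from dataclasses import dataclass

# Constructed sample value (not from the patent): servers allowed to propose.
ALLOWED_SERVERS = {"operator-1", "app-provider-1", "service-provider-1"}


@dataclass
class Endorser:
    """Endorsement node (claims 6-7) holding its own copy of the ledger."""
    name: str
    ledger: dict           # terminal_id -> terminal info
    stale_rounds: int = 0  # >0 models a lagging copy for that many proposals

    def endorse(self, proposal):
        # Claim 7: verify preset requirements (known server, terminal id given).
        if proposal.get("server") not in ALLOWED_SERVERS or "terminal_id" not in proposal:
            return None
        tid = proposal["terminal_id"]
        before = dict(self.ledger.get(tid, {}))
        if self.stale_rounds > 0:  # lagging copy already contains the update
            self.stale_rounds -= 1
            before.update(proposal["terminal_info"])
        # Claim 7: simulate execution, then collect new or modified content.
        after = {**before, **proposal["terminal_info"]}
        changed = {k: v for k, v in after.items() if before.get(k) != v}
        read_set = frozenset((tid, k, json.dumps(v)) for k, v in changed.items())
        return {"endorser": self.name, "read_set": read_set}


def send_proposal(server, terminal_id, terminal_info, endorsers, max_attempts=3):
    """Claims 2-3: resend until every endorsement node returns the same reading set."""
    proposal = {"server": server, "terminal_id": terminal_id, "terminal_info": terminal_info}
    for attempt in range(1, max_attempts + 1):
        responses = [e.endorse(proposal) for e in endorsers]
        if any(r is None for r in responses):
            raise ValueError("proposal rejected by an endorsement node")
        if len({r["read_set"] for r in responses}) == 1:
            # Consistent: the transaction is built from proposal plus responses.
            return {"proposal": proposal, "read_set": sorted(responses[0]["read_set"]),
                    "endorsers": [r["endorser"] for r in responses]}, attempt
    raise RuntimeError("endorsement nodes never agreed on the reading set")


def order_and_commit(transaction, ledgers):
    """Claim 6: the ordering node packages a block; each confirmation node writes it."""
    payload = json.dumps(transaction, sort_keys=True).encode()
    block = {"hash": hashlib.sha256(payload).hexdigest(), "tx": transaction}
    for ledger in ledgers:
        for tid, key, value in transaction["read_set"]:
            ledger.setdefault(tid, {})[key] = json.loads(value)
    return block


def authenticate(ledger, terminal_id):
    """Claim 5: derive the terminal's authentication result from ledger data."""
    info = ledger.get(terminal_id)
    if info is None:
        return "unknown"
    return "deny" if info.get("blacklisted") else "allow"
```

A proposal that lands while one endorsement node lags is rejected on the first round and accepted on the second, which is the retry loop of claim 3 made visible.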
CN202111528311.1A 2021-12-14 2021-12-14 Authentication method, authentication device, authentication platform and storage medium Pending CN116264691A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202111528311.1A CN116264691A (en) 2021-12-14 2021-12-14 Authentication method, authentication device, authentication platform and storage medium


Publications (1)

Publication Number Publication Date
CN116264691A true CN116264691A (en) 2023-06-16

Family

ID=86722302


Country Status (1)

Country Link
CN (1) CN116264691A (en)


Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination