WO2018214133A1 - Method, device and system for fido authentication based on blockchain - Google Patents

Method, device and system for fido authentication based on blockchain Download PDF

Info

Publication number
WO2018214133A1
WO2018214133A1 PCT/CN2017/086029 CN2017086029W WO2018214133A1 WO 2018214133 A1 WO2018214133 A1 WO 2018214133A1 CN 2017086029 W CN2017086029 W CN 2017086029W WO 2018214133 A1 WO2018214133 A1 WO 2018214133A1
Authority
WO
WIPO (PCT)
Prior art keywords
authentication
transaction
user equipment
blockchain
user
Prior art date
Application number
PCT/CN2017/086029
Other languages
French (fr)
Chinese (zh)
Inventor
***
谢辉
Original Assignee
深圳前海达闼云端智能科技有限公司
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by 深圳前海达闼云端智能科技有限公司 filed Critical 深圳前海达闼云端智能科技有限公司
Priority to CN201780002556.6A priority Critical patent/CN108064440B/en
Priority to PCT/CN2017/086029 priority patent/WO2018214133A1/en
Publication of WO2018214133A1 publication Critical patent/WO2018214133A1/en

Links

Images

Classifications

    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/08Network architectures or network communication protocols for network security for authentication of entities
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/32Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L9/3247Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving digital signatures

Definitions

  • the present disclosure relates to the field of information security, and in particular, to a blockchain-based FIDO authentication method, apparatus, and system.
  • the FIDO (Fast Identity Online) standard is an open standard protocol proposed by the FIDO Alliance to provide an online authentication with high security, cross-platform compatibility, excellent user experience and user privacy protection.
  • Technology Architecture The FIDO standard accomplishes user authentication by integrating biometrics and asymmetric encryption to try to end the years when users have to remember and use a large number of complex passwords.
  • Two authentication protocols are proposed in the current FIDO standard: U2F (Universal 2nd Factor Protocol) and UAF (Universal Authentication Framework).
  • U2F is based on the compatibility of existing password verification system.
  • the verification device is called a U2F device, for example, a second generation U shield.
  • the user name and password are first used to log in to the website or service, and then the U2F device is accessed when there is a high security requirement (such as transaction confirmation). And confirm this authentication operation, you can complete the user strong authentication and improve transaction security.
  • U2F devices users no longer need to memorize a large number of complex passwords. Traditional passwords are mainly used for user logins. They do not determine the security of transactions. Even users who use only 4 simple passwords will not affect the final transaction security. Not only that, but the U2F protocol also supports a single U2F authentication device for strong security authentication services for multiple websites or services.
  • UAF fully absorbs the new technology of mobile smart devices and is more in line with the habits of mobile users.
  • the smart device uses biometric technology (such as fingerprint recognition, facial recognition, iris recognition, etc.) to obtain user authorization, and then generates encrypted authentication data for the background server to perform user authentication operation through asymmetric encryption technology.
  • biometric technology such as fingerprint recognition, facial recognition, iris recognition, etc.
  • the entire process can be completely free of passwords, and the "terminal password" is realized in the true sense.
  • the transaction is in UAF-based authentication When you just need to swipe your fingerprint, or say a word, or simply look at the camera, you can complete user login, transaction confirmation or other strong authentication operations.
  • the current FIDO architecture is a C/S (Client/Server, client/server) architecture, in which the server side adopts a centralized architecture, and privacy information related to identity authentication, such as the user's public key, registration information, etc. are stored in FIDO.
  • identity authentication such as the user's public key, registration information, etc.
  • An object of the present disclosure is to provide a blockchain-based FIDO authentication method, apparatus, and system, which can solve the problem that the existing FIDO server centralized deployment mode is vulnerable to information leakage, tampering, or system failure.
  • the present disclosure provides a blockchain-based FIDO authentication method, which is applied to an online fast identity authentication FIDO server, and the method includes:
  • FIDO server is a FIDO server corresponding to the first application service, where the FIDO server is a node in a blockchain network;
  • an authentication response sent by the user equipment where the authentication response includes a challenge value signature
  • the challenge value signature is obtained by the user equipment signing the challenge value by using an authentication private key.
  • the authentication private key corresponds to the first user and the first application service;
  • a transaction authentication response sent by the user equipment where the transaction authentication response includes a hash value of the transaction information and a signature of the hash value, and the signature of the hash value is
  • the user equipment is obtained by signing the hash value with the authentication private key
  • the signature of the hash value in the authentication response is verified using the authentication public key.
  • the method further includes:
  • the user equipment performs a key pair generated by the registration of the first user by using an authenticator that meets the verification policy, and the signature of the authentication public key is an authentication private key of the user equipment using the authenticator. Signing the authentication public key;
  • the authentication public key is stored in the blockchain.
  • the method further includes:
  • the user information is set to invalid data, wherein the user information includes: an authentication public key of the specified user, and a corresponding relationship between the authentication public key of the specified user and the specified user and the first application service.
  • the method further includes:
  • the FIDO server initiates a first transaction for authenticator management in the blockchain, the first transaction including an account of the FIDO server, an account of the smart contract, a management operation to be performed, and a signature of the first transaction, the signature of the first transaction is obtained by the FIDO server signing the first transaction by using a private key of the FIDO server, and the FIDO server is recorded in the smart contract Operational authority of the account;
  • the first transaction is used to perform the management operation to be performed in the blockchain by using the smart contract, and the management operation to be performed includes: adding authenticator information, modifying authenticator information, or deleting an authenticator information.
  • the present disclosure further provides a blockchain-based FIDO authentication apparatus, which is applied to an online fast identity authentication FIDO server, and the apparatus includes:
  • a receiving module configured to receive, by using the first application service, a first user-based initialization authentication request sent by the user equipment, where the FIDO server is a FIDO server corresponding to the first application service, where the FIDO server is in a blockchain network a node;
  • An authentication response module configured to send an authentication request to the user equipment, where the authentication request includes a challenge value, in response to the initial authentication request;
  • the receiving module is further configured to receive, by using the first application service, an authentication response sent by the user equipment, where the authentication response includes a challenge value signature, where the challenge value signature is that the user equipment uses an authentication private key pair The challenge value is obtained by signature, and the authentication private key corresponds to the first user and the first application service;
  • a reading module configured to acquire, from the blockchain, an authentication public key corresponding to the authentication private key
  • An authentication module configured to verify, by using the authentication public key, the challenge value signature in the authentication response
  • the receiving module is further configured to receive, by using the first application service, an initializing transaction request that is sent by the user equipment based on the first user;
  • a transaction response module configured to send a transaction authentication request to the user equipment in response to the initializing transaction request, where the transaction authentication request includes transaction information
  • the receiving module is further configured to receive, by using the first application service, a transaction authentication response sent by the user equipment, where the transaction authentication response includes a hash value of the transaction information and a signature of the hash value,
  • the signature of the hash value is obtained by the user equipment by using the authentication private key to sign the hash value;
  • the reading module is further configured to obtain the authentication public key from the blockchain;
  • a transaction verification module configured to verify, by using the authentication public key, a signature of the hash value in the authentication response.
  • the device further includes: a registration response module, a secret key verification module, and a storage module;
  • the receiving module is configured to: before receiving, by the first application service, an initial authentication request sent by the user equipment, or before receiving, by the first application service, the first user that is sent by the user equipment Receiving, by the first application service, an initialization registration request sent by the user equipment, before initializing the transaction request;
  • the registration response module is configured to send a registration request to the user equipment in response to the initial registration request, where the registration request includes an authentication policy, where the verification policy includes an authentication method supported by the first application service. And the type of authenticator;
  • the receiving module is further configured to receive, by using the first application service, a registration response sent by the user equipment, where the registration response includes the authentication public key, and a signature of the authentication public key, where the authentication public
  • the key and the authentication private key are key pairs generated by the user equipment after the registration of the first user by the authenticator conforming to the verification policy, and the signature of the authentication public key is the user equipment utilization Declaring the authentication private key of the authenticator to sign the authentication public key;
  • the reading module is further configured to obtain an authentication public key of the authenticator from the blockchain;
  • the secret key verification module is configured to verify, by using the authentication public key, a signature of the authentication public key in the authentication response;
  • the storage module is configured to store the authentication public key in the blockchain when the signature of the authentication public key is verified.
  • the device further includes: a logout module
  • the receiving module is configured to receive, by using the first application service, an initial sent by the user equipment Initialize the logout request;
  • the logout module is configured to, in response to the initializing the logout request, write data to the blockchain for setting user information of the specified user to be invalid, wherein the user information includes: the specified user And a corresponding relationship between the authentication public key of the specified user and the specified user and the first application service.
  • the device further includes: an authenticator management module, configured to:
  • the FIDO server initiates a first transaction for authenticator management in the blockchain, the first transaction including an account of the FIDO server, an account of a smart contract, a management operation to be performed, and the a signature of the first transaction, the signature of the first transaction is obtained by the FIDO server using the private key of the FIDO server to sign the first transaction, and the account of the FIDO server is recorded in the smart contract Operational authority;
  • the first transaction is used to perform the management operation to be performed in the blockchain by using the smart contract, and the management operation to be performed includes: adding authenticator information, modifying authenticator information, or deleting an authenticator information.
  • the present disclosure also provides a blockchain-based FIDO system, the system comprising: at least one user equipment, at least one online fast identity authentication FIDO server, and a blockchain system, the blockchain system Including blockchain networks and blockchains;
  • each of the FIDO servers includes the blockchain-based FIDO authentication device of the second aspect, each of the FIDO servers being a node in the blockchain network, and each of the FIDO servers corresponds to One or more application services.
  • the present disclosure also provides a computer readable storage medium having stored thereon a computer program, the computer program being executed by a processor to implement the steps of the method of the first aspect.
  • the present disclosure further provides an electronic device, including:
  • One or more processors for executing a computer program in the computer readable storage medium.
  • the blockchain-based FIDO authentication method, device, and system provided by the present disclosure, after receiving the initial authentication request sent by the user equipment by using the first application service, the FIDO server sends an authentication request to the user equipment, where the authentication request includes a challenge value, The user device utilizes the authentication private key for the pick After the battle value is signed, the FIDO server receives the authentication response sent by the user equipment by using the first application service, where the authentication response includes the challenge value signature, and then the FIDO obtains the authentication public key corresponding to the authentication private key from the blockchain, and uses the authentication public key. The authentication public key verifies the challenge value signature in the authentication response.
  • the present disclosure replaces the database in the original FIDO server with a blockchain, so that the FIDO server is used as a node in the blockchain, and related user information such as the authentication public key is stored in the blockchain,
  • the blockchain has the characteristics of being non-tamperable, unforgeable, and traceable, thus improving the security of user storage.
  • the blockchain network is based on P2P (Peer to Peer), it is a distributed network.
  • the FIDO server may be any node in the entire network, thus reducing the possibility of the FIDO server being attacked. Therefore, it can solve the problem that the existing FIDO system is vulnerable to information leakage, tampering or system failure, and can improve the security of the FIDO system.
  • FIG. 1 is a flowchart of a blockchain-based FIDO authentication method according to an exemplary embodiment of the present disclosure
  • FIG. 2 is a flowchart of another blockchain-based FIDO authentication method according to an exemplary embodiment of the present disclosure
  • FIG. 3 is a flowchart of still another blockchain-based FIDO authentication method according to an exemplary embodiment of the present disclosure
  • FIG. 4 is a flowchart of still another blockchain-based FIDO authentication method according to an exemplary embodiment of the present disclosure
  • FIG. 5 is a block diagram of a blockchain-based FIDO authentication apparatus according to an exemplary embodiment of the present disclosure
  • FIG. 6 is a block diagram of another blockchain-based FIDO authentication apparatus according to an exemplary embodiment of the present disclosure.
  • FIG. 7 is a block diagram of still another blockchain-based FIDO authentication apparatus according to an exemplary embodiment of the present disclosure.
  • FIG. 8 is a block diagram of still another blockchain-based FIDO authentication apparatus according to an exemplary embodiment of the present disclosure.
  • FIG. 9 is a block diagram of still another blockchain-based FIDO authentication apparatus according to an exemplary embodiment of the present disclosure.
  • FIG. 10 is a structural diagram of a blockchain-based FIDO system according to an exemplary embodiment of the present disclosure.
  • FIG. 11 is a structural diagram of another blockchain-based FIDO system according to an exemplary embodiment of the present disclosure.
  • FIG. 12 is a structural diagram of still another blockchain-based FIDO system according to an exemplary embodiment of the present disclosure.
  • FIG. 13 is a structural diagram of still another blockchain-based FIDO system according to an exemplary embodiment of the present disclosure.
  • FIG. 14 is a block diagram of an electronic device, according to an exemplary embodiment.
  • the blockchain is introduced, and the blockchain is decentralized by all the nodes in the blockchain network.
  • a distributed database system consisting of a series of cryptographically generated data blocks, each of which is a block in a blockchain. According to the order of the generation time, the blocks are linked together in an orderly manner to form a data chain, which is aptly called a blockchain.
  • a node in a blockchain network may be referred to as a blockchain node, wherein the blockchain network is based on a P2P network, and each P2P network node participating in the transaction and block storage, verification, and forwarding is a node in a blockchain network.
  • the FIDO server involved in various embodiments of the present disclosure is any node in the blockchain network.
  • the user identity in the blockchain is represented by a public key, and the public key and the private key are paired.
  • the private key corresponding to the public key is mastered by the user and not posted to the network, and the public key can pass a specific hash and After encoding, it becomes an "address".
  • the "address" can be understood as an account, representing its corresponding user, and can be freely published in the blockchain network.
  • the private key of the FIDO server is used on any of the nodes in the blockchain network, and the node can act as a FIDO server.
  • each node participating in the calculation has the same authority (decentralized, no trust), including transactions, calculation blocks (commonly known as mining, ie mining) And other core functions.
  • the transaction representative will be written into the block data, and the block (Block) adopts a specific generation mechanism to ensure that the longest chain (the longest chain contains the most relevant blocks) is the effective chain.
  • the data of the transaction usually includes a certain attribute or currency, such as the digital signature of the transaction owner (ie, the owner's private key encrypts the transaction, usually called digital signature), the account address of the transaction recipient Etc., after the transaction passes the verification of the owner's digital signature and is written into the block, the ownership of the currency is transferred to the recipient.
  • the process of writing blocks to the data of the blockchain is performed by the blockchain node by writing a transaction to the blockchain network to write data to the blockchain.
  • the transaction includes: the blockchain node performs a digital signature on the generated transaction data packet according to a preset transaction data format, and uses the private key of the blockchain node to perform the digital signature on the transaction data packet, and the digital signature is used to prove the The identity of the user of the blockchain node.
  • the transaction is then recorded by the “miners” in the blockchain network (ie, the blockchain nodes that perform the PoW consensus competition mechanism) into the new blocks generated in the blockchain, and the transaction is posted to the blockchain network.
  • the transaction is verified by other blockchain nodes (other nodes can obtain the public key of the blockchain node from the transaction generated by the blockchain node, and sign the digital signature according to the public key of the blockchain node Verification, in addition to verifying the digital signature, can verify that the transaction packet is the specified data structure) and the transaction is written to the blockchain.
  • other nodes can obtain the public key of the blockchain node from the transaction generated by the blockchain node, and sign the digital signature according to the public key of the blockchain node Verification, in addition to verifying the digital signature, can verify that the transaction packet is the specified data structure) and the transaction is written to the blockchain.
  • the new block in the blockchain is implemented by the above-mentioned “miners” to implement the PoW consensus competition mechanism (this mechanism can be understood as: each “miner” according to the preset technical requirements of the block, for example, according to the preset random number requirement
  • This mechanism can be understood as: each “miner” according to the preset technical requirements of the block, for example, according to the preset random number requirement
  • To jointly calculate the random number which "miner” first calculates the random number that meets the requirements of the random number, and the block produced by the "miner” is periodically generated as the new block, thus generating a new area.
  • the time interval of the block is usually related to the above-mentioned preset technical requirements, and the time interval at which the blockchain generates a new block can be changed by setting different preset technical requirements.
  • the process of writing data (such as storing user information, storing a public key of a user or an authenticator) into a blockchain may employ the above process.
  • the FIDO system adopts a C/S (Client/Sever, client/server) architecture, which mainly includes: a user device (User Device) and a trusted party (Relying) Party) and the blockchain network, the user equipment includes a FIDO client, mainly including an operating system of the user equipment, for example, Windows, MacOS, iOS, Android, etc., and the user equipment also includes a FIDO authenticator (Authenticator) (hereinafter referred to as the authenticator), the type of the authenticator includes but is not limited to: fingerprint, voiceprint, iris, face recognition, the user equipment also includes a user agent (User Agent), such as a browser, or an app (application)
  • the trusted party includes an application service and a FIDO server corresponding to the application service, and the user equipment can interact with the application service through the user agent, thereby implementing interaction with the FIDO server.
  • the FIDO server is a node in
  • FIG. 1 is a flowchart of a blockchain-based FIDO authentication method, which is applied to a FIDO server, as shown in FIG. 1, according to an exemplary embodiment of the present disclosure, the method includes:
  • Step 101 Receive, by using the first application service, a first user initialization authentication request sent by the user equipment, where the FIDO server is a FIDO server corresponding to the first application service, and the FIDO server is a node in the blockchain network.
  • the first application service may be any type of application service, such as a web application.
  • the user identity of the user equipment needs to be authenticated first, and therefore, an application service for identity authentication is required.
  • the user equipment can initiate an authentication process to the FIDO server.
  • the user equipment can be authenticated by the user agent, for example, by logging in to the first application on the browser of the user equipment.
  • the user device When the service-related page is authenticated by using the first application service-related App (application), the user device sends an Initial Authentication Request (Initiate Authentication) to the first application service by using the user agent, and the first application service will The received initialization authentication request is transparently transmitted to its corresponding FIDO server (actually the application server (App Sever) of the first application service is transmitted to FIDO). The server's), so that the FIDO server can receive an initial authentication request sent by the user equipment through the first application service.
  • an Initial Authentication Request Initiate Authentication
  • Step 102 Send an authentication request to the user equipment, where the authentication request includes a challenge value, in response to the initial authentication request.
  • the FIDO server After the FIDO server receives the initialization authentication request, the FIDO server sends an authentication request including a challenge to the user equipment, and the authentication request is actually sent to the FIDO client of the user equipment.
  • Step 103 Receive, by using the first application service, an authentication response sent by the user equipment, where the authentication response includes a challenge value signature, where the challenge value signature is obtained by the user equipment using the authentication private key to sign the challenge value, and the authentication is performed.
  • the private key corresponds to the user of the user equipment and the first application service.
  • the user equipment When the user equipment receives the authentication request from the FIDO server, the user equipment (the FIDO client in the user equipment) authenticates the first user using the user equipment through an authenticator (Authenticator) on the user equipment, and the verification manner includes: Fingerprint, iris, face recognition, voiceprint, password, etc., when the user passes the verification, unlock the authentication private key stored in the authenticator, wherein the authentication private key and its corresponding authentication public key are at the first
  • the key pair generated when the user registers with the first application service can become an authentication key (Authentication Keys).
  • the FIDO server when the user equipment initiates the authentication process, the FIDO server is informed of the information of the first user of the user equipment, such as the username of the first user, so that the FIDO server sends an authentication request to the user equipment, and the authentication request is sent.
  • the user name and the AppID (application identifier) of the first application service may be included, and after the key pair is generated, a binding relationship may be established with the user name and the first application service, so that the key pair and the first user And corresponding to the first application service, so that when the first user passes the verification, the authentication private key corresponding to the first user and the first application service can be unlocked.
  • the authentication request sent to the user equipment in step 102 may further include a verification policy, where the authentication method may be specified (such as allowing fingerprint or iris), and the supported/unsupported authenticator may be specified.
  • the authentication method may be specified (such as allowing fingerprint or iris), and the supported/unsupported authenticator may be specified.
  • Type for example, support/non-support for certain certifiers specified by the manufacturer, or support/non-support for certain certifiers that are specified by the manufacturer and whose ID meets certain requirements
  • key protection methods such as encryption algorithms used
  • the user equipment uses the above-mentioned unlocked authentication private key to sign the challenge value to obtain the challenge value signature, and sends the authentication response to the FIDO server, thereby The FIDO server gets an authentication response with a challenge value signature.
  • Step 104 Obtain an authentication public key corresponding to the authentication private key from the blockchain.
  • Step 105 Verify the challenge value signature in the authentication response by using the authentication public key.
  • the FIDO server may read the authentication public key corresponding to the first user and the first application service from the blockchain, thereby finding the authentication public key corresponding to the authentication private key.
  • the challenge value signature in the authentication response is then verified using the authentication public key. After the challenge value signature is verified, the first user of the user equipment passes the authentication.
  • the present disclosure replaces the database in the original FIDO server with a blockchain, so that the FIDO server is used as a node in the blockchain, and related user information such as the authentication public key is stored in the blockchain,
  • the blockchain has the characteristics of being non-tamperable, unforgeable, and traceable, thus improving the security of user storage.
  • the blockchain network is based on a P2P network, the FIDO server may be any node in the entire network, thus reducing the possibility of the FIDO server being attacked. Therefore, it can solve the problem that the existing FIDO system is vulnerable to information leakage, tampering or system failure, and improve the security of the FIDO system.
  • FIG. 2 A flowchart of another blockchain-based FIDO authentication method, which is applied to a FIDO server, as shown in FIG. 2, according to an exemplary embodiment of the present disclosure, the method includes:
  • Step 106 Receive, by the first application service, an initial transaction request sent by the user equipment based on the first user.
  • the user agent can send an Initialization Transaction request to the FIDO through the user agent, and the FIDO server receives the initial transaction request in the same manner as that shown in step 101, and also passes the first
  • the application service receives the initial transaction request sent by the user equipment, and transparently transmits the request to the FIDO server. For details, refer to step 101.
  • Step 107 In response to the initializing the transaction request, send a transaction authentication request to the user equipment, where the transaction authentication request includes transaction information.
  • the FIDO server After receiving the initial transaction request, the FIDO server sends the transaction information (ie, the transaction text, which may also be referred to as a transaction text) to the user equipment, and the transaction information may include, for example, the transaction amount, and may also include other related items such as the transaction object. information.
  • the user equipment After receiving the transaction authentication request, the user equipment can obtain the transaction information. Then, the user equipment (of the FIDO client) authenticates the first user using the user equipment through the authenticator on the user equipment, and the verification method is the same as that described in step 103.
  • the transaction authentication request sent to the user equipment in step 107 may also include a verification policy (Policy), which is used in the verification policy shown in step 103, and is also used to specify the verification mode, support/non-support.
  • Policy verification policy
  • the authenticator and the key protection mode after the user equipment receives the authentication request, first select an authenticator that conforms to the verification policy according to the verification policy, and then use the authenticator to perform the user verification.
  • the transaction authentication request sent to the user equipment in step 107 may further include a challenge value, which has the same function as the challenge value sent to the user equipment in step 102, and the user equipment may receive the transaction authentication request after receiving the transaction authentication request.
  • the challenge value may be signed by using the authentication private key of the user equipment, and the challenge value signature is sent to the FIDO server through the transaction authentication response together with the hash value of the transaction information and the signature of the hash value, so that the FIDO server receives
  • the challenge value signature is verified using the authentication public key after the transaction authentication response.
  • Step 108 Receive, by using the first application service, a transaction authentication response sent by the user equipment, where the transaction authentication response includes a hash value of the transaction information and a signature of the hash value, where the signature of the hash value is the user equipment
  • the hash value is signed with the authentication private key.
  • the user equipment can unlock the authentication private key stored in the authenticator, and then display the transaction information to the first user, and the user confirms that the transaction information is correct.
  • the hash value of the transaction information is calculated, and the hash value is performed with the authenticated private key that has been unlocked. Sign the signature to get the signature of the hash value.
  • the transaction authentication response is then sent to the FIDO server, and the FIDO server can receive the transaction authentication response sent by the user equipment through the first application service.
  • the authentication private key is the authentication private key described in step 103, and the generating method can refer to the step. Step 103, and the method shown in FIG.
  • Step 109 Acquire the authentication public key from the blockchain.
  • Step 110 Verify the signature of the hash value in the authentication response by using the authentication public key.
  • the FIDO server may read the authentication public key corresponding to the first user and the first application service from the blockchain, thereby finding the authentication public key corresponding to the authentication private key. And then using the authentication public key to verify the signature of the hash value in the authentication response. When the signature of the hash value is verified, it can be stated that the hash value in the received transaction authentication response is legally valid, and thus the current transaction passes the authentication.
  • the authentication process shown in steps 101 to 105 may not be performed, and the transaction authentication shown in step 106 to step 110 may be directly performed.
  • Process For example, in some scenarios, you need to log in to the user before you can perform the payment operation. In this scenario, you can perform the authentication process shown in steps 101 to 105 to log in to the user, and then execute the payment/transfer behavior.
  • the transaction authentication process shown in steps 106 to 110 is completed to complete the transaction. However, in a certain scenario, the payment/transfer behavior can be directly performed without performing user login. At this time, the transaction authentication process shown in steps 106 to 110 can be directly performed to complete the transaction.
  • FIG. 3 is a flowchart of still another blockchain-based FIDO authentication method according to an exemplary embodiment of the present disclosure. The method is applied to a FIDO server, and the method is implemented in FIG. 1 or Before the method shown in Figure 2, as shown in Figure 3, the method includes:
  • Step 111 Receive an initial registration request sent by the user equipment by using the first application service.
  • the user agent may send an initial registration request (FI) to the FIDO, and the FIDO server receives the initial registration request in the same manner as that shown in step 101.
  • the application service receives the initial registration request sent by the user equipment, and transparently transmits the request to the FIDO server. For details, refer to step 101.
  • Step 112 In response to the initial registration request, send a registration request to the user equipment, where the registration request includes an authentication policy, where the verification policy includes a verification party supported by the first application service. Type and authenticator type.
  • the verification policy may specify the authentication mode that is allowed to be used (such as allowing fingerprints or irises), the type of authenticator supported/unsupported (for example, support/non-support for certain certified vendors, or support/no) Supporting certain certifiers that are produced by the manufacturer and having IDs that meet certain requirements, and key protection methods (such as encryption algorithms used).
  • the user equipment receives the registration request, it first selects the verification according to the verification policy.
  • the authenticator of the policy and then use the authenticator to receive the authentication information input by the user for the first time. For example, when the user registers, the authenticator needs to receive the fingerprint, iris, face or voiceprint input by the user for the first time and store it for subsequent authentication. The basis for identity authentication in the process.
  • Step 113 Receive, by using the first application service, a registration response sent by the user equipment, where the registration response includes the authentication public key and a signature of the authentication public key.
  • the authentication public key and the authentication private key are key pairs generated after the user equipment performs registration of the first user by using an authenticator that conforms to the verification policy, and the signature of the authentication public key is that the user equipment uses the authenticator.
  • the authentication private key is obtained by signing the authentication public key.
  • the authentication public key including the foregoing may be generated for the first user according to a preset algorithm built in the authenticator or according to a preset algorithm specified in the verification policy. And the key pair that authenticates the private key.
  • the FIDO server may be notified of the user information of the user equipment that is to be registered, for example, the user name of the first user is set, so the FIDO server registers the request when sending the registration request to the user equipment.
  • the user name and the AppID of the first application service may be further included, and after the key pair is generated, a binding relationship may be established with the user name and the first application service, so that the key pair is associated with the first user and the first application. Service correspondence.
  • the user equipment signs the authentication public key using an authentication key (Attestation Key) built in the authenticator, obtains the signature of the authentication public key, and then the authentication public key
  • the signature is sent to the FIDO server through the registration response, and then the FIDO server can receive the registration response through the first application service, and obtain the signature of the authentication public key contained therein, and then the FIDO server can perform step 114.
  • the registration request sent to the user equipment in step 112 may further include a challenge value, which has the same function as the challenge value sent to the user equipment in step 102.
  • the user equipment may The challenge value is combined with the prescribed information to perform certain calculations. And calculating the calculated value obtained by using the authentication private key of the authenticator, and then sending the signature of the calculated value to the FIDO server through the registration response together with the signature of the authentication public key, so that the FIDO server receives the registration. After the response, the signature of the calculated value is verified by the authenticator of the authenticator.
  • Step 114 Obtain an authentication public key of the authenticator from the blockchain.
  • Step 115 Verify the signature of the authentication public key in the authentication response by using the authentication public key.
  • the FIDO server may read the authentication public key matching the authentication private key from the blockchain, and then verify the signature of the authentication public key by using the authentication public key.
  • the authentication public key is pre-configured and stored in the blockchain.
  • two management and maintenance modes can be adopted: first, the authenticator is given in the blockchain.
  • the manufacturer opens the management authority, and the authentication device directly adds or modifies/deletes the authentication key of the authenticator to the blockchain, which can be understood as adding the node of the authenticator manufacturer in the blockchain network, and for the node
  • the account used is open to add, modify/delete the authentication key of the authenticator to the blockchain; the second opens the administrative authority to the account used by the FIDO server, thereby allowing the FIDO server to add and modify the blockchain. / Delete the authentication key of the authenticator.
  • the authentication keys in the blockchain can be managed by using smart contracts on the blockchain.
  • smart contracts different accounts can be used. Permissions are restricted and set, for example, the FIDO server has the authority to add/modify/deregister users, and the authority to add/modify/delete the authenticator authentication key.
  • the authenticator only has the Add/Modify/Delete Authenticator The right of the right key.
  • the FIDO server is taken as an example to describe the maintenance process of the authenticator information in the blockchain:
  • the FIDO server initiates a first transaction (Transaction) for authenticator management in the blockchain, the first transaction including an account of the FIDO server, an account of the smart contract, a management operation to be performed, and the The signature of the first transaction.
  • the signature of the first transaction is obtained by the FIDO server signing the first transaction by using the private key of the FIDO server, and the operation authority of the account of the FIDO server is recorded in the smart contract.
  • the first transaction is for performing the management operation to be performed in the blockchain by using the smart contract, wherein the management operation to be performed You can add authenticator information, modify authenticator information, or delete authenticator information.
  • the Authenticator information in addition to the above-mentioned authenticator authentication key, may further include: an Authenticator Attestation ID (AAID), an authenticator version, a public key encoding type, a cryptographic algorithm supported by the authenticator, and authentication.
  • AAID Authenticator Attestation ID
  • Information such as the certificate, that is, the FIDO server and the authenticator can maintain the above information in addition to the authentication key.
  • Smart Contract is actually executable code stored in the blockchain. It is not strictly an account because it does not necessarily have an actual owner, but its characteristics and behavior can be seen as A machine account controlled by programming logic.
  • the first transaction is released to the blockchain network, and other nodes in the blockchain network firstly are first based on the public key of the FIDO server.
  • the signature of the transaction is verified.
  • the signature of the first transaction it is determined whether the account of the FIDO server has the right to perform the management operation to be executed according to the content of the smart contract to be called by the first transaction.
  • the authority of the calling interface of the FIDO server can be specified, for example, the FIDO server and the authenticator manufacturer are allowed to call the add-on authentication interface, modify the authenticator interface, and read the authenticator interface, where the authenticator interface is added. Adding a new authenticator information to the blockchain, modifying the authenticator interface to modify a certain information or all information of the authenticator, and deleting the authenticator interface for deleting the information of an authenticator, so other nodes
  • the account of the FIDO server can be judged whether the account of the FIDO server has the right to perform the management operation to be executed according to the interface authority of the FIDO server whose account is allowed to be called as specified in the smart contract.
  • the first transaction passes the verification of other various nodes (which may also be part of the nodes specified in the blockchain network), and each of the other nodes confirms that the account of the FIDO server has the authority to perform the management operation to be performed
  • the other smart nodes execute the smart contract, so that the management operation to be performed can be completed, thereby realizing the maintenance and management of the authenticator by the FIDO server, and the node of the authenticator manufacturer maintains the authenticator in the blockchain and FIDO.
  • the server is the same and will not be described again.
  • the user information and the authenticator information are stored in the FIDO server's Cryptographic Authentication Key Reference Database, and the authenticator information is maintained through the FIDO metadata service (FIDO Metadata). Service) to achieve.
  • FIDO Metadata FIDO Metadata
  • the above-mentioned encrypted authentication key reference database and FIDO metadata service are replaced by a blockchain to implement user information and authenticator information. Storage and maintenance of authenticator information.
  • the blockchain based FIDO authentication method shown in the embodiments of the present disclosure is more secure than the traditional centralized architecture of the FIDO server.
  • Step 116 When the signature of the authentication public key passes the verification, the authentication public key is stored in the blockchain.
  • the authentication public key is actually required to establish a binding relationship with the registered first user and the used first application service.
  • the first user's user name or user ID (userID), the first application service application number (AppID) is stored. And so on, and then the public key number (KeyID) of the authentication public key is associated with the user number and the application number and stored.
  • FIG. 4 is a flowchart of still another blockchain-based FIDO authentication method according to an exemplary embodiment of the present disclosure.
  • the method is applied to a FIDO server.
  • the method may further include:
  • Step 117 Receive an initial logout request sent by the user equipment by using the first application service.
  • the user can send an initial write-out request to the FIDO through the user agent.
  • the manner in which the FIDO server receives the initial write-out request is the same as that shown in step 101, and is also received by the first application service.
  • the initial logout request sent by the user equipment is transparently transmitted to the FIDO server. For details, refer to step 101.
  • Step 118 in response to the initializing the logout request, writing data for setting the user information of the specified user to be invalid to the blockchain, wherein the user information includes: the authentication public key of the specified user, and the designation Correspondence between the user's authentication public key and the specified user and the first application service.
  • the present disclosure replaces the database in the original FIDO server with a blockchain, so that the FIDO server is used as a node in the blockchain, and related user information such as the authentication public key is stored in the blockchain,
  • the blockchain has the characteristics of being non-tamperable, unforgeable, and traceable, thus improving the security of user storage.
  • the blockchain network is based on a P2P network, the FIDO server may be any node in the entire network, thus reducing the possibility of the FIDO server being attacked. Therefore, it can solve the problem that the existing FIDO system is vulnerable to information leakage, tampering or system failure, and improve the security of the FIDO system.
  • FIG. 5 is a block diagram of a blockchain-based FIDO authentication apparatus, as shown in FIG. 5, applied to a FIDO server, the apparatus 500 includes:
  • the receiving module 501 is configured to receive, by using the first application service, a first user-based initialization authentication request sent by the user equipment, where the FIDO server is a FIDO server corresponding to the first application service, where the FIDO server is one of the blockchain networks. node;
  • the authentication response module 502 is configured to send an authentication request to the user equipment, where the authentication request includes a challenge value, in response to the initial authentication request;
  • the receiving module 501 is further configured to receive, by using the first application service, an authentication response sent by the user equipment, where the authentication response includes a challenge value signature, where the challenge value signature is that the user equipment uses the authentication private key to sign the challenge value.
  • the authentication private key corresponds to the first user and the first application service;
  • the reading module 503 is configured to obtain, from the blockchain, an authentication public key corresponding to the authentication private key;
  • the authentication module 504 is configured to verify the challenge value signature in the authentication response by using the authentication public key.
  • FIG. 6 is a block diagram of another blockchain-based FIDO authentication apparatus according to an exemplary embodiment of the present disclosure, the apparatus 500 further includes: a transaction response module 505 and a transaction verification module 506;
  • the receiving module 501 is further configured to receive, by using the first application service, an initializing transaction request sent by the user equipment based on the first user;
  • a transaction response module 505 configured to send to the user equipment in response to the initial transaction request a transaction authentication request, the transaction authentication request including transaction information;
  • the receiving module 501 is further configured to receive, by using the first application service, a transaction authentication response sent by the user equipment, where the transaction authentication response includes a hash value of the transaction information and a signature of the hash value, and the signature of the hash value
  • the user equipment is obtained by signing the hash value with the authentication private key
  • the reading module 503 is further configured to obtain the authentication public key from the blockchain;
  • the transaction verification module 506 is configured to verify the signature of the hash value in the authentication response by using the authentication public key.
  • the block chain-based FIDO authentication apparatus 500 shown in FIG. 6 further includes a transaction response module 505 including a receiving module 501, an authentication response module 502, a reading module 503, and an authentication module 504.
  • the transaction verification module 506, in fact, may also include a transaction response module 505 and a transaction verification module 506 (not shown) without including the authentication response module 502 and the authentication module 504.
  • FIG. 7 is a block diagram of still another blockchain-based FIDO authentication apparatus according to an exemplary embodiment of the present disclosure.
  • the apparatus 500 further includes: a registration response module 507, a secret key verification module 508, and a storage module. 509;
  • the receiving module 501 is configured to: before receiving the initial authentication request sent by the user equipment by using the first application service, or before receiving, by using the first application service, the initial transaction request sent by the user equipment based on the first user, Receiving, by the first application service, an initial registration request sent by the user equipment;
  • the registration response module 507 is configured to send a registration request to the user equipment in response to the initial registration request, where the registration request includes an authentication policy, where the verification policy includes a verification mode and an authenticator type supported by the first application service;
  • the receiving module 501 is further configured to receive, by using the first application service, a registration response sent by the user equipment, where the registration response includes the authentication public key, and a signature of the authentication public key, where the authentication public key and the authentication private key are
  • the user equipment performs a key pair generated by the registration of the first user by using an authenticator that conforms to the verification policy, and the signature of the authentication public key is that the user equipment uses the authentication private key of the authenticator to perform the authentication public key.
  • the reading module 503 is further configured to obtain an authentication public key of the authenticator from the blockchain;
  • the key verification module 508 is configured to use the authentication public key to verify the signature of the authentication public key in the authentication response;
  • the storage module 509 is configured to store the authentication public key in the blockchain when the signature of the authentication public key is verified.
  • FIG. 8 is a block diagram of still another blockchain-based FIDO authentication apparatus according to an exemplary embodiment of the present disclosure, the apparatus 500 further includes: a logout module 510;
  • the receiving module 501 is configured to receive, by using the first application service, an initial logout request sent by the user equipment;
  • the logout module 510 is configured to, in response to the initial logout request, write data to the blockchain for setting user information of the specified user to be invalid, wherein the user information includes: an authentication public key of the specified user, and The corresponding relationship between the authentication public key of the specified user and the specified user and the first application service.
  • FIG. 9 is a block diagram of still another blockchain-based FIDO authentication apparatus according to an exemplary embodiment of the present disclosure.
  • the apparatus 500 further includes an authenticator management module 511, configured to:
  • the FIDO server initiates a first transaction for authenticator management in the blockchain, the first transaction including an account of the FIDO server, an account of the smart contract, a management operation to be performed, and a first transaction Signing, the signature of the first transaction is obtained by the FIDO server using the private key of the FIDO server to sign the first transaction, and the smart contract records the operation authority of the account of the FIDO server;
  • the first transaction is for performing the management operation to be performed in the blockchain by using the smart contract, and the management operation to be performed includes: adding the authenticator information, modifying the authenticator information, or deleting the authenticator information.
  • the present disclosure replaces the database in the original FIDO server with a blockchain, so that the FIDO server is used as a node in the blockchain, and related user information such as the authentication public key is stored in the blockchain,
  • the blockchain has the characteristics of being non-tamperable, unforgeable, and traceable, thus improving the security of user storage.
  • the blockchain network is based on a P2P network, the FIDO server may be any node in the entire network, thus reducing the possibility of the FIDO server being attacked. Therefore, it can solve the problem that the existing FIDO system is vulnerable to information leakage, tampering or system failure, and improve the security of the FIDO system.
  • FIG. 10 is a structural diagram of a blockchain-based FIDO system according to an exemplary embodiment of the present disclosure. As shown in FIG. 10, the system includes: at least one user equipment 10, at least one online fast identity authentication FIDO. Server 20, and blockchain system 30;
  • the blockchain system 30 includes a blockchain network and a blockchain, and the blockchain is jointly maintained by nodes in the blockchain network, and each FIDO server 20 includes any of the above-described FIGS. 6-9.
  • each FIDO server 20 is a node in the blockchain network, and each FIDO server corresponds to one or more application services.
  • the user equipment 10 includes a user agent, a FIDO client, and a FIDO authenticator.
  • the FIDO server 20 belongs to a trusted party, and the trusted party further includes an application service server.
  • the user device 20 and the application service may be based on the UAF. Protocol interaction, the application service can transmit messages (requests/responses, etc.) sent by the user equipment to the FIDO server.
  • one application service corresponds to one FIDO server.
  • multiple FIDO servers can be set correspondingly, and the structure thereof can be as shown in FIG. 11; optionally, as shown in FIG. It is also possible to use a structure in which a plurality of application services use the same FIDO server, or as shown in FIG. 13, a structure in which two modes are mixed.
  • FIG. 14 is a block diagram of an electronic device 1400, according to an exemplary embodiment.
  • the electronic device 1400 can be provided as a server.
  • the electronic device 1400 includes a processor 1422, which may be one or more, and a memory 1432 for storing a computer program executable by the processor 1422.
  • the computer program stored in memory 1432 can include one or more modules each corresponding to a set of instructions.
  • the processor 1422 can be configured to execute the computer program to perform the blockchain-based FIDO authentication method described above.
  • electronic device 1400 can also include a power supply component 1426 and a communication component 1450 that can be configured to perform power management of electronic device 1400, which can be configured to enable communication of electronic device 1400, eg, wired Or wireless communication. Additionally, the electronic device 1400 can also include an input/output (I/O) interface 1458. The electronic device 1400 can operate based on an operating system stored in the memory 1432, such as Windows ServerTM, Mac OS XTM, UnixTM, LinuxTM, and the like.
  • an operating system stored in the memory 1432, such as Windows ServerTM, Mac OS XTM, UnixTM, LinuxTM, and the like.
  • a computer readable storage medium comprising program instructions, such as a memory 1432 comprising program instructions executable by a processor 1422 of an electronic device 1400 to perform the above-described region based FIDO certification method for blockchain.

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Financial Or Insurance-Related Operations Such As Payment And Settlement (AREA)
  • Management, Administration, Business Operations System, And Electronic Commerce (AREA)

Abstract

The present disclosure relates to a method, device and system for FIDO authentication based on a blockchain. The method comprises: after receiving, by means of a first application service, an authentication initialization request sent by a user equipment, sending an authentication request to the user equipment, the authentication request including a challenge value; after the user equipment signs the challenge value by using a private authentication key, an FIDO server receiving, by means of the first application service, an authentication response sent by the user equipment, the authentication response including a challenge value signature; and then, the FIDO server acquiring, from a blockchain, a public authentication key corresponding to the private authentication key, and using the public authentication key to verify the challenge value signature in the authentication response. The present invention can solve the problem of information being leaked and tampered with or a system failure caused by the fact that existing FIDO systems are easily attacked, and thus, the security of an FIDO system is improved.

Description

基于区块链的FIDO认证方法、装置及***Method, device and system for FIDO authentication based on blockchain 技术领域Technical field
本公开涉及信息安全领域,具体地,涉及一种基于区块链的FIDO认证方法、装置及***。The present disclosure relates to the field of information security, and in particular, to a blockchain-based FIDO authentication method, apparatus, and system.
背景技术Background technique
FIDO(Fast Identity Online,线上快速身份认证)标准是由FIDO联盟提出的一个开放的标准协议,旨在提供一个高安全性、跨平台兼容性、极佳用户体验与用户隐私保护的在线身份验证技术架构。FIDO标准通过集成生物识别与非对称加密两大技术来完成用户身份验证,试图终结多年来用户必须记忆并使用大量复杂密码的烦恼。目前的FIDO标准中提出了两种认证协议:U2F(Universal 2nd Factor Protocol,通用第二因素)与UAF(Universal Authentication Framework,通用认证框架)。The FIDO (Fast Identity Online) standard is an open standard protocol proposed by the FIDO Alliance to provide an online authentication with high security, cross-platform compatibility, excellent user experience and user privacy protection. Technology Architecture. The FIDO standard accomplishes user authentication by integrating biometrics and asymmetric encryption to try to end the years when users have to remember and use a large number of complex passwords. Two authentication protocols are proposed in the current FIDO standard: U2F (Universal 2nd Factor Protocol) and UAF (Universal Authentication Framework).
其中,U2F是在兼容现有密码验证体系基础上提出的。当在线进行高安全属性的在线操作时,用户需提供一个符合U2F协议的验证设备作为第二身份验证因素,即可保证交易足够安全。该验证设备被称为U2F设备,例如第二代U盾,用户在使用时先通过用户名和密码的方式登录该网站或服务,然后在任何有高安全需求时(如交易确认)接入U2F设备并确认本次身份验证操作,就可以完成用户强身份验证,提升交易安全。借助U2F设备,用户不再需要记忆大量的复杂密码,传统密码主要用于用户登录使用,不决定交易安全性高低,用户即使只使用4位简单密码也不会影响到最终的交易安全。不仅如此,U2F协议还支持单一U2F验证设备同时为多个网站或服务进行强安全认证服务。Among them, U2F is based on the compatibility of existing password verification system. When online operation of high security attributes is performed online, the user needs to provide a verification device conforming to the U2F protocol as a second authentication factor to ensure that the transaction is sufficiently secure. The verification device is called a U2F device, for example, a second generation U shield. When the user uses the user, the user name and password are first used to log in to the website or service, and then the U2F device is accessed when there is a high security requirement (such as transaction confirmation). And confirm this authentication operation, you can complete the user strong authentication and improve transaction security. With U2F devices, users no longer need to memorize a large number of complex passwords. Traditional passwords are mainly used for user logins. They do not determine the security of transactions. Even users who use only 4 simple passwords will not affect the final transaction security. Not only that, but the U2F protocol also supports a single U2F authentication device for strong security authentication services for multiple websites or services.
UAF充分地吸收了移动智能设备所具有的新技术,更加符合移动用户的使用习惯。在需要验证身份时,智能设备利用生物识别技术(如指纹识别、面部识别、虹膜识别等)取得用户授权,然后通过非对称加密技术生成加密的认证数据供后台服务器进行用户身份验证操作。整个过程可完全不需要密码,真正意义上实现了“终结密码”。交易在进行基于UAF协议的身份验证 时,只需用户刷一下指纹,或说一句话,又或简单看着摄像头就可以完成用户登录、交易确认或其他需要强身份验证操作。依据UAF协议,用户所有的个人生物数据与私有密钥都只存储在用户设备中,无需经网络传送到网站服务器,而服务器只需存储有用户的公有密钥即可完成用户身份验证。这样就大大降低了用户验证信息暴露的风险。UAF fully absorbs the new technology of mobile smart devices and is more in line with the habits of mobile users. When the identity needs to be verified, the smart device uses biometric technology (such as fingerprint recognition, facial recognition, iris recognition, etc.) to obtain user authorization, and then generates encrypted authentication data for the background server to perform user authentication operation through asymmetric encryption technology. The entire process can be completely free of passwords, and the "terminal password" is realized in the true sense. The transaction is in UAF-based authentication When you just need to swipe your fingerprint, or say a word, or simply look at the camera, you can complete user login, transaction confirmation or other strong authentication operations. According to the UAF protocol, all personal biometric data and private keys of the user are stored only in the user equipment, and need not be transmitted to the website server via the network, and the server only needs to store the user's public key to complete the user identity verification. This greatly reduces the risk of user authentication information exposure.
但是目前的FIDO架构是C/S(Client/Server,客户端/服务器)架构,其中服务器端采用中心化架构,与身份认证相关的隐私信息,比如用户的公钥,注册信息等均存储在FIDO服务器的数据库中,一旦FIDO服务器受到攻击可能导致信息的泄露、被篡改或出现***故障等问题,因此存在一定的安全隐患。However, the current FIDO architecture is a C/S (Client/Server, client/server) architecture, in which the server side adopts a centralized architecture, and privacy information related to identity authentication, such as the user's public key, registration information, etc. are stored in FIDO. In the database of the server, once the FIDO server is attacked, it may cause information leakage, tampering, or system failure, so there are certain security risks.
发明内容Summary of the invention
本公开的一个目的是提供一种基于区块链的FIDO认证方法、装置及***,能够解决现有的FIDO服务器中心化部署方式易受到攻击而造成信息泄露、被篡改或出现***故障的问题。An object of the present disclosure is to provide a blockchain-based FIDO authentication method, apparatus, and system, which can solve the problem that the existing FIDO server centralized deployment mode is vulnerable to information leakage, tampering, or system failure.
为了实现上述目的,第一方面,本公开提供一种基于区块链的FIDO认证方法,应用于线上快速身份认证FIDO服务器,所述方法包括:In order to achieve the above object, in a first aspect, the present disclosure provides a blockchain-based FIDO authentication method, which is applied to an online fast identity authentication FIDO server, and the method includes:
通过第一应用服务接收用户设备发送的基于第一用户的初始化认证请求,所述FIDO服务器为所述第一应用服务对应的FIDO服务器,所述FIDO服务器为区块链网络中的一个节点;Receiving, by the first application service, a first user-based initialization authentication request sent by the user equipment, where the FIDO server is a FIDO server corresponding to the first application service, where the FIDO server is a node in a blockchain network;
响应于所述初始化认证请求,向所述用户设备发送认证请求,所述认证请求中包含挑战值;Sending an authentication request to the user equipment, where the authentication request includes a challenge value, in response to the initializing the authentication request;
通过所述第一应用服务接收所述用户设备发送的认证响应,所述认证响应中包含挑战值签名,所述挑战值签名是所述用户设备利用认证私钥对所述挑战值进行签名得到的,所述认证私钥与所述第一用户以及所述第一应用服务对应;Receiving, by the first application service, an authentication response sent by the user equipment, where the authentication response includes a challenge value signature, where the challenge value signature is obtained by the user equipment signing the challenge value by using an authentication private key. The authentication private key corresponds to the first user and the first application service;
从所述区块链中获取所述认证私钥对应的认证公钥;Obtaining, from the blockchain, an authentication public key corresponding to the authentication private key;
利用所述认证公钥对所述认证响应中的所述挑战值签名进行验证;Verifying the challenge value signature in the authentication response by using the authentication public key;
和/或, and / or,
通过所述第一应用服务接收所述用户设备发送的基于所述第一用户的初始化交易请求;Receiving, by the first application service, an initialization transaction request sent by the user equipment based on the first user;
响应于所述初始化交易请求,向所述用户设备发送交易认证请求,所述交易认证请求中包含交易信息;Transmitting, to the user equipment, a transaction authentication request, where the transaction authentication request includes transaction information, in response to the initializing a transaction request;
通过所述第一应用服务接收所述用户设备发送的交易认证响应,所述交易认证响应中包含所述交易信息的哈希值以及所述哈希值的签名,所述哈希值的签名是所述用户设备利用与所述认证私钥对所述哈希值进行签名得到的;Receiving, by the first application service, a transaction authentication response sent by the user equipment, where the transaction authentication response includes a hash value of the transaction information and a signature of the hash value, and the signature of the hash value is The user equipment is obtained by signing the hash value with the authentication private key;
从所述区块链中获取所述认证公钥;Obtaining the authentication public key from the blockchain;
利用所述认证公钥对所述认证响应中的所述哈希值的签名进行验证。The signature of the hash value in the authentication response is verified using the authentication public key.
可选地,在所述通过第一应用服务接收用户设备发送的初始化认证请求之前,或在所述通过所述第一应用服务接收所述用户设备发送的基于所述第一用户的初始化交易请求之前,所述方法还包括:Optionally, before the initial authentication request sent by the user equipment is received by the first application service, or the initial transaction request based on the first user sent by the user equipment is received by the first application service Previously, the method further includes:
通过所述第一应用服务接收所述用户设备发送的初始化注册请求;Receiving, by the first application service, an initial registration request sent by the user equipment;
响应于所述初始化注册请求,向所述用户设备发送注册请求,所述注册请求中包含验证策略,所述验证策略包含所述第一应用服务所支持的验证方式和认证器种类;And in response to the initializing the registration request, sending a registration request to the user equipment, where the registration request includes an authentication policy, where the verification policy includes a verification mode and an authenticator type supported by the first application service;
通过所述第一应用服务接收所述用户设备发送的注册响应,所述注册响应中包含所述认证公钥,以及所述认证公钥的签名,所述认证公钥和所述认证私钥是所述用户设备通过符合所述验证策略的认证器进行所述第一用户的注册后生成的密钥对,所述认证公钥的签名是所述用户设备利用所述认证器的鉴权私钥对所述认证公钥进行签名得到的;Receiving, by the first application service, a registration response sent by the user equipment, where the registration response includes the authentication public key, and a signature of the authentication public key, where the authentication public key and the authentication private key are The user equipment performs a key pair generated by the registration of the first user by using an authenticator that meets the verification policy, and the signature of the authentication public key is an authentication private key of the user equipment using the authenticator. Signing the authentication public key;
从所述区块链中获取所述认证器的鉴权公钥;Obtaining an authentication public key of the authenticator from the blockchain;
利用所述鉴权公钥对所述认证响应中的所述认证公钥的签名进行验证;Using the authentication public key to verify the signature of the authentication public key in the authentication response;
当所述认证公钥的签名通过验证时,将所述认证公钥存储在所述区块链中。When the signature of the authentication public key passes verification, the authentication public key is stored in the blockchain.
可选地,所述方法还包括:Optionally, the method further includes:
通过所述第一应用服务接收所述用户设备发送的初始化注销请求;Receiving, by the first application service, an initial logout request sent by the user equipment;
响应于所述初始化注销请求,向所述区块链中写入用于将指定用户的用 户信息设置为无效的数据,其中所述用户信息包括:所述指定用户的认证公钥,以及所述指定用户的认证公钥与所述指定用户、所述第一应用服务的对应关系。Writing to the blockchain for use by the designated user in response to the initial logout request The user information is set to invalid data, wherein the user information includes: an authentication public key of the specified user, and a corresponding relationship between the authentication public key of the specified user and the specified user and the first application service.
可选地,所述方法还包括:Optionally, the method further includes:
所述FIDO服务器在所述区块链中发起用于认证器管理的第一交易,所述第一交易中包括所述FIDO服务器的账户,所述智能合约的账户,待执行的管理操作,以及所述第一交易的签名,所述第一交易的签名是所述FIDO服务器利用所述FIDO服务器的私钥对所述第一交易进行签名得到的,所述智能合约中记录有所述FIDO服务器的账户的操作权限;The FIDO server initiates a first transaction for authenticator management in the blockchain, the first transaction including an account of the FIDO server, an account of the smart contract, a management operation to be performed, and a signature of the first transaction, the signature of the first transaction is obtained by the FIDO server signing the first transaction by using a private key of the FIDO server, and the FIDO server is recorded in the smart contract Operational authority of the account;
所述第一交易用于利用所述智能合约在所述区块链中执行所述待执行的管理操作,所述待执行的管理操作包括:添加认证器信息、修改认证器信息或删除认证器信息。The first transaction is used to perform the management operation to be performed in the blockchain by using the smart contract, and the management operation to be performed includes: adding authenticator information, modifying authenticator information, or deleting an authenticator information.
第二方面,本公开还提供一种基于区块链的FIDO认证装置,应用于线上快速身份认证FIDO服务器,所述装置包括:In a second aspect, the present disclosure further provides a blockchain-based FIDO authentication apparatus, which is applied to an online fast identity authentication FIDO server, and the apparatus includes:
接收模块,用于通过第一应用服务接收用户设备发送的基于第一用户的初始化认证请求,所述FIDO服务器为所述第一应用服务对应的FIDO服务器,所述FIDO服务器为区块链网络中的一个节点;a receiving module, configured to receive, by using the first application service, a first user-based initialization authentication request sent by the user equipment, where the FIDO server is a FIDO server corresponding to the first application service, where the FIDO server is in a blockchain network a node;
认证响应模块,用于响应于所述初始化认证请求,向所述用户设备发送认证请求,所述认证请求中包含挑战值;An authentication response module, configured to send an authentication request to the user equipment, where the authentication request includes a challenge value, in response to the initial authentication request;
所述接收模块,还用于通过所述第一应用服务接收所述用户设备发送的认证响应,所述认证响应中包含挑战值签名,所述挑战值签名是所述用户设备利用认证私钥对所述挑战值进行签名得到的,所述认证私钥与所述第一用户以及所述第一应用服务对应;The receiving module is further configured to receive, by using the first application service, an authentication response sent by the user equipment, where the authentication response includes a challenge value signature, where the challenge value signature is that the user equipment uses an authentication private key pair The challenge value is obtained by signature, and the authentication private key corresponds to the first user and the first application service;
读取模块,用于从所述区块链中获取所述认证私钥对应的认证公钥;a reading module, configured to acquire, from the blockchain, an authentication public key corresponding to the authentication private key;
认证模块,用于利用所述认证公钥对所述认证响应中的所述挑战值签名进行验证;An authentication module, configured to verify, by using the authentication public key, the challenge value signature in the authentication response;
和/或,and / or,
所述接收模块,还用于通过所述第一应用服务接收所述用户设备发送的基于所述第一用户的初始化交易请求; The receiving module is further configured to receive, by using the first application service, an initializing transaction request that is sent by the user equipment based on the first user;
交易响应模块,用于响应于所述初始化交易请求,向所述用户设备发送交易认证请求,所述交易认证请求中包含交易信息;a transaction response module, configured to send a transaction authentication request to the user equipment in response to the initializing transaction request, where the transaction authentication request includes transaction information;
所述接收模块,还用于通过所述第一应用服务接收所述用户设备发送的交易认证响应,所述交易认证响应中包含所述交易信息的哈希值以及所述哈希值的签名,所述哈希值的签名是所述用户设备利用与所述认证私钥对所述哈希值进行签名得到的;The receiving module is further configured to receive, by using the first application service, a transaction authentication response sent by the user equipment, where the transaction authentication response includes a hash value of the transaction information and a signature of the hash value, The signature of the hash value is obtained by the user equipment by using the authentication private key to sign the hash value;
所述读取模块,还用于从所述区块链中获取所述认证公钥;The reading module is further configured to obtain the authentication public key from the blockchain;
交易验证模块,用于利用所述认证公钥对所述认证响应中的所述哈希值的签名进行验证。And a transaction verification module, configured to verify, by using the authentication public key, a signature of the hash value in the authentication response.
可选地,所述装置还包括:注册响应模块、秘钥验证模块和存储模块;Optionally, the device further includes: a registration response module, a secret key verification module, and a storage module;
所述接收模块,用于在所述通过第一应用服务接收用户设备发送的初始化认证请求之前,或在所述通过所述第一应用服务接收所述用户设备发送的基于所述第一用户的初始化交易请求之前,通过所述第一应用服务接收所述用户设备发送的初始化注册请求;The receiving module is configured to: before receiving, by the first application service, an initial authentication request sent by the user equipment, or before receiving, by the first application service, the first user that is sent by the user equipment Receiving, by the first application service, an initialization registration request sent by the user equipment, before initializing the transaction request;
所述注册响应模块,用于响应于所述初始化注册请求,向所述用户设备发送注册请求,所述注册请求中包含验证策略,所述验证策略包含所述第一应用服务所支持的验证方式和认证器种类;The registration response module is configured to send a registration request to the user equipment in response to the initial registration request, where the registration request includes an authentication policy, where the verification policy includes an authentication method supported by the first application service. And the type of authenticator;
所述接收模块,还用于通过所述第一应用服务接收所述用户设备发送的注册响应,所述注册响应中包含所述认证公钥,以及所述认证公钥的签名,所述认证公钥和所述认证私钥是所述用户设备通过符合所述验证策略的认证器进行所述第一用户的注册后生成的密钥对,所述认证公钥的签名是所述用户设备利用所述认证器的鉴权私钥对所述认证公钥进行签名得到的;The receiving module is further configured to receive, by using the first application service, a registration response sent by the user equipment, where the registration response includes the authentication public key, and a signature of the authentication public key, where the authentication public The key and the authentication private key are key pairs generated by the user equipment after the registration of the first user by the authenticator conforming to the verification policy, and the signature of the authentication public key is the user equipment utilization Declaring the authentication private key of the authenticator to sign the authentication public key;
所述读取模块,还用于从所述区块链中获取所述认证器的鉴权公钥;The reading module is further configured to obtain an authentication public key of the authenticator from the blockchain;
所述秘钥验证模块,用于利用所述鉴权公钥对所述认证响应中的所述认证公钥的签名进行验证;The secret key verification module is configured to verify, by using the authentication public key, a signature of the authentication public key in the authentication response;
所述存储模块,用于当所述认证公钥的签名通过验证时,将所述认证公钥存储在所述区块链中。The storage module is configured to store the authentication public key in the blockchain when the signature of the authentication public key is verified.
可选地,所述装置还包括:注销模块;Optionally, the device further includes: a logout module;
所述接收模块,用于通过所述第一应用服务接收所述用户设备发送的初 始化注销请求;The receiving module is configured to receive, by using the first application service, an initial sent by the user equipment Initialize the logout request;
所述注销模块,用于响应于所述初始化注销请求,向所述区块链中写入用于将指定用户的用户信息设置为无效的数据,其中所述用户信息包括:所述指定用户的认证公钥,以及所述指定用户的认证公钥与所述指定用户、所述第一应用服务的对应关系。The logout module is configured to, in response to the initializing the logout request, write data to the blockchain for setting user information of the specified user to be invalid, wherein the user information includes: the specified user And a corresponding relationship between the authentication public key of the specified user and the specified user and the first application service.
可选地,所述装置还包括:认证器管理模块,用于:Optionally, the device further includes: an authenticator management module, configured to:
所述FIDO服务器在所述区块链中发起用于认证器管理的第一交易,所述第一交易中包括所述FIDO服务器的账户,智能合约的账户,待执行的管理操作,以及所述第一交易的签名,所述第一交易的签名是所述FIDO服务器利用所述FIDO服务器的私钥对所述第一交易进行签名得到的,所述智能合约中记录有所述FIDO服务器的账户的操作权限;The FIDO server initiates a first transaction for authenticator management in the blockchain, the first transaction including an account of the FIDO server, an account of a smart contract, a management operation to be performed, and the a signature of the first transaction, the signature of the first transaction is obtained by the FIDO server using the private key of the FIDO server to sign the first transaction, and the account of the FIDO server is recorded in the smart contract Operational authority;
所述第一交易用于利用所述智能合约在所述区块链中执行所述待执行的管理操作,所述待执行的管理操作包括:添加认证器信息、修改认证器信息或删除认证器信息。The first transaction is used to perform the management operation to be performed in the blockchain by using the smart contract, and the management operation to be performed includes: adding authenticator information, modifying authenticator information, or deleting an authenticator information.
第三方面,本公开还提供一种基于区块链的FIDO***,所述***包括:至少一个用户设备,至少一个线上快速身份认证FIDO服务器,以及区块链***,所述区块链***包括区块链网络和区块链;In a third aspect, the present disclosure also provides a blockchain-based FIDO system, the system comprising: at least one user equipment, at least one online fast identity authentication FIDO server, and a blockchain system, the blockchain system Including blockchain networks and blockchains;
其中,每个所述FIDO服务器包括第二方面所述的基于区块链的FIDO认证装置,每个所述FIDO服务器为所述区块链网络中的一个节点,且每个所述FIDO服务器对应一个或多个应用服务。Wherein each of the FIDO servers includes the blockchain-based FIDO authentication device of the second aspect, each of the FIDO servers being a node in the blockchain network, and each of the FIDO servers corresponds to One or more application services.
第四方面,本公开还提供一种计算机可读存储介质,其上存储有计算机程序,所述计算机程序被处理器执行时实现第一方面所述方法的步骤。In a fourth aspect, the present disclosure also provides a computer readable storage medium having stored thereon a computer program, the computer program being executed by a processor to implement the steps of the method of the first aspect.
第五方面,本公开还提供一种电子设备,包括:In a fifth aspect, the present disclosure further provides an electronic device, including:
第四方面中所述的计算机可读存储介质;以及a computer readable storage medium as described in the fourth aspect;
一个或者多个处理器,用于执行所述计算机可读存储介质中的计算机程序。One or more processors for executing a computer program in the computer readable storage medium.
本公开提供的基于区块链的FIDO认证方法、装置及***,FIDO服务器在通过第一应用服务接收用户设备发送的初始化认证请求后,向用户设备发送认证请求,该认证请求中包含挑战值,在用户设备利用认证私钥对该挑 战值进行签名后,FIDO服务器通过第一应用服务接收用户设备发送的认证响应,该认证响应中包含挑战值签名,而后FIDO从区块链中获取该认证私钥对应的认证公钥,并利用该认证公钥对认证响应中的该挑战值签名进行验证。通过上述技术方案,本公开用区块链来替代原有的FIDO服务器中的数据库,使得FIDO服务器作为区块链中的一个节点,而认证公钥等相关用户信息存储在区块链中,由于区块链具有不可篡改、不可伪造、可追溯的特点,因此能够提高用户存储的安全性。并且由于区块链网络是基于P2P(Peer to Peer,对等网络),是一种分布式网络,FIDO服务器可能是整个网络中的任一节点,因此能够降低FIDO服务器被攻击的可能性。因此,能够解决现有FIDO***易受到攻击而造成信息泄露、被篡改或出现***故障的问题,能够提高FIDO***的安全性。The blockchain-based FIDO authentication method, device, and system provided by the present disclosure, after receiving the initial authentication request sent by the user equipment by using the first application service, the FIDO server sends an authentication request to the user equipment, where the authentication request includes a challenge value, The user device utilizes the authentication private key for the pick After the battle value is signed, the FIDO server receives the authentication response sent by the user equipment by using the first application service, where the authentication response includes the challenge value signature, and then the FIDO obtains the authentication public key corresponding to the authentication private key from the blockchain, and uses the authentication public key. The authentication public key verifies the challenge value signature in the authentication response. Through the above technical solution, the present disclosure replaces the database in the original FIDO server with a blockchain, so that the FIDO server is used as a node in the blockchain, and related user information such as the authentication public key is stored in the blockchain, The blockchain has the characteristics of being non-tamperable, unforgeable, and traceable, thus improving the security of user storage. And since the blockchain network is based on P2P (Peer to Peer), it is a distributed network. The FIDO server may be any node in the entire network, thus reducing the possibility of the FIDO server being attacked. Therefore, it can solve the problem that the existing FIDO system is vulnerable to information leakage, tampering or system failure, and can improve the security of the FIDO system.
本公开的其他特征和优点将在随后的具体实施方式部分予以详细说明。Other features and advantages of the present disclosure will be described in detail in the detailed description which follows.
附图说明DRAWINGS
附图是用来提供对本公开的进一步理解,并且构成说明书的一部分,与下面的具体实施方式一起用于解释本公开,但并不构成对本公开的限制。在附图中:The drawings are intended to provide a further understanding of the disclosure, and are in the In the drawing:
图1是根据本公开一示例性实施例示出的一种基于区块链的FIDO认证方法的流程图;FIG. 1 is a flowchart of a blockchain-based FIDO authentication method according to an exemplary embodiment of the present disclosure;
图2是根据本公开一示例性实施例示出的另一种基于区块链的FIDO认证方法的流程图;FIG. 2 is a flowchart of another blockchain-based FIDO authentication method according to an exemplary embodiment of the present disclosure; FIG.
图3是根据本公开一示例性实施例示出的又一种基于区块链的FIDO认证方法的流程图;FIG. 3 is a flowchart of still another blockchain-based FIDO authentication method according to an exemplary embodiment of the present disclosure; FIG.
图4是根据本公开一示例性实施例示出的又一种基于区块链的FIDO认证方法的流程图;FIG. 4 is a flowchart of still another blockchain-based FIDO authentication method according to an exemplary embodiment of the present disclosure; FIG.
图5是根据本公开一示例性实施例示出的一种基于区块链的FIDO认证装置的框图;FIG. 5 is a block diagram of a blockchain-based FIDO authentication apparatus according to an exemplary embodiment of the present disclosure; FIG.
图6是根据本公开一示例性实施例示出的另一种基于区块链的FIDO认证装置的框图; FIG. 6 is a block diagram of another blockchain-based FIDO authentication apparatus according to an exemplary embodiment of the present disclosure; FIG.
图7是根据本公开一示例性实施例示出的又一种基于区块链的FIDO认证装置的框图;FIG. 7 is a block diagram of still another blockchain-based FIDO authentication apparatus according to an exemplary embodiment of the present disclosure; FIG.
图8是根据本公开一示例性实施例示出的又一种基于区块链的FIDO认证装置的框图;FIG. 8 is a block diagram of still another blockchain-based FIDO authentication apparatus according to an exemplary embodiment of the present disclosure; FIG.
图9是根据本公开一示例性实施例示出的又一种基于区块链的FIDO认证装置的框图;FIG. 9 is a block diagram of still another blockchain-based FIDO authentication apparatus according to an exemplary embodiment of the present disclosure; FIG.
图10是根据本公开一示例性实施例示出的一种基于区块链的FIDO***的结构图;FIG. 10 is a structural diagram of a blockchain-based FIDO system according to an exemplary embodiment of the present disclosure; FIG.
图11是根据本公开一示例性实施例示出的另一种基于区块链的FIDO***的结构图;11 is a structural diagram of another blockchain-based FIDO system according to an exemplary embodiment of the present disclosure;
图12是根据本公开一示例性实施例示出的又一种基于区块链的FIDO***的结构图;FIG. 12 is a structural diagram of still another blockchain-based FIDO system according to an exemplary embodiment of the present disclosure; FIG.
图13是根据本公开一示例性实施例示出的又一种基于区块链的FIDO***的结构图;FIG. 13 is a structural diagram of still another blockchain-based FIDO system according to an exemplary embodiment of the present disclosure; FIG.
图14是根据一示例性实施例示出的一种电子设备的框图。FIG. 14 is a block diagram of an electronic device, according to an exemplary embodiment.
具体实施方式detailed description
以下结合附图对本公开的具体实施方式进行详细说明。应当理解的是,此处所描述的具体实施方式仅用于说明和解释本公开,并不用于限制本公开。The specific embodiments of the present disclosure will be described in detail below with reference to the accompanying drawings. It is to be understood that the specific embodiments described herein are not to be construed
首先,在对本公开提供的基于区块链的FIDO认证方法、装置及***进行说明之前,先对区块链进行介绍,区块链是由区块链网络中所有节点共同参与维护的去中心化分布式数据库***,它是由一系列基于密码学方法产生的数据块组成,每个数据块即为区块链中的一个区块。根据产生时间的先后顺序,区块被有序地链接在一起,形成一个数据链条,被形象地称为区块链(Blockchain)。下面对区块链网络的一些概念进行介绍。Firstly, before describing the blockchain-based FIDO authentication method, device and system provided by the present disclosure, the blockchain is introduced, and the blockchain is decentralized by all the nodes in the blockchain network. A distributed database system consisting of a series of cryptographically generated data blocks, each of which is a block in a blockchain. According to the order of the generation time, the blocks are linked together in an orderly manner to form a data chain, which is aptly called a blockchain. Some concepts of the blockchain network are introduced below.
区块链网络中的节点可以称为区块链节点,其中区块链网络基于P2P网络,每个参与交易和区块存储、验证、转发的P2P网络节点都是一个区块链网络中的节点。本公开各个实施例中所涉及FIDO服务器就是该区块链网络中的任一节点。 A node in a blockchain network may be referred to as a blockchain node, wherein the blockchain network is based on a P2P network, and each P2P network node participating in the transaction and block storage, verification, and forwarding is a node in a blockchain network. . The FIDO server involved in various embodiments of the present disclosure is any node in the blockchain network.
区块链中的用户身份使用公钥表示,并且公钥和私钥是成对出现的,上述公钥所对应的私钥由用户掌握而不发布到网络,公钥可以通过特定的哈希和编码后成为“地址”,该“地址”可以理解为一个账户,代表了其对应的用户,并可随意发布在区块链网络中。用户身份和区块链节点不存在一一对应关系,用户可以在任意一个区块链节点上使用自己的私钥。例如,在本公开的各个实施例中,在区块链网络中的任意一个节点上使用了FIDO服务器的私钥,则该节点就可以作为FIDO服务器。The user identity in the blockchain is represented by a public key, and the public key and the private key are paired. The private key corresponding to the public key is mastered by the user and not posted to the network, and the public key can pass a specific hash and After encoding, it becomes an "address". The "address" can be understood as an account, representing its corresponding user, and can be freely published in the blockchain network. There is no one-to-one correspondence between user identity and blockchain nodes. Users can use their own private key on any blockchain node. For example, in various embodiments of the present disclosure, the private key of the FIDO server is used on any of the nodes in the blockchain network, and the node can act as a FIDO server.
通常意义上,在区块链的形成过程中,每一个参与计算的节点均享有相同的权限(去中心、无信任),其中包括交易(Transaction),计算区块(俗称挖矿,即mining)等核心功能。其中,交易代表将被写入区块的数据,而区块(Block)则采用特定生成机制,保证最长的链(最长的链包含最多前后关联的区块)为有效链。在交易的数据中,通常包括了一定属性或货币,比如交易拥有者的数字签名(即拥有者的私钥对其交易进行加密处理,通常意义上称为数字签名),交易接受者的账户地址等,在该交易通过了对拥有者数字签名的验证,并被写入区块后,即将该货币的所有权转移到接受者一方。In the usual sense, in the formation of the blockchain, each node participating in the calculation has the same authority (decentralized, no trust), including transactions, calculation blocks (commonly known as mining, ie mining) And other core functions. Among them, the transaction representative will be written into the block data, and the block (Block) adopts a specific generation mechanism to ensure that the longest chain (the longest chain contains the most relevant blocks) is the effective chain. In the data of the transaction, usually includes a certain attribute or currency, such as the digital signature of the transaction owner (ie, the owner's private key encrypts the transaction, usually called digital signature), the account address of the transaction recipient Etc., after the transaction passes the verification of the owner's digital signature and is written into the block, the ownership of the currency is transferred to the recipient.
关于区块链的数据写入区块的过程,是由区块链节点通过向区块链网络发布交易(Transaction)实现向区块链写入数据。该交易包括:区块链节点按照预设的交易数据格式对生成的交易数据包,以及利用该区块链节点自己的私钥对该交易数据包进行的数字签名,该数字签名用于证明该区块链节点的用户的身份。而后,该交易被区块链网络中的“矿工”(即执行PoW共识竞争机制的区块链节点)记录入区块链中产生的新区块,并将该交易发布到区块链网络中,在该交易被其他区块链节点验证通过(其他节点可以从该区块链节点生成的交易中获取该区块链节点的公钥,并根据该区块链节点的公钥对上述的数字签名进行验证,除了验证数字签名之外还可以验证交易数据包是否为规定的数据结构)和接受后,该交易即被写入区块链。其中,区块链中的新区块是由上述的“矿工”通过执行PoW共识竞争机制(该机制可以理解为:各个“矿工”按照区块的预设技术要求,例如按照预设的随机数要求来共同计算随机数,哪一个“矿工”先计算出符合该随机数要求的随机数,该“矿工”产生的区块就作为该新区块)而定期产生的,因此产生新区 块的时间间隔通常和上述的预设技术要求相关,通过设置不同的预设技术要求可以改变区块链产生新区块的时间间隔。本发明公开的各个实施例中,向区块链中写入数据(如存储用户信息、存储用户或认证器的公钥)的流程均可以采用上述流程。The process of writing blocks to the data of the blockchain is performed by the blockchain node by writing a transaction to the blockchain network to write data to the blockchain. The transaction includes: the blockchain node performs a digital signature on the generated transaction data packet according to a preset transaction data format, and uses the private key of the blockchain node to perform the digital signature on the transaction data packet, and the digital signature is used to prove the The identity of the user of the blockchain node. The transaction is then recorded by the “miners” in the blockchain network (ie, the blockchain nodes that perform the PoW consensus competition mechanism) into the new blocks generated in the blockchain, and the transaction is posted to the blockchain network. The transaction is verified by other blockchain nodes (other nodes can obtain the public key of the blockchain node from the transaction generated by the blockchain node, and sign the digital signature according to the public key of the blockchain node Verification, in addition to verifying the digital signature, can verify that the transaction packet is the specified data structure) and the transaction is written to the blockchain. Among them, the new block in the blockchain is implemented by the above-mentioned “miners” to implement the PoW consensus competition mechanism (this mechanism can be understood as: each “miner” according to the preset technical requirements of the block, for example, according to the preset random number requirement To jointly calculate the random number, which "miner" first calculates the random number that meets the requirements of the random number, and the block produced by the "miner" is periodically generated as the new block, thus generating a new area. The time interval of the block is usually related to the above-mentioned preset technical requirements, and the time interval at which the blockchain generates a new block can be changed by setting different preset technical requirements. In various embodiments of the present disclosure, the process of writing data (such as storing user information, storing a public key of a user or an authenticator) into a blockchain may employ the above process.
下面介绍一下本公开各个实施例所涉及的FIDO***的结构,该FIDO***采用C/S(Client/Sever,客户端/服务器)架构,主要包括:用户设备(User Device)和可信赖方(Relying Party)以及区块链网络,该用户设备中包括FIDO客户端,主要包括该用户设备的操作***,例如:Windows、MacOS、iOS,Android等操作***,该用户设备中还包括FIDO认证器(Authenticator)(下文简称认证器),认证器的类型包括但不限于:指纹、声纹、虹膜、人脸识别,该用户设备中还包括用户代理(User Agent),例如浏览器、或app(应用程序);该可信赖方包括应用服务和该应用服务对应的FIDO服务器,用户设备可以通过该用户代理与应用服务交互,从而实现与FIDO服务器的交互。该FIDO服务器是该区块链网络中的某个节点,具有向区块链中写入/读取数据的权限。The following describes the structure of the FIDO system involved in various embodiments of the present disclosure. The FIDO system adopts a C/S (Client/Sever, client/server) architecture, which mainly includes: a user device (User Device) and a trusted party (Relying) Party) and the blockchain network, the user equipment includes a FIDO client, mainly including an operating system of the user equipment, for example, Windows, MacOS, iOS, Android, etc., and the user equipment also includes a FIDO authenticator (Authenticator) (hereinafter referred to as the authenticator), the type of the authenticator includes but is not limited to: fingerprint, voiceprint, iris, face recognition, the user equipment also includes a user agent (User Agent), such as a browser, or an app (application) The trusted party includes an application service and a FIDO server corresponding to the application service, and the user equipment can interact with the application service through the user agent, thereby implementing interaction with the FIDO server. The FIDO server is a node in the blockchain network with the authority to write/read data into the blockchain.
图1是根据本公开一示例性实施例示出的一种基于区块链的FIDO认证方法的流程图,该方法应用于FIDO服务器,如图1所示,该方法包括:1 is a flowchart of a blockchain-based FIDO authentication method, which is applied to a FIDO server, as shown in FIG. 1, according to an exemplary embodiment of the present disclosure, the method includes:
步骤101,通过第一应用服务接收用户设备发送的基于第一用户初始化认证请求,该FIDO服务器为该第一应用服务对应的FIDO服务器,该FIDO服务器为区块链网络中的一个节点。Step 101: Receive, by using the first application service, a first user initialization authentication request sent by the user equipment, where the FIDO server is a FIDO server corresponding to the first application service, and the FIDO server is a node in the blockchain network.
其中,第一应用服务可以是任意一种应用服务,例如网页应用(Web App),例如在进行交易前,需要率先进行用户设备的用户身份的认证,因此需要使用用于进行身份认证的应用服务,此时可以由用户设备向FIDO服务器发起认证流程,当用户设备向FIDO服务器发起认证流程时,可以通过该用户设备上的用户代理,比如通过在用户设备的浏览器上登录与该第一应用服务相关的页面,或者是使用该第一应用服务相关的App(应用程序)进行认证时,该用户设备通过该用户代理向第一应用服务发送初始化认证请求(Initiate Authentication),第一应用服务将收到的初始化认证请求透传给其对应的FIDO服务器(实际上是第一应用服务的应用服务器(App Sever)传给FIDO 服务器的),从而FIDO服务器能够通过第一应用服务接收用户设备发送的初始化认证请求。The first application service may be any type of application service, such as a web application. For example, before the transaction is performed, the user identity of the user equipment needs to be authenticated first, and therefore, an application service for identity authentication is required. At this time, the user equipment can initiate an authentication process to the FIDO server. When the user equipment initiates the authentication process to the FIDO server, the user equipment can be authenticated by the user agent, for example, by logging in to the first application on the browser of the user equipment. When the service-related page is authenticated by using the first application service-related App (application), the user device sends an Initial Authentication Request (Initiate Authentication) to the first application service by using the user agent, and the first application service will The received initialization authentication request is transparently transmitted to its corresponding FIDO server (actually the application server (App Sever) of the first application service is transmitted to FIDO). The server's), so that the FIDO server can receive an initial authentication request sent by the user equipment through the first application service.
步骤102,响应于该初始化认证请求,向该用户设备发送认证请求,该认证请求中包含挑战值。Step 102: Send an authentication request to the user equipment, where the authentication request includes a challenge value, in response to the initial authentication request.
在FIDO服务器接收到初始化认证请求后,FIDO服务器向该用户设备发送包含挑战值(challenge)的认证请求(Authentication Request),该认证请求实际是发到了该用户设备的FIDO客户端。After the FIDO server receives the initialization authentication request, the FIDO server sends an authentication request including a challenge to the user equipment, and the authentication request is actually sent to the FIDO client of the user equipment.
步骤103,通过该第一应用服务接收该用户设备发送的认证响应,该认证响应中包含挑战值签名,该挑战值签名是该用户设备利用认证私钥对该挑战值进行签名得到的,该认证私钥与该用户设备的用户以及该第一应用服务对应。Step 103: Receive, by using the first application service, an authentication response sent by the user equipment, where the authentication response includes a challenge value signature, where the challenge value signature is obtained by the user equipment using the authentication private key to sign the challenge value, and the authentication is performed. The private key corresponds to the user of the user equipment and the first application service.
用户设备在接收到FIDO服务器的认证请求时,该用户设备(中的FIDO客户端)会通过该用户设备上的认证器(Authenticator)对使用该用户设备的第一用户进行验证,验证方式包括:指纹、虹膜、人脸识别、声纹、密码等等,当该用户通过验证时,解锁存储在认证器中的该认证私钥,其中该认证私钥与其对应的认证公钥是在该第一用户使用第一应用服务注册时生成的密钥对,可以成为认证秘钥(Authentication Keys)。实际上在用户设备发起认证流程时,会告知FIDO服务器该用户设备的第一用户的信息,例如该第一用户的用户名(username),从而FIDO服务器在向用户设备发送认证请求时,认证请求还可以包括该用户名、第一应用服务的AppID(应用标识),在生成上述的密钥对后可以与该用户名和第一应用服务建立绑定关系,从而该密钥对与该第一用户以及第一应用服务对应,因此当该第一用户通过验证后,即可解锁与该第一用户以及该第一应用服务对应的认证私钥。When the user equipment receives the authentication request from the FIDO server, the user equipment (the FIDO client in the user equipment) authenticates the first user using the user equipment through an authenticator (Authenticator) on the user equipment, and the verification manner includes: Fingerprint, iris, face recognition, voiceprint, password, etc., when the user passes the verification, unlock the authentication private key stored in the authenticator, wherein the authentication private key and its corresponding authentication public key are at the first The key pair generated when the user registers with the first application service can become an authentication key (Authentication Keys). In fact, when the user equipment initiates the authentication process, the FIDO server is informed of the information of the first user of the user equipment, such as the username of the first user, so that the FIDO server sends an authentication request to the user equipment, and the authentication request is sent. The user name and the AppID (application identifier) of the first application service may be included, and after the key pair is generated, a binding relationship may be established with the user name and the first application service, so that the key pair and the first user And corresponding to the first application service, so that when the first user passes the verification, the authentication private key corresponding to the first user and the first application service can be unlocked.
另外,步骤102中向该用户设备发送的认证请求中还可以包括验证策略(Policy),该验证策略中可以规定允许使用的验证方式(如允许使用指纹或者虹膜),支持/不支持的认证器类型(例如支持/不支持某些规定厂商生产的认证器,或者支持/不支持某些规定厂商生产的且ID符合一定要求的认证器),以及秘钥保护方式(例如采用的加密算法等),当用户设备收到认证请求后,首先根据该验证策略来选择符合该验证策略的认证器,然后再使用该认证器 来进行用户的验证。In addition, the authentication request sent to the user equipment in step 102 may further include a verification policy, where the authentication method may be specified (such as allowing fingerprint or iris), and the supported/unsupported authenticator may be specified. Type (for example, support/non-support for certain certifiers specified by the manufacturer, or support/non-support for certain certifiers that are specified by the manufacturer and whose ID meets certain requirements), and key protection methods (such as encryption algorithms used) After receiving the authentication request, the user equipment first selects an authenticator that conforms to the verification policy according to the verification policy, and then uses the authenticator. To verify the user.
最后,在第一用户通过验证后,该用户设备(中的FIDO客户端)利用上述解锁得到的认证私钥对该挑战值进行签名得到该挑战值签名,并向FIDO服务器发送该认证响应,从而该FIDO服务器就得到了包含挑战值签名的认证响应。Finally, after the first user passes the verification, the user equipment (the FIDO client) uses the above-mentioned unlocked authentication private key to sign the challenge value to obtain the challenge value signature, and sends the authentication response to the FIDO server, thereby The FIDO server gets an authentication response with a challenge value signature.
步骤104,从该区块链中获取该认证私钥对应的认证公钥。Step 104: Obtain an authentication public key corresponding to the authentication private key from the blockchain.
步骤105,利用该认证公钥对该认证响应中的该挑战值签名进行验证。Step 105: Verify the challenge value signature in the authentication response by using the authentication public key.
FIDO服务器在接收到该认证响应后,可以从区块链中读取与该第一用户以及该第一应用服务对应的认证公钥,从而就找到了与该认证私钥对应的认证公钥,然后利用该认证公钥对该认证响应中的该挑战值签名进行验证。当该挑战值签名通过验证后,该用户设备的该第一用户也就通过了本次认证。After receiving the authentication response, the FIDO server may read the authentication public key corresponding to the first user and the first application service from the blockchain, thereby finding the authentication public key corresponding to the authentication private key. The challenge value signature in the authentication response is then verified using the authentication public key. After the challenge value signature is verified, the first user of the user equipment passes the authentication.
通过上述技术方案,本公开用区块链来替代原有的FIDO服务器中的数据库,使得FIDO服务器作为区块链中的一个节点,而认证公钥等相关用户信息存储在区块链中,由于区块链具有不可篡改、不可伪造、可追溯的特点,因此能够提高用户存储的安全性。并且由于区块链网络是基于P2P网络,FIDO服务器可能是整个网络中的任一节点,因此能够降低FIDO服务器被攻击的可能性。因此,能够解决现有FIDO***易受到攻击而造成信息泄露、被篡改或出现***故障的问题,提高FIDO***的安全性。Through the above technical solution, the present disclosure replaces the database in the original FIDO server with a blockchain, so that the FIDO server is used as a node in the blockchain, and related user information such as the authentication public key is stored in the blockchain, The blockchain has the characteristics of being non-tamperable, unforgeable, and traceable, thus improving the security of user storage. And since the blockchain network is based on a P2P network, the FIDO server may be any node in the entire network, thus reducing the possibility of the FIDO server being attacked. Therefore, it can solve the problem that the existing FIDO system is vulnerable to information leakage, tampering or system failure, and improve the security of the FIDO system.
在完成用户的认证后,可以进行交易,此过程中需要对交易相关的信息(例如交易金额)进行认证,因此在图1所示的方法之后还可以包括图2所示的方法,图2是根据本公开一示例性实施例示出的另一种基于区块链的FIDO认证方法的流程图,该方法应用于FIDO服务器,如图2所示,该方法包括:After the user's authentication is completed, the transaction can be performed. In this process, the transaction-related information (such as the transaction amount) needs to be authenticated. Therefore, the method shown in FIG. 2 may be included after the method shown in FIG. A flowchart of another blockchain-based FIDO authentication method, which is applied to a FIDO server, as shown in FIG. 2, according to an exemplary embodiment of the present disclosure, the method includes:
步骤106,通过该第一应用服务接收该用户设备发送的基于该第一用户的初始化交易请求。Step 106: Receive, by the first application service, an initial transaction request sent by the user equipment based on the first user.
其中,当用户设备要发起一个交易时,可以通过其用户代理向FIDO发送初始化交易请求(Initiate Transaction),FIDO服务器接收该初始化交易请求的方式与步骤101所示的方式相同,也是通过该第一应用服务接收用户设备发送的初始化交易请求,并透传给该FIDO服务器,具体的可参照步骤101。 When the user equipment wants to initiate a transaction, the user agent can send an Initialization Transaction request to the FIDO through the user agent, and the FIDO server receives the initial transaction request in the same manner as that shown in step 101, and also passes the first The application service receives the initial transaction request sent by the user equipment, and transparently transmits the request to the FIDO server. For details, refer to step 101.
步骤107,响应于该初始化交易请求,向该用户设备发送交易认证请求,该交易认证请求中包含交易信息。Step 107: In response to the initializing the transaction request, send a transaction authentication request to the user equipment, where the transaction authentication request includes transaction information.
FIDO服务器在接收到该初始化交易请求后,向该用户设备发送包含交易信息(即Transaction Text,也可以称为交易文本),该交易信息例如可以包括:交易金额,还可以包括交易对象等其他相关信息。该用户设备在接收到该交易认证请求后,即可得到该交易信息。而后,该用户设备(中的FIDO客户端)会通过该用户设备上的认证器对使用该用户设备的第一用户进行验证,其验证方法与步骤103中所述的方法相同。其中,步骤107中向该用户设备发送的交易认证请求中也可以包括验证策略(Policy),该验证策略与步骤103中所示的验证策略想用,也是用于规定验证方式、支持/不支持的认证器以及秘钥保护方式,当用户设备收到认证请求后,首先根据该验证策略来选择符合该验证策略的认证器,然后再使用该认证器来进行用户的验证,具体可参展步骤103。另外,步骤107中向该用户设备发送的交易认证请求中,还可以包含挑战值,其作用与步骤102中向用户设备发送的挑战值的作用相同,用户设备可以在接收到交易认证请求后,可以利用该用户设备的认证私钥对该挑战值进行签名,并将挑战值签名通过交易认证响应与该交易信息的哈希值以及该哈希值的签名一起发送给FIDO服务器,以便FIDO服务器收到交易认证响应后利用该认证公钥对该挑战值签名进行验证。After receiving the initial transaction request, the FIDO server sends the transaction information (ie, the transaction text, which may also be referred to as a transaction text) to the user equipment, and the transaction information may include, for example, the transaction amount, and may also include other related items such as the transaction object. information. After receiving the transaction authentication request, the user equipment can obtain the transaction information. Then, the user equipment (of the FIDO client) authenticates the first user using the user equipment through the authenticator on the user equipment, and the verification method is the same as that described in step 103. The transaction authentication request sent to the user equipment in step 107 may also include a verification policy (Policy), which is used in the verification policy shown in step 103, and is also used to specify the verification mode, support/non-support. The authenticator and the key protection mode, after the user equipment receives the authentication request, first select an authenticator that conforms to the verification policy according to the verification policy, and then use the authenticator to perform the user verification. . In addition, the transaction authentication request sent to the user equipment in step 107 may further include a challenge value, which has the same function as the challenge value sent to the user equipment in step 102, and the user equipment may receive the transaction authentication request after receiving the transaction authentication request. The challenge value may be signed by using the authentication private key of the user equipment, and the challenge value signature is sent to the FIDO server through the transaction authentication response together with the hash value of the transaction information and the signature of the hash value, so that the FIDO server receives The challenge value signature is verified using the authentication public key after the transaction authentication response.
步骤108,通过该第一应用服务接收该用户设备发送的交易认证响应,该交易认证响应中包含该交易信息的哈希值以及该哈希值的签名,该哈希值的签名是该用户设备利用与该认证私钥对该哈希值进行签名得到的。Step 108: Receive, by using the first application service, a transaction authentication response sent by the user equipment, where the transaction authentication response includes a hash value of the transaction information and a signature of the hash value, where the signature of the hash value is the user equipment The hash value is signed with the authentication private key.
在该第一用户通过验证后,该用户设备(中的FIDO客户端)可以解锁存储在认证器中的该认证私钥,然后向该第一用户显示该交易信息,在用户确认该交易信息无误后(例如用户点击关于该交易信息的确认按键后,可以认为用户已对该交易信息确认无误),计算出该交易信息的哈希值,并用已经解锁的该认证私钥对该哈希值进行签名,从而得到该哈希值的签名。然后向FIDO服务器发送该交易认证响应,该FIDO服务器即可通过该第一应用服务接收到该用户设备发送的交易认证响应。After the first user passes the verification, the user equipment (the FIDO client) can unlock the authentication private key stored in the authenticator, and then display the transaction information to the first user, and the user confirms that the transaction information is correct. After (for example, after the user clicks the confirmation button about the transaction information, the user can be considered as having confirmed the transaction information), the hash value of the transaction information is calculated, and the hash value is performed with the authenticated private key that has been unlocked. Sign the signature to get the signature of the hash value. The transaction authentication response is then sent to the FIDO server, and the FIDO server can receive the transaction authentication response sent by the user equipment through the first application service.
其中,该认证私钥即步骤103中所述的认证私钥,其生成方法可参照步 骤103,以及图3所示的方法。The authentication private key is the authentication private key described in step 103, and the generating method can refer to the step. Step 103, and the method shown in FIG.
步骤109,从该区块链中获取该认证公钥。Step 109: Acquire the authentication public key from the blockchain.
步骤110,利用该认证公钥对该认证响应中的该哈希值的签名进行验证。Step 110: Verify the signature of the hash value in the authentication response by using the authentication public key.
FIDO服务器在接收到该交易认证响应后,可以从区块链中读取与该第一用户以及该第一应用服务对应的认证公钥,从而就找到了与该认证私钥对应的认证公钥,然后利用该认证公钥对该认证响应中的该哈希值的签名进行验证。当该哈希值的签名通过验证后,即可说明接收到的交易认证响应中的该哈希值是合法有效的,从而该本次交易也就通过了认证。After receiving the transaction authentication response, the FIDO server may read the authentication public key corresponding to the first user and the first application service from the blockchain, thereby finding the authentication public key corresponding to the authentication private key. And then using the authentication public key to verify the signature of the hash value in the authentication response. When the signature of the hash value is verified, it can be stated that the hash value in the received transaction authentication response is legally valid, and thus the current transaction passes the authentication.
另外,需要说明的是,也可以在步骤106至步骤110所示的交易认证流程之前,可以不进行步骤101至步骤105所示的认证流程,可以直接进行步骤106至步骤110所示的交易认证流程。例如,一些场景下,通常需要先进行用户登录,才可以进行付款操作,该场景下可以先执行步骤101至步骤105所示的认证流程以进行用户登录,然后当发生付款/转账行为时再执行步骤106至步骤110所示的交易认证流程以便完成交易。但是在某场景下,可以允许不进行用户登录而直接进行付款/转账行为,此时可以直接进行步骤106至步骤110所示的交易认证流程来完成交易。In addition, it should be noted that before the transaction authentication process shown in steps 106 to 110, the authentication process shown in steps 101 to 105 may not be performed, and the transaction authentication shown in step 106 to step 110 may be directly performed. Process. For example, in some scenarios, you need to log in to the user before you can perform the payment operation. In this scenario, you can perform the authentication process shown in steps 101 to 105 to log in to the user, and then execute the payment/transfer behavior. The transaction authentication process shown in steps 106 to 110 is completed to complete the transaction. However, in a certain scenario, the payment/transfer behavior can be directly performed without performing user login. At this time, the transaction authentication process shown in steps 106 to 110 can be directly performed to complete the transaction.
由于上述各个实施例中所使用的认证公钥和认证私钥均是在用户注册流程中生成,并存储在区块链中的,因此下面对本公开提供的基于区块链的FIDO认证方法中关于用户注册的流程进行说明,图3是根据本公开一示例性实施例示出的又一种基于区块链的FIDO认证方法的流程图,方法应用于FIDO服务器,且该方法执行于图1或图2所示的方法之前,如图3所示,该方法包括:Since both the authentication public key and the authentication private key used in the above various embodiments are generated in the user registration process and stored in the blockchain, the following is a blockchain-based FIDO authentication method provided by the present disclosure. The flow of user registration is described. FIG. 3 is a flowchart of still another blockchain-based FIDO authentication method according to an exemplary embodiment of the present disclosure. The method is applied to a FIDO server, and the method is implemented in FIG. 1 or Before the method shown in Figure 2, as shown in Figure 3, the method includes:
步骤111,通过该第一应用服务接收该用户设备发送的初始化注册请求。Step 111: Receive an initial registration request sent by the user equipment by using the first application service.
其中,当用户设备要进行用户注册时,可以通过其用户代理向FIDO发送初始注册请求(Initiate Registration),FIDO服务器接收该初始注册请求的方式与步骤101所示的方式相同,也是通过该第一应用服务接收用户设备发送的初始注册请求,并透传给该FIDO服务器,具体的可参照步骤101。When the user equipment is to perform user registration, the user agent may send an initial registration request (FI) to the FIDO, and the FIDO server receives the initial registration request in the same manner as that shown in step 101. The application service receives the initial registration request sent by the user equipment, and transparently transmits the request to the FIDO server. For details, refer to step 101.
步骤112,响应于该初始化注册请求,向该用户设备发送注册请求,该注册请求中包含验证策略,该验证策略包含该第一应用服务所支持的验证方 式和认证器种类。Step 112: In response to the initial registration request, send a registration request to the user equipment, where the registration request includes an authentication policy, where the verification policy includes a verification party supported by the first application service. Type and authenticator type.
示例的,该验证策略中可以规定允许使用的验证方式(如允许使用指纹或者虹膜),支持/不支持的认证器类型(例如支持/不支持某些规定厂商生产的认证器,或者支持/不支持某些规定厂商生产的且ID符合一定要求的认证器),以及秘钥保护方式(例如采用的加密算法等),当用户设备收到注册请求后,首先根据该验证策略来选择符合该验证策略的认证器,然后再使用该认证器来接收用户首次输入的验证信息,例如用户在注册时,认证器需要接收用户首次输入的指纹、虹膜、人脸或者声纹并存储,以便作为后续认证过程中的身份认证依据。For example, the verification policy may specify the authentication mode that is allowed to be used (such as allowing fingerprints or irises), the type of authenticator supported/unsupported (for example, support/non-support for certain certified vendors, or support/no) Supporting certain certifiers that are produced by the manufacturer and having IDs that meet certain requirements, and key protection methods (such as encryption algorithms used). When the user equipment receives the registration request, it first selects the verification according to the verification policy. The authenticator of the policy, and then use the authenticator to receive the authentication information input by the user for the first time. For example, when the user registers, the authenticator needs to receive the fingerprint, iris, face or voiceprint input by the user for the first time and store it for subsequent authentication. The basis for identity authentication in the process.
步骤113,通过该第一应用服务接收该用户设备发送的注册响应,该注册响应中包含该认证公钥,以及该认证公钥的签名。该认证公钥和所述认证私钥是该用户设备通过符合该验证策略的认证器进行该第一用户的注册后生成的密钥对,该认证公钥的签名是该用户设备利用该认证器的鉴权私钥对该认证公钥进行签名得到的。Step 113: Receive, by using the first application service, a registration response sent by the user equipment, where the registration response includes the authentication public key and a signature of the authentication public key. The authentication public key and the authentication private key are key pairs generated after the user equipment performs registration of the first user by using an authenticator that conforms to the verification policy, and the signature of the authentication public key is that the user equipment uses the authenticator. The authentication private key is obtained by signing the authentication public key.
示例的,在认证器接收用户首次输入的验证信息并存储后,可以根据该认证器内置的预设算法或根据上述验证策略中规定的预设算法为该第一用户生成包括上述的认证公钥和认证私钥的密钥对。另外,用户设备发起注册流程时,可以告知FIDO服务器该用户设备的想要注册的用户信息,例如设置的该第一用户的用户名,因此FIDO服务器在向用户设备发送注册请求时,注册请求中还可以包括该用户名、第一应用服务的AppID,在生成上述的密钥对后可以与该用户名和第一应用服务建立绑定关系,从而该密钥对与该第一用户以及第一应用服务对应。然后,该用户设备(中的FIDO客户端)使用内置于认证器内的鉴权私钥(Attestation Key)对该认证公钥进行签名,得到该认证公钥的签名,然后将该认证公钥的签名通过该注册响应发送至FIDO服务器,然后该FIDO服务器就可以通过该第一应用服务接收到该注册响应,并获取其中包含的该认证公钥的签名,然后FIDO服务器可以执行步骤114。另外,步骤112中向该用户设备发送的注册请求中,还可以包含挑战值,其作用与步骤102中向用户设备发送的挑战值的作用相同,用户设备可以在接收到注册请求后,可以将该挑战值结合规定信息进行一定计算, 并将计算后得到的计算值利用该认证器的鉴权私钥进行签名,然后将该计算值的签名通过该注册响应与该认证公钥的签名一起发送给FIDO服务器,以便FIDO服务器收到注册响应后,利用该认证器的鉴权公钥对计算值的签名进行验证。For example, after the authenticator receives the verification information input by the user for the first time and stores the identifier, the authentication public key including the foregoing may be generated for the first user according to a preset algorithm built in the authenticator or according to a preset algorithm specified in the verification policy. And the key pair that authenticates the private key. In addition, when the user equipment initiates the registration process, the FIDO server may be notified of the user information of the user equipment that is to be registered, for example, the user name of the first user is set, so the FIDO server registers the request when sending the registration request to the user equipment. The user name and the AppID of the first application service may be further included, and after the key pair is generated, a binding relationship may be established with the user name and the first application service, so that the key pair is associated with the first user and the first application. Service correspondence. Then, the user equipment (the FIDO client) signs the authentication public key using an authentication key (Attestation Key) built in the authenticator, obtains the signature of the authentication public key, and then the authentication public key The signature is sent to the FIDO server through the registration response, and then the FIDO server can receive the registration response through the first application service, and obtain the signature of the authentication public key contained therein, and then the FIDO server can perform step 114. In addition, the registration request sent to the user equipment in step 112 may further include a challenge value, which has the same function as the challenge value sent to the user equipment in step 102. After receiving the registration request, the user equipment may The challenge value is combined with the prescribed information to perform certain calculations. And calculating the calculated value obtained by using the authentication private key of the authenticator, and then sending the signature of the calculated value to the FIDO server through the registration response together with the signature of the authentication public key, so that the FIDO server receives the registration. After the response, the signature of the calculated value is verified by the authenticator of the authenticator.
步骤114,从该区块链中获取该认证器的鉴权公钥。Step 114: Obtain an authentication public key of the authenticator from the blockchain.
步骤115,利用该鉴权公钥对该认证响应中的该认证公钥的签名进行验证。Step 115: Verify the signature of the authentication public key in the authentication response by using the authentication public key.
FIDO服务器在接收到该注册响应后,可以从区块链中读取与该鉴权私钥匹配的鉴权公钥,然后利用该鉴权公钥对该认证公钥的签名进行验证。其中,该鉴权公钥是预先配置并存储在区块链中的,关于认证器的鉴权密钥管理维护,可以采用两种管理维护方式:第一种,在区块链中给认证器厂家开放管理权限,由认证器厂家直接向区块链中添加、修改/删除认证器的鉴权密钥,即可以理解为在区块链网络中添加认证器厂家的节点,并为该节点所使用的账户开放向区块链中添加、修改/删除认证器的鉴权密钥的权限;第二种给FIDO服务器所使用的账户开放管理权限,从而允许FIDO服务器向区块链中添加、修改/删除认证器的鉴权密钥。After receiving the registration response, the FIDO server may read the authentication public key matching the authentication private key from the blockchain, and then verify the signature of the authentication public key by using the authentication public key. The authentication public key is pre-configured and stored in the blockchain. For the authentication key management and maintenance of the authenticator, two management and maintenance modes can be adopted: first, the authenticator is given in the blockchain. The manufacturer opens the management authority, and the authentication device directly adds or modifies/deletes the authentication key of the authenticator to the blockchain, which can be understood as adding the node of the authenticator manufacturer in the blockchain network, and for the node The account used is open to add, modify/delete the authentication key of the authenticator to the blockchain; the second opens the administrative authority to the account used by the FIDO server, thereby allowing the FIDO server to add and modify the blockchain. / Delete the authentication key of the authenticator.
无论是由认证器厂家,还是FIDO服务器或者二者共同对区块链中的鉴权密钥进行管理,均可以利用在区块链上的智能合约来实现,在智能合约中可以对不同账户的权限进行限制和设定,例如:设置FIDO服务器具有增加/修改/注销用户的权限,以及添加/修改/删除认证器鉴权密钥的权限,认证器厂家仅具有添加/修改/删除认证器鉴权密钥的权限。Whether it is managed by the authenticator manufacturer or the FIDO server or both, the authentication keys in the blockchain can be managed by using smart contracts on the blockchain. In smart contracts, different accounts can be used. Permissions are restricted and set, for example, the FIDO server has the authority to add/modify/deregister users, and the authority to add/modify/delete the authenticator authentication key. The authenticator only has the Add/Modify/Delete Authenticator The right of the right key.
下面以FIDO服务器为例,对在区块链中进行认证器信息的一次维护过程进行说明:The FIDO server is taken as an example to describe the maintenance process of the authenticator information in the blockchain:
首先,该FIDO服务器在该区块链中发起用于认证器管理的第一交易(Transaction),该第一交易中包括该FIDO服务器的账户,智能合约的账户,待执行的管理操作,以及该第一交易的签名。其中该第一交易的签名是该FIDO服务器利用该FIDO服务器的私钥对该第一交易进行签名得到的,该智能合约中记录有该FIDO服务器的账户的操作权限。该第一交易用于利用该智能合约在区块链中执行该待执行的管理操作,其中该待执行的管理操作 可以为添加认证器信息、修改认证器信息或删除认证器信息。其中,认证器信息,除了包含上述的认证器鉴权秘钥外,还可以包括:认证器编号(Authenticator Attestation ID,AAID),认证器版本,公钥编码类型,认证器支持的密码算法,认证器证书等信息,也就是说FIDO服务器和认证器厂家除了维护认证器鉴权密钥外,还可以维护上述的其他信息。智能合约(Smart Contract)实际上是存储在区块链上的可执行代码,不是严格意义上的账户因其不一定设有实际拥有人,但其特性和行为在很多情况下能够被看作是一种受编程逻辑控制的机器账户。First, the FIDO server initiates a first transaction (Transaction) for authenticator management in the blockchain, the first transaction including an account of the FIDO server, an account of the smart contract, a management operation to be performed, and the The signature of the first transaction. The signature of the first transaction is obtained by the FIDO server signing the first transaction by using the private key of the FIDO server, and the operation authority of the account of the FIDO server is recorded in the smart contract. The first transaction is for performing the management operation to be performed in the blockchain by using the smart contract, wherein the management operation to be performed You can add authenticator information, modify authenticator information, or delete authenticator information. The Authenticator information, in addition to the above-mentioned authenticator authentication key, may further include: an Authenticator Attestation ID (AAID), an authenticator version, a public key encoding type, a cryptographic algorithm supported by the authenticator, and authentication. Information such as the certificate, that is, the FIDO server and the authenticator can maintain the above information in addition to the authentication key. Smart Contract is actually executable code stored in the blockchain. It is not strictly an account because it does not necessarily have an actual owner, but its characteristics and behavior can be seen as A machine account controlled by programming logic.
其次,该FIDO服务器在发起该第一交易后,该第一交易会被发布到区块链网络中,区块链网络中的其他节点,首先会根据该FIDO服务器的公钥,对该第一交易的签名进行验证,当该第一交易的签名通过验证后,会根据该第一交易所要调用的智能合约的内容来判断该FIDO服务器的账户是否具有进行该待执行的管理操作的权限。Secondly, after the FIDO server initiates the first transaction, the first transaction is released to the blockchain network, and other nodes in the blockchain network firstly are first based on the public key of the FIDO server. The signature of the transaction is verified. When the signature of the first transaction is verified, it is determined whether the account of the FIDO server has the right to perform the management operation to be executed according to the content of the smart contract to be called by the first transaction.
示例的,在智能合约中可以规定FIDO服务器的调用接口的权限,例如:允许FIDO服务器及认证器厂家调用添加认证器接口、修改认证器接口和读取认证器接口,其中,添加认证器接口用于在区块链中新增一个新的认证器的信息,修改认证器接口用于修改认证器的某个信息或所有信息,删除认证器接口用于删除某个认证器的信息,因此其他节点可以根据智能合约中所规定的该FIDO服务器的账户被允许调用的接口权限就可以判断该FIDO服务器的账户是否具有进行该待执行的管理操作的权限。For example, in the smart contract, the authority of the calling interface of the FIDO server can be specified, for example, the FIDO server and the authenticator manufacturer are allowed to call the add-on authentication interface, modify the authenticator interface, and read the authenticator interface, where the authenticator interface is added. Adding a new authenticator information to the blockchain, modifying the authenticator interface to modify a certain information or all information of the authenticator, and deleting the authenticator interface for deleting the information of an authenticator, so other nodes The account of the FIDO server can be judged whether the account of the FIDO server has the right to perform the management operation to be executed according to the interface authority of the FIDO server whose account is allowed to be called as specified in the smart contract.
当该第一交易通过了其他各个节点(也可能是区块链网络中指定的部分节点)的验证,并且其他各个节点均确认该FIDO服务器的账户具有进行该待执行的管理操作的权限时,其他各个节点均执行该智能合约,从而即可完成该待执行的管理操作,从而实现该FIDO服务器对认证器的维护管理,认证器厂家的节点在区块链中对认证器的维护流程与FIDO服务器相同,不再赘述。When the first transaction passes the verification of other various nodes (which may also be part of the nodes specified in the blockchain network), and each of the other nodes confirms that the account of the FIDO server has the authority to perform the management operation to be performed, The other smart nodes execute the smart contract, so that the management operation to be performed can be completed, thereby realizing the maintenance and management of the authenticator by the FIDO server, and the node of the authenticator manufacturer maintains the authenticator in the blockchain and FIDO. The server is the same and will not be described again.
在现有的FIDO***中,用户信息和认证器信息都是存储在FIDO服务器的加密认证秘钥参考数据库(Cryptographic Authentication Key Reference Database),而认证器信息的维护是通过FIDO元数据服务(FIDO Metadata  Service)来实现的。由此可见,在本公开实施例所示的基于区块链的FIDO认证方法中,通过区块链替代了上述的加密认证秘钥参考数据库和FIDO元数据服务来实现用户信息和认证器信息的存储以及认证器信息的维护。相比FIDO服务器传统的中心化的架构,本公开实施例所示出的基于区块链的FIDO认证方法更安全。In the existing FIDO system, the user information and the authenticator information are stored in the FIDO server's Cryptographic Authentication Key Reference Database, and the authenticator information is maintained through the FIDO metadata service (FIDO Metadata). Service) to achieve. It can be seen that, in the blockchain-based FIDO authentication method shown in the embodiment of the present disclosure, the above-mentioned encrypted authentication key reference database and FIDO metadata service are replaced by a blockchain to implement user information and authenticator information. Storage and maintenance of authenticator information. The blockchain based FIDO authentication method shown in the embodiments of the present disclosure is more secure than the traditional centralized architecture of the FIDO server.
步骤116,当该认证公钥的签名通过验证时,将该认证公钥存储在该区块链中。Step 116: When the signature of the authentication public key passes the verification, the authentication public key is stored in the blockchain.
其中,除了将认证公钥存储在区块链中之外,实际上还需要将该认证公钥与注册的该第一用户,以及所使用的第一应用服务建立绑定关系,以该第一用户为例,在区块链中,与该第一用户的认证公钥一起存储的还有:该第一用户的用户名或者用户编号(userID),该第一应用服务的应用编号(AppID)等信息,然后将该认证公钥的公钥编号(KeyID)和该用户编号以及该应用编号建立绑定关系并存储。In addition to storing the authentication public key in the blockchain, the authentication public key is actually required to establish a binding relationship with the registered first user and the used first application service. For example, in the blockchain, together with the authentication public key of the first user, the first user's user name or user ID (userID), the first application service application number (AppID) is stored. And so on, and then the public key number (KeyID) of the authentication public key is associated with the user number and the application number and stored.
图4是根据本公开一示例性实施例示出的又一种基于区块链的FIDO认证方法的流程图,方法应用于FIDO服务器,如图4所示,该方法还可以包括:FIG. 4 is a flowchart of still another blockchain-based FIDO authentication method according to an exemplary embodiment of the present disclosure. The method is applied to a FIDO server. As shown in FIG. 4, the method may further include:
步骤117,通过该第一应用服务接收该用户设备发送的初始化注销请求。Step 117: Receive an initial logout request sent by the user equipment by using the first application service.
其中,当用户设备要注销某个用户时,可以通过其用户代理向FIDO发送初始化注销请求,FIDO服务器接收该初始化注销请求的方式与步骤101所示的方式相同,也是通过该第一应用服务接收用户设备发送的初始化注销请求,并透传给该FIDO服务器,具体的可参照步骤101。When the user equipment wants to cancel a certain user, the user can send an initial write-out request to the FIDO through the user agent. The manner in which the FIDO server receives the initial write-out request is the same as that shown in step 101, and is also received by the first application service. The initial logout request sent by the user equipment is transparently transmitted to the FIDO server. For details, refer to step 101.
步骤118,响应于该初始化注销请求,向该区块链中写入用于将指定用户的用户信息设置为无效的数据,其中该用户信息包括:所述指定用户的认证公钥,以及该指定用户的认证公钥与该指定用户、该第一应用服务的对应关系。 Step 118, in response to the initializing the logout request, writing data for setting the user information of the specified user to be invalid to the blockchain, wherein the user information includes: the authentication public key of the specified user, and the designation Correspondence between the user's authentication public key and the specified user and the first application service.
这是由于对于区块链来说,数据一旦写入就无法删除,因此需要写入一个新的数据,用于标记该指定用户的用户信息已设置为无效的数据,由于向区块链写入的数据都会带有时间戳,因此当再次读取与该指定用户相关的信息时,以新写入的数据为准,因此当发现最新写入的关于该指定用户的数据 标记该指定用户的用户信息已设置为无效数据时,可以认为该指定用户已被注销。This is because for the blockchain, once the data is written, it cannot be deleted. Therefore, a new data needs to be written to mark the user information of the specified user as invalid data, because the block chain is written. The data will be time-stamped, so when the information related to the specified user is read again, the newly written data will prevail, so when the latest written data about the specified user is found When the user information marking the specified user has been set to invalid data, the specified user can be considered to have been logged out.
通过上述技术方案,本公开用区块链来替代原有的FIDO服务器中的数据库,使得FIDO服务器作为区块链中的一个节点,而认证公钥等相关用户信息存储在区块链中,由于区块链具有不可篡改、不可伪造、可追溯的特点,因此能够提高用户存储的安全性。并且由于区块链网络是基于P2P网络,FIDO服务器可能是整个网络中的任一节点,因此能够降低FIDO服务器被攻击的可能性。因此,能够解决现有FIDO***易受到攻击而造成信息泄露、被篡改或出现***故障的问题,提高FIDO***的安全性。Through the above technical solution, the present disclosure replaces the database in the original FIDO server with a blockchain, so that the FIDO server is used as a node in the blockchain, and related user information such as the authentication public key is stored in the blockchain, The blockchain has the characteristics of being non-tamperable, unforgeable, and traceable, thus improving the security of user storage. And since the blockchain network is based on a P2P network, the FIDO server may be any node in the entire network, thus reducing the possibility of the FIDO server being attacked. Therefore, it can solve the problem that the existing FIDO system is vulnerable to information leakage, tampering or system failure, and improve the security of the FIDO system.
图5是根据本公开一示例性实施例示出的一种基于区块链的FIDO认证装置的框图,如图5所示,应用于FIDO服务器,该装置500包括:FIG. 5 is a block diagram of a blockchain-based FIDO authentication apparatus, as shown in FIG. 5, applied to a FIDO server, the apparatus 500 includes:
接收模块501,用于通过第一应用服务接收用户设备发送的基于第一用户的初始化认证请求,该FIDO服务器为该第一应用服务对应的FIDO服务器,该FIDO服务器为区块链网络中的一个节点;The receiving module 501 is configured to receive, by using the first application service, a first user-based initialization authentication request sent by the user equipment, where the FIDO server is a FIDO server corresponding to the first application service, where the FIDO server is one of the blockchain networks. node;
认证响应模块502,用于响应于该初始化认证请求,向该用户设备发送认证请求,该认证请求中包含挑战值;The authentication response module 502 is configured to send an authentication request to the user equipment, where the authentication request includes a challenge value, in response to the initial authentication request;
接收模块501,还用于通过该第一应用服务接收该用户设备发送的认证响应,该认证响应中包含挑战值签名,该挑战值签名是该用户设备利用认证私钥对该挑战值进行签名得到的,该认证私钥与该第一用户以及该第一应用服务对应;The receiving module 501 is further configured to receive, by using the first application service, an authentication response sent by the user equipment, where the authentication response includes a challenge value signature, where the challenge value signature is that the user equipment uses the authentication private key to sign the challenge value. The authentication private key corresponds to the first user and the first application service;
读取模块503,用于从该区块链中获取该认证私钥对应的认证公钥;The reading module 503 is configured to obtain, from the blockchain, an authentication public key corresponding to the authentication private key;
认证模块504,用于利用该认证公钥对该认证响应中的该挑战值签名进行验证。The authentication module 504 is configured to verify the challenge value signature in the authentication response by using the authentication public key.
可选的,图6是根据本公开一示例性实施例示出的另一种基于区块链的FIDO认证装置的框图,该装置500还包括:交易响应模块505和交易验证模块506;Optionally, FIG. 6 is a block diagram of another blockchain-based FIDO authentication apparatus according to an exemplary embodiment of the present disclosure, the apparatus 500 further includes: a transaction response module 505 and a transaction verification module 506;
接收模块501,还用于通过该第一应用服务接收该用户设备发送的基于该第一用户的初始化交易请求;The receiving module 501 is further configured to receive, by using the first application service, an initializing transaction request sent by the user equipment based on the first user;
交易响应模块505,用于响应于该初始化交易请求,向该用户设备发送 交易认证请求,该交易认证请求中包含交易信息;a transaction response module 505, configured to send to the user equipment in response to the initial transaction request a transaction authentication request, the transaction authentication request including transaction information;
接收模块501,还用于通过该第一应用服务接收该用户设备发送的交易认证响应,该交易认证响应中包含该交易信息的哈希值以及该哈希值的签名,该哈希值的签名是该用户设备利用与该认证私钥对该哈希值进行签名得到的;The receiving module 501 is further configured to receive, by using the first application service, a transaction authentication response sent by the user equipment, where the transaction authentication response includes a hash value of the transaction information and a signature of the hash value, and the signature of the hash value The user equipment is obtained by signing the hash value with the authentication private key;
读取模块503,还用于从该区块链中获取该认证公钥;The reading module 503 is further configured to obtain the authentication public key from the blockchain;
交易验证模块506,用于利用该认证公钥对该认证响应中的该哈希值的签名进行验证。The transaction verification module 506 is configured to verify the signature of the hash value in the authentication response by using the authentication public key.
需要说明的是,图6所示的基于区块链的FIDO认证装置500,是在包括:接收模块501、认证响应模块502、读取模块503、认证模块504的情况下还包括交易响应模块505和交易验证模块506,实际上也可以在不包括认证响应模块502和认证模块504的情况下,包含交易响应模块505和交易验证模块506(图中未示出)。It should be noted that the block chain-based FIDO authentication apparatus 500 shown in FIG. 6 further includes a transaction response module 505 including a receiving module 501, an authentication response module 502, a reading module 503, and an authentication module 504. And the transaction verification module 506, in fact, may also include a transaction response module 505 and a transaction verification module 506 (not shown) without including the authentication response module 502 and the authentication module 504.
可选的,图7是根据本公开一示例性实施例示出的又一种基于区块链的FIDO认证装置的框图,该装置500还包括:注册响应模块507、秘钥验证模块508和存储模块509;Optionally, FIG. 7 is a block diagram of still another blockchain-based FIDO authentication apparatus according to an exemplary embodiment of the present disclosure. The apparatus 500 further includes: a registration response module 507, a secret key verification module 508, and a storage module. 509;
接收模块501,用于在该通过第一应用服务接收用户设备发送的初始化认证请求之前,或在通过该第一应用服务接收该用户设备发送的基于该第一用户的初始化交易请求之前,通过该第一应用服务接收该用户设备发送的初始化注册请求;The receiving module 501 is configured to: before receiving the initial authentication request sent by the user equipment by using the first application service, or before receiving, by using the first application service, the initial transaction request sent by the user equipment based on the first user, Receiving, by the first application service, an initial registration request sent by the user equipment;
注册响应模块507,用于响应于该初始化注册请求,向该用户设备发送注册请求,该注册请求中包含验证策略,该验证策略包含该第一应用服务所支持的验证方式和认证器种类;The registration response module 507 is configured to send a registration request to the user equipment in response to the initial registration request, where the registration request includes an authentication policy, where the verification policy includes a verification mode and an authenticator type supported by the first application service;
接收模块501,还用于通过该第一应用服务接收该用户设备发送的注册响应,该注册响应中包含该认证公钥,以及该认证公钥的签名,该认证公钥和该认证私钥是该用户设备通过符合该验证策略的认证器进行该第一用户的注册后生成的密钥对,该认证公钥的签名是该用户设备利用该认证器的鉴权私钥对该认证公钥进行签名得到的;The receiving module 501 is further configured to receive, by using the first application service, a registration response sent by the user equipment, where the registration response includes the authentication public key, and a signature of the authentication public key, where the authentication public key and the authentication private key are The user equipment performs a key pair generated by the registration of the first user by using an authenticator that conforms to the verification policy, and the signature of the authentication public key is that the user equipment uses the authentication private key of the authenticator to perform the authentication public key. Signature
读取模块503,还用于从该区块链中获取该认证器的鉴权公钥; The reading module 503 is further configured to obtain an authentication public key of the authenticator from the blockchain;
秘钥验证模块508,用于利用该鉴权公钥对该认证响应中的该认证公钥的签名进行验证;The key verification module 508 is configured to use the authentication public key to verify the signature of the authentication public key in the authentication response;
存储模块509,用于当该认证公钥的签名通过验证时,将该认证公钥存储在该区块链中。The storage module 509 is configured to store the authentication public key in the blockchain when the signature of the authentication public key is verified.
可选的,图8是根据本公开一示例性实施例示出的又一种基于区块链的FIDO认证装置的框图,该装置500还包括:注销模块510;Optionally, FIG. 8 is a block diagram of still another blockchain-based FIDO authentication apparatus according to an exemplary embodiment of the present disclosure, the apparatus 500 further includes: a logout module 510;
接收模块501,用于通过该第一应用服务接收该用户设备发送的初始化注销请求;The receiving module 501 is configured to receive, by using the first application service, an initial logout request sent by the user equipment;
注销模块510,用于响应于该初始化注销请求,向该区块链中写入用于将指定用户的用户信息设置为无效的数据,其中该用户信息包括:该指定用户的认证公钥,以及该指定用户的认证公钥与该指定用户、该第一应用服务的对应关系。The logout module 510 is configured to, in response to the initial logout request, write data to the blockchain for setting user information of the specified user to be invalid, wherein the user information includes: an authentication public key of the specified user, and The corresponding relationship between the authentication public key of the specified user and the specified user and the first application service.
可选的,图9是根据本公开一示例性实施例示出的又一种基于区块链的FIDO认证装置的框图,该装置500还包括,认证器管理模块511,用于:Optionally, FIG. 9 is a block diagram of still another blockchain-based FIDO authentication apparatus according to an exemplary embodiment of the present disclosure. The apparatus 500 further includes an authenticator management module 511, configured to:
该FIDO服务器在该区块链中发起用于认证器管理的第一交易,该第一交易中包括该FIDO服务器的账户,该智能合约的账户,待执行的管理操作,以及该第一交易的签名,该第一交易的签名是该FIDO服务器利用该FIDO服务器的私钥对该第一交易进行签名得到的,该智能合约中记录有该FIDO服务器的账户的操作权限;The FIDO server initiates a first transaction for authenticator management in the blockchain, the first transaction including an account of the FIDO server, an account of the smart contract, a management operation to be performed, and a first transaction Signing, the signature of the first transaction is obtained by the FIDO server using the private key of the FIDO server to sign the first transaction, and the smart contract records the operation authority of the account of the FIDO server;
该第一交易用于利用该智能合约在该区块链中执行该待执行的管理操作,该待执行的管理操作包括:添加认证器信息、修改认证器信息或删除认证器信息。The first transaction is for performing the management operation to be performed in the blockchain by using the smart contract, and the management operation to be performed includes: adding the authenticator information, modifying the authenticator information, or deleting the authenticator information.
通过上述技术方案,本公开用区块链来替代原有的FIDO服务器中的数据库,使得FIDO服务器作为区块链中的一个节点,而认证公钥等相关用户信息存储在区块链中,由于区块链具有不可篡改、不可伪造、可追溯的特点,因此能够提高用户存储的安全性。并且由于区块链网络是基于P2P网络,FIDO服务器可能是整个网络中的任一节点,因此能够降低FIDO服务器被攻击的可能性。因此,能够解决现有FIDO***易受到攻击而造成信息泄露、被篡改或出现***故障的问题,提高FIDO***的安全性。 Through the above technical solution, the present disclosure replaces the database in the original FIDO server with a blockchain, so that the FIDO server is used as a node in the blockchain, and related user information such as the authentication public key is stored in the blockchain, The blockchain has the characteristics of being non-tamperable, unforgeable, and traceable, thus improving the security of user storage. And since the blockchain network is based on a P2P network, the FIDO server may be any node in the entire network, thus reducing the possibility of the FIDO server being attacked. Therefore, it can solve the problem that the existing FIDO system is vulnerable to information leakage, tampering or system failure, and improve the security of the FIDO system.
关于上述实施例中的装置,其中各个模块执行操作的具体方式已经在有关该方法的实施例中进行了详细描述,此处将不做详细阐述说明。With regard to the apparatus in the above embodiments, the specific manner in which the respective modules perform the operations has been described in detail in the embodiment relating to the method, and will not be explained in detail herein.
图10是根据本公开一示例性实施例示出的一种基于区块链的FIDO***的结构图,如图10所示,该***包括:至少一个用户设备10,至少一个线上快速身份认证FIDO服务器20,以及区块链***30;FIG. 10 is a structural diagram of a blockchain-based FIDO system according to an exemplary embodiment of the present disclosure. As shown in FIG. 10, the system includes: at least one user equipment 10, at least one online fast identity authentication FIDO. Server 20, and blockchain system 30;
其中,区块链***30包括区块链网络和区块链,该区块链由区块链网络中的节点共同维护,每个FIDO服务器20包括上述的图6至图9任一所式的基于区块链的FIDO认证装置600,每个FIDO服务器20为该区块链网络中的一个节点,且每个FIDO服务器对应一个或多个应用服务。其中,用户设备10中包括用户代理、FIDO客户端和FIDO认证器,FIDO服务器20属于可信赖方,该可信赖方还包含应用服务(的服务器),用户设备20和应用服务之间可以基于UAF协议交互,应用服务能够将用户设备发送的消息(请求/响应等)传给FIDO服务器。The blockchain system 30 includes a blockchain network and a blockchain, and the blockchain is jointly maintained by nodes in the blockchain network, and each FIDO server 20 includes any of the above-described FIGS. 6-9. Based on the blockchain-based FIDO authentication device 600, each FIDO server 20 is a node in the blockchain network, and each FIDO server corresponds to one or more application services. The user equipment 10 includes a user agent, a FIDO client, and a FIDO authenticator. The FIDO server 20 belongs to a trusted party, and the trusted party further includes an application service server. The user device 20 and the application service may be based on the UAF. Protocol interaction, the application service can transmit messages (requests/responses, etc.) sent by the user equipment to the FIDO server.
图10所示的FIDO***中一个应用服务对应一个FIDO服务器,当存在多个应用服务时,可以对应的设置多个FIDO服务器,其结构可以如图11所示;可选的,如图12所示,也可以采用多个应用服务使用同一个FIDO服务器的结构,或者如图13所示,也可以采用两种方式混合的结构。In the FIDO system shown in FIG. 10, one application service corresponds to one FIDO server. When there are multiple application services, multiple FIDO servers can be set correspondingly, and the structure thereof can be as shown in FIG. 11; optionally, as shown in FIG. It is also possible to use a structure in which a plurality of application services use the same FIDO server, or as shown in FIG. 13, a structure in which two modes are mixed.
图14是根据一示例性实施例示出的一种电子设备1400的框图。例如,电子设备1400可以被提供为一服务器。参照图14,电子设备1400包括处理器1422,其数量可以为一个或多个,以及存储器1432,用于存储可由处理器1422执行的计算机程序。存储器1432中存储的计算机程序可以包括一个或一个以上的每一个对应于一组指令的模块。此外,处理器1422可以被配置为执行该计算机程序,以执行上述的基于区块链的FIDO认证方法。FIG. 14 is a block diagram of an electronic device 1400, according to an exemplary embodiment. For example, the electronic device 1400 can be provided as a server. Referring to FIG. 14, the electronic device 1400 includes a processor 1422, which may be one or more, and a memory 1432 for storing a computer program executable by the processor 1422. The computer program stored in memory 1432 can include one or more modules each corresponding to a set of instructions. Moreover, the processor 1422 can be configured to execute the computer program to perform the blockchain-based FIDO authentication method described above.
另外,电子设备1400还可以包括电源组件1426和通信组件1450,该电源组件1426可以被配置为执行电子设备1400的电源管理,该通信组件1450可以被配置为实现电子设备1400的通信,例如,有线或无线通信。此外,该电子设备1400还可以包括输入/输出(I/O)接口1458。电子设备1400可以操作基于存储在存储器1432的操作***,例如Windows ServerTM,Mac OS XTM,UnixTM,LinuxTM等等。 Additionally, electronic device 1400 can also include a power supply component 1426 and a communication component 1450 that can be configured to perform power management of electronic device 1400, which can be configured to enable communication of electronic device 1400, eg, wired Or wireless communication. Additionally, the electronic device 1400 can also include an input/output (I/O) interface 1458. The electronic device 1400 can operate based on an operating system stored in the memory 1432, such as Windows ServerTM, Mac OS XTM, UnixTM, LinuxTM, and the like.
在另一示例性实施例中,还提供了一种包括程序指令的计算机可读存储介质,例如包括程序指令的存储器1432,上述程序指令可由电子设备1400的处理器1422执行以完成上述的基于区块链的FIDO认证方法。In another exemplary embodiment, there is also provided a computer readable storage medium comprising program instructions, such as a memory 1432 comprising program instructions executable by a processor 1422 of an electronic device 1400 to perform the above-described region based FIDO certification method for blockchain.
以上结合附图详细描述了本公开的优选实施方式,但是,本公开并不限于上述实施方式中的具体细节,在本公开的技术构思范围内,可以对本公开的技术方案进行多种简单变型,这些简单变型均属于本公开的保护范围。The preferred embodiments of the present disclosure have been described in detail above with reference to the accompanying drawings. However, the present disclosure is not limited to the specific details of the above embodiments, and various simple modifications can be made to the technical solutions of the present disclosure within the scope of the technical idea of the present disclosure. These simple variations are all within the scope of the disclosure.
另外需要说明的是,在上述具体实施方式中所描述的各个具体技术特征,在不矛盾的情况下,可以通过任何合适的方式进行组合,为了避免不必要的重复,本公开对各种可能的组合方式不再另行说明。It should be further noted that the specific technical features described in the above specific embodiments may be combined in any suitable manner without contradiction. In order to avoid unnecessary repetition, the present disclosure is applicable to various possibilities. The combination method will not be described separately.
此外,本公开的各种不同的实施方式之间也可以进行任意组合,只要其不违背本公开的思想,其同样应当视为本公开所公开的内容。 In addition, any combination of various embodiments of the present disclosure may be made as long as it does not deviate from the idea of the present disclosure, and should also be regarded as the disclosure of the present disclosure.

Claims (11)

  1. 一种基于区块链的FIDO认证方法,其特征在于,应用于线上快速身份认证FIDO服务器,所述方法包括:A blockchain-based FIDO authentication method, characterized in that it is applied to an online fast identity authentication FIDO server, and the method includes:
    通过第一应用服务接收用户设备发送的基于第一用户的初始化认证请求,所述FIDO服务器为所述第一应用服务对应的FIDO服务器,所述FIDO服务器为区块链网络中的一个节点;Receiving, by the first application service, a first user-based initialization authentication request sent by the user equipment, where the FIDO server is a FIDO server corresponding to the first application service, where the FIDO server is a node in a blockchain network;
    响应于所述初始化认证请求,向所述用户设备发送认证请求,所述认证请求中包含挑战值;Sending an authentication request to the user equipment, where the authentication request includes a challenge value, in response to the initializing the authentication request;
    通过所述第一应用服务接收所述用户设备发送的认证响应,所述认证响应中包含挑战值签名,所述挑战值签名是所述用户设备利用认证私钥对所述挑战值进行签名得到的,所述认证私钥与所述第一用户以及所述第一应用服务对应;Receiving, by the first application service, an authentication response sent by the user equipment, where the authentication response includes a challenge value signature, where the challenge value signature is obtained by the user equipment signing the challenge value by using an authentication private key. The authentication private key corresponds to the first user and the first application service;
    从所述区块链中获取所述认证私钥对应的认证公钥;Obtaining, from the blockchain, an authentication public key corresponding to the authentication private key;
    利用所述认证公钥对所述认证响应中的所述挑战值签名进行验证;Verifying the challenge value signature in the authentication response by using the authentication public key;
    和/或,and / or,
    通过所述第一应用服务接收所述用户设备发送的基于所述第一用户的初始化交易请求;Receiving, by the first application service, an initialization transaction request sent by the user equipment based on the first user;
    响应于所述初始化交易请求,向所述用户设备发送交易认证请求,所述交易认证请求中包含交易信息;Transmitting, to the user equipment, a transaction authentication request, where the transaction authentication request includes transaction information, in response to the initializing a transaction request;
    通过所述第一应用服务接收所述用户设备发送的交易认证响应,所述交易认证响应中包含所述交易信息的哈希值以及所述哈希值的签名,所述哈希值的签名是所述用户设备利用与所述认证私钥对所述哈希值进行签名得到的;Receiving, by the first application service, a transaction authentication response sent by the user equipment, where the transaction authentication response includes a hash value of the transaction information and a signature of the hash value, and the signature of the hash value is The user equipment is obtained by signing the hash value with the authentication private key;
    从所述区块链中获取所述认证公钥;Obtaining the authentication public key from the blockchain;
    利用所述认证公钥对所述认证响应中的所述哈希值的签名进行验证。The signature of the hash value in the authentication response is verified using the authentication public key.
  2. 根据权利要求1所述的方法,其特征在于,在所述通过第一应用服务接收用户设备发送的初始化认证请求之前,或在所述通过所述第一应用服务接收所述用户设备发送的基于所述第一用户的初始化交易请求之前,所述 方法还包括:The method according to claim 1, wherein before the initial authentication request sent by the user equipment is received by the first application service, or the receiving by the user equipment is received by the first application service Before the first user initiates a transaction request, the The method also includes:
    通过所述第一应用服务接收所述用户设备发送的初始化注册请求;Receiving, by the first application service, an initial registration request sent by the user equipment;
    响应于所述初始化注册请求,向所述用户设备发送注册请求,所述注册请求中包含验证策略,所述验证策略包含所述第一应用服务所支持的验证方式和认证器种类;And in response to the initializing the registration request, sending a registration request to the user equipment, where the registration request includes an authentication policy, where the verification policy includes a verification mode and an authenticator type supported by the first application service;
    通过所述第一应用服务接收所述用户设备发送的注册响应,所述注册响应中包含所述认证公钥,以及所述认证公钥的签名,所述认证公钥和所述认证私钥是所述用户设备通过符合所述验证策略的认证器进行所述第一用户的注册后生成的密钥对,所述认证公钥的签名是所述用户设备利用所述认证器的鉴权私钥对所述认证公钥进行签名得到的;Receiving, by the first application service, a registration response sent by the user equipment, where the registration response includes the authentication public key, and a signature of the authentication public key, where the authentication public key and the authentication private key are The user equipment performs a key pair generated by the registration of the first user by using an authenticator that meets the verification policy, and the signature of the authentication public key is an authentication private key of the user equipment using the authenticator. Signing the authentication public key;
    从所述区块链中获取所述认证器的鉴权公钥;Obtaining an authentication public key of the authenticator from the blockchain;
    利用所述鉴权公钥对所述认证响应中的所述认证公钥的签名进行验证;Using the authentication public key to verify the signature of the authentication public key in the authentication response;
    当所述认证公钥的签名通过验证时,将所述认证公钥存储在所述区块链中。When the signature of the authentication public key passes verification, the authentication public key is stored in the blockchain.
  3. 根据权利要求1或2所述的方法,其特征在于,所述方法还包括:The method according to claim 1 or 2, wherein the method further comprises:
    通过所述第一应用服务接收所述用户设备发送的初始化注销请求;Receiving, by the first application service, an initial logout request sent by the user equipment;
    响应于所述初始化注销请求,向所述区块链中写入用于将指定用户的用户信息设置为无效的数据,其中所述用户信息包括:所述指定用户的认证公钥,以及所述指定用户的认证公钥与所述指定用户、所述第一应用服务的对应关系。And in response to the initializing the logout request, writing data for setting user information of the specified user to be invalid to the blockchain, wherein the user information includes: an authentication public key of the specified user, and the Corresponding relationship between the authentication public key of the user and the specified user and the first application service.
  4. 根据权利要求1或2所述的方法,其特征在于,所述方法还包括:The method according to claim 1 or 2, wherein the method further comprises:
    所述FIDO服务器在所述区块链中发起用于认证器管理的第一交易,所述第一交易中包括所述FIDO服务器的账户,所述智能合约的账户,待执行的管理操作,以及所述第一交易的签名,所述第一交易的签名是所述FIDO服务器利用所述FIDO服务器的私钥对所述第一交易进行签名得到的,所述智能合约中记录有所述FIDO服务器的账户的操作权限;The FIDO server initiates a first transaction for authenticator management in the blockchain, the first transaction including an account of the FIDO server, an account of the smart contract, a management operation to be performed, and a signature of the first transaction, the signature of the first transaction is obtained by the FIDO server signing the first transaction by using a private key of the FIDO server, and the FIDO server is recorded in the smart contract Operational authority of the account;
    所述第一交易用于利用所述智能合约在所述区块链中执行所述待执行 的管理操作,所述待执行的管理操作包括:添加认证器信息、修改认证器信息或删除认证器信息。The first transaction is for performing the to-be-executed in the blockchain using the smart contract The management operation to be performed includes: adding the authenticator information, modifying the authenticator information, or deleting the authenticator information.
  5. 一种基于区块链的FIDO认证装置,其特征在于,应用于线上快速身份认证FIDO服务器,所述装置包括:A blockchain-based FIDO authentication device, characterized in that it is applied to an online fast identity authentication FIDO server, the device comprising:
    接收模块,用于通过第一应用服务接收用户设备发送的基于第一用户的初始化认证请求,所述FIDO服务器为所述第一应用服务对应的FIDO服务器,所述FIDO服务器为区块链网络中的一个节点;a receiving module, configured to receive, by using the first application service, a first user-based initialization authentication request sent by the user equipment, where the FIDO server is a FIDO server corresponding to the first application service, where the FIDO server is in a blockchain network a node;
    认证响应模块,用于响应于所述初始化认证请求,向所述用户设备发送认证请求,所述认证请求中包含挑战值;An authentication response module, configured to send an authentication request to the user equipment, where the authentication request includes a challenge value, in response to the initial authentication request;
    所述接收模块,还用于通过所述第一应用服务接收所述用户设备发送的认证响应,所述认证响应中包含挑战值签名,所述挑战值签名是所述用户设备利用认证私钥对所述挑战值进行签名得到的,所述认证私钥与所述第一用户以及所述第一应用服务对应;The receiving module is further configured to receive, by using the first application service, an authentication response sent by the user equipment, where the authentication response includes a challenge value signature, where the challenge value signature is that the user equipment uses an authentication private key pair The challenge value is obtained by signature, and the authentication private key corresponds to the first user and the first application service;
    读取模块,用于从所述区块链中获取所述认证私钥对应的认证公钥;a reading module, configured to acquire, from the blockchain, an authentication public key corresponding to the authentication private key;
    认证模块,用于利用所述认证公钥对所述认证响应中的所述挑战值签名进行验证;An authentication module, configured to verify, by using the authentication public key, the challenge value signature in the authentication response;
    和/或,and / or,
    所述接收模块,还用于通过所述第一应用服务接收所述用户设备发送的基于所述第一用户的初始化交易请求;The receiving module is further configured to receive, by using the first application service, an initializing transaction request that is sent by the user equipment based on the first user;
    交易响应模块,用于响应于所述初始化交易请求,向所述用户设备发送交易认证请求,所述交易认证请求中包含交易信息;a transaction response module, configured to send a transaction authentication request to the user equipment in response to the initializing transaction request, where the transaction authentication request includes transaction information;
    所述接收模块,还用于通过所述第一应用服务接收所述用户设备发送的交易认证响应,所述交易认证响应中包含所述交易信息的哈希值以及所述哈希值的签名,所述哈希值的签名是所述用户设备利用与所述认证私钥对所述哈希值进行签名得到的;The receiving module is further configured to receive, by using the first application service, a transaction authentication response sent by the user equipment, where the transaction authentication response includes a hash value of the transaction information and a signature of the hash value, The signature of the hash value is obtained by the user equipment by using the authentication private key to sign the hash value;
    所述读取模块,还用于从所述区块链中获取所述认证公钥;The reading module is further configured to obtain the authentication public key from the blockchain;
    交易验证模块,用于利用所述认证公钥对所述认证响应中的所述哈希值的签名进行验证。 And a transaction verification module, configured to verify, by using the authentication public key, a signature of the hash value in the authentication response.
  6. 根据权利要求5所述的装置,其特征在于,所述装置还包括:注册响应模块、秘钥验证模块和存储模块;The device according to claim 5, wherein the device further comprises: a registration response module, a secret key verification module, and a storage module;
    所述接收模块,用于在所述通过第一应用服务接收用户设备发送的初始化认证请求之前,或在所述通过所述第一应用服务接收所述用户设备发送的基于所述第一用户的初始化交易请求之前,通过所述第一应用服务接收所述用户设备发送的初始化注册请求;The receiving module is configured to: before receiving, by the first application service, an initial authentication request sent by the user equipment, or before receiving, by the first application service, the first user that is sent by the user equipment Receiving, by the first application service, an initialization registration request sent by the user equipment, before initializing the transaction request;
    所述注册响应模块,用于响应于所述初始化注册请求,向所述用户设备发送注册请求,所述注册请求中包含验证策略,所述验证策略包含所述第一应用服务所支持的验证方式和认证器种类;The registration response module is configured to send a registration request to the user equipment in response to the initial registration request, where the registration request includes an authentication policy, where the verification policy includes an authentication method supported by the first application service. And the type of authenticator;
    所述接收模块,还用于通过所述第一应用服务接收所述用户设备发送的注册响应,所述注册响应中包含所述认证公钥,以及所述认证公钥的签名,所述认证公钥和所述认证私钥是所述用户设备通过符合所述验证策略的认证器进行所述第一用户的注册后生成的密钥对,所述认证公钥的签名是所述用户设备利用所述认证器的鉴权私钥对所述认证公钥进行签名得到的;The receiving module is further configured to receive, by using the first application service, a registration response sent by the user equipment, where the registration response includes the authentication public key, and a signature of the authentication public key, where the authentication public The key and the authentication private key are key pairs generated by the user equipment after the registration of the first user by the authenticator conforming to the verification policy, and the signature of the authentication public key is the user equipment utilization Declaring the authentication private key of the authenticator to sign the authentication public key;
    所述读取模块,还用于从所述区块链中获取所述认证器的鉴权公钥;The reading module is further configured to obtain an authentication public key of the authenticator from the blockchain;
    所述秘钥验证模块,用于利用所述鉴权公钥对所述认证响应中的所述认证公钥的签名进行验证;The secret key verification module is configured to verify, by using the authentication public key, a signature of the authentication public key in the authentication response;
    所述存储模块,用于当所述认证公钥的签名通过验证时,将所述认证公钥存储在所述区块链中。The storage module is configured to store the authentication public key in the blockchain when the signature of the authentication public key is verified.
  7. 根据权利要求5或6所述的装置,其特征在于,所述装置还包括:注销模块;The device according to claim 5 or 6, wherein the device further comprises: a logout module;
    所述接收模块,用于通过所述第一应用服务接收所述用户设备发送的初始化注销请求;The receiving module is configured to receive, by using the first application service, an initial logout request sent by the user equipment;
    所述注销模块,用于响应于所述初始化注销请求,向所述区块链中写入用于将指定用户的用户信息设置为无效的数据,其中所述用户信息包括:所述指定用户的认证公钥,以及所述指定用户的认证公钥与所述指定用户、所述第一应用服务的对应关系。 The logout module is configured to, in response to the initializing the logout request, write data to the blockchain for setting user information of the specified user to be invalid, wherein the user information includes: the specified user And a corresponding relationship between the authentication public key of the specified user and the specified user and the first application service.
  8. 根据权利要求5或6所述的装置,其特征在于,所述装置还包括:认证器管理模块,用于:The device according to claim 5 or 6, wherein the device further comprises: an authenticator management module, configured to:
    所述FIDO服务器在所述区块链中发起用于认证器管理的第一交易,所述第一交易中包括所述FIDO服务器的账户,智能合约的账户,待执行的管理操作,以及所述第一交易的签名,所述第一交易的签名是所述FIDO服务器利用所述FIDO服务器的私钥对所述第一交易进行签名得到的,所述智能合约中记录有所述FIDO服务器的账户的操作权限;The FIDO server initiates a first transaction for authenticator management in the blockchain, the first transaction including an account of the FIDO server, an account of a smart contract, a management operation to be performed, and the a signature of the first transaction, the signature of the first transaction is obtained by the FIDO server using the private key of the FIDO server to sign the first transaction, and the account of the FIDO server is recorded in the smart contract Operational authority;
    所述第一交易用于利用所述智能合约在所述区块链中执行所述待执行的管理操作,所述待执行的管理操作包括:添加认证器信息、修改认证器信息或删除认证器信息。The first transaction is used to perform the management operation to be performed in the blockchain by using the smart contract, and the management operation to be performed includes: adding authenticator information, modifying authenticator information, or deleting an authenticator information.
  9. 一种基于区块链的FIDO***,其特征在于,所述***包括:至少一个用户设备,至少一个线上快速身份认证FIDO服务器,以及区块链网络;A blockchain-based FIDO system, characterized in that the system comprises: at least one user equipment, at least one online fast identity authentication FIDO server, and a blockchain network;
    其中,每个所述FIDO服务器包括权利要求6-10任一所述的基于区块链的FIDO认证装置,每个所述FIDO服务器为所述区块链网络中的一个节点,且每个所述FIDO服务器对应一个或多个应用服务。Wherein each of the FIDO servers includes the blockchain-based FIDO authentication device of any one of claims 6-10, each of the FIDO servers being a node in the blockchain network, and each of the The FIDO server corresponds to one or more application services.
  10. 一种计算机可读存储介质,其上存储有计算机程序,其特征在于,所述计算机程序被处理器执行时实现权利要求1-4中任一项所述方法的步骤。A computer readable storage medium having stored thereon a computer program, wherein the computer program, when executed by a processor, implements the steps of the method of any of claims 1-4.
  11. 一种电子设备,其特征在于,包括:An electronic device, comprising:
    权利要求10中所述的计算机可读存储介质;以及The computer readable storage medium of claim 10;
    一个或者多个处理器,用于执行所述计算机可读存储介质中的计算机程序。 One or more processors for executing a computer program in the computer readable storage medium.
PCT/CN2017/086029 2017-05-25 2017-05-25 Method, device and system for fido authentication based on blockchain WO2018214133A1 (en)

Priority Applications (2)

Application Number Priority Date Filing Date Title
CN201780002556.6A CN108064440B (en) 2017-05-25 2017-05-25 FIDO authentication method, device and system based on block chain
PCT/CN2017/086029 WO2018214133A1 (en) 2017-05-25 2017-05-25 Method, device and system for fido authentication based on blockchain

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
PCT/CN2017/086029 WO2018214133A1 (en) 2017-05-25 2017-05-25 Method, device and system for fido authentication based on blockchain

Publications (1)

Publication Number Publication Date
WO2018214133A1 true WO2018214133A1 (en) 2018-11-29

Family

ID=62142056

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2017/086029 WO2018214133A1 (en) 2017-05-25 2017-05-25 Method, device and system for fido authentication based on blockchain

Country Status (2)

Country Link
CN (1) CN108064440B (en)
WO (1) WO2018214133A1 (en)

Cited By (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
EP3499795A4 (en) * 2016-08-10 2020-01-22 Samsung SDS Co., Ltd. Authentication system and method, and user equipment, authentication server, and service server for performing same method
CN112565175A (en) * 2019-09-26 2021-03-26 富士通株式会社 Communication relay program, relay device, communication relay method, and communication system
TWI728678B (en) * 2019-06-18 2021-05-21 開曼群島商創新先進技術有限公司 Block chain-based enterprise certification and certification tracing method, device and equipment
US20220014367A1 (en) * 2018-12-13 2022-01-13 Login Id Inc. Decentralized computing systems and methods for performing actions using stored private data
US11985126B2 (en) 2019-06-19 2024-05-14 Elta Systems Ltd. Methods and systems for trusted web authentication

Families Citing this family (41)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN108846557A (en) * 2018-05-29 2018-11-20 厦门哈希科技有限公司 A kind of data capture method based on block chain, device, storage medium, terminal device and system
CN108881421A (en) * 2018-06-05 2018-11-23 天津大学 Cloud service Data Audit method based on block chain
TR201808119A2 (en) * 2018-06-07 2018-07-23 Elektronik Bilgi Guevenligi Anonim Sirketi METHOD OF IDENTIFICATION OF E-SIGNATURE AND BLOCKCHAIN LAYERS
CN110708269B (en) * 2018-07-10 2022-04-12 北京京东尚科信息技术有限公司 Block chain data transmission method, block chain node and computer readable storage medium
CN109039649B (en) * 2018-08-03 2021-08-06 北京大学深圳研究生院 Key management method and device based on block chain in CCN and storage medium
CN109325074A (en) * 2018-08-29 2019-02-12 上海常仁信息科技有限公司 A kind of the digging mine robot cluster system and application method of block chain
CN109257342B (en) 2018-09-04 2020-05-26 阿里巴巴集团控股有限公司 Block chain cross-chain authentication method, system, server and readable storage medium
CN109272433B (en) * 2018-09-10 2020-09-04 南京理工大学 Intelligent car offering system based on block chain technology
CN111555892B (en) * 2018-09-14 2021-02-26 腾讯科技(深圳)有限公司 Communication system, method and storage medium
CN110932858B (en) * 2018-09-19 2023-05-02 阿里巴巴集团控股有限公司 Authentication method and system
CN109525400A (en) * 2018-11-01 2019-03-26 联想(北京)有限公司 Security processing, system and electronic equipment
CN109361681B (en) * 2018-11-12 2021-10-15 北京天融信网络安全技术有限公司 Method, device and equipment for authenticating national secret certificate
CN109361514A (en) * 2018-11-19 2019-02-19 海尔优家智能科技(北京)有限公司 Method for network authorization, device, relevant device and storage medium
CN109740319B (en) * 2018-12-06 2021-03-12 中国联合网络通信集团有限公司 Digital identity verification method and server
CN109587154B (en) * 2018-12-14 2021-10-15 金蝶软件(中国)有限公司 Digital identity verification method, device, computer equipment and storage medium
CN109327481B (en) * 2018-12-17 2021-12-14 北京信息科技大学 Block chain-based unified online authentication method and system for whole network
CN109617977B (en) * 2018-12-24 2021-12-03 绿盟科技集团股份有限公司 Webpage request processing method and device
CN110046482A (en) * 2018-12-25 2019-07-23 阿里巴巴集团控股有限公司 Identity verification method and its system
CN109615890A (en) * 2018-12-29 2019-04-12 中链科技有限公司 Traffic lights switching method and system based on block chain
CN109767215A (en) * 2018-12-29 2019-05-17 杭州趣链科技有限公司 A kind of online block chain identity identifying method based on a variety of private key storage modes
CN109743167A (en) * 2019-01-07 2019-05-10 殷鹏 The safe identification authentication method of big data based on block chain
CN109831545B (en) 2019-01-31 2020-10-09 中国互联网络信息中心 Domain name abuse processing method and system based on block chain
CN109981637B (en) * 2019-03-21 2021-07-16 浙江工商大学 Multi-source cross composite authentication method for Internet of things based on block chain
WO2019179541A2 (en) 2019-03-27 2019-09-26 Alibaba Group Holding Limited Improving integrity of communications between blockchain networks and external data sources
CN110147668A (en) * 2019-04-01 2019-08-20 深圳天顺智慧能源科技有限公司 A kind of equipment authentication method and device based on block chain
CN110096857B (en) * 2019-05-07 2021-03-19 百度在线网络技术(北京)有限公司 Authority management method, device, equipment and medium for block chain system
CN111339522A (en) * 2019-05-15 2020-06-26 深圳市文鼎创数据科技有限公司 Online quick identity authentication method, online quick identity authentication device and card reader
CN112446701B (en) * 2019-09-03 2024-04-05 上海唯链信息科技有限公司 Identity authentication method, equipment and storage device based on blockchain
CN110519062B (en) * 2019-09-19 2021-10-29 腾讯科技(深圳)有限公司 Identity authentication method, authentication system and storage medium based on block chain
CN112669033A (en) * 2019-10-15 2021-04-16 深圳市文鼎创数据科技有限公司 Transaction authentication method based on FIDO equipment and FIDO equipment
CN110784395B (en) * 2019-11-04 2023-02-21 航天信息股份有限公司 Mail safety login method and system based on FIDO authentication
CN111464535A (en) * 2020-03-31 2020-07-28 中国电子科技集团公司第三十研究所 Cross-domain trust transfer method based on block chain
CN111935075A (en) * 2020-06-23 2020-11-13 浪潮云信息技术股份公司 Block chain-based digital identity signing and issuing method, equipment and medium
CN114697061B (en) * 2020-12-29 2023-05-09 ***通信有限公司研究院 Access control method, device, network side equipment, terminal and blockchain node
CN112651037B (en) * 2020-12-31 2024-01-16 深圳前海微众银行股份有限公司 Out-of-chain data access method and system for block chain system
CN112733127B (en) * 2021-01-13 2024-02-20 杭州甘道智能科技有限公司 Bidirectional authentication method and system based on blockchain
CN113343264A (en) * 2021-06-24 2021-09-03 北京八分量信息科技有限公司 Block chain-based data tamper-proof system and method
CN113507380B (en) * 2021-09-10 2021-12-17 浙江大学 Privacy protection remote unified biometric authentication method and device and electronic equipment
CN114401100A (en) * 2021-10-02 2022-04-26 杭州荔藤网络科技有限公司 Cross-application platform login method and system for block chain account
TWI828001B (en) * 2021-11-11 2024-01-01 翁仲和 System for using multiple security levels to verify customer identity and transaction services and method thereof
CN115459920A (en) * 2022-08-25 2022-12-09 浪潮云信息技术股份公司 Certificateless alliance chain identity authentication method and system based on intelligent contract

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
KR101611872B1 (en) * 2015-11-05 2016-04-12 에스지에이솔루션즈 주식회사 An authentication method using FIDO(Fast IDentity Online) and certificates
CN105827571A (en) * 2015-01-06 2016-08-03 华为技术有限公司 UAF (Universal Authentication Framework) protocol based multi-modal biological characteristic authentication method and equipment
CN106416189A (en) * 2014-04-14 2017-02-15 万事达卡国际股份有限公司 Systems, apparatus and methods for improved authentication

Family Cites Families (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20160105285A1 (en) * 2014-10-14 2016-04-14 Qualcomm Incorporated Deriving cryptographic keys from biometric parameters
US10891383B2 (en) * 2015-02-11 2021-01-12 British Telecommunications Public Limited Company Validating computer resource usage
EP3292484B1 (en) * 2015-05-05 2021-07-07 Ping Identity Corporation Identity management service using a block chain
CN105701372B (en) * 2015-12-18 2019-04-09 布比(北京)网络技术有限公司 A kind of building of block chain identity and verification method
CN106100847B (en) * 2016-06-14 2021-10-26 惠众商务顾问(北京)有限公司 Method and device for verifying identity information of asymmetric encryption block chain

Patent Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN106416189A (en) * 2014-04-14 2017-02-15 万事达卡国际股份有限公司 Systems, apparatus and methods for improved authentication
CN105827571A (en) * 2015-01-06 2016-08-03 华为技术有限公司 UAF (Universal Authentication Framework) protocol based multi-modal biological characteristic authentication method and equipment
KR101611872B1 (en) * 2015-11-05 2016-04-12 에스지에이솔루션즈 주식회사 An authentication method using FIDO(Fast IDentity Online) and certificates

Cited By (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
EP3499795A4 (en) * 2016-08-10 2020-01-22 Samsung SDS Co., Ltd. Authentication system and method, and user equipment, authentication server, and service server for performing same method
US20220014367A1 (en) * 2018-12-13 2022-01-13 Login Id Inc. Decentralized computing systems and methods for performing actions using stored private data
TWI728678B (en) * 2019-06-18 2021-05-21 開曼群島商創新先進技術有限公司 Block chain-based enterprise certification and certification tracing method, device and equipment
US11985126B2 (en) 2019-06-19 2024-05-14 Elta Systems Ltd. Methods and systems for trusted web authentication
CN112565175A (en) * 2019-09-26 2021-03-26 富士通株式会社 Communication relay program, relay device, communication relay method, and communication system
EP3799351A1 (en) * 2019-09-26 2021-03-31 Fujitsu Limited Communication relay program, relay device communication relay method, and communication system
US11671403B2 (en) 2019-09-26 2023-06-06 Fujitsu Limited Relay device, non-transitory computer-readable storage medium and communication system

Also Published As

Publication number Publication date
CN108064440A (en) 2018-05-22
CN108064440B (en) 2021-04-09

Similar Documents

Publication Publication Date Title
WO2018214133A1 (en) Method, device and system for fido authentication based on blockchain
JP7121459B2 (en) Blockchain authentication via hard/soft token verification
CN109951489B (en) Digital identity authentication method, equipment, device, system and storage medium
KR102117584B1 (en) Local device authentication
Lundkvist et al. Uport: A platform for self-sovereign identity
CN108667612B (en) Trust service architecture and method based on block chain
US7571489B2 (en) One time passcode system
US10187373B1 (en) Hierarchical, deterministic, one-time login tokens
US8769289B1 (en) Authentication of a user accessing a protected resource using multi-channel protocol
WO2018219056A1 (en) Authentication method, device, system and storage medium
US20130145442A1 (en) System and method for privilege delegation and control
US20070130463A1 (en) Single one-time password token with single PIN for access to multiple providers
JP2018503199A (en) Account recovery protocol
Wang et al. EIDM: A ethereum-based cloud user identity management protocol
TW200810488A (en) Policy driven, credential delegation for single sign on and secure access to network resources
KR102118962B1 (en) Method and server for managing user identity using blockchain network, and method and terminal for verifying user using user identity based on blockchain network
CA2942765C (en) Persistent authentication system incorporating one time pass codes
US9443069B1 (en) Verification platform having interface adapted for communication with verification agent
ES2665887T3 (en) Secure data system
US11811739B2 (en) Web encryption for web messages and application programming interfaces
Togan et al. A smart-phone based privacy-preserving security framework for IoT devices
KR102012262B1 (en) Key management method and fido authenticator software authenticator
KR20210006329A (en) Remote biometric identification
Abdelrazig Abubakar et al. Blockchain-based identity and authentication scheme for MQTT protocol
US11985229B2 (en) Method, first device, first server, second server and system for accessing a private key

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 17910595

Country of ref document: EP

Kind code of ref document: A1

NENP Non-entry into the national phase

Ref country code: DE

32PN Ep: public notification in the ep bulletin as address of the adressee cannot be established

Free format text: NOTING OF LOSS OF RIGHTS PURSUANT TO RULE 112(1) EPC (EPO FORM 1205 DATED 24/04/2020)

122 Ep: pct application non-entry in european phase

Ref document number: 17910595

Country of ref document: EP

Kind code of ref document: A1