WO2021018088A1 - Trusted authentication method, network device, system and storage medium - Google Patents


Info

Publication number
WO2021018088A1
Authority
WO
WIPO (PCT)
Prior art keywords
transaction
network access
node
plan
blockchain
Prior art date
Application number
PCT/CN2020/104859
Other languages
French (fr)
Chinese (zh)
Inventor
吴超
Original Assignee
华为技术有限公司
Priority date
Filing date
Publication date

Classifications

    • H ELECTRICITY
      • H04 ELECTRIC COMMUNICATION TECHNIQUE
        • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
          • H04L 9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
            • H04L 9/32 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
              • H04L 9/3263 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving certificates, e.g. public key certificate [PKC] or attribute certificate [AC]; Public key infrastructure [PKI] arrangements
            • H04L 9/40 Network security protocols
            • H04L 9/50 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols using hash chains, e.g. blockchains or hash trees
          • H04L 63/00 Network architectures or network communication protocols for network security
            • H04L 63/08 Network architectures or network communication protocols for network security for authentication of entities
              • H04L 63/0823 Network architectures or network communication protocols for network security for authentication of entities using certificates
    • G PHYSICS
      • G06 COMPUTING; CALCULATING OR COUNTING
        • G06Q INFORMATION AND COMMUNICATION TECHNOLOGY [ICT] SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES; SYSTEMS OR METHODS SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES, NOT OTHERWISE PROVIDED FOR
          • G06Q 40/00 Finance; Insurance; Tax strategies; Processing of corporate or income taxes
            • G06Q 40/04 Trading; Exchange, e.g. stocks, commodities, derivatives or currency exchange

Definitions

  • the present invention relates to the field of communication technology, in particular to a trusted authentication method, network equipment, system and storage medium.
  • the trusted authentication of network equipment is a topic that has attracted much attention in the field of computer security. How the blockchain service network confirms whether a newly connected network device is legitimate and reliable, how a running network device confirms whether a received instruction is legitimate and reliable, and how to confirm whether an operation log is legitimate and reliable (that is, whether it has been tampered with or deleted), among other questions, all bear on the security and availability of the entire service network. Therefore, the trusted authentication of network equipment has attracted much attention.
  • the server network of the blockchain has the characteristics of distributed data storage, point-to-point transmission, a consensus mechanism, cryptographic algorithms, and records that cannot be altered or forged. Therefore, it can be used to collectively maintain a set of reliable data records in a decentralized and trustless manner.
  • data blocks (or blocks for short) are stored in a chain and distributed to multiple nodes.
  • the generation of data blocks requires a set of consensus algorithms for trusted authentication, and when a data block is transmitted and accessed, its security is guaranteed by cryptography; after the data block has been authenticated and trusted, the smart contract of the blockchain can be used to perform operations.
  • in existing schemes, the trusted authentication of network equipment mainly relies on the central node to verify the legitimacy of the network device; the information record of the legitimate network device is then split into multiple copies, which are distributed to the backup nodes in the service network.
  • the specific process is as follows:
  • a network device that has not yet completed trusted authentication (the network access device, which may be called a node in the blockchain network) sends an authentication request to the central node; the central node returns the authentication result to the network access device; if the network access device confirms from the authentication result that authentication has passed, it sends a backup database address allocation request to the central node; after receiving the allocation request, the central node returns the available backup database addresses; assuming that the available backup database addresses include database 1 (database1, db1) and db2, the network access device splits its information record as a legitimate network device into two copies and sends them to db1 and db2 for storage. This completes the trusted authentication of the networked device in the blockchain.
  • the above trusted authentication schemes rely too heavily on the central node. Once the central node malfunctions, is hijacked, or leaks information, trusted network devices cannot complete trusted authentication, and the security of the service network cannot be guaranteed.
  • the technical problem to be solved by the embodiments of the present invention is to provide a trusted authentication method, network equipment, system and storage medium that reduce the dependence of trusted authentication on the central node and ensure the security and stability of the service network.
  • an embodiment of the present invention provides a trusted authentication method, including:
  • the authentication initiating device generates a transaction plan, and the transaction plan contains authentication information of a trusted authentication object;
  • the authentication initiating device sends the transaction plan to a node in the blockchain;
  • the authentication initiating device confirms that the trusted authentication is successful after receiving the transaction validity confirmation returned by the node in the blockchain.
  • the aforementioned transaction plan may be sent by the authentication initiating device to nodes in the blockchain network, network group, or sub-network in a broadcast, multicast, or unicast manner.
  • the nodes in the blockchain authenticate the transaction plan according to the authentication information and return the transaction validity confirmation. If authentication fails, a transaction failure message is received, or no message is received at all, the transaction validity confirmation is considered not to have been received, and the trusted authentication transaction is confirmed to have failed.
  • the trusted authentication is executed as a blockchain transaction, which reduces the dependence of the trusted authentication on the central node and ensures the security and stability of the service network.
  • the authentication initiation device is a network access device
  • the trusted authentication object is a network access authentication
  • the authentication initiation device generates a transaction plan including:
  • the network access device generates a network access transaction plan
  • the authentication initiating device sending the transaction plan to the node in the blockchain includes: the network access device sending the network access transaction plan to the node in the blockchain;
  • the authentication initiating device confirming that the trusted authentication succeeds after receiving the transaction validity confirmation returned by the node in the blockchain includes: the network access device confirming that the network access transaction is successful after receiving the transaction validity confirmation returned by the node in the blockchain.
  • the aforementioned network access transaction plan may be sent by the network access device to the nodes in the blockchain in a broadcast, multicast or unicast manner.
  • after the nodes in the blockchain receive the network access transaction plan, they authenticate it and return the transaction validity confirmation. If authentication fails, no transaction validity confirmation is received, and the network access device can confirm that the network access transaction has failed.
  • the generation of the network access transaction plan by the network access device includes:
  • acquiring, by the network access device, an identity certificate of the network access device, where the identity certificate is used by a node in the blockchain to identify the network access device;
  • the network access device generates a network access transaction plan of the network access device, and the network access transaction plan includes contract verification information required for network access and the identity certificate.
  • Contract information is the information contained in a smart contract.
  • a smart contract is a piece of contract code deployed in the blockchain system, or a set of commitments defined in digital form, including an agreement on which contract participants can execute the commitments.
  • the sending the network access transaction plan to a node in the blockchain includes:
  • sending the network access transaction plan to the endorsing node in the blockchain; after receiving the endorsement result returned by the endorsing node, sending a transaction request to the ordering node; the transaction request includes the endorsement result and the transaction proposal;
  • the confirming that the network access transaction is successful after receiving the transaction validity confirmation returned by the node in the blockchain includes:
  • sending a transaction request to the ordering node includes:
  • receiving a plan response returned by the endorsing node, where the plan response includes the transaction result of the network access transaction plan and endorsement information;
  • the endorsement information is used to identify whether the endorsing node endorses the network access transaction plan;
  • when the number of endorsing nodes that endorse the plan reaches the threshold, the transaction request is sent to the ordering node, carrying the transaction proposal, the transaction result, and the endorsement information, or carrying only the transaction result and the endorsement information.
  • the above threshold can be set according to the scale of the blockchain. For example, when the blockchain is extremely small, say a single node, the threshold can be 1 and the endorsing node can be the network access device itself; when there are more endorsing nodes, a certain ratio or a certain number can be set as the threshold.
  • the contract verification information includes: contract identification, contract method, and network access parameter information.
  • the acquiring, by the network access device, the identity certificate of the network access device includes:
  • the network access device invokes the certificate service through the client software development kit (SDK), registers and enrolls with the certificate service, and receives the identity certificate assigned by the certificate service to the network access device.
  • an embodiment of the present invention provides a trusted authentication method, including:
  • the authentication initiating device is a network access device
  • the trusted authentication object is a network access authentication
  • the receiving transaction plan sent by the authentication initiating device includes:
  • the obtaining authentication information of a trusted authentication object from the transaction plan includes:
  • the using the authentication information to verify the transaction plan includes: verifying the transaction plan according to the contract verification information to obtain the transaction result, and generating endorsement information; the endorsement information is used to identify whether the node endorses the network access transaction plan;
  • the method further includes: sending the transaction result and the endorsement information to the network access device.
  • the verification of the transaction plan based on the contract verification information to obtain the transaction result includes:
  • the transaction plan is verified according to the contract verification information, and a chain code function is called using the transaction plan as an input parameter to obtain a transaction result.
  • the method further includes:
  • the transactions in the block are verified; after verification passes, the ledger is updated and the transaction validity confirmation is sent to the network access device.
  • a block is the unit in which data is recorded and stored in the blockchain system.
  • the process of verifying the block of a transaction proposal belongs to a transaction block.
  • a transaction block refers to a collection of transactions gathered in a block, which can then be hashed and added to the blockchain.
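How the tamper-evidence of a transaction block works in practice, as an added example that is not part of the patent: transactions gathered into a block are hashed into a Merkle root, each block header commits to the previous block's hash, and a verifier that recomputes the chain detects a modified or deleted transaction (the "tampered with or deleted" operation-log question raised at the start of the description). The sample transactions and field names are constructed for the example.

```python
"""Constructed example: hash-linked blocks over a Merkle root of their transactions,
with a verifier that recomputes everything to detect modified or deleted entries."""
import copy
import hashlib
import json

GENESIS_PREV = "0" * 64

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def merkle_root(txs: list) -> str:
    """Root of a binary hash tree over the canonical JSON of each transaction."""
    level = [sha256_hex(json.dumps(tx, sort_keys=True).encode()) for tx in txs] or [sha256_hex(b"")]
    while len(level) > 1:
        if len(level) % 2:  # duplicate the last leaf on odd-sized levels
            level.append(level[-1])
        level = [sha256_hex((level[i] + level[i + 1]).encode()) for i in range(0, len(level), 2)]
    return level[0]

def block_hash(header: dict) -> str:
    return sha256_hex(json.dumps(header, sort_keys=True).encode())

def make_block(prev_hash: str, txs: list) -> dict:
    header = {"prev_hash": prev_hash, "merkle_root": merkle_root(txs)}
    return {"header": header, "hash": block_hash(header), "txs": list(txs)}

def build_chain(tx_batches: list) -> list:
    chain, prev = [], GENESIS_PREV
    for batch in tx_batches:
        block = make_block(prev, batch)
        chain.append(block)
        prev = block["hash"]
    return chain

def verify_chain(chain: list) -> tuple:
    """Return (True, None) if intact, else (False, index of the first block that fails)."""
    prev = GENESIS_PREV
    for i, block in enumerate(chain):
        h = block["header"]
        if (h["prev_hash"] != prev or h["merkle_root"] != merkle_root(block["txs"])
                or block["hash"] != block_hash(h)):
            return False, i
        prev = block["hash"]
    return True, None

def demo_tamper() -> dict:
    # Constructed sample: network-access decisions recorded over two blocks.
    chain = build_chain([[{"device": "sensor-01", "admitted": True},
                          {"device": "gw-07", "admitted": True}],
                         [{"device": "rogue-02", "admitted": False}]])
    modified = copy.deepcopy(chain)
    modified[1]["txs"][0]["admitted"] = True   # flip a recorded decision in block 1
    deleted = copy.deepcopy(chain)
    del deleted[0]["txs"][1]                   # remove a log entry from block 0
    return {"intact": verify_chain(chain), "modified": verify_chain(modified),
            "deleted": verify_chain(deleted)}
```

Because every header commits to the previous hash, an attacker who alters one block would also have to recompute every later block, and, under the consensus described further down, get a majority of nodes to accept the rewritten chain; the verifier here only needs the chain itself to spot the inconsistency.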
  • embodiments of the present invention provide a network device authentication method, including:
  • the ordering node receives the transaction request sent by the network access device, and obtains the transaction proposal, transaction result, and endorsement information carried in the transaction request;
  • the transaction result is the transaction result generated by the network access device using the network access transaction plan to simulate a transaction, and the endorsement information indicates whether the node in the blockchain endorses the network access transaction plan;
  • a transaction validity confirmation is sent to the network access device.
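The network access flow laid out above on both sides, the device side (identity certificate from the certificate service, transaction plan carrying contract verification information, endorsement threshold, transaction request to the ordering node) and the node side (endorsing nodes verify the certificate and simulate the contract, the ordering node cuts a block, the accounting node re-verifies and returns the validity confirmation), as an added simulation that is not part of the patent. It uses only the Python standard library; the identity certificate and the endorsement "signatures" are modelled as HMAC tags under keys the verifiers hold (a stand-in for certificate and signature verification), the `network_access`/`admit` chaincode and all device names and roles are constructed for the example, and the threshold rule follows the description: fewer endorsements than the threshold means no validity confirmation and a failed authentication.

```python
"""Constructed simulation of network access authentication run as a blockchain transaction:
CA enrolment, transaction plan, endorsement, threshold check, ordering, committing, confirmation."""
import hashlib, hmac, json, os

def tag(key: bytes, payload: dict) -> str:
    # HMAC over canonical JSON: a stand-in for a digital signature in this model.
    return hmac.new(key, json.dumps(payload, sort_keys=True).encode(), hashlib.sha256).hexdigest()

class CertificateAuthority:
    """Issues identity certificates; every verifier holds the CA verification key."""
    def __init__(self):
        self.key = os.urandom(32)
    def enroll(self, device_id: str) -> dict:
        cert = {"device_id": device_id}
        return {**cert, "ca_tag": tag(self.key, cert)}
    def verify(self, cert: dict) -> bool:
        body = {k: v for k, v in cert.items() if k != "ca_tag"}
        return hmac.compare_digest(tag(self.key, body), str(cert.get("ca_tag", "")))

# Hypothetical chaincode behind the "network_access" contract: admit known roles only.
ALLOWED_ROLES = {"sensor", "gateway"}
def chaincode_admit(params: dict) -> dict:
    ok = params.get("role") in ALLOWED_ROLES
    return {"admitted": ok, "reason": "ok" if ok else "role not allowed"}
CHAINCODE = {("network_access", "admit"): chaincode_admit}

class NetworkAccessDevice:
    def __init__(self, device_id: str, cert: dict):
        self.device_id, self.cert = device_id, cert
    def build_proposal(self, role: str) -> dict:
        # Contract verification info = contract id, contract method, network access parameters.
        return {"identity_cert": self.cert, "nonce": os.urandom(8).hex(),
                "contract": {"id": "network_access", "method": "admit",
                             "params": {"device_id": self.device_id, "role": role}}}

class EndorsingNode:
    def __init__(self, node_id: str, ca: CertificateAuthority):
        self.node_id, self.ca, self.key = node_id, ca, os.urandom(32)
    def endorse(self, proposal: dict) -> dict:
        c, cert = proposal["contract"], proposal["identity_cert"]
        if not self.ca.verify(cert) or cert.get("device_id") != c["params"]["device_id"]:
            result = {"admitted": False, "reason": "identity certificate rejected"}
        else:  # simulate the transaction by calling the chaincode function
            fn = CHAINCODE.get((c["id"], c["method"]))
            result = fn(c["params"]) if fn else {"admitted": False, "reason": "unknown contract"}
        endorsed = result["admitted"]
        sig = tag(self.key, {"proposal": proposal, "result": result, "endorsed": endorsed})
        return {"endorser": self.node_id, "result": result, "endorsed": endorsed, "sig": sig}

class OrderingNode:
    def __init__(self):
        self.pending = []
    def order(self, tx_request: dict):
        self.pending.append(tx_request)
    def cut_block(self, prev_hash: str) -> dict:
        block = {"prev_hash": prev_hash, "txs": self.pending}
        block["hash"] = hashlib.sha256(json.dumps(block, sort_keys=True).encode()).hexdigest()
        self.pending = []
        return block

class CommittingNode:
    """Accounting node: re-verifies each transaction's endorsements, then updates the ledger."""
    def __init__(self, endorsers, threshold: int):
        self.keys = {e.node_id: e.key for e in endorsers}
        self.threshold, self.ledger, self.chain = threshold, {}, []
    def commit(self, block: dict) -> dict:
        confirmations = {}
        for tx in block["txs"]:
            good = [e for e in tx["endorsements"]
                    if e["endorser"] in self.keys and e["endorsed"] and e["result"] == tx["result"]
                    and hmac.compare_digest(e["sig"], tag(self.keys[e["endorser"]],
                        {"proposal": tx["proposal"], "result": e["result"], "endorsed": True}))]
            dev = tx["proposal"]["contract"]["params"]["device_id"]
            confirmations[dev] = len(good) >= self.threshold
            if confirmations[dev]:
                self.ledger[dev] = tx["result"]
        self.chain.append(block)
        return confirmations

def run_network_access(device, role, endorsers, orderer, committer) -> bool:
    """Device side: propose, collect endorsements, check the threshold, submit, await confirmation."""
    proposal = device.build_proposal(role)
    endorsed = [r for r in (e.endorse(proposal) for e in endorsers) if r["endorsed"]]
    if len(endorsed) < committer.threshold:
        return False  # no validity confirmation will arrive: treat as failed authentication
    orderer.order({"proposal": proposal, "result": endorsed[0]["result"], "endorsements": endorsed})
    block = orderer.cut_block(committer.chain[-1]["hash"] if committer.chain else "0" * 64)
    return committer.commit(block).get(device.device_id, False)

def demo() -> dict:
    ca = CertificateAuthority()
    endorsers = [EndorsingNode(f"peer{i}", ca) for i in range(3)]
    orderer, committer = OrderingNode(), CommittingNode(endorsers, threshold=2)
    good = NetworkAccessDevice("sensor-01", ca.enroll("sensor-01"))
    forged = NetworkAccessDevice("rogue-02", {"device_id": "rogue-02", "ca_tag": "deadbeef"})
    return {"enrolled": run_network_access(good, "sensor", endorsers, orderer, committer),
            "forged_cert": run_network_access(forged, "sensor", endorsers, orderer, committer),
            "bad_role": run_network_access(good, "printer", endorsers, orderer, committer),
            "ledger": dict(committer.ledger)}

if __name__ == "__main__":
    print(json.dumps(demo(), indent=1))
```

Two details carry the security argument of the description: the accounting node does not trust the device's claim of endorsement but recomputes each endorser's tag and checks that every endorser reported the same result, and there is no single node whose compromise admits a device, since a forged certificate or a disallowed role fails at every endorser and never reaches the threshold.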
  • embodiments of the present invention provide a network device, where the network device is an authentication initiating device and includes:
  • a plan generation unit for generating a transaction plan, the transaction plan containing authentication information of a trusted authentication object
  • a sending unit configured to send the transaction plan to a node in the blockchain
  • the confirmation unit is used to confirm that the trusted authentication is successful after receiving the transaction validity confirmation returned by the node in the blockchain.
  • the authentication initiating device is a network access device
  • the trusted authentication object is network access authentication
  • the plan generation unit is used to generate a network access transaction plan
  • the sending unit is configured to send the network access transaction plan to a node in the blockchain
  • the confirmation unit is configured to confirm the success of the network access transaction after receiving the transaction validity confirmation returned by the node in the blockchain.
  • the plan generation unit is configured to obtain an identity certificate of the network-accessed device, and the identity certificate is used for a node in the blockchain to identify the network-accessed device;
  • the network access transaction plan includes the contract verification information required for network access and the identity certificate.
  • the sending unit is configured to send the network access transaction plan to the endorsing node in the blockchain; after receiving the endorsement result returned by the endorsing node, send a transaction request to the ordering node; and include the endorsement result and the transaction proposal in the transaction request;
  • the confirmation unit is configured to confirm the success of the network access transaction after receiving the valid confirmation of the transaction returned by the accounting node in the blockchain for the transaction proposal.
  • the sending unit being configured to, after receiving the endorsement result returned by the endorsing node, send a transaction request to the ordering node includes: receiving a plan response returned by the endorsing node,
  • where the plan response includes the transaction result of the network access transaction plan and endorsement information;
  • the endorsement information is used to identify whether the endorsing node endorses the network access transaction plan; when the number of endorsing nodes that endorse the plan reaches the threshold, the transaction request is sent to the ordering node, carrying the transaction proposal, the transaction result, and the endorsement information, or carrying only the transaction result and the endorsement information.
  • the contract verification information includes: contract identification, contract method, and network access parameter information.
  • the plan generation unit being configured to obtain the identity certificate of the network access device includes: invoking the certificate service through the client software development kit (SDK), registering and enrolling with the certificate service, and receiving the identity certificate allocated by the certificate service to the network access device.
  • embodiments of the present invention provide a blockchain node, including:
  • the receiving unit is used to receive the transaction plan sent by the authentication initiating device
  • An information acquisition unit for acquiring authentication information of a trusted authentication object from the transaction plan
  • the verification unit is configured to use the authentication information to verify the transaction plan.
  • the authentication initiating device is a network access device
  • the trusted authentication object is network access authentication
  • the receiving unit is configured to receive the network access transaction plan sent by the network access device
  • the information acquisition unit is configured to obtain, from the network access transaction plan, the contract verification information required for the network access device to access the network and the identity certificate of the network access device; the identity certificate is used to identify the network access device;
  • the verification unit is configured to verify the transaction plan according to the contract verification information to obtain a transaction result
  • the nodes of the blockchain also include:
  • the information generating unit is used to generate endorsement information; the endorsement information is used to identify whether it is an endorsement of the network access transaction plan;
  • the sending unit is configured to send the transaction result and the endorsement information to the network access device.
  • the verification unit is configured to verify the transaction plan according to the contract verification information, and use the transaction plan as an input parameter to call a chain code function to obtain a transaction result.
  • after the sending unit sends the transaction result and the endorsement information to the network access device, the node is further configured such that:
  • the transactions in the block are verified; after verification passes, the ledger is updated and the transaction validity confirmation is sent to the network access device.
  • the embodiments of the present invention provide a blockchain node, including:
  • the receiving unit is used to receive the transaction request sent by the network access device
  • the acquiring unit is used to acquire the transaction proposal, transaction result, and endorsement information carried in the transaction;
  • the transaction result is a transaction result generated by the network access device using the network access transaction plan to simulate a transaction, and the endorsement information indicates whether a node in the blockchain endorses the network access transaction plan;
  • the sending unit sends the block containing the transaction proposal, together with the transaction result and endorsement information, to the node in the blockchain; after the node in the blockchain passes verification, it sends the transaction validity confirmation to the network access device.
  • an embodiment of the present invention provides a blockchain network, including: network access devices and blockchain nodes; the network access devices are used to execute any one of the methods provided in the first aspect.
  • the nodes of the blockchain include: an endorsing node and an ordering node; the endorsing node is used to execute any one of the methods provided in the second aspect, and the ordering node is used to execute the method provided in the third aspect.
  • an embodiment of the present invention provides a blockchain node, including: a processor, a memory, and a communication interface; wherein the processor, the memory, and the communication interface are communicatively connected, and program code is stored in the memory;
  • the processor is configured to read the program code and cooperate with the communication interface to implement any one of the method procedures provided in the embodiments of the present invention.
  • the embodiment of the present invention also provides a storage medium; the storage medium stores program code, the program code includes program instructions, and when the program instructions are executed by the processor they cooperate with the communication interface to implement the method flow of any one of the method embodiments.
  • a tenth aspect of the embodiments of the present invention also provides a software program; the software program includes program code, the program code includes program instructions, and when the program instructions are executed by a processor in cooperation with the communication interface they implement any one of the method flows provided by the embodiments of the present invention.
  • FIG. 1 is a schematic diagram of the process structure of a method according to an embodiment of the present invention.
  • FIG. 2 is a schematic diagram of the system structure of an embodiment of the present invention.
  • FIG. 3 is a schematic flowchart of a method according to an embodiment of the present invention.
  • FIG. 4 is a schematic flowchart of a method according to an embodiment of the present invention.
  • FIG. 5 is a schematic flowchart of a method according to an embodiment of the present invention.
  • FIG. 6 is a schematic diagram of the structure of a network device according to an embodiment of the present invention.
  • FIG. 7 is a schematic diagram of a node structure of a blockchain according to an embodiment of the present invention.
  • FIG. 8 is a schematic diagram of a node structure of a blockchain according to an embodiment of the present invention.
  • FIG. 9 is a schematic structural diagram of a network device according to an embodiment of the present invention.
  • Blockchain can be used to solve the trust and security issues of transactions. It has the following characteristics:
  • Data recording in the blockchain is completed by multiple nodes distributed in different locations, and each node records complete data. Therefore, these nodes can participate in monitoring the legitimacy of data, and can also serve as a trusted source of operation records.
  • each block node stores complete data in a block chain style, while traditional distributed storage is divided into multiple storages according to certain specifications. Therefore, the blockchain can avoid a single node being destroyed and losing data.
  • the data of the block nodes in the blockchain is stored independently, the nodes have equal status, and the consistency of storage is guaranteed by the consensus mechanism. Distributed storage generally allocates backup nodes through a central node; when the central node is hijacked or abnormally controlled, the data is at risk of being tampered with or deleted.
  • the data stored on the blockchain is public to the network, but the account information of each blockchain node is highly encrypted, and only the data owner can access or modify it with authorization, thus ensuring the security of the data.
  • it is public to some nodes in the blockchain, so it is not necessary to obtain authorization from the data owner again for some nodes.
  • All bookkeeping nodes in the blockchain reach an agreement through a consensus mechanism to determine that the data is valid and prevent tampering by malicious nodes in the network.
  • This consensus mechanism has the characteristics of "the minority obeys the majority" and "everyone is equal".
  • Each node can propose a consensus result, but the consensus result with the most votes (the number of votes for each node can be pre-allocated by the administrator) is the final result that all nodes agree on. Therefore, falsifying data requires controlling more than 51% of the block nodes in the entire network, and when there are enough block nodes in the actual network, this is almost impossible.
  • Blockchain is currently divided into three categories:
  • Any individual or group can initiate a transaction, and the transaction can be effectively confirmed by the blockchain, and anyone can participate in the consensus process. It is a completely decentralized blockchain, but the transaction speed is low.
  • pre-selected nodes within a certain group are designated as bookkeepers, and the generation of each block is determined by all the pre-selected nodes (only the pre-selected nodes participate in the consensus process); other access nodes can participate in transactions but not in the accounting process (essentially it is still custodial accounting, but it becomes distributed accounting), and any node can perform limited queries through the open API of the blockchain. It is a weakly centralized blockchain, but its transaction performance is high.
  • Private blockchain
  • the embodiment of the present invention provides a trusted authentication method, which is applied to a blockchain network, as shown in FIG. 1, including:
  • the authentication initiating device generates a transaction plan, and the transaction plan contains authentication information of a trusted authentication object;
  • the aforementioned authentication initiating device is a device that initiates trusted authentication, for example, a device that needs to perform a trusted authentication object, and more specifically, it may be: a network access device in network access authentication.
  • the above authentication information is the information required to perform authentication on a certain authentication object in the blockchain, such as contract verification information, identity certificates, etc.
  • the authentication initiating device sends the transaction plan to a node in the blockchain
  • the node in the blockchain can be any node in the blockchain.
  • after receiving the transaction plan, the node in the blockchain authenticates the transaction plan according to the authentication information and, if verification passes, returns the transaction validity confirmation.
  • the nodes in the blockchain can also be divided into endorsing nodes and accounting nodes; after receiving the transaction plan, the endorsing node obtains the authentication result according to the authentication information, together with information on whether it endorses the transaction plan, and returns them to the authentication initiating device; the authentication initiating device then sends a transaction request containing the transaction proposal, the above authentication result and the endorsement information to the ordering node, and the accounting node performs re-authentication accordingly; if authentication passes, the transaction validity confirmation is returned.
  • the authentication initiating device may send the transaction request to the ordering node once the number of nodes endorsing the transaction plan reaches the threshold.
  • the authentication initiating device confirms that the trusted authentication is successful after receiving the transaction validity confirmation returned by the node in the blockchain.
  • the above-mentioned transaction plan can be broadcast to the nodes in the blockchain by the authentication initiating device. If the transaction plan needs to be sent to endorsing nodes, the endorsing nodes can also be nodes within a certain range. After receiving the submitted plan, the nodes in the blockchain authenticate it according to the authentication information and return the transaction validity confirmation. If authentication fails, the authentication initiating device will not receive a transaction validity confirmation, and it can confirm that the trusted authentication transaction has failed.
  • the trusted authentication is executed as a blockchain transaction, which reduces the dependence of the trusted authentication on the central node and ensures the security and stability of the service network.
  • the network-connected device performs network-access authentication as an example of trusted authentication.
  • multiple nodes in the blockchain network can be selected as master nodes, responsible for participating in trusted authentication and log bookkeeping based on the consensus mechanism, while the remaining nodes, as participating nodes, only participate in transaction generation. This can solve the problems of low reliability, low security and high performance requirements of the central node in existing solutions.
  • other trusted authentication can also refer to the embodiment of the present invention, so the network access authentication should not be understood as a unique limitation to the embodiment of the present invention.
  • the first implementation example is as follows:
  • this embodiment treats the network access authentication of any network device in the blockchain network as a blockchain transaction.
  • there are the following four types of nodes in the blockchain network (each physical device can hold multiple node roles at the same time, which is not explained one by one):
  • Certificate service (certificate authority, CA): the security authentication module of the blockchain network equipment, responsible for managing, maintaining and checking all the certificates of the blockchain, such as identity certificates, registration certificates, transaction certificates and communication certificates.
  • Client SDK: executed on the side of the authentication initiating device, such as the network access device; it initiates the transaction plan, constructs the transaction request, and monitors network messages to determine whether the transaction has been successfully authenticated.
  • Peer nodes: include endorser peers and committer peers, collectively referred to as Peer nodes. The purpose of the endorsing node is to perform endorsement checks and authentication for transactions in the blockchain network; the purpose of the accounting node is to record transaction logs and maintain the blockchain and ledger structure. The same physical device in the blockchain network can act as both an endorsing node and an accounting node, or as an accounting node alone.
  • Ordering node: sorts the transactions of the blockchain network and packages the sorted transactions into blocks at a fixed time interval.
  • the network access device invokes the certificate service CA through the client SDK, registers and enrolls with the certificate service CA, and obtains an identity certificate used to identify the network access device in the blockchain;
  • the identity certificate is the identity certificate of the network access device; the client signature may be the identity certificate itself, or, if not, a signature generated by an agreed method on the basis of the identity certificate. Its purpose is to encrypt network messages related to the network access device, for example: a device key can be generated from the identity certificate and used to sign network messages, or a device key can be distributed on the basis of the identity certificate and other information.
  • the network access device creates a network access transaction proposal (proposal) through the client SDK; the proposal carries the contract identification and contract method to be called this time, the parameter information and the client signature, and is sent to one or more endorsing nodes.
  • the parameter information may include: the network access account, the media access control (MAC) address of the network access device, a personal identification number (PIN) code or identification, etc.
  • the network access device, endorsing node, ordering node and accounting node may all be the same device: when the blockchain network is first founded the number of nodes grows from 1, so the first node can issue an endorsement to itself. Once the blockchain network has grown, the number of endorsing nodes can be required to match the scale of the blockchain. Specifically: when the blockchain network reaches a certain scale, the network access transaction plan can be required to be sent to a certain percentage of the nodes in the blockchain; when the blockchain network grows further, the network access transaction plan can be required to be sent to a certain number of nodes in the blockchain.
  • after receiving the transaction proposal (Proposal), the endorsing node starts to verify the contract method in the network access transaction plan.
  • the specific content of verification can include the following aspects:
  • network messages are encrypted with the sender's private key and decrypted by the receiver with the public key, which ensures the integrity of the message; the endorsing node therefore checks that the network access transaction plan is intact and was encrypted by the sender of the transaction proposal.
  • the network access transaction plan has not been submitted before to prevent replay attacks
  • the means to prevent replay attacks include:
  • Selective replay protection: the user manually changes the transaction.
  • Transaction lock technology: the transaction lock is broadcast to the entire network; it locks the digital assets associated with the transaction, so the original transaction assets are locked and cannot be modified while the master node verifies the transaction.
  • the endorsing node uses the public key to verify whether the proposal is legal.
  • the public key and the private key are paired, but the pairing is one-way: the private key cannot be derived from the public key. Therefore only the device that generated the network access transaction proposal can write or modify it and then encrypt it with the private key; every endorsing node can decrypt and read the proposal with the corresponding public key, but cannot modify it.
  • the ACL policy of the device is generally pre-allocated by the administrator, or the ACL policy of all network access devices may be the same; this is not specifically restricted in the embodiment of the present invention.
  • the endorsing node takes the above-mentioned online transaction plan as an input parameter, and calls the chain code function.
  • the chain code function calculates the transaction result according to the current ledger status.
  • the transaction result can include the return value, read-write set, etc.
  • the blockchain ledger is not updated at this step.
  • the transaction result is signed by the endorsing node and returned to the client together with the yes/no endorsement result; this content can be called a proposal reply. Because the transaction result does not cause the ledger to be updated, it can be called a simulated transaction result.
  • the return value is pre-stored by the endorsing node to represent a specific transaction; the read-write set includes a read set and a write set: if the transaction is a read operation r, the read set is (r, r-result); if the transaction is a write operation w, the write set is (w, w-result). The proposal reply also requires the endorsing node to sign it with its private key.
  • after receiving the proposal replies returned by the endorsing nodes, the client of the network access device determines whether the transaction results they carry are consistent with the result of the network access transaction plan, and whether enough proposal replies have been received from endorsing nodes (this step executes the predetermined endorsement policy). If there are not enough endorsements, the network access authentication is suspended and the transaction of this network access authentication is discarded; the network device then cannot access the network. Otherwise, the transaction proposal, the simulated transaction result and the endorsement information are packaged into a transaction request, which is signed and sent to the ordering node.
  • the endorsement policy mainly refers to whether the endorsing nodes meet the policy requirements: if there are n endorsing nodes in the entire blockchain network, it is not actually necessary for all of them to return a confirmation that the transaction is valid. Whether confirmation by the entire network is needed, or how many nodes must confirm, can be pre-defined by the endorsement policy.
  • after the ordering node receives the transaction request sent from the client SDK of the network access device, it performs consensus ordering, packs the transaction proposal into a block, and sends the block to the accounting node.
  • after receiving the block, the accounting node verifies the transactions in the block: it checks whether the inputs and outputs the transaction depends on match the current state of the blockchain and whether the endorsement policy is satisfied; after the verification passes, it appends the block to the local blockchain and updates the ledger.
  • the specific content involved in this step includes:
  • Run the verification logic, that is, check the endorsement policy.
  • the endorsement policy check can be performed by the verification system chaincode (VSCC), a system contract program used for verification. It mainly includes: verifying whether each endorsement is valid, by checking whether the certificate is valid and whether the signature was generated with the corresponding certificate; whether the number of endorsements satisfies the predefined endorsement policy; and whether the endorsement block comes from the expected endorsing nodes.
  • the second implementation example is as follows:
  • this embodiment treats the network access authentication of any network device in the blockchain network as a blockchain transaction. It is assumed that any physical device in the blockchain network participates in the authentication and accounting of transactions. It mainly includes: the network access device initiates a transaction request through the client SDK and broadcasts it to the nodes in the blockchain network; the nodes in the blockchain that receive the transaction request verify the validity of the transaction, and the node that completes verification first packages multiple transactions into a block and sends it to the other nodes. After receiving the block, the other nodes add the new block to the blockchain, and the transaction is finally completed.
  • as shown in Figure 5, the flow includes:
  • the network access device calls the certificate service CA through the client SDK, registers and enrolls with the service center, and obtains an identity certificate;
  • the network access device creates a network access transaction proposal (proposal) through the client SDK.
  • the network access transaction proposal carries the contract identification and contract method to be called this time, the parameter information and the client signature, and is broadcast to the blockchain network.
  • the parameter information may include: the network access account, the MAC address of the network access device, a PIN code or identification, etc.
  • the client signature can use the signature of the identity certificate.
  • the node that receives the network access transaction plan collects the hash values of multiple transactions into a block, and each block may contain multiple transactions; each node verifies transactions through a consensus algorithm such as proof of work (POW) or proof of stake (POS).
  • the node that completes the verification fastest broadcasts its block to the other nodes; Figure 5 shows node 1 completing the verification first, and node 2 to node n receiving the block sent by node 1.
  • node 1 returns the network access transaction confirmation to the client SDK.
  • after receiving the block sent by the node that completed the verification first, the other nodes confirm whether the transaction is valid; if there is no repeated transaction and the signature is valid, they accept the block, which is officially added to the blockchain and cannot be tampered with;
  • the node that receives the block acts as an accounting node, updates its local ledger, and returns the network access transaction confirmation to the client SDK.
  • the embodiment of the present invention provides a network device.
  • the network device is an authentication initiating device and includes:
  • the plan generating unit 601 is configured to generate a transaction plan, the transaction plan containing authentication information of a trusted authentication object;
  • the sending unit 602 is configured to send the transaction plan to a node in the blockchain
  • the confirmation unit is used to confirm that the trusted authentication is successful after receiving the transaction validity confirmation returned by the node in the blockchain.
  • the authentication initiating device is a network access device
  • the trusted authentication object is network access authentication
  • the plan generation unit 601 is used to generate a network access transaction plan
  • the sending unit 602 is configured to send the network access transaction plan to a node in the blockchain;
  • the confirmation unit 603 is configured to confirm the success of the network access transaction after receiving the transaction validity confirmation returned by the node in the blockchain.
  • the plan generation unit 601 is configured to obtain an identity certificate of the network access device, the identity certificate being used by a node in the blockchain to identify the network access device, and to generate the network access transaction plan of the network access device; the network access transaction plan includes the contract verification information required for network access and the identity certificate.
  • the sending unit 602 is configured to send the network access transaction plan to the endorsing node in the blockchain and, after receiving the endorsement result returned by the endorsing node, to send a transaction request to the ordering node; the transaction request includes the endorsement result and the transaction proposal;
  • the confirmation unit 603 is configured to confirm the success of the network access transaction after receiving the transaction validity confirmation returned by the accounting node in the blockchain for the transaction proposal.
  • the sending unit 602 sending a transaction request to the ordering node after receiving the endorsement result returned by the endorsing node includes: receiving the plan reply returned by the endorsing node, the plan reply including the transaction result of the network access transaction plan and endorsement information; the endorsement information identifies whether the endorsing node endorses the network access transaction plan; when the number of endorsing nodes reaches the threshold, sending the transaction request to the ordering node, and carrying the transaction proposal, the transaction result and the endorsement information in the transaction request, or carrying the transaction result and the endorsement information in the transaction request.
  • the contract verification information includes: contract identification, contract method, and network access parameter information.
  • the plan generation unit 601 obtaining the identity certificate of the network access device includes: invoking the certificate service through the client software development kit (SDK), and initiating registration and enrollment with the certificate service;
  • the certificate service allocates the identity certificate to the network access device.
  • the embodiment of the present invention provides a block chain node.
  • the block chain node can correspond to the functions of the endorsement node or the accounting node mentioned above, including:
  • the receiving unit 701 is configured to receive the transaction plan sent by the authentication initiating device
  • the information obtaining unit 702 is configured to obtain authentication information of a trusted authentication object from the transaction plan;
  • the verification unit 703 is configured to verify the transaction plan using the authentication information.
  • the authentication initiating device is a network access device
  • the trusted authentication object is network access authentication
  • the receiving unit 701 is configured to receive a network access transaction plan sent by a network access device
  • the information obtaining unit 702 is configured to obtain, from the network access transaction plan, the contract verification information required for the network access device to access the network and the identity certificate of the network access device; the identity certificate is used to identify the network access device;
  • the verification unit 703 is configured to verify the transaction plan according to the contract verification information to obtain a transaction result
  • the nodes of the blockchain also include:
  • the information generating unit 704 is configured to generate endorsement information; the endorsement information is used to identify whether it is an endorsement of the network access transaction plan;
  • the sending unit 705 is configured to send the transaction result and the endorsement information to the network access device.
  • the verification unit 703 is configured to verify the transaction plan according to the contract verification information, and call the chain code function with the transaction plan as an input parameter to obtain the transaction result.
  • the receiving unit 701 is further configured to receive the block after the transaction result and the endorsement information have been sent to the network access device;
  • the transaction in the block is verified, the ledger is updated after the verification passes, and the transaction validity confirmation is sent to the network access device.
  • the embodiment of the present invention provides a node of a blockchain, and the node of the blockchain can correspond to the sorting node in the foregoing, as shown in FIG. 8, including:
  • the receiving unit 801 is configured to receive a transaction request sent by a network access device
  • the obtaining unit 802 is configured to obtain the transaction proposal, transaction result, and endorsement information carried in the transaction;
  • the transaction result is a transaction result generated by the network access device simulating a transaction with the network access transaction plan, and the endorsement information indicates whether a node in the blockchain endorses the network access transaction plan;
  • the sending unit 803 sends the block containing the transaction proposal, together with the transaction result and the endorsement information, to the node in the blockchain; after the node in the blockchain passes the verification, it sends the transaction validity confirmation to the network access device.
  • the embodiment of the present invention provides a blockchain network, as shown in FIG. 2, which includes: a network access device and blockchain nodes; the network access device is configured to execute any of the methods provided in the first aspect.
  • the nodes of the blockchain include: an endorsing node, an ordering node and an accounting node.
  • the embodiment of the present invention also provides a network device.
  • the network device can be a network access device or a node in a blockchain. As shown in FIG. 9, it includes a processor 901, a memory 902, and a communication interface 903; The processor 901, the memory 902, and the communication interface 903 are connected in a communicative manner;
  • the memory 902 includes but is not limited to random access memory (RAM), read-only memory (ROM), erasable programmable read-only memory (EPROM), or compact disc read-only memory (CD-ROM); the memory 902 is used for the related instructions and data.
  • the communication interface 903 is used to receive and send data.
  • the processor 901 may be one or more central processing units (CPUs).
  • the processor 901 is a CPU
  • the CPU may be a single-core CPU or a multi-core CPU.
  • the processor 901 in the network device is used to read the above-mentioned program code and, in cooperation with the communication interface 903, implement any method flow provided by the embodiment of the invention that is executed by the network access device; or, the processor 901 is used to read the above-mentioned program code and, in cooperation with the communication interface 903, implement any method flow provided by the embodiment of the invention that is executed by a node of the blockchain.
  • the communication interface 903 can correspond to the receiving and sending related functional units in the software-defined network device of the previous embodiment.
  • the functions of other functional units in the software-defined network device of the previous embodiment can be determined by the processor 901 execution.
  • the embodiment of the present invention also provides a storage medium; the storage medium stores program code, the program code includes program instructions, and when the program instructions are executed by a processor they cooperate with a communication interface to implement any of the method flows provided by the embodiments of the present invention.
  • the embodiment of the present invention also provides a software program; the software program includes program code, the program code includes program instructions, and when the program instructions are executed by a processor they cooperate with a communication interface to implement any of the method flows provided by the embodiments of the present invention.
  • the storage medium may be any computer-readable storage medium, and executing the software program may include the processes of the above method embodiments.
  • the storage media include: ROM, random access memory (RAM), magnetic disks, optical discs and other media that can store program code.

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Business, Economics & Management (AREA)
  • Finance (AREA)
  • Accounting & Taxation (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Development Economics (AREA)
  • Technology Law (AREA)
  • Theoretical Computer Science (AREA)
  • General Physics & Mathematics (AREA)
  • Economics (AREA)
  • Marketing (AREA)
  • Strategic Management (AREA)
  • General Business, Economics & Management (AREA)
  • Physics & Mathematics (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • Management, Administration, Business Operations System, And Electronic Commerce (AREA)
  • Financial Or Insurance-Related Operations Such As Payment And Settlement (AREA)

Abstract

A trusted authentication method, a network device, a system and a storage medium. Said method comprises: an authentication initiation device generating a transaction plan, the transaction plan containing authentication information of a trusted authentication object; the authentication initiation device sending the transaction plan to a node in a blockchain; and the authentication initiation device confirming that the trusted authentication succeeds after having received a valid transaction confirmation returned by the node in the blockchain. In this embodiment, the trusted authentication is executed as a blockchain transaction, reducing the dependency of the trusted authentication on a central node, and ensuring the security and stability of a service network.

Description

Trusted authentication method, network device, system and storage medium
[Corrected 18.08.2020 according to Rule 91]
This application claims priority to the Chinese patent application filed with the Chinese Patent Office on July 30, 2019, with application number 201910695902.4 and entitled "Trusted authentication method, network device, system and storage medium", the entire content of which is incorporated herein by reference.
Technical field
The present invention relates to the field of communication technology, and in particular to a trusted authentication method, network device, system and storage medium.
Background
In a blockchain, the trusted authentication of network devices is a topic of great concern in the field of computer security. How the blockchain's service network confirms whether a newly connected network device is legitimate and trustworthy, how a running network device confirms whether a received instruction is legitimate and trustworthy, and how to confirm whether an operation log is legitimate and trustworthy (that is, has not been tampered with or deleted): all of these bear on the security and availability of the entire service network. Therefore, the trusted authentication of network devices has attracted much attention.
The server network of a blockchain has the characteristics of distributed data storage, peer-to-peer transmission, a consensus mechanism, cryptographic algorithms, immutability and unforgeability. It can therefore be used to collectively maintain a reliable set of data records in a decentralized and trustless manner. In a blockchain, data blocks (blocks for short) are stored as a chain and distributed to multiple nodes. Generating a data block requires a consensus algorithm for trusted authentication, and while the block is transmitted and accessed its security is guaranteed by cryptography; once a data block has been authenticated as trustworthy, the blockchain's smart contracts can be used to perform operations.
In current trusted authentication of network devices, a central node is mainly responsible for verifying the legitimacy of the network device; the record of legitimate network device information is then split into multiple copies and stored in a distributed manner on backup nodes in the service network. Taking the network access authentication of a network access device as an example, the specific flow is as follows:
A network device that has not undergone trusted authentication, namely the network access device (which may be called a node in the blockchain network), sends an authentication request to the central node; the central node returns the authentication result to the network access device; if the network access device confirms from the authentication result that authentication has passed, it sends a request for the allocation of backup database addresses to the central node; after receiving the allocation request, the central node returns the available backup database addresses; assuming the available backup database addresses include database 1 (database1, db1) and db2, the network access device splits the record stating that it is a legitimate network device into two copies and sends them to db1 and db2 respectively for storage. The trusted authentication of the network access device in the blockchain is thus completed.
The above trusted authentication scheme depends too heavily on the central node: once the central node becomes abnormal, is hijacked, or leaks information, trusted network devices are unable to complete trusted authentication and the security of the service network cannot be guaranteed.
发明内容Summary of the invention
本发明实施例所要解决的技术问题在于提供一种可信认证方法,网络设备、***及存储介质,减少可信认证对中心节点的依赖,保证服务网络的安全稳定。The technical problem to be solved by the embodiments of the present invention is to provide a trusted authentication method, network equipment, system and storage medium, reduce the dependence of trusted authentication on the central node, and ensure the security and stability of the service network.
一方面,本发明实施例提供了一种可信认证方法,包括:On the one hand, an embodiment of the present invention provides a trusted authentication method, including:
认证发起设备生成交易预案,所述交易预案中包含可信认证对象的认证信息;The authentication initiating device generates a transaction plan, and the transaction plan contains authentication information of a trusted authentication object;
所述认证发起设备向区块链中的节点发送所述交易预案;The authentication initiating device sends the transaction plan to a node in the blockchain;
所述认证发起设备在收到所述区块链中的节点返回的交易有效确认后,确认可信认证成功。The authentication initiating device confirms that the trusted authentication is successful after receiving the transaction validity confirmation returned by the node in the blockchain.
在本实施例中,上述交易预案可以由认证发起设备以广播、组播,或者单播的方式发送给区块链网络、网络组或者子网络中的节点。区块链中的节点收到交预案后会根据认证信息对其进行认证后返回交易有效确认。可以理解的是,如果认证未通过,或者收到交易失败的消息,或者没有收到任何消息,都可以认为没有收到交易有效确认,则可以确认可信认证的交易失败。In this embodiment, the aforementioned transaction plan may be sent by the authentication initiating device to nodes in the blockchain network, network group, or sub-network in a broadcast, multicast, or unicast manner. After receiving the submitted plan, the nodes in the blockchain will authenticate it according to the authentication information and return the transaction validity confirmation. It is understandable that if the authentication fails, or the transaction failure message is received, or no message is received, it can be considered that the transaction validity confirmation has not been received, and the trusted authentication transaction failure can be confirmed.
本实施例通过将可信认证,作为区块链交易执行,减少了可信认证对中心节点的依赖,保证服务网络的安全稳定。In this embodiment, the trusted authentication is executed as a blockchain transaction, which reduces the dependence of the trusted authentication on the central node and ensures the security and stability of the service network.
In a possible implementation, the authentication initiating device is a network access device and the trusted authentication object is network access authentication, and the authentication initiating device generating the transaction plan includes:
the network access device generating a network access transaction plan;
the authentication initiating device sending the transaction plan to a node in the blockchain includes: the network access device sending the network access transaction plan to a node in the blockchain;
the authentication initiating device confirming, after receiving the transaction validity confirmation returned by the node in the blockchain, that the trusted authentication has succeeded includes: the network access device confirming, after receiving the transaction validity confirmation returned by the node in the blockchain, that the network access transaction has succeeded.
In this embodiment, the network access transaction plan may be sent by the network access device to the nodes in the blockchain by broadcast, multicast, or unicast. A node in the blockchain that receives the network access transaction plan authenticates it and then returns a transaction validity confirmation. It should be understood that if the authentication fails, no transaction validity confirmation is received, and the network access transaction can be confirmed as failed.
In a possible implementation, the network access device generating the network access transaction plan includes:
the network access device obtaining an identity certificate of the network access device, the identity certificate being used by the nodes in the blockchain to identify the network access device;
the network access device generating the network access transaction plan of the network access device, the network access transaction plan containing the contract verification information required for network access and the identity certificate.
Contract information is the information contained in a smart contract. A smart contract is a piece of contract code deployed in the blockchain system, or a set of commitments defined in digital form, including the protocol under which the contract participants can execute those commitments.
In a possible implementation, sending the network access transaction plan to a node in the blockchain includes:
sending the network access transaction plan to an endorsing node in the blockchain;
after receiving the endorsement result returned by the endorsing node, sending a transaction request to an ordering node, the transaction request containing the endorsement result and a transaction proposal;
and confirming, after receiving the transaction validity confirmation returned by the node in the blockchain, that the network access transaction has succeeded includes:
confirming that the network access transaction has succeeded after receiving the transaction validity confirmation that a committing node in the blockchain returns for the transaction proposal.
In a possible implementation, sending the transaction request to the ordering node after receiving the endorsement result returned by the endorsing node includes:
receiving a plan reply returned by the endorsing node, the plan reply containing the transaction result of the network access transaction plan and endorsement information, the endorsement information indicating whether the endorsing node endorses the network access transaction plan;
when the number of endorsing nodes that endorse the plan reaches a threshold, sending the transaction request to the ordering node, the transaction request carrying the transaction proposal, the transaction result, and the endorsement information, or carrying the transaction result and the endorsement information.
The threshold may be set according to the scale of the blockchain. For example, when the blockchain is very small, say a single node, the threshold may be 1 and the endorsing node may be the network access device itself; when there are many endorsing nodes, a ratio or a fixed number may be set as the threshold.
In a possible implementation, the contract verification information includes a contract identifier, a contract method, and parameter information for network access.
In a possible implementation, the network access device obtaining the identity certificate of the network access device includes:
the network access device calling a certificate service through the client software development kit (SDK) and registering and enrolling with the certificate service; and receiving the identity certificate that the certificate service assigns to the network access device.
In a second aspect, an embodiment of the present invention provides a trusted authentication method, including:
receiving a transaction plan sent by an authentication initiating device;
obtaining authentication information of the trusted authentication object from the transaction plan;
verifying the transaction plan using the authentication information.
In a possible implementation, the authentication initiating device is a network access device, the trusted authentication object is network access authentication, and receiving the transaction plan sent by the authentication initiating device includes:
receiving a network access transaction plan sent by the network access device;
obtaining the authentication information of the trusted authentication object from the transaction plan includes:
obtaining, from the network access transaction plan, the contract verification information required for the network access device to access the network and the identity certificate of the network access device, the identity certificate being used to identify the network access device;
verifying the transaction plan using the authentication information includes: verifying the transaction plan according to the contract verification information to obtain a transaction result; and generating endorsement information, the endorsement information indicating whether the network access transaction plan is endorsed;
the method further includes: sending the transaction result and the endorsement information to the network access device.
In a possible implementation, verifying the transaction plan according to the contract verification information to obtain the transaction result includes:
verifying the transaction plan according to the contract verification information, and calling a chaincode function with the transaction plan as the input parameter to obtain the transaction result.
In a possible implementation, after sending the transaction result and the endorsement information to the network access device, the method further includes:
receiving, from the ordering node, a block containing the transaction proposal of the network access device together with the transaction result and the endorsement information;
checking the transactions in the block according to the transaction result and the endorsement information, updating the ledger after the check passes, and sending a transaction validity confirmation to the network access device.
A block is used to record the storage of data in the blockchain system. The check performed on the block containing the transaction proposal belongs to the transaction block; a transaction block is the set of transactions gathered into one block, which can then be hashed and appended to the blockchain.
In a third aspect, an embodiment of the present invention provides a network device authentication method, including:
an ordering node receiving a transaction request sent by a network access device and obtaining the transaction proposal, the transaction result, and the endorsement information carried in the transaction request, where the transaction result is the result produced by the network access device simulating the transaction using the network access transaction plan, and the endorsement information indicates whether the nodes in the blockchain endorse the network access transaction plan;
sending a block containing the transaction proposal, together with the transaction result and the endorsement information, to the nodes in the blockchain;
after the nodes in the blockchain pass the check, sending a transaction validity confirmation to the network access device.
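The exchange that the first to third aspects describe (device obtains a certificate, builds a network access transaction plan, collects endorsements up to a threshold, submits to the ordering node, committing nodes re-check and confirm) can be followed end to end in a small simulation. The code below is an added example and not code from the patent or from any blockchain project: every class name, the HMAC stand-in used for the identity certificate and the endorsement signatures, the contract identifier "net-access-v1", and the sample device identities are assumptions made for this example. A real deployment would use X.509 certificates and asymmetric signatures; the control flow, including the rule that anything other than an explicit validity confirmation counts as failure, is what the example is meant to show.

```python
"""Network access authentication run as a blockchain transaction.

Added example, not code from the patent: an in-memory model of the device /
endorsing node / ordering node / committing node exchange. All names, the
HMAC stand-in for certificates and signatures, and the sample identities are
assumptions made for this example.
"""
import hashlib
import hmac
import json

ACCESS_CONTRACT = {"id": "net-access-v1", "method": "join_network"}  # assumed


def _sign(key: bytes, payload) -> str:
    """MAC over canonical JSON; stands in for a digital signature."""
    return hmac.new(key, json.dumps(payload, sort_keys=True).encode(),
                    hashlib.sha256).hexdigest()


class CertificateAuthority:
    """Issues the identity certificate a device obtains through the SDK."""
    def __init__(self):
        self._key = b"constructed-ca-key"

    def issue(self, device_id: str) -> dict:
        return {"subject": device_id, "sig": _sign(self._key, device_id)}

    def verify(self, cert: dict) -> bool:
        expected = _sign(self._key, cert.get("subject", ""))
        return hmac.compare_digest(cert.get("sig", ""), expected)


class EndorsingNode:
    """Checks the plan against the contract verification information,
    simulates the chaincode call, and returns the result plus endorsement."""
    def __init__(self, name: str, ca: CertificateAuthority):
        self.name, self.ca = name, ca
        self.key = name.encode() + b"-constructed-key"

    def endorse(self, plan: dict) -> dict:
        contract = plan["contract"]
        valid = (self.ca.verify(plan["cert"])
                 and contract.get("id") == ACCESS_CONTRACT["id"]
                 and contract.get("method") == ACCESS_CONTRACT["method"]
                 and "mac" in contract.get("params", {}))
        # simulated chaincode result: the admitted device, or nothing on failure
        result = {"admitted": plan["cert"]["subject"]} if valid else {}
        return {"node": self.name, "result": result, "endorsed": valid,
                "sig": _sign(self.key, result)}


class OrderingNode:
    """Bundles transaction requests into a block for the committing nodes."""
    def order(self, requests: list) -> dict:
        return {"txs": requests}


class CommittingNode:
    """Re-checks each transaction (endorsement signatures, agreeing results,
    threshold), appends valid ones to the ledger, and confirms them."""
    def __init__(self, endorser_keys: dict, threshold: int):
        self.endorser_keys, self.threshold, self.ledger = endorser_keys, threshold, []

    def commit(self, block: dict) -> dict:
        confirmations = {}
        for tx in block["txs"]:
            good = [e for e in tx["endorsements"]
                    if e["endorsed"] and e["node"] in self.endorser_keys
                    and hmac.compare_digest(
                        e["sig"], _sign(self.endorser_keys[e["node"]], e["result"]))]
            distinct = {json.dumps(e["result"], sort_keys=True) for e in good}
            if good and len(good) >= self.threshold and len(distinct) == 1:
                self.ledger.append({"proposal": tx["proposal"], "result": good[0]["result"]})
                confirmations[tx["proposal"]["tx_id"]] = "valid"
        return confirmations  # a transaction absent here received no confirmation


class NetworkAccessDevice:
    """Authentication initiating device (the client SDK side)."""
    def __init__(self, device_id: str, ca: CertificateAuthority):
        self.device_id = device_id
        self.cert = ca.issue(device_id)  # registration and enrollment with the CA

    def build_plan(self, mac: str, contract: dict = ACCESS_CONTRACT) -> dict:
        tx_id = hashlib.sha256(f"{self.device_id}:{mac}".encode()).hexdigest()[:16]
        return {"tx_id": tx_id, "cert": self.cert,
                "contract": {**contract, "params": {"mac": mac}}}

    def request_access(self, plan, endorsers, orderer, committer, threshold) -> bool:
        endorsements = [e.endorse(plan) for e in endorsers]
        if sum(e["endorsed"] for e in endorsements) < threshold:
            return False  # too few endorsements: the request is never submitted
        block = orderer.order([{"proposal": plan, "endorsements": endorsements}])
        confirmations = committer.commit(block)
        # only an explicit validity confirmation counts as success
        return confirmations.get(plan["tx_id"]) == "valid"


def demo(threshold: int = 2) -> dict:
    """Constructed scenario: one enrolled device and one with a forged certificate."""
    ca = CertificateAuthority()
    endorsers = [EndorsingNode(f"peer{i}", ca) for i in range(3)]
    committer = CommittingNode({e.name: e.key for e in endorsers}, threshold)
    good, rogue = NetworkAccessDevice("sensor-01", ca), NetworkAccessDevice("rogue-01", ca)
    rogue.cert = {"subject": "rogue-01", "sig": "00" * 32}  # not issued by the CA
    admitted = {}
    for dev, mac in ((good, "02:00:00:00:00:01"), (rogue, "02:00:00:00:00:02")):
        admitted[dev.device_id] = dev.request_access(
            dev.build_plan(mac), endorsers, OrderingNode(), committer, threshold)
    return {"admitted": admitted, "ledger_entries": len(committer.ledger)}
```

Two checks in the model are worth noting for a defender. The committing node does not trust the endorsement count the device reports: it re-verifies every endorsement signature against the keys of known endorsing nodes and requires all valid endorsements to carry the same simulated result, which is what makes the threshold meaningful. And the device treats a missing confirmation exactly like an explicit failure, as the text above requires, so a dropped or suppressed message never yields a "success".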
In a fourth aspect, an embodiment of the present invention provides a network device, the network device being an authentication initiating device and including:
a plan generation unit configured to generate a transaction plan, the transaction plan containing authentication information of a trusted authentication object;
a sending unit configured to send the transaction plan to a node in the blockchain;
a confirmation unit configured to confirm that the trusted authentication has succeeded after receiving the transaction validity confirmation returned by the node in the blockchain.
In a possible implementation, the authentication initiating device is a network access device and the trusted authentication object is network access authentication,
the plan generation unit is configured to generate a network access transaction plan;
the sending unit is configured to send the network access transaction plan to a node in the blockchain;
the confirmation unit is configured to confirm that the network access transaction has succeeded after receiving the transaction validity confirmation returned by the node in the blockchain.
In a possible implementation, the plan generation unit is configured to obtain an identity certificate of the network access device, the identity certificate being used by the nodes in the blockchain to identify the network access device, and to generate the network access transaction plan of the network access device, the network access transaction plan containing the contract verification information required for network access and the identity certificate.
In a possible implementation, the sending unit is configured to send the network access transaction plan to an endorsing node in the blockchain and, after receiving the endorsement result returned by the endorsing node, to send a transaction request to an ordering node, the transaction request containing the endorsement result and a transaction proposal;
the confirmation unit is configured to confirm that the network access transaction has succeeded after receiving the transaction validity confirmation that a committing node in the blockchain returns for the transaction proposal.
In a possible implementation, the sending unit sending the transaction request to the ordering node after receiving the endorsement result returned by the endorsing node includes: receiving a plan reply returned by the endorsing node, the plan reply containing the transaction result of the network access transaction plan and endorsement information, the endorsement information indicating whether the endorsing node endorses the network access transaction plan; and, when the number of endorsing nodes that endorse the plan reaches a threshold, sending the transaction request to the ordering node, the transaction request carrying the transaction proposal, the transaction result, and the endorsement information, or carrying the transaction result and the endorsement information.
In a possible implementation, the contract verification information includes a contract identifier, a contract method, and parameter information for network access.
In a possible implementation, the plan generation unit obtaining the identity certificate of the network access device includes: calling a certificate service through the client software development kit (SDK) and registering and enrolling with the certificate service; and receiving the identity certificate that the certificate service assigns to the network access device.
In a fifth aspect, an embodiment of the present invention provides a blockchain node, including:
a receiving unit configured to receive a transaction plan sent by an authentication initiating device;
an information acquisition unit configured to obtain authentication information of the trusted authentication object from the transaction plan;
a verification unit configured to verify the transaction plan using the authentication information.
In a possible implementation, the authentication initiating device is a network access device and the trusted authentication object is network access authentication,
the receiving unit is configured to receive a network access transaction plan sent by the network access device;
the information acquisition unit is configured to obtain, from the network access transaction plan, the contract verification information required for the network access device to access the network and the identity certificate of the network access device, the identity certificate being used to identify the network access device;
the verification unit is configured to verify the transaction plan according to the contract verification information to obtain a transaction result;
and the blockchain node further includes:
an information generation unit configured to generate endorsement information, the endorsement information indicating whether the network access transaction plan is endorsed;
a sending unit configured to send the transaction result and the endorsement information to the network access device.
In a possible implementation, the verification unit is configured to verify the transaction plan according to the contract verification information and to call a chaincode function with the transaction plan as the input parameter to obtain the transaction result.
In a possible implementation, after the transaction result and the endorsement information have been sent to the network access device, the receiving unit is further configured to:
receive, from the ordering node, a block containing the transaction proposal of the network access device together with the transaction result and the endorsement information;
and the node checks the transactions in the block according to the transaction result and the endorsement information, updates the ledger after the check passes, and sends a transaction validity confirmation to the network access device.
In a sixth aspect, an embodiment of the present invention provides a blockchain node, including:
a receiving unit configured to receive a transaction request sent by a network access device;
an acquisition unit configured to obtain the transaction proposal, the transaction result, and the endorsement information carried in the transaction request, where the transaction result is the result produced by the network access device simulating the transaction using the network access transaction plan, and the endorsement information indicates whether the nodes in the blockchain endorse the network access transaction plan;
a sending unit configured to send a block containing the transaction proposal, together with the transaction result and the endorsement information, to the nodes in the blockchain, and, after the nodes in the blockchain pass the check, to send a transaction validity confirmation to the network access device.
In a seventh aspect, an embodiment of the present invention provides a blockchain network, including network access devices and blockchain nodes, where the network access devices are configured to perform any of the methods provided in the first aspect.
In a possible implementation, the blockchain nodes include an endorsing node and an ordering node, where the endorsing node is configured to perform any of the methods provided in the second aspect and the ordering node is configured to perform the method provided in the third aspect.
In an eighth aspect, an embodiment of the present invention provides a blockchain node, including a processor, a memory, and a communication interface, where the processor, the memory, and the communication interface are communicatively connected and the memory stores program code;
the processor is configured to read the program code and, in cooperation with the communication interface, to carry out any of the method procedures provided in the embodiments of the present invention.
In a ninth aspect, an embodiment of the present invention further provides a storage medium storing program code, the program code including program instructions which, when executed by a processor, cooperate with a communication interface to carry out the method procedure of any of the method embodiments.
In a tenth aspect, an embodiment of the present invention further provides a software program containing program code, the program code including program instructions which, when executed by a processor, cooperate with a communication interface to carry out any of the method procedures provided in the embodiments of the present invention.
Description of the Drawings
To illustrate the technical solutions of the embodiments of the present invention or of the background art more clearly, the drawings needed for the embodiments or the background art are described below.
FIG. 1 is a schematic diagram of the method flow structure of an embodiment of the present invention;
FIG. 2 is a schematic diagram of the system structure of an embodiment of the present invention;
FIG. 3 is a schematic flowchart of a method according to an embodiment of the present invention;
FIG. 4 is a schematic flowchart of a method according to an embodiment of the present invention;
FIG. 5 is a schematic flowchart of a method according to an embodiment of the present invention;
FIG. 6 is a schematic diagram of the structure of a network device according to an embodiment of the present invention;
FIG. 7 is a schematic diagram of the node structure of a blockchain according to an embodiment of the present invention;
FIG. 8 is a schematic diagram of the node structure of a blockchain according to an embodiment of the present invention;
FIG. 9 is a schematic diagram of the structure of a network device according to an embodiment of the present invention.
Detailed Description
The embodiments of the present invention are described below with reference to the drawings of the embodiments.
A blockchain can be used to solve the trust and security problems of transactions. Its main characteristics are the following:
1. A decentralized distributed ledger.
Data recording in a blockchain is carried out jointly by multiple nodes distributed in different locations, and every node records the complete data. All of these nodes can therefore take part in supervising the legitimacy of the data, and each can also serve as a trusted source of the operation record.
There are two main differences from traditional distributed storage:
Data structure: in a blockchain every block node stores the complete data as a chain of blocks, whereas traditional distributed storage splits the data into several parts according to some specification. A blockchain can therefore avoid the loss of data when a single node is destroyed.
Node status: the data held by the block nodes of a blockchain is stored independently, the nodes have equal status, and the consistency of the storage is guaranteed by the consensus mechanism. Distributed storage, by contrast, generally assigns backup nodes through a central node; if the central node is hijacked or abnormally controlled, the data is at risk of being tampered with or deleted.
2. Asymmetric encryption and authorization technology.
The data stored on the blockchain is public to the network, but the account information of each blockchain node is strongly encrypted and can be accessed or modified only with the authorization of the data owner, which keeps the data secure. In addition, some data is public to certain nodes in the blockchain, so those nodes do not need to obtain the data owner's authorization again.
3. Autonomy based on a consensus mechanism.
All committing nodes in the blockchain reach agreement through a consensus mechanism, which establishes that the data is valid and prevents tampering by malicious nodes in the network. The consensus mechanism has the properties that "the minority follows the majority" and "every node is equal": each node can propose a consensus result, but only the result with the most votes (the votes of each node may be pre-allocated by an administrator) is the final result that all nodes accept. Forging data therefore requires control of more than 51% of the block nodes in the whole network, which is practically impossible when the real network has enough block nodes.
4. Smart contracts. Once block data has been authenticated as trusted by the block nodes in the network, the relevant nodes can perform follow-up operations according to a series of predefined rule contracts.
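The two integrity properties listed above, that every node holds the complete chain of blocks (point 1) and that the nodes settle on one result by majority (point 3), together with the statement earlier on this page that a transaction block is hashed and appended to the chain, can be seen working in the following added example. It is not code from the patent: the block layout, the function names, the replica names and the sample transactions are all constructed for this example. It shows why a locally altered block is caught by the hash link of its successor, why an altered tip block is caught only by comparing replicas, and how the majority view is recovered.

```python
"""Hash-chained ledger replicas with tamper detection.

Added example, not code from the patent: block layout, function names and
sample transactions are constructed for this example.
"""
import copy
import hashlib
import json
from collections import Counter

GENESIS_PREV = "0" * 64


def _digest(obj) -> str:
    return hashlib.sha256(json.dumps(obj, sort_keys=True).encode()).hexdigest()


def block_hash(block: dict) -> str:
    """Hash over index, predecessor link and the digest of the transactions,
    so any change to the block's content or to its link changes its identity."""
    return _digest({"index": block["index"], "prev_hash": block["prev_hash"],
                    "tx_root": _digest(block["txs"])})


def append_block(chain: list, txs: list) -> dict:
    """Package a set of transactions (a transaction block) onto the chain."""
    prev_hash = block_hash(chain[-1]) if chain else GENESIS_PREV
    block = {"index": len(chain), "prev_hash": prev_hash, "txs": txs}
    chain.append(block)
    return block


def first_broken_block(chain: list) -> int:
    """Index of the first block whose link to its predecessor does not verify,
    or -1 when the whole chain is consistent. Note that an altered tip block
    has no successor and therefore passes this local check."""
    for i, block in enumerate(chain):
        expected = block_hash(chain[i - 1]) if i else GENESIS_PREV
        if block["index"] != i or block["prev_hash"] != expected:
            return i
    return -1


def agreed_tip(replicas: dict):
    """Majority vote over the replicas' tip hashes: returns the winning tip
    hash (None if no strict majority exists) and the dissenting replicas."""
    tips = {name: block_hash(chain[-1]) for name, chain in replicas.items()}
    winner, votes = Counter(tips.values()).most_common(1)[0]
    if votes * 2 <= len(tips):
        return None, sorted(tips)
    return winner, sorted(n for n, h in tips.items() if h != winner)


def demo() -> dict:
    """Constructed scenario: three replicas of one ledger; one replica has a
    middle block altered, another has its tip block altered."""
    base = []
    append_block(base, [{"tx": "join", "device": "sensor-01"}])
    append_block(base, [{"tx": "join", "device": "sensor-02"}])
    append_block(base, [{"tx": "revoke", "device": "sensor-02"}])
    replicas = {n: copy.deepcopy(base) for n in ("nodeA", "nodeB", "nodeC")}
    replicas["nodeC"][1]["txs"][0]["device"] = "rogue-01"  # breaks block 2's link
    replicas["nodeB"][2]["txs"][0]["tx"] = "join"          # tip: no successor to break
    winner, dissenting = agreed_tip(replicas)
    return {
        "local_breaks": {n: first_broken_block(c) for n, c in replicas.items()},
        "dissenting": dissenting,
        "majority_matches_nodeA": winner == block_hash(replicas["nodeA"][-1]),
    }
```

The scenario makes the defender's point explicit: a single node's self-check is not enough, because the most recent block can be rewritten without breaking any link, and the agreement across independent replicas is what exposes that change. Conversely, an attacker who rewrites history on one node without re-linking the chain is caught by that node's own check, and one who does re-link still ends up with a tip hash the majority rejects.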
Blockchains are currently divided into three main categories:
1. Public blockchains:
Any individual or group can initiate a transaction, the transaction can obtain valid confirmation from the blockchain, and anyone can take part in its consensus process. It is a fully decentralized blockchain, but its transaction speed is low.
2. Consortium blockchains:
Several pre-selected nodes inside a group are designated as bookkeepers, and the generation of each block is decided jointly by all pre-selected nodes (the pre-selected nodes take part in the consensus process); other access nodes may participate in transactions but do not take part in the bookkeeping process (essentially still delegated bookkeeping, only made distributed), and any node may run limited queries through the open API of the blockchain. It is a weakly centralized blockchain with high transaction performance.
3. Private blockchains:
The blockchain is used for bookkeeping only, by a single company or individual that has exclusive write access to it; such a chain differs little from other distributed storage solutions.
An embodiment of the present invention provides a trusted authentication method applied in a blockchain network. As shown in FIG. 1, it includes:
101: The authentication initiating device generates a transaction plan, the transaction plan containing authentication information of a trusted authentication object.
The authentication initiating device is the device that initiates trusted authentication, for example a device that needs to perform a trusted authentication object; more specifically, it may be the network access device in network access authentication.
The authentication information is the information needed to authenticate a given authentication object in the blockchain, for example contract verification information, an identity certificate, and so on.
102: The authentication initiating device sends the transaction plan to a node in the blockchain.
In this step the node in the blockchain may be any node in the blockchain. After receiving the transaction plan, the node authenticates it according to the authentication information and, if authentication passes, returns a transaction validity confirmation.
In addition, the nodes in the blockchain may be divided into endorsing nodes and committing nodes. After receiving the transaction plan, an endorsing node performs authentication according to the authentication information, obtains the authentication result and the information on whether it endorses the transaction plan, and returns them to the authentication initiating device; the authentication initiating device then sends the ordering node a transaction request containing the transaction proposal, the authentication result and the endorsement information; the committing node authenticates again on that basis and, if authentication passes, returns a transaction validity confirmation.
In the above flow, the authentication initiating device may send the transaction request to the ordering node only after the number of nodes endorsing the transaction plan has reached the threshold.
103: After receiving the transaction validity confirmation returned by the node in the blockchain, the authentication initiating device confirms that the trusted authentication has succeeded.
The transaction plan may be broadcast by the authentication initiating device to the nodes in the blockchain. If the transaction plan needs to be sent to endorsing nodes, the endorsing nodes may also be nodes within a defined range. A node in the blockchain that receives the transaction plan authenticates it according to the authentication information and then returns a transaction validity confirmation. It should be understood that if the authentication fails, no transaction validity confirmation is received, and the trusted authentication transaction can be confirmed as failed.
Because this embodiment executes the trusted authentication as a blockchain transaction, it reduces the dependence of trusted authentication on a central node and keeps the service network secure and stable.
以下实施例以入网设备执行入网认证作为可信认证的实例进行举例说明,在以下实施例的举例中,可以选取区块链的网络中多个节点作为主节点,负责基于共识机制参与可信认证及日志记账,其余节点作为参与节点,只参与交易生成。可以解决现有方案可靠性低、安全性低和中心节点性能要求高的问题。可以理解的是其他可信认证也可以参考本发明实施例,因此入网认证不应理解为对本发明实施例的唯一性限定。在以下举例中,分为两种实施例,具体如下:In the following embodiment, the network-connected device performs network-access authentication as an example of trusted authentication. In the example of the following embodiment, multiple nodes in the blockchain network can be selected as master nodes, responsible for participating in trusted authentication based on the consensus mechanism And log bookkeeping, and the remaining nodes as participating nodes only participate in transaction generation. It can solve the problems of low reliability, low security and high performance requirements of the central node in existing solutions. It is understandable that other trusted authentication can also refer to the embodiment of the present invention, so the network access authentication should not be understood as a unique limitation to the embodiment of the present invention. In the following examples, there are two embodiments, which are specifically as follows:
第一种实施举例:The first implementation example:
如图2所示,本实施例将区块链网络中任一网络设备的入网认证作为区块链的一笔交易。假设区块链网络中存在以下四种节点(每个物理设备可以同时存在多种节点角色,后续不再一一说明):As shown in Figure 2, this embodiment takes the network access authentication of any network device in the blockchain network as a block chain transaction. Assume that there are the following four types of nodes in the blockchain network (each physical device can have multiple node roles at the same time, which will not be explained one by one):
1. Certificate authority (CA):
The security authentication module of the blockchain network, responsible for the management and maintenance of all certificates in the blockchain.
2. Client software development kit (SDK). The SDK runs on the authentication-initiating device, for example the joining device. It:
obtains certificates from the service centre (identity, enrolment, transaction and communication certificates, and so on);
initiates the transaction proposal, constructs the transaction request, and listens for network messages to determine whether the transaction was successfully authenticated.
3. Peer nodes, comprising endorsing peers (endorser peers) and committing peers (committer peers).
Endorsing nodes perform endorsement checks and authentication for transactions in the blockchain network. Only a subset of the nodes need act as endorsing nodes.
Committing nodes record transaction logs and maintain the blockchain and the ledger structure. One physical device may act as both an endorsing node and a committing node, or as a committing node alone.
4. Ordering node:
Uses the consensus mechanism of the blockchain network to order transactions and packages the ordered transactions into blocks at a fixed interval.
The flow, shown in Figure 3, is as follows:
301: Through the client SDK, the joining device calls the certificate service CA, registers and enrols with it, and obtains an identity certificate that identifies the device in the blockchain.
The identity certificate is the joining device's identity credential. It may itself serve as the client's signing credential or not; where it does not, a signature based on the identity certificate may be generated by agreement. Its purpose is to protect the network messages relating to the joining device: for example a device key may be generated from the identity credential and used to sign network messages, or a device key may be allocated on the basis of the credential together with other information.
302: Through the client SDK, the joining device constructs a network-access transaction proposal and sends it to one or more endorsing nodes. The proposal carries the identifier of the contract to be invoked for this network access, the contract method and parameters, and the client signature.
The parameters may include the network-access account, the joining device's media access control (MAC) address, and a personal identification number (PIN) or other identifier.
In this embodiment the joining device, the endorsing node, the ordering node and the committing node may all be the same device. Because the number of nodes in the network grows from one, the first node of a newly created network can send the proposal to itself for endorsement; as the network grows, the number of endorsing nodes can be required to scale with it. For example, once the network exceeds one size the proposal must be sent to a given proportion of the nodes, and once it exceeds a larger size, to a given number of nodes.
303: On receiving the proposal, the endorsing node verifies the contract method in the network-access transaction proposal.
Verification covers the following points:
1. The proposal is intact.
Network messages in the blockchain are signed with the sender's private key and the signature is checked with the sender's public key, so any alteration of the message invalidates the signature. The intactness of the proposal is therefore guaranteed by the sender's signature over it.
2. The proposal has not been submitted before, which prevents replay attacks.
Means of preventing replay include:
Mandatory replay protection: a special marker is added to the new ledger after a hard fork so that transactions of the new ledger are invalid on the old one. This protection takes effect automatically when a hard fork occurs.
Optional replay protection: the user manually alters the transaction.
Transaction locks: a transaction lock is broadcast to the whole network and locks the digital assets tied to the transaction, so the original assets cannot be modified while the master nodes verify the transaction.
The first two measures concern replay of a transaction across the two ledgers of a fork. Replay of an individual proposal within one ledger, which is what this check guards against, is caught by the endorsing node, and again by the committing node when it marks transactions valid or invalid, refusing a transaction identifier it has already processed.
3. The client signature carried by the proposal is valid.
The proposal is signed by the device that generated it, using its private key, so the endorsing node checks the signature with the corresponding public key.
Public and private keys come in pairs, and the private key cannot be derived from the public key. Only the generating device can write or modify the proposal and sign it; every endorsing node can check the signature with the public key and read the proposal, but cannot modify it without invalidating the signature.
4. The joining device holds the blockchain write policy, i.e. it passes the access control list (ACL) permission check.
Whether the joining device may write to the blockchain is decided by the ACL rules. A device's ACL policy is usually pre-assigned by the administrator, or all joining devices may share one policy; the embodiment does not restrict this.
Once verification passes, the endorsing node takes the proposal as input and invokes the chaincode function, which computes the transaction result against the current ledger state; the result can include a return value and a read-write set. The ledger is not updated at this point. The endorsing node signs the result and returns it to the client together with a yes/no endorsement; this reply is called the proposal response, and because it does not update the ledger the result is called a simulated transaction result.
The return value is pre-stored by the endorsing node and represents the particular transaction. The read-write set consists of a read set and a write set: for a read operation r the read set is (r, r-result); for a write operation w the write set is (w, w-result). The proposal response must be signed by the endorsing node with its private key.
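The checks of step 303 and the signed proposal response, worked through as an added example. This is illustration code written for this page, not code from the patent or from any product it describes. It uses only the Go standard library. Assumptions: identities are plain labels mapped to ECDSA P-256 public keys (standing in for the CA-issued identity certificate); the transaction id is derived from a random nonce and the creator label, modelled on how Hyperledger Fabric forms transaction ids; and the network-access contract logic (read the device record, propose an admission write) is invented for the illustration. The endorser never writes the ledger; it only records which transaction ids it has already endorsed.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// Proposal carries what step 302 lists: contract id, method, parameters and the client signature.
// Creator and Nonce are assumptions: a label for the CA-issued identity and a random value that
// makes every proposal's id unique (modelled on how Hyperledger Fabric forms transaction ids).
type Proposal struct {
	Creator, Contract, Method string
	Nonce, Signature          []byte
	Params                    map[string]string // account, MAC address, PIN or identifier
}
// digest is what the client signs and every endorser verifies (fmt prints maps in key order).
func (p *Proposal) digest() []byte {
	h := sha256.Sum256([]byte(fmt.Sprintf("%x|%s|%s|%s|%v", p.Nonce, p.Creator, p.Contract, p.Method, p.Params)))
	return h[:]
}
// TxID is derived from creator and nonce, so a resubmitted proposal is recognised by its id alone.
func (p *Proposal) TxID() string {
	h := sha256.Sum256([]byte(fmt.Sprintf("%s|%x", p.Creator, p.Nonce)))
	return fmt.Sprintf("%x", h[:])
}

// NewProposal is the client SDK side of step 302: fresh nonce, then sign the whole proposal.
func NewProposal(key *ecdsa.PrivateKey, creator, contract, method string, params map[string]string) (*Proposal, error) {
	p := &Proposal{Creator: creator, Contract: contract, Method: method, Nonce: make([]byte, 24), Params: params}
	if _, err := rand.Read(p.Nonce); err != nil {
		return nil, err
	}
	sig, err := ecdsa.SignASN1(rand.Reader, key, p.digest())
	p.Signature = sig
	return p, err
}

// Response is the proposal reply of step 303: simulated read/write set plus a yes/no endorsement.
type Response struct {
	EndorserID, TxID, Reason string
	Endorsed                 bool
	ReadSet, WriteSet        map[string]string
	Signature                []byte
}
func (r *Response) digest() []byte {
	h := sha256.Sum256([]byte(fmt.Sprintf("%s|%s|%t|%v|%v", r.EndorserID, r.TxID, r.Endorsed, r.ReadSet, r.WriteSet)))
	return h[:]
}

// VerifyResponse is what the client (step 304) and the committer (step 306) do before counting an endorsement.
func VerifyResponse(pub *ecdsa.PublicKey, r *Response) bool {
	return ecdsa.VerifyASN1(pub, r.digest(), r.Signature)
}

// Endorser holds what one endorsing peer needs for the four checks of step 303.
type Endorser struct {
	ID      string
	Key     *ecdsa.PrivateKey
	PubKeys map[string]*ecdsa.PublicKey // creator -> public key taken from its identity certificate
	ACL     map[string]bool             // creators allowed to write (check 4)
	Seen    map[string]bool             // tx ids already endorsed (check 2)
	State   map[string]string           // world state as this peer sees it; Endorse never writes it
}

// Endorse runs checks 1 to 4, simulates the contract and signs the reply. The signature is checked
// first so that a forged proposal cannot poison Seen with ids the real client has yet to use.
func (e *Endorser) Endorse(p *Proposal) (*Response, error) {
	id := p.TxID()
	pub, ok := e.PubKeys[p.Creator]
	if !ok || !ecdsa.VerifyASN1(pub, p.digest(), p.Signature) {
		return &Response{EndorserID: e.ID, TxID: id, Reason: "client signature invalid"}, nil // checks 1 and 3
	}
	if e.Seen[id] {
		return &Response{EndorserID: e.ID, TxID: id, Reason: "proposal already submitted"}, nil // check 2: replay
	}
	e.Seen[id] = true
	if !e.ACL[p.Creator] {
		return &Response{EndorserID: e.ID, TxID: id, Reason: "creator lacks write permission"}, nil // check 4: ACL
	}
	k := "device/" + p.Params["mac"] // assumed contract logic: read the device record, propose the admission write
	r := &Response{EndorserID: e.ID, TxID: id, Endorsed: true,
		ReadSet: map[string]string{k: e.State[k]}, WriteSet: map[string]string{k: "admitted:" + p.Params["account"]}}
	sig, err := ecdsa.SignASN1(rand.Reader, e.Key, r.digest())
	r.Signature = sig
	return r, err
}

func main() {
	client, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	peer, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	e := &Endorser{ID: "peer0", Key: peer, PubKeys: map[string]*ecdsa.PublicKey{"dev-01": &client.PublicKey}, ACL: map[string]bool{"dev-01": true}, Seen: map[string]bool{}, State: map[string]string{}}
	p, _ := NewProposal(client, "dev-01", "netaccess", "join", map[string]string{"account": "acct-7", "mac": "00:11:22:33:44:55"})
	r1, _ := e.Endorse(p)
	r2, _ := e.Endorse(p) // the same proposal sent again is a replay
	fmt.Println(r1.Endorsed, VerifyResponse(&peer.PublicKey, r1), r2.Endorsed, r2.Reason)
}
```

The order of the checks matters: a proposal whose signature does not verify is rejected before its id is recorded, so an attacker replaying captured ids cannot block the legitimate client. The ACL check is applied after the replay check so that a permission-denied reply for an already-seen id is indistinguishable from the replay case only by the stated reason, not by any ledger side effect, since the simulation never touches State.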
304: When the joining device's client receives the proposal responses from the endorsing nodes, it checks whether the transaction results they carry agree with the expected result of the network-access transaction proposal, and whether enough endorsing nodes have replied (this step can follow a predetermined endorsement policy). If there are not enough endorsements, the network-access authentication is aborted, the transaction for this authentication is discarded, and the joining device cannot access the network. Otherwise the client packages the transaction proposal, the simulated transaction results and the endors    ement information into a transaction request, signs it, and sends it to the ordering node.
The endorsement policy specifies which endorsing nodes must agree. With n endorsing nodes in the whole blockchain network, not every node needs to return a confirmation that the transaction is valid; whether confirmation by the whole network or by some number of nodes is required can be fixed in advance by the endorsement policy.
305: On receiving the transaction request sent by the joining device's client SDK, the ordering node performs consensus ordering, packages the transaction proposals into a block, and sends the block to the committing nodes.
306: On receiving the block, the committing node checks each transaction in it: whether the inputs and outputs the transaction depends on match the current state of the blockchain, and whether the endorsement policy is satisfied. Once the checks pass it appends the block to its local blockchain and updates the ledger.
This step involves the following:
1. Running the validation logic, i.e. checking the endorsement policy.
This can be done by the validation system chaincode (VSCC), a system contract used for validation. It verifies that each endorsement is valid by checking that the certificate is valid and that the signature was produced by the corresponding certificate, that the number of endorsements meets the predefined endorsement policy, and that the endorsements come from the expected endorsing nodes.
2. Marking which transactions in the block are valid and which are invalid.
3. Appending the block to the blockchain in memory or on the file system.
4. Writing the valid transactions of the block to the state database.
5. Emitting event messages so that the client SDK learns which transactions were valid or invalid.
307: Once the client SDK observes the network-access transaction confirmation emitted by the committing node, the trusted network-access authentication of the joining device is complete.
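Steps 304 and 306, the endorsement-policy check on the client and the validation at the committing node, as an added example in Go. This is illustration code, not code from the patent. Endorsement signatures are taken as already verified (the signing and verification routine is not repeated here); the example concentrates on the decisions the text describes: do the endorsers agree and are there enough of them from the expected organisations, has the transaction id been committed before, and is each transaction's read set still current when the block is applied. Per-key versions in the read set and the N-of-M policy over organisations are assumptions modelled on Hyperledger Fabric; the text itself gives only (r, r-result) and "enough endorsements".

```go
package main

import "fmt"

// RWSet is the simulated read-write set an endorser returns: the version of each key it read and
// the values it proposes to write. Per-key versions are an assumption; the text shows (r, r-result).
type RWSet struct {
	Reads  map[string]uint64
	Writes map[string]string
}
// Endorsement is one proposal response whose signature has already been verified (assumed done).
type Endorsement struct {
	Endorser, Org string
	RWSet         RWSet
}
// Policy is an N-of-M rule over organisations, e.g. any 2 of {OrgA, OrgB, OrgC}.
type Policy struct {
	Required int
	Orgs     []string
}
// Transaction is what the client packages for the ordering node in step 304.
type Transaction struct {
	TxID         string
	RWSet        RWSet
	Endorsements []Endorsement
}

// fingerprint gives equal read-write sets equal strings (fmt prints maps in key order).
func fingerprint(rw RWSet) string { return fmt.Sprintf("%v|%v", rw.Reads, rw.Writes) }

// orgsEndorsing counts the distinct policy organisations whose endorsement agrees with rw.
func orgsEndorsing(rw RWSet, ends []Endorsement, pol Policy) int {
	seen := map[string]bool{}
	for _, e := range ends {
		for _, o := range pol.Orgs {
			if e.Org == o && fingerprint(e.RWSet) == fingerprint(rw) {
				seen[o] = true
			}
		}
	}
	return len(seen)
}

// Assemble is the client check of step 304: all responses must carry the same simulated result and
// enough organisations must have endorsed it before a request is sent for ordering.
func Assemble(txID string, ends []Endorsement, pol Policy) (*Transaction, error) {
	for i := 1; i < len(ends); i++ {
		if fingerprint(ends[i].RWSet) != fingerprint(ends[0].RWSet) {
			return nil, fmt.Errorf("%s: endorser %s returned a different result", txID, ends[i].Endorser)
		}
	}
	if len(ends) == 0 || orgsEndorsing(ends[0].RWSet, ends, pol) < pol.Required {
		return nil, fmt.Errorf("%s: endorsement policy not satisfied", txID)
	}
	return &Transaction{TxID: txID, RWSet: ends[0].RWSet, Endorsements: ends}, nil
}

// Ledger is the committer's world state plus the ids of committed transactions.
type Ledger struct {
	Values    map[string]string
	Versions  map[string]uint64
	Committed map[string]bool
}

func (l *Ledger) readsCurrent(rw RWSet) bool {
	for k, ver := range rw.Reads {
		if l.Versions[k] != ver {
			return false
		}
	}
	return true
}

// Commit is step 306: transactions are validated in block order and marked VALID or INVALID; only
// valid write sets reach the state. A read whose version moved since simulation is stale and is rejected.
func (l *Ledger) Commit(block []Transaction, pol Policy) []string {
	status := make([]string, 0, len(block))
	for _, tx := range block {
		switch {
		case l.Committed[tx.TxID]:
			status = append(status, "INVALID: duplicate tx id")
		case orgsEndorsing(tx.RWSet, tx.Endorsements, pol) < pol.Required:
			status = append(status, "INVALID: endorsement policy not satisfied")
		case !l.readsCurrent(tx.RWSet):
			status = append(status, "INVALID: read set out of date")
		default:
			for k, v := range tx.RWSet.Writes {
				l.Values[k], l.Versions[k] = v, l.Versions[k]+1
			}
			l.Committed[tx.TxID] = true
			status = append(status, "VALID")
		}
	}
	return status
}

func main() {
	pol, l := Policy{Required: 2, Orgs: []string{"OrgA", "OrgB", "OrgC"}}, &Ledger{map[string]string{}, map[string]uint64{}, map[string]bool{}}
	rw := RWSet{Reads: map[string]uint64{"device/aa": 0}, Writes: map[string]string{"device/aa": "admitted:acct-7"}}
	tx1, _ := Assemble("tx-1", []Endorsement{{"peerA", "OrgA", rw}, {"peerB", "OrgB", rw}}, pol)
	tx2, _ := Assemble("tx-2", []Endorsement{{"peerA", "OrgA", rw}, {"peerC", "OrgC", rw}}, pol) // simulated on the same, now stale, read
	fmt.Println(l.Commit([]Transaction{*tx1, *tx2}, pol), l.Values)
}
```

Two transactions simulated against the same ledger state and writing the same key cannot both be valid: the first to be ordered commits and bumps the key's version, the second is marked invalid because the version it read no longer matches. This is the check behind "whether the inputs and outputs the transaction depends on match the current state of the blockchain"; marking rather than silently dropping the transaction is what lets step 5 (the event to the client SDK) report the outcome.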
Second embodiment:
As shown in Figure 4, this embodiment also treats the network-access authentication of any network device in the blockchain network as one blockchain transaction, but assumes that every physical device in the network takes part in authenticating and recording transactions. The joining device initiates a transaction request through the client SDK and broadcasts it to the nodes of the blockchain network; the nodes that receive it validate the transaction; the first node to finish validation packages several transactions into a block and sends it to the other nodes, which append the new block to their blockchains, completing the transaction. The flow, shown in Figure 5, is as follows:
501: Through the client SDK, the joining device calls the certificate service CA, registers and enrols with the service centre, and obtains an identity certificate;
502: Through the client SDK, the joining device constructs a network-access transaction proposal carrying the identifier of the contract to be invoked for this network access, the contract method and parameters, and the client signature, and broadcasts it to the other nodes in the blockchain network;
The parameters may include the network-access account, the joining device's MAC address, and a PIN or other identifier. The client signature can be made with the key bound to the identity certificate.
503: The nodes that receive the proposal collect the hashes of multiple transactions into a block (each block may hold several transactions) and validate the transactions under a consensus algorithm such as proof of work (PoW) or proof of stake (PoS). The node that finishes validation first broadcasts its block to the other nodes; in Figure 5, node 1 finishes first and nodes 2 to n receive the block sent by node 1. Node 1 also returns a network-access transaction-valid confirmation to the client SDK.
504: On receiving the block from the node that finished first, the other nodes check that the transactions are valid, that none is a duplicate and that the signatures are valid; if so they accept the block, which is then part of the blockchain and can no longer be altered;
In this step each node that accepts the block acts as a committing node, updates its local ledger, and also returns a network-access transaction-valid confirmation to the client SDK.
505: Once the client SDK observes a valid network-access transaction confirmation, the trusted network-access authentication of the device is complete.
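Steps 503 and 504 of the second embodiment, as an added example in Go that is not code from the patent: a node mines a block over the transaction hashes it collected, and a receiving node accepts the block only if it extends the node's local tip, meets the proof-of-work target, and contains no transaction that is already on the chain or repeated within the block. Each transaction's signature is assumed to have been checked before its hash reaches this code (that routine is not repeated here). The difficulty, the "genesis" marker and the proposal bytes are constructed for the illustration.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"strings"
)

// Difficulty is the number of leading zero hex digits a block hash must have.
// It is tiny here so the example runs instantly; a real network retunes it continuously.
const Difficulty = 3

// Block is what a node assembles in step 503: the previous block's hash, the hashes of the
// transactions it validated, and the proof-of-work nonce.
type Block struct {
	Prev  string
	TxIDs []string
	Nonce uint64
}

// TxHash is the transaction hash collected into a block (SHA-256 over the proposal bytes).
func TxHash(proposal []byte) string {
	h := sha256.Sum256(proposal)
	return hex.EncodeToString(h[:])
}

func (b Block) Hash() string {
	h := sha256.Sum256([]byte(fmt.Sprintf("%s|%v|%d", b.Prev, b.TxIDs, b.Nonce)))
	return hex.EncodeToString(h[:])
}

func (b Block) meetsTarget() bool {
	return strings.HasPrefix(b.Hash(), strings.Repeat("0", Difficulty))
}

// Mine searches the nonce space until the block hash meets the target.
func Mine(prev string, txIDs []string) Block {
	b := Block{Prev: prev, TxIDs: txIDs}
	for !b.meetsTarget() {
		b.Nonce++
	}
	return b
}

// Chain is one node's copy of the ledger plus every transaction id it already holds.
type Chain struct {
	Blocks []Block
	Seen   map[string]bool
}

func NewChain() *Chain { return &Chain{Seen: map[string]bool{}} }

func (c *Chain) Tip() string {
	if len(c.Blocks) == 0 {
		return "genesis"
	}
	return c.Blocks[len(c.Blocks)-1].Hash()
}

// Accept is step 504 on a receiving node: the block must extend the local tip, carry valid
// proof of work, and hold no transaction the chain already has and none twice. Nothing is
// recorded unless every check passes, so a rejected block leaves Seen untouched.
func (c *Chain) Accept(b Block) error {
	if b.Prev != c.Tip() {
		return errors.New("block does not extend the local tip")
	}
	if !b.meetsTarget() {
		return errors.New("proof of work invalid")
	}
	inBlock := map[string]bool{}
	for _, id := range b.TxIDs {
		if c.Seen[id] || inBlock[id] {
			return fmt.Errorf("duplicate transaction %s", id)
		}
		inBlock[id] = true
	}
	c.Blocks = append(c.Blocks, b)
	for id := range inBlock {
		c.Seen[id] = true
	}
	return nil
}

func main() {
	c := NewChain()
	join := TxHash([]byte("netaccess|join|acct-7|00:11:22:33:44:55|<client signature>")) // constructed proposal bytes
	fmt.Println(c.Accept(Mine(c.Tip(), []string{join})))  // <nil>: the admission is recorded
	fmt.Println(c.Accept(Mine(c.Tip(), []string{join})))  // duplicate transaction: the same admission replayed
}
```

The duplicate check runs over both the chain's history and the block being accepted, so a replayed network-access transaction is refused even when it arrives in a well-formed block with valid proof of work; the proof of work alone says nothing about whether a transaction was already admitted.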
The following embodiments describe devices that execute the method flows above; for details refer to the description of the preceding embodiments, which is not repeated.
An embodiment of the invention provides a network device, shown in Figure 6, which is an authentication-initiating device and comprises:
a proposal generating unit 601, configured to generate a transaction proposal containing the authentication information of a trusted-authentication object;
a sending unit 602, configured to send the transaction proposal to nodes in the blockchain;
a confirmation unit 603, configured to confirm that trusted authentication has succeeded after receiving a transaction-valid confirmation returned by the nodes in the blockchain.
In one possible implementation, the authentication-initiating device is a joining device and the trusted-authentication object is network-access authentication:
the proposal generating unit 601 is configured to generate a network-access transaction proposal;
the sending unit 602 is configured to send the network-access transaction proposal to nodes in the blockchain;
the confirmation unit 603 is configured to confirm that the network-access transaction has succeeded after receiving a transaction-valid confirmation returned by the nodes in the blockchain.
In one possible implementation, the proposal generating unit 601 is configured to obtain the identity certificate of the joining device, which nodes in the blockchain use to identify the joining device, and to generate the joining device's network-access transaction proposal containing the contract verification information required for network access together with the identity certificate.
In one possible implementation, the sending unit 602 is configured to send the network-access transaction proposal to endorsing nodes in the blockchain and, after receiving the endorsement results returned by the endorsing nodes, to send a transaction request containing the endorsement results and the transaction proposal to the ordering node;
the confirmation unit 603 is configured to confirm that the network-access transaction has succeeded after receiving a transaction-valid confirmation for that transaction proposal returned by a committing node in the blockchain.
In one possible implementation, the sending unit 602 receiving the endorsement results and then sending the transaction request to the ordering node comprises: receiving the proposal responses returned by the endorsing nodes, each containing the transaction result of the network-access transaction proposal and endorsement information that indicates whether the endorsing node endorses the proposal; and, once the number of endorsing nodes that endorse it reaches a threshold, sending the transaction request to the ordering node, carrying the transaction proposal, the transaction result and the endorsement information, or carrying the transaction result and the endorsement information.
In one possible implementation, the contract verification information comprises the contract identifier, the contract method and the network-access parameters.
In one possible implementation, the proposal generating unit 601 obtaining the identity certificate of the joining device comprises: calling the certificate service through the client software development kit (SDK) to register and enrol with the certificate service, and receiving the identity certificate the certificate service allocates to the joining device.
An embodiment of the invention provides a blockchain node, shown in Figure 7, which can take the role of the endorsing node or the committing node described above and comprises:
a receiving unit 701, configured to receive the transaction proposal sent by the authentication-initiating device;
an information obtaining unit 702, configured to obtain the authentication information of the trusted-authentication object from the transaction proposal;
a verification unit 703, configured to verify the transaction proposal using that authentication information.
In one possible implementation, the authentication-initiating device is a joining device and the trusted-authentication object is network-access authentication:
the receiving unit 701 is configured to receive the network-access transaction proposal sent by the joining device;
the information obtaining unit 702 is configured to obtain from the network-access transaction proposal the contract verification information required for the joining device to access the network and the identity certificate of the joining device, which identifies the joining device;
the verification unit 703 is configured to verify the transaction proposal according to the contract verification information and obtain a transaction result;
the blockchain node further comprises:
an information generating unit 704, configured to generate endorsement information indicating whether the node endorses the network-access transaction proposal;
a sending unit 705, configured to send the transaction result and the endorsement information to the joining device.
In one possible implementation, the verification unit 703 is configured to verify the transaction proposal according to the contract verification information by invoking the chaincode function with the transaction proposal as input parameter to obtain the transaction result.
In one possible implementation, after the transaction result and the endorsement information have been sent to the joining device, the receiving unit 701 is further configured to:
receive from the ordering node the block containing the joining device's transaction proposal, together with the transaction result and the endorsement information;
verify the transactions in the block according to the transaction result and the endorsement information, update the ledger once verification passes, and send a transaction-valid confirmation to the joining device.
An embodiment of the invention provides a blockchain node, shown in Figure 8, which can take the role of the ordering node described above and comprises:
a receiving unit 801, configured to receive the transaction request sent by the joining device;
an obtaining unit 802, configured to obtain the transaction proposal, the transaction result and the endorsement information carried in the transaction request; the transaction result is the result produced by simulating the joining device's network-access transaction proposal, and the endorsement information records whether nodes in the blockchain endorse that proposal;
a sending unit 803, configured to send the block containing the transaction proposal, together with the transaction result and the endorsement information, to nodes in the blockchain, and, once those nodes pass verification, to send a transaction-valid confirmation to the joining device.
An embodiment of the invention provides a blockchain network, shown in Figure 2, comprising a joining device and blockchain nodes; the joining device is configured to execute any one of the methods provided in the first aspect.
In one possible implementation, the nodes of the blockchain include an endorsing node and an ordering node; the endorsing node
An embodiment of the invention also provides a network device, which can be a joining device or a node in the blockchain. As shown in Figure 9, it comprises a processor 901, a memory 902 and a communication interface 903, connected so that they can communicate with one another.
The memory 902 includes but is not limited to random access memory (RAM), read-only memory (ROM), erasable programmable read-only memory (EPROM) or compact disc read-only memory (CD-ROM), and holds the relevant instructions and data. The communication interface 903 receives and sends data.
The processor 901 may be one or more central processing units (CPUs); where the processor 901 is a single CPU, that CPU may be single-core or multi-core.
The processor 901 of the network device reads the program code and, in cooperation with the communication interface 903, implements any of the method flows executed by the joining device in the embodiments of the invention; or the processor 901 reads the program code and, in cooperation with the communication interface 903, implements any of the method flows executed by a blockchain node in the embodiments of the invention.
In this embodiment the communication interface 903 corresponds to the receiving and sending functional units of the devices in the preceding embodiments, and the functions of the other functional units of those devices are carried out by the processor 901.
An embodiment of the invention also provides a storage medium storing program code; the program code comprises program instructions which, when executed by a processor, cooperate with a communication interface to implement any of the method flows provided by the embodiments of the invention.
An embodiment of the invention also provides a software program comprising program code; the program code comprises program instructions which, when executed by a processor, cooperate with a communication interface to implement any of the method flows provided by the embodiments of the invention.
The storage medium may be any computer-readable storage medium, and executing the software program may carry out the flows of the method embodiments above. Such storage media include ROM, RAM, magnetic disks, optical discs and other media that can store program code.

Claims (28)

  1. A trusted authentication method, characterized in that it comprises:
    an authentication initiating device generating a transaction proposal, the transaction proposal containing authentication information of a trusted authentication object;
    the authentication initiating device sending the transaction proposal to a node in the blockchain;
    the authentication initiating device confirming that trusted authentication has succeeded after receiving a transaction validity confirmation returned by the node in the blockchain.
  2. The method according to claim 1, characterized in that the authentication initiating device is a network access device, the trusted authentication object is network access authentication, and the authentication initiating device generating the transaction proposal comprises:
    the network access device generating a network access transaction proposal;
    the authentication initiating device sending the transaction proposal to the node in the blockchain comprises: the network access device sending the network access transaction proposal to the node in the blockchain;
    the authentication initiating device confirming that trusted authentication has succeeded after receiving the transaction validity confirmation returned by the node in the blockchain comprises: the network access device confirming that the network access transaction has succeeded after receiving the transaction validity confirmation returned by the node in the blockchain.
  3. The method according to claim 2, characterized in that the network access device generating the network access transaction proposal comprises:
    the network access device obtaining an identity certificate of the network access device, the identity certificate being used by a node in the blockchain to identify the network access device;
    the network access device generating the network access transaction proposal of the network access device, the network access transaction proposal containing the contract verification information required for network access and the identity certificate.
  4. The method according to claim 3, characterized in that sending the network access transaction proposal to the node in the blockchain comprises:
    sending the network access transaction proposal to an endorsing node in the blockchain;
    after receiving an endorsement result returned by the endorsing node, sending a transaction request to an ordering node, the transaction request containing the endorsement result and a proposed transaction;
    and confirming that the network access transaction has succeeded after receiving the transaction validity confirmation returned by the node in the blockchain comprises:
    confirming that the network access transaction has succeeded after receiving the transaction validity confirmation returned by a committing node in the blockchain for the proposed transaction.
  5. The method according to claim 4, characterized in that sending the transaction request to the ordering node after receiving the endorsement result returned by the endorsing node comprises:
    receiving a proposal response returned by the endorsing node, the proposal response containing the transaction result of the network access transaction proposal and endorsement information, the endorsement information indicating whether the endorsing node endorses the network access transaction proposal;
    when the number of endorsing nodes that have endorsed reaches a threshold, sending the transaction request to the ordering node, the transaction request carrying the proposed transaction, the transaction result and the endorsement information, or carrying the transaction result and the endorsement information.
  6. The method according to any one of claims 3 to 5, characterized in that the contract verification information comprises a contract identifier, a contract method and parameter information for network access.
  7. The method according to any one of claims 3 to 5, characterized in that the network access device obtaining the identity certificate of the network access device comprises:
    the network access device invoking a certificate service through a client software development kit (SDK) to initiate registration and enrollment with the certificate service, and receiving the identity certificate assigned to the network access device by the certificate service.
  8. A trusted authentication method, characterized in that it comprises:
    receiving a transaction proposal sent by an authentication initiating device;
    obtaining authentication information of a trusted authentication object from the transaction proposal;
    verifying the transaction proposal using the authentication information.
  9. The method according to claim 8, characterized in that the authentication initiating device is a network access device, the trusted authentication object is network access authentication, and receiving the transaction proposal sent by the authentication initiating device comprises:
    receiving a network access transaction proposal sent by the network access device;
    obtaining the authentication information of the trusted authentication object from the transaction proposal comprises:
    obtaining, from the network access transaction proposal, the contract verification information required for the network access device to access the network and the identity certificate of the network access device, the identity certificate being used to identify the network access device;
    verifying the transaction proposal using the authentication information comprises: verifying the transaction proposal according to the contract verification information to obtain a transaction result, and generating endorsement information, the endorsement information indicating whether the network access transaction proposal is endorsed;
    and the method further comprises: sending the transaction result and the endorsement information to the network access device, or carrying the transaction result and the endorsement information in the transaction request.
  10. The method according to claim 9, characterized in that verifying the transaction proposal according to the contract verification information to obtain the transaction result comprises:
    verifying the transaction proposal according to the contract verification information, and invoking a chaincode function with the transaction proposal as an input parameter to obtain the transaction result.
  11. The method according to claim 9 or 10, characterized in that, after sending the transaction result and the endorsement information to the network access device, the method further comprises:
    receiving, from an ordering node, the block of the proposed transaction of the network access device together with the transaction result and the endorsement information;
    verifying the transactions in the block according to the transaction result and the endorsement information, updating the ledger after verification passes, and sending a transaction validity confirmation to the network access device.
  12. A network device authentication method, characterized in that it comprises:
    an ordering node receiving a transaction request sent by a network access device and obtaining the proposed transaction, transaction result and endorsement information carried in the transaction request, the transaction result being the result produced by simulating the transaction with the network access transaction proposal of the network access device, and the endorsement information being information on whether nodes in the blockchain endorse the network access transaction proposal;
    sending the block of the proposed transaction, together with the transaction result and the endorsement information, to nodes in the blockchain;
    after verification by the nodes in the blockchain passes, sending a transaction validity confirmation to the network access device.
  13. A network device, the network device being an authentication initiating device, characterized in that it comprises:
    a proposal generation unit, configured to generate a transaction proposal, the transaction proposal containing authentication information of a trusted authentication object;
    a sending unit, configured to send the transaction proposal to a node in the blockchain;
    a confirmation unit, configured to confirm that trusted authentication has succeeded after receiving a transaction validity confirmation returned by the node in the blockchain.
  14. The network device according to claim 13, characterized in that the authentication initiating device is a network access device and the trusted authentication object is network access authentication,
    the proposal generation unit is configured to generate a network access transaction proposal;
    the sending unit is configured to send the network access transaction proposal to a node in the blockchain;
    the confirmation unit is configured to confirm that the network access transaction has succeeded after receiving the transaction validity confirmation returned by the node in the blockchain.
  15. The network device according to claim 14, characterized in that
    the proposal generation unit is configured to obtain the identity certificate of the network access device, the identity certificate being used by a node in the blockchain to identify the network access device, and to generate the network access transaction proposal of the network access device, the network access transaction proposal containing the contract verification information required for network access and the identity certificate.
  16. The network device according to claim 15, characterized in that
    the sending unit is configured to send the network access transaction proposal to an endorsing node in the blockchain and, after receiving an endorsement result returned by the endorsing node, to send a transaction request to an ordering node, the transaction request containing the endorsement result and a proposed transaction;
    the confirmation unit is configured to confirm that the network access transaction has succeeded after receiving the transaction validity confirmation returned by a committing node in the blockchain for the proposed transaction.
  17. The network device according to claim 16, characterized in that
    the sending unit sending the transaction request to the ordering node after receiving the endorsement result returned by the endorsing node comprises: receiving a proposal response returned by the endorsing node, the proposal response containing the transaction result of the network access transaction proposal and endorsement information, the endorsement information indicating whether the endorsing node endorses the network access transaction proposal; and, when the number of endorsing nodes that have endorsed reaches a threshold, sending the transaction request to the ordering node, the transaction request carrying the proposed transaction, the transaction result and the endorsement information, or carrying the transaction result and the endorsement information.
  18. The network device according to any one of claims 15 to 17, characterized in that the contract verification information comprises a contract identifier, a contract method and parameter information for network access.
  19. The network device according to any one of claims 15 to 17, characterized in that
    the proposal generation unit obtaining the identity certificate of the network access device comprises: invoking a certificate service through a client software development kit (SDK) to initiate registration and enrollment with the certificate service, and receiving the identity certificate assigned to the network access device by the certificate service.
  20. A blockchain node, characterized in that it comprises:
    a receiving unit, configured to receive a transaction proposal sent by an authentication initiating device;
    an information acquisition unit, configured to obtain authentication information of a trusted authentication object from the transaction proposal;
    a verification unit, configured to verify the transaction proposal using the authentication information.
  21. The blockchain node according to claim 20, characterized in that the authentication initiating device is a network access device and the trusted authentication object is network access authentication,
    the receiving unit is configured to receive a network access transaction proposal sent by the network access device;
    the information acquisition unit is configured to obtain, from the network access transaction proposal, the contract verification information required for the network access device to access the network and the identity certificate of the network access device, the identity certificate being used to identify the network access device;
    the verification unit is configured to verify the transaction proposal according to the contract verification information to obtain a transaction result;
    and the blockchain node further comprises:
    an information generation unit, configured to generate endorsement information, the endorsement information indicating whether the network access transaction proposal is endorsed;
    a sending unit, configured to send the transaction result and the endorsement information to the network access device.
  22. The blockchain node according to claim 21, characterized in that
    the verification unit is configured to verify the transaction proposal according to the contract verification information and to invoke a chaincode function with the transaction proposal as an input parameter to obtain the transaction result.
  23. The blockchain node according to claim 21 or 22, characterized in that
    the receiving unit is further configured, after the transaction result and the endorsement information have been sent to the network access device, to:
    receive, from an ordering node, the block of the proposed transaction of the network access device together with the transaction result and the endorsement information;
    verify the transactions in the block according to the transaction result and the endorsement information, update the ledger after verification passes, and send a transaction validity confirmation to the network access device.
  24. A blockchain node, characterized in that it comprises:
    a receiving unit, configured to receive a transaction request sent by a network access device;
    an acquisition unit, configured to obtain the proposed transaction, transaction result and endorsement information carried in the transaction request, the transaction result being the result produced by simulating the transaction with the network access transaction proposal of the network access device, and the endorsement information being information on whether nodes in the blockchain endorse the network access transaction proposal;
    a sending unit, configured to send the block of the proposed transaction, together with the transaction result and the endorsement information, to nodes in the blockchain and, after verification by the nodes in the blockchain passes, to send a transaction validity confirmation to the network access device.
  25. A blockchain network, comprising a network access device and blockchain nodes, characterized in that
    the network access device is configured to execute the method according to any one of claims 1 to 7.
  26. The network according to claim 25, characterized in that the blockchain nodes comprise an endorsing node and an ordering node, the endorsing node being configured to execute the method according to any one of claims 8 to 11 and the ordering node being configured to execute the method according to claim 12.
  27. A blockchain node, comprising a processor, a memory and a communication interface, the processor, the memory and the communication interface being communicatively connected, characterized in that
    program code is stored in the memory;
    the processor is configured to read the program code and, in cooperation with the communication interface, to implement the method flow of any one of claims 1 to 12.
  28. A storage medium, characterized in that program code is stored in the storage medium, the program code comprising program instructions which, when executed by a processor, cooperate with a communication interface to implement the method flow of any one of claims 1 to 12.
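The flow claimed in claims 1 to 12 (device builds a proposal carrying its identity certificate and contract verification information, endorsing nodes simulate the chaincode and sign the result, the device submits once the endorsement threshold is met, the ordering node cuts a block, and committing nodes re-verify the endorsements and read-set versions before updating the ledger and returning the validity confirmation) is modelled below in plain Python. This is an added example, not code from the patent or from any Hyperledger Fabric release. Assumptions: per-peer HMAC keys stand in for the X.509/ECDSA signing identities of real endorsing peers, the network access chaincode is a Python function, identity certificates are plain strings, and the numeric threshold plays the role of the channel's endorsement policy. The example also shows the two failure modes a practitioner cares about: an unregistered certificate never collects enough endorsements, and a device that rewrites the endorsed result after collecting signatures is rejected at commit time.

```python
"""Endorse / order / commit flow of claims 1 to 12, modelled in plain Python.

Added example, not the patent's or Fabric's code. Assumptions: per-peer HMAC keys
replace X.509/ECDSA endorser identities, the chaincode is a Python function,
identity certificates are plain strings, THRESHOLD is the endorsement policy.
"""
import hashlib
import hmac
import json

THRESHOLD = 2  # endorsement policy: at least two distinct endorsing nodes must endorse

# Constructed endorser signing keys; the committing node holds the same keys to verify.
ENDORSER_KEYS = {"peer0.org1": b"key-org1", "peer0.org2": b"key-org2", "peer0.org3": b"key-org3"}

# Constructed set of identity certificates issued by the certificate service (claim 7).
REGISTERED_CERTS = {"cert:device-A", "cert:device-B"}


def canon(obj) -> bytes:
    """Canonical JSON so every node hashes the same bytes for the same proposal/result."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()


def sign(peer: str, msg: bytes) -> str:
    return hmac.new(ENDORSER_KEYS[peer], msg, hashlib.sha256).hexdigest()


def build_proposal(device_cert: str, device_id: str) -> dict:
    """Claims 3 and 6: identity certificate plus contract id, method and access parameters."""
    return {"cert": device_cert, "contract": "netaccess", "method": "join",
            "args": {"device": device_id}}


def netaccess_chaincode(proposal: dict, state: dict):
    """Claim 10: chaincode run with the proposal as input. Returns a read/write set or None."""
    if proposal["cert"] not in REGISTERED_CERTS:
        return None  # unknown certificate: refuse network access
    dev = proposal["args"]["device"]
    reads = {dev: state.get(dev, {}).get("version", 0)}
    writes = {dev: {"status": "admitted", "version": reads[dev] + 1}}
    return {"reads": reads, "writes": writes}


def endorse(peer: str, proposal: dict, state: dict) -> dict:
    """Claim 9: simulate only (no ledger write) and sign the result, or decline to endorse."""
    rwset = netaccess_chaincode(proposal, state)
    if rwset is None:
        return {"peer": peer, "endorsed": False, "result": None, "sig": None}
    digest = hashlib.sha256(canon(proposal) + canon(rwset)).digest()
    return {"peer": peer, "endorsed": True, "result": rwset, "sig": sign(peer, digest)}


def assemble_tx(proposal: dict, replies: list, threshold: int = THRESHOLD):
    """Claim 5: submit to the ordering node only once the endorsement threshold is met."""
    good = [r for r in replies if r["endorsed"]]
    if len({r["peer"] for r in good}) < threshold:
        return None
    return {"proposal": proposal, "result": good[0]["result"],
            "endorsements": [{"peer": r["peer"], "sig": r["sig"]} for r in good]}


def order(txs: list) -> dict:
    """Claim 12: the ordering node fixes an order and cuts a block; it does not validate."""
    return {"number": 1, "txs": list(txs)}


def validate_tx(tx: dict, state: dict, threshold: int = THRESHOLD) -> bool:
    """Claim 11: the committing node re-checks endorsements before touching the ledger.

    Each signature is recomputed over the proposal AND the result carried in the
    transaction, so a result altered after endorsement invalidates every signature.
    """
    digest = hashlib.sha256(canon(tx["proposal"]) + canon(tx["result"])).digest()
    valid = set()
    for e in tx["endorsements"]:
        if e["peer"] in ENDORSER_KEYS and hmac.compare_digest(sign(e["peer"], digest), e["sig"]):
            valid.add(e["peer"])
    if len(valid) < threshold:
        return False
    # Read-set version check: the state the endorsers simulated against must still be current.
    return all(state.get(k, {}).get("version", 0) == v for k, v in tx["result"]["reads"].items())


def commit(block: dict, state: dict) -> list:
    """Apply valid transactions; the returned flags are the 'transaction valid' confirmations."""
    flags = []
    for tx in block["txs"]:
        ok = validate_tx(tx, state)
        if ok:
            state.update(tx["result"]["writes"])
        flags.append(ok)
    return flags


def run_network_access(device_cert: str, device_id: str, state: dict, tamper: bool = False):
    """Device -> endorsers -> orderer -> committer. Returns the confirmation, or None if never submitted."""
    proposal = build_proposal(device_cert, device_id)
    replies = [endorse(p, proposal, state) for p in ENDORSER_KEYS]
    tx = assemble_tx(proposal, replies)
    if tx is None:
        return None  # too few endorsements: the device has nothing valid to send to the orderer
    if tamper:  # device rewrites the endorsed result; the signatures no longer match
        tx["result"]["writes"][device_id]["status"] = "admin"
    return commit(order([tx]), state)[0]
```

The point the model makes explicit is that the ordering node is not a trust anchor: it sees only the bundle the device hands it. What stops a device from admitting itself is that the committing node independently recomputes the endorser signatures over proposal plus result and counts only distinct endorsers it knows, and then checks that the read versions the endorsers saw are still current, so a stale or conflicting proposal is also refused.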
PCT/CN2020/104859 2019-07-30 2020-07-27 Trusted authentication method, network device, system and storage medium WO2021018088A1 (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN201910695902.4A CN112311735B (en) 2019-07-30 2019-07-30 Credible authentication method, network equipment, system and storage medium
CN201910695902.4 2019-07-30

Publications (1)

Publication Number Publication Date
WO2021018088A1 true WO2021018088A1 (en) 2021-02-04

Family

ID=74230223

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2020/104859 WO2021018088A1 (en) 2019-07-30 2020-07-27 Trusted authentication method, network device, system and storage medium

Country Status (2)

Country Link
CN (1) CN112311735B (en)
WO (1) WO2021018088A1 (en)

Cited By (10)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN112995167A (en) * 2021-02-20 2021-06-18 国网冀北电力有限公司计量中心 Kafka mechanism-based power utilization information acquisition method, block chain network and user side
CN113014676A (en) * 2021-04-21 2021-06-22 联通雄安产业互联网有限公司 System and method for storing Internet of things data into block chain based on SIM card
CN113362181A (en) * 2021-07-20 2021-09-07 永旗(北京)科技有限公司 Transaction method and system based on block chain
CN113360575A (en) * 2021-06-10 2021-09-07 广东浪潮智慧计算技术有限公司 Method, device, equipment and storage medium for supervising transaction data in alliance chain
CN113379419A (en) * 2021-06-25 2021-09-10 远光软件股份有限公司 Transaction information access method and system and computer equipment
CN113779605A (en) * 2021-09-14 2021-12-10 码客工场工业科技(北京)有限公司 Industrial internet Handle identification system analysis authentication method based on alliance chain
CN114745135A (en) * 2022-04-19 2022-07-12 西南石油大学 Block chain system for energy transaction based on V-raft consensus algorithm
CN115967697A (en) * 2022-12-27 2023-04-14 暨南大学 Mail blacklist sharing method based on block chain
CN116055069A (en) * 2023-04-03 2023-05-02 北京微芯感知科技有限公司 Distributed CA (conditional access) implementation method based on block chain
CN116633560A (en) * 2023-06-13 2023-08-22 北京交通大学 Privacy protection and supervision method for block chain multicast transaction mode

Families Citing this family (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN112950209B (en) * 2021-03-31 2023-05-09 苏州热工研究院有限公司 Nuclear power experience feedback information management method and system based on block chain
CN113240418B (en) * 2021-04-23 2024-01-12 上海和数软件有限公司 Block chain-based intelligent access control method and equipment for private data
CN113379420B (en) * 2021-06-25 2023-03-31 远光软件股份有限公司 Block chain execution intelligent contract method, computer equipment and block chain system

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN108235806A (en) * 2017-12-28 2018-06-29 深圳达闼科技控股有限公司 Method, device and system for safely accessing block chain, storage medium and electronic equipment
CN108416589A (en) * 2018-03-08 2018-08-17 深圳前海微众银行股份有限公司 Connection method, system and the computer readable storage medium of block chain node
EP3474172A1 (en) * 2017-10-19 2019-04-24 Bundesdruckerei GmbH Access control using a blockchain
US20190213333A1 (en) * 2017-12-01 2019-07-11 Alan Health And Science D/B/A Onpaceplus Decentralized data authentication system for creation of integrated lifetime health records
CN110049141A (en) * 2019-05-24 2019-07-23 南京工程学院 Internet of Things distributed authentication method and its framework based on block chain

Family Cites Families (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN109462472A (en) * 2017-09-06 2019-03-12 阿里巴巴集团控股有限公司 The methods, devices and systems of data encryption and decryption
US10528551B2 (en) * 2017-09-29 2020-01-07 Oracle International Corporation System and method for providing a representational state transfer proxy service for a blockchain cloud service
CN108921551B (en) * 2018-06-11 2021-07-27 西安纸贵互联网科技有限公司 Alliance block chain system based on Kubernetes platform
CN108833081B (en) * 2018-06-22 2021-01-05 中国人民解放军国防科技大学 Block chain-based equipment networking authentication method
CN109840771A (en) * 2019-04-01 2019-06-04 西安电子科技大学 A kind of block chain intimacy protection system and its method based on homomorphic cryptography



Also Published As

Publication number Publication date
CN112311735A (en) 2021-02-02
CN112311735B (en) 2021-11-19


Legal Events

Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application (Ref document number: 20846882; Country of ref document: EP; Kind code of ref document: A1)
NENP Non-entry into the national phase (Ref country code: DE)
122 Ep: pct application non-entry in european phase (Ref document number: 20846882; Country of ref document: EP; Kind code of ref document: A1)