CN-121984681-A - Cross-domain authentication method based on combination of blockchain and attribute encryption
Abstract
The invention relates to a cross-domain authentication method based on the combination of blockchain and attribute encryption, belonging to the technical field of network security. The method comprises the following steps: initiating identity authentication, completing the identity authentication in the local trust domain, uploading and publishing the identity authentication result, acquiring the identity authentication result, implementing cross-domain application access, the application requesting home-domain verification, and performing home-domain verification. The invention uses blockchain technology to achieve quick synchronization, authentication control and authentication-result sharing among a plurality of identity authentication servers, uses randomized attribute-encrypted information to keep the synchronized information controllable and secure, and designs an identity authentication method that combines on-chain and off-chain processing, giving flexible, efficient and secure identity authentication capability and user experience.
Inventors
- GAO JINGSHENG
- HAN LEI
- GUO XIAOXIAO
- WEI DAIXIAO
- ZHANG MAN
Assignees
- 北京计算机技术及应用研究所
Dates
- Publication Date: 20260505
- Application Date: 20260225
Claims (10)
- 1. A cross-domain authentication method based on the combination of blockchain and attribute encryption, characterized by comprising the following steps: S1, initiating identity authentication: a user initiates an authentication request to the authentication server of the local trust domain through an authentication terminal carrying a digital certificate; S2, the local trust domain completes identity authentication: user identity authentication is completed by the identity authentication server of the local trust domain; S3, after the local trust domain completes authentication, the authentication result is encrypted by an attribute encryption method, issued to the authentication terminal, and synchronously uplinked (put on the chain); S4, acquiring the identity authentication result: the authentication server of each node on the blockchain synchronously acquires the authentication result; S5, implementing cross-domain application access: the user carries the authentication result and accesses the application of the corresponding trust domain in a cross-domain manner, and after receiving the request the application extracts the encrypted authentication result; S6, the application requests the home domain to verify the identity: the cross-domain application accesses the local identity authentication server of the home domain and hands the encrypted authentication result to it, requesting verification of the user's identity; S7, home-domain identity verification: after receiving the request, the local identity authentication server of the home domain compares the received authentication result with the on-chain authentication result; if they are inconsistent, authentication failure information is returned; if they are consistent, a decryption operation is executed for further verification; because attribute encryption is adopted in the method, if the user does not have the corresponding attribute access authority, decryption fails and an authentication failure result is returned; if decryption succeeds, the authentication result is further verified, including time validity, identity validity and whether it has already been verified; if verification succeeds, the corresponding user information is returned, and authentication failure is returned if verification fails.
- 2. The cross-domain authentication method based on the combination of blockchain and attribute encryption as in claim 1, further comprising: providing a local information configuration management function covering trust domain information, authentication node basic information, administrator rights, external service ports, local node device certificates and blockchain communication nodes; registering application information, including application name, access address and external service port, with the authentication server inside the trust domain, the authentication server returning the identity authentication service address and port information; information uplink, comprising uplink of the server's own basic information and uplink of authentication results so that other identity authentication nodes can acquire the corresponding information, where the basic information comprises trust domain basic information, the authentication server certificate and application service information (application name, access address and port number), and the other nodes, after receiving the information, verify the validity of the identity authentication server based on the certificate, store the corresponding information locally after the verification passes, and synchronize the domain information and application information to the identity authentication terminal to support cross-domain access initiated by the terminal; an administrator completes the authentication authorization management function, ensuring that each trust domain identity authentication server has the authority to recognize authentication results: the administrator logs in to the system and, based on the applications, trust domains and identity authentication server information synchronized on the blockchain, configures the user cross-domain access authentication strategy that legal authentication servers of other trust domains can read, namely dynamic authorization of cross-domain authentication; the identity authentication server provides cross-domain identity authentication service externally, completes the off-chain comparison of authentication results, and returns the authentication result to the corresponding application in the local trust domain based on parsing and further verification of the authentication result by attribute identity; when a user accesses an application in a cross-domain manner, the verification of the user identity assertion is completed, the validity of the user identity is verified, and the user information is returned to the application; and the identity authentication server monitors the data on the chain and synchronizes legal data to the local store in time.
- 3. The cross-domain authentication method based on the combination of blockchain and attribute encryption of claim 1, wherein the method defines the configuration information format to include: a data head, used to identify the data type, for which the identifier 16 is adopted, with a length of 4 bytes; a source identifier, used to identify the sender of the data, with a length of 4 bytes; a receiving identification length, used to compute the number of receiving identifications; receiving identifications, identifying the data receivers, each identification being 4 bytes long, the receiving identification being fixed to 'x' when a message is broadcast; and the data body, namely the data content, delimited by a data length field.
- 4. The cross-domain authentication method based on the combination of blockchain and attribute encryption as recited in claim 3, further comprising supporting attribute encryption by distributing a public key to each identity authentication server, the process being completed between the authentication server and a public key infrastructure: the public key infrastructure generates the public key and distributes it to the authentication server; the authentication server first receives a public key certificate from the public key infrastructure and locally verifies the validity of the certificate; the authentication server encrypts its certificate server identification and basic information (comprising the authentication server address information) with the public key of the public key infrastructure and sends them, together with its own certificate, to the public key infrastructure; after receiving the basic information, the public key infrastructure encrypts the public key with the public key of the authentication server and sends it to the authentication server in an offline manner; and the authentication server stores it locally after receiving the data.
- 5. The cross-domain authentication method based on the combination of blockchain and attribute encryption as recited in claim 3, further comprising each identity authentication server issuing its own certificate information to the blockchain during start-up, packaging the certificate information according to the configuration information format with the receiver mark set to 'x', indicating that every server may receive the certificate information, and setting the message header to the attribute for synchronous issuing of certificate information, so that every identity authentication server recognizes the certificate information and downloads it.
- 6. The cross-domain authentication method based on the combination of blockchain and attribute encryption as recited in claim 3, wherein the cross-domain authentication control information uplink carries control information for configuring cross-domain access, and the method further comprises authorizing the attribute and achieving one-to-one synchronization of the information configuration by means of public key encryption.
- 7. The cross-domain authentication method based on the combination of blockchain and attribute encryption according to claim 6, wherein authentication server A issues configuration information and destination domain authentication server B receives it, comprising the following steps: 1) generating control data, in which A designates the attribute value required for decryption, namely the attribute value B must use to generate the decryption key when decrypting an authentication result; 2) data packaging, namely packaging the control data according to the configuration information format; 3) public key encryption, namely encrypting the data length and data body with the public key of the opposite party; 4) data uplink, namely completing the uplink of the packaged data through a blockchain transaction; 5) data synchronization, in which, after the data is uplinked, the other authentication servers connected to blockchain nodes synchronously receive the uplink transaction, parse the data packet from the transaction, extract the data header information, parse the data according to the configuration information format, extract the receiver identifiers, check whether the identifier list contains the receiver identifier or not, and discard the packet if the identifier list has the identifier; and 6) decrypting the data body and data length with the server's own private key and storing them in a database.
- 8. The cross-domain authentication method based on the combination of blockchain and attribute encryption as in claim 3, wherein the cross-domain access flow between user trust domain A and trust domain B comprises: 1) local authentication: the user, carrying an identity authentication carrier, sends an authentication request to the identity authentication server through the user authentication terminal; identity authentication server A verifies the identity credentials submitted by the user and the application information to be accessed, and generates an authentication result, called an authentication bill; 2) authentication result packaging according to the configuration information format: based on the application information accessed by the user, the authentication server information of the trust domain where the application is located is identified, and if the application belongs to the local domain the packaging is abandoned; 3) attribute encryption: attribute authority is set according to the published attribute information, an encryption key is generated in combination with the public key to encrypt the data body and data length, and the data packet is updated; 4) data uplink: the packet data is uplinked by means of a blockchain transaction; 5) after the data is uplinked, identity authentication server B queries its blockchain node for updates and acquires the data; 6) identity authentication server B checks the data format, builds the decryption key from the attribute value and the public key, and decrypts the data to obtain the authentication bill; 7) user cross-domain access: the user carries the bill to access the cross-domain application; the cross-domain application receives the access request and submits it to identity authentication server B to verify the user's identity; 8) after receiving the request, identity authentication server B completes the comparison of the on-chain and off-chain results and returns the comparison result; and 9) application service processing: after receiving the result, the application server returns the corresponding service information in combination with its own authority settings.
- 9. The cross-domain authentication method based on the combination of blockchain and attribute encryption according to claim 8, wherein steps 5)-6) and 7)-8) are carried out in parallel; because of network delay step 7) may precede step 5), so a timeout waiting mechanism is set, and the access is considered illegal if the data is not received within the timeout.
- 10. A cross-domain authentication system based on the combination of blockchain and attribute encryption that implements the method of any of claims 1-9, the system comprising: a user identity carrier, being the user identity credential carrier, implemented as a USBKey or smart card with an embedded digital certificate; an identity authentication terminal, being the terminal device that initiates identity authentication; an identity authentication server, deployed in each trust domain and providing identity authentication and cross-domain access services for the domain; a blockchain node, providing the blockchain ledger for storing and publishing cross-domain identity information, storing authentication results and acting as the sharing medium, the ledger being integrated with the identity authentication server according to actual needs; and an application system, deployed in each trust domain and providing business application services to the local domain and externally.
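As an added illustration that is not code from the patent or its assignee, the following Python implements the packet layout of claim 3 and the receive-side filtering of claim 7, step 5. The 4-byte data head, the 4-byte source and receiver identifiers and the broadcast marker 'x' come from claim 3; the widths of the receiver-count and data-length fields, big-endian byte order, zero-padding of short identifiers, the function names and the message type codes are assumptions made for this example. The public-key or attribute encryption of the data length and body (claim 7 step 3, claim 8 step 3) is out of scope here and the body is treated as opaque bytes. The receiver check is read as keeping packets that are broadcast or name this server and discarding the rest; because every length field arrives from the chain, the parser bounds-checks each field before using it.

```python
import struct
from dataclasses import dataclass
from typing import List, Optional

# Sizes from claim 3 (head and identifiers); count/length widths and byte order are assumed.
HEAD_LEN = 4          # data head: message type code, 4 bytes
ID_LEN = 4            # source / receiver identifiers, 4 bytes each
COUNT_LEN = 4         # receiving identification length (assumed 4-byte unsigned count)
DATALEN_LEN = 4       # data length field (assumed 4-byte unsigned)
BROADCAST_ID = b"x".ljust(ID_LEN, b"\x00")  # 'x' marks a broadcast; zero padding assumed
MAX_RECEIVERS = 1024  # constructed upper bound so a hostile count cannot drive a huge loop


def encode_id(name: str) -> bytes:
    """Encode a short ASCII name as a fixed 4-byte identifier (constructed convention)."""
    raw = name.encode("ascii")
    if not 0 < len(raw) <= ID_LEN:
        raise ValueError("identifier must be 1..4 ASCII bytes")
    if raw == b"x":
        raise ValueError("'x' is reserved for broadcast (claim 3)")
    return raw.ljust(ID_LEN, b"\x00")


@dataclass
class Message:
    head: int
    source: bytes
    receivers: List[bytes]
    body: bytes

    @property
    def is_broadcast(self) -> bool:
        return BROADCAST_ID in self.receivers


def pack_message(head: int, source: str, receivers: Optional[List[str]], body: bytes) -> bytes:
    """Package data in the claim 3 layout; receivers=None produces a broadcast ('x')."""
    recv_ids = [BROADCAST_ID] if receivers is None else [encode_id(r) for r in receivers]
    if not recv_ids:
        raise ValueError("at least one receiver is required")
    return (struct.pack(">I", head) + encode_id(source)
            + struct.pack(">I", len(recv_ids)) + b"".join(recv_ids)
            + struct.pack(">I", len(body)) + body)


def parse_message(buf: bytes) -> Message:
    """Parse one packet; every length comes from untrusted chain data, so check bounds per field."""
    off = 0

    def take(n: int) -> bytes:
        nonlocal off
        if off + n > len(buf):
            raise ValueError("truncated packet")
        chunk = buf[off:off + n]
        off += n
        return chunk

    head = struct.unpack(">I", take(HEAD_LEN))[0]
    source = take(ID_LEN)
    count = struct.unpack(">I", take(COUNT_LEN))[0]
    if count == 0 or count > MAX_RECEIVERS:
        raise ValueError("receiver count out of range")
    receivers = [take(ID_LEN) for _ in range(count)]
    data_len = struct.unpack(">I", take(DATALEN_LEN))[0]
    body = take(data_len)
    if off != len(buf):
        raise ValueError("trailing bytes after data body")
    return Message(head, source, receivers, body)


def is_addressed_to(msg: Message, my_id: str) -> bool:
    """Claim 7 step 5 as read here: keep a packet only if it is broadcast or names this server."""
    return msg.is_broadcast or encode_id(my_id) in msg.receivers


def sync_filter(transactions: List[bytes], my_id: str) -> List[Message]:
    """Replay uplink transactions; keep those addressed to this server, drop malformed or foreign ones."""
    kept: List[Message] = []
    for tx in transactions:
        try:
            msg = parse_message(tx)
        except (ValueError, struct.error):
            continue  # malformed packet: discard rather than crash the sync loop
        if is_addressed_to(msg, my_id):
            kept.append(msg)
    return kept


if __name__ == "__main__":
    # Constructed sample: a broadcast certificate packet (type 16) and a unicast control packet.
    txs = [pack_message(16, "A", None, b"cert-A"), pack_message(17, "A", ["B"], b"ctrl")]
    for srv in ("B", "C"):
        print(srv, [m.body for m in sync_filter(txs, srv)])
```

Server B keeps both packets while server C keeps only the broadcast; a packet whose data length claims more bytes than are present is dropped by the parser instead of being read past its end.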
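The home-domain verification of claim 1 (S7) together with the parallel steps and timeout of claim 9, as an added Python model that is not part of the patent. The ledger is replaced by a simulated store with delivery delay so that the case where the user's request (step 7) arrives before the on-chain result (step 5) can be exercised offline, and attribute-based decryption is modelled as a check that the verifier's attributes satisfy the issuer's attribute policy (a successful check stands in for a successful decryption; no ABE scheme is implemented). The comparison with the on-chain result, the timeout that treats an unreceived result as illegal access, the validity window, the issuer check and the replay check follow the order of the claim; the ticket fields, the digest construction and all sample values are constructed for the example.

```python
import hashlib
import hmac
import json
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, List, Optional, Set, Tuple


@dataclass(frozen=True)
class Ticket:
    """Authentication result ('bill') issued by the home-domain server; fields are constructed."""
    ticket_id: str
    user: str
    issuer: str                      # identity authentication server that authenticated the user
    issued_at: float
    expires_at: float
    required_attrs: FrozenSet[str]   # attribute policy chosen by the issuer (claim 7, step 1)

    def digest(self) -> bytes:
        canon = json.dumps({"id": self.ticket_id, "user": self.user, "issuer": self.issuer,
                            "iat": self.issued_at, "exp": self.expires_at,
                            "attrs": sorted(self.required_attrs)}, sort_keys=True).encode()
        return hashlib.sha256(canon).digest()


class SimulatedChain:
    """Stand-in for the synchronized ledger: published results become visible after a delay."""
    def __init__(self, start: float = 1000.0):
        self.t = start
        self.visible: Dict[str, bytes] = {}
        self.pending: List[Tuple[float, Ticket]] = []

    def publish(self, ticket: Ticket, delay: float = 0.0) -> None:
        self.pending.append((self.t + delay, ticket))
        self._deliver()

    def now(self) -> float:
        return self.t

    def sleep(self, seconds: float) -> None:
        self.t += seconds
        self._deliver()

    def _deliver(self) -> None:
        still = []
        for arrive_at, tk in self.pending:
            if arrive_at <= self.t:
                self.visible[tk.ticket_id] = tk.digest()
            else:
                still.append((arrive_at, tk))
        self.pending = still


@dataclass
class HomeDomainVerifier:
    """Identity authentication server of the home domain checking a ticket presented by an application."""
    chain: SimulatedChain
    attrs: FrozenSet[str]              # attributes this server holds (decryption capability)
    trusted_issuers: FrozenSet[str]    # servers whose certificates were synchronized (claim 5)
    timeout_s: float = 5.0             # claim 9: wait this long for the on-chain result
    poll_s: float = 1.0
    seen: Set[str] = field(default_factory=set)

    def _await_onchain(self, ticket_id: str) -> Optional[bytes]:
        deadline = self.chain.now() + self.timeout_s
        while True:
            d = self.chain.visible.get(ticket_id)
            if d is not None:
                return d
            if self.chain.now() >= deadline:
                return None
            self.chain.sleep(self.poll_s)

    def verify(self, presented: Ticket) -> Tuple[bool, str]:
        onchain = self._await_onchain(presented.ticket_id)
        if onchain is None:
            return False, "no on-chain result before timeout: treated as illegal access"
        if not hmac.compare_digest(onchain, presented.digest()):
            return False, "presented result differs from on-chain result"
        if not presented.required_attrs <= self.attrs:
            return False, "attribute policy not satisfied: decryption would fail"
        if presented.issuer not in self.trusted_issuers:
            return False, "issuer is not a known identity authentication server"
        now = self.chain.now()
        if not presented.issued_at <= now < presented.expires_at:
            return False, "ticket outside its validity window"
        if presented.ticket_id in self.seen:
            return False, "ticket already verified (replay)"
        self.seen.add(presented.ticket_id)
        return True, presented.user


if __name__ == "__main__":
    chain = SimulatedChain()
    server_b = HomeDomainVerifier(chain, frozenset({"domainB"}), frozenset({"auth-A"}))
    t1 = Ticket("t1", "alice", "auth-A", 1000.0, 1600.0, frozenset({"domainB"}))
    chain.publish(t1, delay=2.0)   # result lands on chain 2 s after the user presents it
    print(server_b.verify(t1))     # accepted after waiting
    print(server_b.verify(t1))     # rejected as a replay
```

The comparison uses a constant-time digest check, the wait is bounded by the claim 9 timeout so a missing on-chain result cannot hold a verifier thread indefinitely, and the replay set is updated only after every other check passes.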
Description
Cross-domain authentication method based on combination of blockchain and attribute encryption
Technical Field
The invention belongs to the technical field of network security, and particularly relates to a cross-domain authentication method based on the combination of blockchain and attribute encryption.
Background
The identity authentication system is an indispensable component of a modern information system. It is mainly used to provide user identity authentication services for applications, prevents illegal users from freely accessing information system resources, ensures system access security, and is the first gate of information system security. With the continuous development of their business, large enterprises, governments, banks and other institutions see their information systems change continuously and take on the characteristics of distributed deployment and hierarchical management. Cross-domain access by legal users is one of the technical problems the identity authentication system has to solve. Conventional authentication systems mainly have two modes for supporting dynamic user access to applications in different trust domains, as shown in fig. 1. A trust domain is defined as an identity authentication system together with the business application systems it guarantees. The general idea of the two modes is as follows: (1) Mode 1, home authentication with the target domain collecting the result: the user completes authentication in the trust domain where the user is located, and the target domain adopts the authentication of the home domain. Mode 1 is divided into two stages: in stage 1 the user accesses the authentication server of the local domain to complete identity authentication, and in stage 2 the authentication result is sent to the authentication servers of the other trust domains, which check the result and pass the authentication. (2) Mode 2, direct authentication by the target domain: the access terminal re-authenticates directly upon cross-domain access, as illustrated for mode 2 in fig. 1.
The above modes mainly have the following problems: (1) In the mode 1 scenario, a pairwise mutual trust mechanism must be established for cross-domain identity authentication; the process needs to transmit signature certificates, and if there are many cross-domain access requirements the amount of data transmitted by the pairwise mutual trust mechanism is large. (2) In the mode 2 scenario, re-authentication is unfriendly to the user experience: the user needs to explicitly perform a second authentication, and if multiple domains are accessed, multiple authentications are required, so that authenticating once and accessing everywhere is not possible. (3) Modes 1 and 2 are inefficient because of the configuration and sharing involved across authentication servers. Administrators configuring across different trust domains need to know the authentication terminals and information of each trust domain accurately, so the configuration workload is large and the working efficiency low, and the workload would be enormous with many domain accesses. In addition, if a domain needs to revoke access by terminals outside the domain, a large number of configuration changes are also required.
Disclosure of Invention
First, the technical problem to be solved
The technical problem to be solved by the invention is how to provide a cross-domain authentication method based on the combination of blockchain and attribute encryption, so as to solve the problems of the two cross-domain modes of the traditional identity authentication system.
(II) Technical scheme
In order to solve the technical problem, the invention provides a cross-domain authentication method based on the combination of blockchain and attribute encryption, which comprises the following steps: S1, initiating identity authentication: a user initiates an authentication request to the authentication server of the local trust domain through an authentication terminal carrying a digital certificate; S2, the local trust domain completes identity authentication: user identity authentication is completed by the identity authentication server of the local trust domain; S3, after the local trust domain completes authentication, the authentication result is encrypted by an attribute encryption method, issued to the authentication terminal, and synchronously uplinked (put on the chain); S4, acquiring the identity authentication result: the authentication server of each node on the blockchain synchronously acquires the authentication result; S5, implementing cross-domain application access: the user carries the authentication result and accesses the application of the corresponding trust domain in a cross-domain manner, and after receiving the request, the applic