CN108777684A - Identity identifying method, system and computer readable storage medium - Google Patents

Identity identifying method, system and computer readable storage medium
Publication number
CN108777684A
Authority
CN
China
Prior art keywords
identity
agency
letter
requestor
server
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Granted
Application number
CN201810543425.5A
Other languages
Chinese (zh)
Other versions
CN108777684B (en
Inventor
张育明
潘海清
陈鹏
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
ZHAOSHANG BANK CO Ltd
China Merchants Bank Co Ltd
Original Assignee
ZHAOSHANG BANK CO Ltd
Application filed by ZHAOSHANG BANK CO Ltd
Priority to CN201810543425.5A
Publication of CN108777684A
Application granted
Publication of CN108777684B
Legal status: Active

Abstract

The invention discloses an identity authentication method applied to an identity authentication system that includes an agency server and a transaction node. The method includes: when the agency server receives a blockchain transaction request, it obtains and verifies the identity information of the requester; when verification passes, it obtains the identity certificate of the requester and the service message signed by the requester, and signs the service message again with the pre-stored agency private key; it sends the re-signed service message, the pre-stored identity certificate of the agency, the service message signed by the requester, and the identity certificate of the requester to the transaction node corresponding to the transaction request; the transaction node authenticates the validity of the identities of the agency and the requester. The invention also discloses an identity authentication system and a computer-readable storage medium. The invention enables secure and effective identity authentication of blockchain participants.

Description

Identity identifying method, system and computer readable storage medium
Technical field
The present invention relates to the field of Internet technology, and in particular to an identity authentication method, a system and a computer-readable storage medium.
Background
In recent years, with the continuing development of Internet finance, blockchain technology has gradually been introduced into the business transactions of banks and other financial institutions. Blockchain technology is a new kind of network application technology formed by combining conventional encryption technology with Internet distributed technology. In Internet transactions based on blockchain technology, authenticating the identity of the members of the blockchain is one of the important steps in ensuring the authenticity and security of blockchain transactions.
Financial blockchains currently have many participants whose identities are complex and not fully trustworthy. How to authenticate blockchain participants securely and effectively, so as to ensure the authenticity and security of blockchain transactions, is therefore a problem in urgent need of a solution.
Summary of the invention
The main object of the present invention is to propose an identity authentication method, a system and a computer-readable storage medium, with the aim of achieving secure and effective identity authentication of blockchain participants.
To achieve the above object, the present invention provides an identity authentication method applied to an identity authentication system. The identity authentication system includes an agency server and a transaction node, and the identity authentication method includes the following steps:
When the agency server receives a blockchain transaction request, it obtains and verifies the identity information of the requester;
When verification passes, the agency server obtains the identity certificate of the requester and the service message signed by the requester, and signs the service message again with the pre-stored agency private key;
The agency server sends the re-signed service message, the pre-stored identity certificate of the agency, the service message signed by the requester, and the identity certificate of the requester to the transaction node corresponding to the transaction request;
The transaction node authenticates the validity of the identities of the agency and the requester according to the re-signed service message, the identity certificate of the agency, the service message signed by the requester, and the identity certificate of the requester.
Preferably, the step in which the agency server obtains and verifies the identity information of the requester includes:
The agency server obtains the identity information of the requester carried in the transaction request;
The agency server determines whether the identity information of the requester exists in a preset identity information database, and if so, determines that the identity information of the requester passes verification.
Preferably, the identity information of the requester includes at least one of an access password, a device identifier and a biometric feature.
Preferably, the step in which the transaction node authenticates the validity of the identities of the agency and the requester, according to the re-signed service message, the identity certificate of the agency, the service message signed by the requester, and the identity certificate of the requester, includes:
The transaction node determines whether the identity certificate of the agency is valid;
If the identity certificate of the agency is valid, the transaction node authenticates the validity of the agency's identity according to the identity certificate of the agency and the re-signed service message;
When the identity of the agency is authenticated as valid, the transaction node determines whether the identity certificate of the requester is valid;
If the identity certificate of the requester is valid, the transaction node authenticates the validity of the requester's identity according to the identity certificate of the requester and the service message signed by the requester.
Preferably, the step in which the transaction node determines whether the identity certificate of the agency is valid includes:
The transaction node determines whether the identity certificate of the agency is within its preset validity period;
If the identity certificate of the agency is within the preset validity period, the transaction node obtains a preset trusted root certificate and determines whether the identity certificate of the agency was issued by the certificate authority corresponding to the trusted root certificate;
If the identity certificate of the agency was issued by the certificate authority corresponding to the trusted root certificate, the transaction node downloads the certificate revocation list from the website of the certificate authority and determines whether the identity certificate of the agency is present in the certificate revocation list;
If the identity certificate of the agency is not present in the certificate revocation list, the identity certificate of the agency is determined to be valid.
Preferably, the step in which the transaction node authenticates the validity of the agency's identity according to the identity certificate of the agency and the re-signed service message includes:
The transaction node reads the public key of the agency from the identity certificate of the agency;
The transaction node verifies the signature of the re-signed service message with the public key of the agency, and if verification passes, determines that the identity of the agency is valid.
Preferably, the identity authentication system further includes a certificate authority server, and before the step in which the agency server obtains and verifies the identity information of the requester on receiving a blockchain transaction request, the method further includes:
The agency server initiates an identity certificate application request to the certificate authority server;
The certificate authority server obtains the identity information of the applicant and the public key of the applicant carried in the identity certificate application request, and anonymizes the identity information of the applicant;
The certificate authority server binds the anonymized identity information of the applicant to the public key of the applicant to generate the identity certificate of the applicant, and issues the identity certificate of the applicant to the agency server.
Preferably, the applicant includes the agency and the requester who triggers the blockchain transaction request.
In addition, to achieve the above object, the present invention also provides an identity authentication system, which includes an agency server, a transaction node and an identity authentication program. When executed by the agency server and the transaction node, the identity authentication program implements the steps of the identity authentication method described above.
In addition, to achieve the above object, the present invention also provides a computer-readable storage medium on which an identity authentication program is stored. When executed by a processor, the identity authentication program implements the steps of the identity authentication method described above.
The identity authentication method proposed by the present invention uses a two-layer authentication mode that combines external authentication by the agency with internal authentication at the transaction node. That is, when the agency server receives a blockchain transaction request, it first performs external verification of the requester's identity information; after that verification passes, internal authentication of the identities of the agency and the requester is performed at the blockchain transaction node. This two-layer authentication mode ensures that the identities of the agency and of the blockchain transaction requester taking part in the blockchain transaction are authentic and valid, which helps to ensure the authenticity and security of blockchain transactions.
Description of the drawings
Fig. 1 is a schematic structural diagram of the terminal in the hardware operating environment involved in embodiments of the present invention;
Fig. 2 is a schematic flowchart of the first embodiment of the identity authentication method of the present invention;
Fig. 3 is a schematic diagram of the detailed steps of step S40 in the second embodiment of the identity authentication method of the present invention;
Fig. 4 is a schematic diagram of the detailed steps of step S41 in Fig. 3;
Fig. 5 is a schematic flowchart of the third embodiment of the identity authentication method of the present invention.
The realization of the object, the functional features and the advantages of the present invention will be further described with reference to the accompanying drawings in connection with the embodiments.
Detailed description
It should be understood that the specific embodiments described herein are merely intended to explain the present invention and are not intended to limit it.
The main solution of the embodiments of the present invention is as follows: when the agency server receives a blockchain transaction request, it obtains and verifies the identity information of the requester; when verification passes, the agency server obtains the identity certificate of the requester and the service message signed by the requester, and signs the service message again with the pre-stored agency private key; the agency server sends the re-signed service message, the pre-stored identity certificate of the agency, the service message signed by the requester, and the identity certificate of the requester to the transaction node corresponding to the transaction request; the transaction node authenticates the validity of the identities of the agency and the requester according to the re-signed service message, the identity certificate of the agency, the service message signed by the requester, and the identity certificate of the requester.
As shown in Fig. 1, Fig. 1 is a schematic structural diagram of the terminal in the hardware operating environment involved in embodiments of the present invention.
The terminals of the embodiments of the present invention are the agency server and the transaction node. The terminal may be a PC, or a mobile terminal device with a display function such as a smartphone, a tablet computer or a portable computer.
As shown in Fig. 1, the terminal may include a processor 1001 (for example a CPU), a network interface 1004, a user interface 1003, a memory 1005 and a communication bus 1002. The communication bus 1002 implements connection and communication between these components. The user interface 1003 may include a display and an input unit such as a keyboard; optionally, the user interface 1003 may also include a standard wired interface and a wireless interface. The network interface 1004 may optionally include a standard wired interface and a wireless interface (such as a WI-FI interface). The memory 1005 may be high-speed RAM or non-volatile memory, such as disk storage. The memory 1005 may optionally also be a storage device independent of the aforementioned processor 1001.
Those skilled in the art will understand that the terminal structure shown in Fig. 1 does not limit the terminal, which may include more or fewer components than illustrated, combine certain components, or arrange the components differently.
As shown in Fig. 1, the memory 1005, as a computer storage medium, may include an operating system, a network communication module, a user interface module and an identity authentication program.
In the terminal shown in Fig. 1, the network interface 1004 is mainly used to connect to a background server and exchange data with it; the user interface 1003 is mainly used to connect to a client (user terminal) and exchange data with it; and the processor 1001 may be used to call the identity authentication program stored in the memory 1005 and perform the following operations:
When the agency server receives a blockchain transaction request, it obtains and verifies the identity information of the requester;
When verification passes, the agency server obtains the identity certificate of the requester and the service message signed by the requester, and signs the service message again with the pre-stored agency private key;
The agency server sends the re-signed service message, the pre-stored identity certificate of the agency, the service message signed by the requester, and the identity certificate of the requester to the transaction node corresponding to the transaction request;
The transaction node authenticates the validity of the identities of the agency and the requester according to the re-signed service message, the identity certificate of the agency, the service message signed by the requester, and the identity certificate of the requester.
Further, the processor 1001 may call the identity authentication program stored in the memory 1005 and also perform the following operations:
The agency server obtains the identity information of the requester carried in the transaction request;
The agency server determines whether the identity information of the requester exists in a preset identity information database, and if so, determines that the identity information of the requester passes verification.
Further, the identity information of the requester includes at least one of an access password, a device identifier and a biometric feature.
Further, the processor 1001 may call the identity authentication program stored in the memory 1005 and also perform the following operations:
The transaction node determines whether the identity certificate of the agency is valid;
If the identity certificate of the agency is valid, the transaction node authenticates the validity of the agency's identity according to the identity certificate of the agency and the re-signed service message;
When the identity of the agency is authenticated as valid, the transaction node determines whether the identity certificate of the requester is valid;
If the identity certificate of the requester is valid, the transaction node authenticates the validity of the requester's identity according to the identity certificate of the requester and the service message signed by the requester.
Further, the processor 1001 may call the identity authentication program stored in the memory 1005 and also perform the following operations:
The transaction node determines whether the identity certificate of the agency is within its preset validity period;
If the identity certificate of the agency is within the preset validity period, the transaction node obtains a preset trusted root certificate and determines whether the identity certificate of the agency was issued by the certificate authority corresponding to the trusted root certificate;
If the identity certificate of the agency was issued by the certificate authority corresponding to the trusted root certificate, the transaction node downloads the certificate revocation list from the website of the certificate authority and determines whether the identity certificate of the agency is present in the certificate revocation list;
If the identity certificate of the agency is not present in the certificate revocation list, the identity certificate of the agency is determined to be valid.
Further, the processor 1001 may call the identity authentication program stored in the memory 1005 and also perform the following operations:
The transaction node reads the public key of the agency from the identity certificate of the agency;
The transaction node verifies the signature of the re-signed service message with the public key of the agency, and if verification passes, determines that the identity of the agency is valid.
Further, the processor 1001 may call the identity authentication program stored in the memory 1005 and also perform the following operations:
The agency server initiates an identity certificate application request to the certificate authority server;
The certificate authority server obtains the identity information of the applicant and the public key of the applicant carried in the identity certificate application request, and anonymizes the identity information of the applicant;
The certificate authority server binds the anonymized identity information of the applicant to the public key of the applicant to generate the identity certificate of the applicant, and issues the identity certificate of the applicant to the agency server.
Further, the applicant includes the agency and the requester who triggers the blockchain transaction request.
Based on the above hardware structure, the embodiments of the identity authentication method of the present invention are proposed.
Referring to Fig. 2, Fig. 2 is a schematic flowchart of the first embodiment of the identity authentication method of the present invention. The identity authentication method of this embodiment is applied to an identity authentication system that includes an agency server and a transaction node. In practice, the agency may be a commercial bank or another financial service provider, and the transaction node is the blockchain node involved when a blockchain participant carries out a transaction. The identity authentication method includes:
Step S10: when the agency server receives a blockchain transaction request, it obtains and verifies the identity information of the requester;
In this step, the agency server first receives a blockchain transaction request; in general, the blockchain transaction request is triggered by a blockchain participant. The agency server then parses the received blockchain transaction request to obtain the identity information of the requester carried in it; alternatively, after receiving the blockchain transaction request, the agency server may prompt the requester to enter his or her own identity information. The agency server then verifies the identity information of the requester that it has obtained.
In one embodiment, the identity information of the requester includes at least one of an access password, a device identifier and a biometric feature. The access password includes, but is not limited to, a user name, a password, a dynamic password and an SMS verification code; the device identifier includes, but is not limited to, the MAC (Media Access Control) address of the device and a unique identification number; the biometric feature includes, but is not limited to, a fingerprint, a voiceprint and an iris. Specifically, verification may be based on one kind of identity information among the access password, the device identifier and the biometric feature, for example user name + password only, or may combine several kinds of identity information, for example user name + password + fingerprint; this can be set flexibly in a specific implementation.
The above step S10 may further include: the agency server obtains the identity information of the requester carried in the transaction request; the agency server determines whether the identity information of the requester exists in the preset identity information database, and if so, determines that the identity information of the requester passes verification.
When authenticating the requester's identity, the agency server may obtain the identity information of the requester carried in the transaction request and then determine whether that identity information exists in the preset identity information database, which records the identity information of all blockchain participants registered with the agency. If the identity information of the requester exists in the identity information database, the requester is registered with the agency, and the agency server can then determine that the identity information of the requester passes verification.
Step S20: when verification passes, the agency server obtains the identity certificate of the requester and the service message signed by the requester, and signs the service message again with the pre-stored agency private key;
After the identity information of the requester passes verification, the agency server further parses the transaction request to obtain the identity certificate of the requester carried in it and the service message signed by the requester. The identity certificate of the requester is issued by a certificate authority (CA, Certificate Authority); the CA is the authority responsible for issuing and managing digital certificates.
In a blockchain transaction, the requester has its own asymmetric key pair, that is, a public key and a private key. After signing the service message with its own private key, the requester sends the signed service message to the agency server. The agency server also has its own asymmetric key pair. After receiving the service message signed by the requester, the agency server signs the service message again with its own pre-stored private key. Sending the re-signed service message can be regarded as an act that neither the requester nor the agency can deny.
Step S30: the agency server sends the re-signed service message, the pre-stored identity certificate of the agency, the service message signed by the requester, and the identity certificate of the requester to the transaction node corresponding to the transaction request;
In this step, the agency server sends the re-signed service message, the pre-stored identity certificate of the agency, the service message signed by the requester, and the identity certificate of the requester together to the transaction node corresponding to the above transaction request. The transaction corresponding to the transaction request includes, but is not limited to, same-trade contracts, transfers, remittances, clearing and quick payment; the identity certificate of the agency is likewise issued by the certificate authority (CA).
Step S40: the transaction node authenticates the validity of the identities of the agency and the requester according to the re-signed service message, the identity certificate of the agency, the service message signed by the requester, and the identity certificate of the requester.
In this step, the transaction node authenticates the validity of the identities of the agency and the requester according to the received re-signed service message, the identity certificate of the agency, the service message signed by the requester, and the identity certificate of the requester.
When authenticating the validity of the identities of the agency and the requester, a PKI-based identity authentication technique may be used: first verify the validity of the agency's identity certificate and of the re-signed service message, then verify the validity of the requester's identity certificate and of the service message signed by the requester. When both verifications pass, the agency is a genuine agency and the requester is a genuine blockchain participant. Because an attacker may forge or intercept the information sent by the requester and the agency during network data transmission in order to carry out illegal transactions, performing dual identity authentication on the agency and the requester ensures that the agency and the requester taking part in the transaction are legitimate, and thus ensures the security of the blockchain transaction.
When the identities of the agency and the requester are both authenticated as valid, the transaction node performs the transaction operation corresponding to the blockchain transaction request. During this process, the agency server may also record detailed log information on the operations that the transaction node performs based on the digital asset wallet, to provide supporting evidence for later tracing of illegal activities such as fraudulent card use and for anti-money-laundering work.
The identity authentication method proposed in this embodiment uses a two-layer authentication mode that combines external authentication by the agency with internal authentication at the transaction node. That is, when the agency server receives a blockchain transaction request, it first performs external verification of the requester's identity information; after that verification passes, internal authentication of the identities of the agency and the requester is performed at the blockchain transaction node. This two-layer authentication mode ensures that the identities of the agency and of the blockchain transaction requester taking part in the blockchain transaction are authentic and valid, which helps to ensure the authenticity and security of blockchain transactions.
Further, it is based on identity identifying method first embodiment of the present invention, proposes identity identifying method second of the present inventionEmbodiment.
It is the refinement step schematic diagram of step S40 in identity identifying method second embodiment of the present invention with reference to Fig. 3, Fig. 3.BaseIn above-mentioned embodiment shown in Fig. 2, step S40 may include:
Step S41, the transaction node judge whether the letter of identity of the agency is effective;
If the letter of identity of the agency is effective, S42 is thened follow the steps, the transaction node is according to the proxy machineThe letter of identity of structure and it is described sign again after service message, the validity of agency's identity is authenticated;
When the identity of the agency is authenticated to be effective, step S43 is executed, is asked described in the transaction node judgementWhether the letter of identity for the person of asking is effective;
If the letter of identity of the requestor is effective, S44 is thened follow the steps, the transaction node is according to the requestor'sLetter of identity and via the requestor sign after service message, the validity of requestor's identity is authenticated.
In the present embodiment, transaction node is in the letter of identity for receiving the service message after signing again, agency, andAfter letter of identity via service message, requestor after requestor signature, need successively to agency and requestorThe validity of identity be authenticated.
First, transaction node judges whether the letter of identity of agency is effective.
It is the refinement step schematic diagram of step S41 in Fig. 3, above-mentioned steps S41 with reference to Fig. 4, Fig. 4 in a judgment modeIt may further include:
Whether step S411, the transaction node judge the letter of identity of the agency in the preset term of validity;
If the letter of identity of the agency is within the preset validity period, step S412 is executed: the transaction node obtains the preset trust root certificate and judges whether the letter of identity of the agency was issued by the certification authority corresponding to the trust root certificate;
If the letter of identity of the agency was issued by the certification authority corresponding to the trust root certificate, step S413 is executed: the transaction node downloads the certificate revocation list from the certification authority's website and judges whether the letter of identity of the agency is present in the certificate revocation list;
If the letter of identity of the agency is not present in the certificate revocation list, step S414 is executed: the letter of identity of the agency is determined to be valid.
Specifically, the transaction node first reads the validity period of the certificate from the letter of identity of the agency. If the current time is within the validity period, the certificate has not expired. The transaction node then obtains, through its own browser, the trust root certificate preset in the browser, and judges whether the letter of identity of the agency was issued by the certification authority corresponding to the trust root certificate. The certification authority may be the root of trust itself or a second-level certification authority under the root of trust. If the letter of identity of the agency is judged to have been issued by the certification authority corresponding to the trust root certificate, the transaction node further downloads the certificate revocation list (CRL, Certificate Revocation List) from the website of that certification authority and judges whether the letter of identity of the agency is present in the certificate revocation list. If it is not present, the letter of identity of the agency has not been revoked, and the letter of identity of the agency is determined to be valid. This judgment mode achieves an accurate judgment of the validity of the letter of identity of the agency.
Of course, in other judgment modes, only one or two of the following may be checked: the validity period of the certificate, the legitimacy of the certification authority, and whether the certificate is present in the certificate revocation list. This can be set flexibly in a specific implementation.
When the letter of identity of the agency is judged to be valid, the transaction node further authenticates the validity of the agency's identity according to the letter of identity of the agency and the re-signed service message. Specifically, the transaction node reads the public key of the agency from the letter of identity of the agency and uses that public key to verify the signature on the re-signed service message. If verification passes, the re-signed service message was sent by the agency, and the identity of the agency is judged to be valid; otherwise the identity of the agency is judged to be invalid. When the identity of the agency is judged to be invalid, this block chain transaction is terminated and identity-invalid information is returned to the agency's server.
When the identity of the agency is authenticated as valid, the transaction node further judges whether the letter of identity of the requestor is valid. If the letter of identity of the requestor is valid, the transaction node authenticates the validity of the requestor's identity according to the letter of identity of the requestor and the service message signed by the requestor. The specific way of judging whether the letter of identity of the requestor is valid and of authenticating the requestor's identity can refer to the authentication of the agency described above, and is not repeated here.
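The check order of steps S411 to S414 followed by signature verification can be exercised with the Go sketch below. It is an added example, not code from the patent. It assumes that a letter of identity is an X.509 certificate with an Ed25519 key, that the certificate is issued directly by the trust root, and that the CRL is passed in rather than downloaded. The names `issue`, `makeCRL` and `authenticate` are hypothetical, and the check that the CRL itself is signed by the authority and still current is an addition the text does not describe.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// issue builds a constructed Ed25519 certificate; with ca == nil it is a self-signed root.
func issue(cn string, serial int64, ca *x509.Certificate, caKey ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey) {
	_, key, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	tpl := &x509.Certificate{SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour), KeyUsage: x509.KeyUsageDigitalSignature}
	if ca == nil {
		tpl.IsCA, tpl.BasicConstraintsValid = true, true
		tpl.KeyUsage |= x509.KeyUsageCertSign | x509.KeyUsageCRLSign
		ca, caKey = tpl, key
	}
	return must(x509.ParseCertificate(must(x509.CreateCertificate(rand.Reader, tpl, ca, key.Public(), caKey)))), key
}

// makeCRL stands in for the revocation list downloaded from the authority's website.
func makeCRL(ca *x509.Certificate, caKey ed25519.PrivateKey, revoked ...*big.Int) *x509.RevocationList {
	tpl := &x509.RevocationList{Number: big.NewInt(1), ThisUpdate: time.Now().Add(-time.Minute), NextUpdate: time.Now().Add(time.Hour)}
	for _, s := range revoked {
		tpl.RevokedCertificates = append(tpl.RevokedCertificates, pkix.RevokedCertificate{SerialNumber: s, RevocationTime: time.Now()})
	}
	return must(x509.ParseRevocationList(must(x509.CreateRevocationList(rand.Reader, tpl, ca, caKey))))
}

// authenticate runs steps S411-S414 on cert, then verifies sig over msg with the key read from cert.
func authenticate(cert, root *x509.Certificate, crl *x509.RevocationList, msg, sig []byte, now time.Time) error {
	if now.Before(cert.NotBefore) || now.After(cert.NotAfter) { // S411: validity period
		return fmt.Errorf("certificate outside its validity period %v to %v", cert.NotBefore, cert.NotAfter)
	}
	if err := cert.CheckSignatureFrom(root); err != nil { // S412: issued under the trust root
		return fmt.Errorf("not issued by the trusted authority: %w", err)
	}
	if err := crl.CheckSignatureFrom(root); err != nil || now.After(crl.NextUpdate) { // added: CRL authentic and current
		return fmt.Errorf("unusable CRL (signature error: %v)", err)
	}
	for _, r := range crl.RevokedCertificates { // S413: revocation lookup by serial number
		if r.SerialNumber.Cmp(cert.SerialNumber) == 0 {
			return fmt.Errorf("certificate is revoked: serial %v is on the CRL", r.SerialNumber)
		}
	}
	return cert.CheckSignature(x509.PureEd25519, msg, sig) // S414 passed; identity valid only if sig verifies
}

func main() {
	root, rootKey := issue("Constructed Root CA", 1, nil, nil)
	agency, key := issue("constructed-agency", 2, root, rootKey)
	msg := []byte("constructed re-signed service message")
	crl := makeCRL(root, rootKey, agency.SerialNumber) // constructed case: agency certificate revoked
	fmt.Println(authenticate(agency, root, crl, msg, ed25519.Sign(key, msg), time.Now()))
}
```

The same function applies to the requestor by passing the requestor's certificate together with the requestor-signed message and its signature.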
Further, referring to Fig. 5, Fig. 5 is a schematic flowchart of the third embodiment of the identity authentication method of the present invention. Based on the above embodiments, the identity authentication system further includes a certification authority server, and before step S10 the method may further include:
Step S50, the agency's server initiates a letter of identity application request to the certification authority server;
Step S60, the certification authority server obtains the identity information of the applicant and the public key of the applicant carried in the letter of identity application request, and applies anonymization processing to the identity information of the applicant;
Step S70, the certification authority server binds the anonymized identity information of the applicant to the public key of the applicant to generate the letter of identity of the applicant, and issues the letter of identity of the applicant to the agency's server.
Further, the applicant includes the agency and the requestor that triggers the block chain transaction request.
In the present embodiment, before a block chain transaction is carried out, both the transaction initiator and the agency need to apply to the certification authority for a letter of identity, as a precondition for the subsequent authentication. When the agency applies for its own letter of identity, it initiates the letter of identity application request directly to the certification authority server. When the transaction initiator applies for its own letter of identity, it can entrust the agency to apply to the certification authority on its behalf. In that case the agency needs to verify the true identity information of the applicant and, after verification passes, initiates the letter of identity application request to the certification authority server. The letter of identity application request carries the identity information of the applicant and the public key of the applicant.
When the certification authority server receives the letter of identity application request sent by the agency's server, it obtains the identity information of the applicant and the public key of the applicant carried in the request and applies anonymization processing to the identity information of the applicant. Anonymization processing takes the form of a mapping from the true identity to an anonymized identity, such as ID → ID′. The anonymization mapping is known only to the certification authority, which achieves the purpose of "foreground voluntary, background real name". The certification authority server then binds the anonymized identity information of the applicant to the public key of the applicant to generate the letter of identity of the applicant, and issues the letter of identity of the applicant to the agency's server, which completes the issuance of the letter of identity.
The present invention also provides an identity authentication system.
The identity authentication system of the present invention includes an agency's server, a transaction node and an authentication program. When executed by the agency's server and the transaction node, the authentication program implements the steps of the identity authentication method described above.
The method implemented when the authentication program is executed can refer to the embodiments of the identity authentication method of the present invention, and is not repeated here.
The present invention also provides a computer readable storage medium.
An authentication program is stored on the computer readable storage medium of the present invention. When executed by a processor, the authentication program implements the steps of the identity authentication method described above.
The method implemented when the authentication program running on the processor is executed can refer to the embodiments of the identity authentication method of the present invention, and is not repeated here.
It should be noted that, herein, the terms "include", "comprise" or any other variant thereof are intended to cover a non-exclusive inclusion, so that a process, method, article or system that includes a series of elements includes not only those elements but also other elements that are not explicitly listed, or elements inherent to such a process, method, article or system. In the absence of further restrictions, an element limited by the phrase "including a ..." does not exclude the presence of other identical elements in the process, method, article or system that includes the element.
The above embodiments of the present invention are for description only and do not represent the relative merits of the embodiments.
Through the above description of the embodiments, those skilled in the art can clearly understand that the methods of the above embodiments can be implemented by software plus a necessary general hardware platform, and of course also by hardware, but in many cases the former is the better implementation. Based on this understanding, the technical solution of the present invention, in essence or in the part that contributes to the prior art, can be embodied in the form of a software product. The computer software product is stored in a storage medium as described above (such as ROM/RAM, magnetic disk or optical disc) and includes several instructions that cause a terminal device (which may be a mobile phone, computer, server, air conditioner, network device or the like) to execute the methods described in the embodiments of the present invention.
The above are only preferred embodiments of the present invention and do not limit the scope of the invention. Any equivalent structure or equivalent process transformation made using the contents of the specification and accompanying drawings of the present invention, whether applied directly or indirectly in other related technical fields, is likewise included within the scope of patent protection of the present invention.

Claims (10)

CN201810543425.5A | 2018-05-30 | 2018-05-30 | Identity authentication method, system and computer readable storage medium | Active | CN108777684B (en)

Priority Applications (1)

Application Number | Priority Date | Filing Date | Title
CN201810543425.5A (CN108777684B (en)) | 2018-05-30 | 2018-05-30 | Identity authentication method, system and computer readable storage medium

Applications Claiming Priority (1)

Application Number | Priority Date | Filing Date | Title
CN201810543425.5A (CN108777684B (en)) | 2018-05-30 | 2018-05-30 | Identity authentication method, system and computer readable storage medium

Publications (2)

Publication Number | Publication Date
CN108777684A (en) | 2018-11-09
CN108777684B (en) | 2021-07-13

Family

ID=64028130

Family Applications (1)

Application Number | Title | Priority Date | Filing Date
CN201810543425.5A (Active, CN108777684B (en)) | Identity authentication method, system and computer readable storage medium | 2018-05-30 | 2018-05-30

Country Status (1)

Country | Link
CN (1) | CN108777684B (en)

Also Published As

Publication Number | Publication Date
CN108777684B (en) | 2021-07-13

Legal Events

Code | Title
PB01 | Publication
SE01 | Entry into force of request for substantive examination
GR01 | Patent grant
