Authentication method and device based on blockchain
A blockchain-based, authentication-side technology, applied in the field of communications, that can solve problems such as loss of private keys, brute-force cracking and an insecure data transfer process, so as to meet security requirements, improve accuracy, and improve the ability to resist hacker attacks.
Inactive Publication Date: 2017-05-31
中钞信用卡产业发展有限公司杭州区块链技术研究院
AI-Extracted Technical Summary
Problems solved by technology
Both software encryption and cloud encryption have the following problems: the data transfer process is not safe, the interactive environment is not safe, and the private key is prone to loss, forgetting, brute force cracking, etc.
Once a problem occurs, the...
Method used
In this embodiment, the terminal can encrypt the digital assets to be transferred to ensure that the digital assets can be safely and reliably transferred from one blockchain node to another blockchain node, or from a transfer-out end outside the blockchain, through the blockchain, to a transfer-in end outside the blockchain. The encryption technology can rely on the mature Javacard framework, with the encryption algorithm classes of the Javacard API forming the encryption algorithm framework. The framework may include various keys, various signature algorithms, various encryption algorithms, and the like. The digital currency identity authentication applet based on the hardware SE can use these encryption algorithm classes to establish security logic related to the applet and improve the security level of the applet when it is running. At the same time, these encryption algorithm classes can also be used to provide encryption and decryption services for applications external to the SE, reflecting the role of the SE as a security guarantee in the entire system. Javacard technology has mature international standards, and has obtained qualifications through international testing and certification. Javacard specif...
Abstract
The invention discloses an authentication method and device based on a blockchain. The method comprises the following steps: generating, according to a random number, a transfer-out private key for transferring digital assets through the blockchain and a corresponding transfer-out public key; encoding the transfer-out public key to generate a transfer-in address; performing a digital signature on the basis of the transfer-out private key, the transfer value of the digital assets to be transferred and the transfer-in address; acquiring digital asset transfer data on the basis of the transfer value, the transfer-in address, the digital signature and the transfer-out public key; and broadcasting the digital asset transfer data to the blockchain so that the digital asset transfer data are subjected to first-level authentication by an authentication side, or are subjected to multi-level authentication by a server side and the authentication side jointly after the first-level authentication is finished. Therefore, by the embodiment, the ability to resist hacker attacks can be improved, and the security requirements of data and transactions in an open blockchain environment can be met.
Application Domain
User identity/authority verification; Protocol authorisation
Technology Topic
Digital asset; Blockchain
Example Embodiment
[0043] In order to make the purpose, technical solutions and advantages of the embodiments of the present invention clearer, the technical solutions in the embodiments of the present invention will be clearly and completely described below in conjunction with the drawings in the embodiments of the present invention. Obviously, the described embodiments are a part of the embodiments of the present invention, but not all of them. Based on the embodiments of the present invention, all other embodiments obtained by persons of ordinary skill in the art without creative efforts fall within the protection scope of the present invention.
[0044] It should be noted that, in the case of no conflict, the embodiments in the present application and the features in the embodiments can be combined with each other. The present application will be described in detail below with reference to the accompanying drawings and embodiments.
[0045] Fig. 1(a) is a schematic diagram of a blockchain-based authentication system architecture according to an embodiment of the present invention.
[0046] As shown in Fig. 1(a), the system architecture may include: a blockchain 100, a network 200, and blockchain nodes 110, 120, 130, 140, 150 and 160. The blockchain 100 can be regarded as a distributed unified ledger, and all participants (blockchain nodes 110-160) jointly determine the accounting content. Each participant saves a full copy of the data, and no individual participant can tamper with the data. According to different interaction scenarios, blockchain nodes can be terminal nodes, authentication server nodes, merchant nodes, third-party nodes, bank nodes, etc. Each node can be any of a variety of electronic devices. These electronic devices include, but are not limited to, personal computers, smartphones, tablets, personal digital assistants, servers, etc. These electronic devices may be installed with various communication client applications, such as instant messaging tools, email clients, social platform software, audio and video software, and the like. These electronic devices have memory, logical operation processors, control elements and so on. These electronic devices can send data requests, receive data requests, and also analyze, verify, and store data.
[0047] The network 200 is used as a medium for providing communication links between blockchain nodes 110-160. Specifically, the network may include various connection types, such as wired, wireless communication links, or optical fiber cables.
[0048] It can be understood that the number of blockchain 100, network 200 and blockchain nodes 110-160 in Figure 1(a) is schematic and can be flexibly configured according to actual needs.
[0049] Fig. 1(b) is a schematic diagram of a block chain node structure according to an embodiment of the present invention.
[0050] As shown in Figure 1(b), the blockchain node 110 can be a terminal, such as a smart phone with an Android system. The terminal may include: a digital currency client, a clock, a security chip SE, a Javacard API interface, a Javacard operating environment, a Javacard virtual machine, and an underlying OS. It can be understood that the blockchain nodes 120-160 can also be the above-mentioned smart phones, and can also be servers for authenticating data. The clock can provide the current time parameter. The security chip SE may store a program for performing the operations in each step of authentication.
[0051] In this embodiment, the terminal can encrypt the digital assets to be transferred to ensure that the digital assets can be safely and reliably transferred from one blockchain node to another blockchain node, or from a transfer-out end outside the blockchain, through the blockchain, to a transfer-in end outside the blockchain. The encryption technology can rely on the mature Javacard framework, with the encryption algorithm classes of the Javacard API forming the encryption algorithm framework. The framework may include various keys, various signature algorithms, various encryption algorithms, and the like. The digital currency identity authentication applet based on the hardware SE can use these encryption algorithm classes to establish security logic related to the applet and improve the security level of the applet when it is running. At the same time, these encryption algorithm classes can also be used to provide encryption and decryption services for applications external to the SE, reflecting the role of the SE as a security guarantee in the entire system. Javacard technology has mature international standards, and has obtained qualifications through international testing and certification. The Javacard specifications (including the JCVM, JCRE and JCAPI specifications) and the security mechanisms in the GlobalPlatform specification, such as security domain management, logical channels and the firewall mechanism, can effectively resist illegal code attacks and ensure that sensitive data in Applets are not exposed.
[0052] Each of the following embodiments can apply the system architecture shown in FIG. 1(a) and FIG. 1(b) to perform data authentication. For brevity of description, various embodiments may refer to each other.
[0053] Fig. 2 is a schematic flow chart of a blockchain-based authentication method according to an embodiment of the present invention.
[0054] As shown in Fig. 2, the method includes the following steps: S210, generating, according to a random number, a transfer-out private key and a corresponding transfer-out public key for transferring digital assets through the blockchain; S220, encoding the transfer-out public key to generate a transfer-in address; S230, based on the transfer-out private key, digitally signing the transfer value, the transfer-in address and other necessary data of the digital asset to be transferred; S240, obtaining digital asset transfer data based on the transfer value, transfer-in address, digital signature and transfer-out public key; S250, broadcasting the digital asset transfer data to the blockchain, so that the authentication end performs first-level authentication on the digital asset transfer data, or, after the first-level authentication, the server and the authentication end jointly perform multi-level authentication on the digital asset transfer data.
[0055] This embodiment can be applied to the terminal side, and the terminal can serve as an action execution subject of this embodiment, and specifically perform operations in various steps. The security chip SE of the terminal can store a digital currency identity authentication Applet application program, which can realize the following functions: initialization of public key, generation of transfer-in address, signature, verification and other functions.
[0056] In step S210, the security chip SE may use a random number generator to generate a private key Sk. The public key Pk can be obtained by processing the private key Sk through an asymmetric encryption algorithm.
[0057] Generating the corresponding transfer-out public key may include: based on the transfer-out private key, generating the corresponding transfer-out public key by at least one asymmetric encryption algorithm among the elliptic curve encryption algorithm ECC, the RSA encryption algorithm, the Elgamal encryption algorithm, the D-H encryption algorithm, and the national secret SM2 algorithm.
[0058] In step S220, the encoding process may be performed using the above-mentioned encryption algorithm. The transfer-in address can be the address of the wallet to be transferred into.
[0059] In step S230, the digital signature may consist of using the private key Sk to sign the original data. The original data of the transaction (or transfer) may include: the transfer amount and the transfer-in wallet address.
[0060] In step S240, the digital asset transfer data may include: transfer value, transfer-in address, digital signature and transfer-out public key. In this embodiment, the transfer-out signature and transfer-out public key can be added to the original data to generate optimized transaction data. Optimized transaction data can include: transfer amount, transfer-in wallet address, transfer-out signature, and transfer-out public key.
[0061] In step S250, the terminal can send the digital asset transfer data to the authentication end (ie, the authentication server) for authenticating the data through the block chain.
[0062] In the first aspect, when digital assets need to be transferred, this embodiment generates keys and transfer-in addresses by performing a series of processes on random numbers, thereby solving problems of existing keys and transfer-in addresses such as loss, forgetting, or brute-force cracking, and can improve the ability to resist hacker attacks.
[0063] In the second aspect, this embodiment improves the accuracy of authentication through one-level or multi-level authentication, and can meet the security requirements of data and transactions in an open blockchain environment.
[0064] In the third aspect, the transfer of digital assets through the blockchain in this embodiment can quickly process data, making the data open, transparent, and tamper-proof.
[0065] As a first modified embodiment of the embodiment shown in Figure 1, the following steps are added on the basis of the embodiment shown in Fig. 2: S260, receiving encrypted data from the authenticator, the encrypted data being generated by the authenticator by encrypting the random number seed with the transfer-out public key; S270, decrypting the received encrypted data with the transfer-out private key to obtain the random number seed. This embodiment can be applied to a scenario where the transfer amount is small (for example, the upper limit of transfer is 999 yuan). In this embodiment, only the server at the authentication end needs to perform the first-level authentication.
[0066] In this embodiment, the public key Pk is sent by the digital currency APP to the authentication server through the blockchain. The authentication server generates a random number seed Seed, encrypts it with Pk to produce E(seed, Pk), and returns this to the digital currency APP through the blockchain. The digital currency applet in the security chip SE decrypts E(seed, Pk) with the private key Sk and saves the random number seed.
[0067] As the second modified embodiment of the embodiment shown in Figure 1, the following step can be added on the basis of the first modified embodiment: S280, receiving the current time parameter and the first OTP (One-time Password, dynamic password) value from the authenticator, the first OTP value being obtained by hashing the random number seed and the current time parameter.
[0068] As the third modified embodiment of the embodiment shown in Figure 1, the following steps can be added on the basis of the second modified embodiment: S2100, obtaining the second OTP value by hashing the random number seed and the current time parameter; S2110, verifying whether the first OTP value and the second OTP value are equal; S2120, when the verification result indicates that they are equal, the digital asset transfer data passes the multi-level authentication. This embodiment may be two-level authentication, that is, the authenticator performs the first authentication, and then the client performs the second authentication. This embodiment can be applied to introduce an additional means of identity authentication when the transfer amount is large (for example, greater than 1000 yuan). In this case, the receiving party's digital currency APP initiates a large-value transaction authentication application to the authentication server, and the authentication server performs a hash calculation on the initial random number seed and the current time, generates an OTP value, and returns it to the digital currency APP. The digital currency APP passes the received OTP value and the current time to the identity authentication Applet in the security chip SE, and the Applet uses its own saved initial random number seed and the current time to calculate OTP'. When OTP = OTP', the verification passes, and the transaction data is digitally signed and returned to the transaction initiator through the blockchain to complete the transaction.
[0069] This embodiment adopts a scheme in which the server generates the OTP value and the client (SE) authenticates the large payment, which enhances the client's authentication rights and is more scientific and reasonable than the client generating OTP values and being authenticated by the server.
[0070] In some embodiments, encoding the transfer-out public key and generating the transfer-in address (i.e., S220) may include the following steps: S221, obtaining a public key hash value through a hash operation on the transfer-out public key; S222, setting header version data for the public key hash value; S223, setting tail verification data for the public key hash value; S224, encoding the public key hash value with the header version data and tail verification data set, and generating the transfer-in address.
[0071] In some embodiments, the step of setting tail verification data for the public key hash value (i.e., S223) may include: S2231, performing a preset number of hash operations on the public key hash value with the header version data set; S2232, extracting a specified part of the data in the result of the operation, and generating the tail verification data.
[0072] In some embodiments, the preset times are 2 times, and the multi-levels are 2 levels.
[0073] For example, a random number generator is first used to generate a "private key", and the "private key" is processed into a "public key" through the ECC algorithm. The "public key" can be calculated from the known "private key", but the "private key" cannot be derived in reverse when only the "public key" is known. The "public key hash" is obtained from the public key through a hash algorithm, but the "public key" cannot be obtained from the "public key hash". A one-byte address version number is attached to the head of the "public key hash", two hash operations are performed, and the first 4 bytes of the result are used as the verification value of the public key hash and appended to the end. This result is encoded using an encryption algorithm to obtain a "wallet address".
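The address construction of steps S221 to S224 can be sketched as follows, together with the check a receiver would run before accepting an address. This is an added example, not code from the patent: SHA-256 as the hash, a version byte of 0x00, Base58 as the final encoding and all function names are assumptions, since the description does not name them.

```python
import hashlib

# Assumptions (not stated in the patent text): SHA-256 is the hash,
# the header version byte is 0x00, and Base58 is the final encoding.
ALPHABET = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"
VERSION = b"\x00"   # one-byte address version number
HASH_LEN = 32       # length of the public key hash (SHA-256)
CHECK_LEN = 4       # "first 4 bytes of the result" of the two hash operations


def double_hash(data: bytes) -> bytes:
    """Two consecutive hash operations (preset number of times = 2)."""
    return hashlib.sha256(hashlib.sha256(data).digest()).digest()


def b58encode(raw: bytes) -> str:
    n = int.from_bytes(raw, "big")
    out = ""
    while n:
        n, rem = divmod(n, 58)
        out = ALPHABET[rem] + out
    # Leading zero bytes carry no numeric value; keep them as leading '1'.
    pad = len(raw) - len(raw.lstrip(b"\x00"))
    return "1" * pad + out


def b58decode(text: str) -> bytes:
    n = 0
    for ch in text:
        idx = ALPHABET.find(ch)
        if idx < 0:
            raise ValueError("character outside the Base58 alphabet")
        n = n * 58 + idx
    pad = len(text) - len(text.lstrip("1"))
    return b"\x00" * pad + n.to_bytes((n.bit_length() + 7) // 8, "big")


def make_address(public_key: bytes) -> str:
    pk_hash = hashlib.sha256(public_key).digest()   # S221: public key hash
    payload = VERSION + pk_hash                     # S222: header version data
    check = double_hash(payload)[:CHECK_LEN]        # S223: tail verification data
    return b58encode(payload + check)               # S224: encode


def check_address(address: str) -> bool:
    """Recompute the tail verification data and compare it to the stored one."""
    try:
        raw = b58decode(address)
    except ValueError:
        return False
    if len(raw) != len(VERSION) + HASH_LEN + CHECK_LEN:
        return False
    payload, check = raw[:-CHECK_LEN], raw[-CHECK_LEN:]
    if payload[:1] != VERSION:
        return False
    return double_hash(payload)[:CHECK_LEN] == check


if __name__ == "__main__":
    sample_key = bytes(range(1, 34))   # constructed 33-byte stand-in for Pk
    addr = make_address(sample_key)
    print(addr, check_address(addr))
```

The tail verification data catches transcription and transmission errors in an address; it is not an integrity protection against tampering, because anyone can recompute it, which is why the transfer data is also signed in S230.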
[0074] In the above embodiments, the digital currency identity authentication applet loaded in the hardware SE can be used to sign the transaction on the block chain (digital currency transaction), which improves the security and reliability of the transaction.
[0075] Fig. 3 is a schematic flow chart of obtaining digital asset transfer data according to an embodiment of the present invention.
[0076] As shown in Fig. 3, obtaining digital asset transfer data may include: S310, generating the transfer-out private key Sk according to the random number RADOM; S320, performing encryption algorithm processing on the transfer-out private key Sk; S330, generating the transfer-out public key Pk; S340, setting the original data: transfer amount and transfer-in address; S350, digitally signing the original data with the transfer-out private key Sk; S360, generating the transfer-out signature; S370, adding the transfer-out signature and the transfer-out public key Pk to the original data to generate optimized transaction data, the optimized transaction data including: transfer amount, transfer-in address, transfer-out signature, and transfer-out public key Pk.
[0077] Fig. 4 is a schematic flow chart of a blockchain-based authentication method according to another embodiment of the present invention.
[0078] As shown in Fig. 4, the method includes the following steps: S410, receiving the digital asset transfer data broadcast by the terminal in the blockchain; S420, after the first-level authentication, performing multi-level authentication on the digital asset transfer data jointly with the terminal. The digital asset transfer data includes: the transfer value of the digital asset to be transferred, the transfer-in address, the digital signature, and the transfer-out public key used to transfer the digital asset through the blockchain.
[0079] In some embodiments, performing first-level authentication on the received digital asset transfer data includes: performing legality verification on the received digital asset transfer data. For example, after receiving the transaction data, the receiver's digital currency identity authentication Applet decrypts the transaction data through the transfer algorithm to obtain the original transaction data. The data is then checked, including the digital signature, whether the transaction data is greater than zero, and so on. If the verification is correct, the digital currency is successfully transferred from the "transfer-out wallet" to the "transfer-in wallet" to complete the transaction. A unique serial number is generated in the transaction file and synchronized across the entire network through the blockchain.
[0080] This embodiment can be applied to the authentication end side, and the server can act as the action execution subject of this embodiment and specifically perform the operations in the various steps. This embodiment and the embodiment shown in Fig. 2 share the same concept, but describe the blockchain-based authentication method from different perspectives (the perspective of the authentication end and the perspective of the terminal).
[0081] In some embodiments, the multi-level authentication of the digital asset transfer data together with the terminal includes: generating a random number seed; based on the transfer-out public key, encrypting the random number seed and generating encrypted data; sending the encrypted data to the terminal side, for the terminal to decrypt the encrypted data and obtain the random number seed.
[0082] Performing a hash operation on the random number seed and the current time parameter to obtain the first OTP value; sending the first OTP value to the terminal, so that the terminal performs a hash operation on the random number seed and the current time parameter to obtain the second OTP value and verifies whether the first OTP value and the second OTP value are equal; when the verification result indicates that they are equal, the multi-level authentication is passed.
[0083] Fig. 5 is a schematic flow chart of a blockchain-based authentication method according to another embodiment of the present invention. This embodiment describes the implementation of the authentication method from the perspective of data interaction between the terminal and the server.
[0084] As shown in Fig. 5, the method includes the following steps:
[0085] S501, the terminal generates a transfer-out private key Sk for transferring digital assets through the blockchain according to the random number;
[0086] S502, the terminal uses an asymmetric encryption algorithm to perform a series of operations on the transfer-out private key, generates a transfer-out public key Pk, and sends the public key Pk to the server;
[0087] S503, the server generates a random number seed Seed, encrypts the random number seed based on the transfer-out public key Pk, generates encrypted data E(Seed, Pk), and sends the encrypted data to the terminal;
[0088] S504, the terminal decrypts the encrypted data with the private key Sk, and obtains and saves the random number seed Seed. The terminal sends optimized transaction data to the server;
[0089] S505, the server judges whether the transfer amount reaches a threshold (for example, the threshold is 1000 yuan);
[0090] S506, when the threshold is not reached, the server performs a first-level authentication on the optimized transaction data;
[0091] S507, when the threshold is reached, the server performs a hash operation on the random number seed Seed and the current time to obtain the OTP value, and sends the current time and the OTP value to the terminal;
[0092] S508, the terminal performs a hash operation on the random number seed Seed and the current time parameter to obtain the OTP' value;
[0093] S509, the terminal verifies whether the OTP value and the OTP' value are equal;
[0094] S510, when the verification result indicates equality, pass the secondary authentication.
[0095] In this embodiment, the security chip of the terminal can use a random number generator to generate a private key Sk, and the private key is processed into a public key Pk through an ECC algorithm. The public key Pk is sent by the digital currency APP to the authentication server through the blockchain. The authentication server generates a random number seed Seed, encrypts it with Pk to produce E(seed, Pk), and returns this to the digital currency APP through the blockchain. The digital currency applet in the security chip SE decrypts E(seed, Pk) with the private key Sk and saves the random number seed.
[0096] When a transaction is initiated, the transaction data is generated by the transfer-out wallet private key Sk'. The original data of the transaction includes the "transfer amount" and the "transfer-in wallet address", and the private key Sk' is then used to sign the original data. After the transfer-out private key is processed by the ECC algorithm, the transfer-out public key Pk' is obtained. The transfer-out signature and transfer-out public key are added to the original data to generate optimized transaction data, which is sent to the receiver node's digital currency APP through the blockchain.
[0097] After receiving the transaction data, the receiver's digital currency identity authentication Applet decrypts the transaction data through the transfer algorithm to obtain the original transaction data. When the transfer amount is less than 1,000 yuan (that is, the upper limit is 999 yuan), the data is checked, including the digital signature. If the verification is correct, the digital currency is successfully transferred from the "transfer-out wallet" to the "transfer-in wallet" to complete the transaction. A unique serial number is generated in the transaction file and synchronized across the entire network through the blockchain.
[0098] When the transfer amount is greater than 1,000 yuan, an additional means of identity authentication is introduced. In this case, the recipient's digital currency APP initiates a large-value transaction authentication application to the authentication server, and the authentication server performs a hash calculation on the initial random number seed and the current time to generate an OTP value (that is, the first OTP value) and returns it to the digital currency APP. The digital currency APP passes the received OTP value together with the current time to the identity authentication Applet in the security chip SE, and the Applet uses the initial random number seed saved by itself and the current time to calculate OTP' (that is, the second OTP value). When OTP = OTP', the verification is passed and the transaction is completed.
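The threshold decision and OTP comparison of steps S505 to S510 can be sketched as below. This is an added example, not code from the patent: HMAC-SHA256 as the "hash operation on the seed and the current time", the 30-second freshness window, and the class and function names are assumptions, and the seed is handed over directly where the patent delivers it as E(Seed, Pk).

```python
import hashlib
import hmac
import secrets

THRESHOLD_YUAN = 1000      # example threshold given in S505
MAX_SKEW_SECONDS = 30      # assumption: freshness window, not in the patent


def derive_otp(seed: bytes, timestamp: int) -> str:
    """Hash of the random number seed and the time parameter.

    HMAC-SHA256 is an assumed instantiation; the patent only says "hash".
    """
    return hmac.new(seed, timestamp.to_bytes(8, "big"), hashlib.sha256).hexdigest()


class AuthServer:
    """Authentication end: owns one seed per enrolled terminal."""

    def __init__(self):
        self._seeds = {}

    def enroll(self, terminal_id: str) -> bytes:
        seed = secrets.token_bytes(32)     # S503: generate the seed
        self._seeds[terminal_id] = seed
        return seed                        # stands in for sending E(Seed, Pk)

    def challenge(self, terminal_id: str, amount: int, now: int):
        """Return None below the threshold (S506), else (time, OTP) (S507)."""
        if amount < THRESHOLD_YUAN:
            return None
        return now, derive_otp(self._seeds[terminal_id], now)


class Terminal:
    """Terminal side: the SE applet keeps the seed from S504."""

    def __init__(self, seed: bytes):
        self._seed = seed

    def verify(self, server_time: int, otp: str, local_now: int) -> bool:
        # The time parameter arrives from the server, so bound it with the
        # terminal's own clock; otherwise an old (time, OTP) pair stays valid.
        if abs(local_now - server_time) > MAX_SKEW_SECONDS:
            return False
        expected = derive_otp(self._seed, server_time)   # S508: OTP'
        return hmac.compare_digest(expected, otp)        # S509 / S510


if __name__ == "__main__":
    server = AuthServer()
    terminal = Terminal(server.enroll("terminal-1"))
    t0 = 1_700_000_000                                   # constructed timestamp
    print(server.challenge("terminal-1", 999, t0))       # first-level only
    ts, otp = server.challenge("terminal-1", 1000, t0)
    print(terminal.verify(ts, otp, t0 + 5))              # fresh challenge
    print(terminal.verify(ts, otp, t0 + 3600))           # replayed an hour later
```

Because the OTP and the time parameter travel together, the freshness check against the terminal's own clock is what keeps a captured pair from being accepted later; the comparison itself uses a constant-time function.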
[0099] It should be noted that those skilled in the art can flexibly adjust the order of the above operation steps according to actual needs, or perform operations such as flexible combination of the above steps, if there is no conflict. For the sake of brevity, various implementation manners are not described in detail. In addition, the contents of the various embodiments may be referred to each other.
[0100] Fig. 6 is a schematic structural diagram of a blockchain-based authentication device according to an embodiment of the present invention. This embodiment can be applied to the terminal side.
[0101] As shown in Fig. 6, the blockchain-based authentication device 600 may include: a key generation unit 610, an address generation unit 620, a digital signature unit 630, a data generation unit 640 and a data broadcast unit 650. The key generation unit 610 can be used to generate, according to the random number, the transfer-out private key and the corresponding transfer-out public key for transferring digital assets through the blockchain; the address generation unit 620 can be used to encode the transfer-out public key and generate the transfer-in address; the digital signature unit 630 can be used to digitally sign the transfer value and the transfer-in address of the digital asset to be transferred based on the transfer-out private key; the data generation unit 640 can be used to obtain the digital asset transfer data based on the transfer value, transfer-in address, digital signature and transfer-out public key; the data broadcast unit 650 can be used to broadcast the digital asset transfer data to the blockchain, so that the authentication end performs first-level authentication on the digital asset transfer data, or, after the first-level authentication, the server and the authentication end jointly perform multi-level authentication on the digital asset transfer data. It can be understood that the digital signature unit 630 can also digitally sign other necessary data.
[0102] It should be noted that the implementation of the functional units or functional modules shown in this embodiment may be hardware, software, firmware or a combination thereof. When implemented in hardware, it may be, for example, an electronic circuit, an application specific integrated circuit (ASIC), suitable firmware, a plug-in, a function card, or the like. When implemented in software, the elements of the invention are the programs or code segments employed to perform the required tasks. Programs or code segments can be stored in machine-readable media, or transmitted over transmission media or communication links by data signals carried in carrier waves. "Machine-readable medium" may include any medium that can store or transmit information. Examples of machine-readable media include electronic circuits, semiconductor memory devices, ROM, flash memory, erasable ROM (EROM), floppy disks, CD-ROMs, optical disks, hard disks, fiber optic media, radio frequency (RF) links, and the like. Code segments may be downloaded via a computer network such as the Internet, an Intranet, or the like.
[0103] as Image 6 A first variant embodiment of the illustrated embodiment can be found in Image 6 Added on the basis of the embodiment: a data receiving unit and a data decryption unit. Wherein, the data receiving unit can be used to receive encrypted data from the authenticator, and the encrypted data is generated by the authenticator by encrypting the random number seed with the transfer-out public key; the data decryption unit can be used to use the transfer-out private key to encrypt the received Encrypted data is decrypted to obtain a random number seed.
[0104] The second modified embodiment of the embodiment illustrated in Figure 6 may add, on the basis of the first modified embodiment, a data receiving unit. The data receiving unit may further be configured to receive the current time parameter and the first OTP value from the authenticator, where the first OTP value is obtained by hashing the random number seed and the current time parameter.
[0105] The third modified embodiment of the embodiment illustrated in Figure 6 may add, on the basis of the third modified embodiment, a hash operation unit and a data verification unit. The hash operation unit can be used to obtain the second OTP value by performing a hash operation on the random number seed and the current time parameter; the data verification unit can be used to verify whether the first OTP value and the second OTP value are equal. When the verification result indicates that they are equal, the digital asset transfer data passes multi-level authentication.
[0106] In some embodiments, the address generating unit may include: a hash operation module, a header setting module, a tail setting module and a data encoding module. The hash operation module can be used to obtain the public key hash value by performing a hash operation on the transfer-in public key; the header setting module can be used to set the header version data for the public key hash value; the tail setting module can be used to set the tail check data for the public key hash value; the data encoding module can be used to encode the public key hash value, with the header version data and tail check data set, to generate the transfer-in address.
[0107] In some embodiments, the tail setting module may include: a hash operation element and a data extraction element. The hash operation element can be used to perform a preset number of hash operations on the public key hash value with the header version data set; the data extraction element can be used to extract a specified part of the result of that operation and generate the tail check data.
[0108] In some embodiments, the preset number of times is 2 and the multi-level authentication has 2 levels. It can be understood that the preset number of times can also be 3 or 4, and the multi-level authentication can also have 3 or 4 levels. Since a larger number makes the calculation more complicated, a preset number of 2 and 2 levels of authentication give the best authentication effect while still satisfying the required operation speed.
[0109] In some embodiments, the key generating unit is further configured to: based on the transfer-out private key, use at least one asymmetric encryption algorithm among the elliptic curve encryption algorithm (ECC), the RSA encryption algorithm, the Elgamal encryption algorithm, the D-H encryption algorithm, and the national secret SM2 algorithm to generate the corresponding transfer-out public key.
[0110] In each of the embodiments shown in Figure 6, the blockchain-based authentication device 600 may be a mobile terminal.
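The address construction of [0106] to [0108] (hash the public key, set the header version data, derive the tail check data from 2 hash rounds, encode) can be sketched as follows, together with the check a receiver would run before accepting an address. This is an added example, not code from the patent; SHA-256, the one-byte version `0x00`, the 4-byte tail and Base58 encoding are assumptions modelled on Base58Check, and the sample key is constructed.

```python
import hashlib

B58 = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"
VERSION = b"\x00"   # assumed header version data
ROUNDS = 2          # "preset number of times" from [0108]
CHECK_LEN = 4       # assumed length of the extracted tail check data

def tail_check(payload: bytes) -> bytes:
    """Hash version+key hash ROUNDS times and keep the leading bytes."""
    digest = payload
    for _ in range(ROUNDS):
        digest = hashlib.sha256(digest).digest()
    return digest[:CHECK_LEN]

def b58encode(raw: bytes) -> str:
    num, out = int.from_bytes(raw, "big"), ""
    while num:
        num, rem = divmod(num, 58)
        out = B58[rem] + out
    pad = len(raw) - len(raw.lstrip(b"\x00"))   # leading zero bytes become "1"
    return "1" * pad + out

def b58decode(text: str) -> bytes:
    num = 0
    for ch in text:
        num = num * 58 + B58.index(ch)   # ValueError for a foreign character
    pad = len(text) - len(text.lstrip("1"))
    return b"\x00" * pad + num.to_bytes((num.bit_length() + 7) // 8, "big")

def make_address(public_key: bytes) -> str:
    key_hash = hashlib.sha256(public_key).digest()   # public key hash value
    payload = VERSION + key_hash                      # header version data set
    return b58encode(payload + tail_check(payload))   # tail check data appended

def verify_address(address: str) -> bool:
    """Reject addresses that are malformed or whose tail check does not match."""
    try:
        raw = b58decode(address)
    except ValueError:
        return False
    if len(raw) != 1 + 32 + CHECK_LEN or raw[:1] != VERSION:
        return False
    payload, check = raw[:-CHECK_LEN], raw[-CHECK_LEN:]
    return tail_check(payload) == check

SAMPLE_PUBLIC_KEY = bytes.fromhex("04" + "11" * 64)   # constructed sample key
```

The tail check data only detects accidental corruption of an address; it is not keyed, so it gives no protection against an address that was deliberately substituted.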
[0111] Figure 7 is a schematic structural diagram of a blockchain-based authentication device according to another embodiment of the present invention. This embodiment can be applied to the authentication terminal side.
[0112] As shown in Figure 7, the blockchain-based authentication device 700 may include: a data receiving unit 710 and a data authentication unit 720. The data receiving unit 710 can be used to receive the digital asset transfer data broadcast by the terminal in the blockchain; the data authentication unit 720 can be used to perform first-level authentication on the received digital asset transfer data, or, after the first-level authentication, to perform multi-level authentication of the digital asset transfer data together with the terminal. The digital asset transfer data includes: the transfer value of the digital asset to be transferred, the transfer-in address, the digital signature, and the transfer-out public key for transferring digital assets through the blockchain.
[0113] In some embodiments, the data authentication unit may include: a first-level authentication module. The first-level authentication module can be used to verify the legality of the received digital asset transfer data.
[0114] The multi-level authentication module may include: a seed production element, a data encryption element, a data sending element, a hash operation element and a value sending element. The seed production element can be used to generate a random number seed; the data encryption element can be used to encrypt the random number seed based on the transfer-out public key and generate encrypted data; the data sending element can be used to send the encrypted data to the terminal side, for the terminal to decrypt the encrypted data and obtain the random number seed; the hash operation element can be used to perform a hash operation on the random number seed and the current time parameter to obtain the first OTP value; the value sending element can be used to send the first OTP value to the terminal, for the terminal to: obtain the second OTP value by hashing the random number seed and the current time parameter, verify whether the first OTP value and the second OTP value are equal, and, when the verification result indicates that they are equal, pass multi-level authentication.
[0115] In each of the embodiments illustrated in Figure 7, the blockchain-based authentication device 600 may be an authentication server.
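The OTP exchange of [0104], [0105] and [0114] can be sketched as below, with the authenticator issuing the first OTP value and the terminal recomputing the second one. This is an added example, not code from the patent: SHA-256, the 8-byte time encoding, the `MAX_SKEW` freshness window and the replay check are assumptions, and the seed is taken as already delivered to the terminal (the public-key encryption step is not modelled).

```python
import hashlib
import hmac
import secrets
import struct

MAX_SKEW = 30   # seconds; assumed freshness window, not stated in the patent

def otp_value(seed: bytes, time_param: int) -> bytes:
    """Hash the random number seed together with the current time parameter."""
    # Fixed-width time encoding keeps the seed||time concatenation unambiguous.
    return hashlib.sha256(seed + struct.pack(">Q", time_param)).digest()

class Authenticator:
    def __init__(self):
        self.seed = secrets.token_bytes(32)   # random number seed

    def issue(self, now: int):
        """Return (current time parameter, first OTP value) for the terminal."""
        return now, otp_value(self.seed, now)

class Terminal:
    def __init__(self, seed: bytes):
        self.seed = seed       # recovered by decrypting the authenticator's message
        self.last_time = -1    # highest time parameter accepted so far

    def verify(self, time_param: int, first_otp: bytes, now: int) -> bool:
        if abs(now - time_param) > MAX_SKEW:
            return False       # stale or future-dated time parameter
        if time_param <= self.last_time:
            return False       # already accepted: treat as a replay
        second_otp = otp_value(self.seed, time_param)
        # Constant-time comparison of the first and second OTP values.
        if not hmac.compare_digest(first_otp, second_otp):
            return False
        self.last_time = time_param
        return True
```

Without the freshness and replay checks, a captured (time parameter, OTP) pair would verify indefinitely, because the comparison alone only proves knowledge of the seed at some point in time.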
[0116] It should be noted that the devices in the above embodiments can be used as the execution subject in the methods of the above embodiments, and can realize the corresponding processes in the methods. For the sake of brevity, the content in this aspect will not be repeated.
[0117] Through the above description of the implementations, those skilled in the art can clearly understand that each implementation can be implemented by means of software plus a necessary general hardware platform, and of course also by hardware. Based on this understanding, the essence of the above technical solution or the part that contributes to the prior art can be embodied in the form of software products, and the computer software products can be stored in computer-readable storage media, such as ROM/RAM, magnetic discs, optical discs, etc., including several instructions to make a computer device (which may be a personal computer, server, or network device, etc.) execute the methods described in various embodiments or some parts of the embodiments.
[0118] Finally, it should be noted that the above embodiments are only used to illustrate the technical solutions of the present invention, rather than to limit them. Although the present invention has been described in detail with reference to the foregoing embodiments, those of ordinary skill in the art should understand that modifications can still be made to the technical solutions described in the foregoing embodiments, or equivalent replacements can be made to some of the technical features; and these modifications or replacements do not make the essence of the corresponding technical solutions deviate from the spirit and scope of the technical solutions of the various embodiments of the present invention.