Cross-domain resource access method, apparatus, device, and storage medium
By separating cross-domain authentication and authorization in the consortium blockchain, the problem of data abuse between different resource domains is solved, and the security and effectiveness of cross-domain resource access are achieved.
Patent Information
- Authority / Receiving Office
- CN · China
- Patent Type
- Patents(China)
- Current Assignee / Owner
- CHINA MOBILE GROUP DESIGN INST
- Filing Date
- 2022-07-13
- Publication Date
- 2026-06-23
AI Technical Summary
It is difficult to conduct effective cross-domain resource access between different resource domains while avoiding data abuse.
When a cross-domain authentication request is received, an endorsement authentication request is constructed, published to the consortium blockchain for trusted authentication, and the trusted authentication response is forwarded when the authentication is successful. Then, a resource authorization request is published and the resource authorization response is read to achieve cross-domain resource access.
This achieves the separation of authentication and authorization during cross-domain access, clarifies the responsibilities of each node, and reduces the risk of data misuse.
Figure CN116962397B_ABST (abstract drawing)
Abstract
Description
Technical Field
[0001] This invention relates to the field of computer technology, and in particular to a method, apparatus, device, and storage medium for cross-domain resource access.
Background Technology
[0002] Currently, different provinces, municipalities, government departments, units, organizations, and enterprises (hereinafter collectively referred to as resource domains) all possess a large amount of data. The data held by different resource domains form data silos, making it difficult for different resource domains to effectively access cross-domain resources while avoiding data abuse.
[0003] The above content is only used to help understand the technical solution of the present invention and does not represent an admission that the above content is prior art.
Summary of the Invention
[0004] The main objective of this invention is to provide a method, apparatus, device, and storage medium for cross-domain resource access, aiming to solve the technical problem that existing technologies struggle to effectively access cross-domain resources while avoiding data misuse.
[0005] To achieve the above objectives, the present invention provides a cross-domain resource access method, the method comprising the following steps:
[0006] Upon receiving a cross-domain authentication request sent by a user node in the first resource domain, an endorsement authentication request is constructed based on the cross-domain authentication request;
[0007] The endorsement authentication request is published to the consortium blockchain so that the global authentication node in the consortium blockchain can perform trusted authentication based on the endorsement authentication request and publish a trusted authentication response when the authentication is successful.
[0008] The trusted authentication response is read from the consortium blockchain and forwarded to the user node so that the user node can respond with a resource authorization request;
[0009] The resource authorization request is published to the consortium blockchain, so that the target node in the second resource domain publishes a resource authorization response to the consortium blockchain according to the resource authorization request;
[0010] The resource authorization response is read from the consortium blockchain and sent to the user node so that the user node can access cross-domain resources based on the resource authorization response.
[0011] Optionally, the step of constructing an endorsement authentication request based on the cross-domain authentication request includes:
[0012] Extract the cross-domain request parameters and user signature data from the cross-domain authentication request;
[0013] The cross-domain request parameters are signed with a preset endorsement private key to generate an endorsement signature (the original text describes this as encrypting the parameters with the private key; the result is a signature that is verified with the endorsement node's certificate);
[0014] A joint signature is generated from the endorsement signature and the user signature data, and an endorsement authentication request is constructed from the joint signature and the cross-domain request parameters.
[0015] Optionally, before the step of signing the cross-domain request parameters with the preset endorsement private key to generate an endorsement signature, the method further includes:
[0016] Extract the user node identifier and user signature certificate from the cross-domain request parameters;
[0017] Look up the cached signature certificate corresponding to the user node identifier;
[0018] If the user signature certificate matches the cached signature certificate, perform the step of signing the cross-domain request parameters with the preset endorsement private key to generate an endorsement signature; on a mismatch the request is not endorsed.
[0019] Optionally, the step of publishing the endorsement authentication request to the consortium blockchain, so that the global authentication nodes in the consortium blockchain can perform trusted authentication based on the endorsement authentication request, and publish a trusted authentication response when the authentication is successful, includes:
[0020] The endorsement authentication request is published to the consortium blockchain, so that the global authentication node in the consortium blockchain can extract the endorsement request parameters and the joint signature from the endorsement authentication request, perform trusted authentication on the joint signature according to the endorsement request parameters, generate a single-use communication key when the authentication is successful, extract the user encryption certificate from the endorsement authentication request, and generate and publish a trusted authentication response according to the single-use communication key, the user encryption certificate and the endorsement request parameters.
[0021] Optionally, the step of forwarding the trusted authentication response to the user node so that the user node responds with a resource authorization request includes:
[0022] The trusted authentication response is forwarded to the user node, so that the user node can decrypt the trusted authentication response using the user's encryption private key to obtain a random session key, generate a resource authorization request based on the random session key, and then send the resource authorization request back.
[0023] Optionally, the step of publishing the resource authorization request to the consortium blockchain, so that the target node in the second resource domain publishes a resource authorization response to the consortium blockchain according to the resource authorization request, includes:
[0024] The resource authorization request is published to the consortium blockchain, enabling the target node in the second resource domain to extract node identification data, first encrypted data, and second encrypted data from the resource authorization request. The first encrypted data is decrypted using a pre-shared communication key and the node identification data to obtain a random session key. The second encrypted data is then decrypted using the random session key to obtain a target resource identifier. The corresponding resource access key is located using the target resource identifier. A resource authorization response is generated using the random session key and the resource access key, and the resource authorization response is published to the consortium blockchain.
[0025] Optionally, the step of sending the resource authorization response to the user node, so that the user node can perform cross-domain resource access based on the resource authorization response, includes:
[0026] The resource authorization response is sent to the user node, so that the user node can decrypt the resource authorization response according to the cached random session key to obtain the resource access key, and perform cross-domain resource access according to the resource access key.
[0027] Furthermore, to achieve the above objectives, the present invention also proposes a cross-domain resource access device, which includes the following modules:
[0028] The data receiving module is used to construct an endorsement authentication request based on the cross-domain authentication request when it receives a cross-domain authentication request sent by a user node in the first resource domain.
[0029] The request publishing module is used to publish the endorsement authentication request to the consortium blockchain, so that the global authentication nodes in the consortium blockchain can perform trusted authentication based on the endorsement authentication request and publish a trusted authentication response when the authentication is successful.
[0030] The data reading module is used to read the trusted authentication response from the consortium blockchain and forward the trusted authentication response to the user node, so that the user node can respond with a resource authorization request;
[0031] The authorization request module is used to publish the resource authorization request to the consortium blockchain, so that the target node in the second resource domain publishes a resource authorization response to the consortium blockchain according to the resource authorization request;
[0032] The authorization response module is used to read the resource authorization response from the consortium blockchain and send the resource authorization response to the user node, so that the user node can access cross-domain resources based on the resource authorization response.
[0033] Furthermore, to achieve the above objectives, the present invention also proposes a cross-domain resource access device, which includes: a processor, a memory, and a cross-domain resource access program stored in the memory and executable on the processor. When the cross-domain resource access program is executed by the processor, it implements the steps of the cross-domain resource access method as described above.
[0034] Furthermore, to achieve the above objectives, the present invention also proposes a computer-readable storage medium storing a cross-domain resource access program, which, when executed, implements the steps of the cross-domain resource access method as described above.
[0035] This invention, upon receiving a cross-domain authentication request from a user node in a first resource domain, constructs an endorsement authentication request based on the cross-domain authentication request; publishes the endorsement authentication request to the consortium blockchain, enabling global authentication nodes in the consortium blockchain to perform trusted authentication based on the endorsement authentication request and publish a trusted authentication response upon successful authentication; reads the trusted authentication response from the consortium blockchain and forwards it to the user node, enabling the user node to respond with a resource authorization request; publishes the resource authorization request to the consortium blockchain, enabling target nodes in a second resource domain to publish a resource authorization response to the consortium blockchain based on the resource authorization request; reads the resource authorization response from the consortium blockchain and sends it to the user node, enabling the user node to access cross-domain resources based on the resource authorization response. By separating the authentication and authorization processes during cross-domain access, consortium blockchain authentication and resource domain authorization are decoupled, and the responsibilities of each node are clearly defined, thereby ensuring cross-domain resource access while reducing the risk of data misuse.
Attached Figure Description
[0036] Figure 1 is a schematic diagram of the structure of an electronic device in the hardware operating environment involved in the embodiments of the present invention;
[0037] Figure 2 is a flowchart illustrating the first embodiment of the cross-domain resource access method of the present invention;
[0038] Figure 3 is a schematic diagram of the system structure of the system involved in the cross-domain resource access method of the present invention;
[0039] Figure 4 is a flowchart illustrating the second embodiment of the cross-domain resource access method of the present invention;
[0040] Figure 5 is a structural block diagram of the first embodiment of the cross-domain resource access device of the present invention.
[0041] The realization of the objective, functional features and advantages of the present invention will be further explained in conjunction with the embodiments and with reference to the accompanying drawings.
Detailed Implementation
[0042] It should be understood that the specific embodiments described herein are for illustrative purposes only and are not intended to limit the scope of the invention.
[0043] Referring to Figure 1, Figure 1 is a schematic diagram of the cross-domain resource access device structure of the hardware operating environment involved in the embodiments of the present invention.
[0044] As shown in Figure 1, the electronic device may include: a processor 1001, such as a central processing unit (CPU), a communication bus 1002, a user interface 1003, a network interface 1004, and a memory 1005. The communication bus 1002 is used to enable communication between these components. The user interface 1003 may include a display screen or an input unit such as a keyboard; optionally, the user interface 1003 may also include a standard wired interface or a wireless interface. The network interface 1004 may optionally include a standard wired interface or a wireless interface (such as a Wi-Fi interface). The memory 1005 may be high-speed random access memory (RAM) or stable non-volatile memory (NVM), such as a disk drive. The memory 1005 may also optionally be a storage device independent of the aforementioned processor 1001.
[0045] Those skilled in the art will understand that the structure shown in Figure 1 does not constitute a limitation on the electronic device, which may include more or fewer components than shown, combine certain components, or have a different component arrangement.
[0046] As shown in Figure 1, the memory 1005, which serves as a storage medium, may include an operating system, a network communication module, a user interface module, and a cross-domain resource access program.
[0047] In the electronic device shown in Figure 1, the network interface 1004 is mainly used for data communication with the network server; the user interface 1003 is mainly used for data interaction with the user; the processor 1001 and the memory 1005 in the electronic device of the present invention can be set in the cross-domain resource access device. The electronic device calls the cross-domain resource access program stored in the memory 1005 through the processor 1001 and executes the cross-domain resource access method provided in the embodiment of the present invention.
[0048] This invention provides a method for cross-domain resource access. Referring to Figure 2, Figure 2 is a flowchart illustrating the first embodiment of a cross-domain resource access method according to the present invention.
[0049] In this embodiment, the cross-domain resource access method includes the following steps:
[0050] Step S10: Upon receiving a cross-domain authentication request sent by a user node in the first resource domain, construct an endorsement authentication request based on the cross-domain authentication request.
[0051] It should be noted that the execution subject in this embodiment can be the cross-domain resource access device, which can be a personal computer, server or other electronic device, or a device that can perform the same or similar functions. This embodiment does not limit this. In this embodiment and the following embodiments, the cross-domain resource access device is used as an example to illustrate the cross-domain resource access method of the present invention.
[0052] It should be noted that the first resource domain can be any resource domain in the consortium blockchain, the user node can be any terminal or account used by any user in the first resource domain, and the cross-domain resource access device can be a resource domain trust endorsement node in the first resource domain. When a user node in the first resource domain needs to access data in other resource domains, it will send a cross-domain authentication request to the cross-domain resource access device. Upon receiving the cross-domain authentication request, the cross-domain resource access device will read the relevant data in the cross-domain authentication request, process it further, and thus generate an endorsement authentication request.
[0053] Step S20: Publish the endorsement authentication request to the consortium blockchain so that the global authentication node in the consortium blockchain can perform trusted authentication based on the endorsement authentication request and publish a trusted authentication response when the authentication is successful.
[0054] It should be noted that the global authentication node can be a node belonging to the consortium blockchain. The global authentication node will monitor in real time whether there are any new endorsement authentication requests on the consortium blockchain. If there are, it will read the endorsement authentication request, perform trusted authentication based on the endorsement authentication request, and then publish the trusted authentication response corresponding to the endorsement authentication request to the consortium blockchain when the authentication is successful.
[0055] Furthermore, to facilitate subsequent data authentication, step S20 in this embodiment may include:
[0056] The endorsement authentication request is published to the consortium blockchain, so that the global authentication node in the consortium blockchain can extract the endorsement request parameters and the joint signature from the endorsement authentication request, perform trusted authentication on the joint signature according to the endorsement request parameters, generate a single-use communication key when the authentication is successful, extract the user encryption certificate from the endorsement authentication request, and generate and publish a trusted authentication response according to the single-use communication key, the user encryption certificate and the endorsement request parameters.
[0057] It should be noted that the endorsement request parameters may include: the resource identifier of the resource to be accessed across domains, a timestamp, the user identifier of the user node, the user signing certificate, the user encryption certificate, and the node identifier of the trust endorsement node in the first resource domain. The resource to be accessed across domains is the target resource of the user node's cross-domain access. The global authentication node extracts the user signing certificate from the endorsement request parameters and uses the public key in that certificate to verify the user's part of the joint signature against the endorsement request parameters; since the joint signature also carries the endorsement signature, that part is verified correspondingly with the endorsement node's public key. If verification succeeds, the endorsement authentication request indeed originated from the cross-domain resource access device and the identity is authentic and valid, so a trusted authentication response can be generated and published on the consortium blockchain.
[0058] In practical use, the single-use communication key can be calculated from the node identifier of the global authentication node and the pre-shared communication key using a preset key generation algorithm. The preset key generation algorithm can be the SM4 national cryptographic algorithm (the block cipher of GB/T 32907-2016, for example by encrypting the node identifier under the pre-shared key), and the pre-shared communication key can be issued by the symmetric key management system in the consortium blockchain.
[0059] It should be noted that the trusted authentication response may include: the node identifier of the trust endorsement node in the first resource domain, the user identifier of the user node, the global authentication node identifier, single-use communication encrypted data, and certificate encrypted data. The single-use communication encrypted data is obtained by encrypting the data to be encrypted with the single-use communication key, and the certificate encrypted data by encrypting the same data with the public key in the user's encryption certificate. The data to be encrypted may include: the resource identifier of the resource to be accessed across domains, the timestamp, the user identifier of the user node, and the random session key; wherein the random session key can be generated by the random number generation component of the global authentication node.
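The endorsement-request construction of [0012]-[0018] and the joint-signature check of [0056]-[0057], as an added example that is not part of the patent. It is Go code written for this page, using ECDSA P-256 over a SHA-256 digest of the parameters in place of the national cryptographic algorithms the patent's certificate system would use, with PKIX-encoded public keys standing in for the signing certificates. The registry of endorsement node certificates held by the global authentication node, the 300 second timestamp freshness window, and the verification of the endorsement signature against the endorsement node's own certificate are assumptions of the example; the user, resource and node identifiers are constructed values.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"encoding/json"
	"errors"
	"fmt"
	"time"
)

// Params are the endorsement request parameters of [0057]; the certificate
// field holds a PKIX public key standing in for the business CA's X.509 cert.
type Params struct {
	ResourceID  string
	Timestamp   int64
	UserID      string
	UserSigCert []byte
	EndorserID  string
}

// EndorsementRequest carries the joint signature of [0014].
type EndorsementRequest struct {
	Params      Params
	UserSig     []byte
	EndorserSig []byte
}

// digest is what both parties sign; json.Marshal of a struct is deterministic.
func digest(p Params) []byte {
	b, _ := json.Marshal(p)
	h := sha256.Sum256(b)
	return h[:]
}
func certOf(k *ecdsa.PrivateKey) []byte {
	b, _ := x509.MarshalPKIXPublicKey(&k.PublicKey)
	return b
}
func verify(cert, d, sig []byte) bool { // checks sig over d with the key in cert
	k, err := x509.ParsePKIXPublicKey(cert)
	pk, ok := k.(*ecdsa.PublicKey)
	return err == nil && ok && ecdsa.VerifyASN1(pk, d, sig)
}

// EndorsementNode is the first domain's resource-domain trust endorsement node.
type EndorsementNode struct {
	key       *ecdsa.PrivateKey
	certCache map[string][]byte // user ID -> cached signing certificate ([0017])
}

// Endorse implements [0012]-[0018]: refuse when the presented signing certificate
// differs from the cached one, otherwise sign and pair with the user's signature.
func (n *EndorsementNode) Endorse(p Params, userSig []byte) (*EndorsementRequest, error) {
	if cached, ok := n.certCache[p.UserID]; !ok || string(cached) != string(p.UserSigCert) {
		return nil, errors.New("signing certificate differs from cached certificate")
	}
	es, err := ecdsa.SignASN1(rand.Reader, n.key, digest(p))
	if err != nil {
		return nil, err
	}
	return &EndorsementRequest{Params: p, UserSig: userSig, EndorserSig: es}, nil
}

// GlobalAuthNode performs the trusted authentication of [0056]-[0057]: both halves of
// the joint signature must verify. Its certificate registry and the 300 s window are assumed.
type GlobalAuthNode struct{ endorserCerts map[string][]byte }
func (g *GlobalAuthNode) Authenticate(r *EndorsementRequest) error {
	d := digest(r.Params)
	if !verify(r.Params.UserSigCert, d, r.UserSig) {
		return errors.New("user half of joint signature invalid")
	}
	if ec, ok := g.endorserCerts[r.Params.EndorserID]; !ok || !verify(ec, d, r.EndorserSig) {
		return errors.New("endorsement half of joint signature invalid")
	}
	if age := time.Now().Unix() - r.Params.Timestamp; age < 0 || age > 300 {
		return errors.New("timestamp outside freshness window")
	}
	return nil
}

// RunScenario authenticates one honest request and a copy altered after signing.
func RunScenario() (honest, tampered error) {
	userKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	endorserKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	p := Params{"res-B-42", time.Now().Unix(), "alice@domainA", certOf(userKey), "endorser-A"}
	userSig, _ := ecdsa.SignASN1(rand.Reader, userKey, digest(p))
	endorser := &EndorsementNode{endorserKey, map[string][]byte{"alice@domainA": certOf(userKey)}}
	gan := &GlobalAuthNode{map[string][]byte{"endorser-A": certOf(endorserKey)}}
	req, err := endorser.Endorse(p, userSig)
	if err != nil {
		return err, err
	}
	bad := *req
	bad.Params.ResourceID = "res-B-99" // changed after both signatures were produced
	return gan.Authenticate(req), gan.Authenticate(&bad)
}

func main() { fmt.Println(RunScenario()) }
```

Run with `go run`: the honest request authenticates and the copy whose resource identifier was changed after signing fails, because each signature covers the full parameter set. The freshness check matters because nothing else in an endorsement authentication request is single-use; without it a request captured from the chain could be republished later.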
[0060] Step S30: Read the trusted authentication response from the consortium blockchain and forward the trusted authentication response to the user node so that the user node can respond with a resource authorization request.
[0061] It should be noted that after the cross-domain resource access device publishes the endorsement authentication request to the consortium blockchain, it will monitor in real time whether a trusted authentication response corresponding to the endorsement authentication request is generated in the consortium blockchain. If it is generated, it means that the endorsement authentication request has passed the authentication of the consortium blockchain. At this time, it can read the trusted authentication response corresponding to the endorsement authentication request from the consortium blockchain and forward the trusted authentication response to the user node. The user node will then read the relevant parameters required for cross-domain access from the trusted authentication response, generate a resource authorization request based on the parameters, and then feed the resource authorization request back to the cross-domain resource access device.
[0062] Furthermore, to facilitate identity authentication by authorized nodes in the second resource domain, the step of forwarding the trusted authentication response to the user node, so that the user node responds with a resource authorization request, may include:
[0063] The trusted authentication response is forwarded to the user node, so that the user node can decrypt the trusted authentication response using the user's encryption private key to obtain a random session key, generate a resource authorization request based on the random session key, and then send the resource authorization request back.
[0064] It should be noted that the user's encryption private key is the private key corresponding to the user's encryption certificate. After receiving the trusted authentication response forwarded by the cross-domain resource access device, the user node reads the certificate encrypted data from the trusted authentication response and decrypts it using the user's encryption private key to obtain the random session key.
[0065] In practical use, generating a resource authorization request based on the random session key can be achieved by taking the single-use communication encrypted data from the trusted authentication response as the first encrypted data, symmetrically encrypting the authorization request parameters under the random session key to obtain the second encrypted data, and then generating the resource authorization request from the node identifier of the resource domain authorization node in the second resource domain, the global authentication node identifier, the first encrypted data, and the second encrypted data.
[0066] Step S40: Publish the resource authorization request to the consortium blockchain, so that the target node in the second resource domain publishes a resource authorization response to the consortium blockchain according to the resource authorization request.
[0067] It should be noted that the second resource domain can be the resource domain where the resource to be accessed across domains resides. The target node can be an authorized node within the second resource domain. When the cross-domain resource access device receives a resource authorization request, it publishes the request to the consortium blockchain. At this point, when the target node in the second resource domain detects the existence of a resource authorization request in the consortium blockchain, it reads the data in the request, locates the target resource for the user node's cross-domain access based on that data, grants authorization, and publishes the corresponding resource authorization response to the consortium blockchain upon completion of the authorization.
[0068] Furthermore, to ensure the security of cross-domain resource access, step S40 in this embodiment may include:
[0069] The resource authorization request is published to the consortium blockchain, enabling the target node in the second resource domain to extract node identification data, first encrypted data, and second encrypted data from the resource authorization request. The first encrypted data is decrypted using a pre-shared communication key and the node identification data to obtain a random session key. The second encrypted data is then decrypted using the random session key to obtain a target resource identifier. The corresponding resource access key is located using the target resource identifier. A resource authorization response is generated using the random session key and the resource access key, and the resource authorization response is published to the consortium blockchain.
[0070] It should be noted that the node identifier data can be the node identifier of the global authentication node. Obtaining the random session key by decrypting the first encrypted data based on the pre-shared communication key and the node identifier data can be achieved by calculating the single-use communication key from the pre-shared communication key and the node identifier data with the preset key generation algorithm, decrypting the first encrypted data with this single-use communication key, and extracting the random session key from the decrypted data. The target resource identifier can be the resource identifier of the resource to be accessed across domains.
[0071] Understandably, the second encrypted data is generated by symmetric encryption under the random session key. Therefore, if decrypting the second encrypted data with the random session key succeeds, this indicates that the random session key was generated by the global authentication node, that the resource authorization request has been authenticated by the global authentication node, and that resource access can be authorized. This inference only holds if the symmetric encryption provides integrity (an authenticated encryption mode, or a message authentication code over the ciphertext): with a plain block-cipher mode, decryption under the wrong key does not fail but yields meaningless bytes, so the target node would additionally have to validate the decrypted content. The target resource identifier is then read from the decrypted second encrypted data, the corresponding resource is found in the second resource domain based on the target resource identifier, the resource access key of that resource is obtained, and a resource authorization response is generated from the random session key and the resource access key. Finally, the resource authorization response is published to the consortium blockchain.
[0072] In practical applications, generating a resource authorization response based on a random session key and a resource access key can be achieved by symmetrically encrypting the resource access key with the random session key to generate an encrypted resource access key, and then generating the resource authorization response based on the encrypted resource access key. To facilitate node identification of the resource authorization response, the node identifier of the resource domain trust endorsement node in the first resource domain, the user node identifier, the resource identifier of the resource to be accessed across domains, and the node identifier of the resource domain authorization node in the second resource domain can also be added to the resource authorization response.
[0073] Step S50: Read the resource authorization response from the consortium blockchain and send the resource authorization response to the user node so that the user node can access cross-domain resources based on the resource authorization response.
[0074] It should be noted that after the cross-domain resource access device publishes a resource authorization request to the consortium blockchain, it will monitor in real time whether there is a resource authorization response corresponding to the resource authorization request on the consortium blockchain. If there is, it will read the resource authorization response from the consortium blockchain and then send the resource authorization response to the user node. At this time, the user node will read the resource access key required for cross-domain resource access from the resource authorization response, and then it can perform cross-domain resource access based on the resource access key.
[0075] Furthermore, in order to enable authorized user nodes to quickly access cross-domain resources, this embodiment sends the resource authorization response to the user node, so that the user node can access cross-domain resources based on the resource authorization response. This step may include:
[0076] The resource authorization response is sent to the user node, so that the user node can decrypt the resource authorization response according to the cached random session key to obtain the resource access key, and perform cross-domain resource access according to the resource access key.
[0077] It should be noted that when a user node generates a resource authorization request, it caches the random session key read from the trusted authentication response. When the user node receives the resource authorization response, it can read the encrypted resource access key from the resource authorization response, and then decrypt the encrypted resource access key using the cached random session key to obtain the resource access key for the resource to be accessed across domains. Then, the user node can directly access the resource to be accessed across domains using the resource access key without having to authorize it again.
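The key flow of steps S20 to S50 ([0058]-[0059], [0065] and [0069]-[0077]), as an added example written for this page rather than taken from the patent. It is Go code with AES-256-GCM as the symmetric cipher and HMAC-SHA256 as the key derivation, substituted for the SM4-based encryption and derivation the patent names; the pre-shared key, node identifiers and resource access key are constructed values. The certificate-encrypted copy of the session key for the user node is not modelled: the user node is assumed to already hold the session key it recovered with its encryption private key. The check that the resource identifier in the second encrypted data equals the one the global authentication node sealed is an addition of the example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/json"
	"errors"
	"fmt"
)

// seal and open are AES-256-GCM with a random nonce prepended to the ciphertext,
// standing in for the SM4-based symmetric encryption of the patent. GCM's tag is
// what makes "decryption succeeded" a real check ([0071]).
func seal(key, pt []byte) []byte {
	blk, _ := aes.NewCipher(key)
	g, _ := cipher.NewGCM(blk)
	nonce := make([]byte, g.NonceSize())
	rand.Read(nonce)
	return g.Seal(nonce, nonce, pt, nil)
}
func open(key, ct []byte) ([]byte, error) {
	blk, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	g, _ := cipher.NewGCM(blk)
	if len(ct) < g.NonceSize() {
		return nil, errors.New("ciphertext too short")
	}
	return g.Open(nil, ct[:g.NonceSize()], ct[g.NonceSize():], nil)
}

// singleUseKey is the single-use communication key of [0058], derived from the
// pre-shared key and the global authentication node identifier (HMAC replaces SM4).
func singleUseKey(preShared []byte, ganID string) []byte {
	m := hmac.New(sha256.New, preShared)
	m.Write([]byte(ganID))
	return m.Sum(nil)
}

// Payload is the "data to be encrypted" of [0059].
type Payload struct {
	ResourceID string
	Timestamp  int64
	UserID     string
	SessionKey []byte
}

// globalAuthSingleUseCT is the global authentication node's part of [0059]: a fresh
// random session key sealed for the authorization nodes under the single-use key.
func globalAuthSingleUseCT(preShared []byte, ganID, resID, userID string) (sessionKey, ct []byte) {
	sessionKey = make([]byte, 32)
	rand.Read(sessionKey)
	pt, _ := json.Marshal(Payload{resID, 1700000000, userID, sessionKey})
	return sessionKey, seal(singleUseKey(preShared, ganID), pt)
}

// authorize is the target node's work in [0069]-[0072]. Requiring the resource
// identifier in the second encrypted data to equal the sealed one is an added check.
func authorize(preShared []byte, resourceKeys map[string][]byte, ganID string, first, second []byte) ([]byte, error) {
	pt, err := open(singleUseKey(preShared, ganID), first)
	if err != nil {
		return nil, fmt.Errorf("first encrypted data: %w", err)
	}
	var p Payload
	json.Unmarshal(pt, &p)
	resID, err := open(p.SessionKey, second) // fails for anyone without the session key
	if err != nil {
		return nil, fmt.Errorf("second encrypted data: %w", err)
	}
	if string(resID) != p.ResourceID {
		return nil, errors.New("resource identifier differs from the authenticated one")
	}
	rk, ok := resourceKeys[p.ResourceID]
	if !ok {
		return nil, errors.New("unknown resource")
	}
	return seal(p.SessionKey, rk), nil // encrypted resource access key of [0072]
}

// RunFlow walks steps S20-S50 for one user node, then replays the first encrypted
// data with a second encrypted data sealed under a guessed key.
func RunFlow() (resourceKey []byte, honestErr, forgeErr error) {
	ps := sha256.Sum256([]byte("constructed pre-shared key for this example"))
	resourceKeys := map[string][]byte{"res-B-42": []byte("access-key-for-res-B-42")}
	sessionKey, first := globalAuthSingleUseCT(ps[:], "gan-1", "res-B-42", "alice@domainA")
	// User node ([0065]): it already recovered sessionKey with its encryption private key.
	resp, honestErr := authorize(ps[:], resourceKeys, "gan-1", first, seal(sessionKey, []byte("res-B-42")))
	if honestErr == nil {
		resourceKey, honestErr = open(sessionKey, resp) // user node, [0077]
	}
	// Attacker: replays first but, lacking sessionKey, seals second under a guess.
	_, forgeErr = authorize(ps[:], resourceKeys, "gan-1", first, seal(make([]byte, 32), []byte("res-B-42")))
	return resourceKey, honestErr, forgeErr
}
func main() {
	rk, herr, ferr := RunFlow()
	fmt.Printf("resource access key %q (%v); forged request: %v\n", rk, herr, ferr)
}
```

The forged request in RunFlow replays a genuine first encrypted data but seals the second under a guessed key; it fails at the GCM tag check, which is the property [0071] relies on. With an unauthenticated mode (SM4 in CBC or CTR without a MAC, for instance) decryption would not fail but yield meaningless bytes, and the authorization node would need a separate integrity check before treating successful decryption as proof of authentication.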
[0078] Furthermore, for ease of understanding, the cross-domain resource access method of the present invention is described with reference to Figure 3, without limiting the scope of this solution. Figure 3 is a schematic diagram of the system architecture involved in the cross-domain resource access method of the present invention. As shown in Figure 3, the consortium blockchain comprises multiple resource domains (only resource domains A and B are illustrated in the diagram). Users within a resource domain may request resources from other domains. The entire resource request process is divided into two parts: authentication and authorization. The authentication process is completed by the consortium blockchain's "global authentication node," while the authorization process is completed by the domain to which the requested resource belongs. The consortium blockchain and each resource domain share the same cryptographic system. Each resource domain deploys at least one "resource domain trust endorsement node" and one "resource domain authorization node" on the consortium blockchain; each resource domain also deploys one "secondary CA." The entire consortium blockchain deploys at least two "global authentication nodes," one "primary CA," and one "symmetric key management system." The digital certificate authentication system is divided into two levels: the primary CA is called the root CA, and the secondary CA is called the business CA. The root CA belongs to the consortium blockchain and is the source of the platform's trust system; its main function is to issue certificates to the business CAs. The business CA is owned by each resource domain. Its functions are: to generate and issue signing certificates and private keys for users within its resource domain, and to generate and issue encryption certificates and private keys for users within its resource domain.
The symmetric key management system distributes pre-shared communication keys to the global authentication node and resource domain authorization node of the consortium blockchain to facilitate the generation of single-use communication keys and achieve secure communication between them.
[0079] This embodiment, upon receiving a cross-domain authentication request from a user node in the first resource domain, constructs an endorsement authentication request based on the cross-domain authentication request; publishes the endorsement authentication request to the consortium blockchain, enabling global authentication nodes in the consortium blockchain to perform trusted authentication based on the endorsement authentication request and publish a trusted authentication response upon successful authentication; reads the trusted authentication response from the consortium blockchain and forwards it to the user node, enabling the user node to respond with a resource authorization request; publishes the resource authorization request to the consortium blockchain, enabling target nodes in the second resource domain to publish a resource authorization response to the consortium blockchain based on the resource authorization request; reads the resource authorization response from the consortium blockchain and sends it to the user node, enabling the user node to access cross-domain resources based on the resource authorization response. By separating the authentication and authorization processes during cross-domain access, consortium blockchain authentication and resource domain authorization are decoupled, clearly defining the responsibilities of each node, thereby ensuring cross-domain resource access while reducing the risk of data misuse.
[0080] Refer to Figure 4, which is a flowchart illustrating a second embodiment of a cross-domain resource access method according to the present invention.
[0081] Based on the first embodiment described above, the cross-domain resource access method of this embodiment includes the following in step S10:
[0082] Step S101: Upon receiving a cross-domain authentication request sent by a user node in the first resource domain, extract the cross-domain request parameters and user signature data from the cross-domain authentication request.
[0083] It should be noted that if a cross-domain resource access request is received from a user node in the first resource domain, it indicates that the user node needs to perform cross-domain access. In this case, the cross-domain request parameters and user signature data can be read from the cross-domain authentication request. The cross-domain request parameters may include: the resource identifier of the resource to be accessed across domains, a timestamp, the user node's user identifier, the user signature certificate, the user encryption certificate, and the node identifier of the trusted endorsing node in the first resource domain. The user signature data can be obtained by the user node signing the cross-domain request parameters using a preset signature algorithm based on its signature private key. The preset signature algorithm can be the SM2 national cryptographic algorithm, and the signature private key can be issued by the digital certificate authentication system (CA) in the first resource domain.
[0084] Step S102: Encrypt the cross-domain request parameters according to the preset endorsement private key to generate an endorsement signature.
[0085] It should be noted that the preset endorsement private key can be issued by the Certificate Authority (CA) in the first resource domain. The preset endorsement private key has a certain mathematical relationship with the user node's signing private key and is used to generate a joint signature. Encrypting the cross-domain request parameters using the preset endorsement private key to generate the endorsement signature can be achieved by encrypting the cross-domain request parameters with a preset encryption algorithm based on the preset endorsement private key, and then using the encrypted data as the endorsement signature. The preset encryption algorithm can be the SM2 national cryptographic algorithm.
[0086] Furthermore, to verify the authenticity of user node identities and ensure data security, this embodiment may include the following steps before step S102:
[0087] Extract the user node identifier and user signature certificate from the cross-domain request parameters;
[0088] Find the corresponding cache signature certificate based on the user node identifier;
[0089] If the user signature certificate is consistent with the cached signature certificate, the step of encrypting the cross-domain request parameters according to the preset endorsement private key to generate an endorsement signature is performed.
[0090] It should be noted that the user node identifier can be the user identifier of the user node. The cross-domain resource access device can store an identifier certificate mapping table, which contains the mapping relationship between each user node identifier and a user signing certificate in the resource domain in which the cross-domain resource access device resides. Finding the corresponding cached signing certificate based on the user node identifier can be done by searching the identifier certificate mapping table based on the user node identifier, and then using the found user signing certificate as the cached signing certificate.
[0091] It will be understood that if the user signature certificate matches the cached signature certificate, the user node initiating the cross-domain authentication request is authentic and not forged, so the subsequent steps may proceed. If the user signature certificate does not match the cached signature certificate, the user node initiating the cross-domain authentication request is forged, and the cross-domain authentication request can therefore be discarded. If necessary, a corresponding alarm log can be generated and sent to the consortium blockchain administrators for display.
[0092] Step S103: Generate a joint signature based on the endorsement signature and the user signature data, and construct an endorsement authentication request based on the joint signature and the cross-domain request parameters.
[0093] It should be noted that there is a mathematical relationship between the preset endorsement private key and the signature private key in the user node. Therefore, the endorsement signature generated based on the preset endorsement private key can be combined with the user signature data to generate a joint signature.
[0094] In practical use, constructing an endorsement authentication request based on the joint signature and cross-domain request parameters can be achieved by formatting the cross-domain request parameters and joint signature according to the format corresponding to the endorsement authentication request, thereby generating the endorsement authentication request.
[0095] This embodiment extracts cross-domain request parameters and user signature data from a cross-domain authentication request received from a user node in the first resource domain; encrypts the cross-domain request parameters using a preset endorsement private key to generate an endorsement signature; generates a joint signature based on the endorsement signature and the user signature data; and constructs an endorsement authentication request based on the joint signature and the cross-domain request parameters. Since the joint signature is generated based on the user signature data and the endorsement signature when constructing the endorsement authentication request, two-level authentication of the user is achieved, further improving the security of the cross-domain resource access method of this invention.
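The following is an added example and not code from the patent. It models the trust endorsement node's certificate consistency check from [0087]-[0091] and the symmetric half of the authorization exchange from [0077] and claims 3 to 6 (the global authentication node wrapping the random session key under a single-use communication key, the user node relaying it, and the target node answering with the encrypted resource access key). Assumptions: the patent names no concrete cipher or key derivation, so an HMAC-SHA256 keystream with an authentication tag stands in for the shared cryptographic system, the single-use key is derived from the pre-shared key and the node identification data, and the SM2 wrapping of the session key to the user's encryption certificate is left out (the session key is handed to the user node directly); all keys, identifiers and certificates are constructed sample values.

```python
# Added example: models the certificate consistency check and the symmetric part of
# the authorization exchange. The cipher and key derivation are assumptions (stand-ins
# for the unspecified shared cryptographic system); all sample values are constructed.
import hashlib
import hmac
import secrets
from typing import Optional


def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    out, counter = b"", 0
    while len(out) < n:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:n]


def seal(key: bytes, plaintext: bytes) -> bytes:
    """Stand-in authenticated encryption: nonce || ciphertext || tag (assumption)."""
    nonce = secrets.token_bytes(16)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()


def open_(key: bytes, blob: bytes) -> Optional[bytes]:
    """Returns None on a wrong key or a bad tag; callers must reject None."""
    if len(blob) < 48:
        return None
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        return None
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))


def single_use_key(pre_shared_key: bytes, node_identification_data: str) -> bytes:
    """Single-use communication key derived from the pre-shared key (assumption)."""
    return hmac.new(pre_shared_key, node_identification_data.encode(), hashlib.sha256).digest()


def check_user_certificate(mapping_table: dict, params: dict, alarm_log: list) -> bool:
    """[0087]-[0091]: proceed only when the presented user signature certificate equals
    the cached one for this user identifier; otherwise discard and write an alarm log."""
    cached = mapping_table.get(params["user_id"])
    if cached is not None and hmac.compare_digest(cached, params["user_signature_cert"]):
        return True
    alarm_log.append(f"discarded request from {params['user_id']}: signature certificate mismatch")
    return False


def global_auth_node_issue(pre_shared_key: bytes, node_id: str):
    """Claim 3: after successful authentication the global authentication node creates a
    random session key and wraps it under a fresh single-use communication key. The node
    identification data is what lets the target node re-derive that key."""
    node_identification_data = f"{node_id}:{secrets.token_hex(8)}"
    session_key = secrets.token_bytes(32)
    first = seal(single_use_key(pre_shared_key, node_identification_data), session_key)
    return session_key, node_identification_data, first


def user_build_authorization_request(session_key, node_identification_data, first, resource_id):
    """Claim 4: the user node encrypts the target resource identifier under the session key."""
    return {"node_identification_data": node_identification_data,
            "first_encrypted_data": first,
            "second_encrypted_data": seal(session_key, resource_id.encode())}


def target_node_authorize(request: dict, pre_shared_key: bytes, resource_keys: dict) -> Optional[bytes]:
    """Claim 5: recover the session key, then the resource identifier, look up the resource
    access key and return it encrypted under the session key. Any failure yields None."""
    key = single_use_key(pre_shared_key, request["node_identification_data"])
    session_key = open_(key, request["first_encrypted_data"])
    if session_key is None:
        return None
    resource_id = open_(session_key, request["second_encrypted_data"])
    rid = None if resource_id is None else resource_id.decode(errors="replace")
    if rid is None or rid not in resource_keys:
        return None
    return seal(session_key, resource_keys[rid])


def user_open_authorization_response(session_key: bytes, response: bytes) -> Optional[bytes]:
    """Claim 6 / [0077]: decrypt with the cached session key to get the resource access key."""
    return open_(session_key, response)


def run_flow(resource_id: str = "domainB/report-2022", tamper: bool = False) -> Optional[bytes]:
    """End-to-end run with constructed sample values; tamper=True alters the relayed node
    identification data so the target node derives the wrong key and refuses."""
    pre_shared_key = secrets.token_bytes(32)  # from the symmetric key management system
    resource_keys = {"domainB/report-2022": b"constructed-resource-access-key"}
    session_key, nid, first = global_auth_node_issue(pre_shared_key, "global-auth-node-1")
    req = user_build_authorization_request(session_key, nid, first, resource_id)
    if tamper:
        req["node_identification_data"] = "global-auth-node-1:0000000000000000"
    resp = target_node_authorize(req, pre_shared_key, resource_keys)
    return None if resp is None else user_open_authorization_response(session_key, resp)
```

Because the target node never sees the session key in the clear until it re-derives the single-use key, a request whose node identification data or wrapped session key was altered in transit fails the tag check and no resource access key is released.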
[0096] Furthermore, this embodiment of the invention also proposes a storage medium storing a cross-domain resource access program, which, when executed by a processor, implements the steps of the cross-domain resource access method described above.
[0097] Refer to Figure 5, which is a structural block diagram of the first embodiment of the cross-domain resource access device of the present invention.
[0098] As shown in Figure 5, the cross-domain resource access device proposed in this embodiment of the invention includes:
[0099] The data receiving module 10 is used to construct an endorsement authentication request based on the cross-domain authentication request when it receives a cross-domain authentication request sent by a user node in the first resource domain.
[0100] The request publishing module 20 is used to publish the endorsement authentication request to the consortium blockchain, so that the global authentication node in the consortium blockchain can perform trusted authentication based on the endorsement authentication request and publish a trusted authentication response when the authentication is successful.
[0101] The data reading module 30 is used to read the trusted authentication response from the consortium blockchain and forward the trusted authentication response to the user node so that the user node can respond with a resource authorization request;
[0102] The authorization request module 40 is used to publish the resource authorization request to the consortium blockchain, so that the target node in the second resource domain publishes a resource authorization response to the consortium blockchain according to the resource authorization request;
[0103] The authorization response module 50 is used to read the resource authorization response from the consortium blockchain and send the resource authorization response to the user node, so that the user node can access cross-domain resources based on the resource authorization response.
[0104] This embodiment, upon receiving a cross-domain authentication request from a user node in the first resource domain, constructs an endorsement authentication request based on the cross-domain authentication request; publishes the endorsement authentication request to the consortium blockchain, enabling global authentication nodes in the consortium blockchain to perform trusted authentication based on the endorsement authentication request and publish a trusted authentication response upon successful authentication; reads the trusted authentication response from the consortium blockchain and forwards it to the user node, enabling the user node to respond with a resource authorization request; publishes the resource authorization request to the consortium blockchain, enabling target nodes in the second resource domain to publish a resource authorization response to the consortium blockchain based on the resource authorization request; reads the resource authorization response from the consortium blockchain and sends it to the user node, enabling the user node to access cross-domain resources based on the resource authorization response. By separating the authentication and authorization processes during cross-domain access, consortium blockchain authentication and resource domain authorization are decoupled, clearly defining the responsibilities of each node, thereby ensuring cross-domain resource access while reducing the risk of data misuse.
[0105] Furthermore, the data receiving module 10 is also used to extract cross-domain request parameters and user signature data from the cross-domain authentication request; encrypt the cross-domain request parameters according to a preset endorsement private key to generate an endorsement signature; generate a joint signature according to the endorsement signature and the user signature data, and construct an endorsement authentication request according to the joint signature and the cross-domain request parameters.
[0106] Furthermore, the data receiving module 10 is also used to extract the user node identifier and user signature certificate from the cross-domain request parameters; find the corresponding cached signature certificate according to the user node identifier; if the user signature certificate is consistent with the cached signature certificate, then perform the step of encrypting the cross-domain request parameters according to the preset endorsement private key to generate an endorsement signature.
[0107] Furthermore, the request publishing module 20 is also used to publish the endorsement authentication request to the consortium blockchain, so that the global authentication node in the consortium blockchain can extract the endorsement request parameters and the joint signature from the endorsement authentication request, perform trusted authentication on the joint signature according to the endorsement request parameters, generate a single communication key when the authentication is successful, extract the user encryption certificate from the endorsement authentication request, and generate and publish a trusted authentication response according to the single communication key, the user encryption certificate and the endorsement request parameters.
[0108] Furthermore, the data reading module 30 is also used to forward the trusted authentication response to the user node, so that the user node can decrypt the trusted authentication response using the user's encryption private key to obtain a random session key, generate a resource authorization request based on the random session key, and feed back the resource authorization request.
[0109] Furthermore, the authorization request module 40 is also used to publish the resource authorization request to the consortium blockchain, so that the target node in the second resource domain can extract node identification data, first encrypted data and second encrypted data from the resource authorization request, and decrypt the first encrypted data according to the pre-shared communication key and the node identification data to obtain a random session key, decrypt the second encrypted data according to the random session key to obtain a target resource identifier, find the corresponding resource access key according to the target resource identifier, generate a resource authorization response according to the random session key and the resource access key, and publish the resource authorization response to the consortium blockchain.
[0110] Furthermore, the authorization response module 50 is also used to send the resource authorization response to the user node, so that the user node can decrypt the resource authorization response according to the cached random session key to obtain the resource access key, and perform cross-domain resource access according to the resource access key.
[0111] It should be understood that the above are merely illustrative examples and do not constitute any limitation on the technical solution of the present invention. In specific applications, those skilled in the art can make settings as needed, and the present invention does not impose any restrictions on this.
[0112] It should be noted that the workflow described above is merely illustrative and does not limit the scope of protection of this invention. In practical applications, those skilled in the art can select some or all of the workflow to achieve the purpose of this embodiment according to actual needs, and no restrictions are imposed here.
[0113] In addition, for technical details not described in detail in this embodiment, please refer to the cross-domain resource access method provided in any embodiment of the present invention, which will not be repeated here.
[0114] Furthermore, it should be noted that, in this document, the terms "comprising," "including," or any other variations thereof are intended to cover non-exclusive inclusion, such that a process, method, article, or system that comprises a list of elements includes not only those elements but also other elements not expressly listed, or elements inherent to such a process, method, article, or system. Unless otherwise specified, an element defined by the phrase "comprising one..." does not exclude the presence of other identical elements in the process, method, article, or system that includes that element.
[0115] The sequence numbers of the above embodiments of the present invention are for descriptive purposes only and do not represent the superiority or inferiority of the embodiments.
[0116] Through the above description of the embodiments, those skilled in the art can clearly understand that the methods of the above embodiments can be implemented by means of software plus necessary general-purpose hardware platforms. Of course, they can also be implemented by hardware, but in many cases the former is a better implementation method. Based on this understanding, the technical solution of the present invention, or the part that contributes to the prior art, can be embodied in the form of a software product. This computer software product is stored in a storage medium (such as read-only memory (ROM) / RAM, magnetic disk, optical disk) and includes several instructions to cause a terminal device (which may be a mobile phone, computer, server, or network device, etc.) to execute the methods described in the various embodiments of the present invention.
[0117] The above are merely preferred embodiments of the present invention and do not limit the scope of the patent. Any equivalent structural or procedural transformations made based on the description and drawings of the present invention, or direct or indirect applications in other related technical fields, are similarly included within the scope of patent protection of the present invention.
Claims
1. A method for cross-domain resource access, characterized in that the cross-domain resource access method includes the following steps: upon receiving a cross-domain authentication request sent by a user node in the first resource domain, an endorsement authentication request is constructed based on the cross-domain authentication request; the endorsement authentication request is published to the consortium blockchain so that the global authentication node in the consortium blockchain can perform trusted authentication based on the endorsement authentication request and publish a trusted authentication response when the authentication is successful; the trusted authentication response is read from the consortium blockchain and forwarded to the user node so that the user node can respond with a resource authorization request; the resource authorization request is published to the consortium blockchain, so that the target node in the second resource domain publishes a resource authorization response to the consortium blockchain according to the resource authorization request; the resource authorization response is read from the consortium blockchain and sent to the user node so that the user node can access cross-domain resources based on the resource authorization response; the step of constructing an endorsement authentication request based on the cross-domain authentication request includes: extracting cross-domain request parameters and user signature data from the cross-domain authentication request, wherein the user signature data is obtained by the user node signing the cross-domain request parameters using a signature private key; encrypting the cross-domain request parameters using a preset endorsement private key to generate an endorsement signature, wherein both the preset endorsement private key and the signature private key are issued by the digital certificate authentication system in the first resource domain, and there is a mathematical relationship between the preset endorsement private key and the signature private key, which is used to generate a joint signature; generating a joint signature based on the endorsement signature and the user signature data, and constructing an endorsement authentication request based on the joint signature and the cross-domain request parameters; and the step of publishing the endorsement authentication request to the consortium blockchain, so that the global authentication nodes in the consortium blockchain can perform trusted authentication based on the endorsement authentication request and publish a trusted authentication response when the authentication is successful, includes: publishing the endorsement authentication request to the consortium blockchain, so that the global authentication node in the consortium blockchain can extract the endorsement request parameters and the joint signature from the endorsement authentication request, extract the user signature certificate from the endorsement request parameters, use the public key in the user signature certificate to perform trusted authentication on the joint signature, and publish a trusted authentication response when the authentication is successful.
2. The cross-domain resource access method as described in claim 1, characterized in that, before the step of encrypting the cross-domain request parameters according to the preset endorsement private key to generate an endorsement signature, the method further includes: extracting the user node identifier and user signature certificate from the cross-domain request parameters; finding the corresponding cached signature certificate based on the user node identifier; and, if the user signature certificate is consistent with the cached signature certificate, performing the step of encrypting the cross-domain request parameters according to the preset endorsement private key to generate an endorsement signature.
3. The cross-domain resource access method as described in claim 1, characterized in that the step of publishing the endorsement authentication request to the consortium blockchain, so that the global authentication nodes in the consortium blockchain can perform trusted authentication based on the endorsement authentication request and publish a trusted authentication response when the authentication is successful, includes: publishing the endorsement authentication request to the consortium blockchain, so that the global authentication node in the consortium blockchain can extract the endorsement request parameters and the joint signature from the endorsement authentication request, perform trusted authentication on the joint signature according to the endorsement request parameters, generate a single communication key when the authentication is successful, extract the user encryption certificate from the endorsement authentication request, and generate and publish a trusted authentication response according to the single communication key, the user encryption certificate and the endorsement request parameters.
4. The cross-domain resource access method as described in claim 1, characterized in that the step of forwarding the trusted authentication response to the user node so that the user node responds with a resource authorization request includes: forwarding the trusted authentication response to the user node, so that the user node can decrypt the trusted authentication response using the user's encryption private key to obtain a random session key, generate a resource authorization request based on the random session key, and then send the resource authorization request back.
5. The cross-domain resource access method as described in claim 1, characterized in that the step of publishing the resource authorization request to the consortium blockchain, so that the target node in the second resource domain publishes a resource authorization response to the consortium blockchain according to the resource authorization request, includes: publishing the resource authorization request to the consortium blockchain, enabling the target node in the second resource domain to extract node identification data, first encrypted data, and second encrypted data from the resource authorization request; decrypting the first encrypted data using a pre-shared communication key and the node identification data to obtain a random session key; decrypting the second encrypted data using the random session key to obtain a target resource identifier; locating the corresponding resource access key using the target resource identifier; and generating a resource authorization response using the random session key and the resource access key, and publishing the resource authorization response to the consortium blockchain.
6. The cross-domain resource access method as described in claim 1, characterized in that the step of sending the resource authorization response to the user node, so that the user node can access cross-domain resources based on the resource authorization response, includes: sending the resource authorization response to the user node, so that the user node can decrypt the resource authorization response according to the cached random session key to obtain the resource access key, and perform cross-domain resource access according to the resource access key.
7. A cross-domain resource access device, characterized in that the cross-domain resource access device includes the following modules: a data receiving module, used to construct an endorsement authentication request based on the cross-domain authentication request when it receives a cross-domain authentication request sent by a user node in the first resource domain; a request publishing module, used to publish the endorsement authentication request to the consortium blockchain, so that the global authentication nodes in the consortium blockchain can perform trusted authentication based on the endorsement authentication request and publish a trusted authentication response when the authentication is successful; a data reading module, used to read the trusted authentication response from the consortium blockchain and forward the trusted authentication response to the user node, so that the user node can respond with a resource authorization request; an authorization request module, used to publish the resource authorization request to the consortium blockchain, so that the target node in the second resource domain publishes a resource authorization response to the consortium blockchain according to the resource authorization request; and an authorization response module, used to read the resource authorization response from the consortium blockchain and send the resource authorization response to the user node, so that the user node can access cross-domain resources based on the resource authorization response; wherein the data receiving module is also used to extract cross-domain request parameters and user signature data from the cross-domain authentication request, the user signature data being obtained by the user node signing the cross-domain request parameters according to the signature private key; encrypt the cross-domain request parameters using a preset endorsement private key to generate an endorsement signature, wherein both the preset endorsement private key and the signature private key are issued by the digital certificate authentication system in the first resource domain, and there is a mathematical relationship between the preset endorsement private key and the signature private key, which is used to generate a joint signature; and generate a joint signature based on the endorsement signature and the user signature data, and construct an endorsement authentication request based on the joint signature and the cross-domain request parameters; and wherein the request publishing module is further configured to publish the endorsement authentication request to the consortium blockchain, so that the global authentication node in the consortium blockchain can extract the endorsement request parameters and the joint signature from the endorsement authentication request, extract the user signature certificate from the endorsement request parameters, use the public key in the user signature certificate to perform trusted authentication on the joint signature, and publish a trusted authentication response when the authentication is successful.
8. A cross-domain resource access device, characterized in that the cross-domain resource access device includes a processor, a memory, and a cross-domain resource access program stored in the memory and executable on the processor, wherein, when the cross-domain resource access program is executed by the processor, it implements the steps of the cross-domain resource access method as described in any one of claims 1-6.
9. A computer-readable storage medium, characterized in that the computer-readable storage medium stores a cross-domain resource access program which, when executed, implements the steps of the cross-domain resource access method as described in any one of claims 1-6.