
Certificate Management And Cross-Domain Authentication Scheme Based On Blockchain

Posted on: 2020-12-23
Degree: Master
Type: Thesis
Country: China
Candidate: X T Ma
Full Text: PDF
GTID: 2428330602950436
Subject: Communication and Information System

Abstract/Summary:
With the development of networks, resource-constrained mobile terminals interact more and more frequently with Information Service Entities (ISEs) in a multi-trust-domain structure. At present, the industry in China provides only simple identity management and authentication for ISEs, which makes it difficult to meet the national regulatory requirements for ISE service quality. Two public-key-based authentication frameworks are widely used in information service trust domains: certificate-based Public Key Infrastructure (PKI) and the Identity-Based Cryptosystem (IBC). Both frameworks are maturing, but problems remain: the use of certificates in the PKI domain is relatively complex, the key escrow problem in the IBC domain is prominent, and existing schemes cannot meet the cross-domain authentication requirements of ISEs between PKI and IBC domains. The application of blockchain technology to identity authentication has received more and more attention. Its core advantages are decentralization, data security, transparency, tamper resistance and unforgeability, and these properties are well suited to solving the problems above. Therefore, the following work has been done in this thesis.

Firstly, the blockchain structure and the different trust domain models of PKI are compared and analyzed comprehensively. Because a consortium blockchain keeps its nodes controllable while retaining the other characteristics of a blockchain, the ISE-BCBM model, suitable for the information service PKI trust domain, is designed on the basis of the consortium blockchain, together with the basic framework of the model. On the ISE-BCBM model, in order to optimize the structure and management mechanism of the X.509 certificate, a blockchain certificate structure and storage interface suitable for the ISE-BCBM model are designed. The whole life cycle management mechanism of the certificate is studied, and the application of blockchain certificates in the local authentication and cross-domain authentication scenarios is described. Analysis and comparison show that blockchain certificates have advantages in simplifying the use of certificates.

Secondly, the key escrow problem in the IBC domain is optimized based on the decentralized trust that blockchain provides. Referring to the idea of multi-PKG, the key generation algorithm of the domestic SM9 algorithm is improved. A blockchain domain proxy server, BCDA, is added to the IBC domain so that BCDA cooperates with the PKG to complete key generation. BCDA nodes use the nature of the blockchain to maintain trust, which saves additional maintenance costs. Some of the public and private keys generated by BCDA have all the functions of public and private keys and can participate in the cross-domain authentication of subsequent chapters.

Finally, BCDA is set as a node that joins the ISE-BCBM model. Combining the blockchain certificate mechanism with the improved SM9 key generation algorithm, the process for generating the temporary identity of foreign entities is designed, and temporary identity issuance is completed through two-way authentication between ISE-BCBM nodes. Inter-domain authentication protocols (1) and (2) for ISEs between PKI and IBC are designed based on the temporary identity. After authentication is completed, the authentication information is stored on the blockchain. Based on the query process for this authentication information, a fast re-authentication protocol is designed. The scheme is proved with SOV logic and analyzed in terms of security properties, communication and computation. The communication burden and storage burden of the ISE-BCBM model are quantitatively analyzed. The results show that, under the scenario characteristics of the information service trust domain, the scheme has good practicability compared with existing schemes.
Keywords/Search Tags:Blockchain certificate, Key escrow, SM9, Cross-domain authentication protocol, Information service entity