• 专利附录
  • 专利说明
  • 权利要求
  • 类似技术
  • 同族专利
  • 引用文献
  • 法律状态
  • 优先权
    • 专利摘要:
    An apparatus and method are provided for generating a root certificate (150) using a block chain (130) as a certification authority, and generating, revoking, and verifying a certificate based on the block chain. A method for generating a certificate based on a blockchain includes verifying a root certificate of a block (140) included in the blockchain when it is determined that a certificate issuance request transaction is included in the block, and generating a certificate based on information contained in the root certificate and information included in the certificate issuance request transaction.
    公开号:CH713421A2
    申请号:CH00110/18
    申请日:2018-01-31
    公开日:2018-08-15
    发明作者:June Eee Kyoung;Hyup Kim Jong;Koo Shin Hyun
    申请人:Dayli Intelligence Inc;Theloop Inc;
    IPC主号:
    专利说明:

    description
    BACKGROUND
    Field of the Invention The following exemplary embodiments relate to an apparatus and method for generating, revoking, and verifying a certificate using a block chain as a certification authority.
    Background Art A certificate provides evidence to perform functions, such as identification of a certificate holder, forgery protection for a document, or the like. A process of generating, revoking, and verifying the certificate necessarily requires a certification authority.
    Companies and organizations that provide certification services can issue, revoke and verify certificates at the request of customers through a certification authority so that customers can use certificates.
    Such certificate management procedures are unified in a single independent certification authority, and security policies to the certification authority, such as key management for certificate issuance, are concentrated. An accredited certification body has sufficient security strategies; however, a private CA requires a lot of cost for sufficient security policies. Therefore, there is a need for an efficient and reliable security policy for certification authorities.
    A blockchain is also referred to as a public transaction book and is a technology for preventing hacking that can occur when dealing with virtual currency transactions. Existing financial firms record transactions on a centralized server, whereas the blockchain uses a schema to send a transaction history to all users who participate in transactions, as well as to compare transaction histories for each transaction to avoid data tampering. The blockchain applies to Bitcoin, which is a typical online virtual currency. Bitcoins transparently record transaction histories in a transaction book that anyone can read, and various computers that use bitcoins verify the aforementioned record and prevent hacking.
    Instead of being used only as a technology applied to bitcoins, the blockchain can be used to record a variety of data. Accordingly, a blockchain represents a technology with a saving effect of enormous costs for the maintenance and security of a database (DB).
    The embodiments described above are for convenience only and may include information that does not form part of the prior art, including such information that may not be present to those skilled in the art.
    SUMMARY
    Exemplary embodiments relate to an apparatus and method for generating, revoking, and verifying certificates using a blockchain as a certification authority that has the same power and impact for all organizations participating in a blockchain network.
    Exemplary embodiments relate to a method for generating a root certificate and generating a certificate based on the root certificate and a certificate issuance request transaction when it is determined that the certificate issuance request transaction is included.
    Exemplary embodiments relate to a method for revoking a certificate by generating a transaction for revoking the certificate in response to a certificate revocation request being received and adding the transaction to a blockchain containing a block used to generate the certificate Certificate is used.
    Exemplary embodiments relate to a method for verifying a certificate by verifying a signature of the certificate in response to a request for verification of the certificate being received by comparing authentication information contained in a certificate issue request transaction is included, with authentication information included in the certificate, and by determining whether the certificate is revoked.
    According to one aspect, there is provided a method for generating a certificate based on a blockchain, the method comprising: verifying a root certificate of a block contained in a blockchain when it is determined that a certificate issuance request Transaction is contained in the block, and generating a certificate based on information contained in the root certificate and information contained in the certificate issuance request transaction.
    Generating the certificate may include verifying a subject of the root certificate and a serial number of the root certificate, verifying a public key and a subject of the certificate issuance request transaction, verifying a private key generated when the root certificate is generated, generating a serial number of the certificate by adding the serial number of the root certificate to an ordinal number of the certificate issuance request transaction in the block, setting the subject of the root certificate as an issuer of the certificate, setting the subject the certificate issuance request transaction as a subject of the certificate, setting the public key of the certificate issuance request transaction as a public key of the certificate, setting a validity period of the certificate, generating a signature of the certificate based on a sig a natural algorithm, using the private key and authentication information to be signed, containing the serial number of the certificate, the issuer of the certificate, the subject of the certificate, the period of validity of the certificate and the public key of the certificate, and generating the certificate; containing the serial number of the certificate, the issuer of the certificate, the subject of the certificate, the validity period of the certificate, the public key of the certificate, the signature and information that is suitable for identifying the signature algorithm.
    Setting the validity period of the certificate may include setting the validity period of the certificate to a predetermined period of time or a period of time included in the certificate issuance request transaction.
    The method, after verifying the root certificate, may further include verifying a block hash of the block, generating a seed using the block hash, generating a private key of the root certificate, and a public key of the root certificate using the seed, generating a serial number of the root certificate at a predetermined number or block index of the block, generating an issuer of the root certificate based on information that is capable of identifying the blockchain, or generating the issuer of the root certificate by combining the block index and the information capable of identifying the blockchain, generating a subject of the root certificate so that it is the same as the issuer of the root certificate, setting a validity period of the root certificate by adding a predetermined time to a timestamp contained in the block, Ge generating a signature of the root certificate based on a signature algorithm using the private key of the root certificate and authentication information containing the serial number of the root certificate, the issuer of the root certificate, the subject of the root certificate, the validity period of the root certificate Root certificate and the public key of the root certificate, and generate the root certificate containing the serial number of the root certificate, the issuer of the root certificate, the subject of the root certificate, the validity period of the root certificate, the public key of the root certificate, which contains the signature of the root certificate and information that is suitable for identifying the signature algorithm.
    The block hash may be a value obtained by hashing a header of the block using a hash function.
    The block hash may be information contained in the header of the block, and may be a value obtained by hashing information other than the block hash in the header using a hash function.
    According to another aspect, there is provided a method of revoking a certificate based on a blockchain, the method comprising: extracting information about a certificate when a certificate revoke event is detected, generating a transaction to revoke the certificate Certificate, based on the information about the certificate, and transmitting the transaction to a block chain network of a block chain having a block used to generate the certificate so that the transaction is stored in the block chain.
    The method may further include: generating a block containing the transaction and adding the block to the blockchain when the transaction is received over the blockchain network.
    Extracting the information about the certificate may include verifying an issuer included in the certificate and extracting information used to identify the blockchain and the block used to generate the certificate and verifying a serial number included in the certificate, verifying an ordinal number of a certificate issuance request transaction for requesting issuance of a certificate in the block, and extracting information capable of identifying the certificate issuance request transaction.
    The certificate revocation event is in response to a request from a legitimate user with authority of the certificate, or occurs when a request to revoke the certificate is detected based on approval from blockchain network subscribers.
    [0022] According to another aspect, there is provided a method for verifying a certificate based on a blockchain, the method including: determining whether a period of validity of a certificate is valid when a request for verification of the certificate is received, verifying a root certificate Certificate of the certificate, if the validity period of the certificate is determined to be valid, verifying a signature of the certificate using a public key of the root certificate, seeking a certificate issuance request transaction for
    Requesting issuance of the certificate and comparing authentication information included in the certificate issuance request transaction with authentication information included in the certificate, verifying a blockchain used to generate the certificate and determining whether a transaction for requesting revocation of the certificate is included in the blockchain, and determining that the verification of the certificate is successful if verifying the signature of the certificate is successful, if the authentication information included in the certificate Issue Request Transaction is identical to the authentication information contained in the certificate and if the certificate is not revoked.
    Searching the certificate issuance request transaction may include verifying an issuer included in the certificate and verifying information used to identify a block and the blockchain used to generate the certificate Verifying a serial number included in the certificate and verifying an ordinal number of the certificate issuance request transaction in the block, locating the block from the blockchain, verifying the certificate issuance request transaction in the block and verifying a subject and a public key that is the authentication information included in the certificate issuance request transaction, verifying a subject and a public key of the certificate that are the authentication information included in the certificate, and determining if the subject specified in the cert ifikats issuance request transaction is identical to the subject contained in the certificate and determining whether the public key contained in the certificate issuance request transaction is identical to the public key that is included in the certificate.
    Verifying the blockchain may include verifying an issuer included in the certificate and verifying information used to identify the blockchain and determining whether the transaction to request revocation of the certificate is in the blockchain is.
    According to another aspect, there is provided a certificate management apparatus including: a root certificate generator configured to generate a root certificate based on information contained in a block of a blockchain, and a certificate generator configured to generate a certificate based on information contained in the root certificate and information included in a certificate issue request transaction when it is determined the certificate issuance request transaction is contained in the block.
    The certificate management device may further include a certificate revocation facility configured to extract information about the certificate, generate a transaction for revoking the certificate, and to forward the transaction to the block chain on a block chain network so that the transaction is stored in the blockchain when a certificate revocation event is detected.
    The certificate management device may further include a certificate verifier configured to determine whether a validity period of the certificate is valid when a request for verification of the certificate is received, a signature of the certificate verify using a public key of the root certificate when the validity period of the certificate is determined to be valid, a certificate issuance request transaction to search, and authentication information specified in the certificate issuance request form. Transaction is included to compare with authentication information contained in the certificate, to determine whether a transaction for requesting a revocation of the certificate is included in the blockchain, and to determine that the verification of the certificate is successful if a verification of the signature of the certificate is successful if the e authentication information included in the certificate issuance request transaction is identical to the authentication information included in the certificate and if the certificate is not revoked.
    Other aspects of exemplary embodiments will be set forth in part in the description which follows, and in part will be apparent from the description, or may be learned by practice of the disclosure.
    BRIEF DESCRIPTION OF THE DRAWINGS
    These and / or other aspects, features, and advantages of the invention will become apparent and more readily appreciated from the following description of exemplary embodiments in conjunction with the accompanying drawings, in which:
    1 is a diagram illustrating a configuration of a root certificate and a configuration of a block used to generate the root certificate, according to an example embodiment;
    FIG. 2 is a diagram illustrating a configuration of a certificate management apparatus for generating, revoking and verifying a certificate according to an exemplary embodiment; FIG.
    3 is a flowchart illustrating a process of generating a certificate according to an example embodiment;
    4 is a flowchart illustrating in detail a process for generating a certificate according to an example embodiment;
    5 is a flowchart illustrating a process for generating a root certificate according to an example embodiment;
    FIG. 6 is a flowchart illustrating a process for revoking a certificate according to an example embodiment; FIG.
    FIG. 7 is a flowchart illustrating a process for verifying a certificate according to an example embodiment; FIG. and
    8 is a flowchart illustrating a process for verifying a certificate based on information about the certificate according to an example embodiment.
    DETAILED DESCRIPTION
    The following structural and functional descriptions of exemplary embodiments as described herein are for the purpose of describing the example embodiments only as described herein and may be implemented in various forms. It should be understood, however, that these example embodiments are not to be construed as limited to the illustrated forms.
    Various modifications may be made to the exemplary embodiments. As used herein, the examples are not to be construed as limited to the disclosure and should be understood to embrace all changes, equivalents, and substitutions within the spirit and scope of the disclosure.
    Although terms such as "first", "second" and the like are used to explain various components, these components are not limited to such terms. These terms are used only to distinguish one component from another component. For example, within the scope of the present disclosure, a first component may also be referred to a second component, or, similarly, a second component may be referred to a first component.
    When it is stated that one component is "connected" or "contiguous" with another component, it can be understood that one component is directly connected or adjacent to the other component, or that another component is between them two components is intermediate. In addition, it should be noted that when the specification describes that one component is "directly connected" or "directly linked" to another component, there may be other components in between. Similarly, expressions such as "between" and "immediately between" and "adjacent to" and "immediately adjacent to" may also be construed as previously described.
    The terminology used herein is for the purpose of describing particular embodiments only and is not intended to be limiting. As used herein, it is intended that singular forms also include plural forms, unless the context indicates otherwise. It will also be understood that the terms "comprising" and / or "having" - as used in the specification - specify the presence of said features, numbers, steps, operation, elements, components, or combinations thereof, but not the presence or addition excludes one or more other features, numbers, steps, operation, elements, component and / or groups thereof.
    Unless defined otherwise herein, all terms used herein, including technical or scientific terms, have the same meanings as those generally understood by those skilled in the art. Terms defined in commonly used dictionaries should be construed as having a meaning consistent with the contextual meaning in the art, and are not to be construed in an ideal or purely formal sense unless otherwise defined herein.
    Hereinafter, exemplary embodiments will be described with reference to the accompanying drawings. However, the scope of protection should not be construed as limited to the exemplary embodiments as discussed herein. Within the present disclosure, like reference characters refer to like elements throughout the drawings.
    Hereinafter, a device and a method for generating, revoking and verifying certificates using a block chain as a certification authority will be described in detail with reference to FIGS. 1 to 8.
    FIG. 1 is a diagram illustrating a configuration of a root certificate and a configuration of a block used to generate the root certificate according to an exemplary embodiment. FIG.
    Referring to FIG. 1, when a transaction Tx_1 112 is received by a peer 1 110 and a transaction Tx_2 122 is received from a peer 2 120, a block chain network 130 may generate a block 140 that includes the Transactions 112 and 122 includes.
    Block 140 may generally include a Header_Header header and a payload. The payload may include the received transactions 112 and 122. The header may include a block hash (Block_Hash) 141, a block index (Block_index) 142, a timestamp (Time stamp) 143 and a previous block hash (Pre_Block_Hash) 144, and a transaction hash tree (Tx_Hash_Tree) 145 and nonce 146 include.
    The block hash 141 is a value obtained by hashing information by using a hash function, except for the block hash 141, from information contained in the header. Further, the block hash 141 may be a value used as a previous block hash when a next block is generated. The block index 142 may be information suitable for identifying the block 140 in a blockchain. The timestamp 143 may be information indicating a time when the block 140 is generated. The previous block hash 144 may be information indicating a value that will hold by hashing a block preceding the block 140 in the blockchain. The transaction hash tree 145 may be information indicating a hash value on a root of the hash tree that may be obtained by forming a hash tree of all transactions contained in the block 140. The nonce may be a value that allows a given high bit (n-bit) of an output value of SHA-2 (X) to be zero if the block 140 (or the header of the block 140) is an input value.
    A shape of the header of the block 140 is not limited to that of Fig. 1, and the header may have various shapes. For example, the nonce 146 may be removed from the header or another configuration may be added.
    A certificate management device 200 according to FIG. 2 may generate a root certificate 150 based on information about the block 140. The root certificate 150 may include authentication information (TBS_certificate) 151 to be signed, information (Sign_Algorithm) 158 suitable for identifying a signature algorithm, and a signature 159. The authentication information 151 may include a serial number 512, a subject 153, an issuer 154, a validity period 155, a public key 156, and ETC (Ethereum Classic).
    The serial number 512 may be generated to be the same value as the block index 142 of the block 140 or a predetermined number.
    The subject 153 may be generated based on information suitable for identifying a blockchain or generated by combining information suitable for identifying the blockchain with the block index 142 of the block 140.
    The issuer 154 may be generated to be the same value as the subject 153.
    The validity period 155 may be set by adding a predetermined time to the time stamp 143 of the block 140.
    The public key 156 may be generated using a key generation function that uses the block hash 141 of the block 140 as a seed. In addition, a private key may be generated along with the public key 156.
    The signature 159 may be generated using the authentication information 151 and the private key generated together with the public key 156 based on a signature algorithm.
    The information 158 may be information indicating a signature algorithm used to generate the signature 159. The signature algorithm may include, for example but not limited thereto, an Elliptic Curve Digital Signature Algorithm (ECDSA) or a Rivest-Shamir Adleman (RSA).
    FIG. 2 is a diagram illustrating a configuration of a certificate management apparatus 200 for generating, revoking, and verifying a certificate according to an exemplary embodiment.
    Referring to FIG. 2, the certificate management device 200 may be configured using a controller 210, a root certificate generator 212, a certificate generator 214, a certificate revocation device 216, a certificate verifier 218, a communicator 220, and a memory 230 generate, verify, and revoke a certificate.
    The communicator 220 may be a communication interface device including a receiver and a transmitter, and accordingly, the communicator 220 may transmit or receive data via a wire or wirelessly. The communicator 220 may communicate with the blockchain network 130 to search for and receive blocks of a blockchain and to receive a message requesting issuance, revocation, or verification of a certificate.
    The memory 230 may store a block chain received over the block chain network 130 and also store a root certificate and a certificate.
    The root certificate generator 212 may generate the root certificate 150 based on information contained in block 140 of the blockchain. A process of generating the root certificate 150 will be described below with reference to FIG. 5.
    The certificate generator 214 may generate a certificate based on information contained in the root certificate 150 and information contained in a certificate issuance request transaction when it is determined that the certificate Issue Request Transaction is included in block 140. The process of generating a root certificate will be described below with reference to FIGS. 3 and 4.
    The certificate revocation facility 216 may extract information about a certificate when a certificate revocation event is detected, generate a transaction for revoking the certificate, and transmit the transaction to the block chain network 130, such that the Transaction can be stored in the blockchain. A process of revoking the certificate will be described below with reference to FIG. 6.
    The certificate verifier 218 may determine whether a validity period of the certificate is valid when a request for verification of the certificate is received. If the validity period of the certificate is determined to be valid, the certificate verifier 218 may verify a signature using a public key of the root certificate 150, look up a certificate issuance request transaction for requesting issuance of the certificate, authenticate Information included in the certificate issuance request transaction, compare with authentication information included in the certificate, determine whether a transaction for requesting revocation of the certificate is included in the blockchain, and determine that the verification of the certificate is successful if the verification of the signature of the certificate is successful, if the authentication information included in the certificate issuance request transaction is identical to the authentication information included in the certificate, and if so Certificate ni is revoked. A process of verifying the certificate will be described below with reference to FIGS. 7 and 8.
    The controller 210 may control an overall operation of the certificate management device 200. Also, controller 210 may perform one or more functions of root certificate generator 212, certificate generator 214, certificate revoker 216, and certificate verifier 218. The controller 210, the root certificate generator 212, the certificate generator 214, the certificate revocation facility 216, and the certificate verifier 218 are separately illustrated in FIG. 1 to separately describe each function. Thus, controller 210 may include at least one processor configured to perform one or more functions of root certificate generator 212, certificate generator 214, certificate revocation facility 216, and certificate verifier 218 perform. Similarly, the controller 210 may include at least one processor configured to perform a portion of one or more functions of the root certificate generator 212, the certificate generator 214, the certificate revocation device 216, and the certificate verifier. Device 218 to execute.
    Hereinafter, a method for generating, revoking and verifying a certificate based on a blockchain in a certificate management apparatus according to an exemplary embodiment will be described with reference to the drawings.
    FIG. 3 is a flowchart illustrating a process of generating a certificate according to an example embodiment. FIG.
    Referring to FIG. 3, in operation 310, the certificate management device 200 generates a root certificate based on a block contained in a blockchain. A process of generating the root certificate 150 will be described below with reference to FIG. 5.
    When it is determined in operation 320 that a certificate issuance request transaction is included in the block, the certificate management device 200 verifies the root certificate in operation 330.
    In operation 340, the certificate management device 200 generates a certificate based on information contained in the root certificate and information included in the certificate issuance request transaction. The process of generating the certificate will be described below with reference to FIG. 4.
    FIG. 4 is a flowchart illustrating in detail a process of generating a certificate according to an exemplary embodiment. FIG.
    Fig. 4 illustrates an example of the operation 340 of Fig. 3 for generating the certificate based on the information contained in the root certificate and the information included in the certificate issuance request transaction ,
    Referring to FIG. 4, in operation 410, the certificate management device 200 verifies a subject and a serial number contained in the root certificate.
    In operation 412, the certificate management device 200 verifies a subject and a public key included in the certificate issuance request transaction.
    In operation 414, the certificate management device 200 verifies a private key that is generated when the root certificate is generated.
    In operation 416, the certificate management device 200 generates a serial number of the certificate by adding the serial number of the root certificate to an ordinal number of the certificate issuance request transaction in the block.
    In operation 418, the certificate management device 200 sets the subject of the root certificate as an issuer of the certificate.
    In operation 420, the certificate management device 200 sets the subject of the certificate issuance request transaction as a subject of the certificate.
    In operation 422, the certificate management device 200 sets the public key of the certificate issuance request transaction as a public key of the certificate.
    In operation 424, the certificate management device 200 enacts a validity period of the certificate. For example, the certificate management device 200 may set the validity of the root certificate for a predetermined period of time or a period of time included in the certificate issuance request transaction.
    In operation 426, the certificate management device 200 generates a signature of the certificate based on a signature algorithm using the public key and authentication information to be signed and containing the serial number of the certificate, the issuer of the certificate, the subject of the certificate, the validity period of the certificate and the public key of the certificate.
    In operation 428, the certificate management device 200 generates the certificate including the serial number of the certificate, the issuer of the certificate, the subject of the certificate, the validity period of the certificate, the public key of the certificate, the signature, and information. which is suitable for identifying the signature algorithm.
    FIG. 5 is a flowchart illustrating a process of generating a root certificate according to an example embodiment. FIG.
    FIG. 5 illustrates an example of the operation 310 of FIG. 3 for generating a root certificate.
    Referring to FIG. 5, in operation 510, the certificate management apparatus 200 verifies the block hash 141 of the block 140. The block hash 141 may be included in the header of the block 140. If the header of the block 140 does not include the block hash 141, the block hash 141 may be generated based on the header of the block 140. In one example, if the block hash 141 is not included in the header of the block 140, the block hash 141 may be a value obtained by hashing the header using a hash function. As another example, if the block hash 141 is included in the header of the block 140, the block hash 141 may be information that includes a value obtained by hashing information - other than the block hash 141 - in the header of the block hash 140 is obtained using a hash function.
    In operation 512, the certificate management device 200 generates a seed using the block hash 141. The certificate management device 200 may, as a seed, obtain a result value using the block hash 141 or set the block hash 141 as a seed.
    In operation 514, the certificate management device 200 generates a private key and the public key 156 of the root certificate using the seed. The certificate management device 200 may generate the private key and the public key 156 using the seed as an argument value of a key generation function.
    In operation 516, the certificate management device 200 generates the serial number 152 of the root certificate so that it is the same value as a given number or the block index 142 of the block.
    In operation 518, the certificate management device 200 generates the root certificate issuer 154 based on information that is suitable for identifying a blockchain, or generates the root certificate issuer 154 by combining the information that is appropriate is to identify the blockchain and the block index of the block.
    In operation 520, the certificate management device 200 generates the root certificate subject 153 to be the same as the root certificate issuer 154.
    In operation 522, the certificate management device 200 sets the validity period 155 of the root certificate by adding a predetermined time to the time stamp 143 contained in the block.
    In operation 524, the certificate management device 200 generates the signature 159 of the root certificate based on a signature algorithm using the private key of the root certificate and the authentication information 151 containing the serial number 152, the subject 153, the issuer 154, the validity period 155, and the public key 156.
    In operation 526, the certificate management device 200 generates the root certificate 150 including the serial number 152, the subject 153, the issuer 154, the validity period 155, and the public key 156, the information 158, and the signature 159 ,
    6 is a flowchart illustrating a process of revoking a certificate according to an exemplary embodiment.
    Referring to Figure 6, in operation 610, the certificate management device 200 determines whether a certificate revocation event is detected. For example, a certificate revocation event may occur in response to a request from a legitimate user with authority of the certificate, or may be made when a revocation request is detected based on consent from blockchain network subscribers.
    When the certificate revocation event is determined to be detected in operation 610, the certificate management device 200 may extract information about a certificate in operation 620. The certificate management device 200 may verify an issuer included in the certificate, verify information used to identify a blockchain and a block used to generate the certificate, verify a serial number, which is included in the certificate, verify an ordinal number of a certificate issuance request transaction for requesting issuance of the certificate in the block, and extract information suitable for issuing the certificate issuance request transaction and the block corresponding to the certificate issuance request transaction Certificate used to identify.
    In operation 630, the certificate management device 200 generates a transaction for revoking a certificate generated by the certificate issuance request transaction based on the information about the certificate. The generated transaction may contain information that is suitable for identifying the certificate.
    In operation 640, the certificate management device 200 transmits the transaction to a block chain network of the block chain containing the block used to generate the certificate so that the transaction is stored in the block chain. When the blockchain network receives the transaction, a block containing the transaction can be generated and added to the blockchain.
    FIG. 7 is a flowchart illustrating a process of verifying a certificate according to an exemplary embodiment. FIG.
    Referring to Figure 7, when a request for verification of a certificate is received in operation 710, the certificate management device 200 determines in operation 712 whether a validity period of the certificate is valid.
    In operation 712, if the validity period is determined as expired, the certificate management device 200 determines in operation 714 that the verification of the certificate fails.
    In operation 712, when the validity period is determined to be valid, the certificate management device 200 verifies the root certificate of the certificate in operation 716.
    In operation 718, the certificate management device 200 verifies a signature of the certificate using a public key of the root certificate.
    In operation 720, the certificate management apparatus 200 searches a certificate issuance request transaction to request issuance of the certificate, and compares authentication information included in the certificate issuance request transaction with authentication information. Information contained in the certificate.
    In operation 722, the certificate management device 200 verifies a blockchain used to generate the certificate.
    In operation 724, the certificate management apparatus 200 determines whether a transaction for requesting revocation of the certificate is included in the blockchain. For example, by verifying an issuer of the certificate, the certificate management device 200 may verify information used to identify the blockchain and may determine whether a transaction to request revocation of the certificate is included in the blockchain.
    If, as a result of the operation 718, the verification of the signature is successful, if, as a result of the operation 720, the authentication information included in the certificate issuance request transaction is identical to that Authentication information included in the certificate, and if, as a result of operation 724, the certificate is not revoked, the certificate management device 200 determines in operation 726 that the verification of the certificate is successful.
    FIG. 8 is a flowchart illustrating a process of verifying a certificate based on information about the certificate according to an example embodiment.
    Fig. 8 illustrates an example of the operation 720 of Fig. 7 for comparing the authentication information included in the certificate issuance request transaction with the authentication information included in the certificate.
    Referring to Figure 8, in operation 810, the certificate management device 200 verifies an issuer of a certificate and verifies information used to identify a block and block chain used to generate the certificate.
    In operation 812, the certificate management device 200 verifies a serial number of the certificate and verifies an ordinal number of the certificate issuance request transaction for requesting issuance of the certificate in the block.
    In operation 814, the certificate management apparatus 200 searches a block out of the blockchain, verifies the certificate issuance request transaction in the block, and verifies a subject and a public key that are authentication information included in the certificate Exhibit Request transaction is included.
    In operation 816, the certificate management device 200 verifies a subject and a public key, which are authentication information included in the certificate.
    In operation 818, the certificate management device 200 determines whether the subject contained in the certificate issue request transaction is identical to the subject contained in the certificate, and determines whether the public key contained in the certificate issuance request transaction is identical to the public key contained in the certificate.
    Although, as described above with reference to FIGS. 3-8, all operations for generating a root certificate and a certificate, revoking the certificate, and verifying the certificate are performed by the certificate management device, For example, all operations may be performed by another device (such as a peer). For example, a device that does not generate a certificate may receive and verify a certificate.
    [0110] According to exemplary embodiments, a certificate may be generated, verified, and revoked based on a blockchain; and thus it is possible to generate, verify, and revoke a certificate with the same force and effect for all Blockchain subscribers instead of using a separate certification authority.
    The devices, devices, and other components described herein may be implemented using a hardware component, a software component, and / or a combination thereof. A processing device may be implemented using one or more general purpose or special purpose computers, such as a processor, a controller, and an arithmetic logic unit (ALU), a digital signal processor (DSP), a microcomputer , a programmable gate array (FPGA), a Programmable Logic Unit (PLU), a microprocessor, or any other device capable of responding to instructions or executing instructions in a defined manner. The processing device may operate an operating system (OS) and one or more software applications running on the operating system. The processing device may also access data, store data, manipulate data manipulate data, and generate data in response to executing the software. For the sake of simplicity, the singular form is used for the description of the processing unit; However, those skilled in the art will recognize that a processing device may include multiple processing elements and multiple types of processing elements. For example, a processing device may include multiple processors or a processor and a controller. In addition, various processing configurations are possible, such as a parallel processor.
    The software may include a computer program, a piece of code, an instruction, or various combinations thereof, to independently or collectively instruct, or configure the processing device to operate as desired. Software and data may be permanently or temporarily included in any type of machine, component, physical or virtual equipment, computer storage medium or device, or propagated signal wave capable of providing processing device instructions and data or being interpreted by the processing device. The software may also be distributed over networked computer systems so that the software is stored and executed in a decentralized manner. The software and data may be stored by one or more non-transitory computer-readable recording media.
    The methods according to the exemplary embodiments described above may be recorded in non-transitory computer-readable media containing program instructions for implementing various operations of the above-described exemplary embodiments. The media may also, alone or in combination with the program instructions, contain data files, data structures, and the like. The program instructions recorded on the media may be those that are specifically designed and constructed for the purpose of the exemplary embodiments, or they may be of the kind well known and available to those skilled in the computer software art. Examples of non-transitory computer readable media include magnetic media such as hard disks, floppy disks, and magnetic tapes; optical media such as CD-ROM discs, DVDs and / or Blue-Ray discs; magneto-optical media, such as optical discs; and hardware devices specially adapted to store and execute program instructions, such as Read Only Memory (ROM),
    权利要求:
    Claims (10)
    [1]
    Random Access Memory (RAM), flash memory (eg, USB flash memory, memory cards and memory sticks, etc.), and the like. Examples of program instructions include both machine language, such as generated by a compiler, and files containing a high level programming language that can be executed by the computer using an interpreter. The above-described devices may be configured to function as one or more software modules to perform the operations of the above-described exemplary embodiments, or vice versa. While the present disclosure contains specific examples, those skilled in the art will recognize that various changes in form and detail can be made to these examples without departing from the spirit and scope of the claims and their equivalents. The examples described herein are to be construed in a descriptive sense only and are not for the purpose of limitation. Descriptions of features and aspects in each example should be construed to be applicable to similar features and aspects in other examples. Suitable results can be achieved if the described techniques are performed in a different order and / or if components in a described system, architecture, device or circuit are combined and / or replaced in another way or by other components or their equivalents are supplemented. Therefore, the scope of the present disclosure is not defined by the detailed description, but by the claims and their equivalents, and all variations within the scope of the claims and their equivalents are to be construed as included in the disclosure. claims
    A method for generating a certificate based on a blockchain, the method comprising: verifying a root certificate of a block contained in a blockchain when it is determined that a certificate issuance request transaction is included in the block ; and generating a certificate based on information contained in the root certificate and information included in the certificate issuance request transaction.
    [2]
    2. The method of claim 1, wherein generating the certificate comprises: verifying a subject of the root certificate and a serial number of the root certificate; Verifying a public key and a subject of the certificate issuance request transaction; Verifying a private key that is generated when the root certificate is generated; Generating a serial number of the certificate by adding the serial number of the root certificate to an ordinal number of the certificate issuance request transaction in the block; Setting the subject of the root certificate as an issuer of the certificate; Setting the subject of the certificate issuance request transaction as a subject of the certificate; Setting the public key of the certificate issuance request transaction as a public key of the certificate; Setting a validity period of the certificate to a predetermined period of time or a period of time included in the certificate issue request transaction; Generating a signature of the certificate based on a signature algorithm using the private key and authentication information to be signed and containing the serial number of the certificate, the issuer of the certificate, the subject of the certificate, the period of validity of the certificate and the public key of the certificate; and generating the certificate containing the serial number of the certificate, the issuer of the certificate, the subject of the certificate, the period of validity of the certificate, the public key of the certificate, the signature and information that is capable of identifying the signature algorithm.
    [3]
    3. The method of claim 1, wherein the method, after verifying the root certificate, further comprises: verifying a block hash of the block; Generating a seed using the block hash; Generating a private key of the root certificate and a public key of the root certificate using the seed; Generating a serial number of the root certificate at a predetermined number or block index of the block; Generating an issuer of the root certificate based on information that is suitable for identifying the blockchain, or generating an issuer of the root certificate by combining the block index and the information that is appropriate to identify the blockchain; Generating a subject of the root certificate so that it is the same as the issuer of the root certificate; Setting a validity period of the root certificate by adding a predetermined time to a timestamp contained in the block; Generate a signature of the root certificate based on a signature algorithm using the private key of the root certificate and authentication information containing the serial number of the root certificate, the issuer of the root certificate, the subject of the root certificate, the validity period of the root certificate Root certificate and the public key of the root certificate contains; and generating the root certificate, the serial number of the root certificate, the issuer of the root certificate, the subject of the root certificate, the period of validity of the root certificate, the public key of the root certificate, the signature of the root certificate and containing information suitable for identifying the signature algorithm.
    [4]
    A method of revoking a certificate based on a blockchain, the method comprising: extracting information about a certificate when a certificate revocation event is detected; Generating a certificate revocation transaction based on the information about the certificate; and transmitting the transaction to a block chain network of a block chain having a block used to generate the certificate so that the transaction is stored in the block chain.
    [5]
    The method of claim 4, further comprising: generating a block containing the transaction and adding the block to the block chain when the transaction is received over the block chain network, wherein extracting the information about the certificate comprises: verifying a Issuer included in the certificate and extracting information used to identify the blockchain and the block used to generate the certificate; and verifying a serial number included in the certificate, verifying an ordinal number of a certificate issuance request transaction for requesting issuance of a certificate in the block, and extracting information that is appropriate to the certificate issuance request transaction identify.
    [6]
    The method of claim 4, wherein the certificate revocation event occurs in response to a request from a legitimate user with authority of the certificate, or occurs when a revocation request is detected based on an approval from Blockchain network participants established.
    [7]
    7. A method for verifying a certificate based on a blockchain, the method comprising: determining whether a period of validity of a certificate is valid when a request for verification of the certificate is received; Verifying a certificate's root certificate if the validity of the certificate is determined to be valid; Verifying a signature of the certificate using a public key of the root certificate; Seeking a certificate issuance request transaction for requesting issuance of the certificate and comparing authentication information included in the certificate issuance request transaction with authentication information included in the certificate; Verifying a blockchain used to generate the certificate and determining whether a transaction for requesting revocation of the certificate is included in the blockchain; and determining that the verification of the certificate is successful if the verification of the signature of the certificate is successful, if the authentication information included in the certificate issuance request transaction is identical to the authentication information included in the certificate Certificate is included and if the certificate is not revoked.
    [8]
    8. The method of claim 7, wherein searching the certificate issuance request transaction comprises verifying an issuer included in the certificate and verifying information used to identify a block and the blockchain to generate the certificate will be used; Verifying a serial number contained in the certificate and verifying an ordinal number of the certificate issue request transaction in the block; Searching the block from the blockchain, verifying the certificate issuance request transaction in the block, and verifying a subject and a public key that are the authentication information included in the certificate issuance request transaction; Verifying a subject and a public key of the certificate that are the authentication information included in the certificate; and determining whether the subject that is in the certificate issuance request transaction is identical to the subject contained in the certificate and determining whether the public key included in the certificate issuance request Transaction is identical to the public key that is included in the certificate.
    [9]
    9. The method of claim 7, wherein verifying the blockchain comprises: verifying an issuer included in the certificate and verifying information used to identify the blockchain; and determining whether the transaction for requesting the revocation of the certificate is included in the blockchain.
    [10]
    A certificate management apparatus, comprising: a root certificate generator configured to generate a root certificate based on information contained in a block of a blockchain; a certificate generator configured to generate a certificate based on information contained in the root certificate and information included in a certificate issuance request transaction when it is determined that the certificate Issuance request transaction is included in the block; a certificate revocation facility configured to extract information about the certificate, generate a transaction for revoking the certificate, and transmit the transaction to a block chain network of the block chain so that the transaction is stored in the block chain when a certificate revocation event is detected; and a certificate verifier configured to: determine whether a validity period of the certificate is valid when a request for verification of the certificate is received; verify a signature of the certificate using a public key of the root certificate if the validity period of the certificate is determined to be valid; seek a certificate issuance request transaction and compare authentication information contained in the certificate issuance request transaction with authentication information included in the certificate; determine whether a transaction for requesting revocation of the certificate is included in the blockchain; and determine that the verification of the certificate is successful if a verification of the signature of the certificate is successful if the authentication information included in the certificate issuance request transaction is identical to the authentication information that contained in the certificate, and if the certificate is not revoked.
    类似技术:
    公开号 | 公开日 | 专利标题
    CH713421A2|2018-08-15|Apparatus and method for generating, revoking and verifying a certificate using a blockchain as certification authority.
    EP3108610B1|2020-02-12|Method and system for creating and checking the validity of device certificates
    EP3256977B1|2020-08-05|Computer-implemented method for access control
    DE602005002652T2|2008-07-10|System and method for renewing keys used in public-key cryptography
    DE112011100182B4|2021-01-21|Data security device, computing program, terminal and system for transaction verification
    DE112016003625T5|2018-05-03|PEER-TO-PEER CREDENTIALS
    DE102013109513A1|2014-09-25|Procedure for certificate generation and certificate revocation with privacy protection
    DE102016215914A1|2018-03-01|Securing a device usage information of a device
    EP3596653A1|2020-01-22|Issuing virtual documents in a block chain
    EP1805720B1|2010-08-25|Method for securely transmitting data
    DE102012206341A1|2012-10-31|Shared encryption of data
    DE112015002508T5|2017-04-27|Key exchange system, key exchange method, key exchange apparatus, control method therefor, and recording medium for storing control program
    EP3319006A1|2018-05-09|Method for offline authenticity testing of a virtual document
    DE102009030019B3|2010-12-30|System and method for reliable authentication of a device
    EP2442251B9|2016-10-05|Individual updating of computer programs
    DE102015115295A1|2016-03-17|METHOD AND DEVICE FOR PROCESSING DATA
    DE202012101671U1|2012-05-25|Secure electronic signing of information
    EP3956846A1|2022-02-23|Method for directly transmitting electronic coin data sets between terminals and a payment system
    EP3182318B1|2021-06-16|Signature generation by means of a security token
    CN111865595A|2020-10-30|Block chain consensus method and device
    DE102014210282A1|2015-12-03|Generate a cryptographic key
    EP3767513B1|2021-09-15|Method for secure execution of a remote signature, and security system
    DE112019003528T5|2021-04-01|Method for establishing an anonymous digital identity
    DE102020202879A1|2021-09-09|Method and device for certification of an application-specific key and for requesting such certification
    DE102020104904A1|2021-08-26|PROCEDURE, TERMINAL DEVICE, MONITORING INSTANCE AND PAYMENT SYSTEM FOR MANAGING ELECTRONIC COIN DATA RECORDS
    同族专利:
    公开号 | 公开日
    KR20180089668A|2018-08-09|
    KR101937216B1|2019-01-11|
    引用文献:
    公开号 | 申请日 | 公开日 | 申请人 | 专利标题
    EP3873051A1|2020-02-26|2021-09-01|Siemens Aktiengesellschaft|Method for validation of a digital certificate|KR101637854B1|2015-10-16|2016-07-08|주식회사 코인플러그|Certificate issuance system and method based on block chain, certificate authentication system and method based on block chain|KR102250081B1|2019-02-22|2021-05-10|데이터얼라이언스 주식회사|Public ledger based autonomous credential management system and method|
    PL3598879T3|2019-03-04|2021-06-14|Advanced New Technologies Co., Ltd.|Methods and devices for processing certificates in blockchain system|
    SG11201908942VA|2019-03-29|2019-10-30|Alibaba Group Holding Ltd|Securely performing cryptographic operations|
    KR20200116009A|2019-03-29|2020-10-08|알리바바 그룹 홀딩 리미티드|Encryption key management based on identity information|
    EP3616360B1|2019-03-29|2021-07-07|Advanced New Technologies Co., Ltd.|Managing cryptographic keys based on identity information|
    KR102218188B1|2019-05-07|2021-02-23|주식회사 한컴위드|Node device for performing certificate management based on a block chain and operating method thereof|
    KR102274169B1|2020-06-16|2021-07-08|소셜인프라테크|System for issuing object with function for preventing object from being tampered|
    法律状态:
    2021-01-29| AZW| Rejection (application)|
    优先权:
    申请号 | 申请日 | 专利标题
    KR1020170014294A|KR101937216B1|2017-02-01|2017-02-01|Apparatus and method for managing certificates using a block chain as a certificate authority|
    [返回顶部]