WO2019127278A1 - Safe access blockchain method, apparatus, system, storage medium, and electronic device - Google Patents
- Publication number
- WO2019127278A1 (PCT/CN2017/119575)
- Authority
- WO
- WIPO (PCT)
- Legal status
- Ceased
Classifications
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/08—Network architectures or network communication protocols for network security for authentication of entities
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/32—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
- H04L9/3247—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving digital signatures
Definitions
- the present disclosure relates to the field of computers, and in particular to a method, apparatus, storage medium, and electronic device for securely accessing a blockchain.
- Blockchain is a technical solution for collectively maintaining a reliable database through decentralization.
- nodes are connected to each other through a P2P (Peer-to-Peer) network.
- a node (for example a new node, which may be any of various terminals, a blockchain light node, a blockchain full node, etc.) that accesses a target node does not verify the legitimacy of the target node, and the target node does not verify the legitimacy of the node.
- this type of access may lead to the disclosure of critical information.
- multiple organizations, such as banks and enterprises, may participate in the same blockchain at the same time to complete business. Different organizations participating in the same blockchain may acquire key information that they do not want the other party to obtain. Therefore, it is imperative that inter-node access in the blockchain network complete mutual authentication.
- the traditional identity authentication method is generally implemented by mutual exchange of digital certificates issued by third parties. This traditional method is over-centralized, and the high complexity of digital certificates makes it unsuitable for a decentralized blockchain network.
- the present disclosure provides a method, apparatus, system, storage medium, and electronic device for securely accessing a blockchain for implementing secure access in a blockchain network.
- a method for securely accessing a blockchain is provided, applied to a new node preparing to access a target node in a blockchain network, the method comprising: determining whether a trusted node preset in the blockchain network is required to endorse the target node; if the trusted node is required to endorse the target node, acquiring endorsement data obtained by the trusted node signing the target node's public key with its private key; and providing the public key of the new node to the target node, wherein the public key of the new node is used to make the target node query, in the permission rights preset by the blockchain network, the permission rights of the account address corresponding to the public key of the new node, and determine whether the identity authentication of the new node is successful according to the queried permission; and performing signature verification on the endorsement data, and if the signature verification passes, determining that the identity authentication of the target node is successful.
- an apparatus for securely accessing a blockchain, configured in a new node preparing to access a target node in a blockchain network.
- the apparatus includes a determination module configured to determine whether a trusted node preset in the blockchain network is required to endorse the target node.
- the endorsement obtaining module is configured to acquire, when the trusted node is required to endorse the target node, the endorsement data obtained by the trusted node using the private key to sign the target node public key.
- a public key providing module configured to provide the public key of the new node to the target node, wherein the public key of the new node is used to enable the target node to query, in the permission rights preset by the blockchain network, the permission rights of the account address corresponding to the public key of the new node, and to determine whether the identity authentication of the new node is successful according to the queried permission.
- the target identity authentication module is configured to perform signature verification on the endorsement data, and if the signature verification is passed, determine that the identity authentication of the target node is successful.
- a method of securely accessing a blockchain applied to a target node in a blockchain network.
- the method includes: acquiring the public key of the new node in response to receiving an access request issued by the new node; querying, in the permission rights preset by the blockchain network, the permission rights owned by the account address corresponding to the public key of the new node; and determining whether the identity authentication of the new node is successful according to the queried permission.
- an apparatus for securely accessing a blockchain configured in a target node in a blockchain network.
- the apparatus includes a new node public key acquisition module configured to acquire a public key of the new node in response to receiving an access or access request issued by the new node.
- the new node permission query module is configured to query, in the license rights preset by the blockchain network, the permission rights owned by the account address corresponding to the public key of the new node.
- the new node identity authentication module is configured to determine whether the identity authentication of the new node is successful according to the queried permission.
- a method of securely accessing a blockchain the method being applied to a trusted node preset in a blockchain network.
- the method includes: in response to a new node preparing to access a target node in the blockchain network requiring the trusted node to endorse the target node, obtaining the public key of the target node; signing the target node's public key with the trusted node's own private key to obtain endorsement data; and providing the endorsement data to the new node, so that the new node determines whether the identity authentication of the target node is successful by performing signature verification on the endorsement data.
- an apparatus for securely accessing a blockchain, the apparatus being configured in a trusted node preset in a blockchain network.
- the apparatus includes a target public key acquisition module configured to acquire a public key of the target node in response to a new node that is ready to access a target node in the blockchain network, requiring the trusted node to endorse the target node.
- the signature module is configured to use the trusted node's own private key to sign the public key of the target node to obtain endorsement data.
- An endorsement providing module configured to provide the endorsement data to the new node, to cause the new node to perform signature verification on the endorsement data; if the new node's signature verification passes, the new node determines that the identity authentication of the target node is successful.
- a computer readable storage medium comprising one or more programs for performing the method described in the first aspect of the embodiments of the present disclosure.
- an electronic device comprising: the computer readable storage medium of the seventh aspect of the embodiments of the present disclosure; and one or more processors for executing the programs in the computer readable storage medium.
- a computer readable storage medium comprising one or more programs for performing the method described in the third aspect of the embodiments of the present disclosure.
- an electronic device comprising: the computer readable storage medium of the ninth aspect of the embodiments of the present disclosure; and one or more processors for executing the programs in the computer readable storage medium.
- a computer readable storage medium comprising one or more programs for performing the method of the fifth aspect of the embodiments of the present disclosure.
- an electronic device comprising: the computer readable storage medium of the eleventh aspect of the embodiments of the present disclosure; and one or more processors for executing the programs in the computer readable storage medium.
- a system for securely accessing a blockchain includes: a new node implemented by the electronic device according to the eighth aspect of the embodiments of the present disclosure; a target node implemented by the electronic device according to the tenth aspect of the embodiments of the present disclosure; and a trusted node implemented by the electronic device of the second aspect; wherein the new node, the target node, and the trusted node belong to the same blockchain network.
- a new node preparing to access the blockchain network acquires endorsement data obtained by the trusted node preset in the blockchain network signing the target node's public key with its private key, and performs signature verification on the endorsement data; if the signature verification passes, it determines that the identity authentication of the target node is successful. The target node queries, in the permission rights preset by the blockchain network, the permission rights of the account address corresponding to the public key of the new node, and determines according to the queried permission whether the identity authentication of the new node is successful.
- the trusted node, in response to a new node that is ready to access the target node in the blockchain network requiring it to endorse the target node, obtains the public key of the target node, signs the target node's public key with its own private key to obtain endorsement data, and provides the endorsement data to the new node.
- therefore, the mutual authentication of the new node and the target node of the disclosure directly utilizes the public and private keys of the blockchain network node accounts and does not require a centralized third party to issue digital certificates, avoiding the high complexity brought about by digital certificate issuance and achieving secure access between nodes in the blockchain network.
- FIG. 1 is a schematic structural diagram of a blockchain network according to an exemplary embodiment of the present disclosure.
- FIG. 2 is a flow chart of a method of securely accessing a blockchain, according to an exemplary embodiment of the first aspect of the present disclosure.
- FIG. 3 is a schematic diagram of signaling interaction of a method for securely accessing a blockchain according to another exemplary embodiment of the first aspect of the present disclosure.
- FIG. 4 is a block diagram of an apparatus for securely accessing a blockchain, according to an exemplary embodiment of the second aspect of the present disclosure.
- FIG. 5 is a block diagram of an apparatus for securely accessing a blockchain, according to another exemplary embodiment of the second aspect of the present disclosure.
- FIG. 6 is a block diagram of an apparatus for securely accessing a blockchain, according to still another exemplary embodiment of the second aspect of the present disclosure.
- FIG. 7 is a flowchart of a method for securely accessing a blockchain according to an exemplary embodiment of the third aspect of the present disclosure.
- FIG. 8 is a block diagram of an apparatus for securely accessing a blockchain, according to an exemplary embodiment of the fourth aspect of the present disclosure.
- FIG. 9 is a block diagram of an apparatus for securely accessing a blockchain, according to another exemplary embodiment of the fourth aspect of the present disclosure.
- FIG. 10 is a block diagram of an apparatus for securely accessing a blockchain, according to still another exemplary embodiment of the fourth aspect of the present disclosure.
- FIG. 11 is a flowchart of a method for securely accessing a blockchain according to an exemplary embodiment of the fifth aspect of the present disclosure.
- FIG. 12 is a block diagram of an apparatus for securely accessing a blockchain, according to an exemplary embodiment of the sixth aspect of the present disclosure.
- FIG. 13 is a block diagram of an apparatus for securely accessing a blockchain, according to another exemplary embodiment of the sixth aspect of the present disclosure.
- FIG. 14 is a block diagram of an electronic device, according to an exemplary embodiment.
- the blockchain network shown in FIG. 1 is a P2P-based peer-to-peer network composed of several nodes. Each node in the blockchain network maintains a chain of blocks generated using cryptographic methods. The latest blocks are obtained by broadcasting between the nodes, so that the blocks held by the nodes are kept synchronized. Each node has an account that describes its identity. This account consists of a public and private key pair; the hash value of the public key is the address of the account. The private key is kept by the account owner and cannot be made public.
- FIG. 1 is a schematic diagram of a blockchain network structure according to an exemplary embodiment.
- the blockchain network may include a new node 110, a target node 120, a trusted node 130, a management node 140, and participating nodes 150, where:
- the new node 110 may include, but is not limited to, various terminals, a blockchain light node, a blockchain full node, etc.; it needs to generate its own blockchain account, but may not have synchronized any block data of the target blockchain network.
- the target node 120 may include, but is not limited to, various terminals; it may be any node in the blockchain network and holds the block data of the blockchain network.
- the trusted node 130 may include, but is not limited to, various terminals; it is a default trusted node that the management node 140 presets into the blockchain network, and there may be more than one.
- the management node 140 may include, but is not limited to, various terminals; it is the management node in the blockchain network and may configure the permission rights of the other blockchain node accounts.
- the participating nodes 150 may include, but are not limited to, various terminals; they are any nodes other than the default trusted nodes in the blockchain network, and their number is not limited.
- each node can generate its own blockchain node account by running a blockchain program on the corresponding node server.
- the management node 140 can configure the permission rights of each node through the node control platform, for example access permission rights. The rights configuration is sent to the blockchain network as a transaction, written into the blockchain after being verified by the blockchain network nodes, and finally propagated through the P2P network to all nodes in the blockchain network.
- FIG. 2 is a flow chart of a method of securely accessing a blockchain, according to an exemplary embodiment of the first aspect of the present disclosure.
- the method is applied to a new node that is ready to access a target node in a blockchain network.
- the method may include:
- step 210 the new node determines whether a trusted node preset in the blockchain network is required to endorse the target node.
- Endorsement, in the present disclosure, refers to a process in which a node uses the private key of its own blockchain account to sign the endorsed data (such as a public key or communication encrypted data) of a blockchain node that needs to be endorsed.
- in the present disclosure, a target node that is not trusted needs to be endorsed.
- a target node that is preset as a trusted node, or that has been endorsed and whose endorsement has not expired, can be regarded as a trusted node by the new node and does not need to be endorsed. A target node that is not preset as a trusted node, has not been endorsed, or whose endorsement has expired is an untrusted node and needs to be endorsed.
- the trusted node of the new node requesting endorsement can be preset by the new node after the new node generates its own node account.
- the node information of the preset trusted node may include an IP or a domain name and an account public key of the trusted node.
- the manner in which the new node presets the default trusted node may include: the client through which the new node accesses the blockchain presets the default trusted node information internally, or that client prompts the user to input the default trusted node information. If the new node has no other intra-chain node information, it can also obtain other node information from the trusted node and refresh the local trusted node information list, for example adding or removing trusted nodes and refreshing the trusted node validity period.
- the new node can issue a connection request to the target node.
- the new node may also receive a random challenge code from the target node, sign the random challenge code using its own private key, and send the signed random challenge code to the target node.
- step 220 if the trusted node is required to endorse the target node, the endorsement data obtained by the trusted node using the private key to sign the target node public key is obtained.
- the new node sends the IP or domain name of the trusted node and the endorsement determination indication to the target node.
- the list of trusted nodes and the validity period can be locally updated and maintained at the new node.
- the endorsement determination indication may be used to cause the target node to query, according to the IP or domain name of the trusted node, the locally pre-stored endorsement data obtained by the trusted node signing the target node's public key with its own private key, and to send that endorsement data to the new node if it has not expired.
- if no unexpired endorsement data is stored locally, the corresponding endorsement request may be sent to the trusted node, the endorsement data obtained from the trusted node, and the endorsement data sent to the new node. Since this embodiment obtains the endorsement data locally from the target node, it is not necessary to obtain the endorsement data from the trusted node every time, thereby effectively reducing the burden on the trusted node.
- the endorsement determination indication may be used to cause the target node to issue a corresponding endorsement request to the trusted node, obtain endorsement data from the trusted node, and send the endorsement data to the new node.
- the new node receives the endorsement data sent by the target node for the endorsement determination indication.
- the random challenge code can also be used to prevent replay attacks.
- the trusted node may query, in the permission rights preset by the blockchain network, the permission rights of the account address corresponding to the public key of the target node, determine whether to endorse the target node according to the queried permission, and, if it determines to endorse the target node, sign the public key of the target node and the communication encrypted data with its private key to obtain the endorsement data.
- the new node may send the endorsement determination indication to the target node along with the signed random challenge code.
- the communication encrypted data generated by the new node can also be sent to the target node together with the endorsement determination indication.
- the communication encrypted data is used by the new node and the target node to perform encrypted communication with each other using the communication encrypted data after the identity authentication is passed.
- the communication encrypted data may include: a communication encrypted symmetric key, or a communication encrypted random number.
- the new node encrypts the communication encrypted data.
- the target node may send the random challenge code and its own public key to the new node after receiving the connection request of the new node.
- the new node can encrypt the communication encrypted data by using the target node public key, and send the encrypted communication encrypted data, the endorsement determination indication, and the signed random challenge code to the target node.
- the communication encrypted data for encrypted communication is generated by the new node client and transmitted to the other party in the two-way authentication process, thereby reducing the number of interactions and improving the authentication efficiency.
- the new node may send an endorsement request to the trusted node and receive the endorsement data that the trusted node returns for the endorsement request.
- the new node directly obtains the endorsement data from the trusted node, and the endorsement data does not pass through the target node, and the security is higher.
- step 230 the public key of the new node is provided to the target node.
- the public key of the new node is used to enable the target node to query, in the permission rights preset by the blockchain network, the permission rights of the account address corresponding to the public key of the new node, and to determine according to the queried permission whether the identity authentication of the new node is successful.
- for example, corresponding to the access request of the new node, the target node checks the access permission of the new node's account on the current blockchain, that is, checks whether the account of the new node has the corresponding access permission in the current blockchain network; if so, it determines that the identity authentication of the new node is successful.
- step 240 signature verification is performed on the endorsement data.
- step 250 if the signature verification is passed, it is determined that the identity authentication for the target node is successful.
- a new node that is ready to access the blockchain network acquires endorsement data obtained by the trusted node preset in the blockchain network signing the target node's public key with its private key, and performs signature verification on the endorsement data; if the signature verification passes, it determines that the identity authentication of the target node is successful.
- the identity authentication directly utilizes the public and private keys of the blockchain network node accounts and does not require a centralized third party to issue digital certificates, thereby avoiding the high complexity of digital certificate issuance and achieving secure access between nodes in the blockchain network.
- FIG. 3 is a schematic diagram of signaling interaction of a method for securely accessing a blockchain according to another exemplary embodiment of the first aspect of the present disclosure.
- the new node may first generate a node account and preset the trusted node public key.
- if the new node has no intra-chain node information locally, it can obtain the intra-chain node information from the trusted node and refresh the trusted node information list.
- the trusted node presets the trusted node information in the blockchain network and adds the new node account to the blockchain. Understandably, these preset operations only need to be completed in advance and do not need to be performed before each authentication.
- step 310 the new node issues a connection request to the target node.
- step 311 the new node receives the random challenge code and the target node public key from the target node.
- step 312 the new node signs the random challenge code using its own private key.
- step 313 the new node generates a communication encryption symmetric key and encrypts the communication encryption symmetric key using the target node public key.
- a communication encrypted random number may be used instead of the encrypted symmetric key.
- step 314 the new node determines whether the target node is trusted, that is, determines whether the trusted node preset in the blockchain network needs to endorse the target node.
- step 315 if the new node determines that the target node is trusted, the signed random challenge code, the encrypted communication encryption symmetric key, and the endorsement negative indication are carried together in the access request and sent to the target node.
- step 316 when the new node determines that the target node is not trusted, that is, when the trusted node is required to endorse the target node, the IP address or domain name of the trusted node, the signed random challenge code, the encrypted communication encryption symmetric key, and the endorsement determination indication are carried together in the access request and sent to the target node.
- step 320 the target node performs signature verification on the random challenge code carried in response to receiving the access or access request, and obtains the public key of the new node according to the signature.
- step 321 the target node queries the permission rights of the account address corresponding to the public key of the new node in the permission permission preset by the blockchain network.
- step 322 the target node determines whether the identity authentication of the new node is successful according to the queried permission.
- the account authority corresponding to the account address of the new node may include multiple types; here, corresponding to the access request of the new node, the target node checks the access permission of the new node's account on the current blockchain, that is, checks whether the account of the new node has the corresponding access permission in the current blockchain network.
- step 323 the target node determines whether the endorsement determination indication or the endorsement negative indication is received in the case that it is determined that the identity authentication of the new node is successful.
- step 324 if the target node determines that the endorsement determination indication is received, the target node carries the communication encryption symmetric key in an endorsement request and sends it to the corresponding trusted node according to the IP or domain name of the trusted node carried in the access request.
- the target node may locally maintain the endorsements of the trusted node, including validity-period management of the endorsements. Within the validity period of an endorsement, the target node need not request endorsement from the trusted node again, which reduces the burden on the trusted node. Specifically, the target node may locally query, according to the IP address or domain name of the trusted node, the previously stored endorsement data obtained by the trusted node signing the target node's public key with its private key, and if the endorsement data has not expired, send it to the new node. It can be understood that if no unexpired endorsement of the trusted node is held locally, the endorsement data can be obtained by sending an endorsement request to the trusted node.
- if the target node determines that the endorsement negative indication is received, this means that the new node has determined that the target node is trusted; the target node can then decrypt the communication encryption symmetric key using its own private key, sign the decrypted communication encryption symmetric key using its own private key, and send the signed communication encryption symmetric key to the new node. The new node performs signature verification on the received communication encryption symmetric key; after the verification passes, the new node and the target node can communicate with each other.
- step 325 the target node receives a random challenge code from the trusted node.
- step 326 the target node signs the random challenge code using its own private key.
- step 327 the target node sends the signed random challenge code to the trusted node.
- step 330 the trusted node performs signature verification on the received random challenge code, and obtains the public key of the target node after the verification is passed.
- step 331 the trusted node queries the permission rights of the target node's public key corresponding account address in the license rights preset by the blockchain network.
- step 332 the trusted node determines whether to endorse the target node according to the queried permission.
- the account address corresponding to the public key of the target node may have multiple license rights; here, corresponding to the endorsement request of the target node, the trusted node may check the access permission of the target node's account on the current blockchain, that is, check whether the account of the target node has the corresponding access permission in the current blockchain network. If the check passes, the target node can be endorsed; if it does not pass, the target node is not endorsed.
- the trusted node when determining to endorse the target node, uses the private key to sign the public key of the target node and the communication encryption symmetric key to obtain endorsement data.
- step 334 the trusted node sends the endorsement data to the target node.
- step 340 the target node decrypts the communication encryption symmetric key using its own private key and signs the communication encryption symmetric key using its own private key.
- step 341 the target node transmits the signed communication encryption symmetric key and the endorsement data to the new node. That is, the trusted node provides the endorsement data to the new node through the target node.
- step 342 the new node determines whether the identity authentication of the target node is successful by performing signature verification on the received endorsement data.
- step 343 the new node performs signature verification on the signed communication encryption symmetric key to obtain the public key of the target node. If the signature verification passes, the new node determines that the identity authentication of the target node is successful, adds the target node's public key to its list of trusted nodes, and configures its validity period. Thereafter, the new node and the target node can communicate with each other.
- the new node and the target node need to calculate the encryption key according to the communication encrypted random number before the communication, and use the encryption key to perform the encrypted communication.
- the communication encryption random number may be a true random number string generated by the new node with the same length in bytes as the plaintext.
- the encryption can then be performed by adding or XORing the random number with the plaintext byte by byte; decryption is the inverse operation.
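As an added illustration that is not part of the patent text, the following Go program implements the pad scheme the preceding items describe: a random byte string drawn from the OS CSPRNG with exactly the plaintext's length, combined with the plaintext byte by byte either by XOR or by addition modulo 256, with decryption as the inverse operation. The PadMode type, the function names and the sample message are constructions of this example. The length check is the point a practitioner should take away: a pad shorter than the plaintext would have to be reused, and reuse of such a pad gives up its secrecy, so the functions refuse a mismatched length rather than cycling the pad.

```go
package main

import (
	"crypto/rand"
	"errors"
	"fmt"
)

// PadMode selects how the random number is combined with the plaintext.
// The page describes both addition and XOR, applied "one-to-one" per byte.
type PadMode int

const (
	ModeXOR PadMode = iota
	ModeAdd
)

// NewPad returns a fresh random byte string exactly as long as the plaintext,
// drawn from the OS CSPRNG. A pad is used for one message and then discarded.
func NewPad(plaintextLen int) ([]byte, error) {
	pad := make([]byte, plaintextLen)
	if _, err := rand.Read(pad); err != nil {
		return nil, err
	}
	return pad, nil
}

// Encrypt combines plaintext and pad byte by byte. It refuses a pad whose
// length differs from the plaintext: a short pad would have to be reused and
// a long pad would silently waste randomness.
func Encrypt(plaintext, pad []byte, mode PadMode) ([]byte, error) {
	if len(pad) != len(plaintext) {
		return nil, errors.New("pad length must equal plaintext length")
	}
	out := make([]byte, len(plaintext))
	for i := range plaintext {
		switch mode {
		case ModeXOR:
			out[i] = plaintext[i] ^ pad[i]
		case ModeAdd:
			out[i] = plaintext[i] + pad[i] // byte arithmetic wraps modulo 256
		}
	}
	return out, nil
}

// Decrypt is the inverse: XOR is its own inverse, addition is undone by subtraction.
func Decrypt(ciphertext, pad []byte, mode PadMode) ([]byte, error) {
	if len(pad) != len(ciphertext) {
		return nil, errors.New("pad length must equal ciphertext length")
	}
	out := make([]byte, len(ciphertext))
	for i := range ciphertext {
		switch mode {
		case ModeXOR:
			out[i] = ciphertext[i] ^ pad[i]
		case ModeAdd:
			out[i] = ciphertext[i] - pad[i]
		}
	}
	return out, nil
}

func main() {
	msg := []byte("constructed sample plaintext") // constructed sample input
	pad, _ := NewPad(len(msg))
	ct, _ := Encrypt(msg, pad, ModeAdd)
	pt, _ := Decrypt(ct, pad, ModeAdd)
	fmt.Println("round trip ok:", string(pt) == string(msg))
}
```

The same pad generation serves both modes; only the combining operation differs, which is why the mode is a parameter rather than two separate code paths.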
- the two-way authentication of the new node and the target node directly uses the public and private keys of the blockchain network node accounts and requires no centralized third party to issue digital certificates, thereby avoiding the high complexity of digital certificate issuance and achieving secure access between nodes in the blockchain network.
- the target node uses a challenge-response exchange to prevent replay attacks, and the encryption key for the subsequent encrypted communication is generated by the new node and transmitted to the other party during the two-way authentication, which reduces the number of interactions and makes identity authentication more efficient.
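The endorsement half of the exchange just described (the permission check and signing at the trusted node in steps 331 to 333, and the verification and trusted-list update at the new node in steps 342 and 343), written as an added Go example; this is illustrative code, not the patent's implementation. It assumes ed25519 signatures, an account address derived as a truncated SHA-256 of the public key, a permission table keyed by that address with an "access" right, and an explicit expiry field inside the endorsement data (the page says only that endorsement data can expire and that the new node configures a validity period). The same address-to-permission lookup is what the target node performs on the new node's key in the FIG. 7 method. Delivery of the communication encryption symmetric key is left out of this example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"encoding/hex"
	"errors"
	"fmt"
	"time"
)

// Endorsement is the endorsement data: the endorsed public key, an expiry
// (an assumption; the page only says endorsement data can expire) and the
// trusted node's signature over both.
type Endorsement struct {
	TargetPub ed25519.PublicKey
	Expiry    int64 // Unix seconds
	Sig       []byte
}

// signedBytes fixes the byte layout that is signed so both sides agree on it.
func (e Endorsement) signedBytes() []byte {
	buf := make([]byte, 8)
	binary.BigEndian.PutUint64(buf, uint64(e.Expiry))
	return append(append([]byte("endorse-v1:"), e.TargetPub...), buf...)
}

// AccountAddress derives the address the permission table is keyed by;
// truncated SHA-256 of the public key is an assumption of this example.
func AccountAddress(pub ed25519.PublicKey) string {
	sum := sha256.Sum256(pub)
	return hex.EncodeToString(sum[:20])
}

// Permissions is the table preset by the network: account address -> rights.
type Permissions map[string]map[string]bool

// TrustedNode is the preset trusted node: its key pair plus the permission table.
type TrustedNode struct {
	Pub   ed25519.PublicKey
	priv  ed25519.PrivateKey
	Perms Permissions
}

func NewTrustedNode(perms Permissions) (*TrustedNode, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &TrustedNode{Pub: pub, priv: priv, Perms: perms}, nil
}

// Endorse is steps 331-333: check the target account's "access" right (the
// right's name is an assumption), refuse if absent, else sign key plus expiry.
func (t *TrustedNode) Endorse(targetPub ed25519.PublicKey, now time.Time, ttl time.Duration) (Endorsement, error) {
	if !t.Perms[AccountAddress(targetPub)]["access"] {
		return Endorsement{}, errors.New("target account lacks access permission: not endorsed")
	}
	e := Endorsement{TargetPub: targetPub, Expiry: now.Add(ttl).Unix()}
	e.Sig = ed25519.Sign(t.priv, e.signedBytes())
	return e, nil
}

// NewNode keeps its list of trusted peers: hex public key -> validity deadline.
type NewNode struct{ TrustedPeers map[string]int64 }

// AcceptEndorsement is steps 342-343: verify the trusted node's signature,
// reject an expired endorsement, then record the target with a validity period.
func (n *NewNode) AcceptEndorsement(trustedPub ed25519.PublicKey, e Endorsement, now time.Time) error {
	if !ed25519.Verify(trustedPub, e.signedBytes(), e.Sig) {
		return errors.New("endorsement signature invalid")
	}
	if now.Unix() >= e.Expiry {
		return errors.New("endorsement expired")
	}
	if n.TrustedPeers == nil {
		n.TrustedPeers = map[string]int64{}
	}
	n.TrustedPeers[hex.EncodeToString(e.TargetPub)] = e.Expiry
	return nil
}

// IsTrusted reports whether the peer is listed and still within its validity period.
func (n *NewNode) IsTrusted(pub ed25519.PublicKey, now time.Time) bool {
	exp, ok := n.TrustedPeers[hex.EncodeToString(pub)]
	return ok && now.Unix() < exp
}

func main() {
	targetPub, _, _ := ed25519.GenerateKey(rand.Reader) // constructed target node key
	trusted, _ := NewTrustedNode(Permissions{AccountAddress(targetPub): {"access": true}}) // constructed table
	now := time.Now()
	e, err := trusted.Endorse(targetPub, now, time.Hour)
	var nn NewNode
	fmt.Println("endorsed:", err == nil, "accepted:", nn.AcceptEndorsement(trusted.Pub, e, now) == nil, "trusted:", nn.IsTrusted(targetPub, now))
}
```

The expiry is bound into the signed bytes, so a relay cannot extend an endorsement's lifetime, and the new node's own validity period lapses independently of whether the trusted node is reachable later.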
- FIG. 4 is a block diagram of an apparatus 400 for securely accessing a blockchain, according to an exemplary embodiment of the second aspect of the present disclosure.
- the device is configured to a new node that is ready to access a target node in the blockchain network.
- the apparatus may include: a determining module 410, an endorsement obtaining module 420, a public key providing module 430, and a target identity authentication module 440.
- the determining module 410 may be configured to determine whether a trusted node preset in the blockchain network is required to endorse the target node.
- the endorsement obtaining module 420 may be configured to acquire, when the trusted node is required to endorse the target node, the endorsement data obtained by the trusted node using its own private key to sign the public key of the target node.
- the public key providing module 430 may be configured to provide the public key of the new node to the target node, where the public key of the new node is used to enable the target node to query, in the permissions preset by the blockchain network, the permission held by the account address corresponding to the public key of the new node, and to determine according to the queried permission whether the identity authentication of the new node is successful.
- the target identity authentication module 440 can be configured to perform signature verification on the endorsement data, and if the signature verification is passed, determine that the identity authentication of the target node is successful.
- a new node that is ready to access the blockchain network acquires the endorsement data obtained by the trusted node preset in the blockchain network using its own private key to sign the public key of the target node, and performs signature verification on the endorsement data. If the signature verification passes, it determines that the identity authentication of the target node is successful. The identity authentication directly uses the public and private keys of the blockchain network node accounts and requires no centralized third party to issue digital certificates, thereby avoiding the high complexity of digital certificate issuance and achieving secure access between nodes in the blockchain network.
- FIG. 5 is a block diagram of an apparatus 500 for securely accessing a blockchain, according to another exemplary embodiment of the second aspect of the present disclosure.
- the endorsement obtaining module 420 may include a first request sending submodule 421, which may be configured to send the IP address or domain name of the trusted node and an endorsement determination indication to the target node if the trusted node is required to endorse the target node.
- the first endorsement receiving sub-module 422 may be configured to receive endorsement data sent by the target node for the endorsement determination indication.
- the endorsement determination indication may be used to enable the target node to locally query, according to the IP address or domain name of the trusted node, the pre-stored endorsement data obtained by the trusted node using its own private key to sign the public key of the target node, and to send that endorsement data to the new node if it has not expired.
- the corresponding endorsement request may also be sent to the trusted node, the endorsement data obtained from the trusted node, and the endorsement data sent to the new node. Since this embodiment obtains the endorsement data locally at the target node, it is not necessary to obtain the endorsement data from the trusted node every time, which effectively reduces the burden on the trusted node.
- the endorsement determination indication may be used to enable the target node to issue a corresponding endorsement request directly to the trusted node, obtain the endorsement data from the trusted node, and send the endorsement data to the new node.
- FIG. 6 is a block diagram of an apparatus 600 for securely accessing a blockchain, according to yet another exemplary embodiment of the second aspect of the present disclosure.
- the endorsement obtaining module 420 may include a second request sending submodule 423, which may be configured to send an endorsement request to the trusted node if the trusted node is required to endorse the target node.
- the second endorsement receiving submodule 424 may be configured to receive the endorsement data returned by the trusted node in response to the endorsement request.
- the new node directly obtains the endorsement data from the trusted node, and the endorsement data does not pass through the target node, and the security is higher.
- the apparatus may further include: a communication encrypted data generating module 450, which may be configured to generate communication encrypted data.
- the communication encrypted data is used by the new node and the target node to perform encrypted communication with each other using the communication encrypted data after the identity authentication is passed.
- the communication encrypted data encryption module 451 can be configured to encrypt the communication encrypted data.
- the communication encrypted data transmitting module 452 may be configured to, when transmitting the endorsement determination indication to the target node, transmit the encrypted communication encrypted data together with the endorsement determination indication to the target node.
- the communication encrypted data may include: a communication encryption symmetric key, or a communication encryption random number.
- the apparatus may further include: a challenge code receiving module 460, configured to receive a random challenge code from the target node.
- the challenge code signature module 461 can be configured to sign the random challenge code using the new node's own private key.
- the challenge code sending module 462 can be configured to send the signed random challenge code to the target node.
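The challenge-response exchange described for modules 460 to 462 (and named earlier in the FIG. 3 flow as the target node's replay protection), as an added Go example that is not part of the patent: the target node issues a random challenge code, the new node signs it with its own private key, and the target node verifies the signature with the new node's public key. The 32-byte challenge length, the validity window and the single-use bookkeeping are assumptions of this example; consuming a challenge on its first verification attempt is what defeats replay of a captured response.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/hex"
	"errors"
	"fmt"
	"time"
)

// Challenger is the target node's side of the exchange: it issues random
// challenge codes and remembers which ones are outstanding so that each can
// be answered at most once.
type Challenger struct {
	pending map[string]time.Time // hex challenge -> time it was issued
	ttl     time.Duration        // how long a response is accepted (assumption)
}

func NewChallenger(ttl time.Duration) *Challenger {
	return &Challenger{pending: map[string]time.Time{}, ttl: ttl}
}

// Issue draws a fresh 32-byte random challenge code (length is an assumption)
// from the OS CSPRNG and records it as outstanding.
func (c *Challenger) Issue(now time.Time) ([]byte, error) {
	code := make([]byte, 32)
	if _, err := rand.Read(code); err != nil {
		return nil, err
	}
	c.pending[hex.EncodeToString(code)] = now
	return code, nil
}

// Verify checks that the response answers a challenge this node actually issued,
// consumes that challenge so a captured response cannot be replayed, enforces
// the validity window, and only then verifies the new node's signature.
func (c *Challenger) Verify(newNodePub ed25519.PublicKey, code, sig []byte, now time.Time) error {
	key := hex.EncodeToString(code)
	issued, ok := c.pending[key]
	if !ok {
		return errors.New("unknown or already-used challenge")
	}
	delete(c.pending, key) // single use, regardless of the outcome below
	if now.Sub(issued) > c.ttl {
		return errors.New("challenge response arrived too late")
	}
	if len(newNodePub) != ed25519.PublicKeySize || !ed25519.Verify(newNodePub, code, sig) {
		return errors.New("challenge signature invalid")
	}
	return nil
}

// Respond is the new node's side (modules 461 and 462): sign the challenge
// code with the new node's own private key and return the signature.
func Respond(newNodePriv ed25519.PrivateKey, code []byte) []byte {
	return ed25519.Sign(newNodePriv, code)
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader) // new node's key pair (constructed)
	c := NewChallenger(30 * time.Second)
	now := time.Now()
	code, _ := c.Issue(now)
	sig := Respond(priv, code)
	fmt.Println("first response:", c.Verify(pub, code, sig, now))
	fmt.Println("replayed response:", c.Verify(pub, code, sig, now))
}
```

Because the challenge is deleted before the signature is checked, a failed attempt also burns the challenge; the new node then has to request a fresh one, which keeps an attacker from using one outstanding challenge for repeated guesses.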
- FIG. 7 is a flowchart of a method for securely accessing a blockchain according to an exemplary embodiment of the third aspect of the present disclosure. The method is applied to a target node in a blockchain network. As shown in FIG. 7, the method may include:
- the target node acquires the public key of the new node in response to receiving an access or connection request issued by the new node.
- the target node may further receive the IP address or domain name of the trusted node and an endorsement determination indication sent by the new node, and, upon receiving the endorsement determination indication, locally query the pre-stored endorsement data corresponding to that IP address or domain name, where the endorsement data is obtained by the trusted node using its own private key to sign the public key of the target node; if the endorsement data has not expired, the target node sends the endorsement data to the new node.
- the IP address or domain name of the trusted node and the endorsement determination indication sent by the new node may be carried in the access or connection request sent by the new node, and the target node obtains the IP address or domain name of the trusted node and the endorsement determination indication from that request.
- the target node may further receive the IP address or domain name of the trusted node and an endorsement determination indication sent by the new node, and, upon receiving the endorsement determination indication, send an endorsement request to the trusted node corresponding to that IP address or domain name, where the endorsement request is used to enable the trusted node to acquire the public key of the target node and sign it with the trusted node's own private key to obtain the endorsement data; the target node obtains the endorsement data from the trusted node and sends it to the new node.
- step 720 the permission held by the account address corresponding to the public key of the new node is queried in the permissions preset by the blockchain network.
- step 730 it is determined whether the identity authentication of the new node is successful according to the queried permission.
- the target node queries, in the permissions preset by the blockchain network, the permission held by the account address corresponding to the public key of the new node, and determines according to the queried permission whether the identity authentication of the new node is successful. The identity authentication therefore directly uses the public and private keys of the blockchain network node accounts and requires no centralized third party to issue digital certificates, thereby avoiding the high complexity of digital certificate issuance and achieving secure access between nodes in the blockchain network.
- FIG. 8 is a block diagram of an apparatus 800 for securely accessing a blockchain, according to an exemplary embodiment of the fourth aspect of the present disclosure.
- the device is configured at a target node in a blockchain network.
- the apparatus may include: a new node public key obtaining module 810, a new node authority querying module 820, and a new node identity authentication module 830.
- the new node public key obtaining module 810 can be configured to acquire the public key of the new node in response to receiving an access or connection request issued by the new node.
- the new node permission query module 820 can be configured to query the license rights owned by the account address corresponding to the public key of the new node in the license rights preset by the blockchain network.
- the new node identity authentication module 830 can be configured to determine whether the identity authentication of the new node is successful according to the queried permission.
- FIG. 9 is a block diagram of an apparatus 900 for securely accessing a blockchain, according to another exemplary embodiment of the fourth aspect of the present disclosure.
- the apparatus may further include: an endorsement indication obtaining module 840, configured to receive an IP or domain name and an endorsement determination indication of the trusted node sent by the new node.
- the endorsement data query module 841 may be configured to, upon receipt of the endorsement determination indication, locally query the pre-stored endorsement data corresponding to the IP address or domain name, where the endorsement data is obtained by the trusted node using its own private key to sign the public key of the target node.
- the endorsement sending first module 842 can be configured to send the endorsement data to the new node if the endorsement data has not expired.
- FIG. 10 is a block diagram of an apparatus 1000 for securely accessing a blockchain, according to yet another exemplary embodiment of the fourth aspect of the present disclosure.
- the apparatus may further include: an endorsement indication obtaining module 1010, configured to receive an IP or domain name and an endorsement determination indication of the trusted node sent by the new node.
- the endorsement request sending module 1011 may be configured to issue an endorsement request to the trusted node corresponding to the IP address or domain name according to the received endorsement determination indication, where the endorsement request is used to enable the trusted node to acquire the public key of the target node and sign it with the trusted node's own private key to obtain the endorsement data.
- the endorsement data receiving module 1012 can be configured to obtain the endorsement data from the trusted node.
- the endorsement sending second module 1013 can be configured to send the endorsement data to the new node.
- the target node queries, in the permissions preset by the blockchain network, the permission held by the account address corresponding to the public key of the new node, and determines according to the queried permission whether the identity authentication of the new node is successful. The identity authentication therefore directly uses the public and private keys of the blockchain network node accounts and requires no centralized third party to issue digital certificates, thereby avoiding the high complexity of digital certificate issuance and achieving secure access between the nodes of the blockchain network.
- FIG. 11 is a flowchart of a method for securely accessing a blockchain according to an exemplary embodiment of the fifth aspect of the present disclosure.
- the method is applied to a trusted node preset in a blockchain network.
- the method may include:
- in response to a new node that is ready to access the target node in the blockchain network requiring the trusted node to endorse the target node, the trusted node acquires the public key of the target node.
- the trusted node may acquire the public key of the target node in response to receiving an endorsement request sent by the target node, where the target node issues the endorsement request according to the IP address or domain name of the trusted node and the endorsement determination indication sent by the new node.
- the trusted node may acquire the public key of the target node in response to receiving an endorsement request for the target node from the new node.
- step 1120 the public key of the target node is signed using the trusted node's own private key to obtain endorsement data.
- the trusted node may further query, in the permissions preset by the blockchain network, the permission held by the account address corresponding to the public key of the target node, and determine according to the queried permission whether to endorse the target node; if it determines to endorse the target node, it proceeds to the step of signing the public key of the target node with its own private key to obtain the endorsement data.
- step 1130 the endorsement data is provided to the new node, so that the new node performs signature verification on the endorsement data; if the signature verification passes, the new node determines that the identity authentication of the target node is successful.
- the endorsement data may be sent to the target node, and the endorsement data is sent to the new node via the target node.
- the endorsement data can be sent directly to the new node.
- since the trusted node uses its own private key to sign the public key of the target node to obtain the endorsement data and provides the endorsement data to the new node, the two-way authentication between the new node and the target node of the present disclosure directly uses the public and private keys of the blockchain network node accounts and requires no centralized third party to issue digital certificates, thereby avoiding the high complexity of digital certificate issuance and achieving secure access between the nodes of the blockchain network.
- FIG. 12 is a block diagram of an apparatus 1200 for securely accessing a blockchain, according to an exemplary embodiment of the sixth aspect of the present disclosure.
- the device is configured on a trusted node in a blockchain network.
- the apparatus may include: a target public key obtaining module 1210, a signature module 1220, and an endorsement providing module 1230.
- the target public key obtaining module 1210 may be configured to acquire the public key of the target node in response to a new node that is ready to access the target node in the blockchain network requiring the trusted node to endorse the target node.
- the signature module 1220 can be configured to use the trusted node's own private key to sign the public key of the target node to obtain endorsement data.
- the endorsement providing module 1230 may be configured to provide the endorsement data to the new node, so that the new node performs signature verification on the endorsement data; if the signature verification passes, the new node determines that the identity authentication of the target node is successful.
- the target public key obtaining module 1210 may be configured to acquire the public key of the target node in response to receiving an endorsement request sent by the target node, where the target node issues the endorsement request according to the IP address or domain name of the trusted node and the endorsement determination indication sent by the new node.
- the endorsement providing module 1230 may be configured to send the endorsement data to the target node, and the endorsement data is sent to the new node via the target node.
- the target public key obtaining module 1210 may be configured to acquire the public key of the target node in response to receiving an endorsement request to the target node from the new node.
- the endorsement providing module 1230 can be configured to send the endorsement data directly to the new node.
- FIG. 13 is a block diagram of an apparatus 1300 for securely accessing a blockchain, according to another exemplary embodiment of the sixth aspect of the present disclosure.
- the apparatus may further include a target authority querying module 1240, configured to query, in the permissions preset by the blockchain network, the permission held by the account address corresponding to the public key of the target node after the endorsement request sent by the target node is received.
- the endorsement determination module 1241 may be configured to determine whether to endorse the target node according to the queried permission.
- the signing module 1220 may be configured to execute the step of signing the public key of the target node with the trusted node's own private key to obtain the endorsement data if the endorsement determination module 1241 determines to endorse the target node.
- since the trusted node uses its own private key to sign the public key of the target node to obtain the endorsement data and provides the endorsement data to the new node, the two-way authentication between the new node and the target node of the present disclosure directly uses the public and private keys of the blockchain network node accounts and requires no centralized third party to issue digital certificates, thereby avoiding the high complexity of digital certificate issuance and achieving secure access between the nodes of the blockchain network.
- FIG. 14 is a block diagram of an electronic device 1400, according to an exemplary embodiment.
- the electronic device 1400 can include a processor 1401, a memory 1402, a multimedia component 1403, an input/output (I/O) interface 1404, and a communication component 1405.
- the processor 1401 is configured to control the overall operation of the electronic device 1400 to complete all or part of the steps of the method for securely accessing the blockchain.
- the memory 1402 is configured to store various types of data to support operation of the electronic device 1400, for example instructions for any application or method operating on the electronic device 1400 and application-related data such as contact data, sent and received messages, pictures, audio, video, and so on.
- the memory 1402 can be implemented by any type of volatile or non-volatile storage device or a combination thereof, such as static random access memory (SRAM), electrically erasable programmable read-only memory (EEPROM), erasable programmable read-only memory (EPROM), programmable read-only memory (PROM), read-only memory (ROM), magnetic memory, flash memory, magnetic disk or optical disk.
- the multimedia component 1403 can include a screen and an audio component.
- the screen may be, for example, a touch screen, and the audio component is used to output and/or input an audio signal.
- the audio component can include a microphone for receiving an external audio signal.
- the received audio signal may be further stored in memory 1402 or transmitted via communication component 1405.
- the audio component also includes at least one speaker for outputting an audio signal.
- the I/O interface 1404 provides an interface between the processor 1401 and other interface modules, such as a keyboard, a mouse, a button, and the like. These buttons can be virtual buttons or physical buttons.
- the communication component 1405 is used for wired or wireless communication between the electronic device 1400 and other devices. The wireless communication may be, for example, Wi-Fi, Bluetooth, Near Field Communication (NFC), 2G, 3G or 4G, or a combination of one or more of them, so the corresponding communication component 1405 may include a Wi-Fi module, a Bluetooth module and an NFC module.
- the electronic device 1400 may be implemented by one or more application specific integrated circuits (ASIC), digital signal processors (DSP), digital signal processing devices (DSPD), programmable logic devices (PLD), field programmable gate arrays (FPGA), controllers, microcontrollers, microprocessors or other electronic components for performing the above method of securely accessing a blockchain.
- a computer readable storage medium comprising program instructions is also provided, such as the memory 1402 comprising program instructions executable by the processor 1401 of the electronic device 1400 to perform the method for securely accessing a blockchain described above.
- the present disclosure also provides a system for securely accessing a blockchain.
- the system may include at least one new node implemented by the electronic device as described in the above embodiments, at least one target node implemented by the electronic device as described in the above embodiments, and at least one trusted node implemented by the electronic device as described in the above embodiments. The new node, the target node and the trusted node belong to the same blockchain network.
- the two-way authentication of the new node and the target node of the present disclosure directly uses the public and private keys of the blockchain network node accounts and requires no centralized third party to issue digital certificates, thereby avoiding the high complexity of digital certificate issuance and achieving secure access between nodes in the blockchain network.
Landscapes
- Engineering & Computer Science (AREA)
- Computer Security & Cryptography (AREA)
- Computer Networks & Wireless Communication (AREA)
- Signal Processing (AREA)
- Computer Hardware Design (AREA)
- Computing Systems (AREA)
- General Engineering & Computer Science (AREA)
- Financial Or Insurance-Related Operations Such As Payment And Settlement (AREA)
- Data Exchanges In Wide-Area Networks (AREA)
Description
The present disclosure relates to the field of computers, and in particular to a method, an apparatus, a storage medium and an electronic device for securely accessing a blockchain.
A blockchain is a technical scheme for collectively maintaining a reliable database in a decentralized manner. In a blockchain, nodes connect to one another over a P2P (peer-to-peer) network.
In current blockchain technology, when a node (for example a new node, which may be any kind of terminal, a blockchain light node, a blockchain full node, and so on) accesses a target node on the blockchain network, it does not verify the legitimacy of the target node, nor does the target node verify the legitimacy of that node. However, in some scenarios with high information security requirements, this kind of access may lead to the leakage of critical information. For example, when several organizations such as banks and enterprises participate in one blockchain to conduct business, different organizations on the same blockchain may obtain critical information that the other party does not want them to obtain. It is therefore imperative that nodes in a blockchain network complete mutual identity authentication when accessing each other. Traditional identity authentication is generally implemented by the two parties exchanging digital certificates issued by a third-party authority; this traditional approach is over-centralized and digital certificate issuance is highly complex, so it is not suited to a decentralized blockchain network.
Therefore, how to achieve secure mutual access between nodes in a blockchain network has become a vexing problem.
Summary of the invention
In view of this, the present disclosure provides a method, apparatus, system, storage medium and electronic device for securely accessing a blockchain, so as to achieve secure access within a blockchain network.
In order to achieve the above object, according to a first aspect of the embodiments of the present disclosure, a method for securely accessing a blockchain is provided, applied to a new node that is about to access a target node in a blockchain network. The method includes: determining whether a trusted node preset in the blockchain network is required to endorse the target node; when the trusted node is required to endorse the target node, acquiring the endorsement data obtained by the trusted node using its own private key to sign the public key of the target node; and providing the public key of the new node to the target node, where the public key of the new node is used to enable the target node to query, in the permissions preset by the blockchain network, the permission held by the account address corresponding to the public key of the new node and to determine according to the queried permission whether the identity authentication of the new node is successful; performing signature verification on the endorsement data; and, if the signature verification passes, determining that the identity authentication of the target node is successful.
According to a second aspect of the embodiments of the present disclosure, an apparatus for securely accessing a blockchain is provided, configured at a new node that is about to connect to or access a target node in a blockchain network. The apparatus includes: a determining module, configured to determine whether a trusted node preset in the blockchain network is required to endorse the target node; an endorsement obtaining module, configured to acquire, when the trusted node is required to endorse the target node, the endorsement data obtained by the trusted node using its own private key to sign the public key of the target node; a public key providing module, configured to provide the public key of the new node to the target node, where the public key of the new node is used to enable the target node to query, in the permissions preset by the blockchain network, the permission held by the account address corresponding to the public key of the new node and to determine according to the queried permission whether the identity authentication of the new node is successful; and a target identity authentication module, configured to perform signature verification on the endorsement data and, if the signature verification passes, determine that the identity authentication of the target node is successful.
According to a third aspect of the embodiments of the present disclosure, a method for securely accessing a blockchain is provided, applied to a target node in a blockchain network. The method includes: acquiring the public key of a new node in response to receiving an access or connection request issued by the new node; querying, in the permissions preset by the blockchain network, the permission held by the account address corresponding to the public key of the new node; and determining according to the queried permission whether the identity authentication of the new node is successful.
According to a fourth aspect of the embodiments of the present disclosure, an apparatus for securely accessing a blockchain is provided, configured at a target node in a blockchain network. The apparatus includes: a new node public key obtaining module, configured to acquire the public key of a new node in response to receiving an access or connection request issued by the new node; a new node permission querying module, configured to query, in the permissions preset by the blockchain network, the permission held by the account address corresponding to the public key of the new node; and a new node identity authentication module, configured to determine according to the queried permission whether the identity authentication of the new node is successful.
According to a fifth aspect of the embodiments of the present disclosure, a method for securely accessing a blockchain is provided, applied to a trusted node preset in a blockchain network. The method includes: in response to a new node that is about to access a target node in the blockchain network requiring the trusted node to endorse the target node, acquiring the public key of the target node; signing the public key of the target node with the trusted node's own private key to obtain endorsement data; and providing the endorsement data to the new node, so that the new node determines whether the identity authentication of the target node is successful by performing signature verification on the endorsement data.
According to a sixth aspect of the embodiments of the present disclosure, an apparatus for securely accessing a blockchain is provided, configured at a trusted node preset in a blockchain network. The apparatus includes: a target public key obtaining module, configured to acquire the public key of a target node in response to a new node that is about to access the target node in the blockchain network requiring the trusted node to endorse the target node; a signature module, configured to sign the public key of the target node with the trusted node's own private key to obtain endorsement data; and an endorsement providing module, configured to provide the endorsement data to the new node, so that the new node performs signature verification on the endorsement data and, if the signature verification passes, determines that the identity authentication of the target node is successful.
According to a seventh aspect of the embodiments of the present disclosure, there is provided a computer readable storage medium containing one or more programs, the one or more programs being used to perform the method of the first aspect of the embodiments of the present disclosure.
According to an eighth aspect of the embodiments of the present disclosure, there is provided an electronic device including: the computer readable storage medium of the seventh aspect of the embodiments of the present disclosure; and one or more processors for executing the programs in the computer readable storage medium.
According to a ninth aspect of the embodiments of the present disclosure, there is provided a computer readable storage medium containing one or more programs, the one or more programs being used to perform the method of the third aspect of the embodiments of the present disclosure.
According to a tenth aspect of the embodiments of the present disclosure, there is provided an electronic device including: the computer readable storage medium of the ninth aspect of the embodiments of the present disclosure; and one or more processors for executing the programs in the computer readable storage medium.
According to an eleventh aspect of the embodiments of the present disclosure, there is provided a computer readable storage medium containing one or more programs, the one or more programs being used to perform the method of the fifth aspect of the embodiments of the present disclosure.
According to a twelfth aspect of the embodiments of the present disclosure, there is provided an electronic device including: the computer readable storage medium of the eleventh aspect of the embodiments of the present disclosure; and one or more processors for executing the programs in the computer readable storage medium.
According to a thirteenth aspect of the embodiments of the present disclosure, there is provided a system for securely accessing a blockchain. The system includes: a new node implemented by the electronic device of the eighth aspect of the embodiments of the present disclosure; a target node implemented by the electronic device of the tenth aspect of the embodiments of the present disclosure; and a trusted node implemented by the electronic device of the twelfth aspect of the embodiments of the present disclosure; where the new node, the target node and the trusted node belong to the same blockchain network.
Through the above technical solution of the present disclosure, a new node preparing to access the blockchain network obtains endorsement data produced by a trusted node preset in the blockchain network signing the target node's public key with its own private key, and performs signature verification on the endorsement data; if the signature verification passes, identity authentication of the target node is determined to succeed. The target node, for its part, queries in the permissions preset in the blockchain network the permissions held by the account address corresponding to the new node's public key, and determines from the queried permissions whether identity authentication of the new node succeeds. The trusted node, in response to a new node preparing to access a target node in the blockchain network requiring it to endorse the target node, obtains the public key of the target node, signs the target node's public key with its own private key to obtain endorsement data, and provides the endorsement data to the new node. Thus the mutual authentication between the new node and the target node in the present disclosure directly uses the public and private keys of blockchain network node accounts, requires no centralized third party to issue digital certificates, avoids the high complexity that certificate issuance brings, and achieves secure access between blockchain network nodes.
It should be understood that the above general description and the following detailed description are merely exemplary and explanatory and do not limit the present disclosure.
FIG. 1 is a schematic structural diagram of a blockchain network according to an exemplary embodiment of the present disclosure.
FIG. 2 is a flowchart of a method for securely accessing a blockchain according to an exemplary embodiment of the first aspect of the present disclosure.
FIG. 3 is a signaling interaction diagram of a method for securely accessing a blockchain according to another exemplary embodiment of the first aspect of the present disclosure.
FIG. 4 is a block diagram of an apparatus for securely accessing a blockchain according to an exemplary embodiment of the second aspect of the present disclosure.
FIG. 5 is a block diagram of an apparatus for securely accessing a blockchain according to another exemplary embodiment of the second aspect of the present disclosure.
FIG. 6 is a block diagram of an apparatus for securely accessing a blockchain according to still another exemplary embodiment of the second aspect of the present disclosure.
FIG. 7 is a flowchart of a method for securely accessing a blockchain according to an exemplary embodiment of the third aspect of the present disclosure.
FIG. 8 is a block diagram of an apparatus for securely accessing a blockchain according to an exemplary embodiment of the fourth aspect of the present disclosure.
FIG. 9 is a block diagram of an apparatus for securely accessing a blockchain according to another exemplary embodiment of the fourth aspect of the present disclosure.
FIG. 10 is a block diagram of an apparatus for securely accessing a blockchain according to still another exemplary embodiment of the fourth aspect of the present disclosure.
FIG. 11 is a flowchart of a method for securely accessing a blockchain according to an exemplary embodiment of the fifth aspect of the present disclosure.
FIG. 12 is a block diagram of an apparatus for securely accessing a blockchain according to an exemplary embodiment of the sixth aspect of the present disclosure.
FIG. 13 is a block diagram of an apparatus for securely accessing a blockchain according to another exemplary embodiment of the sixth aspect of the present disclosure.
FIG. 14 is a block diagram of an electronic device according to an exemplary embodiment.
Detailed Description
Exemplary embodiments will be described in detail here, and examples of them are shown in the accompanying drawings. Where the following description refers to the drawings, the same numerals in different drawings denote the same or similar elements unless otherwise indicated. The implementations described in the following exemplary embodiments do not represent all implementations consistent with the present disclosure. Rather, they are merely examples of apparatuses and methods consistent with some aspects of the present disclosure as detailed in the appended claims.
Before introducing the method, apparatus, system, storage medium and electronic device for securely accessing a blockchain provided by the present disclosure, the blockchain network is first introduced briefly. The blockchain network shown in FIG. 1 is a P2P peer-to-peer network composed of a number of nodes. Each node in the blockchain network maintains a chain of blocks linked to one another by cryptographic methods. Nodes obtain the latest blocks from one another by broadcast, so that the blocks held by the nodes are kept synchronized. Each node has an account that describes its identity, and this account consists of a public/private key pair. The hash of the public key is the address of the "account". The private key is kept by the account owner and must not be disclosed.
To make the disclosed technical solution easier to understand, the possible blockchain network structures involved in the embodiments of the present disclosure are introduced next. For example, FIG. 1 is a schematic diagram of a blockchain network structure according to an exemplary embodiment. As shown in FIG. 1, the blockchain network may include a new node 110, a target node 120, a trusted node 130, a management node 140 and participating nodes 150, where:
The new node 110 may include, but is not limited to, various terminals, blockchain light nodes, blockchain full nodes and so on. It needs to create its own blockchain account, but it need not have synchronized any block data of the target blockchain network.
The target node 120 may include, but is not limited to, various terminals. It may be any node in the blockchain network and synchronizes the block data of the blockchain network.
The trusted node 130 may include, but is not limited to, various terminals. It is a default trusted node preset into the blockchain network by the management node 140, and there may be several of them.
The management node 140 may include, but is not limited to, various terminals. It is the management node of the blockchain network and can configure the permissions of other blockchain node accounts.
The participating nodes 150 may include, but are not limited to, various terminals. They are any nodes in the blockchain network other than the default trusted nodes, and their number is not limited.
In the blockchain network, each node can create its own blockchain node account by running the blockchain program on its node server. The management node 140 can configure the permissions of each node, for example connection permission, through a node control platform; the permission configuration is sent to the blockchain network as a transaction, written into the blockchain after verification by the blockchain network nodes, and finally synchronized over the P2P network to all nodes in the blockchain network.
FIG. 2 is a flowchart of a method for securely accessing a blockchain according to an exemplary embodiment of the first aspect of the present disclosure. The method is applied to a new node that is preparing to access a target node in a blockchain network. As shown in FIG. 2, the method may include:
In step 210, the new node determines whether a trusted node preset in the blockchain network is required to endorse the target node.
Endorsement, in the present disclosure, refers to the process in which a node signs, with its own blockchain account private key, the data that needs endorsing (such as a public key or communication encryption data) of a blockchain node that needs to be endorsed.
It can be understood that in the present disclosure it is the untrusted target node that needs to be endorsed. A target node that is preset as a trusted node, or that has been endorsed and whose endorsement has not expired, can be regarded by the new node as trusted and needs no endorsement, whereas a target node that is not preset as a trusted node, or that has not been endorsed, or whose endorsement has expired, is an untrusted node and needs endorsement.
In the present disclosure the trusted node from which the new node requires endorsement can be preset by the new node after the new node has created its own node account. The node information of a preset trusted node may include its IP address or domain name and the account public key of the trusted node. For example, the way the new node presets default trusted nodes may include: the client through which the new node accesses the blockchain has the default trusted node information built in, or the client through which the new node accesses the blockchain prompts the user to enter the default trusted node information. If the new node has no information about other nodes in the chain locally, it can also obtain information about other nodes from a trusted node and refresh its local list of trusted node information, for example by adding or removing trusted nodes and refreshing the validity periods of trusted nodes.
After completing the above presets, the new node can send a connection request to the target node. To prevent replay attacks, after the new node has sent the connection request to the target node, the new node may also receive a random challenge code from the target node, sign the random challenge code with its own private key, and send the signed random challenge code to the target node.
In step 220, when the trusted node is required to endorse the target node, the new node obtains the endorsement data produced by the trusted node signing the target node's public key with its own private key.
In one possible implementation, the new node sends the IP address or domain name of the trusted node together with an endorsement-required indication to the target node. The list of trusted nodes and their validity periods can be updated and maintained locally on the new node.
For example, the endorsement-required indication may be used to cause the target node to look up locally, according to the IP address or domain name of the trusted node, previously stored endorsement data produced by that trusted node signing the target node's public key with its own private key, and, if the endorsement data has not expired, to send the endorsement data to the new node. If no unexpired endorsement data exists locally on the target node, the target node can send a corresponding endorsement request to the trusted node, obtain endorsement data from the trusted node, and send the endorsement data to the new node. Because this implementation obtains the endorsement data from the target node's local store, it is not necessary to obtain endorsement data from the trusted node every time, which effectively reduces the load on the trusted node.
As another example, the endorsement-required indication may be used to cause the target node to send a corresponding endorsement request to the trusted node, obtain endorsement data from the trusted node, and send the endorsement data to the new node. The new node receives the endorsement data sent by the target node in response to the endorsement-required indication. A random challenge code can also be used to prevent replay attacks during the interaction between the target node and the trusted node. In addition, to ensure the security of the endorsement data, after receiving the target node's endorsement request the trusted node can query, in the permissions preset in the blockchain network, the permissions held by the account address corresponding to the target node's public key, determine from the queried permissions whether to endorse the target node, and only once it has decided to endorse the target node sign the target node's public key and communication encryption data with its own private key to obtain the endorsement data.
Optionally, the new node may send the endorsement-required indication to the target node together with the signed random challenge code. To reduce the number of round trips and improve authentication efficiency, the communication encryption data generated by the new node can likewise be sent to the target node together with the endorsement-required indication. The communication encryption data is used by the new node and the target node to communicate with each other in encrypted form after identity authentication has passed. For example, the communication encryption data may include a communication encryption symmetric key, or a communication encryption random number. The new node encrypts the communication encryption data. For example, in one possible implementation, after receiving the new node's connection request the target node may send a random challenge code and its own public key to the new node. The new node can then encrypt the communication encryption data with the target node's public key and send the encrypted communication encryption data, the endorsement-required indication and the signed random challenge code to the target node together. In this implementation the communication encryption data used for encrypted communication is generated by the new node's client and handed to the other party during the mutual authentication process, which reduces the number of round trips and improves authentication efficiency.
In another possible implementation, when the trusted node is required to endorse the target node, the new node may send an endorsement request to the trusted node and receive the endorsement data that the trusted node returns in response to the endorsement request. In this implementation the new node obtains the endorsement data directly from the trusted node; the endorsement data does not pass through the target node, so security is higher.
In step 230, the public key of the new node is provided to the target node.
The public key of the new node is used so that the target node can query, in the permissions preset in the blockchain network, the permissions held by the account address corresponding to the new node's public key, and determine from the queried permissions whether identity authentication of the new node succeeds. For example, here, in response to the new node's access or connection request, the target node checks the connection permission of the new node's account on the current blockchain, that is, checks whether the new node's account holds the corresponding connection permission in the current blockchain network; if it does, identity authentication of the new node is determined to succeed.
In step 240, signature verification is performed on the endorsement data.
In step 250, if the signature verification passes, identity authentication of the target node is determined to succeed.
In addition, if the signature verification fails, identity authentication can be determined to have failed.
Once identity authentication of both the new node and the target node has succeeded, the two can communicate.
It can be seen that, through the above technical solution of the present disclosure, a new node preparing to access the blockchain network obtains endorsement data produced by a trusted node preset in the blockchain network signing the target node's public key with its own private key and performs signature verification on the endorsement data; if the signature verification passes, identity authentication of the target node is determined to succeed. Identity authentication directly uses the public and private keys of blockchain network node accounts, requires no centralized third party to issue digital certificates, avoids the high complexity that certificate issuance brings, and achieves secure access between blockchain network nodes.
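The following Go program is an added illustration, not code from the patent, of the mutual authentication in steps 210 to 250 together with the trusted node's own permission check before endorsing (as described for step 220 above): Ed25519 node accounts whose address is the SHA-256 of the public key, a constructed in-memory ledger of permissions with a hypothetical PermAccess bit, a random challenge code that must be signed before any permission lookup, and an endorsement that the new node verifies only against its preset trusted-node key. The three parties are simulated by direct function calls; the transport, the encryption of the communication symmetric key, endorsement caching, and recovering the public key from the signature are left out, and the public key is passed explicitly instead.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
)

// PermAccess is a hypothetical "connection permission" bit in an account's permission value.
const PermAccess = 1
// Ledger is a constructed stand-in for the on-chain permission configuration written by the
// management node (account address -> permission bits); every node holds the same view.
type Ledger map[string]int
// AccountAddress derives the account address as the hex SHA-256 of the public key.
func AccountAddress(pub ed25519.PublicKey) string {
	h := sha256.Sum256(pub)
	return hex.EncodeToString(h[:])
}

// Node is a blockchain node account (key pair) plus its ledger view and, for a new node,
// the preset trusted-node public keys keyed by account address.
type Node struct {
	Pub     ed25519.PublicKey
	priv    ed25519.PrivateKey
	ledger  Ledger
	trusted map[string]ed25519.PublicKey
}

func NewNode(ledger Ledger) *Node {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return &Node{Pub: pub, priv: priv, ledger: ledger, trusted: map[string]ed25519.PublicKey{}}
}
// AddTrusted presets a trusted node's public key (normally built into the client).
func (n *Node) AddTrusted(pub ed25519.PublicKey) { n.trusted[AccountAddress(pub)] = pub }
// NewChallenge returns a fresh random challenge code so a captured signature cannot be replayed.
func NewChallenge() []byte {
	c := make([]byte, 32)
	if _, err := rand.Read(c); err != nil {
		panic(err)
	}
	return c
}

// AuthenticateRequester verifies the signed challenge, then checks that the requester's
// account address holds the connection permission in the ledger (steps 320-322, 330-332).
func (n *Node) AuthenticateRequester(pub ed25519.PublicKey, challenge, sig []byte) error {
	if !ed25519.Verify(pub, challenge, sig) {
		return errors.New("challenge signature invalid")
	}
	if n.ledger[AccountAddress(pub)]&PermAccess == 0 {
		return errors.New("account lacks connection permission")
	}
	return nil
}

// Endorse is the trusted node's side (steps 325-333): challenge the target, check its
// permission, and only then sign its public key; the signature is the endorsement data.
func (t *Node) Endorse(target *Node) ([]byte, error) {
	c := NewChallenge()
	if err := t.AuthenticateRequester(target.Pub, c, ed25519.Sign(target.priv, c)); err != nil {
		return nil, fmt.Errorf("endorsement refused: %w", err)
	}
	return ed25519.Sign(t.priv, target.Pub), nil
}

// MutualAuth runs steps 210-250 from the new node's point of view; trusted is the trusted
// node the new node names in its endorsement-required indication.
func MutualAuth(newNode, target, trusted *Node) error {
	// Step 210: a target that is itself a preset trusted node needs no endorsement.
	_, targetIsTrusted := newNode.trusted[AccountAddress(target.Pub)]
	c := NewChallenge() // sent by the target in reply to the connection request
	sig := ed25519.Sign(newNode.priv, c)
	// Step 230 (target side): verify the challenge, then look up the new node's permission.
	if err := target.AuthenticateRequester(newNode.Pub, c, sig); err != nil {
		return fmt.Errorf("target rejected new node: %w", err)
	}
	if targetIsTrusted {
		return nil
	}
	// Step 220: the target relays the endorsement request and returns the endorsement data.
	endorsement, err := trusted.Endorse(target)
	if err != nil {
		return err
	}
	// Steps 240-250: verify against the PRESET trusted key, never a key supplied by the peer.
	tp, ok := newNode.trusted[AccountAddress(trusted.Pub)]
	if !ok {
		return errors.New("endorser is not a preset trusted node")
	}
	if !ed25519.Verify(tp, target.Pub, endorsement) {
		return errors.New("endorsement signature invalid")
	}
	return nil
}
```

Note that revoking the target's permission in the ledger makes the trusted node refuse future endorsements, while a target that is itself preset as trusted is accepted on the strength of the challenge signature alone.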
To make the technical solution of the present disclosure easier to understand, it is described in detail below with reference to the signaling interaction diagram of the following possible implementation.
FIG. 3 is a signaling interaction diagram of a method for securely accessing a blockchain according to another exemplary embodiment of the first aspect of the present disclosure. It should be noted that, before the new node and the target node authenticate each other, the new node may first create a node account and preset the trusted node public keys. If the new node has no information about nodes in the chain locally, it can obtain information about nodes in the chain from a trusted node and refresh its list of trusted node information. The trusted node presets the trusted node information in the blockchain network and adds the new node's account to the blockchain. It can be understood that these preset operations only need to be completed in advance and need not be performed before every authentication.
In step 310, the new node sends a connection request to the target node.
In step 311, the new node receives a random challenge code and the target node's public key from the target node.
In step 312, the new node signs the random challenge code with its own private key.
In step 313, the new node generates a communication encryption symmetric key and encrypts the communication encryption symmetric key with the target node's public key.
In another possible implementation, to strengthen security, a communication encryption random number can be used instead of the encryption symmetric key.
In step 314, the new node determines whether the target node is trusted, that is, whether a trusted node preset in the blockchain network is required to endorse the target node.
In step 315, if the new node determines that the target node is trusted, it sends the signed random challenge code, the encrypted communication encryption symmetric key and an endorsement-not-required indication together, carried in an access or connection request, to the target node.
In step 316, if the new node determines that the target node is not trusted, that is, when the trusted node is required to endorse the target node, it sends the IP address or domain name of the trusted node, the signed random challenge code, the encrypted communication encryption symmetric key and an endorsement-required indication together, carried in an access or connection request, to the target node.
In step 320, in response to receiving the access or connection request, the target node performs signature verification on the random challenge code carried in it and obtains the new node's public key from the signature.
In step 321, the target node queries, in the permissions preset in the blockchain network, the permissions held by the account address corresponding to the new node's public key.
In step 322, the target node determines from the queried permissions whether identity authentication of the new node succeeds.
It can be understood that the permissions held by the account address corresponding to the new node's public key may be of several kinds; here, in response to the new node's access or connection request, the target node checks the connection permission of the new node's account on the current blockchain, that is, checks whether the new node's account holds the corresponding connection permission in the current blockchain network.
In step 323, having determined that identity authentication of the new node succeeded, the target node determines whether it received an endorsement-required indication or an endorsement-not-required indication.
In step 324, if the target node determines that it received an endorsement-required indication, it sends an endorsement request carrying the communication encryption symmetric key to the corresponding trusted node, according to the IP address or domain name of the trusted node carried in the access or connection request.
In another possible implementation, to reduce the load on the trusted node, the target node can locally maintain the endorsements that trusted nodes have given it, including management of the endorsements' validity periods. Within an endorsement's validity period the target node need not ask the trusted node for endorsement again, which reduces the load on the trusted node. Specifically, the target node can look up locally, according to the trusted node's IP address or domain name, previously stored endorsement data produced by that trusted node signing the target node's public key with its own private key, and, if the endorsement data has not expired, send the endorsement data to the new node. It can be understood that if no unexpired endorsement from that trusted node exists locally, the endorsement data can be obtained by sending an endorsement request to the trusted node.
It can be understood that if the target node determines that it received an endorsement-not-required indication, this means the new node has judged the target node to be trusted. The target node can then decrypt the communication encryption symmetric key with its own private key, sign the decrypted communication encryption symmetric key with its own private key, and send the signed communication encryption symmetric key to the new node. The new node performs signature verification on the received communication encryption symmetric key, and once verification passes the new node and the target node can communicate with each other.
In step 325, the target node receives a random challenge code from the trusted node.
In step 326, the target node signs the random challenge code with its own private key.
In step 327, the target node sends the signed random challenge code to the trusted node.
In step 330, the trusted node verifies the signature on the received random challenge code and, once verification passes, obtains the target node's public key.
In step 331, the trusted node looks up, among the permissions preset in the blockchain network, the permissions held by the account address corresponding to the target node's public key.
In step 332, the trusted node determines from the permissions found whether to endorse the target node.
It will be understood that the account address corresponding to the target node's public key may hold several kinds of permission. For the target node's endorsement request, the trusted node checks the target node account's access permission on the current blockchain, that is, whether the target node's account holds the corresponding access permission in the current blockchain network. If the check passes, the trusted node may endorse the target node; if it fails, no endorsement is given.
In step 333, if the trusted node decides to endorse the target node, it signs the target node's public key together with the communication encryption symmetric key using its own private key, obtaining the endorsement data.
In step 334, the trusted node sends the endorsement data to the target node.
In step 340, the target node decrypts the communication encryption symmetric key with its own private key and signs the key with its own private key.
In step 341, the target node sends the signed communication encryption symmetric key and the endorsement data to the new node. In other words, the trusted node provides the endorsement data to the new node by way of the target node.
In step 342, the new node determines whether identity authentication of the target node succeeded by verifying the signature on the received endorsement data.
It will be understood that if signature verification passes, identity authentication succeeds; if it fails, identity authentication fails.
In step 343, the new node verifies the signature on the signed communication encryption symmetric key and obtains the target node's public key. If the signature verifies, the new node determines that identity authentication of the target node succeeded, adds the target node's public key to its list of trusted nodes, and configures a validity period for it. Thereafter, the new node and the target node can communicate with each other.
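The exchange in steps 325 through 342 (random challenge, signed response, permission lookup, endorsement signature, endorsement verification) together with the target node's local endorsement cache and its expiry check, as an added Go example that is not code from the patent or from any implementation it describes. It assumes Ed25519 account keys, an account address equal to the hex SHA-256 of the public key, a bitmask permission table keyed by address, and an endorsement message encoded as public key, optional session key and big-endian Unix expiry; the patent fixes none of these. Because Ed25519 has no key recovery from a signature, the target node's public key is assumed to travel alongside the signed challenge rather than being derived from it. The same permission lookup is the one the target node applies to the new node in steps 720 and 730.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"encoding/hex"
	"errors"
	"fmt"
	"time"
)

// PermAccess is the access/join bit in the network's preset permission table (assumed layout).
const PermAccess = 1 << 0

// Node is a blockchain account: an Ed25519 key pair (assumed algorithm).
type Node struct {
	Pub  ed25519.PublicKey
	Priv ed25519.PrivateKey
}

func NewNode() Node {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return Node{Pub: pub, Priv: priv}
}

// Address derives the account address from a public key (assumed: hex SHA-256 of the key).
func Address(pub ed25519.PublicKey) string {
	h := sha256.Sum256(pub)
	return hex.EncodeToString(h[:])
}

// Endorsement is the trusted node's signature over the target's public key, the session
// key (nil for a cached, session-independent endorsement) and an expiry in Unix seconds.
type Endorsement struct {
	TargetPub ed25519.PublicKey
	Key       []byte
	Expiry    int64
	Sig       []byte
}

func endorsementMessage(pub ed25519.PublicKey, key []byte, expiry int64) []byte {
	var b bytes.Buffer
	b.Write(pub)
	b.Write(key)
	binary.Write(&b, binary.BigEndian, expiry)
	return b.Bytes()
}

// NewChallenge is the trusted node's fresh random challenge code (step 325).
func NewChallenge() []byte {
	c := make([]byte, 32)
	if _, err := rand.Read(c); err != nil {
		panic(err)
	}
	return c
}

// SignChallenge is the target node's response to the challenge (step 326).
func (n Node) SignChallenge(challenge []byte) []byte { return ed25519.Sign(n.Priv, challenge) }

// Endorse runs steps 330 to 333 on the trusted node: verify the signed challenge, check the
// access permission of the target's account, and only then sign the endorsement.
func (t Node) Endorse(perms map[string]int, targetPub ed25519.PublicKey, challenge, sig, key []byte,
	ttl time.Duration, now time.Time) (*Endorsement, error) {
	if !ed25519.Verify(targetPub, challenge, sig) {
		return nil, errors.New("challenge signature invalid")
	}
	if perms[Address(targetPub)]&PermAccess == 0 {
		return nil, errors.New("target account lacks access permission: no endorsement")
	}
	exp := now.Add(ttl).Unix()
	sig = ed25519.Sign(t.Priv, endorsementMessage(targetPub, key, exp))
	return &Endorsement{TargetPub: targetPub, Key: key, Expiry: exp, Sig: sig}, nil
}

// VerifyEndorsement is step 342 on the new node, using the preset trusted node's public key.
func VerifyEndorsement(trustedPub ed25519.PublicKey, e *Endorsement, now time.Time) bool {
	if e == nil || now.Unix() >= e.Expiry {
		return false
	}
	return ed25519.Verify(trustedPub, endorsementMessage(e.TargetPub, e.Key, e.Expiry), e.Sig)
}

// EndorsementCache is the target node's local store, keyed by the trusted node's IP or
// domain name; Lookup applies the expiry check the local-cache variant requires.
type EndorsementCache map[string]*Endorsement

func (c EndorsementCache) Lookup(trustedAddr string, now time.Time) (*Endorsement, bool) {
	e, ok := c[trustedAddr]
	if !ok || now.Unix() >= e.Expiry {
		return nil, false
	}
	return e, true
}

func main() {
	trusted, target := NewNode(), NewNode()
	perms := map[string]int{Address(target.Pub): PermAccess} // constructed permission table
	ch := NewChallenge()
	e, err := trusted.Endorse(perms, target.Pub, ch, target.SignChallenge(ch), nil, time.Hour, time.Now())
	if err != nil {
		panic(err)
	}
	cached, ok := EndorsementCache{"trusted.example": e}.Lookup("trusted.example", time.Now())
	fmt.Println("cached:", ok, "verifies:", VerifyEndorsement(trusted.Pub, cached, time.Now()))
}
```

The expiry is signed along with the key material, so a node cannot extend a cached endorsement by editing its local copy, and the trusted node refuses to sign at all when the account lacks the access permission, which keeps the permission table, not the signature, as the point of control.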
Where a communication encryption random number is used in place of the communication encryption symmetric key, the new node and the target node must derive the encryption key from the communication encryption random number before communicating, and use that key for encrypted communication. The communication encryption random number may be a sequence of truly random bytes generated by the new node, of the same length in bytes as the plaintext. The encryption key is then generated by adding or XORing the random bytes with the plaintext one to one in order. Decryption is the inverse of the encryption operation.
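Steps 340 and 343 (the target node unwraps the symmetric key with its own private key and signs it, the new node verifies and records the target in its trusted list with a validity period) and the random-number variant just described, as an added Go example that is not code from the patent. It assumes each node holds one RSA-2048 key pair used for both OAEP decryption and PSS signing, so that "its own private key" serves both purposes as the text says; the OAEP label and the choice to sign SHA-256 of the key, returning only the signature rather than re-sending the key the new node already holds, are this example's design choices. For the random-number variant only the XOR form is implemented, with the length check that the scheme depends on.

```go
package main

import (
	"bytes"
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
	"time"
)

// oaepLabel binds the wrapped key to its purpose (assumed label, not from the patent).
var oaepLabel = []byte("blockchain-comm-key")

// NewRSANode generates a node key pair (assumed: RSA-2048 for both unwrapping and signing).
func NewRSANode() *rsa.PrivateKey {
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		panic(err)
	}
	return priv
}

// WrapSessionKey is the new node's side: generate the symmetric key and encrypt it to the target.
func WrapSessionKey(targetPub *rsa.PublicKey) (key, wrapped []byte, err error) {
	key = make([]byte, 32)
	if _, err = rand.Read(key); err != nil {
		return nil, nil, err
	}
	wrapped, err = rsa.EncryptOAEP(sha256.New(), rand.Reader, targetPub, key, oaepLabel)
	return key, wrapped, err
}

// UnwrapAndSign is step 340 on the target node. The signature covers SHA-256(key); the key
// itself is not re-sent, because the new node already holds it.
func UnwrapAndSign(targetPriv *rsa.PrivateKey, wrapped []byte) (key, sig []byte, err error) {
	key, err = rsa.DecryptOAEP(sha256.New(), rand.Reader, targetPriv, wrapped, oaepLabel)
	if err != nil {
		return nil, nil, err
	}
	digest := sha256.Sum256(key)
	sig, err = rsa.SignPSS(rand.Reader, targetPriv, crypto.SHA256, digest[:], nil)
	return key, sig, err
}

// TrustedList is the new node's trusted-node list with a validity period per entry (step 343).
type TrustedEntry struct {
	Pub    *rsa.PublicKey
	Expiry time.Time
}
type TrustedList map[string]TrustedEntry

// Admit verifies the target's signature against the key the new node generated and, on
// success, records the target's public key with its validity period.
func (tl TrustedList) Admit(name string, pub *rsa.PublicKey, key, sig []byte, ttl time.Duration, now time.Time) error {
	digest := sha256.Sum256(key)
	if err := rsa.VerifyPSS(pub, crypto.SHA256, digest[:], sig, nil); err != nil {
		return fmt.Errorf("target identity authentication failed: %w", err)
	}
	tl[name] = TrustedEntry{Pub: pub, Expiry: now.Add(ttl)}
	return nil
}

func (tl TrustedList) IsTrusted(name string, now time.Time) bool {
	e, ok := tl[name]
	return ok && now.Before(e.Expiry)
}

// XorPad is the random-number variant: a pad as long as the plaintext, XORed byte by byte.
// Applying it a second time recovers the plaintext; a pad must be used for one message only.
func XorPad(pad, data []byte) ([]byte, error) {
	if len(pad) != len(data) {
		return nil, errors.New("pad length must equal plaintext length")
	}
	out := make([]byte, len(data))
	for i := range data {
		out[i] = pad[i] ^ data[i]
	}
	return out, nil
}

func main() {
	target := NewRSANode()
	key, wrapped, err := WrapSessionKey(&target.PublicKey)
	if err != nil {
		panic(err)
	}
	got, sig, err := UnwrapAndSign(target, wrapped)
	if err != nil {
		panic(err)
	}
	tl := TrustedList{}
	if err := tl.Admit("target", &target.PublicKey, key, sig, time.Hour, time.Now()); err != nil {
		panic(err)
	}
	fmt.Println("key round-trip:", bytes.Equal(key, got), "trusted:", tl.IsTrusted("target", time.Now()))
}
```

A verifier that checks the signature against its own copy of the key learns two things at once: that the target could decrypt the wrapped key (so it holds the private key matching the public key it claims) and that no one altered the key in transit.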
It can be seen that, with the above technical solution of the present disclosure, mutual authentication between the new node and the target node directly uses the public and private keys of the blockchain network node accounts; no centralized third party needs to take part through digital certificates, the high complexity of certificate issuance is avoided, and secure access between blockchain network nodes is achieved. Moreover, the target node uses a challenge-response exchange to guard against replay attacks, and the encryption key for subsequent encrypted communication is generated by the new node client and passed to the peer during mutual authentication, which reduces the number of interactions and makes identity authentication more efficient.
FIG. 4 is a block diagram of an apparatus 400 for securely accessing a blockchain according to an exemplary embodiment of the second aspect of the present disclosure. The apparatus is deployed on a new node preparing to access a target node in the blockchain network. As shown in FIG. 4, the apparatus may include a determining module 410, an endorsement obtaining module 420, a public key providing module 430, and a target identity authentication module 440.
The determining module 410 may be configured to determine whether a trusted node preset in the blockchain network is required to endorse the target node.
The endorsement obtaining module 420 may be configured to, when the trusted node is required to endorse the target node, obtain the endorsement data produced by the trusted node signing the target node's public key with its own private key.
The public key providing module 430 may be configured to provide the new node's public key to the target node, where the new node's public key is used so that the target node looks up, among the permissions preset in the blockchain network, the permissions held by the account address corresponding to the new node's public key, and determines from the permissions found whether identity authentication of the new node succeeds.
The target identity authentication module 440 may be configured to verify the signature on the endorsement data and, if verification passes, determine that identity authentication of the target node succeeded.
It can be seen that, with the above technical solution of the present disclosure, a new node preparing to access the blockchain network obtains the endorsement data produced by a trusted node preset in the blockchain network signing the target node's public key with its own private key, and verifies the signature on that endorsement data; if verification passes, it determines that identity authentication of the target node succeeded. Identity authentication thus directly uses the public and private keys of the blockchain network node accounts, no centralized third party needs to take part through digital certificates, the high complexity of certificate issuance is avoided, and secure access between blockchain network nodes is achieved.
FIG. 5 is a block diagram of an apparatus 500 for securely accessing a blockchain according to another exemplary embodiment of the second aspect of the present disclosure. As shown in FIG. 5, in this apparatus the endorsement obtaining module 420 may include: a first request sending submodule 421, which may be configured to, when the trusted node is required to endorse the target node, send the trusted node's IP address or domain name and an endorsement confirmation indication to the target node; and a first endorsement receiving submodule 422, which may be configured to receive the endorsement data sent by the target node in response to the endorsement confirmation indication.
In one possible implementation, the endorsement confirmation indication may be used to cause the target node to look up locally, by the trusted node's IP address or domain name, the previously stored endorsement data that the trusted node produced by signing the target node's public key with its own private key, and, if that endorsement data has not expired, send it to the new node. In this implementation, if no unexpired endorsement data exists locally on the target node, the target node may send a corresponding endorsement request to the trusted node, obtain the endorsement data from the trusted node, and send it to the new node. Because this implementation takes the endorsement data from the target node's local store, the endorsement data need not be fetched from the trusted node every time, which effectively reduces the trusted node's burden.
In another possible implementation, the endorsement confirmation indication may be used to cause the target node to send a corresponding endorsement request directly to the trusted node, obtain the endorsement data from the trusted node, and send it to the new node.
FIG. 6 is a block diagram of an apparatus 600 for securely accessing a blockchain according to yet another exemplary embodiment of the second aspect of the present disclosure. As shown in FIG. 6, in this apparatus the endorsement obtaining module 420 may include: a second request sending submodule 423, which may be configured to, when the trusted node is required to endorse the target node, send an endorsement request to the trusted node; and a second endorsement receiving submodule 424, which may be configured to receive the endorsement data returned by the trusted node in response to the endorsement request.
In this implementation, the new node obtains the endorsement data directly from the trusted node; the endorsement data does not pass through the target node, which gives higher security.
In one possible implementation, as shown in FIG. 5 and FIG. 6, the apparatus may further include: a communication encryption data generating module 450, which may be configured to generate communication encryption data, where the communication encryption data is used by the new node and the target node to communicate with each other in encrypted form after identity authentication passes; a communication encryption data encrypting module 451, which may be configured to encrypt the communication encryption data; and a communication encryption data sending module 452, which may be configured to, when sending the endorsement confirmation indication to the target node, send the encrypted communication encryption data to the target node together with the endorsement confirmation indication. The communication encryption data may include a communication encryption symmetric key or a communication encryption random number.
This implementation reduces the number of interactions between the new node and the target node and improves authentication efficiency.
In yet another possible implementation, as shown in FIG. 5 and FIG. 6, the apparatus may further include: a challenge code receiving module 460, which may be configured to receive a random challenge code from the target node; a challenge code signing module 461, which may be configured to sign the random challenge code with the new node's own private key; and a challenge code sending module 462, which may be configured to send the signed random challenge code to the target node.
This implementation prevents replay attacks and improves the security of interaction between nodes.
FIG. 7 is a flowchart of a method for securely accessing a blockchain according to an exemplary embodiment of the third aspect of the present disclosure. The method is applied at a target node in a blockchain network. As shown in FIG. 7, the method may include:
In step 710, in response to receiving an access or join request sent by a new node, the target node obtains the new node's public key.
In one possible implementation, the target node may further receive the trusted node's IP address or domain name and an endorsement confirmation indication sent by the new node, and, in response to the endorsement confirmation indication, look up locally the previously stored endorsement data corresponding to that IP address or domain name, where the endorsement data was produced by the trusted node signing the target node's public key with its own private key; if the endorsement data has not expired, the target node sends it to the new node. For example, in this implementation the trusted node's IP address or domain name and the endorsement confirmation indication sent by the new node may be carried in the new node's access or join request, from which the target node obtains them.
In another possible implementation, the target node may further receive the trusted node's IP address or domain name and an endorsement confirmation indication sent by the new node, and, in response to the endorsement confirmation indication, send an endorsement request to the trusted node corresponding to that IP address or domain name, where the endorsement request is used to cause the trusted node to obtain the target node's public key and sign it with the trusted node's own private key to produce endorsement data; the target node then obtains the endorsement data from the trusted node and sends it to the new node.
In step 720, the permissions held by the account address corresponding to the new node's public key are looked up among the permissions preset in the blockchain network.
In step 730, whether identity authentication of the new node succeeds is determined from the permissions found.
With the above technical solution of the present disclosure, the target node looks up, among the permissions preset in the blockchain network, the permissions held by the account address corresponding to the new node's public key, and determines from them whether identity authentication of the new node succeeds. Identity authentication thus directly uses the public and private keys of the blockchain network node accounts, no centralized third party needs to take part through digital certificates, the high complexity of certificate issuance is avoided, and secure access between blockchain network nodes is achieved.
In addition, the method for securely accessing a blockchain applied at the target node provided by the present disclosure can be understood in further detail with reference to the signaling interaction diagram shown in FIG. 3, and is not described again here.
FIG. 8 is a block diagram of an apparatus 800 for securely accessing a blockchain according to an exemplary embodiment of the fourth aspect of the present disclosure. The apparatus is deployed on a target node in the blockchain network. As shown in FIG. 8, the apparatus may include a new node public key obtaining module 810, a new node permission querying module 820, and a new node identity authentication module 830.
The new node public key obtaining module 810 may be configured to obtain the new node's public key in response to receiving an access or join request sent by the new node.
The new node permission querying module 820 may be configured to look up, among the permissions preset in the blockchain network, the permissions held by the account address corresponding to the new node's public key.
The new node identity authentication module 830 may be configured to determine from the permissions found whether identity authentication of the new node succeeds.
FIG. 9 is a block diagram of an apparatus 900 for securely accessing a blockchain according to another exemplary embodiment of the fourth aspect of the present disclosure. As shown in FIG. 9, the apparatus may further include: an endorsement indication obtaining module 840, which may be configured to receive the trusted node's IP address or domain name and an endorsement confirmation indication sent by the new node; an endorsement data querying module 841, which may be configured to, in response to the endorsement confirmation indication, look up locally the previously stored endorsement data corresponding to that IP address or domain name, where the endorsement data was produced by the trusted node signing the target node's public key with its own private key; and a first endorsement sending module 842, which may be configured to send the endorsement data to the new node if it has not expired.
FIG. 10 is a block diagram of an apparatus 1000 for securely accessing a blockchain according to yet another exemplary embodiment of the fourth aspect of the present disclosure. As shown in FIG. 10, the apparatus may further include: an endorsement indication obtaining module 1010, which may be configured to receive the trusted node's IP address or domain name and an endorsement confirmation indication sent by the new node; an endorsement request sending module 1011, which may be configured to, in response to the endorsement confirmation indication, send an endorsement request to the trusted node corresponding to that IP address or domain name, where the endorsement request is used to cause the trusted node to obtain the target node's public key and sign it with the trusted node's own private key to produce endorsement data; an endorsement data receiving module 1012, which may be configured to obtain the endorsement data from the trusted node; and a second endorsement sending module 1013, which may be configured to send the endorsement data to the new node.
It can be seen that, because in the above technical solution of the present disclosure the target node looks up, among the permissions preset in the blockchain network, the permissions held by the account address corresponding to the new node's public key and determines from them whether identity authentication of the new node succeeds, identity authentication directly uses the public and private keys of the blockchain network node accounts, no centralized third party needs to take part through digital certificates, the high complexity of certificate issuance is avoided, and secure access between blockchain network nodes is achieved.
FIG. 11 is a flowchart of a method for securely accessing a blockchain according to an exemplary embodiment of the fifth aspect of the present disclosure. The method is applied at a trusted node preset in a blockchain network. As shown in FIG. 11, the method may include:
In step 1110, in response to a new node preparing to access a target node in the blockchain network requiring the trusted node to endorse the target node, the trusted node obtains the target node's public key.
In one possible implementation, the trusted node may obtain the target node's public key in response to receiving an endorsement request sent by the target node, where the target node issued the endorsement request upon receiving the trusted node's IP address or domain name and an endorsement confirmation indication from the new node.
In another possible implementation, the trusted node may obtain the target node's public key in response to receiving an endorsement request for the target node from the new node.
In step 1120, the trusted node signs the target node's public key with its own private key to produce endorsement data.
In the implementation in which the endorsement request is received from the target node, the trusted node may further look up, among the permissions preset in the blockchain network, the permissions held by the account address corresponding to the target node's public key, determine from them whether to endorse the target node, and only if it decides to endorse the target node proceed to the step of signing the target node's public key with its own private key to produce endorsement data.
In step 1130, the endorsement data is provided to the new node so that the new node can verify its signature; if the new node's signature verification passes, the new node determines that identity authentication of the target node succeeded.
For example, in the implementation in which the endorsement request is received from the target node, the endorsement data may be sent to the target node and forwarded by the target node to the new node.
As a further example, in the implementation in which the endorsement request is received from the new node, the endorsement data may be sent directly to the new node.
With the above technical solution of the present disclosure, because the trusted node signs the target node's public key with its own private key to produce endorsement data and provides that endorsement data to the new node, mutual authentication between the new node and the target node directly uses the public and private keys of the blockchain network node accounts, no centralized third party needs to take part through digital certificates, the high complexity of certificate issuance is avoided, and secure access between blockchain network nodes is achieved.
In addition, the method for securely accessing a blockchain applied at the trusted node provided by the present disclosure can be understood in further detail with reference to the signaling interaction diagram shown in FIG. 3, and is not described again here.
FIG. 12 is a block diagram of an apparatus 1200 for securely accessing a blockchain according to an exemplary embodiment of the sixth aspect of the present disclosure. The apparatus is deployed on a trusted node in the blockchain network. As shown in FIG. 12, the apparatus may include a target public key obtaining module 1210, a signing module 1220, and an endorsement providing module 1230.
The target public key obtaining module 1210 may be configured to obtain the target node's public key in response to a new node preparing to access a target node in the blockchain network requiring the trusted node to endorse the target node.
The signing module 1220 may be configured to sign the target node's public key with the trusted node's own private key to produce endorsement data.
The endorsement providing module 1230 may be configured to provide the endorsement data to the new node so that the new node can verify its signature; if the new node's signature verification passes, the new node determines that identity authentication of the target node succeeded.
In one possible implementation, the target public key obtaining module 1210 may be configured to obtain the target node's public key in response to receiving an endorsement request sent by the target node, where the target node issued the endorsement request upon receiving the trusted node's IP address or domain name and an endorsement confirmation indication from the new node. The endorsement providing module 1230 may be configured to send the endorsement data to the target node, which forwards it to the new node.
In another possible implementation, the target public key obtaining module 1210 may be configured to obtain the target node's public key in response to receiving an endorsement request for the target node from the new node. The endorsement providing module 1230 may be configured to send the endorsement data directly to the new node.
FIG. 13 is a block diagram of an apparatus 1300 for securely accessing a blockchain according to another exemplary embodiment of the sixth aspect of the present disclosure. As shown in FIG. 13, the apparatus may further include: a target permission querying module 1240, which may be configured to, after the endorsement request sent by the target node is received, look up among the permissions preset in the blockchain network the permissions held by the account address corresponding to the target node's public key; and an endorsement determining module 1241, which may be configured to determine from the permissions found whether to endorse the target node. The signing module 1220 may be configured to perform the step of signing the target node's public key with the trusted node's own private key to produce endorsement data only when the endorsement determining module determines that the target node is to be endorsed.
With the above technical solution of the present disclosure, because the trusted node signs the target node's public key with its own private key to produce endorsement data and provides that endorsement data to the new node, mutual authentication between the new node and the target node directly uses the public and private keys of the blockchain network node accounts, no centralized third party needs to take part through digital certificates, the high complexity of certificate issuance is avoided, and secure access between blockchain network nodes is achieved.
FIG. 14 is a block diagram of an electronic device 1400 according to an exemplary embodiment. As shown in FIG. 14, the electronic device 1400 may include a processor 1401, a memory 1402, a multimedia component 1403, an input/output (I/O) interface 1404, and a communication component 1405.
其中,处理器1401用于控制该电子设备1400的整体操作,以完成上述的安全访问区块链的方法中的全部或部分步骤。存储器1402用于存储各种类型的数据以支持在该电子设备1400的操作,这些数据例如可以包括用于在该电子设备1400上操作的任何应用程序或方法的指令,以及应用程序相关的数据,例如联系人数据、收发的消息、图片、音频、视频等等。该存储器1402可以由任何类型的易失性或非易失性存储设备或者它们的组合实现,例如静态随机存取存储器(Static Random Access Memory,简称SRAM),电可擦除可编程只读存储器(Electrically Erasable Programmable Read-Only Memory,简称EEPROM),可擦除可编程只读存储器(Erasable Programmable Read-Only Memory,简称EPROM),可编程只读存储器(Programmable Read-Only Memory,简称PROM),只读存储器(Read-Only Memory,简称ROM),磁存储器,快闪存储器,磁盘或光盘。多媒体组件1403可以包括屏幕和音频组件。其中屏幕例如可以是触摸屏,音频组件用于输出和/或输入音频信号。例如,音频组件可以包括一个麦克风,麦克风用于接收外部音频信号。所接收的音频信号可以被进一步存储在存储器1402或通过通信组件1405发送。音频组件还包括至少一个扬声器,用于输出音频信号。I/O接口1404为处理器1401和其他接口模块之间提供接口,上述其他接口模块可以是键盘,鼠标,按钮等。这些按钮可以是虚拟按钮或者实体按钮。通信组件1405用于该电子设备1400与其他设备之间进行有线或无线通信。无线通信,例如Wi-Fi,蓝牙,近场通信(Near Field Communication,简称NFC),2G、3G或4G,或它们中的一种或几种的组合,因此相应的该通信组件1405可以包括:Wi-Fi模块,蓝牙模块,NFC模块。The processor 1401 is configured to control the overall operation of the electronic device 1400 to complete all or part of the steps of the method for securely accessing the blockchain. The memory 1402 is configured to store various types of data to support operations at the electronic device 1400, such as may include instructions for any application or method operating on the electronic device 1400, and application related data, For example, contact data, sent and received messages, pictures, audio, video, and so on. The memory 1402 can be implemented by any type of volatile or non-volatile storage device or a combination thereof, such as a static random access memory (SRAM), an electrically erasable programmable read only memory ( Electrically Erasable Programmable Read-Only Memory (EEPROM), Erasable Programmable Read Only Memory (Erasable) Programmable Read-Only Memory (EPROM), Programmable Read-Only Memory (PROM), Read-Only Memory (ROM), magnetic memory, flash memory, disk or optical disk. The multimedia component 1403 can include a screen and an audio component. 
The screen may be, for example, a touch screen, and the audio component is used to output and/or input an audio signal. For example, the audio component can include a microphone for receiving an external audio signal. The received audio signal may be further stored in memory 1402 or transmitted via communication component 1405. The audio component also includes at least one speaker for outputting an audio signal. The I/O interface 1404 provides an interface between the processor 1401 and other interface modules, such as a keyboard, a mouse, a button, and the like. These buttons can be virtual buttons or physical buttons. The communication component 1405 is used for wired or wireless communication between the electronic device 1400 and other devices. Wireless communication, such as Wi-Fi, Bluetooth, Near Field Communication (NFC), 2G, 3G or 4G, or a combination of one or more of them, so the corresponding communication component 1405 can include: Wi-Fi module, Bluetooth module, NFC module.
在一示例性实施例中,电子设备1400可以被一个或多个应用专用集成电路(Application Specific Integrated Circuit,简称ASIC)、数字信号处理器(Digital Signal Processor,简称DSP)、数字信号处理设备(Digital Signal Processing Device,简称DSPD)、可编程逻辑器件(Programmable Logic Device,简称PLD)、现场可编程门阵列(Field Programmable Gate Array,简称FPGA)、控制器、微控制器、微处理器或其他电子元件实现,用于执行上述的安全访问区块链的方法。In an exemplary embodiment, the electronic device 1400 may be configured by one or more application specific integrated circuits (Application Specific) Integrated Circuit (ASIC), Digital Signal Processor (DSP), Digital Signal Processing Device (DSPD), Programmable Logic Device (PLD), field programmable A Field Programmable Gate Array (FPGA), controller, microcontroller, microprocessor or other electronic component implementation for performing the above method of securely accessing a blockchain.
在另一示例性实施例中,还提供了一种包括程序指令的计算机可读存储介质,例如包括程序指令的存储器1402,上述程序指令可由电子设备1400的处理器1401执行以完成上述的安全访问区块链的方法。In another exemplary embodiment, there is also provided a computer readable storage medium comprising program instructions, such as a memory 1402 comprising program instructions executable by processor 1401 of electronic device 1400 to perform the secure access described above Blockchain approach.
In addition, the present disclosure also provides a system for securely accessing a blockchain. The system may include at least one new node implemented by the electronic device described in the above embodiments, at least one target node implemented by the electronic device described in the above embodiments, and at least one trusted node implemented by the electronic device described in the above embodiments. The new node, the target node, and the trusted node so implemented belong to the same blockchain network.
In summary, the two-way authentication between the new node and the target node of the present disclosure relies directly on the public and private keys of the blockchain network node accounts and does not require a centralized third party to issue digital certificates, thereby avoiding the high complexity of digital certificate issuance and achieving secure access between nodes of the blockchain network.
The preferred embodiments of the present disclosure have been described in detail above with reference to the accompanying drawings. However, the present disclosure is not limited to the specific details of the above embodiments; various simple modifications may be made to the technical solutions of the present disclosure within the scope of its technical idea, and all such simple modifications fall within the scope of protection of the present disclosure.
It should further be noted that the specific technical features described in the above specific embodiments may be combined in any suitable manner provided they do not contradict one another. To avoid unnecessary repetition, the present disclosure does not describe the various possible combinations separately.
Furthermore, the various embodiments of the present disclosure may also be combined arbitrarily, and any such combination should likewise be regarded as content disclosed by the present disclosure as long as it does not depart from the idea of the present disclosure.
Claims (31)
Priority Applications (2)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| PCT/CN2017/119575 WO2019127278A1 (en) | 2017-12-28 | 2017-12-28 | Safe access blockchain method, apparatus, system, storage medium, and electronic device |
| CN201780002593.7A CN108235806B (en) | 2017-12-28 | 2017-12-28 | Method, device and system for safely accessing block chain, storage medium and electronic equipment |
Applications Claiming Priority (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| PCT/CN2017/119575 WO2019127278A1 (en) | 2017-12-28 | 2017-12-28 | Safe access blockchain method, apparatus, system, storage medium, and electronic device |
Publications (1)
| Publication Number | Publication Date |
|---|---|
| WO2019127278A1 true WO2019127278A1 (en) | 2019-07-04 |
Family
ID=62643269
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| PCT/CN2017/119575 Ceased WO2019127278A1 (en) | 2017-12-28 | 2017-12-28 | Safe access blockchain method, apparatus, system, storage medium, and electronic device |
Country Status (2)
| Country | Link |
|---|---|
| CN (1) | CN108235806B (en) |
| WO (1) | WO2019127278A1 (en) |
Cited By (6)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN108989468A (en) * | 2018-08-31 | 2018-12-11 | 北京八分量信息科技有限公司 | A kind of trust network construction method and device |
| CN110933108A (en) * | 2019-09-26 | 2020-03-27 | 腾讯科技(深圳)有限公司 | Data processing method and device based on block chain network, electronic equipment and storage medium |
| CN111478769A (en) * | 2020-03-18 | 2020-07-31 | 西安电子科技大学 | A distributed trusted identity authentication method, system, storage medium and terminal |
| CN114153918A (en) * | 2021-11-10 | 2022-03-08 | 卓尔智联(武汉)研究院有限公司 | A node determination method, device, electronic device and storage medium |
| CN114221824A (en) * | 2022-02-22 | 2022-03-22 | 北京悦游信息技术有限公司 | Security access control method, system and readable storage medium for private area network |
| US11405364B1 (en) | 2021-03-04 | 2022-08-02 | International Business Machines Corporation | Privacy-preserving endorsements in blockchain transactions |
Families Citing this family (36)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN110677376B (en) * | 2018-07-03 | 2022-03-22 | 中国电信股份有限公司 | Authentication method, related device and system and computer readable storage medium |
| CN109146683A (en) * | 2018-08-01 | 2019-01-04 | 江苏恒宝智能系统技术有限公司 | A kind of information management and Verification System using block chain |
| CN110839002B (en) * | 2018-08-15 | 2022-05-17 | 华为云计算技术有限公司 | Cloud account opening, authentication and access method and device |
| CN109344628B (en) * | 2018-08-23 | 2022-07-08 | 达闼机器人股份有限公司 | Method for managing trusted nodes in block chain network, nodes and storage medium |
| CN109117674A (en) * | 2018-09-25 | 2019-01-01 | 深圳市元征科技股份有限公司 | A kind of client validation encryption method, system, equipment and computer media |
| RU2718959C1 (en) * | 2018-11-16 | 2020-04-15 | Алибаба Груп Холдинг Лимитед | Domain name control scheme for cross-chain interactions in blockchain systems |
| CN109740370A (en) * | 2018-12-12 | 2019-05-10 | 北京世纪互联宽带数据中心有限公司 | Data access method and its device, electronic equipment, computer-readable medium |
| CN109886036B (en) * | 2019-01-02 | 2020-12-01 | 广州大学 | Blockchain-based domain name distributed authentication method, device and blockchain network |
| CN109905388B (en) * | 2019-02-20 | 2021-12-07 | 中国互联网络信息中心 | Domain name credit processing method and system based on block chain |
| CN109996229B (en) * | 2019-02-28 | 2022-06-24 | 达闼机器人股份有限公司 | Data transmission method, device, electronic device and storage medium based on DHT network |
| CN110611647A (en) * | 2019-03-06 | 2019-12-24 | 张超 | Node joining method and device on block chain system |
| CN109961292B (en) * | 2019-03-22 | 2022-04-01 | 杭州复杂美科技有限公司 | Block chain verification code application method, equipment and storage medium |
| CN110046521B (en) * | 2019-04-24 | 2023-04-18 | 成都派沃特科技股份有限公司 | Decentralized privacy protection method |
| CN110213264A (en) * | 2019-05-30 | 2019-09-06 | 全链通有限公司 | Auth method, equipment and storage medium based on alliance's block chain |
| CN110266659B (en) * | 2019-05-31 | 2020-09-25 | 联想(北京)有限公司 | Data processing method and equipment |
| CN110210209A (en) * | 2019-06-06 | 2019-09-06 | 中星技术股份有限公司 | The method and apparatus for managing picture pick-up device |
| CN112311735B (en) * | 2019-07-30 | 2021-11-19 | 华为技术有限公司 | Credible authentication method, network equipment, system and storage medium |
| CN110381167B (en) * | 2019-08-09 | 2022-02-08 | 中国工商银行股份有限公司 | Cloud-based block link point active discovery system and method |
| CN110851857B (en) | 2019-10-14 | 2022-07-01 | 上海唯链信息科技有限公司 | A method and device for realizing identity endorsement on blockchain |
| CN112713990A (en) * | 2019-10-25 | 2021-04-27 | 驷途(上海)科技有限公司 | Identity authentication system |
| CN110851813B (en) * | 2019-11-11 | 2021-01-26 | 北京海益同展信息科技有限公司 | Identity verification method, node device of block chain system and block chain system |
| CN111222885B (en) * | 2019-11-13 | 2021-04-16 | 腾讯科技(深圳)有限公司 | Data processing request endorsement method and device, computer equipment and storage medium |
| CN111010372A (en) * | 2019-11-20 | 2020-04-14 | 国家信息中心 | Blockchain network identity authentication system, data processing method and gateway device |
| CN111092958B (en) * | 2019-12-27 | 2022-10-21 | 深圳市迅雷网络技术有限公司 | A node access method, device, system and storage medium |
| CN111294205A (en) * | 2020-02-24 | 2020-06-16 | 联想(北京)有限公司 | Key management method and device, computer system and readable storage medium |
| CN111447070B (en) * | 2020-03-26 | 2023-04-07 | 丁莉萍 | Block chain signature verification method and device and storage medium |
| CN111935075B (en) * | 2020-06-23 | 2024-08-23 | 浪潮云信息技术股份公司 | Digital identity issuing method, device and medium based on blockchain |
| CN111711646B (en) * | 2020-08-20 | 2020-11-24 | 飞天诚信科技股份有限公司 | Method and equipment for ensuring communication security of block chain P2P network node |
| CN112311556B (en) * | 2020-11-05 | 2024-05-24 | 北京领主科技有限公司 | Device authentication method, device control method, node, device and blockchain |
| CN112543098B (en) * | 2020-11-12 | 2021-10-01 | 西安交通大学 | Intelligent building mobile device authentication system and method based on challenge response mechanism |
| JP7312279B2 (en) | 2020-11-27 | 2023-07-20 | 達闥機器人股▲分▼有限公司 | MOBILE NETWORK ACCESS SYSTEM, METHOD, STORAGE MEDIUM AND ELECTRONIC DEVICE |
| CN112512048B (en) * | 2020-11-27 | 2022-07-12 | 达闼机器人股份有限公司 | Mobile network access system, method, storage medium and electronic device |
| WO2022150961A1 (en) * | 2021-01-12 | 2022-07-21 | 深圳大学 | Blockchain security monitoring method and apparatus, electronic device and storage medium |
| CN113364583B (en) * | 2021-05-31 | 2024-05-21 | 山东中科好靓基础软件技术有限公司 | Remote verification method based on decentralization network |
| CN115967623B (en) * | 2021-10-09 | 2025-09-05 | 中移(杭州)信息技术有限公司 | Device management method, device, electronic device, and storage medium |
| CN118826995A (en) * | 2023-09-18 | 2024-10-22 | 中国移动通信有限公司研究院 | Blockchain endorsement method, device, equipment and readable storage medium |
Citations (4)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN106453636A (en) * | 2016-11-22 | 2017-02-22 | 深圳银链科技有限公司 | Credible block generation method and system |
| CN106796685A (en) * | 2016-12-30 | 2017-05-31 | 深圳前海达闼云端智能科技有限公司 | Block chain authority control method and device and node equipment |
| CN107070667A (en) * | 2017-06-07 | 2017-08-18 | 国民认证科技(北京)有限公司 | Identity identifying method, user equipment and server |
| CN107077674A (en) * | 2016-12-29 | 2017-08-18 | 深圳前海达闼云端智能科技有限公司 | Transaction verification processing method and device and node equipment |
Family Cites Families (8)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| WO2015142765A1 (en) * | 2014-03-17 | 2015-09-24 | Coinbase, Inc | Bitcoin host computer system |
| US9876646B2 (en) * | 2015-05-05 | 2018-01-23 | ShoCard, Inc. | User identification management system and method |
| CN105488675B (en) * | 2015-11-25 | 2019-12-24 | 布比(北京)网络技术有限公司 | Block chain distributed shared general ledger construction method |
| CN107079036A (en) * | 2016-12-23 | 2017-08-18 | 深圳前海达闼云端智能科技有限公司 | Registration and authorization method, device and system |
| CN107171806B (en) * | 2017-05-18 | 2020-04-10 | 北京航空航天大学 | Mobile terminal network key negotiation method based on block chain |
| CN107392608B (en) * | 2017-07-11 | 2020-07-07 | 北京博晨技术有限公司 | Block chain system-based digital asset transaction method and block chain system |
| CN107451874A (en) * | 2017-07-27 | 2017-12-08 | 武汉天喻信息产业股份有限公司 | Electronic invoice integrated conduct method and system based on block chain |
| CN107403379B (en) * | 2017-08-07 | 2021-02-26 | 成都质数斯达克科技有限公司 | Data processing method and device and block chain core distributed system |
2017
- 2017-12-28 WO PCT/CN2017/119575 patent/WO2019127278A1/en not_active Ceased
- 2017-12-28 CN CN201780002593.7A patent/CN108235806B/en active Active
Patent Citations (4)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN106453636A (en) * | 2016-11-22 | 2017-02-22 | 深圳银链科技有限公司 | Credible block generation method and system |
| CN107077674A (en) * | 2016-12-29 | 2017-08-18 | 深圳前海达闼云端智能科技有限公司 | Transaction verification processing method and device and node equipment |
| CN106796685A (en) * | 2016-12-30 | 2017-05-31 | 深圳前海达闼云端智能科技有限公司 | Block chain authority control method and device and node equipment |
| CN107070667A (en) * | 2017-06-07 | 2017-08-18 | 国民认证科技(北京)有限公司 | Identity identifying method, user equipment and server |
Cited By (8)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN108989468A (en) * | 2018-08-31 | 2018-12-11 | 北京八分量信息科技有限公司 | A kind of trust network construction method and device |
| CN108989468B (en) * | 2018-08-31 | 2021-03-30 | 北京八分量信息科技有限公司 | Trust network construction method and device |
| CN110933108A (en) * | 2019-09-26 | 2020-03-27 | 腾讯科技(深圳)有限公司 | Data processing method and device based on block chain network, electronic equipment and storage medium |
| CN111478769A (en) * | 2020-03-18 | 2020-07-31 | 西安电子科技大学 | A distributed trusted identity authentication method, system, storage medium and terminal |
| US11405364B1 (en) | 2021-03-04 | 2022-08-02 | International Business Machines Corporation | Privacy-preserving endorsements in blockchain transactions |
| CN114153918A (en) * | 2021-11-10 | 2022-03-08 | 卓尔智联(武汉)研究院有限公司 | A node determination method, device, electronic device and storage medium |
| CN114221824A (en) * | 2022-02-22 | 2022-03-22 | 北京悦游信息技术有限公司 | Security access control method, system and readable storage medium for private area network |
| CN114221824B (en) * | 2022-02-22 | 2022-05-17 | 北京悦游信息技术有限公司 | Security access control method, system and readable storage medium for private area network |
Also Published As
| Publication number | Publication date |
|---|---|
| CN108235806A (en) | 2018-06-29 |
| CN108235806B (en) | 2020-10-02 |
Similar Documents
| Publication | Publication Date | Title |
|---|---|---|
| CN108235806B (en) | Method, device and system for safely accessing block chain, storage medium and electronic equipment | |
| US11606352B2 (en) | Time-based one time password (TOTP) for network authentication | |
| TWI737240B (en) | Improving integrity of communications between blockchain networks and external data sources | |
| CN111277577B (en) | Digital identity verification method, apparatus, device and storage medium | |
| CN110392889B (en) | Field Programmable Gate Array-Based Trusted Execution Environment for Blockchain Networks | |
| US11159307B2 (en) | Ad-hoc trusted groups on a blockchain | |
| CN107231351B (en) | Electronic certificate management method and related equipment | |
| US10284378B2 (en) | Certificate authority master key tracking on distributed ledger | |
| US9467430B2 (en) | Device, method, and system for secure trust anchor provisioning and protection using tamper-resistant hardware | |
| US9912485B2 (en) | Method and apparatus for embedding secret information in digital certificates | |
| CN108647964B (en) | A block chain data processing method, device and computer-readable storage medium | |
| KR102266206B1 (en) | How to manage communication between consensus nodes and client nodes | |
| US9680827B2 (en) | Geo-fencing cryptographic key material | |
| WO2022252992A1 (en) | User data authorization method and user data authorization system | |
| WO2021114923A1 (en) | Data storage method and apparatus and data reading method and apparatus for private data | |
| US9654922B2 (en) | Geo-fencing cryptographic key material | |
| WO2021073170A1 (en) | Method and apparatus for data provision and fusion | |
| CN108768988A (en) | Block chain access control method, equipment and computer readable storage medium | |
| US20150271155A1 (en) | Geo-Fencing Cryptographic Key Material | |
| WO2019110018A1 (en) | Message authentication method for communication network system, communication method and communication network system | |
| CN117397199A (en) | Secure root of trust registration and identity management for embedded devices | |
| CN115242471A (en) | Information transmission method and device, electronic equipment and computer readable storage medium | |
| Goel | Techniques wrt Client Applications | |
| TW201935357A (en) | Method and system for electrical transaction | |
| JP2018148293A (en) | Credential generation system and method, client terminal, server device, issue request device, credential issue device, and program |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| | 121 | Ep: the epo has been informed by wipo that ep was designated in this application | Ref document number: 17936643; Country of ref document: EP; Kind code of ref document: A1 |
| | NENP | Non-entry into the national phase | Ref country code: DE |
| | 32PN | Ep: public notification in the ep bulletin as address of the addressee cannot be established | Free format text: NOTING OF LOSS OF RIGHTS PURSUANT TO RULE 112(1) EPC (EPO FORM 1205A DATED 16/11/2020) |
| | 122 | Ep: pct application non-entry in european phase | Ref document number: 17936643; Country of ref document: EP; Kind code of ref document: A1 |