CN112311538A - Identity authentication method, device, storage medium and equipment - Google Patents
- Publication number: CN112311538A
- Authority: CN (China)
- Prior art keywords: party, authorized party, identity, data, verifiable
- Legal status: Granted
Classifications
- H04L9/0825—Key transport or distribution, i.e. key establishment techniques where one party creates or otherwise obtains a secret value, and securely transfers it to the other(s) using asymmetric-key encryption or public key infrastructure [PKI], e.g. key signature or public key certificates
- G06F21/46—Structures or tools for the administration of authentication by designing passwords or checking the strength of passwords
- H04L63/0876—Network architectures or network communication protocols for network security for authentication of entities based on the identity of the terminal or configuration, e.g. MAC address, hardware or software configuration or device fingerprint
- H04L63/12—Applying verification of the received information
- H04L9/0866—Generation of secret information including derivation or calculation of cryptographic keys or passwords involving user or device identifiers, e.g. serial number, physical or biometrical information, DNA, hand-signature or measurable physical characteristics
- H04L9/0869—Generation of secret information including derivation or calculation of cryptographic keys or passwords involving random numbers or seeds
- H04L9/3247—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving digital signatures
Abstract
The application discloses an identity authentication method, apparatus, storage medium and device. In the method, after the authorized party sends the verifier a verification request that includes the identity identifier of the authorized party, the verifier can generate a random number according to the verification request and return the random number to the authorized party. The authorized party can generate a verifiable report according to the random number and the verifiable credential data it stores, and sends the verifiable report together with its stored identity identifier to the verifier. The verifier can then use the identity identifier to acquire the identity file of the authorized party from the registration system, verify the verifiable report according to that identity file, and return a verification result to the authorized party. Because the registration system is built on a blockchain, which is decentralized and tamper-resistant, the accuracy and reliability of the identity verification result of the authorized party can be effectively improved.
Description
Technical Field
The present application relates to the field of data processing, and in particular, to a method, an apparatus, a storage medium, and a device for authentication.
Background
At present, identity authorization between an authorizer and an authorized party is usually based on key pairs, with the aim of improving the security and reliability of the identity authorization. For example, when a media platform (the authorizer) authorizes the identity of a user (the authorized party), each of them first obtains a digital certificate through a Certificate Authority (CA), and the identity relationship between them is then authorized on the basis of the certificate authority. A certificate authority is the body that issues, manages and revokes digital certificates for digital certificate applicants.
However, in an actual scenario, a certificate authority may be maliciously attacked or manipulated, so that two parties that have no association with each other may still be able to perform identity authorization. The identity authorization relationship is then not trusted, the identity authentication result of the authorized party is not trusted either, and no further data processing operation can subsequently be performed for the authorized party.
Disclosure of Invention
In view of this, embodiments of the present application provide an identity authentication method, apparatus, storage medium, and device, so as to improve accuracy and reliability of an identity authentication result of an authorized party.
In a first aspect, an embodiment of the present application provides an identity authentication method, which is applied to an identity authorization blockchain system including an authorized party and a verifier, where a registration system is deployed in the identity authorization blockchain system; the method comprises the following steps:
the authorized party sends a verification request to the verifier, wherein the verification request comprises the identity of the authorized party;
the verifier generates a random number according to the verification request and returns the random number to the authorized party;
the authorized party generates a verifiable report according to the random number and the verifiable certificate data stored by the authorized party, and sends the verifiable report and the identity of the authorized party stored by the authorized party to the verifying party;
the verifying party acquires the identity file of the authorized party from the registration system by using the identity of the authorized party, verifies the verifiable report according to the identity file of the authorized party and returns a verification result to the authorized party.
In a possible implementation manner, the generating, by the authorized party, a verifiable report according to the random number and the verifiable credential data stored by the authorized party specifically includes:
the authorized party signs the random number by using a private key of the authorized party stored by the authorized party to obtain fourth signature data, and signs the verifiable credential data by using the private key of the authorized party to obtain fifth signature data;
the authorized party generates the verifiable report using the random number, the fourth signature data, the verifiable credential data and the fifth signature data;
the verifying, by the verifier, the verifiable report according to the identity file of the authorized party specifically includes:
the verifier acquires the public key of the authorized party from the identity file of the authorized party and verifies the fourth signature data and the fifth signature data respectively by using the public key of the authorized party.
In a possible implementation manner, the verifying the fourth signature data and the fifth signature data using the public key of the authorized party respectively specifically includes:
the verifier acquires the random number from the verifiable report, verifies the signature of the fourth signature data by using the public key of the authorized party and the random number, and verifies the signature of the fifth signature data by using the public key of the authorized party and the verifiable certificate data if the signature verification is passed;
or,
and the verifier verifies the signature of the fifth signature data by using the public key of the authorized party and the verifiable certificate data, if the signature verification is passed, the verifier acquires the random number from the verifiable report, and verifies the signature of the fourth signature data by using the public key of the authorized party and the random number.
In a possible implementation manner, after the verifying party verifies the verifiable report according to the identity document of the authorized party, and before the verifying party returns a verification result to the authorized party, the method further includes:
the verifying party acquires the verifiable certificate data from the verifiable report, extracts the identity identification of the authorizing party and the identification of the verifiable certificate data from the acquired verifiable certificate data, and sends the identity identification of the authorizing party and the identification of the verifiable certificate data to the registration system;
the registration system checks whether the identity of the authorized party and the identification of the verifiable certificate data are in a valid verifiable certificate data list, and returns a valid or invalid inquiry result of the authorized party to the verifier;
and the verifying party returns the verification result to the authorized party according to the query result.
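The verification exchange above (random number, verifiable report, registry lookup), as an added Go example that is not code from the patent. Ed25519 signatures, SHA-256 identifiers, the in-memory `Registry` and all type and function names are assumptions, and the check of the authorizing party's signature on the claim data goes beyond the verifier steps listed above.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

var ErrNonce = errors.New("random number unknown or already used")
var ErrSig = errors.New("unknown identity or bad signature")
var ErrInvalid = errors.New("credential not in the valid list")

// Registry is an in-memory stand-in for the registration system (assumption).
type Registry struct {
	Keys  map[string]ed25519.PublicKey // identity identifier -> key in the identity file
	Valid map[string]bool              // authorizer ID + "/" + credential identifier
}
// Verifier keeps one outstanding random number per authorized party.
type Verifier struct{ Reg *Registry; pending map[string][]byte }
// Credential models the verifiable credential data issued by the authorizing party.
type Credential struct{ IssuerID, CredID string; Claim, IssuerSig []byte }
// Report is the verifiable report; NonceSig and CredSig are the fourth and fifth signatures.
type Report struct {
	HolderID                 string
	Nonce, NonceSig, CredSig []byte
	Cred                     Credential
}

// Bytes is the encoding the authorized party signs (constructed for this example).
func (c Credential) Bytes() []byte {
	return []byte(fmt.Sprintf("%s|%s|%x|%x", c.IssuerID, c.CredID, c.Claim, c.IssuerSig))
}

// NewIdentity registers a key pair; the identifier is the hash of the public key.
func NewIdentity(reg *Registry) (string, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	id := fmt.Sprintf("%x", sha256.Sum256(pub))
	reg.Keys[id] = pub
	return id, priv
}

// Challenge answers a verification request with a fresh random number.
func (v *Verifier) Challenge(holderID string) []byte {
	v.pending[holderID] = make([]byte, 32)
	if _, err := rand.Read(v.pending[holderID]); err != nil {
		panic(err)
	}
	return v.pending[holderID]
}

// BuildReport is the authorized party's step: sign the random number and the credential.
func BuildReport(id string, priv ed25519.PrivateKey, nonce []byte, c Credential) Report {
	return Report{id, nonce, ed25519.Sign(priv, nonce), ed25519.Sign(priv, c.Bytes()), c}
}

// Verify checks freshness, the signatures and the registry's valid list.
func (v *Verifier) Verify(r Report) error {
	want, ok := v.pending[r.HolderID]
	delete(v.pending, r.HolderID) // a random number is accepted once
	if !ok || !bytes.Equal(want, r.Nonce) {
		return ErrNonce
	}
	holderKey, ok1 := v.Reg.Keys[r.HolderID]
	issuerKey, ok2 := v.Reg.Keys[r.Cred.IssuerID]
	if !ok1 || !ok2 || !ed25519.Verify(holderKey, r.Nonce, r.NonceSig) ||
		!ed25519.Verify(holderKey, r.Cred.Bytes(), r.CredSig) ||
		!ed25519.Verify(issuerKey, r.Cred.Claim, r.Cred.IssuerSig) {
		return ErrSig
	}
	if !v.Reg.Valid[r.Cred.IssuerID+"/"+r.Cred.CredID] {
		return ErrInvalid
	}
	return nil
}

// Demo runs an honest exchange, a replayed report and a credential removed from the list.
func Demo() (honest, replay, removed error) {
	v := &Verifier{&Registry{map[string]ed25519.PublicKey{}, map[string]bool{}}, map[string][]byte{}}
	issuerID, issuerPriv := NewIdentity(v.Reg)
	holderID, holderPriv := NewIdentity(v.Reg)
	claim := []byte(`{"role":"editor"}`) // constructed sample claim data
	cred := Credential{issuerID, "vc-001", claim, ed25519.Sign(issuerPriv, claim)}
	v.Reg.Valid[issuerID+"/vc-001"] = true
	report := BuildReport(holderID, holderPriv, v.Challenge(holderID), cred)
	honest = v.Verify(report)
	replay = v.Verify(report) // same report again: its random number is spent
	v.Reg.Valid[issuerID+"/vc-001"] = false
	removed = v.Verify(BuildReport(holderID, holderPriv, v.Challenge(holderID), cred))
	return
}

func main() { fmt.Println(Demo()) }
```

Consuming the stored random number before any other check is what makes the replayed report fail even though both of its signatures are still valid.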
In one possible implementation, an authorizer is deployed in the identity authorization blockchain system; the method comprises the following steps:
the authorized party acquires the declaration information of the authorizing party from the registration system, requests the authorizing party to carry out identity authentication on the authorized party according to the identity identification of the authorized party stored by the authorized party, generates an identity authorization request according to the declaration information of the authorizing party and sends the identity authorization request to the authorizing party when the identity authentication result of the authorizing party on the authorized party is passed;
the authorization party generates verifiable certificate data according to the identity authorization request and sends the identification of the verifiable certificate data in the verifiable certificate data to the registration system;
the registration system updates according to the identification of the verifiable certificate data and returns an updating result to the authorized party;
the authorizing party sends the verifiable credential data to the authorized party for storage by the authorized party.
In a possible implementation manner, the requesting, by the authorized party, the authorizing party to authenticate the authorized party according to the identity of the authorized party stored by the authorized party includes:
the authorized party generates an authentication request according to the identity of the authorized party and sends the authentication request to the authorizing party;
the authorizing party generates a first random number and returns the first random number to the authorized party;
the authorized party signs the first random number according to a private key of the authorized party stored by the authorized party to obtain a first signature result, and sends the first signature result, the first random number and the identity of the authorized party to the authorizing party;
and the authorizer acquires the identity file of the authorized party from the registration system according to the identity of the authorized party, acquires the public key of the authorized party from the identity file of the authorized party, and verifies the first signature result by using the acquired public key of the authorized party and the first random number.
In a possible implementation manner, the obtaining, by the authorized party, the declaration information of the authorizing party from the registration system specifically includes:
the authorized party acquires the identity of the authorizing party and sends the identity of the authorizing party to the registration system;
and the registration system retrieves a statement template list bound with the authorizing party according to the identity of the authorizing party and sends the statement template list to the authorized party.
In a possible implementation manner, the authorized party generates an identity authorization request according to the declaration information of the authorizing party, specifically:
the authorized party selects a required declaration template from the declaration template list of the authorizing party, generates declaration data of the authorized party according to the selected declaration template, and generates the identity authorization request according to the declaration data of the authorized party.
In a possible implementation manner, after the authorized party obtains the declaration information of the authorized party, the method further includes: the authorized party generates the declaration data of the authorized party according to the declaration information of the authorizing party; the identity authorization request comprises the declaration data of the authorized party;
the generating, by the authorizing party, the verifiable credential data specifically includes:
the authorizing party generates the identification of the verifiable certificate data according to a preset rule, and signs the declaration data of the authorized party by using a private key of the authorizing party stored by the authorizing party to obtain the signature of the declaration data of the authorized party;
the authorizing party generates the verifiable credential data based on the authorized party claim data, a signature of the authorized party claim data, and an identification of the verifiable credential data.
In one possible implementation, before the step of sending, by the authorization party, the identifier of the verifiable credential data to the registration system, the method further includes:
the authorizing party signs the identification of the verifiable credential data by using a private key of the authorizing party to obtain a signature of the identification of the verifiable credential data;
before the registration system updates according to the identification of the verifiable credential data, the method further comprises: the authorizing party sends the signature of the identification of the verifiable credential data and the identity identification of the authorizing party to the registration system;
and the registration system finds the public key corresponding to the authorizing party according to the identity of the authorizing party, and verifies the signature of the identification of the verifiable credential data by using the public key of the authorizing party and the identification of the verifiable credential data.
In a possible implementation manner, the registration system updates according to the identification of the verifiable credential data, specifically: when the signature verification result is passed, the registration system adds the identification of the verifiable credential data to the list of verifiable credential data of the authorizing party.
In one possible implementation, the sending, by the authorizer, the verifiable credential data to the authorizee for storage by the authorizee includes:
the authorizing party sending the verifiable credential data and the identity of the authorizing party to the authorized party;
the authorized party sends a query request to the registration system according to the identification of the verifiable credential data and the identity identification of the authorizing party;
the registration system searches whether the identifier of the verifiable certificate data exists in a verifiable certificate data list of the authorization party or not according to the identity identifier of the authorization party, if so, the registration system indicates that the identifier of the verifiable certificate data is valid, and returns the query result and the identity file of the authorization party corresponding to the identity identifier of the authorization party to the authorized party;
and the authorized party verifies the verifiable credential data according to the identity file of the authorizing party, and if the verification is passed, the verifiable credential data is confirmed to be legal and is stored.
In one possible implementation manner, the verifying the verifiable credential data by the authorized party according to the identity file of the authorizing party specifically includes:
and the authorized party acquires the public key of the authorizing party from the identity file of the authorizing party, and verifies the signature of the authorized party declaration data in the verifiable credential data by using the public key of the authorizing party and the authorized party declaration data in the verifiable credential data.
In one possible implementation, the sending, by the authorizer, the verifiable credential data to the authorizee for storage by the authorizee includes:
the authorizing party signs the verifiable certificate data by using a private key and sends the signed verifiable certificate data to the authorized party;
the authorized party sends an entity identity query request to the registration system;
the registration system returns the identity file of the entity stored in advance to the authorized party;
the authorized party uses the identity file of the entity to verify the signed verifiable certificate data, and if the verification is successful, the verifiable certificate data is confirmed to be legal;
and the authorized party sends the result of confirming that the verifiable certificate data is legal to the registration system for inquiry, and if the registration system inquires that the verifiable certificate data is valid, the inquiry result is returned to the authorized party so that the authorized party can store the verifiable certificate data.
In a possible implementation manner, before the authorized party sends the identity authorization request to the authorizing party according to the claim information of the authorizing party, the method further includes:
the authorized party generates a second random number; the identity authorization request also comprises the second random number;
the sending, by the authorizing party, the verifiable credential data to the authorized party for storage by the authorized party specifically includes:
the authorizing party generates a third random number and generates authentication data and encrypted data of the verifiable credential data according to the second random number, the third random number and the verifiable credential data; the authorizing party sends the authentication data, the encrypted data of the verifiable credential data and the identity of the authorizing party stored by the authorizing party to the authorized party;
the authorized party acquires the identity file of the authorizing party from the registration system according to the identity of the authorizing party, verifies the authentication data according to the identity file of the authorizing party, and, if the verification is passed, decrypts the encrypted data of the verifiable credential data to obtain the verifiable credential data and stores the verifiable credential data obtained by decryption.
In a possible implementation manner, the generating, by the authorizer, authentication data and encrypted data of the verifiable credential data according to the second random number, the third random number, and the verifiable credential data specifically includes: the authorizer encrypts the third random number by using the public key of the authorized party acquired when the authorizer performs identity verification on the authorized party to obtain encrypted data of the third random number;
the authorizer signs the third random number by using an authorizer private key stored by the authorizer to obtain a signature of the third random number;
and the authorizing party generates a first session key according to the second random number and the third random number, and encrypts the verifiable certificate data by using the first session key to obtain the encrypted data of the verifiable certificate data.
In a possible implementation manner, the verifying the authentication data by the authorized party according to the identity file of the authorizing party specifically includes:
the authorized party acquires the public key of the authorizing party from the identity file of the authorizing party, and decrypts the encrypted data of the third random number by using the private key of the authorized party stored by the authorized party to obtain first decrypted data;
the authorized party verifies the signature of the third random number using the public key of the authorizing party and the first decrypted data.
In one possible implementation manner, the decrypting, by the authorized party, the encrypted data of the verifiable credential data to obtain the verifiable credential data, and storing the verifiable credential data obtained by the decrypting specifically includes:
if the signature verification is successful, the authorized party generates a second session key according to the second random number and the first decrypted data;
the authorized party decrypts the encrypted data of the verifiable credential data by using the second session key to obtain the verifiable credential data, extracts the declaration data of the authorized party and the signature of the declaration data of the authorized party from the verifiable credential data, verifies the signature of the declaration data of the authorized party by using the public key of the authorizing party and the extracted declaration data of the authorized party, and stores the verifiable credential data if the verification passes.
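The encrypted delivery of the verifiable credential data described above, as an added Go example that is not code from the patent. RSA-OAEP, RSA-PSS, HMAC-SHA256 as the session-key derivation, AES-GCM and all names are assumptions, since the patent does not name algorithms.

```go
package main

import (
	"bytes"
	"crypto"
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Delivery: EncN3 is the third random number encrypted to the authorized party, SigN3 the
// authorizing party's signature over it, EncCred the AES-GCM nonce plus encrypted credential.
type Delivery struct{ EncN3, SigN3, EncCred []byte }

// aead derives the session key (HMAC-SHA256 keyed with the secret third number, assumed).
func aead(n2, n3 []byte) (cipher.AEAD, error) {
	mac := hmac.New(sha256.New, n3)
	mac.Write(n2)
	block, err := aes.NewCipher(mac.Sum(nil))
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Issue is the authorizing party's side; n2 arrived in the identity authorization request.
func Issue(issuer *rsa.PrivateKey, holder *rsa.PublicKey, n2, cred []byte) (d Delivery, err error) {
	n3 := make([]byte, 32)
	if _, err = rand.Read(n3); err != nil {
		return
	}
	if d.EncN3, err = rsa.EncryptOAEP(sha256.New(), rand.Reader, holder, n3, nil); err != nil {
		return
	}
	digest := sha256.Sum256(n3)
	if d.SigN3, err = rsa.SignPSS(rand.Reader, issuer, crypto.SHA256, digest[:], nil); err != nil {
		return
	}
	gcm, err := aead(n2, n3)
	if err != nil {
		return
	}
	iv := make([]byte, gcm.NonceSize())
	if _, err = rand.Read(iv); err != nil {
		return
	}
	d.EncCred = gcm.Seal(iv, iv, cred, nil)
	return
}

// Receive is the authorized party's side: decrypt n3, verify its signature, derive the key, decrypt.
func Receive(holder *rsa.PrivateKey, issuer *rsa.PublicKey, n2 []byte, d Delivery) ([]byte, error) {
	n3, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, holder, d.EncN3, nil)
	if err != nil {
		return nil, errors.New("third random number does not decrypt")
	}
	digest := sha256.Sum256(n3)
	if rsa.VerifyPSS(issuer, crypto.SHA256, digest[:], d.SigN3, nil) != nil {
		return nil, errors.New("authentication data rejected")
	}
	gcm, err := aead(n2, n3)
	if err != nil || len(d.EncCred) < gcm.NonceSize() {
		return nil, errors.New("malformed encrypted credential")
	}
	return gcm.Open(nil, d.EncCred[:gcm.NonceSize()], d.EncCred[gcm.NonceSize():], nil)
}

func mustKey() *rsa.PrivateKey {
	k, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		panic(err)
	}
	return k
}

// Demo reports: credential recovered, wrong second random number rejected, forged sender rejected.
func Demo() (recovered, wrongN2, forged bool) {
	issuer, holder, rogue := mustKey(), mustKey(), mustKey()
	n2 := []byte("constructed-second-random-number")
	cred := []byte(`{"id":"vc-001","claim":{"role":"editor"}}`) // constructed sample
	d, _ := Issue(issuer, &holder.PublicKey, n2, cred)
	got, err := Receive(holder, &issuer.PublicKey, n2, d)
	recovered = err == nil && bytes.Equal(got, cred)
	_, err = Receive(holder, &issuer.PublicKey, []byte("some-other-second-random-number!"), d)
	wrongN2 = err != nil
	f, _ := Issue(rogue, &holder.PublicKey, n2, cred) // signed by a key that is not the registered one
	_, err = Receive(holder, &issuer.PublicKey, n2, f)
	forged = err != nil
	return
}

func main() { fmt.Println(Demo()) }
```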
In one possible implementation manner, before the authorized party saves the verifiable credential data, the method further includes:
the authorized party sending an identification of verifiable credential data in the verifiable credential data to the registration system, which checks whether the identification of verifiable credential data is valid;
and when the check result is that the identification of the verifiable credential data is valid and the authorized party's verification of the authentication data has passed, the authorized party stores the verifiable credential data.
In a possible implementation manner, before the authorizer generates verifiable credential data according to the identity authorization request, the method further includes:
and the authorizing party performs auditing according to the identity authorization request sent by the authorized party.
In one possible implementation, the target party is the authorizer or the authorized party; the method further comprises the following steps:
the target party generates a corresponding identity and an identity file and performs identity registration to the registration system according to the identity and the identity file; the identity file comprises a corresponding signature verification public key;
and the registration system checks the identity identification and the identity file, if the identity identification and the identity file pass the check, the target party is determined to finish identity registration, and the identity file corresponding to the target party is stored.
In a possible implementation manner, the generating, by the target party, a corresponding identity and an identity file includes:
the target party acquires the current time and sets the type of a key pair, and generates a public key and a private key according to the current time and the type of the key pair;
carrying out Hash operation on the public key to obtain a corresponding Hash value, and using the Hash value as the identity of the target party;
and generating the identity file of the target party according to the identity and the public key.
In a possible implementation manner, the performing identity registration with the registration system according to the identity identifier and the identity file includes: the target party sends the identity identification and the identity file to a registration system;
the registration system audits the identity identifier and the identity file, and comprises:
and the registration system determines whether the identity identifier exists in the stored set of identity identifiers, and if not, sends a random identifier to the target party.
In a possible implementation manner, after the sending of the random identifier to the target, the method further includes:
the target party receives the random identifier and signs the random identifier by using the private key to obtain first signature data;
the target party sends the identity file, the random identifier and the first signature data to the registration system;
and the registration system checks the first signature data according to the identity file, determines that the target party completes identity registration if the first signature data passes the check, and stores the identity file corresponding to the target party.
In a possible implementation manner, after the target party generates the identity file, the method further includes: the target party saves the identity file;
after determining that the target party completes identity registration, the method further includes:
the registration system sends the inquiry address of the identity to the target party;
and the target party updates the identity file according to the query address of the identity identification.
In a possible implementation manner, when the target party is the authorizing party, the method further includes:
the authorizing party generates authorizing party identity data and signs the identity data by using the private key to obtain second signature data; the identity data of the authorizing party is data which shows that the authorizing party has identity authorization authority;
the authorizing party sends the identity file, the identity data and the second signature data to the registration system;
the registration system verifies the second signature data according to the identity file, and if the second signature data passes the verification, grants the identity authorization authority qualification to the authorizing party, stores the identity authorization authority qualification in the identity file stored by the registration system, and sends the registration state and the identity inquiry address of the authorizing party to the authorizing party;
and the authorizing party updates the identity inquiry address into the identity file stored by the authorizing party.
In a possible implementation, the method further includes:
the authorizer generates declaration information, and signs the declaration template query address in the declaration information by using the private key to obtain third signature data; the declaration information comprises a declaration template and a declaration template query address;
the authorizer sends the identity file, the declaration template query address in the declaration information and the third signature data to the registration system;
the registration system verifies the third signature data according to the identity file stored by the registration system, if the third signature data passes the verification, the registration system stores the declaration information in the identity file stored by the registration system and returns a newly added result of the declaration information to the target party;
and the target party updates the declaration template inquiry address to an identity file stored by the target party.
In a possible implementation manner, before the authorized party sends the identity authorization request to the authorizer, the method further includes: the authorized party sets a security identifier, and sets the type of the security identifier as plaintext return or ciphertext return; the identity authorization request also comprises the security identifier;
before the authorizer sends the verifiable credential data to the authorized party, the method further comprises: the authorizer judges the type of the security identifier; when the type of the security identifier is plaintext return, the plaintext data of the verifiable certificate data is sent to the authorized party; and when the type of the security identifier is ciphertext return, the ciphertext data of the verifiable certificate data is sent to the authorized party.
In a second aspect, an embodiment of the present application provides an identity authentication apparatus, which is applied to an identity authorization blockchain system including an authorizer and an authorized party, where a registration system is deployed in the identity authorization blockchain system; the device comprises:
the authorized party is used for sending a verification request to the verifier, and the verification request comprises the identity of the authorized party;
the verifier is used for generating a random number according to the verification request and returning the random number to the authorized party;
the authorized party is also used for generating a verifiable report according to the random number and the verifiable certificate data stored by the authorized party, and sending the verifiable report and the identity of the authorized party stored by the authorized party to the verifier;
the verifying party is further configured to obtain the identity file of the authorized party from the registration system by using the identity of the authorized party, verify the verifiable report according to the identity file of the authorized party, and return a verification result to the authorized party.
In one possible implementation, the authorized party is specifically configured to:
signing the random number by using the private key of the authorized party stored by itself to obtain fourth signature data; signing the verifiable certificate data by using the private key of the authorized party to obtain fifth signature data;
generating the verifiable report using the random number (nonce), the fourth signature data, the verifiable credential data and the fifth signature data;
the verifier is specifically configured to:
acquiring the public key of the authorized party from the identity file of the authorized party, and verifying the signatures of the fourth signature data and the fifth signature data respectively by using the public key of the authorized party.
In a possible implementation manner, the verifying party is specifically configured to:
obtaining the random number from the verifiable report, verifying the signature of the fourth signature data by using the public key of the authorized party and the random number, and verifying the signature of the fifth signature data by using the public key of the authorized party and the verifiable certificate data if the signature passes;
or,
and verifying the signature of the fifth signature data by using the public key of the authorized party and the verifiable certificate data, if the signature passes, acquiring the random number from the verifiable report, and verifying the signature of the fourth signature data by using the public key of the authorized party and the random number.
In one possible implementation, the verifier is further configured to:
obtaining the verifiable credential data from the verifiable report, extracting the identity of the authorized party and the identity of the verifiable credential data from the obtained verifiable credential data, and sending the identity of the authorized party and the identity of the verifiable credential data to the registration system;
the registration system is further configured to: checking whether the identity of the authorized party and the identity of the verifiable credential data are in a list of valid verifiable credential data, and returning a query result that the authorized party is valid or invalid to the verifier;
the authenticator is further to: and returning the verification result to the authorized party according to the query result.
In one possible implementation, an authorizer is deployed in the identity authorization blockchain system; the device further comprises:
the authorized party is used for acquiring the declaration information of the authorizing party from the registration system, requesting the authorizing party to carry out identity verification on the authorized party according to the identity identification of the authorized party stored by the authorized party, generating an identity authorization request according to the declaration information of the authorizing party and sending the identity authorization request to the authorizing party when the identity verification result of the authorizing party on the authorized party is passed;
the authorization party is used for generating verifiable certificate data according to the identity authorization request and sending the identification of the verifiable certificate data in the verifiable certificate data to the registration system;
the registration system is used for updating according to the identification of the verifiable certificate data and returning an updating result to the authorized party;
the authorizer is further used for sending the verifiable credential data to the authorized party so that the authorized party can store the verifiable credential data.
In one possible implementation, the authorized party is specifically configured to:
generating an authentication request according to the identity of the authorized party, and sending the authentication request to the authorizer;
the authorizer is specifically configured to:
generating a first random number and returning the first random number to the authorized party;
the authorized party is further specifically configured to:
signing the first random number by using the private key of the authorized party stored by itself to obtain a first signature result, and sending the first signature result, the first random number and the identity of the authorized party to the authorizer;
the authorizer is further specifically configured to:
and acquiring the identity file of the authorized party from the registration system according to the identity of the authorized party, acquiring the public key of the authorized party from the identity file of the authorized party, and verifying the signature of the first signature result by using the acquired public key of the authorized party and the first random number.
In one possible implementation, the authorized party is specifically configured to:
acquiring the identity of the authorizer, and sending the identity of the authorizer to the registration system;
the registration system is specifically configured to:
and retrieving a statement template list bound with the authorizing party according to the identity of the authorizing party and sending the statement template list to the authorized party.
In one possible implementation, the authorized party is specifically configured to:
and selecting a required declaration template from the declaration template list of the authorizer, generating declaration data of an authorized party according to the selected declaration template, and generating the identity authorization request according to the declaration data of the authorized party.
In a possible implementation manner, the authorized party is further configured to generate declaration data of the authorized party according to declaration information of the authorizing party; the identity authorization request comprises the declaration data of the authorized party;
the authorizer is specifically configured to:
generating an identifier of the verifiable certificate data according to a preset rule, and signing the declaration data of the authorized party by using the private key of the authorizer stored by itself to obtain a signature of the declaration data of the authorized party;
generating the verifiable credential data based on the authorized party claim data, a signature of the authorized party claim data, and an identification of the verifiable credential data.
In one possible implementation, the authorizer is further configured to:
signing the identification of the verifiable certificate data by using the private key of the authorizer to obtain a signature of the verifiable certificate data identification;
sending the signature of the verifiable certificate data identification and the identity of the authorizer to the registration system;
the registration system is specifically configured to:
and finding out the public key corresponding to the authorizer according to the identity of the authorizer, and verifying the signature of the verifiable certificate data identifier by using the public key of the authorizer and the identifier of the verifiable certificate data.
In a possible implementation, when the signature verification result is pass, the registration system is specifically configured to add the identification of the verifiable credential data to a list of verifiable credential data of an authorized party.
In a possible implementation manner, the authorizer is specifically configured to:
sending the verifiable credential data and the identity of the authorizing party to the authorized party;
sending a query request to the registration system according to the identification of the verifiable certificate data and the identification of the authorized party;
the registration system is specifically configured to:
retrieving whether the identifier of the verifiable certificate data exists in a verifiable certificate data list of the authorization party or not according to the identity of the authorization party, if so, indicating that the identifier of the verifiable certificate data is valid, and returning the query result and the identity file of the authorization party corresponding to the identity of the authorization party to the authorized party;
the authorized party is further specifically configured to:
and verifying the verifiable certificate data according to the identity file of the authorizer, and if the verifiable certificate data passes the verification, confirming that the verifiable certificate data is legal and storing the legal verifiable certificate data.
In one possible implementation, the authorized party is specifically configured to:
acquiring the public key of the authorizer from the identity file of the authorizer, and verifying the signature of the authorized party declaration data in the verifiable certificate data by using the public key of the authorizer and the authorized party declaration data in the verifiable certificate data.
In a possible implementation manner, the authorizer is specifically configured to:
signing the verifiable certificate data by using a private key, and sending the signed verifiable certificate data to the authorized party;
sending an entity identity query request to the registration system;
the registration system is specifically configured to:
returning the identity file of the entity stored in advance to the authorized party;
the authorized party is further specifically configured to:
verifying the signed verifiable certificate data by using the identity file of the entity, and if the verification is successful, confirming that the verifiable certificate data is legal;
and sending a result of confirming that the verifiable certificate data is legal to the registration system for inquiry, and if the registration system inquires that the verifiable certificate data is valid, returning an inquiry result to the authorized party so that the authorized party stores the verifiable certificate data.
In one possible implementation, the authorized party is further configured to:
generating a second random number; the identity authorization request also comprises the second random number;
the authorizer is specifically configured to:
generating a third random number, and generating authentication data and encrypted data of the verifiable certificate data according to the second random number, the third random number and the verifiable certificate data; sending the authentication data, the encrypted data of the verifiable certificate data and the identity of the authorizer stored by itself to the authorized party;
the authorized party is further configured to: acquiring the identity file of the authorizer from the registration system according to the identity of the authorizer; verifying the authentication data according to the identity file of the authorizer, and if the verification passes, decrypting the encrypted data of the verifiable certificate data to obtain the verifiable certificate data, and storing the verifiable certificate data obtained by decryption.
In a possible implementation manner, the authorizer is specifically configured to:
encrypting the third random number by using the public key of the authorized party, acquired when the authorizer performed identity verification on the authorized party, to obtain encrypted data of the third random number;
signing the third random number by using the private key of the authorizer stored by itself to obtain a signature of the third random number;
and generating a first session key according to the second random number and the third random number, and encrypting the verifiable certificate data by using the first session key to obtain the encrypted data of the verifiable certificate data.
In one possible implementation, the authorized party is specifically configured to:
acquiring the public key of the authorizer from the identity file of the authorizer, and decrypting the encrypted data of the third random number by using the private key of the authorized party stored by itself to obtain first decrypted data;
and verifying the signature of the third random number by using the public key of the authorizer and the first decrypted data.
In one possible implementation, the authorized party is specifically configured to:
if the signature verification is successful, generating a second session key according to the second random number and the first decryption data;
decrypting the encrypted data of the verifiable credential data by using the second session key to obtain the verifiable credential data, extracting the declaration data of the authorized party and the signature of that declaration data from the verifiable credential data, verifying the signature of the declaration data of the authorized party by using the public key of the authorizer and the extracted declaration data of the authorized party, and storing the verifiable credential data if the verification passes.
In one possible implementation, the authorized party is further configured to:
sending an identification of verifiable credential data in the verifiable credential data to the registration system, the registration system checking whether the identification of verifiable credential data is valid;
and when the verification result is that the identification of the verifiable certificate data is valid and the authorized party passes the verification result of the authentication data, storing the verifiable certificate data.
In one possible implementation, the authorizer is further configured to:
and auditing according to the identity authorization request sent by the authorized party.
In one possible implementation, the target party is the authorizer or the authorized party; the target party is specifically configured to:
generating a corresponding identity and an identity file, and performing identity registration to the registration system according to the identity and the identity file; the identity file comprises a corresponding signature verification public key;
the registration system is specifically configured to: and checking the identity identification and the identity file, if the identity identification and the identity file pass the checking, determining that the target party completes identity registration, and storing the identity file corresponding to the target party.
In one possible implementation, the target party is specifically configured to:
acquiring current time, setting a key pair type, and generating a public key and a private key according to the current time and the key pair type;
carrying out Hash operation on the public key to obtain a corresponding Hash value, and using the Hash value as the identity of the target party;
and generating the identity file of the target party according to the identity and the public key.
In one possible implementation, the target party is specifically configured to:
sending the identity identification and the identity file to a registration system;
the registration system is specifically configured to: determining whether the identity identifier exists in the stored set of identity identifiers, and if not, sending a random identifier to the target party.
In one possible implementation, the target is further configured to:
receiving the random identifier, and signing the random identifier by using the private key to obtain first signature data;
sending the identity file, the random identifier and the first signature data to the registration system;
the registration system is further configured to: and checking the first signature data according to the identity file, if the first signature data passes the check, determining that the target party completes identity registration, and storing the identity file corresponding to the target party.
In one possible implementation, the target is further configured to:
storing the identity file;
the registration system is further configured to: sending the query address of the identity to the target party;
the target is further to: and updating the identity file according to the query address of the identity identification.
In a possible implementation manner, when the target party is the authorizer, the authorizer is further configured to:
generating authorizer identity data, and signing the identity data by using the private key to obtain second signature data; the authorizer identity data is data showing that the authorizer has identity authorization authority;
sending the identity file and the identity data and the second signature data to the registration system;
the registration system is further configured to: verifying the second signature data according to the identity file, if the second signature data passes the verification, granting the identity authorization authority qualification of the authorizer, storing the identity authorization authority qualification into an identity file stored by the authorizer, and sending the registration state and the identity inquiry address of the authorizer to the authorizer;
the authorizer is further configured to: updating the identity query address into the identity file stored by itself.
In one possible implementation, the authorizer is further configured to:
generating declaration information, and signing a declaration template inquiry address in the declaration information by using the private key to obtain third signature data; the declaration information comprises a declaration template and a declaration template query address;
sending the identity file, the claim template inquiry address in the claim information and the third signature data to the registration system;
the registration system is further configured to: verifying the third signature data according to the identity file stored by itself, if the third signature data passes the verification, storing the declaration information in the identity file stored by itself, and returning a newly-added result of the declaration information to the target party;
the target party is further configured to: updating the declaration template query address into the identity file stored by itself.
In one possible implementation, the authorized party is further configured to:
setting a security identifier, and setting the type of the security identifier as plaintext return or ciphertext return; the identity authorization request also comprises the security identifier;
the authorizer is further configured to: judging the type of the security identifier, and when the type of the security identifier is plaintext return, sending plaintext data of the verifiable certificate data to the authorized party; and when the type of the security identifier is ciphertext return, sending the ciphertext data of the verifiable certificate data to the authorized party.
Therefore, the embodiment of the application has the following beneficial effects:
According to the technical scheme, the identity authorization blockchain system used for identity verification comprises a registered authorized party and a verifying party, and a registration system is deployed in the identity authorization blockchain system. After the authorized party sends a verification request including the identity of the authorized party to the verifying party, the verifying party may generate a random number according to the verification request and return the random number to the authorized party. The authorized party can generate a verifiable report according to the random number and the verifiable certificate data stored by itself, and send the verifiable report and its stored identity to the verifying party, so that the verifying party can acquire the identity file of the authorized party from the registration system by using the identity of the authorized party, verify the verifiable report according to that identity file, and return a verification result to the authorized party. Because the registration system is based on a blockchain, which is decentralized and cannot be tampered with by outside parties, the accuracy and reliability of the identity verification result of the authorized party can be effectively improved.
Drawings
In order to more clearly illustrate the embodiments of the present application or the technical solutions in the prior art, the drawings needed to be used in the description of the embodiments or the prior art will be briefly introduced below, and it is obvious that the drawings in the following description are only some embodiments of the present application, and it is obvious for those skilled in the art that other drawings can be obtained according to the drawings without inventive exercise.
Fig. 1 is a flowchart of an identity verification method according to an embodiment of the present application;
Fig. 2 is a flowchart of an identity authorization method provided in an embodiment of the present application;
Fig. 3 is a signaling interaction example diagram in an identity registration phase according to an embodiment of the present application;
Fig. 4 is a diagram illustrating signaling interaction for identity registration of an authorized party according to an embodiment of the present application;
Fig. 5 is a diagram of an example of signaling interaction for adding a declaration template provided in an embodiment of the present application;
Fig. 6 is a block diagram of an identity verification apparatus according to an embodiment of the present application.
Detailed Description
Embodiments of the present application are described below with reference to the accompanying drawings.
At present, a certificate authority that performs identity authorization may be maliciously attacked or controlled, so that identity authorization may be granted between two parties that have no association relationship. The identity authorization relationship is then untrustworthy, the identity verification result of the authorized party is untrustworthy as well, and subsequent data processing operations on the authorized party cannot be carried out.
Therefore, the embodiment of the application provides an identity verification system that effectively improves the accuracy and reliability of the identity verification result of the authorized party, based on the decentralization of the blockchain and the fact that it cannot be tampered with by external parties. Next, an identity authorization system provided in the embodiment of the present application is described.
Fig. 1 shows a flowchart of a method for identity authentication provided in an embodiment of the present application. As shown in Fig. 1, the identity authorization blockchain system includes a registered authorized party (Holder), a registration system, and an authenticating party (Verifier). The authorized party may be any type of Entity device (Entity), such as a person, a device, or a virtual website. For example, the authorized party may be a user, a cell phone, an internet of things device, and the like. The Verifier refers to an Entity for verifying Verifiable Credential data (VC), and may be any type of Entity device (Entity), such as a person, a device, or a virtual website. For example, the verifying party may be a service provider or the like. The identity of the authorized party may be verified using the authenticating party and the registration system.
The registration system may be a smart contract or another control system deployed in the identity authorization blockchain system. It should be noted that, in the subsequent embodiments of the present application, the registration system is described taking a smart contract as an example; implementations using other control systems may refer to the implementation process of the smart contract and are not described in detail. A smart contract is a computer protocol that, once formulated and deployed, is self-executing and self-verifying and needs no human intervention. Smart contracts allow trusted transactions to be conducted without third parties, and these transactions are traceable and irreversible. The automation of the smart contract in the system, and the fact that it cannot be tampered with from outside, improve the accuracy and reliability of the identity verification result of the authorized party.
In an embodiment of the present application, a method for performing identity authentication includes:
S101: the authorized party sends an authentication request to the authenticator, wherein the authentication request comprises the identity of the authorized party.
S102: the authenticator generates a random number (nonce) according to the authentication request and returns the random number (nonce) to the authorized party.
S103: the authorized party generates a Verifiable report (VP) according to the random number (nonce) and the Verifiable credential data stored by the authorized party, and sends the Verifiable report and the identity of the authorized party stored by the authorized party (which may be defined as DID_H herein) to the verifying party.
The verifiable credential data (VC) stored by the authorized party is obtained and stored through the following steps S201 to S204, and the specific obtaining process can be referred to the detailed description of the following steps S201 to S204.
Specifically, in one possible implementation, the implementation procedure of "the authorized party generates a verifiable report (VP) from the random number (nonce) and the verifiable credential data (VC) held by itself" in this step S103 includes the following steps S1031 to S1032:
Step S1031: the authorized party signs the random number (nonce) using the authorized party's private key held by the authorized party itself, resulting in signature data (defined herein as fourth signature data), and signs the verifiable credential data (VC) using the authorized party's private key, resulting in signature data (defined here as fifth signature data).
Step S1032: the authorized party generates a verifiable report using the random number (nonce), the fourth signature data, the verifiable credential data (VC), and the fifth signature data.
S104: the authenticator acquires the identity Document (DID Document) of the authorized party from the registration system (namely the smart contract) by using the identity (DID_H) of the authorized party, verifies the verifiable report (VP) according to the identity Document (DID Document) of the authorized party, and returns a verification result to the authorized party, so as to realize the identity authentication of the authorized party.
It should be noted that, in a possible implementation manner, after the verifiable report (VP) is generated through the above steps S1031 to S1032, a specific implementation process of "the verifier verifies the verifiable report (VP) according to the identity Document (DID Document) of the authorized party" in this step S104 is as follows: the verifier acquires the public key of the authorized party from the identity Document (DID Document) of the authorized party, and verifies the signatures of the fourth signature data and the fifth signature data respectively by using the public key of the authorized party. The specific signature verification process comprises the following two implementation modes:
One way is that the verifier first obtains the random number (nonce) from the verifiable report (VP), then uses the public key of the authorized party and the random number (nonce) to verify the signature of the fourth signature data, and when that verification passes, uses the public key of the authorized party and the verifiable credential data (VC) to verify the signature of the fifth signature data.
Alternatively, the verifier first verifies the signature of the fifth signature data using the public key of the authorized party and the verifiable credential data (VC), and then, when that verification passes, obtains the random number (nonce) from the verifiable report (VP) and verifies the signature of the fourth signature data using the public key of the authorized party and the random number (nonce).
It should be noted that, in an alternative implementation manner, in order to improve the accuracy of the identity verification result of the authorized party, in the step S104, after the verifying party verifies the verifiable report (VP) according to the identity Document (DID Document) of the authorized party, the following steps (1) - (3) may be performed first, and then a more accurate verification result is returned to the authorized party.
Step (1): the verifier first obtains the verifiable credential data (VC) from the verifiable report (VP), then extracts the identity of the authorized party (DID_H) and the identifier of the verifiable credential data (VC_ID) from the obtained VC, and may then send both to the registration system (i.e., the smart contract) for the subsequent step (2).
Step (2): the registration system (i.e., the smart contract) checks whether the identity (DID_H) of the authorized party and the identifier (VC_ID) of the verifiable credential data are in the list of valid verifiable credential data, and returns to the verifier a query result stating that the authorized party is valid or invalid, i.e., that the identifier (VC_ID) of the verifiable credential data of the authorized party is valid or invalid.
Step (3): after receiving the query result returned by the registration system (i.e., the smart contract), the verifier, if it determines that the identifier (VC_ID) of the verifiable credential data of the authorized party is valid, may return the result of verifying the verifiable report (VP) to the authorized party; that is, the identity of the authorized party passes verification and the verification of the VP is complete. If the identifier (VC_ID) of the verifiable credential data of the authorized party is determined to be invalid, the result of verifying the verifiable report (VP) is not returned to the authorized party; that is, the identity of the authorized party does not pass verification.
In summary, in the identity authentication method provided in this embodiment, the identity authorization blockchain system used for identity authentication includes a registered authorized party and a registered verifier, and a registration system is deployed in the identity authorization blockchain system. After the authorized party sends an authentication request including its identity to the verifier, the verifier may generate a random number according to the authentication request and return it to the authorized party. The authorized party can generate a verifiable report according to the random number and the verifiable credential data that it stores, and send the verifiable report and its stored identity to the verifier, so that the verifier can acquire the identity document of the authorized party from the registration system by using that identity, verify the verifiable report according to the identity document, and return a verification result to the authorized party. Further, because the registration system is built on a blockchain, which is decentralized and cannot be tampered with from outside, the accuracy and reliability of the identity verification result of the authorized party can be effectively improved.
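The check order of S104 and steps (1)-(3) can be followed in code. The Go program below is an added example and not part of the patent text; Ed25519, the `did:example:` identifiers, the VC field layout, the per-holder nonce table and the extra check of the issuer's signature on the VC are assumptions of this example.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
)

var (
	ErrNonce   = errors.New("nonce unknown, mismatched or already used")
	ErrSig     = errors.New("identity or signature check failed")
	ErrInvalid = errors.New("VC_ID is not in the valid list")
)

// Registry is an in-memory stand-in for the registration system (smart contract).
type Registry struct {
	keys  map[string]ed25519.PublicKey // DID -> public key from its DID Document
	valid map[[2]string]bool           // {DID_I, VC_ID} pairs on the valid VC list
}

// VC holds the holder's claim data and the issuer's signature over it.
type VC struct {
	ID, DIDI, DIDH, Claim string
	Proof                 []byte
}

// body quotes each field so the signed bytes cannot be split another way.
func (c VC) body() []byte {
	return []byte(fmt.Sprintf("%q%q%q%q", c.ID, c.DIDI, c.DIDH, c.Claim))
}

// VP is the verifiable report of step S1032.
type VP struct {
	DIDH            string
	Nonce, NonceSig []byte // NonceSig is the fourth signature data
	VC              VC
	VCSig           []byte // fifth signature data
}

// Present is the holder's side: sign the nonce, then the VC.
func Present(key ed25519.PrivateKey, didH string, nonce []byte, vc VC) VP {
	return VP{didH, nonce, ed25519.Sign(key, nonce), vc,
		ed25519.Sign(key, append(vc.body(), vc.Proof...))}
}

type Verifier struct {
	reg     *Registry
	pending map[string][]byte // one outstanding nonce per holder DID
}

func (v *Verifier) Challenge(didH string) []byte { // fresh nonce per request
	n := make([]byte, 32)
	if _, err := rand.Read(n); err != nil {
		panic(err)
	}
	v.pending[didH] = n
	return n
}

// VerifyVP is step S104 followed by the registry check of steps (1)-(3).
func (v *Verifier) VerifyVP(vp VP) error {
	want, ok := v.pending[vp.DIDH]
	delete(v.pending, vp.DIDH) // single use, pass or fail
	if !ok || !bytes.Equal(want, vp.Nonce) {
		return ErrNonce
	}
	holder, okH := v.reg.keys[vp.DIDH]
	issuer, okI := v.reg.keys[vp.VC.DIDI]
	if !okH || !okI || vp.VC.DIDH != vp.DIDH ||
		!ed25519.Verify(holder, vp.Nonce, vp.NonceSig) || // fourth signature data
		!ed25519.Verify(holder, append(vp.VC.body(), vp.VC.Proof...), vp.VCSig) || // fifth
		!ed25519.Verify(issuer, vp.VC.body(), vp.VC.Proof) { // issuer's signature
		return ErrSig
	}
	if !v.reg.valid[[2]string{vp.VC.DIDI, vp.VC.ID}] {
		return ErrInvalid
	}
	return nil
}

// DemoVerify checks a VP, replays it, then retries after the VC_ID is delisted.
func DemoVerify() (first, replay, revoked error) {
	pubI, keyI, _ := ed25519.GenerateKey(rand.Reader)
	pubH, keyH, _ := ed25519.GenerateKey(rand.Reader)
	vc := VC{ID: "vc-0001", DIDI: "did:example:issuer", DIDH: "did:example:holder", Claim: "constructed claim"}
	vc.Proof = ed25519.Sign(keyI, vc.body())
	reg := &Registry{map[string]ed25519.PublicKey{vc.DIDI: pubI, vc.DIDH: pubH},
		map[[2]string]bool{[2]string{vc.DIDI, vc.ID}: true}}
	v := &Verifier{reg, map[string][]byte{}}
	vp := Present(keyH, vc.DIDH, v.Challenge(vc.DIDH), vc)
	first = v.VerifyVP(vp)
	replay = v.VerifyVP(vp)                      // same VP again: nonce already used
	delete(reg.valid, [2]string{vc.DIDI, vc.ID}) // registry removes the VC_ID
	revoked = v.VerifyVP(Present(keyH, vc.DIDH, v.Challenge(vc.DIDH), vc))
	return
}

func main() { fmt.Println(DemoVerify()) }
```

Both signatures on the second and third VP are valid; they are rejected because the nonce was consumed and because the VC_ID left the valid list, which are the two checks that signature verification alone does not provide.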
Next, the embodiment of the present application will describe in detail the generation process of verifiable credential data (VC) corresponding to an authorized party:
To generate the verifiable credential data (VC) corresponding to an authorized party, that is, to implement identity authorization of the authorized party, an authorizer is first deployed in the identity authorization blockchain system. Referring to fig. 2, which shows a flowchart of an identity authorization method provided in an embodiment of the present application, the identity authorization blockchain system includes a registered authorizer (Issuer), an authorized party (Holder), and a registration system. The authorizer may authorize the authorized party, and the authorizer may be any type of Entity device (Entity): a person, a device, or a virtual website. For example, the authorized party may be a service provider or a device manufacturer, etc. Therefore, verifiable credential data (VC) corresponding to the authorized party can be generated on the basis of the blockchain's decentralization and its resistance to tampering from outside, and the security and reliability of identity authorization between the authorizing party and the authorized party are effectively improved.
In the embodiment of the application, the method for performing authorized identity authorization comprises the following steps:
S201: the authorized party obtains the declaration information of the authorizing party from the registration system and, using the identity that it stores, requests the authorizing party to authenticate it; when the result of that authentication is a pass, the authorized party generates an identity authorization request according to the declaration information of the authorizing party and sends it to the authorizing party.
The declaration information of the authorizing party may be used to identify the identity of the authorizing party.
For example, when the authorizer is the producer of the authorized party, the identity claim (Claim) of the authorizer can include production specification information for the authorized party devices that the authorizer produces; that is, the identity claim identifies the identity of the authorizer.
In some possible implementation manners of the embodiment of the present application, the implementation process of "the authorized party obtains the declaration information of the authorizing party from the registration system" in step S201 includes the following steps A1-A2:
Step A1: the authorized party obtains the identity of the authorizing party and sends it to the registration system.
It should be noted that an authorizing party usually discloses its identity (DID) information through a public channel (e.g., an official website); this identity is defined as DID_I herein. To obtain the claim information of the authorizer, the authorized party first obtains the identity (DID_I) of the authorizer through the above-mentioned public channel and can then send it to the registration system (i.e., the smart contract).
Step A2: the registration system retrieves the list of claim templates bound to the authorizing party based on the identity of the authorizing party and sends it to the authorized party.
After the authorized party sends the identity (DID_I) of the authorizing party to the registration system (i.e., the smart contract) through step A1, the registration system retrieves the declaration template list bound to the authorizing party according to that identity (DID_I) and sends the list to the authorized party.
Furthermore, after receiving the declaration template list bound to the authorizer, the authorized party may request the authorizer to authenticate it according to the identity (DID_H) that the authorized party stores, where the authentication process includes the following steps B1-B4:
Step B1: the authorized party generates an authentication request according to its identity and sends the authentication request to the authorizing party.
Step B2: the authorizer generates a first random number and returns the first random number to the authorized party.
Upon receiving the authentication request sent by the authorized party, the authorizing party first generates a first random number (which may be defined herein as r1) and then returns the first random number (r1) to the authorized party.
Step B3: the authorized party signs the first random number (r1) with the private key that it stores to obtain a first signature result, and sends the first signature result, the first random number and the identity (DID_H) of the authorized party to the authorizing party.
Step B4: the authorizer obtains the identity document (DID Document) of the authorized party from the registration system (i.e., the smart contract) according to the identity (DID_H) of the authorized party, obtains the public key of the authorized party from that DID Document, and can then use the obtained public key and the first random number (r1) to verify the received first signature result.
Therefore, when the authorizing party has verified the received first signature result and the verification shows that the authentication of the authorized party has passed, the identity authorization request can be generated according to the declaration information of the authorizing party and sent to the authorizing party. The specific process for generating the identity authorization request is as follows: the authorized party selects the desired claim template from the list of claim templates of the authorizing party, generates the claim data of the authorized party (which may be defined herein as Claim_H) based on the selected template, generates an identity authorization request based on that claim data, and sends it to the authorizer to request identity authorization.
S202: the authorization party generates verifiable certificate data according to the identity authorization request and sends the identification of the verifiable certificate data in the verifiable certificate data to the registration system.
In this embodiment, after receiving the identity authorization request sent by the authorized party, the authorizing party may then generate verifiable credential data according to the identity authorization request. The verifiable credential data may be data generated when the authorizing party authorizes the authorized party, and may be used to represent the identity authorization of the authorized party by the authorizing party. In one possible implementation, the verifiable credential data includes a Verifiable Credential (VC) or a verifiable credential identifier. The verifiable credential may be obtained by the authorizing party according to the assertion information of the authorized party, and the verifiable credential identifier may be generated by the authorizing party in a preset identifier generation manner (a manner of generating corresponding verifiable credential identifiers for different authorized parties), such as random number generation.
The following describes how verifiable credentials may be generated.
Specifically, in one possible implementation, after the authorized party acquires the declaration information of the authorizing party, the authorized party may generate declaration data of the authorized party according to the declaration information of the authorizing party, and the declaration data of the authorized party may be included in the identity authorization request. Thus, a specific implementation of the process in which the authorizing party generates the verifiable credential data may include the following steps C1-C2:
Step C1: the authorizing party generates an identifier of the verifiable credential data according to a preset rule, and signs the declaration data of the authorized party by using the private key that the authorizing party stores to obtain the signature of the declaration data of the authorized party.
Step C2: the authorizer generates the verifiable credential data based on the authorizee claim data, a signature of the authorizee claim data, and an identification of the verifiable credential data.
Specifically, the authorizer may generate a verifiable credential identifier, i.e., VC_ID, according to a preset rule, and use the private key that it stores to sign the authorized party's declaration data included in the identity authorization request sent by the authorized party, so as to obtain the signature of the declaration data of the authorized party (defined as sign_close herein). Verifiable credential data can then be generated based on the authorized party claim data, the signature of the authorized party claim data (sign_close), and the identifier of the verifiable credential data (VC_ID). The verifiable credential (hereinafter VC for short) can be obtained, for example, by combining the signature of the claim data and the verifiable credential identifier.
It should be noted that, in practical applications, usually only the verifiable credential identifier (i.e., VC_ID) in the verifiable credential data is uploaded to the blockchain smart contract after being signed by the authorizing party, so as to perform the subsequent step S103. The VC_ID is contained in the VC data, and the whole VC data is signed by the authorizing party and then sent to the authorized party, so the VC_ID is also tamper-proof and can stand in for the complete VC data.
It should be further noted that, after receiving the identity authorization request sent by the authorized party, the authorizing party needs to audit that request before generating the verifiable credential data from it. For example, some personal real-name information or social attribute information of the authorized party, such as name, identification number, business license, etc., needs to be checked to ensure that the authorized party is legal before the subsequent identity authorization steps continue, thereby further improving the security and reliability of identity authorization between the authorizing party and the authorized party.
In a particular implementation, the VC is issued by an authorizing party, such as an organization, to an authorized party and is an authentication of a claim provided by the authorized party; the authorized party is able to use the VC in a related application so that a service provider other than the authorizing party can verify, through the API, the VC presented by the authorized party.
The basic components of a VC may include: credential metadata (Credential Metadata), claims (Claims), and proofs (Proofs). Credential Metadata comprises attributes of the VC, such as issuer and timestamp, and is signed by the Issuer. Claims: different types of claims may have different fields, and a VC may contain one claim or a group of claims, as defined by the Issuer. Proofs is typically a digital signature by the Issuer. In addition, each VC may also have a corresponding identifier (Identifier).
For example, the following is an example of a VC:
S203: the registration system updates according to the identification of the verifiable credential data and returns an update result to the authorized party.
The authorizing party sends the identifier of the verifiable credential data to the smart contract (i.e., the registration system) for storage; the smart contract updates the authorizing party's list of valid verifiable credential data and returns an update result to the authorizing party. Because the identifier of the verifiable credential data carries no identity information of the authorized party, leakage of the authorized party's identity data is prevented and data security is ensured.
In addition, the verifiable certificate can be sent to the intelligent contract (namely, the registration system) as verifiable certificate data to be stored in the intelligent contract, the valid verifiable certificate data list of the authorized party is updated, and the updating result is returned to the authorized party.
It should be noted that, in a possible implementation manner, before the authorizing party sends the identifier of the verifiable credential data to the registration system, the authorizing party may also use the private key of the authorizing party to sign the identifier of the verifiable credential data to obtain the signature of the identifier of the verifiable credential data, so that, before the "registration system updates according to the identifier of the verifiable credential data" in this step S103, the following steps D1-D2 may also be performed:
Step D1: the authorizing party sends the signature of the verifiable credential data identifier and the identity of the authorizing party to the registration system.
Step D2: the registration system finds the public key corresponding to the authorizer according to the identity of the authorizer, and verifies the signature of the verifiable certificate data identifier by using the public key of the authorizer and the identifier of the verifiable certificate data.
Further, the specific implementation process of "the registration system updates according to the identifier of the verifiable credential data" in step S103 is as follows: when the signature verification result is pass, the registration system adds the identification of the verifiable credential data to the list of verifiable credential data of the authorized party.
S204: the authorizing party sends the verifiable credential data to the authorized party for storage by the authorized party.
In this embodiment, after generating the verifiable credential data according to the identity authorization request, the authorizer may send the verifiable credential data to the authorized party, so that the authorized party can store the verifiable credential data, thereby enabling identity authorization of the authorized party.
It should be noted that, before sending the identity authorization request to the authorizing party, the authorized party may further set a security identifier whose type is either plaintext return or ciphertext return, and place it in the identity authorization request; that is, the identity authorization request also includes the security identifier. Therefore, before sending the verifiable credential data to the authorized party, the authorizing party can first determine the type of the security identifier: when the type is plaintext return, it sends the plaintext data of the verifiable credential data to the authorized party; when the type is ciphertext return, it sends the ciphertext data of the verifiable credential data to the authorized party. Depending on the actual situation, the verifiable credential data is sent to the authorized party in one of these two ways so as to realize the identity authorization of the authorized party.
In addition, for the convenience of understanding the technical solution, a specific scenario is exemplified below, and generally, the using flow of the DIDs technology is as follows:
The scenario includes: the authorized party (Subject/Holder), the authorizing party (Issuer), the verifier (Verifier) and the verifiable data registry (Verifiable Data Registry). Subject is the Entity that generates the Claims and is also the Entity to which the VC corresponds. Holder is the authorized party and is usually the same Entity as Subject. Issuer is the Entity (i.e., the authorizer) that issues a VC to Holder and needs to authenticate the Claim that Holder submits for Subject. Verifier is the Entity that verifies the VC, typically the service provider. The Verifiable Data Registry is a database accessible to all Entities, such as a blockchain, which assists in the generation and registration of DIDs, the registration, querying and revocation of VCs, the registration of the Issuer's public keys, and the like.
In this example, Subject, Issuer, and Verifier may each register a DID on the smart contract (i.e., the DID smart contract) in the identity authorization blockchain system, and Issuers may register as authorities, i.e., authorizing parties. Verifier can define the Claim data structure that it accepts. Subject generates a Claim and submits it to the Issuer for certification. The Issuer first authenticates the Subject by the authentication means recorded in the DID Document of the Subject. The Issuer then authenticates the Claim and signs it. The VC is then generated, and the hash digest of the VC is added to the list of VCs on the blockchain smart contract. The Verifier first authenticates the Subject's identity through the DID Document and then confirms the validity of the VC through the VC or the VC identifier on the blockchain.
In summary, the identity authorization blockchain system used for identity authorization includes a registered authorizer and an authorized party, and a registration system is deployed in the identity authorization blockchain system. The authorized party acquires the declaration information of the authorizing party from the registration system and, using the identity that it stores, requests the authorizing party to authenticate it; when the authentication result is a pass, the authorized party generates an identity authorization request according to the declaration information of the authorizing party and sends it to the authorizing party. The authorizing party generates verifiable credential data according to the identity authorization request and sends the identifier of the verifiable credential data to the registration system, so that the registration system updates according to that identifier and returns an update result to the authorizing party; the authorizing party may also send the verifiable credential data to the authorized party for storage by the authorized party. Therefore, because the blockchain is decentralized and cannot be tampered with from outside, the security and reliability of identity authorization between the authorizing party and the authorized party can be effectively improved, which in turn ensures that the identity authorization relationship is credible. The problems of traditional platform account authentication and third-party account authentication are also solved.
Next, the present embodiment will describe two implementation manners of "the authorizing party sends the verifiable credential data to the authorized party for the authorized party to save" in step S204:
(1) the authorizing party sends the verifiable certificate data to the authorized party in the form of plaintext data so as to be stored by the authorized party. The method specifically comprises the following steps E1-E4:
Step E1: the authorizing party sends the verifiable credential data and the identity of the authorizing party to the authorized party.
In this embodiment, if the authorizer determines, before sending the verifiable credential data to the authorized party, that the type of the security identifier is plaintext return, the verifiable credential data and the identity (DID_I) of the authorizer may be sent to the authorized party as plaintext data.
Step E2: the authorized party sends a query request to the registration system according to the identifier of the verifiable credential data and the identity of the authorizing party.
In this embodiment, after the authorized party receives the verifiable credential data and the identity (DID_I) of the authorizing party sent by the authorizing party, it may further send a query request to the registration system according to the identifier (VC_ID) of the verifiable credential data and the identity (DID_I) of the authorizing party, so as to query the validity of the identifier (VC_ID) of the verifiable credential data and of the identity (DID_I) of the authorizing party.
Step E3: the registration system searches whether the identification of the verifiable certificate data exists in the verifiable certificate data list of the authorization party or not according to the identification of the authorization party, if so, the identification of the verifiable certificate data is valid, and the inquiry result and the identification file of the authorization party corresponding to the identification of the authorization party are returned to the authorized party.
Step E4: the authorized party verifies the verifiable credential data according to the identity document of the authorizing party and, if the verification passes, confirms that the verifiable credential data is legal and stores it.
Specifically, the authorized party may obtain the public key of the authorizing party from the identity document of the authorizing party, use that public key and the authorized party declaration data in the verifiable credential data to verify the signature of the authorized party declaration data in the verifiable credential data, and, after the verification result shows that the verifiable credential data passes verification, confirm that the verifiable credential data is legal and store it.
For example: the entity program of the authorized party acquires the public key (pubKey_I) from the identity document of the authorizing party, and a security module (such as a chip or a SIM card of the authorized party) verifies the signature (sign_close_H) of the authorized party declaration data (close_H) in the verifiable credential data and returns the verification result to the entity program. If the verification succeeds, the entity program can determine that the verifiable credential data is valid and can then send the verifiable credential data, which contains the identifier (VC_ID) of the verifiable credential data, to the security module for storage, after which the security module returns a storage result to the entity program.
(2) The authorizing party sends the verifiable certificate data to the authorized party in the form of ciphertext data so as to be stored by the authorized party.
In a first implementation manner, the specific implementation process of the authorizer sending the verifiable credential data to the authorizee in the form of ciphertext data so that the authorizee saves the data may include the following steps F1-F5:
Step F1: the authorizing party signs the verifiable credential data by using its private key and sends the signed verifiable credential data to the authorized party.
In this embodiment, if the authorizer determines, before sending the verifiable credential data to the authorized party, that the type of the security identifier is ciphertext return, the authorizer may send the ciphertext data of the verifiable credential data to the authorized party. Specifically, the authorizer may first sign the verifiable credential data (e.g., with a digital signature) using its private key and then send the signed verifiable credential data to the authorized party.
Step F2: the authorized party sends an entity identity query request to the registration system.
In this embodiment, after the authorized party receives the signed verifiable credential data sent by the authorized party, further, an entity identity query request may be sent to the registration system.
Step F3: the registration system returns the identity file of the entity stored in advance to the authorized party.
Step F4: the authorized party verifies the signature of the signed verifiable credential data by using the identity document of the entity and, if the verification succeeds, confirms that the verifiable credential data is legal.
Step F5: the authorized party sends the result of confirming that the verifiable credential data is legal to the registration system for query; if the registration system finds that the verifiable credential data is valid, it returns the query result to the authorized party so that the authorized party can store the verifiable credential data.
In a second implementation manner, the authorized party generates a second random number in advance, and sets the second random number in the identity authorization request, namely, the second random number is included in the identity authorization request. The specific implementation process of the authorizer sending the verifiable credential data to the authorizee in the form of ciphertext data so that the authorizee can save the data may include the following steps G1-G2:
Step G1: the authorizing party generates a third random number and generates authentication data and encrypted data of the verifiable credential data according to the second random number, the third random number and the verifiable credential data; it then returns the authentication data, the encrypted data of the verifiable credential data and the identity of the authorizing party that it stores to the authorized party as ciphertext.
Step G2: the authorized party acquires the identity document of the authorizing party from the registration system according to the identity of the authorizing party, verifies the authentication data according to that identity document, and, when the verification passes, decrypts the encrypted data of the verifiable credential data to obtain the verifiable credential data and stores the verifiable credential data obtained by decryption.
In some possible implementations of the embodiment of the present application, a specific implementation process of "the authorizing party generates the authentication data and the encrypted data of the verifiable credential data according to the second random number, the third random number and the verifiable credential data" in step G1 includes the following steps H1-H3:
Step H1: the authorizing party encrypts the third random number by using the public key of the authorized party, which it acquired when authenticating the authorized party, to obtain the encrypted data of the third random number.
Step H2: the authorizing party signs the third random number by using the private key that the authorizing party stores to obtain a signature of the third random number.
Step H3: the authorizing party generates a first session key according to the second random number and the third random number, and encrypts the verifiable credential data by using the first session key to obtain the encrypted data of the verifiable credential data.
On this basis, the specific implementation process of "verifying the authentication data according to the identity document of the authorized party" in the step G2 includes the following steps I1-I2:
Step I1: the authorized party acquires the public key of the authorizing party from the identity document of the authorizing party, and decrypts the encrypted data of the third random number by using the private key that the authorized party stores to obtain first decrypted data.
It should be noted that the identity document usually includes a plurality of public keys and corresponding key identifiers. Therefore, when the identity document of the authorizer includes a plurality of keys, the authorized party first needs to find the public key corresponding to the authorizer through the key identifier, and can then decrypt the encrypted data of the third random number by using the private key that the authorized party stores to obtain the first decrypted data.
Step I2: the authorized party verifies the signature of the third random number using the public key of the authorizing party and the first decrypted data.
On this basis, the specific implementation process of the authorized party in the step G2 decrypting the encrypted data of the verifiable credential data to obtain the verifiable credential data and storing the verifiable credential data obtained by decryption includes the following steps J1-J2:
Step J1: If the signature verification is successful, the authorized party can generate a second session key according to the second random number and the first decrypted data.
Step J2: The authorized party decrypts the encrypted data of the verifiable certificate data by using the second session key to obtain the verifiable certificate data, extracts the declaration data of the authorized party and the signature of that declaration data from the verifiable certificate data, verifies the signature of the declaration data by using the public key of the authorizing party and the extracted declaration data, and stores the verifiable certificate data if the verification passes.
In addition, in an optional implementation, to improve the security and reliability of the identity authorization between the authorizing party and the authorized party, before the authorized party saves the verifiable certificate data, the identification (VC_ID) of the verifiable certificate data contained in the verifiable certificate data can also be sent to the registration system, so that the registration system checks whether the identification of the verifiable certificate data is valid; for example, the validity of the identification (DID_I) of the authorized party can be verified by checking whether the VC list exists. When the check result is that the identification (DID_I) of the verifiable certificate data is valid and the authorized party's verification of the authentication data has passed, the authorized party can save the verifiable certificate data.
Next, a method for registering an authorizer and an authorized party in an identity authorization blockchain system will be described. In one possible implementation, the authorizing party or the authorized party is taken as an example for explanation.
In this implementation, the target party (specifically, the authorizer or the authorized party) may generate the corresponding identity and the identity file. The identity is used to identify the target party in the identity authorization blockchain system. The target party may also generate a corresponding public-private key pair, which is used to verify the identity of the target party by way of signing and signature verification. The public key generated by the target party serves as the signature verification public key of the target party, and the identity file generated by the target party includes this signature verification public key and the signature verification mode. When the target party signs with its private key to obtain signature data, the signature data can be verified by using the signature verification public key and the signature verification mode.
In a specific implementation, the id generated by the target may be Decentralized Identities (DID), that is, id information autonomously generated and controlled by an Entity (Entity).
The DID contains fixed fields and a unique random string to point to a certain Entity. The syntax format is: "method-name" and "method-specific-ID", wherein the method-name is a scheme name, and the method-specific-ID is an ID number generated based on a scene rule.
For example, the DID for an Entity is:
“DID:bhdc:0d7ef5e3c48123……d10edd982e5b65642af8d2a792964”。
In addition, to ensure uniqueness, the DID may be a hash value of a public key held by the entity, and is registered and certified on the blockchain after being generated to ensure uniqueness of each DID.
Decentralized identity documents (Decentralized identities documents, DID documents):
Each DID has a corresponding DID Document, i.e. identity document, which contains more information about the identity of the target, such as Public Key (Public Key), signature verification method, Service, etc. The DID Document may be stored in user software of the target or in device security hardware, or may be stored in a cloud platform specified by the user after being locally encrypted, which is not limited in the present application.
An example of a DID Document is given below:
The "Public Key" field indicates the public key data held by the DID entity. The "authentication" field indicates a public key that can be used for identity authentication of the DID entity (it may reference a key from the "Public Key" field, or a new public key may be added). The "Service" field identifies the services that the current DID entity can provide externally; for example, a device manufacturer may issue Verifiable Credentials (Verifiable Credential) for the devices it produces.
In order to facilitate understanding of the technical solution of the present application, the following describes the relationship between DID, DID Document, and VC.
The DID documents and the DIDs are in a one-to-one relationship, and each DID has a corresponding DID Document to record a public key and an authentication mode thereof.
DID documents and VCs have no direct relationship, but Issuers may need to verify the Entity identity with the documents when issuing a VC.
DID and VC are not in a simple one-to-one relationship: a DID describes an Entity, and a VC is proof of some attributes of the Entity. Generally speaking, one DID has a plurality of VCs and one VC corresponds to at least one DID; in special cases a VC may correspond to a plurality of DIDs, such as a marriage certificate.
Thus, the target party can perform identity registration with the registration system (i.e. the smart contract) according to the identity and the identity file. It should be noted that the identity file includes the corresponding signature verification public key.
Then, the registration system (i.e. the smart contract) can check the identity and the identity file, and if the check passes, it is determined that the target party has completed identity registration, and the identity file corresponding to the target party is saved.
Specifically, the process of the target generating the corresponding identity and identity file may be: the target party can first set a key type (safeType) and obtain the current time (i.e., timeStamp (timeStamp)), and then randomly generate a pair of public and private keys (pubKey and privKey) according to the key type (safeType) and the current time (timeStamp). The private key can be encrypted and then stored in the chip, then, the public key is subjected to hash operation to obtain a corresponding hash value, the hash value is used as an identity (namely, DID) of the target party, and then, a DID Document (DID Document) of the target party can be generated according to the identity and the public key (pubKey). An optional implementation manner is that after the target party generates the corresponding identity and the identity file, the identity and the identity file can be stored.
On this basis, the target party can send the obtained identity and identity file to the registration system, so that the registration system can check them; that is, the registration system determines whether the identity exists in the previously stored identity set, and if not, a random identifier can be sent to the target party.
Further, after the target party receives the random identifier, the target party can sign the random identifier by using a private key to obtain first signature data, and the identity file, the random identifier and the first signature data are sent to the registration system, so that the registration system can check the signature of the first signature data according to the identity file, and if the signature passes, the target party can be determined to complete identity registration, and the identity file corresponding to the target party is stored.
Still further, an optional implementation manner is that after it is determined that the target party completes identity registration, the registration system may send the query address of the identity to the target party, so that the target party updates the identity file according to the query address of the identity.
For example, referring to fig. 3, which shows an example of signaling interaction in the identity registration phase provided in an embodiment of the present application: as shown in fig. 3, the DID entity, that is, the above-mentioned target party, may be an authorizer or an authorized party. The DID entity may be a data processing device that includes a security module and a device program that communicate via a hardware interface. The registration process of the authorized party (holder) or the authorizing party (issuer) includes:
S501: the device program of the entity can obtain the timeStamp (timeStamp) and the set key pair type (safeType).
The timestamp is the current time of acquisition.
S502: the device program sends the key pair type and the timestamp to the security module of the entity, requesting a generation of an identity (DID) from the security module.
S503: the security module randomly generates a pair of public and private keys from the current time (timeStamp) and the key pair type (safeType).
S504: the security module stores the private key, performs hash operation on the public key to obtain a corresponding hash value, and uses the hash value as an identity (DID) of a target party (i.e., a holder or an issuer).
The security module can encrypt the private key and store the encrypted private key in the chip.
S505: the security module generates an identity file (DID Document) by combining a preset template and the incoming current time timeStamp.
S506: the security module returns an identity Document (DID Document) to the device program.
S507: the device program sends the identification (DID) and the identity Document (DID Document) to the registration system, and requests verification (i.e. auditing) of the identification and the identity Document.
The registration system is built on a blockchain smart contract.
S508: the registration system retrieves whether the identity (DID) is registered (i.e. the registration system needs to determine whether the identity exists in the stored identity set), if not, it indicates that the identity (DID) is available, and S509 is performed.
S509: the registration system sends a random identification (Nonce), such as a random string, to the device program.
S510: the device program requests the security module to sign a random identifier, such as a random string.
S511: the security module signs the random identifier (e.g., a random string) according to a predetermined algorithm (e.g., a signature algorithm such as ECDSA, RSA, SM2, etc.) using the private key, and generates signature data (sign_Nonce), which is defined herein as first signature data.
S512: the security module transmits the first signature data (sign_Nonce) and the identity Document (DID Document) to the device program.
S513: the device program transmits the identity Document (DID Document), the random number (Nonce), and the first signature data (sign_Nonce) to the registration system, requesting identity (DID) registration.
S514: the registration system acquires the public key from the identity Document (DID Document) and verifies the first signature data (sign_Nonce). After the verification is passed, the identity (DID) is registered in the registration system, that is, the identity (DID) is stored in the identity set stored in the registration system, and the identity Document (DID Document) corresponding to the target party is stored.
S515: the registration system returns the registration result and the identity lookup address (uri_did) to the device program.
S516: the device program returns an identity lookup address to the security module.
S517: the security module updates the identity query address to an identity Document (DID Document).
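The registration exchange in S501-S517, as an added example that is not part of the patent text. Assumptions: a standard-library Lamport one-time signature stands in for the ECDSA/RSA/SM2 signature named in S511; the `did:example` method, the `LamportSha256` key type, the `lookupAddress` field and the `registry://` address are hypothetical; and the registry's checks that the nonce is the one it issued for that DID and that the DID equals the hash of the presented public key are added here, since S514 only states that the signature is verified.

```python
import hashlib
import secrets
import time

def _h(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()

def _bits(msg: bytes):
    # 256 message-digest bits select which half of each key pair is revealed.
    digest = _h(msg)
    return [(digest[i // 8] >> (7 - i % 8)) & 1 for i in range(256)]

# Lamport one-time signature: stand-in for ECDSA/RSA/SM2 (assumption, see lead-in).
def lamport_keygen():
    # S503: key material comes from the OS CSPRNG, never from the timestamp.
    priv = [(secrets.token_bytes(32), secrets.token_bytes(32)) for _ in range(256)]
    pub = [(_h(a), _h(b)) for a, b in priv]
    return priv, pub

def lamport_sign(priv, msg: bytes):
    return [priv[i][bit] for i, bit in enumerate(_bits(msg))]

def lamport_verify(pub, msg: bytes, sig) -> bool:
    if len(sig) != 256:
        return False
    return all(_h(sig[i]) == pub[i][bit] for i, bit in enumerate(_bits(msg)))

def encode_pub(pub) -> str:
    return b"".join(a + b for a, b in pub).hex()

def decode_pub(pub_hex: str):
    raw = bytes.fromhex(pub_hex)
    if len(raw) != 256 * 64:
        raise ValueError("unexpected public key length")
    return [(raw[64 * i:64 * i + 32], raw[64 * i + 32:64 * i + 64]) for i in range(256)]

def make_did(pub_hex: str) -> str:
    # S504: the DID is the hash of the public key ("example" method is hypothetical).
    return "did:example:" + hashlib.sha256(bytes.fromhex(pub_hex)).hexdigest()

def make_did_document(did: str, pub_hex: str, timestamp: int) -> dict:
    # S505: minimal constructed template; the timestamp is only recorded here.
    key_id = did + "#key-1"
    return {"id": did, "created": timestamp,
            "publicKey": [{"id": key_id, "type": "LamportSha256",
                           "publicKeyHex": pub_hex}],
            "authentication": [key_id]}

class Registry:
    """Registration system side (a smart contract in the patent, a dict here)."""

    def __init__(self):
        self.documents = {}  # registered DID -> DID Document
        self.pending = {}    # DID -> nonce issued and not yet answered

    def request_registration(self, did: str):
        # S508-S509: refuse an already registered DID, otherwise issue a nonce.
        if did in self.documents:
            return None
        nonce = secrets.token_hex(16)
        self.pending[did] = nonce
        return nonce

    def complete_registration(self, doc: dict, nonce: str, sig) -> dict:
        # S514: verify sign_Nonce with the public key from the DID Document.
        did = doc.get("id")
        issued = self.pending.pop(did, None)  # a nonce is answered at most once
        if issued is None or not secrets.compare_digest(issued, nonce):
            return {"registered": False, "reason": "nonce not issued for this DID"}
        try:
            pub_hex = doc["publicKey"][0]["publicKeyHex"]
            pub = decode_pub(pub_hex)
        except (KeyError, IndexError, TypeError, ValueError):
            return {"registered": False, "reason": "malformed DID Document"}
        if make_did(pub_hex) != did:
            # Added check: otherwise any key holder could claim an arbitrary DID.
            return {"registered": False, "reason": "DID does not match public key"}
        if not lamport_verify(pub, nonce.encode(), sig):
            return {"registered": False, "reason": "signature check failed"}
        self.documents[did] = doc
        # S515: constructed lookup address.
        return {"registered": True, "uri_did": "registry://did/" + did}

def register_device(registry: Registry, timestamp=None):
    """Device program and security module side of S501-S517."""
    priv, pub = lamport_keygen()                               # S503
    pub_hex = encode_pub(pub)
    did = make_did(pub_hex)                                    # S504
    doc = make_did_document(did, pub_hex, timestamp or int(time.time()))
    nonce = registry.request_registration(did)                 # S507-S509
    sig = lamport_sign(priv, nonce.encode())                   # S510-S512
    result = registry.complete_registration(doc, nonce, sig)   # S513-S515
    if result["registered"]:
        doc["lookupAddress"] = result["uri_did"]               # S516-S517
    return doc, result

if __name__ == "__main__":
    print(register_device(Registry())[1])
```

A Lamport key must sign only one message, which fits this flow because the key signs a single registration nonce; a deployment following S511 would use one of the algorithms the text names.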
Next, in another possible implementation manner, taking the authorized party as the target party as an example, the identity registration process of the authorized party is described. The method can also specifically comprise the following steps K1-K4:
Step K1: The authorizing party generates authorizing party identity data and signs the identity data by using its private key to obtain second signature data; the identity data of the authorizing party refers to data which shows that the authorizing party has identity authorization authority.
Step K2: The authorizer sends the identity document, the identity data and the second signature data to the registration system.
Step K3: The registration system verifies the second signature data according to the identity file; if the verification passes, the identity authorization authority qualification of the authorizer is granted, the identity authorization authority qualification is stored in the identity file stored by the authorizer, and the registration state and the identity inquiry address of the authorizer are sent to the authorizer.
Step K4: The authorizer updates the identity inquiry address into the identity file stored by the authorizer.
For example, referring to fig. 4, which shows a signaling interaction example diagram of identity registration of an authorizer provided in an embodiment of the present application: as shown in fig. 4, the method includes:
S601: the device program sets the issuer identity and generates the issuer identity data (IssuerData).
The identity data of the authorized party is data which represents that the authorized party has identity authorization authority;
specifically, the Issuer identity may be manually filled in (i.e., the entity object is determined to be an authorizer) and the authorizer identity data may be generated in the device program of the entity object by the user, or the Issuer identity and the authentication information may be automatically set by the device program, and for some DID entity objects providing services to the outside, the Issuer identity may be registered after the DID identity is registered.
S602: the device program of the entity requests the security module to sign the identity data.
S603: the security module of the entity signs the identity data (IssuerData) with a private key, resulting in a signature (sign_IssuerData), which is defined here as second signature data.
The security module may decrypt the internally stored private key first, and generate second signature data (sign_IssuerData) for the identity data (IssuerData) according to a preset algorithm using the private key.
S604: the security module returns the second signature data (sign_IssuerData) to the device program.
S605: the device program sends an identity Document (DID Document), identity data IssuerData and second signature data (sign_IssuerData) to the registration system to request the identity authority registration of the authorizer (Issuer).
S606: the registration system checks the second signature data (sign_IssuerData) according to the public key in the identity file (DID Document), and if the check is successful, registers the Issuer identity, namely, the identity authorization authority qualification is granted, and the identity authorization authority qualification is stored in the identity file (DID Document) stored by the registration system.
S607: the registration system returns a registration status and an identity lookup address (uri_issuer) to the device program.
S608: the device program sends the identity lookup address (uri_issuer) to the security module.
S609: the security module updates the identity query address (uri_issuer) to the identity Document (DID Document) stored in the security module.
Next, the process of adding the claim template to the authorizer and the authorizee will be described in the embodiments of the present application. Specifically, the method comprises the following steps L1-L4:
Step L1: The authorization party generates statement information, and signs the statement template inquiry address in the statement information by using a private key to obtain third signature data; wherein the declaration information includes a declaration template and a declaration template query address.
Step L2: The authorized party sends the identity file, the claim template inquiry address in the claim information and the third signature data to the registration system.
Step L3: The registration system verifies the third signature data according to the identity file stored by the registration system; if the third signature data passes the verification, the registration system stores the declaration information in the identity file stored by the registration system and returns a newly added result of the declaration information to the target party.
Step L4: the target party updates the claim template address to the identity file stored in the target party.
For example, referring to fig. 5, which illustrates a signaling interaction example diagram of a declaration addition (close) template provided in an embodiment of the present application: as shown in fig. 5, the method includes:
S701: the device program of the entity generates declaration information, where the declaration information includes a declaration template and a declaration template query address (uri_container).
S702: the device program requests the security module of the entity to sign the claim template query address (uri_container) in the claim information.
S703: the security module signs the claim template query address (uri_container) with a built-in private key to obtain signature data (sign_uri_container), which is defined here as third signature data.
S704: the security module sends the third signature data (sign_uri_container) to the device program.
S705: the device program sends an identity file (DID Document), a declaration template query address (uri_container) and third signature data (sign_uri_container) to the registration system to request the addition of the declaration (container) template.
S706: the registration system checks the third signature data (sign_uri_container) by using the public key in the identity Document (DID Document), adds the declaration information to which the declaration template inquiry address belongs to the identity Document (DID Document) stored in the registration system after the check is successful, and does not add the declaration template inquiry/acquisition address if the check fails.
S707: the registration system sends the addition result of the declaration template to the device program.
S708: the device program sends the declaration template query address (uri_container) to the security module.
S709: the security module updates the declaration template inquiry address (uri_container) to the Service domain of the DID Document (DID Document) stored in the security module, and returns the addition state to the device program.
Referring to fig. 6, the present application further provides an identity authentication apparatus, which is applied to an identity authorization blockchain system including an authorized party and an authenticating party, where a registration system is deployed in the identity authorization blockchain system, and the apparatus includes:
an authorized party 801, configured to send an authentication request to the authenticator, where the authentication request includes an identity of the authorized party;
the verifier 802, configured to generate a random number according to the verification request, and return the random number to the authorized party;
the authorized party 801 is further configured to generate a verifiable report according to the random number and the verifiable credential data stored in the authorized party, and send the verifiable report and the identity of the authorized party stored in the authorized party to the verifying party;
the authenticator 802 is further configured to obtain the identity file of the authorized party from the registration system 803 by using the identity of the authorized party, authenticate the verifiable report according to the identity file of the authorized party, and return an authentication result to the authorized party.
In one possible implementation, the authorized party 801 is specifically configured to:
signing the random number by using the private key of the authorized party stored by the authorized party itself to obtain fourth signature data; signing the verifiable certificate data by using the private key of the authorized party to obtain fifth signature data;
generating the verifiable report using the nonce, the fourth signature data, the verifiable credential data, the fifth signature data;
the verifier 802 is specifically configured to:
acquiring the public key of the authorized party from the identity file of the authorized party, and verifying the signatures of the fourth signature data and the fifth signature data respectively by using the public key of the authorized party.
In one possible implementation, the verifier 802 is specifically configured to:
obtaining the random number from the verifiable report, verifying the signature of the fourth signature data by using the public key of the authorized party and the random number, and verifying the signature of the fifth signature data by using the public key of the authorized party and the verifiable certificate data if the signature passes;
or,
and verifying the signature of the fifth signature data by using the public key of the authorized party and the verifiable certificate data, if the signature passes, acquiring the random number from the verifiable report, and verifying the signature of the fourth signature data by using the public key of the authorized party and the random number.
In one possible implementation, the verifier 802 is further configured to:
obtaining the verifiable credential data from the verifiable report, extracting the identity of the authorized party and the identity of the verifiable credential data from the obtained verifiable credential data, and sending the identity of the authorized party and the identity of the verifiable credential data to the registration system;
the registration system 803 is further configured to: checking whether the identity of the authorized party and the identity of the verifiable credential data are in a list of valid verifiable credential data, and returning a query result that the authorized party is valid or invalid to the verifier;
the authenticator 802 is further configured to: and returning the verification result to the authorized party according to the query result.
In one possible implementation, an authorizer is deployed in the identity authorization blockchain system; the device further comprises:
the authorized party 801 is configured to obtain the claim information of the authorizing party from the registration system, request the authorizing party to perform identity verification on the authorized party according to the identity identifier of the authorized party stored in the authorized party, generate an identity authorization request according to the claim information of the authorizing party when the identity verification result of the authorizing party on the authorized party is passed, and send the identity authorization request to the authorizing party;
the authorization party is used for generating verifiable certificate data according to the identity authorization request and sending the identification of the verifiable certificate data in the verifiable certificate data to the registration system;
the registration system 803 is configured to update according to the identifier of the verifiable credential data, and return an update result to the authorized party;
the authorizer is further used for sending the verifiable credential data to the authorized party so that the authorized party can store the verifiable credential data.
In one possible implementation, the authorized party 801 is specifically configured to:
generating an authentication request according to the identity of the authorized party, and sending the authentication request to the authorizing party;
the authorizer is specifically configured to:
generating a first random number and returning the first random number to the authorized party;
the authorized party 801 is further specifically configured to:
signing the first random number according to the private key of the authorized party stored by the authorized party itself to obtain a first signature result, and sending the first signature result, the first random number and the identity of the authorized party to the authorization party;
the authorizer is further specifically configured to:
and acquiring the identity file of the authorized party from the registration system according to the identity of the authorized party, acquiring the public key of the authorized party from the identity file of the authorized party, and verifying the signature of the first signature result by using the acquired public key of the authorized party and the first random number.
In one possible implementation, the authorized party 801 is specifically configured to:
acquiring the identity of the authorized party, and sending the identity of the authorized party to the registration system;
the registration system 803 is specifically configured to:
and retrieving a statement template list bound with the authorizing party according to the identity of the authorizing party and sending the statement template list to the authorized party.
In one possible implementation, the authorized party 801 is specifically configured to:
and selecting a required declaration template from the declaration template list of the authorizer, generating declaration data of an authorized party according to the selected declaration template, and generating the identity authorization request according to the declaration data of the authorized party.
In a possible implementation manner, the authorized party 801 is further configured to generate the declaration data of the authorized party according to the declaration information of the authorized party; the identity authorization request comprises the declaration data of the authorized party;
the authorizer is specifically configured to:
generating an identifier of the verifiable certificate data according to a preset rule, and signing the declaration data of the authorized party by using the private key of the authorizer stored by the authorizer itself to obtain a signature of the declaration data of the authorized party;
generating the verifiable credential data based on the authorized party claim data, a signature of the authorized party claim data, and an identification of the verifiable credential data.
In one possible implementation, the authorizer is further configured to:
signing the identification of the verifiable certificate data by using a private key of the authorized party to obtain a signature of the verifiable certificate data identification;
sending the signature of the verifiable certificate data identification and the identity identification of the authorized party to the registration system;
the registration system 803 is specifically configured to:
and finding out the public key corresponding to the authorizer according to the identity of the authorizer, and verifying the signature of the verifiable certificate data identifier by using the public key of the authorizer and the identifier of the verifiable certificate data.
In one possible implementation, when the result of the signature verification is pass, the registration system 803 is specifically configured to add the identification of the verifiable credential data to a list of verifiable credential data of the authorized party.
In a possible implementation manner, the authorizer is specifically configured to:
sending the verifiable credential data and the identity of the authorizing party to the authorized party;
sending a query request to the registration system according to the identification of the verifiable certificate data and the identification of the authorized party;
the registration system 803 is specifically configured to:
retrieving whether the identifier of the verifiable certificate data exists in a verifiable certificate data list of the authorization party or not according to the identity of the authorization party, if so, indicating that the identifier of the verifiable certificate data is valid, and returning the query result and the identity file of the authorization party corresponding to the identity of the authorization party to the authorized party;
the authorized party 801 is further specifically configured to:
and verifying the verifiable certificate data according to the identity document of the authorized party, and if the verifiable certificate data passes the verification, confirming that the verifiable certificate data is legal and storing the legal verifiable certificate data.
In one possible implementation, the authorized party 801 is specifically configured to:
acquiring a public key of the authorizer from the identity file of the authorizer, and verifying the signature of the authorized party declaration data in the verifiable certificate data by using the public key of the authorizer and the authorized party declaration data in the verifiable certificate data.
In a possible implementation manner, the authorizer is specifically configured to:
signing the verifiable certificate data by using a private key, and sending the signed verifiable certificate data to the authorized party;
sending an entity identity query request to the registration system;
the registration system 803 is specifically configured to:
returning the identity file of the entity stored in advance to the authorized party;
the authorized party 801 is further specifically configured to:
verifying the signed verifiable certificate data by using the identity file of the entity, and if the verification is successful, confirming that the verifiable certificate data is legal;
and sending a result of confirming that the verifiable certificate data is legal to the registration system for inquiry, and if the registration system inquires that the verifiable certificate data is valid, returning an inquiry result to the authorized party so that the authorized party stores the verifiable certificate data.
In one possible implementation, the authorized party 801 is further configured to:
generating a second random number; the identity authorization request also comprises the second random number;
the authorizer is specifically configured to:
generating a third random number, and generating authentication data and encrypted data of the verifiable certificate data according to the second random number, the third random number and the verifiable certificate data; sending the authentication data, the encrypted data of the verifiable certificate data and the identity of the authorizer stored by the authorizer to the authorized party;
the authorized party 801 is also configured to: acquiring the identity file of the authorizer from the registration system according to the identity of the authorizer; and verifying the authentication data according to the identity file of the authorizer, decrypting the encrypted data of the verifiable certificate data to obtain the verifiable certificate data if the authentication is passed, and storing the verifiable certificate data obtained by decryption.
In a possible implementation manner, the authorizer is specifically configured to:
encrypting the third random number by using the public key of the authorized party, acquired when the authorizer performed identity verification on the authorized party, to obtain encrypted data of the third random number;
signing the third random number by using the private key of the authorizer stored by the authorizer to obtain a signature of the third random number;
and generating a first session key according to the second random number and the third random number, and encrypting the verifiable certificate data by using the first session key to obtain the encrypted data of the verifiable certificate data.
In one possible implementation, the authorized party 801 is specifically configured to:
acquiring the public key of the authorizer from the identity file of the authorizer, and decrypting the encrypted data of the third random number by using the private key of the authorized party stored by the authorized party to obtain first decrypted data;
and verifying the signature of the third random number by using the public key of the authorizer and the first decrypted data.
In one possible implementation, the authorized party 801 is specifically configured to:
if the signature verification is successful, generating a second session key according to the second random number and the first decryption data;
decrypting the encrypted data of the verifiable credential data by using the second session key to obtain the verifiable credential data, extracting the declaration data of the authorized party and the signature of the declaration data of the authorized party from the verifiable credential data, verifying the signature of the declaration data of the authorized party by using the public key of the authorizer and the extracted declaration data of the authorized party, and storing the verifiable credential data if the verification passes.
In one possible implementation, the authorized party 801 is further configured to:
sending an identification of verifiable credential data in the verifiable credential data to the registration system, the registration system checking whether the identification of verifiable credential data is valid;
and when the verification result is that the identification of the verifiable certificate data is valid and the authorized party passes the verification result of the authentication data, storing the verifiable certificate data.
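The encrypted delivery described above, both sides, as an added Go example that is not code from the patent. The patent names no algorithms, so RSA-OAEP for encrypting the third random number, Ed25519 for the authorizer's signature, SHA-256 as the session-key derivation, AES-GCM for the credential, and every identifier below are assumptions.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Delivery is what the authorizer returns (field names are hypothetical).
type Delivery struct {
	EncN3   []byte // third random number, encrypted to the authorized party's key
	SigN3   []byte // authorizer's signature over the third random number
	IV      []byte // AES-GCM nonce
	EncCred []byte // verifiable credential data under the session key
}

// NewKeys builds constructed identities: Ed25519 authorizer, RSA authorized party.
func NewKeys() (ed25519.PublicKey, ed25519.PrivateKey, *rsa.PrivateKey, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, nil, nil, err
	}
	holder, err := rsa.GenerateKey(rand.Reader, 2048)
	return pub, priv, holder, err
}

// NewRandom returns n random bytes (random numbers and the GCM nonce).
func NewRandom(n int) ([]byte, error) {
	b := make([]byte, n)
	_, err := rand.Read(b)
	return b, err
}

// newGCM keys AES-GCM with SHA-256(label || n2 || n3), an assumed derivation.
func newGCM(n2, n3 []byte) (cipher.AEAD, error) {
	if len(n2) != 32 || len(n3) != 32 { // fixed sizes keep the concatenation unambiguous
		return nil, fmt.Errorf("random numbers must be 32 bytes, got %d and %d", len(n2), len(n3))
	}
	key := sha256.Sum256(append(append([]byte("vc-delivery-example"), n2...), n3...))
	block, err := aes.NewCipher(key[:])
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Issue is the authorizer's side: fresh n3, encrypt it, sign it, seal the credential.
func Issue(issuerPriv ed25519.PrivateKey, holderPub *rsa.PublicKey, n2, cred []byte) (Delivery, error) {
	n3, err := NewRandom(32)
	if err != nil {
		return Delivery{}, err
	}
	encN3, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, holderPub, n3, nil)
	if err != nil {
		return Delivery{}, err
	}
	gcm, err := newGCM(n2, n3)
	if err != nil {
		return Delivery{}, err
	}
	iv, err := NewRandom(gcm.NonceSize())
	if err != nil {
		return Delivery{}, err
	}
	return Delivery{encN3, ed25519.Sign(issuerPriv, n3), iv, gcm.Seal(nil, iv, cred, nil)}, nil
}

// Receive is the authorized party's side; it returns data only if every check passes.
func Receive(holder *rsa.PrivateKey, issuerPub ed25519.PublicKey, n2 []byte, d Delivery) ([]byte, error) {
	n3, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, holder, d.EncN3, nil)
	if err != nil {
		return nil, errors.New("third random number does not decrypt")
	}
	if len(issuerPub) != ed25519.PublicKeySize || !ed25519.Verify(issuerPub, n3, d.SigN3) {
		return nil, errors.New("signature over the third random number is invalid")
	}
	gcm, err := newGCM(n2, n3)
	if err != nil || len(d.IV) != gcm.NonceSize() {
		return nil, errors.New("session key setup failed")
	}
	return gcm.Open(nil, d.IV, d.EncCred, nil) // fails if the key or ciphertext differ
}

func main() {
	pub, priv, holder, err := NewKeys()
	if err != nil {
		panic(err)
	}
	n2, _ := NewRandom(32) // second random number, sent in the authorization request
	d, _ := Issue(priv, &holder.PublicKey, n2, []byte("constructed credential"))
	cred, err := Receive(holder, pub, n2, d)
	fmt.Println(string(cred), err)
}
```

The second random number travels in the clear in the request, so the secrecy of the session key rests entirely on the third random number being encrypted to the authorized party.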
In one possible implementation, the authorizer is further configured to:
and auditing according to the identity authorization request sent by the authorized party.
In one possible implementation, the target party is the authorizer or the authorized party 801; the target party is specifically configured to:
generating a corresponding identity and an identity file, and performing identity registration to the registration system according to the identity and the identity file; the identity file comprises a corresponding signature verification public key;
the registration system 803 is specifically configured to: and checking the identity identification and the identity file, if the identity identification and the identity file pass the checking, determining that the target party completes identity registration, and storing the identity file corresponding to the target party.
In one possible implementation, the target party is specifically configured to:
acquiring current time, setting a key pair type, and generating a public key and a private key according to the current time and the key pair type;
carrying out Hash operation on the public key to obtain a corresponding Hash value, and using the Hash value as the identity of the target party;
and generating the identity file of the target party according to the identity and the public key.
In one possible implementation, the target party is specifically configured to:
sending the identity identification and the identity file to a registration system;
the registration system 803 is specifically configured to: and determining whether the identity exists in the stored identity set, and if not, sending a random identity to the target party.
In one possible implementation, the target is further configured to:
receiving the random identifier, and signing the random identifier by using the private key to obtain first signature data;
sending the identity file, the random identifier and the first signature data to the registration system;
the registration system 803 is further configured to: and checking the first signature data according to the identity file, if the first signature data passes the check, determining that the target party completes identity registration, and storing the identity file corresponding to the target party.
In one possible implementation, the target is further configured to:
storing the identity file;
the registration system 803 is further configured to: sending the query address of the identity to the target party;
the target is further to: and updating the identity file according to the query address of the identity identification.
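The registration exchange described above (hash-derived identifier, random identifier issued by the registration system, signature with the target party's private key), as an added Go example that is not code from the patent. Ed25519, SHA-256, the in-memory `Registry` and all type and function names are assumptions, as is the check that the identifier equals the hash of the public key.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
)

// IdentityFile is a hypothetical minimal identity file: identifier plus public key.
type IdentityFile struct {
	ID        string
	PublicKey ed25519.PublicKey
}

// Registry stands in for the registration system (in-memory, no blockchain).
type Registry struct {
	files   map[string]IdentityFile // completed registrations
	pending map[string][]byte       // random identifier issued per identifier
}

func NewRegistry() *Registry {
	return &Registry{files: map[string]IdentityFile{}, pending: map[string][]byte{}}
}

// DeriveID hashes the public key; the hex digest is the identity identifier.
func DeriveID(pub ed25519.PublicKey) string {
	sum := sha256.Sum256(pub)
	return hex.EncodeToString(sum[:])
}

// NewIdentity is the target party's side: key pair, identifier, identity file.
func NewIdentity() (IdentityFile, ed25519.PrivateKey, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return IdentityFile{}, nil, err
	}
	return IdentityFile{ID: DeriveID(pub), PublicKey: pub}, priv, nil
}

// SignRandomID produces the "first signature data" over the random identifier.
func SignRandomID(priv ed25519.PrivateKey, randomID []byte) []byte {
	return ed25519.Sign(priv, randomID)
}

// checkBinding (an assumption here) rejects a file whose ID is not the hash of its key.
func checkBinding(f IdentityFile) error {
	if len(f.PublicKey) != ed25519.PublicKeySize || DeriveID(f.PublicKey) != f.ID {
		return errors.New("identifier is not the hash of the public key")
	}
	return nil
}

// Begin handles the first message: unknown identifier, so issue a random identifier.
func (r *Registry) Begin(f IdentityFile) ([]byte, error) {
	if _, exists := r.files[f.ID]; exists {
		return nil, fmt.Errorf("identifier %s is already registered", f.ID)
	}
	if err := checkBinding(f); err != nil {
		return nil, err
	}
	randomID := make([]byte, 32)
	if _, err := rand.Read(randomID); err != nil {
		return nil, err
	}
	r.pending[f.ID] = randomID
	return randomID, nil
}

// Complete handles the second message: verify the signature, then store the file.
func (r *Registry) Complete(f IdentityFile, randomID, sig []byte) error {
	issued, ok := r.pending[f.ID]
	delete(r.pending, f.ID) // one attempt per random identifier
	if !ok || !bytes.Equal(issued, randomID) {
		return errors.New("random identifier was not issued for this identifier")
	}
	if err := checkBinding(f); err != nil {
		return err
	}
	if !ed25519.Verify(f.PublicKey, randomID, sig) {
		return errors.New("first signature data does not verify")
	}
	r.files[f.ID] = f
	return nil
}

func main() {
	reg := NewRegistry()
	file, priv, err := NewIdentity()
	if err != nil {
		panic(err)
	}
	randomID, _ := reg.Begin(file)
	fmt.Println("registration error:", reg.Complete(file, randomID, SignRandomID(priv, randomID)))
}
```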
In one possible implementation, when the target party is the authorizer, the authorizer is further configured to:
generating identity data of an authorized party, and signing the identity data by using the private key to obtain second signature data; the identity data of the authorized party is data which embodies that the authorized party has identity authorization authority;
sending the identity file and the identity data and the second signature data to the registration system;
the registration system 803 is further configured to: verifying the second signature data according to the identity file, if the second signature data passes the verification, granting the identity authorization authority qualification of the authorizer, storing the identity authorization authority qualification into an identity file stored by the authorizer, and sending the registration state and the identity inquiry address of the authorizer to the authorizer;
the authorizer is further to: and updating the identity inquiry address to the identity file stored by the authorizer.
In one possible implementation, the authorizer is further configured to:
generating declaration information, and signing a declaration template inquiry address in the declaration information by using the private key to obtain third signature data; the declaration information comprises a declaration template and a declaration template query address;
sending the identity file, the claim template inquiry address in the claim information and the third signature data to the registration system;
the registration system 803 is further configured to: verifying the third signature data according to the identity file stored by the registration system, if the third signature data passes the verification, storing the declaration information in the identity file stored by the registration system, and returning a newly-added result of the declaration information to the target party;
the target is further to: and updating the declaration template inquiry address to the identity file stored by the target party.
In one possible implementation, the authorized party 801 is further configured to:
setting a safety identification, and setting the type of the safety identification as plaintext return or ciphertext return; the identity authorization request also comprises the security identification;
judging the type of the safety identification, and when the type of the safety identification is plaintext return, sending plaintext data of the verifiable certificate data to the authorized party; and when the type of the security identifier is ciphertext return, sending the ciphertext data of the verifiable certificate data to the authorized party.
In summary, in the apparatus for identity authentication provided in this embodiment, an identity authorization blockchain system for identity authentication includes a registered authorized party and an authenticating party, and a registration system is deployed in the identity authorization blockchain system; after the authorized party sends an authentication request including the identity of the authorized party to the authenticator, the authenticator may generate a random number according to the authentication request and return the random number to the authorized party. The authorized party can generate a verifiable report according to the random number and the verifiable certificate data stored by the authorized party, and the verifiable report and the identity of the authorized party stored by the authorized party are sent to the verifying party, so that the verifying party can acquire the identity file of the authorized party from the registration system by using the identity of the authorized party, verify the verifiable report according to the identity file of the authorized party, and return a verification result to the authorized party. And further, based on the advantages of decentralized and external impossibility of the block chain of the registration system, the accuracy and reliability of the identity verification result of the authorized party can be effectively improved.
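The verification flow summarized above, with the two signatures that claim 2 puts in the verifiable report and the registry query of claim 3, as an added Go example that is not code from the patent. Ed25519, the JSON encoding of the credential, the in-memory `Registry`, the constructed identifiers and all names are assumptions; the check of the authorizing party's signature over the claim data is an addition the claims do not assign to the verifier.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"encoding/json"
	"errors"
	"fmt"
)

// Credential: claim data, the authorizing party's signature over it, and IDs.
type Credential struct {
	ID, IssuerID      string
	Claims, IssuerSig []byte
}

// Report: random number, fourth signature, credential data, fifth signature.
type Report struct {
	Nonce, NonceSig, CredSig []byte
	Cred                     Credential
}

// Registry stands in for the registration system (in-memory, constructed data).
type Registry struct {
	Keys  map[string]ed25519.PublicKey // identity files, reduced to the public key
	Valid map[string]bool              // "issuerID/credentialID" entries still valid
}

// Verifier remembers the random number it issued to each authorized party.
type Verifier struct {
	Reg    *Registry
	issued map[string][]byte
}

// encode is the byte string the fifth signature covers (JSON is an assumption).
func encode(c Credential) []byte {
	b, _ := json.Marshal(c) // cannot fail for strings and byte slices
	return b
}

// Challenge answers a verification request with a fresh random number.
func (v *Verifier) Challenge(holderID string) ([]byte, error) {
	n := make([]byte, 32)
	if _, err := rand.Read(n); err != nil {
		return nil, err
	}
	v.issued[holderID] = n
	return n, nil
}

// BuildReport is the authorized party's side: sign the nonce and the credential.
func BuildReport(priv ed25519.PrivateKey, nonce []byte, c Credential) Report {
	return Report{Nonce: nonce, NonceSig: ed25519.Sign(priv, nonce),
		Cred: c, CredSig: ed25519.Sign(priv, encode(c))}
}

// Verify runs the verifier's checks in order and names the first that fails.
func (v *Verifier) Verify(holderID string, r Report) error {
	want, ok := v.issued[holderID]
	delete(v.issued, holderID) // each random number is accepted once
	if !ok || !bytes.Equal(want, r.Nonce) {
		return errors.New("random number not issued to this party or already used")
	}
	holder, ok := v.Reg.Keys[holderID] // identity file lookup by identifier
	if !ok || !ed25519.Verify(holder, r.Nonce, r.NonceSig) {
		return errors.New("no identity file, or fourth signature (random number) invalid")
	}
	if !ed25519.Verify(holder, encode(r.Cred), r.CredSig) {
		return errors.New("fifth signature (credential data) invalid")
	}
	issuer, ok := v.Reg.Keys[r.Cred.IssuerID] // added check, not in claims 1-3
	if !ok || !ed25519.Verify(issuer, r.Cred.Claims, r.Cred.IssuerSig) {
		return errors.New("authorizing party signature over claim data invalid")
	}
	if !v.Reg.Valid[r.Cred.IssuerID+"/"+r.Cred.ID] { // registry validity query
		return fmt.Errorf("credential %s not in the valid credential list", r.Cred.ID)
	}
	return nil
}

// Setup builds constructed fixtures: one authorizing and one authorized party.
func Setup() (*Verifier, string, ed25519.PrivateKey, Credential) {
	issuerPub, issuerPriv, _ := ed25519.GenerateKey(rand.Reader)
	holderPub, holderPriv, _ := ed25519.GenerateKey(rand.Reader)
	claims := []byte(`{"subject":"holder-1","role":"member"}`)
	cred := Credential{"vc-001", "issuer-1", claims, ed25519.Sign(issuerPriv, claims)}
	keys := map[string]ed25519.PublicKey{"issuer-1": issuerPub, "holder-1": holderPub}
	reg := &Registry{Keys: keys, Valid: map[string]bool{"issuer-1/vc-001": true}}
	return &Verifier{Reg: reg, issued: map[string][]byte{}}, "holder-1", holderPriv, cred
}

func main() {
	v, id, priv, cred := Setup()
	n, _ := v.Challenge(id)
	fmt.Println("verification error:", v.Verify(id, BuildReport(priv, n, cred)))
}
```

Without the added signature check, the holder's fifth signature and the registry list alone would not detect claim data that differs from what the authorizing party signed.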
Further, an embodiment of the present application further provides an identity authentication device, including: a processor and a memory;
the memory is used for storing program codes and transmitting the program codes to the processor;
the processor is used for executing any one of the above-mentioned authentication methods according to the instructions in the program code.
Further, an embodiment of the present application also provides a computer-readable storage medium, where a computer program is stored in the computer-readable storage medium, and when the computer program runs on a terminal device, the terminal device is caused to execute any implementation method of the above-mentioned identity verification method.
As can be seen from the above description of the embodiments, those skilled in the art can clearly understand that all or part of the steps in the above embodiment methods can be implemented by software plus a necessary general hardware platform. Based on such understanding, the technical solution of the present application may be essentially or partially implemented in the form of a software product, which may be stored in a storage medium, such as a ROM/RAM, a magnetic disk, an optical disk, etc., and includes several instructions for enabling a computer device (which may be a personal computer, a server, or a network communication device such as a media gateway, etc.) to execute the method according to the embodiments or some parts of the embodiments of the present application.
It should be noted that, in the present specification, the embodiments are described in a progressive manner, each embodiment focuses on differences from other embodiments, and the same and similar parts among the embodiments may be referred to each other. The device disclosed by the embodiment corresponds to the method disclosed by the embodiment, so that the description is simple, and the relevant points can be referred to the method part for description.
It is further noted that, herein, relational terms such as first and second, and the like may be used solely to distinguish one entity or action from another entity or action without necessarily requiring or implying any actual such relationship or order between such entities or actions. Also, the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or apparatus. Without further limitation, an element defined by the phrase "comprising an … …" does not exclude the presence of other identical elements in a process, method, article, or apparatus that comprises the element.
The previous description of the disclosed embodiments is provided to enable any person skilled in the art to make or use the present application. Various modifications to these embodiments will be readily apparent to those skilled in the art, and the generic principles defined herein may be applied to other embodiments without departing from the spirit or scope of the application. Thus, the present application is not intended to be limited to the embodiments shown herein but is to be accorded the widest scope consistent with the principles and novel features disclosed herein.
Claims (11)
1. The identity authentication method is applied to an identity authentication blockchain system comprising an authorized party and an authenticating party, wherein a registration system is deployed in the identity authentication blockchain system; the method comprises the following steps:
the authorized party sends a verification request to the verifier, wherein the verification request comprises the identity of the authorized party;
the verifier generates a random number according to the verification request and returns the random number to the authorized party;
the authorized party generates a verifiable report according to the random number and the verifiable certificate data stored by the authorized party, and sends the verifiable report and the identity of the authorized party stored by the authorized party to the verifying party;
the verifying party acquires the identity file of the authorized party from the registration system by using the identity of the authorized party, verifies the verifiable report according to the identity file of the authorized party and returns a verification result to the authorized party.
2. The method according to claim 1, wherein the authorized party generates an authenticatable report based on the random number and the authenticatable credential data stored therein, and specifically comprises:
the authorized party signs the random number by using a private key of the authorized party stored by the authorized party to obtain fourth signature data; signing the verifiable certificate data by using a private key of the authorized party to obtain fifth signature data;
the authorized party generating the verifiable report using the nonce, the fourth signature data, the verifiable credential data, the fifth signature data;
the verifying party verifies the verifiable report according to the identity document of the authorized party, and the verifying method specifically comprises the following steps:
and the verifier acquires the public key of the authorized party from the identity file of the authorized party and verifies the fourth signature data and the fifth signature data by using the public key of the authorized party respectively.
3. The method according to claim 1 or 2, wherein after the verifying party verifies the verifiable report according to the identity document of the authorized party, before the verifying party returns a verification result to the authorized party, the method further comprises:
the verifying party acquires the verifiable certificate data from the verifiable report, extracts the identity identification of the authorizing party and the identification of the verifiable certificate data from the acquired verifiable certificate data, and sends the identity identification of the authorizing party and the identification of the verifiable certificate data to the registration system;
the registration system checks whether the identity of the authorized party and the identification of the verifiable certificate data are in a valid verifiable certificate data list, and returns a valid or invalid inquiry result of the authorized party to the verifier;
and the verifying party returns the verification result to the authorized party according to the query result.
4. The method of claim 1, wherein an authorizer is deployed in the identity authorization blockchain system; the method further comprises the following steps:
the authorized party acquires the declaration information of the authorizing party from the registration system, requests the authorizing party to carry out identity authentication on the authorized party according to the identity identification of the authorized party stored by the authorized party, generates an identity authorization request according to the declaration information of the authorizing party and sends the identity authorization request to the authorizing party when the identity authentication result of the authorizing party on the authorized party is passed;
the authorization party generates verifiable certificate data according to the identity authorization request and sends the identification of the verifiable certificate data in the verifiable certificate data to the registration system;
the registration system updates according to the identification of the verifiable certificate data and returns an updating result to the authorized party;
the authorizing party sends the verifiable credential data to the authorized party for storage by the authorized party.
5. The method of claim 4, wherein after the authorized party obtains the declaration information of the authorizing party, the method further comprises: the authorized party generates the declaration data of the authorized party according to the declaration information of the authorizing party; the identity authorization request comprises the declaration data of the authorized party;
the method for generating the verifiable credential data by the authorizing party specifically comprises the following steps:
the authorizing party generates the identification of the verifiable certificate data according to a preset rule, and signs the declaration data of the authorized party by using a private key of the authorizing party stored by the authorizing party to obtain the signature of the declaration data of the authorized party;
the authorizing party generates the verifiable credential data based on the authorized party claim data, a signature of the authorized party claim data, and an identification of the verifiable credential data.
6. The method of claim 4, wherein the authorizing party sending the verifiable credential data to the authorized party for saving by the authorized party comprises:
the authorizing party sending the verifiable credential data and the identity of the authorizing party to the authorized party;
the authorized party sends a query request to the registration system according to the identification of the verifiable certificate data and the identity of the authorizing party;
the registration system searches whether the identifier of the verifiable certificate data exists in a verifiable certificate data list of the authorization party or not according to the identity identifier of the authorization party, if so, the registration system indicates that the identifier of the verifiable certificate data is valid, and returns the query result and the identity file of the authorization party corresponding to the identity identifier of the authorization party to the authorized party;
and the authorized party verifies the verifiable certificate data according to the identity file of the authorizing party, and if the verification is passed, the verifiable certificate data is confirmed to be legal and is stored.
7. The method of claim 4, wherein before the authorized party sends the identity authorization request to the authorizing party according to the claim information of the authorizing party, the method further comprises:
the authorized party generates a second random number; the identity authorization request also comprises the second random number;
the method includes that the authorizer sends the verifiable credential data to the authorized party so that the authorized party can store the verifiable credential data, and specifically includes:
the authorizing party generates a third random number and generates authentication data and encrypted data of the verifiable certificate data according to the second random number, the third random number and the verifiable certificate data; sending the authentication data, the encrypted data of the verifiable certificate data and the identity of the authorizing party stored by the authorizing party to the authorized party;
the authorized party acquires the identity file of the authorizing party from the registration system according to the identity of the authorizing party; and verifying the authentication data according to the identity file of the authorizing party, decrypting the encrypted data of the verifiable certificate data to obtain the verifiable certificate data if the authentication is passed, and storing the verifiable certificate data obtained by decryption.
8. The method of claim 4, wherein before the authorized party sends the identity authorization request to the authorizing party, further comprising: the authorized party sets a security identifier, and sets the type of the security identifier as plaintext return or ciphertext return; the identity authorization request also comprises the security identification;
before the authorizer sends the verifiable credential data to the authorized party, further comprising: the authorizing party judges the type of the security identifier, and when the type of the security identifier is plaintext return, the plaintext data of the verifiable certificate data is sent to the authorized party; and when the type of the security identifier is ciphertext return, sending the ciphertext data of the verifiable certificate data to the authorized party.
9. The identity authentication device is applied to an identity authentication blockchain system comprising an authorized party and an authentication party, wherein a registration system is deployed in the identity authentication blockchain system; the device comprises:
the authorized party is used for sending a verification request to the verifier, and the verification request comprises the identity of the authorized party;
the verifier is used for generating a random number according to the verification request and returning the random number to the authorized party;
the authorized party is also used for generating a verifiable report according to the random number and the verifiable certificate data stored by the authorized party, and sending the verifiable report and the identity of the authorized party stored by the authorized party to the verifier;
the verifying party is further configured to obtain the identity file of the authorized party from the registration system by using the identity of the authorized party, verify the verifiable report according to the identity file of the authorized party, and return a verification result to the authorized party.
10. An apparatus for identity verification, the apparatus comprising a processor and a memory:
the memory is used for storing program codes and transmitting the program codes to the processor;
the processor is configured to perform the method of any of claims 1-8 according to instructions in the program code.
11. A computer-readable storage medium, characterized in that the computer-readable storage medium is used to store a computer program for performing the method of any of claims 1-8.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202011194900.6A CN112311538B (en) | 2020-10-30 | 2020-10-30 | Identity verification method, device, storage medium and equipment |
Publications (2)
Publication Number | Publication Date |
---|---|
CN112311538A (en) | 2021-02-02 |
CN112311538B (en) | 2024-04-23 |
Family
ID=74334145
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN202011194900.6A Active CN112311538B (en) | 2020-10-30 | 2020-10-30 | Identity verification method, device, storage medium and equipment |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN112311538B (en) |
CN115664700A (en) | Data encryption method and data decryption method | |
CN115720137A (en) | Information management system, method and device |
Legal Events
Code | Title |
---|---|
PB01 | Publication |
SE01 | Entry into force of request for substantive examination |
GR01 | Patent grant |