CN113922962A - Method and device for selectively disclosing digital identity attribute - Google Patents
Method and device for selectively disclosing digital identity attribute Download PDFInfo
- Publication number
- CN113922962A CN113922962A CN202111061784.5A CN202111061784A CN113922962A CN 113922962 A CN113922962 A CN 113922962A CN 202111061784 A CN202111061784 A CN 202111061784A CN 113922962 A CN113922962 A CN 113922962A
- Authority
- CN
- China
- Prior art keywords
- hash
- certificate
- identity attribute
- attribute field
- statement
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Pending
Links
- 238000000034 method Methods 0.000 title claims abstract description 51
- 238000004364 calculation method Methods 0.000 claims description 15
- 238000004422 calculation algorithm Methods 0.000 claims description 6
- 230000015572 biosynthetic process Effects 0.000 claims description 3
- 238000012795 verification Methods 0.000 abstract description 6
- 238000010586 diagram Methods 0.000 description 10
- 238000005516 engineering process Methods 0.000 description 7
- 230000008569 process Effects 0.000 description 5
- 238000012545 processing Methods 0.000 description 3
- 238000004590 computer program Methods 0.000 description 2
- 230000006870 function Effects 0.000 description 2
- 230000008520 organization Effects 0.000 description 2
- 238000004458 analytical method Methods 0.000 description 1
- 238000003491 array Methods 0.000 description 1
- 230000005540 biological transmission Effects 0.000 description 1
- 230000001413 cellular effect Effects 0.000 description 1
- 230000008859 change Effects 0.000 description 1
- 238000011161 development Methods 0.000 description 1
- 230000000694 effects Effects 0.000 description 1
- 230000006872 improvement Effects 0.000 description 1
- 230000004048 modification Effects 0.000 description 1
- 238000012986 modification Methods 0.000 description 1
- 238000011022 operating instruction Methods 0.000 description 1
- 230000003287 optical effect Effects 0.000 description 1
- 230000002093 peripheral effect Effects 0.000 description 1
- 230000000750 progressive effect Effects 0.000 description 1
- 230000003068 static effect Effects 0.000 description 1
Images
Classifications
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/32—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
- H04L9/3236—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials using cryptographic hash functions
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/32—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
- H04L9/3247—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving digital signatures
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/32—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
- H04L9/3263—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving certificates, e.g. public key certificate [PKC] or attribute certificate [AC]; Public key infrastructure [PKI] arrangements
Landscapes
- Engineering & Computer Science (AREA)
- Computer Security & Cryptography (AREA)
- Computer Networks & Wireless Communication (AREA)
- Signal Processing (AREA)
- Storage Device Security (AREA)
Abstract
The embodiment of the specification discloses a selective disclosure method and a device of digital identity attribute, wherein the method is applied to a first component and comprises the following steps: calculating the hash of each identity attribute field in the statement contained in the original certificate; forming a statement hash according to the identity attribute field hash, and forming a new certificate by the statement hash and other fields of the original certificate; computing the new credential hash; the issuer signs the new credential hash with a private key such that the signature is used to verify the identity attribute that needs to be revealed. The scheme of the invention is applied to a digital identity verification scene, the verifier can only obtain the identity attribute information disclosed by the holder, and the holder does not need to worry about other identity attribute information being leaked.
Description
Technical Field
The present disclosure relates to the field of computer software technologies, and in particular, to a method and an apparatus for selectively disclosing digital identity attributes, and an electronic device.
Background
With the development of internet technology, identity authentication technology is widely applied, but privacy problems are brought to the holder, and particularly when the holder only needs to disclose some identity attributes of the holder, it is currently common practice that the holder presents a digital certificate of the holder, and the digital certificate includes all the identity attributes of the holder and a signature of an issuer, so that other identity attributes are disclosed, and privacy risks are brought to the holder. It is therefore of interest to devise a solution that enables the holder to choose to reveal a given identity attribute.
Disclosure of Invention
It is an object of the embodiments of the present specification to provide a method and apparatus for selective disclosure of digital identity attribute.
In order to solve the above technical problem, the embodiments of the present specification are implemented as follows:
in a first aspect, a method for selectively disclosing digital identity attributes is provided, which is applied to a first component, and comprises the following steps:
calculating the hash of each identity attribute field in the statement contained in the original certificate;
forming a statement hash according to the identity attribute field hash, and forming a new certificate by the statement hash and other fields of the original certificate;
computing the new credential hash;
the issuer signs the new credential hash with a private key such that the signature is used to verify the identity attribute that needs to be revealed.
In a second aspect, an apparatus for selectively disclosing digital identity attributes is provided, including:
the hash calculation module is used for calculating the hash value of the specified data;
the certificate management module is used for forming a statement hash according to the identity attribute field hash, and then forming a new certificate by the statement hash and other fields of the original certificate;
and the signature generation module is used for signing the new certificate hash by using a private key so that the signature is used for verifying the identity attribute to be disclosed.
In a third aspect, a method for selectively disclosing digital identity attributes is provided, in which after a credential holder submits an identity attribute field to be disclosed and an identity attribute field hash not to be disclosed to a verifier, and an original credential, the credential holder is applied to a second component, and the method includes:
the verifier obtains the identity attribute field to be disclosed;
calculating the hash of the identity attribute field to be disclosed;
forming a new certificate by the statement hash and other fields of the original certificate after the statement hash is formed according to the identity attribute field hash needing to be disclosed and the identity attribute field hash needing not to be disclosed;
computing the new credential hash;
verifying a signature of the original credential using a credential issuer public key;
and if the hash of the new certificate is equal to the hash of the original certificate, the authenticity of the identity attribute to be disclosed is confirmed.
In a fourth aspect, an apparatus for selectively disclosing digital identity attributes is provided, including:
the hash calculation module is used for calculating the hash value of the specified data;
the certificate management module is used for forming a new certificate by the statement hash and other fields of the original certificate after the statement hash is formed according to the identity attribute field hash needing to be disclosed and the identity attribute field hash needing not to be disclosed;
the signature decryption module is used for decrypting the original certificate hash signature by using the certificate issuer public key to obtain an original certificate hash;
and the hash comparison module is used for comparing whether the hash of the new certificate is equal to the hash of the original certificate so as to confirm the authenticity of the identity attribute.
In a fifth aspect, a system for selective disclosure of digital identity attributes is presented, comprising a first component and a second component, wherein,
the first component calculates the hash of each identity attribute field in the statement contained in the original certificate, forms a statement hash according to the identity attribute field hashes, then forms a new certificate by the statement hash and other fields of the certificate, calculates a second certificate hash, and signs the new certificate hash by using a private key so that the signature is used for verifying the identity attribute to be disclosed;
the verifier of the second component obtains the identity attribute field to be revealed, calculates the hash of the identity attribute field to be revealed, forms a new certificate by the statement hash and other fields of the original certificate after forming a statement hash according to the hash of the identity attribute field to be revealed and the hash of the identity attribute field not to be revealed, calculates the hash of the new certificate, decrypts the hash signature of the original certificate by using a public key of a certificate issuer to obtain the hash of the original certificate, and confirms the authenticity of the identity attribute if the hash of the new certificate is equal to the hash of the original certificate;
after the first component generates the owner signature, the second component verifies the identity attribute to be disclosed, which is submitted by the owner, according to the owner signature.
In a sixth aspect, an electronic device is provided, including: a processor; and
a memory arranged to store computer executable instructions that, when executed, cause the processor to perform the method of the first aspect.
In a seventh aspect, a computer-readable storage medium is presented, which stores one or more programs that, when executed by an electronic device comprising a plurality of application programs, cause the electronic device to perform the method of the first aspect.
In an eighth aspect, an electronic device is provided, including: a processor; and
a memory arranged to store computer executable instructions that, when executed, cause the processor to perform the method of the third aspect.
In a ninth aspect, a computer readable storage medium is presented, storing one or more programs which, when executed by an electronic device comprising a plurality of application programs, cause the electronic device to perform the method of the third aspect.
The specification can achieve at least the following technical effects:
the scheme of the invention is applied to a digital identity verification scene, the verifier can only obtain the identity attribute information disclosed by the holder, and the holder does not need to worry about other identity attribute information being leaked.
Drawings
In order to more clearly illustrate the embodiments of the present specification or the technical solutions in the prior art, the drawings needed to be used in the description of the embodiments or the prior art will be briefly introduced below, it is obvious that the drawings in the following description are only some embodiments described in the present specification, and for those skilled in the art, other drawings can be obtained according to the drawings without any creative effort.
Fig. 1 is a schematic diagram illustrating steps of a method for selectively disclosing digital identity attributes according to an embodiment of the present disclosure.
Fig. 2 is a second schematic diagram of steps of a method for selectively disclosing digital identity attributes according to an embodiment of the present disclosure.
Fig. 3 is a schematic structural diagram of an apparatus for selectively disclosing digital identity attributes according to an embodiment of the present disclosure.
Fig. 4 is a second schematic structural diagram of a selective disclosure apparatus for digital identity attribute according to an embodiment of the present disclosure.
Fig. 5 is a schematic structural diagram of an electronic device provided in an embodiment of the present specification.
Detailed Description
In order to make those skilled in the art better understand the technical solutions in the present specification, the technical solutions in the embodiments of the present specification will be clearly and completely described below with reference to the drawings in the embodiments of the present specification, and it is obvious that the described embodiments are only a part of the embodiments of the present specification, and not all of the embodiments. All other embodiments obtained by a person skilled in the art based on the embodiments in the present specification without any inventive step should fall within the scope of protection of the present specification.
Key terms
Distributed digital identity, DID: the DID identifier is an identifier composed of character strings and used for representing a digital identity, is a decentralized and verifiable identifier, and can automatically complete the operations of registration, analysis, update or revocation of DID without a central registration authority so as to realize global uniqueness. Generally, one entity can have a plurality of identities, the entities manage and maintain the identities, and different identities have no associated information, so that the identity information can be effectively prevented from being collected by a third party. The core model of DID is distributed digital identity identifier and verifiable credential flow, the core technology is distributed ledger and cryptography, the combination of which is used to create non-repudiatable, and non-tampered identity records.
DID-related roles: (1) the Issuer issue is the issuing organization of the certificate, for example, the identification card is the public security organization as the Issuer, and the graduation certificate is the university as the Issuer; (2) holder, namely the Holder of the certificate, namely the ordinary people; (3) verifier is the person or authority who looks at our certificate when we use it. Such as: when we check in the hotel, the front desk verifies our identity card, and then the front desk of the hotel is the verifier. For another example: when the user enters a new company, the user needs to provide university graduation certificate, and HR of the new company is a verifier. The DID registration system Verifiable Data Registry is the place where the DID identification and the DID document are stored, and the corresponding DID document can be inquired through the DID identification.
Verifiable Credentials (VC for short): is a descriptive statement issued by one DID passing some attribute of another DID to endorse, and attaching its own digital signature to prove the authenticity of these attributes, which can be regarded as a digital certificate. A VC is also a JSON string that includes the following information: (1) VC metadata mainly includes information such as a publisher, a release date, a type of a declaration and the like; (2) claim, one or more specifications about the principal. For example, an identity card issued to my VC as a public security authority would include in the claims: name, sex, date of birth, ethnicity, address, etc.; (3) proof Proofs, which is typically a digital signature of the issuer, ensures that the present VC can be verified, prevents tampering of the VC contents, and verifies the issuer of the VC.
Verifiable expression (VP): the veriable presentation is abbreviated as VP, and the Verifiable presentation is data of the identity of the VC holder to the verifier table name. In general, we can show the full VC content directly, but in some cases we do not need to show the full VC content for privacy protection, only want to selectively disclose some attributes, or do not disclose any attributes, only need to prove some assertion. A VP is also a JSON string, which includes the following information: (1) the VP metadata mainly comprises information such as versions and types of JSON objects; (2) a VC list, which is to externally display the content of the VC, but may not contain any VC if it is a case of selective disclosure or privacy protection; (3) proofs certification is mainly the signature information of the holder for this VP.
The following detailed description is directed to alternative disclosure schemes for digital identity attributes referred to in this specification by specific examples.
Example one
The embodiment is described by taking the attribute disclosure of the identity document in real life as an example. In real life, without digital identity technology, when an identity document holder needs to present and verify an identity document, it is imperative that all attribute information on the identity document be provided to the verifier, a way in which identity attributes are not selectively revealed. However, with the digital identity DID technology, the identity document information can be generated into a digital identity, and selective disclosure of identity attributes is possible only in the case of digital identities.
Taking a hotel as an example, the name and identification number of the certificate holder need to be registered for authentication. However, the information such as the nationality and the address of the holder has no direct relation with hotel registration, if all the information is presented and submitted for verification, the hotel front office personnel may secretly write down or leak the address information to the internet for various reasons, various troubles are brought to the life of the certificate oneself, and the identity attribute of the holder needs to be selectively disclosed so as to reduce the risk of personal information leakage.
From the above scenario description, it can be seen that the above embodiments are implemented by two-way co-action. One aspect is how to generate DID digital identity attributes from the identity attributes of the document holder and sign the corresponding verifiable credential VC. Another aspect is that when the digital identity holder selectively submits a partial identity attribute for verification, the verifier is able to verify its authenticity only from the submitted partial identity attribute, i.e. verify the expressive VP authenticity. Therefore, the embodiment abstracts the first aspect as the side of the verifiable certificate VC for generating the digital identity attribute, that is, generating all the digital identity attributes of the holder, which is defined as the first component in the present specification; the second aspect is abstracted to the side of the verifiable representation VP that generates the digital identity attributes, i.e. the holder provides only the necessary identity attributes to verify, defined in this description as the second component.
In summary, the present embodiment provides a system for selectively disclosing digital identity attributes, comprising a first component and a second component, wherein,
the first component calculates the hash of each identity attribute field in the statement contained in the original certificate, forms a statement hash according to the identity attribute field hashes, then forms a new certificate by the statement hash and other fields of the certificate, calculates a second certificate hash, and signs the new certificate hash by using a private key so that the signature is used for verifying the identity attribute to be disclosed;
the verifier of the second component obtains the identity attribute field to be revealed, calculates the hash of the identity attribute field to be revealed, forms a new certificate by the statement hash and other fields of the original certificate after forming a statement hash according to the hash of the identity attribute field to be revealed and the hash of the identity attribute field not to be revealed, calculates the hash of the new certificate, decrypts the hash signature of the original certificate by using a public key of a certificate issuer to obtain the hash of the original certificate, and confirms the authenticity of the identity attribute if the hash of the new certificate is equal to the hash of the original certificate;
after the first component generates the owner signature, the second component verifies the identity attribute to be disclosed, which is submitted by the owner, according to the owner signature.
Example two
Referring to fig. 1, a schematic diagram of steps of a method for selectively disclosing a digital identity attribute provided in an embodiment of the present specification is shown, where an execution subject of the method is to generate a verifiable certificate VC side of the digital identity attribute, that is, to generate all digital identity attributes of a holder, which are defined as a first component in the present specification; the first component may specifically be an application service program (including a software client) or an electronic device such as a terminal. The present specification is exemplified as follows.
The method may comprise the steps of:
step 101: the hash of each identity attribute field in the claim contained in the original credential is computed.
Specifically, the identification number id, name, gender sender, birth date birthday, ethnic nation, and home address are all identity attributes of the Claim part of the original VC. The identity attribute is subjected to hash calculation, and a hash algorithm capable of realizing the scheme of the invention can be used for realizing the embodiment of the invention. However, since the embodiment also involves hash calculation in other steps, a uniquely selected hash algorithm should be used all the way to perform the hash calculation, so as to ensure the consistency of the calculation.
Step 102: and forming a statement hash according to the identity attribute field hash, and forming a new certificate by the statement hash and other fields of the original certificate.
Optionally, the declaration hash is formed by hashing the identity attribute field in a specified form. Specifically, the computed identity attribute hash strings may be sequentially spliced to form a new credential according to the declaration order of the identity attributes, where the new credential belongs to an intermediate "product" for computing a signature of the new credential.
Step 103: computing the new credential hash. Specifically, in this embodiment, a uniquely selected hash algorithm should be used during the hash calculation to ensure the calculation consistency, which is not described herein again.
Step 104: the issuer signs the new credential hash with a private key such that the signature is used to verify the identity attribute that needs to be revealed.
“proof”:{
"creator" refers to "did refers to public security department ID # keys-1",
“type”:“Secp256k1”,
“signatureValue”:
“3044022051757c2de7032a0c887c3fcef02ca3812fede7ca748254771b9513d8e2bb”
}
the signature signatureValue in the above example is a VC signature formed from the new credential. It should be noted here that the signature formation process uses an agreed private key.
Referring to fig. 2, a schematic diagram of steps of a method for selectively disclosing a digital identity attribute provided in an embodiment of the present specification is shown, where an execution subject of the method is a side for generating a verifiable representation of the digital identity attribute, that is, a holder only provides necessary identity attributes for verification, and the implementation subject is defined as a second component in the present specification; the second component may specifically be an application service program (including a software client) or an electronic device such as a terminal. The method may comprise the steps of:
the credential holder submits the identity attribute field to be revealed and the identity attribute field hash to be revealed to the verifier together with the original credential. It should be noted here that the identity attribute field to be exposed is submitted in the form of an original value, and the identity attribute field not to be exposed is submitted in the form of a hash value; at the same time, the original credential submitted by the holder to the verifier, i.e. the credential with the signature that the first component eventually generated for the holder. After the completion of the submission, the method comprises the following steps:
step 201: the verifier obtains the identity attribute field to be revealed.
Step 202: calculating the identity attribute field hash to be revealed.
Step 203: and forming a new certificate by the declaration hash and other fields of the original certificate after the declaration hash is formed according to the identity attribute field hash needing to be disclosed and the identity attribute field hash needing not to be disclosed.
Optionally, the declaration hash is formed by combining the identity attribute field hash to be revealed and the identity attribute field hash to be revealed in a specified form. Specifically, the computed identity attribute hash strings may be sequentially spliced to form a new credential according to the declaration order of the identity attributes, where the new credential belongs to an intermediate "product" for computing a signature of the new credential.
Step 204: computing the new credential hash.
Step 205: verifying a signature of the original credential using a credential issuer public key. It should be noted here that the signature verification process uses the agreed private key corresponding to the formed signature.
Step 206: and if the hash of the new certificate is equal to the hash of the original certificate, the authenticity of the identity attribute to be disclosed is confirmed.
Optionally, the second component uses a uniquely selected hash algorithm all the way through the hash calculation.
EXAMPLE III
Fig. 3 is a schematic structural diagram of an apparatus 300 for selectively disclosing digital identity attributes according to an embodiment of the present disclosure. Referring to fig. 3, in one embodiment, an apparatus for selectively disclosing digital identity attributes includes:
a hash calculation module 301, configured to calculate a hash value of the specified data;
the certificate management module 302 is configured to form a declaration hash according to the identity attribute field hash, and then form a new certificate by the declaration hash and other fields of the original certificate;
a signature generating module 303, configured to sign the new credential hash using a private key, so that the signature is used to verify the identity attribute to be disclosed.
Fig. 4 is a schematic structural diagram of an apparatus 400 for selectively disclosing digital identity attributes according to an embodiment of the present disclosure. Referring to fig. 4, in one embodiment, an apparatus for selectively disclosing digital identity attributes includes:
a hash calculation module 401, configured to calculate a hash value of the specified data;
the certificate management module 402 is configured to form a new certificate by using the declaration hash and other fields of the original certificate after forming a declaration hash according to the identity attribute field hash to be disclosed and the identity attribute field hash not to be disclosed;
the signature decryption module 403 is configured to decrypt the original credential hash signature by using the credential issuer public key to obtain an original credential hash;
a hash comparison module 404, configured to compare whether the new credential hash is equal to the original credential hash, so as to confirm identity attribute authenticity.
It should be understood that the selective disclosure apparatus for selectively disclosing digital identity attributes in the embodiments of the present specification can also perform the method performed by the selective disclosure apparatus (or device) for selectively disclosing digital identity attributes in fig. 1 to 2, and implement the functions of the selective disclosure apparatus (or device) for selectively disclosing digital identity attributes in the embodiments shown in fig. 1 to 2, which are not described herein again.
Example four
Fig. 5 is a schematic structural diagram of an electronic device according to an embodiment of the present specification. Referring to fig. 5, at a hardware level, the electronic device includes a processor, and optionally further includes an internal bus, a network interface, and a memory. The Memory may include a Memory, such as a Random-Access Memory (RAM), and may further include a non-volatile Memory, such as at least 1 disk Memory. Of course, the electronic device may also include hardware required for other services.
The processor, the network interface, and the memory may be connected to each other via an internal bus, which may be an ISA (Industry Standard Architecture) bus, a PCI (Peripheral Component Interconnect) bus, an EISA (Extended Industry Standard Architecture) bus, or the like. The bus may be divided into an address bus, a data bus, a control bus, etc. For ease of illustration, only one double-headed arrow is shown in FIG. 5, but this does not indicate only one bus or one type of bus.
And the memory is used for storing programs. In particular, the program may include program code comprising computer operating instructions. The memory may include both memory and non-volatile storage and provides instructions and data to the processor.
The processor reads the corresponding computer program from the nonvolatile memory into the memory and then runs the computer program to form the shared resource access control device on the logic level. The processor is used for executing the program stored in the memory and is specifically used for executing the following operations:
applied to a first component, comprising:
calculating the hash of each identity attribute field in the statement contained in the original certificate;
forming a statement hash according to the identity attribute field hash, and forming a new certificate by the statement hash and other fields of the certificate;
computing the new credential hash;
the issuer signs the new credential hash with a private key such that the signature is used to verify the identity attribute that needs to be revealed.
Or,
after submitting the identity attribute field to be disclosed and the identity attribute field hash not to be disclosed and the original certificate to the verifier, the certificate holder applies to a second component, which comprises:
the verifier obtains the identity attribute field to be disclosed;
calculating the hash of the identity attribute field to be disclosed;
forming a new certificate by the statement hash and other fields of the original certificate after the statement hash is formed according to the identity attribute field hash needing to be disclosed and the identity attribute field hash needing not to be disclosed;
computing the new credential hash;
verifying a signature of the original credential using a credential issuer public key;
and if the hash of the new certificate is equal to the hash of the original certificate, the authenticity of the identity attribute to be disclosed is confirmed.
The method for selectively disclosing the digital identity attribute disclosed in the embodiments of fig. 1 to 2 in the present specification may be applied to or implemented by a processor. The processor may be an integrated circuit chip having signal processing capabilities. In implementation, the steps of the above method may be performed by integrated logic circuits of hardware in a processor or instructions in the form of software. The Processor may be a general-purpose Processor, including a Central Processing Unit (CPU), a Network Processor (NP), and the like; but also Digital Signal Processors (DSPs), Application Specific Integrated Circuits (ASICs), Field Programmable Gate Arrays (FPGAs) or other Programmable logic devices, discrete Gate or transistor logic devices, discrete hardware components. The various methods, steps and logic blocks disclosed in the embodiments of the present specification may be implemented or performed. A general purpose processor may be a microprocessor or the processor may be any conventional processor or the like. The steps of a method disclosed in connection with the embodiments of the present specification may be embodied directly in a hardware decoding processor, or in a combination of hardware and software modules in the decoding processor. The software module may be located in ram, flash memory, rom, prom, or eprom, registers, etc. storage media as is well known in the art. The storage medium is located in a memory, and a processor reads information in the memory and completes the steps of the method in combination with hardware of the processor.
Of course, besides the software implementation, the electronic device of the embodiment of the present disclosure does not exclude other implementations, such as a logic device or a combination of software and hardware, and the like, that is, the execution subject of the following processing flow is not limited to each logic unit, and may also be hardware or a logic device.
EXAMPLE five
Embodiments of the present specification also propose a computer-readable storage medium storing one or more programs, the one or more programs comprising instructions, which when executed by a portable electronic device comprising a plurality of application programs, are capable of causing the portable electronic device to perform the method of the embodiments shown in fig. 1 to 4, and in particular to perform the method of:
applied to a first component, comprising:
calculating the hash of each identity attribute field in the statement contained in the original certificate;
forming a statement hash according to the identity attribute field hash, and forming a new certificate by the statement hash and other fields of the certificate;
computing the new credential hash;
the issuer signs the new credential hash with a private key such that the signature is used to verify the identity attribute that needs to be revealed.
Or,
after submitting the identity attribute field to be disclosed and the identity attribute field hash not to be disclosed and the original certificate to the verifier, the certificate holder applies to a second component, which comprises:
the verifier obtains the identity attribute field to be disclosed;
calculating the hash of the identity attribute field to be disclosed;
forming a new certificate by the statement hash and other fields of the original certificate after the statement hash is formed according to the identity attribute field hash needing to be disclosed and the identity attribute field hash needing not to be disclosed;
computing the new credential hash;
verifying a signature of the original credential using a credential issuer public key;
and if the hash of the new certificate is equal to the hash of the original certificate, the authenticity of the identity attribute to be disclosed is confirmed.
In short, the above description is only a preferred embodiment of the present disclosure, and is not intended to limit the scope of the present disclosure. Any modification, equivalent replacement, improvement and the like made within the spirit and principle of the present specification shall be included in the protection scope of the present specification.
The systems, devices, modules or units illustrated in the above embodiments may be implemented by a computer chip or an entity, or by a product with certain functions. One typical implementation device is a computer. In particular, the computer may be, for example, a personal computer, a laptop computer, a cellular telephone, a camera phone, a smartphone, a personal digital assistant, a media player, a navigation device, an email device, a game console, a tablet computer, a wearable device, or a combination of any of these devices.
Computer-readable media, including both non-transitory and non-transitory, removable and non-removable media, may implement information storage by any method or technology. The information may be computer readable instructions, data structures, modules of a program, or other data. Examples of computer storage media include, but are not limited to, phase change memory (PRAM), Static Random Access Memory (SRAM), Dynamic Random Access Memory (DRAM), other types of Random Access Memory (RAM), Read Only Memory (ROM), Electrically Erasable Programmable Read Only Memory (EEPROM), flash memory or other memory technology, compact disc read only memory (CD-ROM), Digital Versatile Discs (DVD) or other optical storage, magnetic cassettes, magnetic tape magnetic disk storage or other magnetic storage devices, or any other non-transmission medium that can be used to store information that can be accessed by a computing device. As defined herein, a computer readable medium does not include a transitory computer readable medium such as a modulated data signal and a carrier wave.
It should also be noted that the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or apparatus. Without further limitation, an element defined by the phrase "comprising an … …" does not exclude the presence of other like elements in a process, method, article, or apparatus that comprises the element.
The embodiments in the present specification are described in a progressive manner, and the same and similar parts among the embodiments are referred to each other, and each embodiment focuses on the differences from the other embodiments. In particular, for the system embodiment, since it is substantially similar to the method embodiment, the description is simple, and for the relevant points, reference may be made to the partial description of the method embodiment.
Claims (13)
1. A method for selectively disclosing digital identity attributes, applied to a first component, comprising:
calculating the hash of each identity attribute field in the statement contained in the original certificate;
forming a statement hash according to the identity attribute field hash, and forming a new certificate by the statement hash and other fields of the original certificate;
computing the new credential hash;
the issuer signs the new credential hash with a private key such that the signature is used to verify the identity attribute that needs to be revealed.
2. The method of claim 1, wherein hash formation of the claim hash from the identity attribute field is a concatenation formation in a specified form.
3. The method of claim 1, wherein the first component uses a uniquely selected hashing algorithm in performing the hash calculation.
4. An apparatus for selective disclosure of digital identity attributes, comprising:
the hash calculation module is used for calculating the hash value of the specified data;
the certificate management module is used for forming a statement hash according to the identity attribute field hash, and then forming a new certificate by the statement hash and other fields of the certificate;
and the signature generation module is used for signing the new certificate hash by using a private key so that the signature is used for verifying the identity attribute to be disclosed.
5. A selective disclosure method of digital identity attribute, wherein after submitting identity attribute field to be disclosed and identity attribute field hash not to be disclosed and original certificate to verifier, certificate holder is applied to second component, comprising:
the verifier obtains the identity attribute field to be disclosed;
calculating the hash of the identity attribute field to be disclosed;
forming a new certificate by the statement hash and other fields of the original certificate after the statement hash is formed according to the identity attribute field hash needing to be disclosed and the identity attribute field hash needing not to be disclosed;
computing the new credential hash;
verifying a signature of the original credential using a credential issuer public key;
and if the hash of the new certificate is equal to the hash of the original certificate, the authenticity of the identity attribute to be disclosed is confirmed.
6. The method of claim 5, wherein the identity attribute field hash that needs to be revealed and the identity attribute field hash that does not need to be revealed form a declaration hash that is composed in a concatenation of specified forms.
7. The method of claim 5, wherein the second component uses a uniquely selected hashing algorithm in performing the hash calculation.
8. An apparatus for selective disclosure of digital identity attributes, comprising:
the hash calculation module is used for calculating the hash value of the specified data;
the certificate management module is used for forming a new certificate by the statement hash and other fields of the original certificate after the statement hash is formed according to the identity attribute field hash needing to be disclosed and the identity attribute field hash needing not to be disclosed;
the signature decryption module is used for decrypting the original certificate hash signature by using the certificate issuer public key to obtain an original certificate hash;
and the hash comparison module is used for comparing whether the hash of the new certificate is equal to the hash of the original certificate so as to confirm the authenticity of the identity attribute.
9. A system for selective disclosure of digital identity attributes comprising a first component and a second component, wherein,
the first component calculates the hash of each identity attribute field in the statement contained in the original certificate, forms a statement hash according to the identity attribute field hashes, then forms a new certificate by the statement hash and other fields of the certificate, calculates a second certificate hash, and signs the new certificate hash by using a private key so that the signature is used for verifying the identity attribute to be disclosed;
the verifier of the second component obtains the identity attribute field to be revealed, calculates the hash of the identity attribute field to be revealed, forms a new certificate by the statement hash and other fields of the original certificate after forming a statement hash according to the hash of the identity attribute field to be revealed and the hash of the identity attribute field not to be revealed, calculates the hash of the new certificate, decrypts the hash signature of the original certificate by using a public key of a certificate issuer to obtain the hash of the original certificate, and confirms the authenticity of the identity attribute if the hash of the new certificate is equal to the hash of the original certificate;
after the first component generates the owner signature, the second component verifies the identity attribute to be disclosed, which is submitted by the owner, according to the owner signature.
10. An electronic device, comprising:
a processor; and
a memory arranged to store computer executable instructions that, when executed, cause the processor to perform the method of any of claims 1 to 3.
11. An electronic device, comprising:
a processor; and
a memory arranged to store computer executable instructions that, when executed, cause the processor to perform the method of any of claims 5 to 7.
12. A computer readable storage medium, characterized in that the computer readable storage medium stores one or more programs that, when executed by an electronic device comprising a plurality of application programs, cause the electronic device to perform the method of any of claims 1 to 3.
13. A computer readable storage medium, characterized in that the computer readable storage medium stores one or more programs that, when executed by an electronic device comprising a plurality of application programs, cause the electronic device to perform the method of any of claims 5 to 7.
Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202111061784.5A CN113922962A (en) | 2021-09-10 | 2021-09-10 | Method and device for selectively disclosing digital identity attribute |
Applications Claiming Priority (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202111061784.5A CN113922962A (en) | 2021-09-10 | 2021-09-10 | Method and device for selectively disclosing digital identity attribute |
Publications (1)
| Publication Number | Publication Date |
|---|---|
| CN113922962A true CN113922962A (en) | 2022-01-11 |
Family
ID=79234567
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CN202111061784.5A Pending CN113922962A (en) | 2021-09-10 | 2021-09-10 | Method and device for selectively disclosing digital identity attribute |
Country Status (1)
| Country | Link |
|---|---|
| CN (1) | CN113922962A (en) |
Cited By (2)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN114866260A (en) * | 2022-07-05 | 2022-08-05 | 杭州天谷信息科技有限公司 | Chameleon hash distributed identity use method and system |
| CN116232763A (en) * | 2023-05-05 | 2023-06-06 | 敏于行(北京)科技有限公司 | Selectively disclosed dynamic combination verifiable credential generation method and system |
Citations (8)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| US20170324750A1 (en) * | 2015-01-12 | 2017-11-09 | Sal Khan | Portable verifiable credentials and methods thereof |
| CN111680324A (en) * | 2020-05-28 | 2020-09-18 | 中国工商银行股份有限公司 | Certificate verification method, management method and issuing method for block chain |
| CN112235278A (en) * | 2020-10-10 | 2021-01-15 | 杭州溪塔科技有限公司 | Method and device for monitoring address information of trader and electronic equipment |
| WO2021068636A1 (en) * | 2019-10-11 | 2021-04-15 | 支付宝(杭州)信息技术有限公司 | Block chain-based creation method, apparatus, device and system for verifiable claim |
| CN112950220A (en) * | 2021-03-10 | 2021-06-11 | 湖南大学 | Enterprise digital identity management system and method based on block chain |
| CN113098838A (en) * | 2021-02-21 | 2021-07-09 | 西安电子科技大学 | Trusted distributed identity authentication method, system, storage medium and application |
| CN113139209A (en) * | 2021-04-15 | 2021-07-20 | 中国科学院软件研究所 | Verifiable credential implementation method and system based on atomic signature |
| CN113221148A (en) * | 2021-05-27 | 2021-08-06 | 中国人民银行数字货币研究所 | Information verification method and device |
-
2021
- 2021-09-10 CN CN202111061784.5A patent/CN113922962A/en active Pending
Patent Citations (8)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| US20170324750A1 (en) * | 2015-01-12 | 2017-11-09 | Sal Khan | Portable verifiable credentials and methods thereof |
| WO2021068636A1 (en) * | 2019-10-11 | 2021-04-15 | 支付宝(杭州)信息技术有限公司 | Block chain-based creation method, apparatus, device and system for verifiable claim |
| CN111680324A (en) * | 2020-05-28 | 2020-09-18 | 中国工商银行股份有限公司 | Certificate verification method, management method and issuing method for block chain |
| CN112235278A (en) * | 2020-10-10 | 2021-01-15 | 杭州溪塔科技有限公司 | Method and device for monitoring address information of trader and electronic equipment |
| CN113098838A (en) * | 2021-02-21 | 2021-07-09 | 西安电子科技大学 | Trusted distributed identity authentication method, system, storage medium and application |
| CN112950220A (en) * | 2021-03-10 | 2021-06-11 | 湖南大学 | Enterprise digital identity management system and method based on block chain |
| CN113139209A (en) * | 2021-04-15 | 2021-07-20 | 中国科学院软件研究所 | Verifiable credential implementation method and system based on atomic signature |
| CN113221148A (en) * | 2021-05-27 | 2021-08-06 | 中国人民银行数字货币研究所 | Information verification method and device |
Cited By (3)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN114866260A (en) * | 2022-07-05 | 2022-08-05 | 杭州天谷信息科技有限公司 | Chameleon hash distributed identity use method and system |
| CN114866260B (en) * | 2022-07-05 | 2022-10-28 | 杭州天谷信息科技有限公司 | Chameleon hash distributed identity using method and system |
| CN116232763A (en) * | 2023-05-05 | 2023-06-06 | 敏于行(北京)科技有限公司 | Selectively disclosed dynamic combination verifiable credential generation method and system |
Similar Documents
| Publication | Publication Date | Title |
|---|---|---|
| CN111401902B (en) | Service processing method, device and equipment based on block chain | |
| US11258612B2 (en) | Method, apparatus, and electronic device for blockchain-based recordkeeping | |
| WO2021068636A1 (en) | Block chain-based creation method, apparatus, device and system for verifiable claim | |
| CN113012008B (en) | Identity management method, device and equipment based on trusted hardware | |
| WO2021114872A1 (en) | Verifiable claim-based service processing method, apparatus, and device | |
| CN110035052B (en) | Method and device for checking historical transaction information and electronic equipment | |
| KR20240119060A (en) | Storage system for non-fungible tokens | |
| US11856107B2 (en) | Methods and systems for exchanging confidential information via a blockchain | |
| CN113922962A (en) | Method and device for selectively disclosing digital identity attribute | |
| CN118765403A (en) | Authenticated presentation of non-homogeneous pass | |
| CN114944937B (en) | Distributed digital identity verification method, system, electronic equipment and storage medium | |
| CN113901424A (en) | Method and device for selectively disclosing digital identity attribute | |
| CN114444125A (en) | Digital identity management method and device | |
| CN113704734A (en) | Distributed digital identity-based method for realizing certificate verification and related device | |
| US20230188353A1 (en) | Multi-issuer anonymous credentials for permissioned blockchains | |
| WO2023233173A1 (en) | Implementing self-sovereign identity (ssi) based on configurable individual profiles generated real-time from private attributes stored in the personal secure elements of the users | |
| WO2021223653A1 (en) | Methods and devices for protecting and verifying state transition of record | |
| ES2937922T3 (en) | Method for the electronic signature of contracts | |
| WO2021124498A1 (en) | Guarantee control method, information processing device, and guarantee control program | |
| CN113836521B (en) | Decentralized identity-based multiple identity management method and device | |
| WO2021223661A1 (en) | Methods and devices for protecting and verifying state information of record | |
| US20230403161A1 (en) | Aggregate anonymous credentials for decentralized identity in blockchain | |
| Hoang et al. | zkSSI: A Zero-Knowledge-Based Self-Sovereign Identity Framework | |
| CN118568771A (en) | Method, apparatus, medium and program product for asset privacy attestation | |
| WO2023034281A1 (en) | Systems and methods for use in generating audit logs related to network packets |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| PB01 | Publication | ||
| PB01 | Publication | ||
| SE01 | Entry into force of request for substantive examination | ||
| SE01 | Entry into force of request for substantive examination | ||
| RJ01 | Rejection of invention patent application after publication | ||
| RJ01 | Rejection of invention patent application after publication |
Application publication date: 20220111 |