CN113836521B - Decentralized identity-based multiple identity management method and device - Google Patents
Decentralized identity-based multiple identity management method and device Download PDFInfo
- Publication number
- CN113836521B CN113836521B CN202111422899.2A CN202111422899A CN113836521B CN 113836521 B CN113836521 B CN 113836521B CN 202111422899 A CN202111422899 A CN 202111422899A CN 113836521 B CN113836521 B CN 113836521B
- Authority
- CN
- China
- Prior art keywords
- identity
- decentralized
- decentralized identity
- target
- signature
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Active
Links
Images
Classifications
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/30—Authentication, i.e. establishing the identity or authorisation of security principals
- G06F21/45—Structures or tools for the administration of authentication
Landscapes
- Engineering & Computer Science (AREA)
- Computer Security & Cryptography (AREA)
- Theoretical Computer Science (AREA)
- Computer Hardware Design (AREA)
- Software Systems (AREA)
- Physics & Mathematics (AREA)
- General Engineering & Computer Science (AREA)
- General Physics & Mathematics (AREA)
- Management, Administration, Business Operations System, And Electronic Commerce (AREA)
Abstract
A decentralized identity-based multiple identity management method and device are provided, the method comprises the following steps: receiving an identity binding request, wherein the identity binding request carries a first signature corresponding to a first decentralized identity existing in a block chain and application information corresponding to a second decentralized identity to be applied; wherein the application information includes an authorization instruction for authorizing a legitimate holder of the first decentralized identity to use the second decentralized identity; verifying the validity of the first signature and the application information; and if the first signature and the validity check of the application information pass, applying for the second decentralized identity in the block chain based on the application information, and authorizing a legal holder of the first decentralized identity to use the second decentralized identity. By applying the scheme, the binding of multiple decentralized identities can be realized, and the convenience of managing multiple identities by the same user is improved.
Description
Technical Field
The present disclosure relates to the field of block chain technologies, and in particular, to a method and an apparatus for multiple identity management based on decentralized identity.
Background
In daily life, the service acquired by people from the society often depends on whether people have certain identities, and corresponding certificates or certificates are needed to prove that the people have the certain identities; with the richness, diversification and rigor of social services, people often need to hold a plurality of certificates or certificates to ensure that the certificates can flexibly use multiple identities in a plurality of scenes, but obviously, entity certificates such as traditional identity cards, employee cards and the like are difficult to carry about under the condition of a large number of the certificates.
In the related art, some software having a social service property may provide a digital card package function to solve the above-described problems; specifically, the software can collect the information such as images, characters, anti-counterfeiting marks and the like of the multiple certificates under the condition of obtaining the authorization of the user, and store the information in a client or a server in the form of digital files to form a digital card package containing the multiple digital certificates, and when the user needs to show the certificates, the corresponding digital certificates can be quickly called from the functions of the digital card package.
However, the above solutions only digitize the support of the certificate, and are still certificates using various centralized platforms, so that the management requirement of multiple identities and multiple certificates of one natural person cannot be fundamentally solved.
Disclosure of Invention
In view of the above, the present specification discloses a decentralized identity based multiple identity management method and apparatus.
According to a first aspect of embodiments of the present specification, a method for multiple identity management based on decentralized identity is disclosed, comprising:
receiving an identity binding request, wherein the identity binding request carries a first signature corresponding to an existing first decentralized identity of a block chain and application information corresponding to a second decentralized identity to be applied; wherein the application information includes an authorization instruction for authorizing a legitimate holder of the first decentralized identity to use the second decentralized identity;
verifying the validity of the first signature and the application information;
and if the first signature and the validity check of the application information pass, applying for the second decentralized identity in the block chain based on the application information, and authorizing a legal holder of the first decentralized identity to use the second decentralized identity.
Optionally, the authorizing the legitimate holder of the first decentralized identity to use the second decentralized identity includes:
adding the identity of the second decentralized identity to a set of sub-identity identities of the first decentralized identity; and are
And importing the private key of the second decentralized identity into a trusted execution environment which is used for signing with other decentralized identities under the first decentralized identity name.
Optionally, the identifier of the second decentralized identity carries an identity type tag of the second decentralized identity;
the method further comprises the following steps:
receiving a sub-identity lookup request, wherein the sub-identity lookup request carries a signature corresponding to a parent identity to be looked up and a type of the sub-identity to be looked up;
under the condition that the signature validity check corresponding to the parent identity to be consulted passes, searching a target decentralized identity which is matched with the identity type label and the type of the child identity to be consulted from the child identity set of the parent identity to be consulted;
and generating and returning a reference result corresponding to the target decentralized identity.
Optionally, the sub-identity lookup request carries a preset full-text presentation identifier;
the generating and returning a lookup result corresponding to the target decentralized identity comprises:
acquiring an attribute full text of the target decentralized identity;
generating a target signature of the attribute full text based on the target decentralized identity in a trusted execution environment which is used for signing with other decentralized identities under the parent identity name to be consulted;
and returning the attribute full text of the target decentralized identity and the target signature.
Optionally, the method further includes:
sending an information rechecking request to the information providing mechanism of the target decentralized identity so that the information providing mechanism rechecks the attribute full text of the target decentralized identity and returns a legal signature aiming at the attribute full text of the target decentralized identity under the condition that the rechecking is passed;
and returning the legality signature to the client side which sends the sub-identity lookup request.
According to a second aspect of embodiments herein, there is disclosed a decentralized identity based multiple identity management apparatus comprising:
the system comprises a receiving module, a first processing module and a second processing module, wherein the receiving module is used for receiving an identity binding request, and the identity binding request carries a first signature corresponding to a first decentralized identity existing in a block chain and application information corresponding to a second decentralized identity to be applied; wherein the application information includes an authorization instruction for authorizing a legitimate holder of the first decentralized identity to use the second decentralized identity;
the verification module is used for verifying the validity of the first signature and the application information;
and the authorization module is used for applying the second decentralized identity in the block chain based on the application information if the first signature and the legality verification of the application information pass, and authorizing the legal holder of the first decentralized identity to use the second decentralized identity.
Optionally, the authorization module further:
adding the identity of the second decentralized identity to a set of sub-identity identities of the first decentralized identity; and are
And importing the private key of the second decentralized identity into a trusted execution environment which is used for signing with other decentralized identities under the first decentralized identity name.
Optionally, the identifier of the second decentralized identity carries an identity type tag of the second decentralized identity;
the apparatus further comprises a lookup module to:
receiving a sub-identity lookup request, wherein the sub-identity lookup request carries a signature corresponding to a parent identity to be looked up and a type of the sub-identity to be looked up;
under the condition that the signature validity check corresponding to the parent identity to be consulted passes, searching a target decentralized identity which is matched with the identity type label and the type of the child identity to be consulted from the child identity set of the parent identity to be consulted;
and generating and returning a reference result corresponding to the target decentralized identity.
Optionally, the sub-identity lookup request carries a preset full-text presentation identifier;
the lookup module further:
acquiring an attribute full text of the target decentralized identity;
generating a target signature of the attribute full text based on the target decentralized identity in a trusted execution environment which is used for signing with other decentralized identities under the parent identity name to be consulted;
and returning the attribute full text of the target decentralized identity and the target signature.
Optionally, the apparatus further comprises:
the rechecking module is used for sending an information rechecking request to the information providing mechanism of the target decentralized identity so as to enable the information providing mechanism to recheck the attribute full text of the target decentralized identity and return a legal signature aiming at the attribute full text of the target decentralized identity under the condition that the rechecking is passed; and returning the legality signature to the client side which sends the sub-identity lookup request.
According to a third aspect of the embodiments of the present specification, a computer device is disclosed, which at least comprises a memory, a processor and a computer program stored on the memory and executable on the processor, wherein the processor implements the method of any of the above-mentioned aspect embodiments when executing the program.
According to a fourth aspect of embodiments herein, a computer-readable storage medium is disclosed, on which a computer program is stored, which, when executed by a processor, implements the method of any of the above-described aspect embodiments.
In the above technical solution, on one hand, the identity used by the user is not the identity authenticated by the traditional organization based on the centralized system, but a decentralized identity applied in the block chain; compared with the traditional scheme, the decentralized identity is beneficial to the intercommunication of the identity in a plurality of systems or application scenes which are connected to a block chain, and is also beneficial to a user to really master the ownership of the identity through a private key of the user.
On the other hand, after the first signature in the identity binding request is verified and the validity of the application information passes, the second decentralized identity of the new application becomes a sub-identity of the existing first decentralized identity, so that a natural user can indirectly use the second decentralized identity by using the first decentralized identity, the user does not need to manage a plurality of decentralized identities, and the use process of multiple decentralized identities is obviously simplified.
Drawings
The accompanying drawings, which are incorporated in and constitute a part of this specification, illustrate embodiments consistent with this specification and together with the description, serve to explain the principles.
FIG. 1 is a diagram illustrating an example scenario of a multiple identity and document shown in this specification;
FIG. 2 is a flow chart illustrating a decentralized identity based multiple identity management method according to the present disclosure;
FIG. 3 is an exemplary diagram illustrating an interaction for reviewing attributes of a decentralized identity, as described herein;
FIG. 4 is a diagram illustrating an example of a decentralized identity based multiple identity management arrangement;
fig. 5 is a diagram illustrating an example of a computer device for decentralized identity based multiple identity management according to this specification.
Detailed Description
In order to make those skilled in the art better understand the technical solutions in one or more embodiments of the present disclosure, the technical solutions in one or more embodiments of the present disclosure will be clearly and completely described below with reference to the drawings in one or more embodiments of the present disclosure. It is to be understood that the described embodiments are only a few, and not all embodiments. All other embodiments that can be derived by one of ordinary skill in the art from one or more embodiments of the disclosure without making any creative effort shall fall within the scope of the disclosure.
When the following description refers to the accompanying drawings, like numbers in different drawings represent the same or similar elements unless otherwise indicated. The embodiments described in the following exemplary embodiments do not represent all embodiments consistent with the present specification. Rather, they are merely examples of systems and methods consistent with aspects of the present description.
The terminology used in the description herein is for the purpose of describing particular embodiments only and is not intended to be limiting of the description. As used in this specification, the singular forms "a", "an", and "the" are intended to include the plural forms as well, unless the context clearly indicates otherwise. It should also be understood that the term "and/or" as used herein refers to and encompasses any and all possible combinations of one or more of the associated listed items.
It should be understood that although the terms first, second, third, etc. may be used herein to describe various information, these information should not be limited to these terms. These terms are only used to distinguish one type of information from another. For example, the first information may also be referred to as second information, and similarly, the second information may also be referred to as first information, without departing from the scope of the present specification. The word "if" as used herein may be interpreted as "at … …" or "when … …" or "in response to a determination", depending on the context.
In daily life, the service acquired by people from the society often depends on whether people have certain identities, and corresponding certificates or certificates are needed to prove that the people have the certain identities; with the richness, diversification and rigor of social services, people often need to hold a plurality of certificates or certificates to ensure that the people can flexibly use multiple identities in a plurality of scenes.
Referring to FIG. 1, FIG. 1 is a diagram illustrating an example scenario of a multiple identity and document shown in the present specification; in this example, the third natural person may have triple identities of college students, citizens in a city, and volunteers in a sports meeting at the same time, wherein the identity of a college student may correspond to three kinds of certificates, i.e., a student certificate, a campus card, and a student status certificate; if Zhang III needs to buy the student ticket, the student card is needed to prove that the student ticket has the identity of a college student of a school, if Zhang III needs to pass through a campus entrance guard, the campus card is needed to prove that the student ticket has the identity of the college student of the school, and if Zhang III needs to carry out practice application, the student certificate is needed to prove that the student ticket has the identity of the college student of the school.
Even though the certificates corresponding to citizens in a certain city and volunteers in a certain sports meeting in the above figures are not shown, it can be seen that the conventional identity cards, employee cards and other entity certificates are difficult to carry about and accurately find in a specific application scene.
In the related art, some software having a social service property may provide a digital card package function to solve the above-described problems; specifically, the software can collect the information such as images, characters, anti-counterfeiting marks and the like of the multiple certificates under the condition of obtaining the authorization of the user, and store the information in a client or a server in the form of digital files to form a digital card package containing the multiple digital certificates, and when the user needs to show the certificates, the corresponding digital certificates can be quickly called from the functions of the digital card package.
However, the above solutions only digitize the support of the certificate, and are still certificates using various centralized platforms, so that the management requirement of multiple identities and multiple certificates of one natural person cannot be fundamentally solved.
Based on this, the present specification proposes a technical solution that replaces the traditional identity mechanism managed by the traditional centralized mechanism with the decentralized identity mechanism, and enables the user to have the right to use the existing first decentralized identity to invoke the second decentralized identity of the new application in a binding manner.
In implementation, before applying for the second decentralized identity in the blockchain, the legitimate holder of the first decentralized identity may be authorized to use the second decentralized identity through an authorization instruction, so that the second decentralized identity can be used by the legitimate holder of the first decentralized identity after being applied.
In the above technical solution, on one hand, the identity used by the user is not the identity authenticated by the traditional organization based on the centralized system, but is a decentralized identity applied in the blockchain; compared with the traditional scheme, the decentralized identity is beneficial to the intercommunication of the identity in a plurality of systems or application scenes which are connected to a block chain, and is also beneficial to a user to really master the ownership of the identity through a private key of the user.
On the other hand, after the first signature in the identity binding request is verified and the validity of the application information passes, the second decentralized identity of the new application becomes a sub-identity of the existing first decentralized identity, so that a natural user can indirectly use the second decentralized identity by using the first decentralized identity, the user does not need to manage a plurality of decentralized identities, and the use process of multiple decentralized identities is obviously simplified.
The present specification is described below with reference to specific embodiments and specific application scenarios.
Referring to fig. 2, fig. 2 is a flowchart illustrating a decentralized identity based multiple identity management method according to an embodiment of the present disclosure, including the following steps:
s201, receiving an identity binding request, wherein the identity binding request carries a first signature corresponding to a first decentralized identity existing in a block chain and application information corresponding to a second decentralized identity to be applied; wherein the application information includes an authorization instruction for authorizing a legitimate holder of the first decentralized identity to use the second decentralized identity;
s202, verifying the validity of the first signature and the application information;
s203, if the first signature and the validity check of the application information pass, applying for the second decentralized identity in the block chain based on the application information, and authorizing the legal holder of the first decentralized identity to use the second decentralized identity.
It can be understood that the above method can be completed by a decentralized identity management platform similar to a BaaS (block chain as a Service) platform, or can be directly implemented by deploying a corresponding intelligent contract in a block chain in advance and by a logic of the intelligent contract; or, the two technologies are combined, a BaaS platform provides an internal and external interaction function of the chain, an intelligent contract completes the operation on the chain, and the like; this need not be the case.
The block chain in this specification may include any type of block chain. The block chain technology, also called as distributed account book technology, is a technology in which a plurality of computing devices participate in accounting together and maintain a complete distributed database together; in general, blockchains have the characteristics of decentralization, public transparency, participation in database records by each computing device, and rapid data synchronization between computing devices. Blockchains are generally divided into three types: public chain (Public Blockchain), Private chain (Private Blockchain) and alliance chain (Consortium Blockchain). Furthermore, there may be a combination of the above types, such as private chain + federation chain, federation chain + public chain, and so on. In general, various types of blockchain properties may differ, and thus may be used to meet different technical requirements; for example, if the highest degree of decentralization is desired, a public chain may be selected; federation chains, etc., may be selected if desired to compromise decentralization and performance. Various types of blockchains are advantageous, and those skilled in the art can select the type of blockchain according to specific needs, and the description does not limit the specific type of blockchain.
It can be understood that the above block chain may interact with the outside through a block chain as a Service (BaaS) platform. Generally, BaaS platforms can provide flexible and customizable blockchain services to client-side computing devices connected to BaaS platforms by providing pre-written applications for activities that occur on the blockchain (such as subscription and notification, user authentication, database management, and remote updates). For example, in one example, a client outside the blockchain needs to communicate data with the blockchain, the BaaS platform may provide a service application such as MQ (Message Queue); the decentralized identity management platform connected with the BaaS platform can subscribe an intelligent contract deployed on a certain block chain in a block chain system connected with the BaaS platform and trigger a contract event generated on the block chain after execution; and the BaaS platform can monitor the event generated on the block chain after the intelligent contract is triggered to execute, and then based on software related to MQ service, the contract event is added to the message queue in the form of notification message, so that the decentralized identity management platform subscribing the message queue can obtain the notification related to the contract event.
In the art, Decentralized Identity (DID) is generally understood as an Identity authentication mechanism that may contain an Identifier and a document, with global uniqueness, high availability resolvability and cryptographic verifiability. A decentralized identity may be said to be associated with a blockchain if the decentralized identity depends on a blockchain implementation. In implementation, a typical decentralized identity may be represented by the following character string:
did:example:123123123123abcabcabc
wherein, the did part is a system identification for indicating that the character string is a decentralized identity; the example part is a DID method identifier used for indicating the method on the block chain on which DID specifically depends; the 123123123123abcabc part is an identifier specified in the DID method, typically corresponding to a pair of public and private keys held by the individual whose identity corresponds to. The decentralized identity document may include an identity public key corresponding to the DID, a corresponding encryption algorithm, and other information, and may be used to verify the decentralized identity. For example, assuming that a user, zhang san sends a piece of information, which carries a signature of a decentralized identity and a DID identifier, other users can check the validity of the decentralized identity signature only by finding the decentralized identity public key of zhang san from the block chain according to the DID identifier, and if the check is passed, the sender of the information can be proved to be a person who holds the private key of zhang san of the user, that is, zhang san self.
In this specification, an identity binding request may be first received, where the identity binding request carries a first signature corresponding to an existing first decentralized identity of a block chain and application information corresponding to a second decentralized identity to be applied; wherein the application information includes an authorization instruction for authorizing a legitimate holder of the first decentralized identity to use the second decentralized identity; assuming that in the current scenario, ZusanIII of the user needs to apply for newly registering a volunteer identity in a decentralized identity form, and wants to use a citizen identity in the decentralized identity form to call the volunteer identity for operation, the citizen identity is a first decentralized identity, the volunteer identity is a second decentralized identity, and ZusanIII is a legal holder of the citizen identity; zhang III can send the identity binding request to a decentralized identity management platform which is connected to a block chain through a client terminal held by Zhang III so as to bind the volunteer identity to the citizen identity of Zhang III.
Analyzing from the action of the various information, the application information corresponding to the second decentralized identity to be applied may not only include the authorization command, but also be used to apply for the second decentralized identity in subsequent steps, for example, be used for applying for the volunteer identity, such as the required volunteer service time, volunteer service location, volunteer service items, and the like; the first signature corresponding to the first decentralized identity is used for verifying that the legal holder who authorizes the first decentralized identity uses the authorization instruction of the second decentralized identity to issue the authorization instruction for the legal holder of the first decentralized identity, so that the condition of malicious attachment is avoided.
It is understood that the specific representation forms of the above-mentioned various information, such as the used language, codes, formats, etc., can be determined by those skilled in the art according to the business requirements, for example, for easy understanding, the chinese text representation can be used, for enhancing the extensibility, the dynamic array can be used to store data, etc., and it is understood that the present specification does not need to make strict limitation or enumeration.
In this specification, the validity of the first signature and the application information may be further checked; for the first signature, a specific signature verification method may be designed according to a specifically adopted encryption algorithm, and may be determined by a person skilled in the art, which is not limited in the present specification; as for the application information, as mentioned above, the application information may be used to provide information required for registering the second decentralized identity, or may carry the authorization instruction, so in this step, the validity of the content carried in the application information may be verified; for example, it is checked whether the names of volunteers in chinese and english recorded therein match, whether the volunteer service location and the project belong to preset legal locations and projects, and the like.
It is understood that the verification may be a local verification or a verification performed in cooperation with other systems or platforms; for example, when checking whether the volunteer service site and the project belong to the preset legal site and the preset project, the checking result can be obtained by interacting with a third party managing a list of the preset legal site and the preset project. The skilled person can design the specific flow of the above validity check according to the specific business requirements, and the present specification does not need to further describe or define.
In this specification, if the first signature and the validity check of the application information pass, the second decentralized identity may be applied in the blockchain based on the application information, and a legitimate owner of the first decentralized identity may be authorized to use the second decentralized identity. Based on the above description, it can be seen that through the above process, the content of the newly applied second decentralized identity is specified by the application information, and the legitimate holder of the first decentralized identity obtains the right to use the second decentralized identity; from the data logical structure perspective, the first decentralized identity and the second decentralized identity can be considered to form a hierarchical structure, that is, the first decentralized identity can be considered to be a parent identity of the second decentralized identity and the second decentralized identity can be considered to be a child identity of the first decentralized identity based on the fact that the legitimate holder of the first decentralized identity has the right to use the second decentralized identity.
It can be understood that the above process can be iterated, and the two-level structure originally composed of two decentralized identities can be expanded into a decentralized identity tree structure, and each decentralized identity can be used as a node in the decentralized identity tree structure; therefore, a plurality of decentralized identities with dependency and authorization relations can be efficiently managed and used in a mode of managing a tree structure. Continuing with the example of the third natural person, the third natural person can have a highest-level decentralized identity of the natural person owned by the third natural person, three decentralized identities of college student identity, citizen identity and volunteer identity can be associated with the decentralized identity of the natural person, and the college student identity can be further associated with student cards, campus cards and student status to prove that the decentralized identities are several; therefore, when a student card needs to be shown to purchase a student ticket in a natural person three-in-one mode, only the identity of the natural person or the identity of the student and any upper-layer identity of the student card need to be shown, the decentralized identity corresponding to the student card can be quickly obtained through the query algorithm of the tree structure, and the subsequent business is completed through the verification mechanism of the decentralized identity.
In an embodiment shown, to implement the decentralized identity tree structure, a child identity set field may be added to an attribute of the decentralized identity as a parent identity, and is used to store an identity of the decentralized identity as a child identity, and indirectly manage a private key of the child identity in a trusted execution environment manner, so as to facilitate opening a signature of the child identity; specifically, taking the first decentralized identity and the second decentralized identity as examples, the process of authorizing the legitimate holder of the first decentralized identity to use the second decentralized identity may include: adding the identity of the second decentralized identity to the set of sub-identities of the first decentralized identity; and importing the private key of the second decentralized identity into the trusted execution environment signed by other decentralized identities under the first decentralized identity name.
By applying the scheme, the further improvement of the structure and the function of the multiple decentralized identities can be realized, so that the first decentralized identity serving as a parent identity can quickly access the second decentralized identity serving as a child identity through the child identity identification set of the first decentralized identity, and can indirectly call the private key of the second decentralized identity through the trusted execution environment under the name of the first decentralized identity to perform digital signature on the second decentralized identity.
In an embodiment shown, the above management scheme of multiple identities may further support querying according to the type of the sub-identity; specifically, the identifier of the second decentralized identity may carry an identity type tag of the second decentralized identity; that is, in implementing the above-described binding between decentralized identities, the type of decentralized identity, which is a child identity, is stored with the identity in the child identity set of the parent identity.
When the query is specifically performed, a sub-identity query request carrying a signature corresponding to a parent identity to be queried and a type of a sub-identity to be queried can be received; wherein, the signature corresponding to the father identity is used for determining that the query request is agreed by the holder of the father identity, so as to avoid unauthorized query of other people; under the condition that the signature validity check corresponding to the parent identity to be consulted passes, searching a target decentralized identity with the identity type label matched with the type of the child identity to be consulted from the child identity set of the parent identity to be consulted; after the target decentralized identity is found, a lookup result corresponding to the target decentralized identity can be generated and returned.
It can be understood that, in order to accelerate the lookup process, the sub-identity sets of each node in the decentralized identity tree may be unified into a fast lookup tree in a cache manner, so as to further increase the speed of the lookup process; the specific data structure and the encoding mode of the above lookup result can be designed by those skilled in the art according to specific requirements, and the specification is not further limited.
In an embodiment shown, the above multiple identity management scheme may further support proving to a third party that someone holding a parent identity has a child identity; when the sub-identity lookup request is realized, the sub-identity lookup request carries a preset full-text presentation identifier; the generating and returning a reference result corresponding to the target decentralized identity may include: acquiring an attribute full text of the target decentralized identity; generating a target signature of the full-text attribute based on the target decentralized identity in a trusted execution environment for signing with other decentralized identities under the parent identity name to be consulted; and returning the attribute full text of the target decentralized identity and the target signature.
Through the process, the reference result obtained by the client side comprises the attribute full text of the target decentralized identity and the target signature, and the target signature is issued by the target decentralized identity, so that the third party can trust that the client side with the father identity can not only show the attribute full text of the target decentralized identity, but also sign by the target decentralized identity as long as the reference result is shown to the third party.
In an embodiment, the method may further include a process of performing information review on the target decentralized identity; specifically, the decentralized identity management platform may send an information rechecking request to the information providing mechanism of the target decentralized identity, so that the information providing mechanism rechecks the full-text attribute of the target decentralized identity, and returns a legal signature for the full-text attribute of the target decentralized identity when the rechecking is passed; and returning the legality signature to the client side which sends the sub-identity lookup request.
Referring to FIG. 3, FIG. 3 is an exemplary diagram illustrating an interaction for reviewing attributes of a decentralized identity, according to the present disclosure; in this example, a more complete interactive process that may occur is provided, in this process, a client may first send a rechecking instruction carrying a parent identity signature to a decentralized identity management platform, and then, when the decentralized identity management platform verifies that the parent identity signature carried by the decentralized identity management platform is legal, send a rechecking request to an information providing mechanism corresponding to a target decentralized identity that needs to be rechecked, where the rechecking request may include a full attribute or a partial attribute of the target decentralized identity to be verified, so that the information providing mechanism rechecks the attribute that needs to be rechecked, and if the attribute passes the rechecking request, send a corresponding legal signature to the decentralized identity management platform, and then, the decentralized identity management platform forwards the legal signature to the client. Thus, the client receives the confirmation signature of the validity of part or all of the attributes of the target decentralized identity from the information providing mechanism, and can prove the validity of part or all of the information of the target decentralized identity to any third party only by showing the validity signature.
The foregoing is a full description of the present specification directed to the decentralized identity based multiple identity management method. Based on the above contents, the above scheme disclosed in this specification is not only beneficial to the intercommunication of identities in multiple systems or application scenarios docked to a block chain, but also beneficial to a user to really master the ownership of their identities through their private keys, and can be convenient for a natural person user to indirectly use the above second decentralized identity by using the first decentralized identity, the user does not need to manage multiple decentralized identities any more, and the use flow of multiple decentralized identities is significantly simplified.
The present specification further provides embodiments of a corresponding decentralized identity based multiple identity management apparatus as follows:
fig. 4 is a diagram illustrating a structure of a decentralized identity-based multiple identity management apparatus shown in fig. 4; the device can comprise the following modules:
the receiving module 401 receives an identity binding request, where the identity binding request carries a first signature corresponding to an existing first decentralized identity of a block chain and application information corresponding to a second decentralized identity to be applied; wherein the application information includes an authorization instruction for authorizing a legitimate holder of the first decentralized identity to use the second decentralized identity;
a verification module 402, configured to verify the validity of the first signature and the application information;
an authorization module 403, configured to apply for the second decentralized identity in the block chain based on the application information if the first signature and the validity check of the application information pass, and authorize a legitimate owner of the first decentralized identity to use the second decentralized identity.
In an embodiment, the authorization module may further: adding the identifier of the second decentralized identity to the sub-identity identifier set of the first decentralized identity; and importing the private key of the second decentralized identity into a trusted execution environment signed by other decentralized identities under the first decentralized identity name. By applying the scheme, the further improvement of the structure and the function of the multiple decentralized identities can be realized, so that the first decentralized identity serving as a parent identity can quickly access the second decentralized identity serving as a child identity through the child identity identification set of the first decentralized identity, and can indirectly call the private key of the second decentralized identity through the trusted execution environment under the name of the first decentralized identity to perform digital signature on the second decentralized identity.
In a specific embodiment, the identifier of the second decentralized identity carries an identity type tag of the second decentralized identity; the apparatus may further include a lookup module to: receiving a sub-identity lookup request, wherein the sub-identity lookup request carries a signature corresponding to a parent identity to be looked up and a type of the sub-identity to be looked up; under the condition that the validity check of the signature corresponding to the parent identity to be consulted is passed, searching a target decentralized identity which is matched with the identity type label and the type of the child identity to be consulted from the child identity set of the parent identity to be consulted; and generating and returning a reference result corresponding to the target decentralized identity. By applying the scheme, the sub-identity query can be realized according to the type of the sub-identity.
In a specific embodiment, the sub-identity lookup request carries a preset full-text presentation identifier; the above consulting module may further: taking the attribute full text of the target decentralized identity; generating a target signature of the full-text attribute based on the target decentralized identity in a trusted execution environment for signing with other decentralized identities under the parent identity name to be consulted; and returning the attribute full text of the target decentralized identity and the target signature. By applying the scheme, the query result obtained by the client comprises the attribute full text of the target decentralized identity and the target signature, and the target signature is issued by the target decentralized identity, so that the third party can trust that the client with the father identity can not only show the attribute full text of the target decentralized identity, but also sign by the target decentralized identity as long as the query result is shown to the third party.
In a specific embodiment, the apparatus may further include: the rechecking module is used for sending an information rechecking request to the information providing mechanism of the target decentralized identity so as to enable the information providing mechanism to recheck the attribute full text of the target decentralized identity and return a legal signature aiming at the attribute full text of the target decentralized identity under the condition that the rechecking is passed; and returning the legality signature to the client side which sends the sub-identity lookup request. By applying the scheme, the rechecking of the full attribute text of the target decentralized identity is realized, and the client sending the sub-identity lookup request can prove the legality of the full attribute text of the target decentralized identity to any third party.
Embodiments of the present specification also provide a computer device, which at least includes a memory, a processor, and a computer program stored in the memory and executable on the processor, wherein the processor executes the program to implement the foregoing decentralized identity based multiple identity management method.
Fig. 5 is a schematic diagram illustrating a more specific hardware structure of a computing device according to an embodiment of the present disclosure, where the computing device may include: a processor 1010, a memory 1020, an input/output interface 1030, a communication interface 1040, and a bus 1050. Wherein the processor 1010, memory 1020, input/output interface 1030, and communication interface 1040 are communicatively coupled to each other within the device via bus 1050.
The processor 1010 may be implemented by a general-purpose CPU (Central Processing Unit), a microprocessor, an Application Specific Integrated Circuit (ASIC), or one or more Integrated circuits, and is configured to execute related programs to implement the technical solutions provided in the embodiments of the present disclosure.
The Memory 1020 may be implemented in the form of a ROM (Read Only Memory), a RAM (Random Access Memory), a static storage device, a dynamic storage device, or the like. The memory 1020 may store an operating system and other application programs, and when the technical solution provided by the embodiments of the present specification is implemented by software or firmware, the relevant program codes are stored in the memory 1020 and called to be executed by the processor 1010.
The input/output interface 1030 is used for connecting an input/output module to input and output information. The i/o module may be configured as a component in a device (not shown) or may be external to the device to provide a corresponding function. The input devices may include a keyboard, a mouse, a touch screen, a microphone, various sensors, etc., and the output devices may include a display, a speaker, a vibrator, an indicator light, etc.
The communication interface 1040 is used for connecting a communication module (not shown in the drawings) to implement communication interaction between the present apparatus and other apparatuses. The communication module can realize communication in a wired mode (such as USB, network cable and the like) and also can realize communication in a wireless mode (such as mobile network, WIFI, Bluetooth and the like).
It should be noted that although the above-mentioned device only shows the processor 1010, the memory 1020, the input/output interface 1030, the communication interface 1040 and the bus 1050, in a specific implementation, the device may also include other components necessary for normal operation. In addition, those skilled in the art will appreciate that the above-described apparatus may also include only those components necessary to implement the embodiments of the present description, and not necessarily all of the components shown in the figures.
Embodiments of the present specification also provide a computer-readable storage medium, on which a computer program is stored, where the computer program, when executed by a processor, implements the foregoing decentralized identity based multiple identity management method.
Computer-readable media, including both non-transitory and non-transitory, removable and non-removable media, may implement information storage by any method or technology. The information may be computer readable instructions, data structures, modules of a program, or other data. Examples of computer storage media include, but are not limited to, phase change memory (PRAM), Static Random Access Memory (SRAM), Dynamic Random Access Memory (DRAM), other types of Random Access Memory (RAM), Read Only Memory (ROM), Electrically Erasable Programmable Read Only Memory (EEPROM), flash memory or other memory technology, compact disc read only memory (CD-ROM), Digital Versatile Discs (DVD) or other optical storage, magnetic cassettes, magnetic tape magnetic disk storage or other magnetic storage devices, or any other non-transmission medium that can be used to store information that can be accessed by a computing device. As defined herein, a computer readable medium does not include a transitory computer readable medium such as a modulated data signal and a carrier wave.
From the above description of the embodiments, it is clear to those skilled in the art that the embodiments of the present disclosure can be implemented by software plus necessary general hardware platform. Based on such understanding, the technical solutions of the embodiments of the present specification may be essentially or partially implemented in the form of a software product, which may be stored in a storage medium, such as a ROM/RAM, a magnetic disk, an optical disk, etc., and includes several instructions for enabling a computer device (which may be a personal computer, a server, or a network device, etc.) to execute the methods described in the embodiments or some parts of the embodiments of the present specification.
The systems, devices, modules or units illustrated in the above embodiments may be implemented by a computer chip or an entity, or by a product with certain functions. A typical implementation device is a computer, which may take the form of a personal computer, laptop computer, cellular telephone, camera phone, smart phone, personal digital assistant, media player, navigation device, email messaging device, game console, tablet computer, wearable device, or a combination of any of these devices.
The embodiments in the present specification are described in a progressive manner, and the same and similar parts among the embodiments are referred to each other, and each embodiment focuses on the differences from the other embodiments. In particular, for the apparatus embodiment, since it is substantially similar to the method embodiment, it is relatively simple to describe, and reference may be made to some descriptions of the method embodiment for relevant points. The above-described apparatus embodiments are merely illustrative, and the modules described as separate components may or may not be physically separate, and the functions of the modules may be implemented in one or more software and/or hardware when implementing the embodiments of the present disclosure. And part or all of the modules can be selected according to actual needs to achieve the purpose of the scheme of the embodiment. One of ordinary skill in the art can understand and implement it without inventive effort.
The foregoing is only a specific embodiment of the embodiments of the present disclosure, and it should be noted that, for those skilled in the art, a plurality of modifications and decorations can be made without departing from the principle of the embodiments of the present disclosure, and these modifications and decorations should also be regarded as the protection scope of the embodiments of the present disclosure.
Claims (12)
1. A decentralized identity based multiple identity management method comprises the following steps:
receiving an identity binding request, wherein the identity binding request carries a first signature corresponding to a first decentralized identity existing in a block chain and application information corresponding to a second decentralized identity to be applied; wherein the application information includes an authorization instruction for authorizing a legitimate holder of the first decentralized identity to use the second decentralized identity;
verifying the validity of the first signature and the application information;
and if the first signature and the validity check of the application information pass, applying for the second decentralized identity in the block chain based on the application information, and authorizing a legal holder of the first decentralized identity to use the second decentralized identity, so that the second decentralized identity becomes a sub-identity of the first decentralized identity.
2. The method of claim 1, the authorizing a legitimate holder of the first decentralized identity to use the second decentralized identity to make the second decentralized identity a sub-identity of the first decentralized identity, comprising:
adding the identity of the second decentralized identity to a set of sub-identity identities of the first decentralized identity; and are
And importing the private key of the second decentralized identity into a trusted execution environment which is used for signing with other decentralized identities under the first decentralized identity name.
3. The method of claim 2, wherein the identity of the second decentralized identity carries an identity type tag of the second decentralized identity;
the method further comprises the following steps:
receiving a sub-identity lookup request, wherein the sub-identity lookup request carries a signature corresponding to a parent identity to be looked up and a type of the sub-identity to be looked up;
under the condition that the signature validity check corresponding to the parent identity to be consulted passes, searching a target decentralized identity which is matched with the identity type label and the type of the child identity to be consulted from the child identity set of the parent identity to be consulted;
and generating and returning a reference result corresponding to the target decentralized identity.
4. The method according to claim 3, wherein the sub-identity lookup request carries a preset full-text presentation identifier;
the generating and returning a lookup result corresponding to the target decentralized identity comprises:
acquiring an attribute full text of the target decentralized identity;
generating a target signature of the attribute full text based on the target decentralized identity in a trusted execution environment which is used for signing with other decentralized identities under the parent identity name to be consulted;
and returning the attribute full text of the target decentralized identity and the target signature.
5. The method of claim 4, further comprising:
sending an information rechecking request to the information providing mechanism of the target decentralized identity so that the information providing mechanism rechecks the attribute full text of the target decentralized identity and returns a legal signature aiming at the attribute full text of the target decentralized identity under the condition that the rechecking is passed;
and returning the legality signature to the client side which sends the sub-identity lookup request.
6. A decentralized identity based multiple identity management apparatus comprising:
the system comprises a receiving module, a first processing module and a second processing module, wherein the receiving module is used for receiving an identity binding request, and the identity binding request carries a first signature corresponding to a first decentralized identity existing in a block chain and application information corresponding to a second decentralized identity to be applied; wherein the application information includes an authorization instruction for authorizing a legitimate holder of the first decentralized identity to use the second decentralized identity;
the verification module is used for verifying the validity of the first signature and the application information;
and the authorization module applies for the second decentralized identity in the block chain based on the application information if the first signature and the validity check of the application information pass, and authorizes a legal holder of the first decentralized identity to use the second decentralized identity, so that the second decentralized identity becomes a sub-identity of the first decentralized identity.
7. The apparatus of claim 6, the authorization module further to:
adding the identity of the second decentralized identity to a set of sub-identity identities of the first decentralized identity; and are
And importing the private key of the second decentralized identity into a trusted execution environment which is used for signing with other decentralized identities under the first decentralized identity name.
8. The apparatus of claim 7, wherein the identity of the second decentralized identity carries an identity type tag of the second decentralized identity;
the apparatus further comprises a lookup module to:
receiving a sub-identity lookup request, wherein the sub-identity lookup request carries a signature corresponding to a parent identity to be looked up and a type of the sub-identity to be looked up;
under the condition that the signature validity check corresponding to the parent identity to be consulted passes, searching a target decentralized identity which is matched with the identity type label and the type of the child identity to be consulted from the child identity set of the parent identity to be consulted;
and generating and returning a reference result corresponding to the target decentralized identity.
9. The apparatus according to claim 8, wherein the sub-identity lookup request carries a preset full-text presentation identifier;
the lookup module further:
acquiring an attribute full text of the target decentralized identity;
generating a target signature of the attribute full text based on the target decentralized identity in a trusted execution environment which is used for signing with other decentralized identities under the parent identity name to be consulted;
and returning the attribute full text of the target decentralized identity and the target signature.
10. The apparatus of claim 9, the apparatus further comprising:
the rechecking module is used for sending an information rechecking request to the information providing mechanism of the target decentralized identity so as to enable the information providing mechanism to recheck the attribute full text of the target decentralized identity and return a legal signature aiming at the attribute full text of the target decentralized identity under the condition that the rechecking is passed; and returning the legality signature to the client side which sends the sub-identity lookup request.
11. A computer device comprising at least a memory, a processor and a computer program stored on the memory and executable on the processor, wherein the processor implements the method of any of claims 1 to 5 when executing the program.
12. A computer-readable storage medium, on which a computer program is stored which, when being executed by a processor, carries out the method of any one of claims 1 to 5.
Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202111422899.2A CN113836521B (en) | 2021-11-26 | 2021-11-26 | Decentralized identity-based multiple identity management method and device |
Applications Claiming Priority (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202111422899.2A CN113836521B (en) | 2021-11-26 | 2021-11-26 | Decentralized identity-based multiple identity management method and device |
Publications (2)
| Publication Number | Publication Date |
|---|---|
| CN113836521A CN113836521A (en) | 2021-12-24 |
| CN113836521B true CN113836521B (en) | 2022-02-25 |
Family
ID=78971628
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CN202111422899.2A Active CN113836521B (en) | 2021-11-26 | 2021-11-26 | Decentralized identity-based multiple identity management method and device |
Country Status (1)
| Country | Link |
|---|---|
| CN (1) | CN113836521B (en) |
Citations (4)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN104378342A (en) * | 2014-01-10 | 2015-02-25 | 腾讯科技(深圳)有限公司 | Multi-account verification method, device and system |
| CN109241726A (en) * | 2017-07-10 | 2019-01-18 | 上海策赢网络科技有限公司 | A kind of user authority control method and device |
| CN112257056A (en) * | 2020-10-26 | 2021-01-22 | 深圳市德卡科技股份有限公司 | Unified authentication method and system for multiple identity media |
| CN113544669A (en) * | 2019-03-18 | 2021-10-22 | 微软技术许可有限责任公司 | Authentication across decentralized and centralized identities |
Family Cites Families (2)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| US11909882B2 (en) * | 2020-01-30 | 2024-02-20 | Dell Products L.P. | Systems and methods to cryptographically verify an identity of an information handling system |
| CN111797373B (en) * | 2020-07-08 | 2021-07-20 | 杭州云链趣链数字科技有限公司 | Method, system, computer device and readable storage medium for identity information authentication |
-
2021
- 2021-11-26 CN CN202111422899.2A patent/CN113836521B/en active Active
Patent Citations (4)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN104378342A (en) * | 2014-01-10 | 2015-02-25 | 腾讯科技(深圳)有限公司 | Multi-account verification method, device and system |
| CN109241726A (en) * | 2017-07-10 | 2019-01-18 | 上海策赢网络科技有限公司 | A kind of user authority control method and device |
| CN113544669A (en) * | 2019-03-18 | 2021-10-22 | 微软技术许可有限责任公司 | Authentication across decentralized and centralized identities |
| CN112257056A (en) * | 2020-10-26 | 2021-01-22 | 深圳市德卡科技股份有限公司 | Unified authentication method and system for multiple identity media |
Also Published As
| Publication number | Publication date |
|---|---|
| CN113836521A (en) | 2021-12-24 |
Similar Documents
| Publication | Publication Date | Title |
|---|---|---|
| CN110060162B (en) | Data authorization and query method and device based on block chain | |
| US11323260B2 (en) | Method and device for identity verification | |
| CN107086909B (en) | Identity information generation method and device and identity verification method and device | |
| US9397838B1 (en) | Credential management | |
| CN113283905A (en) | Data storage and acquisition method and device based on block chain | |
| CN116432247A (en) | Infringement evidence method and device based on blockchain | |
| KR20120036831A (en) | Integrating updates into a social-networking service | |
| CN110020945B (en) | Data reading method and system based on multiple block chain networks | |
| CN109493087A (en) | A kind of method, computer installation and computer readable storage medium based on two dimensional code examination Immovable Property Registration information | |
| CN109327312A (en) | Authentication method and device, electronic equipment | |
| CN112398799A (en) | Single sign-on method, device and system | |
| CN110674531A (en) | Residence information management method, device, server and medium based on block chain | |
| CN110474775A (en) | User's creation method, device and equipment in a kind of piece of chain type account book | |
| KR20200055178A (en) | Management server and method of digital signature for electronic document | |
| CN106685945B (en) | Service request processing method, service handling number verification method and terminal thereof | |
| CN115130075A (en) | Digital signature method and device, electronic equipment and storage medium | |
| CN113221165B (en) | User element authentication method and device based on block chain | |
| CN114971827A (en) | Account checking method and device based on block chain, electronic equipment and storage medium | |
| CN113129008B (en) | Data processing method, device, computer readable medium and electronic equipment | |
| CN112906064B (en) | Method and device for generating description information | |
| US20220337435A1 (en) | Secure identity card using unclonable functions | |
| CN113704734A (en) | Distributed digital identity-based method for realizing certificate verification and related device | |
| CN110060151B (en) | Service execution method and device | |
| CN113836521B (en) | Decentralized identity-based multiple identity management method and device | |
| CN113765674B (en) | Cross-platform registration method and device based on blockchain |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| PB01 | Publication | ||
| PB01 | Publication | ||
| SE01 | Entry into force of request for substantive examination | ||
| SE01 | Entry into force of request for substantive examination | ||
| GR01 | Patent grant | ||
| GR01 | Patent grant |