CN114928447A - Data management method and system based on distributed identity - Google Patents


Info

Publication number
CN114928447A
Authority
CN
China
Prior art keywords
data
verification
information
user
scene
Prior art date
Legal status
Granted
Application number
CN202210125719.2A
Other languages
Chinese (zh)
Other versions
CN114928447B (en)
Inventor
吴玉会
闫继攀
李永乐
王怀清
蒋大龙
刘晓华
Current Assignee
Beijing Qingxin Technology Co ltd
Original Assignee
Beijing Qingxin Technology Co ltd
Priority date
Filing date
Publication date
Application filed by Beijing Qingxin Technology Co ltd
Priority to CN202210125719.2A
Publication of CN114928447A
Application granted
Publication of CN114928447B
Legal status: Active

Classifications

All under H (Electricity) > H04 (Electric communication technique) > H04L (Transmission of digital information, e.g. telegraphic communication):
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/08 ... for authentication of entities
    • H04L 63/0876 ... based on the identity of the terminal or configuration, e.g. MAC address, hardware or software configuration or device fingerprint
    • H04L 63/12 Applying verification of the received information
    • H04L 63/126 ... verifying the source of the received data
    • H04L 9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; network security protocols
    • H04L 9/32 ... including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L 9/3226 ... using a predetermined code, e.g. password, passphrase or PIN
    • H04L 9/3236 ... using cryptographic hash functions

Abstract

The application discloses a data management method and system based on distributed identity, belonging to the field of blockchain technology. The method comprises: a user party sends the data to be managed to a data party on the blockchain; the data party generates a trusted credential and verification information from the data and returns both to the user party, the verification information being usable for either online or offline verification; the user party receives the trusted credential and the verification information; a scenario party sends a verification request to the user party; the user party generates data information from the data and the verification request and sends the data information, the trusted credential and the verification information to the scenario party; and the scenario party selects a verification mode according to the verification information and verifies the data information, the trusted credential and the verification information in that mode. Offline verification can be used when the scenario party's verification capability is sufficient and the business-compliance requirements are low; online verification is used when the scenario party's verification capability is insufficient or the business-compliance requirements are high.

Description

Data management method and system based on distributed identity
Technical Field
The embodiments of this application relate to the field of blockchain technology, and in particular to a data management method and system based on distributed identity.
Background
The user party can send its identity data to a data party on the blockchain, and the data party returns a credential to the user party. When a scenario party later needs to verify the user party's identity data, it obtains the credential from the user party and performs offline verification against it.
The accuracy of offline verification depends on the scenario party. When the scenario party's verification capability is insufficient, or the verification has high business-compliance requirements, offline verification cannot meet the verification requirement.
Disclosure of Invention
The embodiments of this application provide a data management method and system based on distributed identity, to solve the problem that offline verification cannot meet the verification requirement when the scenario party's verification capability is insufficient or the business-compliance requirements are high. The technical solution is as follows:
In one aspect, a data management method based on distributed identity is provided. The method comprises:
the user party sends the data to be managed to a data party on the blockchain;
the data party generates a trusted credential and verification information from the data and sends both to the user party, where the trusted credential contains a user identifier and the verification information is used for online verification or offline verification;
the user party receives the trusted credential and the verification information;
a scenario party sends a verification request to the user party;
the user party generates data information from the data and the verification request, and sends the data information, the trusted credential and the verification information to the scenario party;
and the scenario party selects a verification mode according to the verification information and verifies the data information, the trusted credential and the verification information in that mode, the mode being online verification or offline verification.
In a possible implementation, when the verification information is used for online verification it contains a verification identifier allocated by the data party;
and when the verification information is used for offline verification it contains a root hash value generated from the data.
In a possible implementation, when the verification information is used for online verification, verifying the data information, the trusted credential and the verification information in that mode comprises:
the scenario party sends a verification request to the data party, the request containing the data information, the trusted credential and the verification information;
and the data party verifies the verification identifier in the verification information, and, once that check passes, retrieves the data stored on chain for the user identifier in the trusted credential, verifies the data information against it, and returns the verification result to the scenario party.
In a possible implementation, after the data party generates the trusted credential and the verification information from the data, the method further comprises: the data party records a correspondence between the user identifier in the trusted credential and the verification identifier in the verification information;
and the data party's verification of the verification identifier comprises: the data party reads the verification identifier from the verification information and the user identifier from the trusted credential, checks whether a correspondence between the two exists, and, if it does, determines that the check passes.
In a possible implementation, when the data consists of a plurality of fields arranged in a predetermined order, verifying the data information against the data comprises:
when the data information contains the plaintext of some fields and the field hash values of the remaining fields, the data party replaces the plaintext of each such field with the corresponding field hash value;
the data party hashes the field hash values of all the fields together to obtain a first hash value;
the data party retrieves from the chain the root hash value generated from the data;
and the data party checks whether the root hash value and the first hash value are identical.
In a possible implementation, the method further comprises:
after the data party obtains the data, it replaces the plaintext of each field in the data with the field hash value of that field;
and the data party hashes the field hash values of all the fields together and stores the resulting root hash value on chain.
In a possible implementation, when the verification information is used for offline verification, verifying the data information, the trusted credential and the verification information in that mode comprises:
when the data information contains the plaintext of some fields and the field hash values of the remaining fields, the scenario party replaces the plaintext of each such field with the corresponding field hash value;
the scenario party hashes the field hash values of all the fields together to obtain a second hash value;
the scenario party obtains a key according to the trusted credential and uses it to decrypt the root hash value carried in the verification information (the data party encrypts the root hash with its own private key, so in effect this step verifies the data party's signature over the root hash);
and the scenario party checks whether the root hash value and the second hash value are identical.
In a possible implementation, when the data consists of a plurality of fields arranged in a predetermined order, the user party's generation of data information from the data and the verification request comprises:
the user party takes from the data, according to the content requested in the verification request, the plaintext of some fields and the field hash values of the remaining fields;
and the user party arranges the plaintext and the field hash values in the predetermined order to obtain the data information.
In a possible implementation, before the data party generates the trusted credential and the verification information from the data, the method further comprises:
the data party checks the source and the usage scope of the data;
after determining that the source and the usage scope are correct, the data party verifies the data according to preset verification logic;
and once that verification passes, the data party proceeds to generate the trusted credential and the verification information from the data.
In one aspect, a data management system based on distributed identity is provided. The system comprises a user party, a data party and a scenario party;
the user party is configured to send the data to be managed to the data party on the blockchain;
the data party is configured to generate a trusted credential and verification information from the data and to send both to the user party, where the trusted credential contains a user identifier and the verification information is used for online verification or offline verification;
the user party is further configured to receive the trusted credential and the verification information;
the scenario party is configured to send a verification request to the user party;
the user party is further configured to generate data information from the data and the verification request, and to send the data information, the trusted credential and the verification information to the scenario party;
and the scenario party is further configured to select a verification mode according to the content of the verification information and to verify the data information, the trusted credential and the verification information in that mode, the mode being online verification or offline verification.
The technical solution provided by the embodiments of this application has at least the following beneficial effects:
the verification information that the data party returns to the user party can be used for either online or offline verification. After the scenario party obtains the user party's verification information, it can select the online or offline verification mode according to that information and verify the data information, the trusted credential and the verification information in that mode. Offline verification can therefore be used when the scenario party's verification capability is sufficient and the business-compliance requirements are low, which simplifies the verification process; and online verification can be used when the scenario party's verification capability is insufficient or the business-compliance requirements are high, which improves verification accuracy.
Drawings
To illustrate the technical solutions in the embodiments of this application more clearly, the drawings needed in the description of the embodiments are briefly introduced below. The drawings described below show only some embodiments of this application; those skilled in the art can obtain other drawings from them without creative effort.
FIG. 1 is a flowchart of a method for distributed identity-based data management according to an embodiment of the present application;
FIG. 2 is a flowchart of a method for distributed identity-based data management according to an embodiment of the present application;
FIG. 3 is a schematic illustration of an application document provided by an embodiment of the present application;
FIG. 4 is a schematic diagram of data information provided by one embodiment of the present application;
FIG. 5 is a schematic diagram of a returned credential provided by one embodiment of the present application;
FIG. 6 is a schematic diagram of a secure store provided by one embodiment of the present application;
FIG. 7 is a diagrammatic illustration of request data provided in one embodiment of the present application;
FIG. 8 is a schematic illustration of return data provided by one embodiment of the present application;
FIG. 9 is a schematic illustration of online verification provided by one embodiment of the present application;
FIG. 10 is a schematic illustration of offline verification provided by one embodiment of the present application;
FIG. 11 is a schematic diagram of a data management process provided by one embodiment of the present application;
FIG. 12 is a block diagram of a distributed identity-based data management system according to an embodiment of the present application.
Detailed Description
To make the objects, technical solutions and advantages of the embodiments of the present application clearer, the embodiments of the present application will be described in further detail below with reference to the accompanying drawings.
Referring to FIG. 1, a flowchart of a data management method based on distributed identity according to an embodiment of this application is shown. The method may be applied to a terminal and can comprise the following steps:
Step 101: the user party sends the data to be managed to the data party on the blockchain.
The user party assembles the data to be managed. This data comprises the user's sensitive data and other data. The sensitive data may be the user's identity information, such as name, age, address, contact details and ID card number; the other data may be business data or extension data, which this embodiment does not limit.
Once the data is assembled, the user party can send a credential application request carrying the data to the data party over the trusted network channel. The trusted network channel is a channel that encrypts data in transit under an end-to-end key: the user party encrypts the credential application request with the end-to-end key and sends the resulting ciphertext to the data party over the channel.
The user party may send the credential application request to the data party directly, or may invoke the data party's security control to send it; this embodiment does not limit which.
It should be noted that this embodiment assumes that the business-related credential templates and definitions have been predefined according to the data credential service requirements, so that cooperation and interoperability across the trusted-data ecosystem can be achieved.
Step 102: the data party generates a trusted credential and verification information from the data and sends both to the user party, where the trusted credential contains a user identifier and the verification information is used for online or offline verification.
The data party can receive the ciphertext over the trusted network channel and decrypt it with the end-to-end key to obtain the credential application request; alternatively, the data party can invoke its security control to receive the ciphertext and decrypt it with the end-to-end key. The data party can then check and verify the data, as described in the following embodiments.
The data party generates a trusted credential and verification information from the data. The trusted credential may contain a user identifier and user data, and may also contain customized business data. The user identifier is a character string that uniquely identifies a user; the user data may contain data suited to display, such as the user's name and avatar, and may also contain sensitive data. The data party may extract the user data from the received data.
Since this embodiment provides two verification modes, online and offline, the data party generates different verification information for the two modes; the specific generation procedure is described in the following embodiments.
The data party can send the trusted credential and the verification information to the user party as response data; alternatively, the data party can also obtain personalized customization data required by the scenario and send the trusted credential, the verification information and the customization data to the user party together as the response data.
When sending the response data, the data party may send it to the user party directly over the trusted network channel, or may invoke the data party's security control to send it over the trusted network channel; this embodiment does not limit which.
The data party can also call the public information storage service to store some of its own public information, such as documents, credential template definition specification data, metadata and services.
Step 103: the user party receives the trusted credential and the verification information.
The user party may receive the response data sent by the data party over the trusted network channel directly, or may invoke the data party's security control to receive it; this embodiment does not limit which.
The user party extracts the trusted credential and the verification information from the received response data packet. When the trusted credential contains the user identifier, user data and customized business data, the user party can store the user identifier and the display-oriented data from the credential locally, process the sensitive data with desensitization logic before storing it locally or in the cloud, and store the customized business data locally or in the cloud as it chooses.
The user party can also call the public information storage service to store some of its own public information, such as documents, credential template definition specification data, metadata and services.
Step 104: the scenario party sends a verification request to the user party.
In a given application scenario, when the user's identity needs to be verified, the scenario party can construct a verification request from the content to be verified and a preset template, and send the request to the user party over the trusted network channel.
Step 105: the user party generates data information from the data and the verification request, and sends the data information, the trusted credential and the verification information to the scenario party.
The user party receives the verification request over the trusted network channel, calls the public information service to verify the scenario party's identity and validity, and, once that check passes, calls the public information service to obtain the stored trusted credential and verification information, generates data information according to the content requested in the verification request, builds return data with a preset template, and sends the return data containing the data information, the trusted credential and the verification information to the scenario party over the trusted network channel.
Step 106: the scenario party selects a verification mode according to the verification information and verifies the data information, the trusted credential and the verification information in that mode, the mode being online verification or offline verification.
The scenario party receives the data information, the trusted credential and the verification information over the trusted network channel, determines from the content of the verification information whether to perform online or offline verification, and verifies the data information, the trusted credential and the verification information with the corresponding method; the specific verification procedure is described in the following embodiments.
In summary, in the data management method based on distributed identity provided by this embodiment, the verification information the data party returns to the user party can be used for online or offline verification; after obtaining the user party's verification information, the scenario party can select the online or offline mode according to that information and verify the data information, the trusted credential and the verification information in that mode. Offline verification can therefore be used when the scenario party's verification capability is sufficient and the business-compliance requirements are low, which simplifies the verification process; and online verification can be used when the scenario party's verification capability is insufficient or the business-compliance requirements are high, which improves verification accuracy.
Referring to FIG. 2, a flowchart of a data management method based on distributed identity according to an embodiment of this application is shown. The method may be applied to a terminal and can comprise the following steps:
Step 201: the user party sends the data to be managed to the data party on the blockchain.
The user party assembles the data to be managed. This data comprises the user's sensitive data and other data. The sensitive data may be the user's identity information, such as name, age, address, contact details and ID card number; the other data may be business data or extension data, which this embodiment does not limit.
Once the data is assembled, the user party can send a credential application request carrying the data to the data party over the trusted network channel, as shown in FIG. 3. The trusted network channel is a channel that encrypts data in transit under an end-to-end key: the user party encrypts the credential application request with the end-to-end key and sends the resulting ciphertext to the data party over the channel.
The user party may send the credential application request to the data party directly, or may invoke the data party's security control to send it; this embodiment does not limit which.
Step 202: the data party checks the source and the usage scope of the data and, after determining that both are correct, verifies the data according to preset verification logic.
The data party can receive the ciphertext over the trusted network channel and decrypt it with the end-to-end key to obtain the credential application request; alternatively, the data party can invoke its security control to receive the ciphertext and decrypt it with the end-to-end key.
In this embodiment the data party also needs to check the source and the usage scope of the data. Checking the source means checking information such as the identity of the user; checking the usage scope may mean checking specific data, for example checking the authenticity of the data.
In implementation, check rules may be preset on the data party, which checks the data against them. After determining that the source and the usage scope are correct, the data party can also verify the data according to the verification logic. Specifically, the data party may verify the data itself according to the verification logic, or may invoke a third-party data verification service to do so.
Step 203: once the verification passes, the data party generates a trusted credential and verification information from the data and sends both to the user party, where the trusted credential contains a user identifier and the verification information is used for online or offline verification.
The data party generates a trusted credential and verification information from the data. The trusted credential may contain a user identifier, user data and customized business data. The user identifier is a character string that uniquely identifies a user; the user data may contain data suited to display, such as the user's name and avatar, and may also contain sensitive data. The data party may extract the user data from the received data.
Since this embodiment provides both the online and the offline verification mode, the data party generates different verification information for the two modes. Specifically, when the verification information is used for online verification it contains a verification identifier allocated by the data party, and the data party must then record a correspondence between the user identifier in the trusted credential and the verification identifier in the verification information; when the verification information is used for offline verification it contains a root hash value generated from the data. The data party's procedure for generating the root hash value is described next.
Specifically, after the data party obtains the data, it can replace the plaintext of each field in the data with the field hash value of that field; the data party then hashes the field hash values of all the fields together and stores the resulting root hash value on chain.
For example, referring to FIG. 4, the data consists of five fields: the user's name, gender, year and month of birth, hobbies and proof of adulthood. The data party computes the field hash value hash1 of the plaintext of the name, hash2 of the gender, hash3 of the year and month of birth, hash4 of the hobbies and hash5 of the proof of adulthood; arranges the five field hash values in a predetermined order, for instance hash1-hash2-hash3-hash4-hash5; and hashes the arranged content to obtain the root hash value RootHash.
The data party can add the root hash value to the verification information, encrypt the root hash value with its own private key (that is, sign it) and store the resulting ciphertext on chain.
The data party may send the trusted credential and the verification information to the user party as response data; alternatively, the data party may further obtain the personalized customization data required by the scene and send the trusted credential, the verification information, and the personalized customization data to the user party as response data, as shown in fig. 5.
When sending the response data, the data party may send it directly to the user party through the trusted network channel, or may invoke the data party security control and send it to the user party through the trusted network channel; this embodiment does not limit which is used.
In step 204, the user party receives the trusted credential and the verification information.
The user party may directly receive the response data sent by the data party through the trusted network channel, or may invoke the data party security control and receive the response data through the trusted network channel; this embodiment does not limit which is used.
The user party can extract the trusted credential and the verification information from the received response data packet. When the trusted credential includes the user identifier, the user data, and the customized service data, the user party may store the user identifier in the trusted credential and the data convenient for display locally, process the sensitive data using desensitization logic and store the processed sensitive data locally or in the cloud, and selectively store the customized service data locally or in the cloud, as shown in fig. 6.
In step 205, the scene party sends a verification request to the user party.
In a given application scenario, when the user identity needs to be verified, the scene party may construct a verification request from the content to be verified and a preset template, and send the verification request to the user party through the trusted network channel, as shown in fig. 7.
Step 206: when the data comprises a plurality of fields arranged in a predetermined order, the user party obtains from the data, according to the content requested by the verification request, the plaintext of part of the fields and the field hash values of the other fields; the user party then arranges the plaintext and the field hash values in the predetermined order to obtain the data information.
Under certain regulatory specifications, after receiving the verification request the user party must have its identity verified against a preset authoritative data source so that the scene party can confirm the user party's identity. In a first implementation, when the identity information to be verified is sensitive, the verification is carried out by the user party. Specifically, the user party sends a request carrying the sensitive identity information, such as an identification number and a name, to the authoritative data source; the authoritative data source verifies the sensitive identity information in the request, generates a verification result, and returns it to the user party, and the user party feeds the verification result back to the scene party. In a second implementation, when the identity information to be verified is not sensitive, the verification is carried out by the scene party. Specifically, the user party sends non-sensitive identity information, such as an academic degree certificate, to the scene party; the scene party sends a request carrying the non-sensitive identity information to the authoritative data source, and the authoritative data source verifies the non-sensitive identity information in the request, generates a verification result, and sends it to the scene party.
In this embodiment, the user party can selectively disclose part of the data, with the remaining part represented by the field hash values. Again taking the data of five fields (the user's name, gender, year and month of birth, hobbies, and proof of adulthood) as an example, if the user party decides to disclose the plaintext of the name and of the proof of adulthood, the user party generates data information consisting of the plaintext of the name, hash2, hash3, hash4, and the plaintext of the proof of adulthood.
In step 207, the user party sends the data information, the trusted credential, and the verification information to the scene party.
The user party may receive the verification request through the trusted network channel, invoke the public information service to verify the identity and validity of the scene party, and, once that verification passes, invoke the public information service to obtain the stored trusted credential and verification information, generate the data information according to the content requested by the verification request, construct return data using a preset template, and send the return data, including the data information, the trusted credential, and the verification information, to the scene party through the trusted network channel, as shown in fig. 8.
It should be noted that when information is transmitted between the user party and the scene party, if a system platform sits between them and is permitted to cache the information (non-sensitive information), the user party may first send the information to the system platform, which forwards it to the scene party; in this case no end-to-end data channel is needed. If a system platform sits between the user party and the scene party but is prohibited from caching the information (sensitive information), the connection details of the peer (such as its IP address) can be obtained from the platform public service, an end-to-end data channel is then established with the peer, and the information is transmitted over that channel.
In step 208, the scene party selects the corresponding verification mode according to the verification information and verifies the data information, the trusted credential, and the verification information using that mode, where the verification mode is online verification or offline verification.
The scene party can receive the data information, the trusted credential, and the verification information through the trusted network channel, determine from the content of the verification information whether to perform online or offline verification, and verify the data information, the trusted credential, and the verification information in the corresponding mode.
(1) When the verification information is used for online verification, the scene party sends a verification request to the data party, where the verification request includes the data information, the trusted credential, and the verification information; the data party verifies the verification identifier in the verification information, and after that verification passes, obtains the data stored on the chain according to the user identifier in the trusted credential, verifies the data information against that data, and returns a verification result to the scene party.
The scene party may send the verification request to the data party through the trusted network channel, as shown in fig. 9. After receiving the verification request, the data party can invoke the public information service to verify the identity and validity of the scene party. Once that passes, the data party verifies the verification identifier in the verification information: it reads the verification identifier in the verification information and the user identifier in the trusted credential, checks whether a recorded correspondence between the verification identifier and the user identifier exists, and determines that verification passes if the correspondence exists.
When the data information comprises the plaintext of part of the fields and the field hash values of the other fields, the data party replaces the plaintext of each disclosed field with its field hash value, performs a hash operation over the field hash values of all the fields to obtain a first hash value, obtains from the chain the root hash value generated from the data, and verifies whether the root hash value and the first hash value are the same, as shown in fig. 9.
Again taking data information consisting of the plaintext of the name, hash2, hash3, hash4, and the plaintext of the proof of adulthood as an example, the data party computes the field hash value hash1 of the plaintext of the name and the field hash value hash5 of the plaintext of the proof of adulthood; arranges the five field hash values in the predetermined order, such as hash1-hash2-hash3-hash4-hash5; performs a hash operation on the arranged content to obtain the first hash value; and compares the first hash value with the RootHash stored on the chain. If the first hash value is the same as the RootHash, a verification result of success is generated; if it differs from the RootHash, a verification result of failure is generated.
(2) When the verification information is used for offline verification and the data information contains the plaintext of part of the fields and the field hash values of the other fields, the scene party replaces the plaintext of each disclosed field with its field hash value, performs a hash operation over the field hash values of all the fields to obtain a second hash value, obtains a key according to the trusted credential, decrypts the root hash value in the verification information with that key, and verifies whether the root hash value is identical to the second hash value, as shown in fig. 10.
Again taking data information consisting of the plaintext of the name, hash2, hash3, hash4, and the plaintext of the proof of adulthood as an example, the scene party computes the field hash value hash1 of the plaintext of the name and the field hash value hash5 of the plaintext of the proof of adulthood; arranges the five field hash values in the predetermined order, such as hash1-hash2-hash3-hash4-hash5; performs a hash operation on the arranged content to obtain the second hash value; and compares the second hash value with the RootHash in the verification information. If the second hash value is the same as the RootHash, a verification result of success is generated; if it differs from the RootHash, a verification result of failure is generated.
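The root hash construction of fig. 4, the selective disclosure of step 206 and the offline check of fig. 10, as an added Go example that is not part of the patent or its applicant's code: the hash function (SHA-256), the "-" joining of the field hashes, the use of an Ed25519 signature to stand in for "encrypt the root hash with the data party's private key", and the field names and sample values are all assumptions.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"strings"
)

// Predetermined field order of fig. 4: name, gender, birth year/month, hobbies, proof of adulthood.
var fieldOrder = []string{"name", "gender", "birth", "hobbies", "adult_proof"}

// fieldHash is hash1..hash5 of one field's plaintext. SHA-256 is an assumption; the patent names no hash.
func fieldHash(plaintext string) string {
	sum := sha256.Sum256([]byte(plaintext))
	return hex.EncodeToString(sum[:])
}

// rootHash arranges the field hashes as "hash1-hash2-...-hash5" and hashes the arranged content.
func rootHash(fieldHashes []string) string {
	sum := sha256.Sum256([]byte(strings.Join(fieldHashes, "-")))
	return hex.EncodeToString(sum[:])
}

// Disclosed is one entry of the data information: a field's plaintext, or only its field hash if withheld.
type Disclosed struct {
	Plaintext, Hash string
	IsPlain         bool
}

// VerificationInfo for offline use: RootHash plus the data party's signature over it (stands in for "encrypt with private key").
type VerificationInfo struct {
	RootHash  string
	Signature []byte
}

// TrustedCredential: user identifier plus the data party's public key, the "key obtained according to the trusted credential".
type TrustedCredential struct {
	UserID      string
	DataPartyPK ed25519.PublicKey
}

// issue is the data party's step: hash every field in order, compute RootHash, sign it; the field hashes go to the user party.
func issue(priv ed25519.PrivateKey, userID string, data map[string]string) (TrustedCredential, VerificationInfo, []string) {
	hashes := make([]string, len(fieldOrder))
	for i, f := range fieldOrder {
		hashes[i] = fieldHash(data[f])
	}
	root := rootHash(hashes)
	cred := TrustedCredential{UserID: userID, DataPartyPK: priv.Public().(ed25519.PublicKey)}
	return cred, VerificationInfo{RootHash: root, Signature: ed25519.Sign(priv, []byte(root))}, hashes
}

// disclose is the user party's step 206: plaintext for requested fields, field hash for every other field, in order.
func disclose(data map[string]string, hashes []string, reveal map[string]bool) []Disclosed {
	info := make([]Disclosed, len(fieldOrder))
	for i, f := range fieldOrder {
		if reveal[f] {
			info[i] = Disclosed{Plaintext: data[f], IsPlain: true}
		} else {
			info[i] = Disclosed{Hash: hashes[i]}
		}
	}
	return info
}

// verifyOffline is the scene party's check of fig. 10: verify the signature on RootHash with the key from
// the credential, replace each disclosed plaintext by its field hash, recompute the second hash and compare.
// The data party's online check of fig. 9 computes the first hash the same way but compares it with the chain copy.
func verifyOffline(cred TrustedCredential, vi VerificationInfo, info []Disclosed) error {
	if !ed25519.Verify(cred.DataPartyPK, []byte(vi.RootHash), vi.Signature) {
		return errors.New("RootHash signature does not verify with the credential's key")
	}
	hashes := make([]string, len(info))
	for i, d := range info {
		hashes[i] = d.Hash
		if d.IsPlain {
			hashes[i] = fieldHash(d.Plaintext)
		}
	}
	if rootHash(hashes) != vi.RootHash {
		return errors.New("second hash differs from RootHash: data information was altered")
	}
	return nil
}

func main() {
	_, priv, _ := ed25519.GenerateKey(rand.Reader)
	data := map[string]string{"name": "Zhang San", "gender": "F", "birth": "1995-06", "hobbies": "chess", "adult_proof": "yes"} // constructed sample
	cred, vi, hashes := issue(priv, "user-0001", data)
	info := disclose(data, hashes, map[string]bool{"name": true, "adult_proof": true})
	fmt.Println("genuine:", verifyOffline(cred, vi, info))
	info[0].Plaintext = "Li Si" // the scene party receives an altered name
	fmt.Println("altered:", verifyOffline(cred, vi, info))
}
```

The field hashes are unsalted, as the text describes them, so a withheld field with few possible values (gender, for instance) can still be recovered by a verifier hashing each candidate; a random per-field salt carried in the credential would remove that leak.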
As shown in fig. 11, in summary the data management method may comprise the following simplified flow: (1) the user party applies to the data party for a credential; (2) the data party returns the credential to the user party; (3) the user party stores the data; (4) the scene party requests data from the user party; (5) the user party returns the data to the scene party; (6) the scene party performs offline verification; (7) the scene party requests verification from the data party; (8) the data party returns the verification result. Step (6) and steps (7)-(8) are alternatives: only one of them is executed.
It should be noted that under certain regulatory specifications, the data to be managed that the user party sends to the data party is stored only at the authoritative data party, that is, the data never leaves the data party. For example, when the user party applies to the data party for a credential, the trusted credential returned by the data party includes only result data or desensitized data such as a hash; and when the scene party applies to the data party for verification, the data party returns verification information rather than the original text of the data, which protects the data.
In summary, in the distributed identity-based data management method provided in the embodiment of the present application, the verification information that the data party returns to the user party may be used for online verification or offline verification, and after obtaining the user party's verification information, the scene party may select the corresponding online or offline verification mode according to the verification information and verify the data information, the trusted credential, and the verification information using that mode. Offline verification can therefore be performed when the scene party's verification capability is sufficient and the service compliance requirements are low, which simplifies the verification process; and online verification can be performed when the scene party's verification capability is insufficient or the service compliance requirements are higher, which improves verification accuracy.
Referring to fig. 12, a block diagram of a distributed identity-based data management system provided in an embodiment of the present application is shown; the system can be applied in a terminal. The distributed identity-based data management system may include a user party 1210, a data party 1220, and a scene party 1230:
the user party 1210 is configured to send data to be managed to the data party 1220 in the blockchain;
the data party 1220 is configured to generate a trusted credential and verification information from the data and to send the trusted credential and the verification information to the user party 1210, where the trusted credential includes a user identifier and the verification information is used for online verification or offline verification;
the user party 1210 is further configured to receive the trusted credential and the verification information;
the scene party 1230 is configured to send a verification request to the user party 1210;
the user party 1210 is further configured to generate data information from the data and the verification request, and to send the data information, the trusted credential, and the verification information to the scene party 1230;
the scene party 1230 is further configured to select the corresponding verification mode according to the verification information, and to verify the data information, the trusted credential, and the verification information using that mode, where the verification mode is online verification or offline verification.
In an alternative embodiment, when the verification information is used for online verification, the verification information includes a verification identifier allocated by the data party 1220;
when the verification information is used for offline verification, the verification information contains a root hash value generated from the data.
In an alternative embodiment, when the verification information is used for online verification, the scene party 1230 is further configured to send a verification request to the data party 1220, where the verification request includes the data information, the trusted credential, and the verification information;
the data party 1220 is further configured to verify the verification identifier in the verification information, obtain the data stored on the chain according to the user identifier in the trusted credential after that verification passes, verify the data information against that data, and return a verification result to the scene party 1230.
In an alternative embodiment, the data party 1220 is further configured to:
after generating the trusted credential and the verification information from the data, record a correspondence between the user identifier in the trusted credential and the verification identifier in the verification information;
and read the verification identifier in the verification information and the user identifier in the trusted credential, check whether the correspondence between the verification identifier and the user identifier exists, and if so, determine that the verification passes.
In an alternative embodiment, when the data includes a plurality of fields arranged in a predetermined order, the data party 1220 is further configured to:
when the data information comprises the plaintext of part of the fields and the field hash values of the other fields, replace the plaintext of each disclosed field with its field hash value;
perform a hash operation over the field hash values of all the fields to obtain a first hash value;
obtain from the chain the root hash value generated from the data;
and verify whether the root hash value and the first hash value are the same.
In an alternative embodiment, the data party 1220 is further configured to:
after the data is acquired, replace the plaintext of each field in the data with the field hash value of that field;
and perform a hash operation over the field hash values of all the fields and store the resulting root hash value on the chain.
In an alternative embodiment, when the verification information is used for offline verification, the scene party 1230 is further configured to:
when the data information contains the plaintext of part of the fields and the field hash values of the other fields, replace the plaintext of each disclosed field with its field hash value;
perform a hash operation over the field hash values of all the fields to obtain a second hash value;
obtain a key according to the trusted credential and decrypt the root hash value in the verification information with that key;
and verify whether the root hash value is the same as the second hash value.
In an alternative embodiment, when the data includes a plurality of fields arranged in a predetermined order, the user party 1210 is further configured to:
obtain from the data, according to the content requested by the verification request, the plaintext of part of the fields and the field hash values of the other fields;
and arrange the plaintext and the field hash values in the predetermined order to obtain the data information.
In an alternative embodiment, the data party 1220 is further configured to:
check the source and the scope of use of the data before generating the trusted credential and the verification information from the data;
after determining that the source and the scope of use are correct, verify the data according to preset verification logic;
and after that verification passes, trigger execution of the step of generating the trusted credential and the verification information from the data.
In summary, in the distributed identity-based data management system provided in the embodiment of the present application, the verification information that the data party returns to the user party may be used for online verification or offline verification, and after obtaining the user party's verification information, the scene party may select the corresponding online or offline verification mode according to the verification information and verify the data information, the trusted credential, and the verification information using that mode. Offline verification can therefore be performed when the scene party's verification capability is sufficient and the service compliance requirements are low, which simplifies the verification process; and online verification can be performed when the scene party's verification capability is insufficient or the service compliance requirements are higher, which improves verification accuracy.
One embodiment of the present application provides a computer-readable storage medium having at least one instruction stored therein, which is loaded and executed by a processor to implement the distributed identity-based data management method as described above.
One embodiment of the present application provides a terminal, which includes a processor and a memory, where the memory stores at least one instruction, and the instruction is loaded and executed by the processor to implement the distributed identity-based data management method as described above.
It should be noted that: in the data management system based on distributed identities provided in the foregoing embodiment, when performing data management based on distributed identities, only the division of the functional modules is illustrated, and in practical applications, the functions may be distributed by different functional modules as needed, that is, the internal structure of the data management system based on distributed identities is divided into different functional modules to complete all or part of the functions described above. In addition, the distributed identity-based data management system provided in the foregoing embodiment and the distributed identity-based data management method embodiment belong to the same concept, and specific implementation processes thereof are described in detail in the method embodiment, and are not described again here.
It will be understood by those skilled in the art that all or part of the steps for implementing the above embodiments may be implemented by hardware, or may be implemented by a program instructing relevant hardware, where the program may be stored in a computer-readable storage medium, and the storage medium may be a read-only memory, a magnetic disk or an optical disk.
The above description should not be taken as limiting the embodiments of the present application, and any modifications, equivalents, improvements, etc. made within the spirit and principle of the embodiments of the present application should be included in the scope of the embodiments of the present application.

Claims (10)

1. A method for distributed identity-based data management, the method comprising:
a user party sending data to be managed to a data party in a blockchain;
the data party generating a trusted credential and verification information from the data, and sending the trusted credential and the verification information to the user party, wherein the trusted credential comprises a user identifier, and the verification information is used for performing online verification or offline verification;
the user party receiving the trusted credential and the verification information;
a scene party sending a verification request to the user party;
the user party generating data information from the data and the verification request, and sending the data information, the trusted credential, and the verification information to the scene party;
and the scene party selecting a corresponding verification mode according to the verification information, and verifying the data information, the trusted credential, and the verification information using the verification mode, wherein the verification mode is online verification or offline verification.
2. The method of claim 1, wherein
when the verification information is used for online verification, the verification information comprises a verification identifier allocated by the data party;
and when the verification information is used for offline verification, the verification information comprises a root hash value generated from the data.
3. The method of claim 2, wherein when the verification information is used for online verification, verifying the data information, the trusted credential, and the verification information using the verification mode comprises:
the scene party sending a verification request to the data party, wherein the verification request comprises the data information, the trusted credential, and the verification information;
and the data party verifying the verification identifier in the verification information, obtaining the data stored on the chain according to the user identifier in the trusted credential after the verification passes, verifying the data information against the data, and returning a verification result to the scene party.
4. The method of claim 3, wherein
after the data party generates the trusted credential and the verification information from the data, the method further comprises: the data party recording a correspondence between the user identifier in the trusted credential and the verification identifier in the verification information;
and the data party verifying the verification identifier in the verification information comprises: the data party reading the verification identifier in the verification information and the user identifier in the trusted credential, checking whether the correspondence between the verification identifier and the user identifier exists, and, if the correspondence exists, determining that the verification passes.
5. The method of claim 3, wherein when the data comprises a plurality of fields arranged in a predetermined order, verifying the data information against the data comprises:
when the data information comprises the plaintext of part of the fields and the field hash values of the other fields, the data party replacing the plaintext of each disclosed field with its field hash value;
the data party performing a hash operation over the field hash values of all the fields to obtain a first hash value;
the data party obtaining from the chain the root hash value generated from the data;
and the data party verifying whether the root hash value and the first hash value are the same.
6. The method of claim 5, further comprising:
after the data party acquires the data, replacing the plaintext of each field in the data with the field hash value of the corresponding field;
and the data party performing a hash operation over the field hash values of all the fields and storing the resulting root hash value on the chain.
7. The method of claim 1, wherein when the verification information is used for offline verification, verifying the data information, the trusted credential, and the verification information using the verification mode comprises:
when the data information contains the plaintext of part of the fields and the field hash values of the other fields, the scene party replacing the plaintext of each disclosed field with its field hash value;
the scene party performing a hash operation over the field hash values of all the fields to obtain a second hash value;
the scene party obtaining a key according to the trusted credential and decrypting the root hash value in the verification information with the key;
and the scene party verifying whether the root hash value is the same as the second hash value.
8. The method of claim 1, wherein when the data comprises a plurality of fields arranged in a predetermined order, the user party generating data information from the data and the verification request comprises:
the user party obtaining from the data, according to the content requested by the verification request, the plaintext of part of the fields and the field hash values of the other fields;
and the user party arranging the plaintext and the field hash values in the predetermined order to obtain the data information.
9. The method of any of claims 1 to 8, wherein before the data party generates the trusted credential and the verification information from the data, the method further comprises:
the data party checking the source and the scope of use of the data;
after determining that the source and the scope of use are correct, the data party verifying the data according to preset verification logic;
and after the verification passes, the data party triggering execution of the step of generating the trusted credential and the verification information from the data.
10. A distributed identity-based data management system, characterized in that the data management system comprises a user party, a data party, and a scene party;
the user party is configured to send data to be managed to the data party in a blockchain;
the data party is configured to generate a trusted credential and verification information from the data and to send the trusted credential and the verification information to the user party, wherein the trusted credential comprises a user identifier, and the verification information is used for performing online verification or offline verification;
the user party is further configured to receive the trusted credential and the verification information;
the scene party is configured to send a verification request to the user party;
the user party is further configured to generate data information from the data and the verification request, and to send the data information, the trusted credential, and the verification information to the scene party;
and the scene party is further configured to select a corresponding verification mode according to the verification information, and to verify the data information, the trusted credential, and the verification information using the verification mode, wherein the verification mode is online verification or offline verification.
CN202210125719.2A 2022-02-10 2022-02-10 Data management method and system based on distributed identity Active CN114928447B (en)

Publications (2)

Publication Number Publication Date
CN114928447A true CN114928447A (en) 2022-08-19
CN114928447B CN114928447B (en) 2024-04-30
WO2021120253A1 (en) * 2019-12-16 2021-06-24 郑杰骞 Data storage method and verification method for blockchain structure, blockchain structure implementation method, blockchain-structured system, device, and medium
KR20210090563A (en) * 2020-01-10 2021-07-20 베이징 바이두 넷컴 사이언스 앤 테크놀로지 코., 엘티디. Method, apparatus, device and medium for blockchain-based muti-party computation
CN111680324A (en) * 2020-05-28 2020-09-18 中国工商银行股份有限公司 Certificate verification method, management method and issuing method for block chain
CN112073479A (en) * 2020-08-26 2020-12-11 重庆邮电大学 Method and system for controlling de-centering data access based on block chain
CN113098838A (en) * 2021-02-21 2021-07-09 西安电子科技大学 Trusted distributed identity authentication method, system, storage medium and application
CN113836554A (en) * 2021-09-26 2021-12-24 网易(杭州)网络有限公司 Method for managing certificate information based on block chain, electronic equipment and storage medium

Also Published As

Publication number Publication date
CN114928447B (en) 2024-04-30

Similar Documents

Publication Publication Date Title
US10516538B2 (en) System and method for digitally signing documents using biometric data in a blockchain or PKI
EP1698993B1 (en) Method and system for integrating multiple identities, identity mechanisms and identity providers in a single user paradigm
CN109756343A (en) Authentication method, device, computer equipment and the storage medium of digital signature
US6895501B1 (en) Method and apparatus for distributing, interpreting, and storing heterogeneous certificates in a homogenous public key infrastructure
KR101130405B1 (en) Method and system for identity recognition
JP7083892B2 (en) Mobile authentication interoperability of digital certificates
US20090106550A1 (en) Extending encrypting web service
US20070136599A1 (en) Information processing apparatus and control method thereof
CN110264354B (en) Method and device for creating block chain account and verifying block chain transaction
KR102460299B1 (en) Anonymous credential authentication system and method thereof
CN106464496A (en) Method and system for creating a certificate to authenticate a user identity
CN112632581A (en) User data processing method and device, computer equipment and storage medium
CN104683107B (en) Digital certificate keeping method and device, digital signature method and device
CN111880919B (en) Data scheduling method, system and computer equipment
US7958548B2 (en) Method for provision of access
US20140289531A1 (en) Communication system, relay device, and non-transitory computer readable medium
CN114338242B (en) Cross-domain single sign-on access method and system based on block chain technology
CN115460019B (en) Method, apparatus, device and medium for providing digital identity-based target application
US8613057B2 (en) Identity management facilitating minimum disclosure of user data
CN113312664A (en) User data authorization method and user data authorization system
CN110798322B (en) Operation request method, device, storage medium and processor
CN111062059B (en) Method and device for service processing
CN114079645B (en) Method and device for registering service
CN114428661A (en) Mirror image management method and device
CN114928447B (en) Data management method and system based on distributed identity

Legal Events

Date Code Title Description
PB01 Publication
PB01 Publication
SE01 Entry into force of request for substantive examination
SE01 Entry into force of request for substantive examination
GR01 Patent grant