TW202007115A - Identity management system based on cross-chain and method thereof - Google Patents


Info

Publication number
TW202007115A
Authority
TW
Taiwan
Prior art keywords
request
access
contract
blockchain network
client
Prior art date
Application number
TW107123646A
Other languages
Chinese (zh)
Other versions
TWI663865B (en)
Inventor
林祐德
林香伶
Original Assignee
現代財富控股有限公司
Priority date
Filing date
Publication date
Application filed by 現代財富控股有限公司
Priority to TW107123646A
Application granted
Publication of TWI663865B
Publication of TW202007115A

Abstract

An identity management system based on a cross-chain architecture, and a method thereof, are disclosed. A first blockchain network and a second blockchain network form a cross-chain architecture; two smart contracts are deployed on the second blockchain network, and personal data is stored there. When a requester transmits an identity access request to a client, the client displays the content of the access request and allows an access permission to be set, so that the requester obtains the corresponding personal data from the second blockchain network through an application programming interface (API) for identification. This mechanism helps improve the processing efficiency and data confidentiality of identity recognition.

Description

Identity management system based on a cross-chain architecture and method thereof

The present invention relates to an identity management system and method, and in particular to an identity management system and method based on a cross-chain architecture.

In recent years, with the spread and rapid growth of blockchain technology, blockchain applications of all kinds have sprung up. Among them, financial technology (Fintech) applications that integrate with the financial industry have drawn the most attention.

In general, common blockchain applications run peer-to-peer (P2P) on a decentralized blockchain network. However, regulations require accounts to be tied to real names, so identity management is additionally built on top of the public chain (also called the main chain), as in uPort. With this approach the processing efficiency depends on the whole main-chain network, and the transaction fees are high. Moreover, every record of interaction with a smart contract remains on the public chain, so once the link to a real identity is resolved, or is handed to some third party after authentication, the entire past history becomes fully public. Identity management therefore suffers from poor processing efficiency and poor data confidentiality.

In view of this, some vendors have proposed techniques that improve the blockchain algorithm so that its processing efficiency rises effectively. However, such techniques improve the processing efficiency of the blockchain as a whole rather than the identity-management part specifically, so as transaction volume grows, the processing efficiency of identity management is still affected. In addition, these techniques still record all data on the main chain, so once the link to a real identity is resolved, the entire past history is likewise fully exposed. They therefore still fail to solve the problems of poor processing efficiency and poor data confidentiality in identity management.

In summary, the prior art has long suffered from poor processing efficiency and poor data confidentiality in identity management, so improved technical means are needed to solve this problem.

The present invention discloses an identity management system based on a cross-chain architecture and a method thereof.

First, the present invention discloses an identity management system based on a cross-chain architecture. The system comprises a first blockchain network, a second blockchain network, a supervisor, clients and requesters. The first blockchain network consists of a plurality of nodes, each holding a first blockchain. The second blockchain network is a private chain consisting of a plurality of consensus nodes; each consensus node runs a consensus algorithm, holds a second blockchain, and periodically records the data of this second blockchain on the first blockchain. The supervisor is one of the consensus nodes; it provides an application programming interface in advance that allows the data of the second blockchain network to be accessed cross-chain, and it publishes a request encryption contract and a request identification access contract on the second blockchain network in advance.

As for the clients, each client connects to the second blockchain network cross-chain through the application programming interface and comprises a display module and a consent module. Upon detecting an identity access request, the display module calls the get-request function of the request identification access contract through the application programming interface; that function calls the get-private-key function of the request encryption contract to obtain the corresponding private key, with which the identity access request is decrypted so that the request content can be displayed. When the request content is approved, the consent module calls the consent function of the request identification access contract through the application programming interface to authorize the access token, granting it access permission, and calls the get-public-key function to obtain the requester public key, with which it encrypts the client's personal data and uploads it to the second blockchain network.

As for the requesters, each requester connects to the second blockchain network cross-chain through the application programming interface and comprises a request module and an access module. Before each transmission of an identity access request, the request module calls the request-key function of the request encryption contract through the application programming interface to generate an encryption public key, first encrypts the identity access request with this encryption public key, and then sends the encrypted identity access request together with the requester's own requester public key through the application programming interface to the request function of the request identification access contract, so as to obtain a corresponding access token that has not yet been authorized. After the client has approved the request content, the access module calls the get-identification-data function through the application programming interface, passing in the access token that now carries access permission, to obtain the encrypted personal data and decrypt it.

In addition, the present invention discloses an identity management method based on a cross-chain architecture, applied in a network environment having a first blockchain network, a second blockchain network, a supervisor, a client and a requester, where the second blockchain network consists of a plurality of consensus nodes and one of the consensus nodes is the supervisor. The steps of the method are: the supervisor provides in advance an application programming interface that allows the client and the requester to access the data of the second blockchain network cross-chain; the supervisor publishes a request encryption contract and a request identification access contract on the second blockchain network in advance; before each transmission of an identity access request, the requester calls the request-key function of the request encryption contract through the application programming interface to generate an encryption public key, first encrypts the identity access request with the encryption public key, and then sends the encrypted identity access request together with the requester's own requester public key through the application programming interface to the request function of the request identification access contract, so as to obtain the corresponding access token; after detecting the identity access request through the application programming interface, the client calls the get-request function of the request identification access contract through the application programming interface, which in turn calls the get-private-key function of the request encryption contract, so as to obtain the corresponding private key, decrypt the identity access request and display the request content; when the client approves the request content, it calls the consent function of the request identification access contract through the application programming interface to authorize the access token, granting it access permission, and calls the get-public-key function to obtain the requester public key, with which the personal data is encrypted and uploaded to the second blockchain network; each consensus node runs a consensus algorithm, holds a second blockchain, and periodically records the data of the second blockchain on the first blockchain of the first blockchain network; and after the client has approved the request content, the requester calls the get-identification-data function through the application programming interface, passing in the access token, to obtain the encrypted personal data and decrypt it.

The system and method disclosed by the present invention are as described above. They differ from the prior art in that the present invention forms a cross-chain architecture from a first blockchain network and a second blockchain network, publishes the smart contracts and stores the personal data on the second blockchain network, and, when a requester transmits an identity access request to a client, has the client display the request content and allow access permission to be set, so that the requester obtains the corresponding personal data cross-chain from the second blockchain network through the application programming interface for identification.

Through the above technical means, the present invention achieves the technical effect of improving the processing efficiency and data confidentiality of identity management.

Embodiments of the present invention are described in detail below with reference to the drawings, so that the way the present invention applies technical means to solve the technical problem and achieve the technical effect can be fully understood and implemented.

Before describing the identity management system and method based on a cross-chain architecture disclosed by the present invention, the environment in which the invention is applied is explained. The present invention is applied in a cross-chain architecture composed of multiple blockchain networks that execute smart contracts. Every computing device in each blockchain network can be regarded as a blockchain node (or simply a node); the blockchain nodes are connected in a P2P manner and process blockchain transactions. The cross-chain architecture uses the Merkle root (block root) and the Merkle proof mechanism, which can verify the properties of any single transaction, so that one blockchain can be used to verify a transaction on another blockchain. Thus, to verify on the blockchain of the first blockchain network whether a given transaction exists on the blockchain of the second blockchain network, it suffices to supply that transaction and the hashes of its parent nodes. In practice, the first blockchain network can be regarded as the parent chain or main chain, and the second blockchain network as a child chain, such as a "Plasma Chain" or a "side chain". In practice, the consensus nodes, supervisor, clients and requesters described in the present invention are all computing devices, which may be servers, desktop computers, notebook computers, tablet computers, smartphones and the like, used to execute computer program instructions, for example the blockchain program "Ethereum". The "request encryption contract" and "request identification access contract" mentioned herein both refer to smart contracts, that is, computer programs that drive the execution of instructions according to predetermined conditions and transmitted information. In practice, a smart contract is written in a programming language such as Solidity, Serpent, LLL, EtherScript or Sidechain, and may contain various functions, events, parameter states and so on. Taking the blockchain program "Ethereum" as an example, the smart contract is compiled into bytecode and an application binary interface (ABI), broadcast to the blockchain network, and a miner places the smart contract on the blockchain and assigns it an address; at that point the publication of the smart contract through a blockchain transaction is complete. Thereafter each node can execute the corresponding smart contract by its address, change the state of the smart contract on the blockchain through different instructions, and detect whether its events have been triggered.
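The cross-chain check described above (a second-chain transaction verified against the root hash anchored on the first chain by supplying the transaction and its sibling hashes) as an added example; this is illustrative code, not the patent's implementation, and the hash function, leaf encoding, duplicate-last-node padding and the period-indexed anchoring map are assumptions.

```python
import hashlib
from typing import Dict, List, Tuple

# A proof step is (sibling_hash, sibling_is_on_the_left).
ProofStep = Tuple[bytes, bool]


def sha256(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


def _next_level(level: List[bytes]) -> List[bytes]:
    """Pair up nodes; an odd last node is paired with a copy of itself (assumed convention)."""
    if len(level) % 2 == 1:
        level = level + [level[-1]]
    return [sha256(level[i] + level[i + 1]) for i in range(0, len(level), 2)]


def merkle_root(transactions: List[bytes]) -> bytes:
    """Root hash of the second chain's transactions, as recorded on the first chain."""
    level = [sha256(tx) for tx in transactions]
    if not level:
        return sha256(b"")
    while len(level) > 1:
        level = _next_level(level)
    return level[0]


def merkle_proof(transactions: List[bytes], index: int) -> List[ProofStep]:
    """Sibling hashes from the leaf at `index` up to the root (the 'parent node hashes')."""
    if not 0 <= index < len(transactions):
        raise IndexError("transaction index out of range")
    level = [sha256(tx) for tx in transactions]
    proof: List[ProofStep] = []
    while len(level) > 1:
        if len(level) % 2 == 1:
            level = level + [level[-1]]
        sibling = index ^ 1  # neighbour in the same pair
        proof.append((level[sibling], sibling < index))
        level = _next_level(level)
        index //= 2
    return proof


def verify_proof(transaction: bytes, proof: List[ProofStep], root: bytes) -> bool:
    """Recompute the path from the leaf to the root and compare with the anchored root."""
    node = sha256(transaction)
    for sibling, sibling_is_left in proof:
        node = sha256(sibling + node) if sibling_is_left else sha256(node + sibling)
    return node == root


# The first chain only stores the root hash that each consensus node records periodically;
# here the "first chain" is modelled as a map from anchoring period to root (assumption).
def anchor_root(first_chain: Dict[int, bytes], period: int, root: bytes) -> None:
    if period in first_chain:
        raise ValueError("root for this period is already anchored")
    first_chain[period] = root


def verify_on_first_chain(first_chain: Dict[int, bytes], period: int,
                          transaction: bytes, proof: List[ProofStep]) -> bool:
    """Verify a second-chain transaction using only what the first chain holds."""
    root = first_chain.get(period)
    if root is None:
        return False  # no anchor for that period: nothing to check against
    return verify_proof(transaction, proof, root)


if __name__ == "__main__":
    # Constructed sample: five second-chain transactions anchored as period 7.
    txs = [b"tx0", b"tx1", b"tx2", b"tx3", b"tx4"]
    chain: Dict[int, bytes] = {}
    anchor_root(chain, 7, merkle_root(txs))
    print(verify_on_first_chain(chain, 7, b"tx2", merkle_proof(txs, 2)))   # True
    print(verify_on_first_chain(chain, 7, b"tx9", merkle_proof(txs, 2)))   # False
```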

The identity management system and method based on a cross-chain architecture of the present invention are further described below with reference to the drawings. Please refer first to "Figure 1", a block diagram of the identity management system based on a cross-chain architecture of the present invention. The system comprises a first blockchain network 110, a second blockchain network 120, a supervisor 130, a client 140 and a requester 150. The first blockchain network 110 consists of a plurality of nodes (not shown), each holding a first blockchain. The second blockchain network 120 is a private chain consisting of a plurality of consensus nodes 121 (the supervisor 130 is also a consensus node 121); each consensus node 121 runs a consensus algorithm, such as proof of stake (PoS), holds a second blockchain (specifically, the blockchain of the first blockchain network 110 is called the first blockchain, and the blockchain of the second blockchain network 120 is called the second blockchain), and periodically records data of the second blockchain, such as its root hash, on the first blockchain, so that the first blockchain gains an identity-management function. In practice, the private chain may also be a consortium chain; the only difference lies in who may participate (for example, a private chain is limited to members of one organization, whereas a consortium chain allows members of several organizations to participate). In particular, if the second blockchain is dedicated to identity management, then because its hash data is periodically recorded on the first blockchain, identity management can be offered to the first blockchain cross-chain. As a result, the complete data exists only on the second blockchain and can be obtained only by the supervisor 130 or an authorized consensus node 121, which secures the data; furthermore, because all computation takes place on the second blockchain network 120, the low efficiency and high transaction fees of a public chain are avoided, improving efficiency and reducing cost.

The supervisor 130 is one of the consensus nodes 121. It provides in advance an application programming interface that allows the data of the second blockchain network 120 to be accessed cross-chain, and publishes a request encryption contract and a request identification access contract on the second blockchain network 120 in advance. Since both contracts are smart contracts, once they have been published the blockchain (the second blockchain) of every node in the second blockchain network 120 (every consensus node 121, including the supervisor 130) holds these two smart contracts, so any node can execute the corresponding smart contract as long as it knows the contract address. To let the other nodes in the second blockchain network 120 learn the contract addresses, each of the request encryption contract and the request identification access contract may trigger an event carrying its own contract address when its publication completes, so that when a node detects the event it obtains the carried contract address and can then execute the corresponding smart contract by that address. In practice, the application programming interface may be a web-based API following the Representational State Transfer (REST) design style (a RESTful API); besides being provided at the supervisor 130, it may also be provided at an authorized consensus node 121, so that the requester 150 and/or the client 140 can call the functions of the request encryption contract and the request identification access contract through this interface via the authorized consensus node 121.

Next, the client 140 comprises a display module 141 and a consent module 142. Upon detecting an identity access request, the display module 141 calls the get-request function of the request identification access contract through the application programming interface; that function calls the get-private-key function of the request encryption contract to obtain the corresponding private key, with which the identity access request is decrypted so that the request content can be displayed. In other words, the display module 141 shows the request content from the requester 150 to the user at the client 140, who decides whether to grant the requester 150 access. In practice, the client 140 uses the application programming interface provided by a consensus node 121 or the supervisor 130 over a network running the TCP/IP protocol suite.

When the request content is approved, the consent module 142 calls the consent function of the request identification access contract through the application programming interface to authorize the access token, granting it access permission, and calls the get-public-key function to obtain the requester public key, with which it encrypts the personal data of the client 140 and uploads it to the second blockchain network 120. In practice, the request content may include an access permission scope, an access period, whether multiple accesses are allowed and whether the access token may be refreshed, or at least one of these. For example, the access permission scope may cover items of personal data such as read name, read birthday, read education, write name, write birthday and write education, and so on; the access period is a time range within which access is allowed and outside of which it is denied; and if multiple accesses is set to "yes", repeated access is allowed, whereas "no" means the data may be accessed only once.

The requester 150 comprises a request module 151 and an access module 152. Before each transmission of an identity access request, the request module 151 calls the request-key function of the request encryption contract through the application programming interface to generate an encryption public key, first encrypts the identity access request with this encryption public key, and then sends the encrypted identity access request together with the requester public key of the requester 150 itself through the application programming interface to the request function of the request identification access contract, so as to obtain a corresponding access token that has not yet been authorized. In practice, the requester 150 likewise uses the application programming interface provided by a consensus node 121 or the supervisor 130 over a network running the TCP/IP protocol suite. The requester public key and the encryption public key serve the same purpose as the public-key exchange in SSL: to encrypt the data transmitted between the two ends. A request from the requester 150 may, for instance, use a national ID number to ask for someone's birthday and name, and to prevent such information from being obtained by an unauthorized party, each side encrypts the data it is about to send with the other side's public key before sending it. In particular, the requester 150 may encrypt all data sent to the second blockchain network 120 with the encryption public key and send that encryption public key along with the data, so that the consensus node 121 can look up the private key corresponding to this encryption public key in the request encryption contract and decrypt the data.

After the client 140 has approved the request content, the access module 152 calls the get-identification-data function through the application programming interface, passing in the access token that now carries access permission, to obtain the encrypted personal data and decrypt it. In practice, the request identification access contract may include a reply period and a default access permission: when the client 140 does not respond to the identity access request within the reply period, the access token may be authorized directly according to the default access permission. In other words, if after the request module 151 has issued an identity access request the access module 152 fails to obtain the consent of the client 140 within the reply period, the request may be deemed to have lapsed, or, in a manner similar to open authorization (OAuth), the encrypted personal data may be obtained under the default access permission defined in the request identification access contract.
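The token lifecycle that the request identification access contract enforces across the request, consent and access steps above, as an added example; this is illustrative code, not the patent's contract, and the token identifiers, scope strings, the seconds-based times and the treatment of the reply-period fallback (the token is marked authorized with the default scope; the page does not say who supplies the ciphertext in that branch) are assumptions. Encryption of the request and of the personal data happens off-contract and is represented here by opaque byte strings.

```python
import secrets
from dataclasses import dataclass
from typing import Dict, FrozenSet, Optional, Tuple


@dataclass
class AccessToken:
    """Per-request state kept by the contract (assumed layout)."""
    requester_pubkey: bytes            # requester's own public key, returned by get_public_key
    encrypted_request: bytes           # request encrypted with the contract-issued encryption key
    created_at: int                    # time the request was filed (seconds, assumed)
    authorized: bool = False
    scope: FrozenSet[str] = frozenset()   # e.g. {"read:name", "read:birthday"}
    expires_at: Optional[int] = None   # end of the access period
    multi_use: bool = False            # whether repeated access is allowed
    uses: int = 0
    encrypted_data: Optional[bytes] = None   # personal data encrypted to requester_pubkey


class RequestIdentificationAccessContract:
    def __init__(self, reply_period: int, default_scope: Optional[FrozenSet[str]] = None):
        self.reply_period = reply_period    # how long the client has to answer
        self.default_scope = default_scope  # None: an unanswered request simply lapses
        self.tokens: Dict[str, AccessToken] = {}

    # --- requester side ---
    def request(self, encrypted_request: bytes, requester_pubkey: bytes, now: int) -> str:
        """Request function: files the encrypted request and issues an unauthorized token."""
        token_id = secrets.token_hex(16)
        self.tokens[token_id] = AccessToken(requester_pubkey, encrypted_request, now)
        return token_id

    def get_identification_data(self, token_id: str, now: int) -> bytes:
        """Get-identification-data function: every check the contract makes before release."""
        t = self._lookup(token_id)
        if not t.authorized:
            self._apply_reply_deadline(t, now)
        if t.expires_at is not None and now > t.expires_at:
            raise PermissionError("access period has ended")
        if not t.multi_use and t.uses >= 1:
            raise PermissionError("single-use token already spent")
        if t.encrypted_data is None:
            raise PermissionError("no personal data uploaded for this token")
        t.uses += 1
        return t.encrypted_data

    # --- client side ---
    def get_request(self, token_id: str) -> bytes:
        return self._lookup(token_id).encrypted_request

    def get_public_key(self, token_id: str) -> bytes:
        return self._lookup(token_id).requester_pubkey

    def consent(self, token_id: str, scope: FrozenSet[str], valid_for: int,
                multi_use: bool, encrypted_data: bytes, now: int) -> None:
        """Consent function: authorizes the token and stores the data encrypted to the requester."""
        t = self._lookup(token_id)
        if t.authorized:
            raise PermissionError("token already authorized")
        if not scope:
            raise ValueError("consent must grant a non-empty scope")
        t.authorized, t.scope = True, frozenset(scope)
        t.expires_at, t.multi_use, t.encrypted_data = now + valid_for, multi_use, encrypted_data

    def permits(self, token_id: str, permission: str) -> bool:
        """Whether an authorized token's scope covers e.g. 'read:birthday'."""
        t = self._lookup(token_id)
        return t.authorized and permission in t.scope

    # --- internals ---
    def _lookup(self, token_id: str) -> AccessToken:
        t = self.tokens.get(token_id)
        if t is None:
            raise PermissionError("unknown token")
        return t

    def _apply_reply_deadline(self, t: AccessToken, now: int) -> None:
        if now - t.created_at <= self.reply_period:
            raise PermissionError("client has not answered yet")
        if self.default_scope is None:
            raise PermissionError("request lapsed: no reply within the reply period")
        # OAuth-like fallback: the token is authorized with the contract's default scope.
        t.authorized, t.scope = True, self.default_scope


def try_fetch(contract: RequestIdentificationAccessContract, token_id: str,
              now: int) -> Tuple[str, str]:
    """Wrap get_identification_data so callers see ('ok', data) or ('denied', reason)."""
    try:
        return "ok", contract.get_identification_data(token_id, now).decode()
    except PermissionError as exc:
        return "denied", str(exc)
```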

In particular, in practice each module described in the present invention may be implemented in various ways, including software, hardware or any combination thereof; for example, in some embodiments each module may be implemented in software, in hardware or in both. The present invention may also be implemented partially or entirely in hardware; for example, one or more modules of the system may be realized with an integrated circuit chip, a system on chip (SoC), a complex programmable logic device (CPLD), a field programmable gate array (FPGA) and the like. The present invention may be a system, a method and/or a computer program. The computer program may include a computer-readable storage medium carrying computer-readable program instructions for causing a processor to implement the various aspects of the present invention; the computer-readable storage medium may be a tangible device that can hold and store instructions for use by an instruction execution device. The computer-readable storage medium may be, but is not limited to, an electrical storage device, a magnetic storage device, an optical storage device, an electromagnetic storage device, a semiconductor storage device or any suitable combination of the foregoing. More specific examples (a non-exhaustive list) of the computer-readable storage medium include a hard disk, random access memory, read-only memory, flash memory, an optical disc, a floppy disk and any suitable combination of the foregoing. A computer-readable storage medium as used herein is not to be construed as a transitory signal per se, such as radio waves or other freely propagating electromagnetic waves, electromagnetic waves propagating through a waveguide or other transmission medium (for example, light pulses through a fiber-optic cable), or electrical signals transmitted through a wire. In addition, the computer-readable program instructions described herein may be downloaded from a computer-readable storage medium to the respective computing/processing devices, or to an external computer or external storage device via a network, for example the Internet, a local area network, a wide area network and/or a wireless network. The network may comprise copper transmission cables, optical fiber transmission, wireless transmission, routers, firewalls, switches, hubs and/or gateways. A network card or network interface in each computing/processing device receives the computer-readable program instructions from the network and forwards them for storage in a computer-readable storage medium within the respective computing/processing device. The computer program instructions for carrying out the operations of the present invention may be assembler instructions, instruction-set-architecture instructions, machine instructions, machine-dependent instructions, microcode, firmware instructions, or source code or object code written in any combination of one or more programming languages, including object-oriented programming languages such as Common Lisp, Python, C++, Objective-C, Smalltalk, Delphi, Java, Swift, C#, Perl, Ruby and PHP, and conventional procedural programming languages such as C or similar languages. The computer-readable program instructions may execute entirely on the computer, partly on the computer, as a stand-alone software package, partly on a client computer and partly on a remote computer, or entirely on a remote computer or server.

Please refer to Figures 2A and 2B, which are flowcharts of the identity management method based on a cross-chain architecture according to the present invention. The method is applied in a network environment having a first blockchain network 110, a second blockchain network 120, a supervisor 130, a client 140 and a requester 150, where the second blockchain network 120 is composed of multiple consensus nodes 121, one of which is the supervisor 130. The steps include: the supervisor 130 provides in advance an application programming interface (API) allowing the client 140 and the requester 150 to access data on the second blockchain network 120 in a cross-chain manner (step 210); the supervisor 130 deploys in advance a request encryption contract and a request identification access contract on the second blockchain network 120 (step 220); before each transmission of an identity access request, the requester 150 calls, through the API, a request key function of the request encryption contract to generate an encryption public key, encrypts the identity access request with that encryption public key, and then sends the encrypted identity access request together with the requester's own requester public key, through the API, to a request function of the request identification access contract in order to obtain a corresponding access token (step 230); after the client 140 detects the identity access request through the API, it calls, through the API, a get-request function of the request identification access contract, which in turn calls a get-private-key function of the request encryption contract to obtain the corresponding private key and decrypt the identity access request so that the request content is displayed (step 240); when the client 140 agrees to the request content, it calls, through the API, an approve function of the request identification access contract to authorize the access token with access permissions, and calls a get-public-key function to obtain the requester public key so that the personal data can be encrypted and uploaded to the second blockchain network 120 (step 250); each consensus node 121 executes a consensus algorithm and holds a second blockchain, and periodically records the data of the second blockchain on the first blockchain of the first blockchain network 110 (step 260); and after the client 140 has agreed to the request content, the requester 150 calls, through the API, a get-identity-data function, passing in the access token, to obtain the encrypted personal data and decrypt it (step 270). Through the above steps, the first blockchain network 110 and the second blockchain network 120 form a cross-chain architecture, smart contracts are deployed and personal data is stored on the second blockchain network 120, and when the requester 150 sends an identity access request to the client 140, the client 140 displays the request content and allows access permissions to be set, so that the requester 150 obtains the corresponding personal data from the second blockchain network 120 in a cross-chain manner through the API and performs identification.

The following description is given by way of embodiment with reference to Figures 3 to 5. Please refer first to Figure 3, which is a schematic diagram of the requester requesting access to personal data for identification according to the present invention. When the requester 150 wishes to verify the identity of a person to be verified, the ID card number of that person, for example A123456789, may be entered in the input block 310 of the verification window 300 in order to request the corresponding personal data for identification processing. After the verification element 320 is clicked with the cursor, the request module 151 first calls, through the API, the request key function of the request encryption contract, for example "requestNewKey()", to generate the corresponding encryption public key, encrypts the identity access request with this encryption public key, and then sends the encrypted identity access request together with the requester's own requester public key, through the API, to the request function of the request identification access contract in order to obtain a corresponding, not yet authorized, access token. It should be noted in particular that when the encrypted identity access request is sent, the encryption public key is sent along with it, so that the client 140 can look up the corresponding private key on the second blockchain network 120 according to this encryption public key, decrypt the encrypted identity access request, and thereby obtain the request content.

Figure 4 is a schematic diagram of the client agreeing to authorization according to the present invention. As mentioned above, the client 140 can look up the corresponding private key on the second blockchain network 120 according to the encryption public key, decrypt the encrypted identity access request, and obtain the request content. This works as follows: after detecting the identity access request, the display module 141 calls, through the API, the get-request function of the request identification access contract, for example "getRequest()"; this get-request function calls the get-private-key function of the request encryption contract, for example "getPrivateKey()", obtains the corresponding private key and decrypts the encrypted identity access request, so that the request content is displayed in the permission setting window 400 shown in Figure 4, for example: read name, read birthday, read education, write name, write birthday, write education, and so on, and a permission such as allow or deny can be set in the corresponding setting element 410. When all access permissions have been set, the confirm element 420 is clicked with the cursor. At this time, the consent module 142 calls, through the API, the approve function of the request identification access contract, for example "approve()", to authorize the access token with the corresponding access permissions according to the settings of the setting elements 410. At this point the setting of the access token's permissions is complete. It should be added that the request content may further include an access period and an update policy for the access token, such as whether it may be renewed and how many times. Next, the consent module 142 also calls the get-public-key function, for example "getPublicKey()", to obtain the requester's public key (that is, the requester public key), encrypts the personal data with this requester public key, and uploads it to the second blockchain network 120, for example by calling the upload identity data function "uploadIdentityData()" of the request identification access contract to upload the encrypted personal data.

Figure 5 is a schematic diagram of the requester browsing the obtained personal data according to the present invention. After the client 140 has agreed to the request content, the requester 150 calls, through the API, the get-identity-data function, for example "getIdentityData()", passing in the access token; this function checks whether the access token has expired and whether it has permission to access the corresponding data, and if there is no problem the encrypted personal data can be obtained. The requester 150 can then decrypt it with the private key corresponding to the requester public key, and the decrypted items of personal data can be displayed in the respective display elements 510 of the browsing window 500; the items may include the ID card number, name, birthday, education and so on. At this point the requester 150 can complete identification according to the decrypted personal data. Since the second blockchain network 120 is dedicated to identification operations and is not affected by the inefficiency of the first blockchain network 110, identification can be performed efficiently and at low cost, while the second blockchain network 120 periodically records a root hash on the first blockchain network 110 to which it belongs (also called the main chain, for example the Ethereum main chain), so that through the root hash the first blockchain network 110 can also possess the identification function.

In summary, the difference between the present invention and the prior art lies in forming a cross-chain architecture from the first blockchain network and the second blockchain network, deploying smart contracts and storing personal data on the second blockchain network, and, when the requester sends an identity access request to the client, having the client display the request content and allow access permissions to be set, so that the requester obtains the corresponding personal data from the second blockchain network in a cross-chain manner through the API for identification. By this technical means the problems of the prior art can be solved, thereby achieving the technical effect of improving the processing efficiency and data confidentiality of identification.

Although the present invention has been disclosed above by way of the foregoing embodiments, they are not intended to limit the present invention. Any person skilled in the art may make some changes and modifications without departing from the spirit and scope of the present invention; therefore, the scope of patent protection of the present invention shall be defined by the claims appended to this specification.

110‧‧‧first blockchain network
120‧‧‧second blockchain network
121‧‧‧consensus node
130‧‧‧supervisor
140‧‧‧client
141‧‧‧display module
142‧‧‧consent module
150‧‧‧requester
151‧‧‧request module
152‧‧‧access module
300‧‧‧verification window
310‧‧‧input block
320‧‧‧verification element
400‧‧‧permission setting window
410‧‧‧setting element
420‧‧‧confirm element
500‧‧‧browsing window
510‧‧‧display element
Step 210‧‧‧the supervisor provides in advance an application programming interface allowing the client and the requester to access the data of the second blockchain network in a cross-chain manner
Step 220‧‧‧the supervisor deploys in advance a request encryption contract and a request identification access contract on the second blockchain network
Step 230‧‧‧before each transmission of an identity access request, the requester calls through the application programming interface a request key function of the request encryption contract to generate an encryption public key, first encrypts the identity access request with the encryption public key, and then sends the encrypted identity access request together with the requester's own requester public key through the application programming interface to a request function of the request identification access contract so as to obtain a corresponding access token
Step 240‧‧‧after detecting the identity access request through the application programming interface, the client calls through the application programming interface a get-request function of the request identification access contract, which calls a get-private-key function of the request encryption contract to obtain the corresponding private key and decrypt the identity access request so as to display a request content
Step 250‧‧‧when the client agrees to the request content, it calls through the application programming interface an approve function of the request identification access contract to authorize the access token with access permissions, and calls a get-public-key function to obtain the requester public key so as to encrypt personal data and upload it to the second blockchain network
Step 260‧‧‧each consensus node executes a consensus algorithm and has a second blockchain, and periodically records the data of the second blockchain on a first blockchain of the first blockchain network
Step 270‧‧‧after the client agrees to the request content, the requester calls through the application programming interface a get-identity-data function, passing in the access token, so as to obtain the encrypted personal data and decrypt it

Figure 1 is a system block diagram of the identity management system based on a cross-chain architecture according to the present invention. Figures 2A and 2B are flowcharts of the identity management method based on a cross-chain architecture according to the present invention. Figure 3 is a schematic diagram of the requester requesting access to personal data for identification according to the present invention. Figure 4 is a schematic diagram of the client agreeing to authorization according to the present invention. Figure 5 is a schematic diagram of the requester browsing the obtained personal data according to the present invention.


Claims (10)

1. An identity management system based on a cross-chain architecture, the system comprising: a first blockchain network composed of multiple nodes, each node having a first blockchain; a second blockchain network, which is a private chain composed of multiple consensus nodes, each consensus node executing a consensus algorithm and having a second blockchain, and periodically recording the data of the second blockchain on the first blockchain; a supervisor, which is one of the consensus nodes, for providing in advance an application programming interface (API) allowing cross-chain access to the data of the second blockchain network, and for deploying in advance a request encryption contract and a request identification access contract on the second blockchain network; at least one client, each client connecting to the second blockchain network in a cross-chain manner through the API, each client comprising: a display module for, after detecting an identity access request, calling through the API a get-request function of the request identification access contract, the get-request function calling a get-private-key function of the request encryption contract to obtain the corresponding private key and decrypt the identity access request so as to display a request content; and a consent module for, when agreeing to the request content, calling through the API an approve function of the request identification access contract to authorize an access token with access permissions, and calling a get-public-key function to obtain a requester public key, so as to encrypt personal data of the client and upload it to the second blockchain network; and at least one requester, each requester connecting to the second blockchain network in a cross-chain manner through the API, each requester comprising: a request module for, before each transmission of the identity access request, calling through the API a request key function of the request encryption contract to generate an encryption public key, first encrypting the identity access request with the encryption public key, and then sending the encrypted identity access request together with the requester's own requester public key through the API to a request function of the request identification access contract so as to obtain a corresponding, not yet authorized, access token; and an access module for, after the client agrees to the request content, calling through the API a get-identity-data function, passing in the access token that has been granted access permissions, so as to obtain the encrypted personal data and decrypt it.
2. The identity management system based on a cross-chain architecture according to claim 1, wherein the request content includes at least one of an access permission scope, an access period, whether multiple accesses are allowed, and whether renewal of the access token is allowed.
3. The identity management system based on a cross-chain architecture according to claim 1, wherein the request identification access contract includes a reply deadline and at least one default access permission, and when the client does not respond to the identity access request within the reply deadline, the access token is authorized directly according to the default access permission.
4. The identity management system based on a cross-chain architecture according to claim 1, wherein the requester encrypts all data sent to the second blockchain network with the encryption public key and sends the encryption public key along with the data, enabling the consensus nodes to look up the private key corresponding to the encryption public key from the request encryption contract for decryption.
5. The identity management system based on a cross-chain architecture according to claim 1, wherein the API may be installed on an authorized one of the consensus nodes, so that the requester, the client, or both call the request encryption contract and the request identification access contract through the API via that authorized consensus node.
6. An identity management method based on a cross-chain architecture, applied in a network environment having a first blockchain network, a second blockchain network, a supervisor, at least one client and at least one requester, the second blockchain network being composed of multiple consensus nodes, one of which is the supervisor, the method comprising the steps of: the supervisor providing in advance an application programming interface (API) allowing the client and the requester to access the data of the second blockchain network in a cross-chain manner; the supervisor deploying in advance a request encryption contract and a request identification access contract on the second blockchain network; the requester, before each transmission of an identity access request, calling through the API a request key function of the request encryption contract to generate an encryption public key, first encrypting the identity access request with the encryption public key, and then sending the encrypted identity access request together with the requester's own requester public key through the API to a request function of the request identification access contract so as to obtain a corresponding access token; the client, after detecting the identity access request through the API, calling through the API a get-request function of the request identification access contract, the get-request function calling a get-private-key function of the request encryption contract to obtain the corresponding private key and decrypt the identity access request so as to display a request content; when the client agrees to the request content, calling through the API an approve function of the request identification access contract to authorize the access token with access permissions, and calling a get-public-key function to obtain the requester public key so as to encrypt personal data and upload it to the second blockchain network; each consensus node executing a consensus algorithm and having a second blockchain, and periodically recording the data of the second blockchain on a first blockchain of the first blockchain network; and the requester, after the client agrees to the request content, calling through the API a get-identity-data function, passing in the access token, so as to obtain the encrypted personal data and decrypt it.
7. The identity management method based on a cross-chain architecture according to claim 6, wherein the request content includes at least one of an access permission scope, an access period, whether multiple accesses are allowed, and whether renewal of the access token is allowed.
8. The identity management method based on a cross-chain architecture according to claim 6, wherein the request identification access contract includes a reply deadline and at least one default access permission, and when the client does not respond to the identity access request within the reply deadline, the access token is authorized directly according to the default access permission.
9. The identity management method based on a cross-chain architecture according to claim 6, wherein the requester encrypts all data sent to the second blockchain network with the encryption public key and sends the encryption public key along with the data, enabling the consensus nodes to look up the private key corresponding to the encryption public key from the request encryption contract for decryption.
10. The identity management method based on a cross-chain architecture according to claim 6, wherein the API may be installed on an authorized one of the consensus nodes, so that the requester, the client, or both call the request encryption contract and the request identification access contract through the API via that authorized consensus node.
TW107123646A 2018-07-09 2018-07-09 Identity management system based on cross-chain and method thereof TWI663865B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
TW107123646A TWI663865B (en) 2018-07-09 2018-07-09 Identity management system based on cross-chain and method thereof


Publications (2)

Publication Number Publication Date
TWI663865B TWI663865B (en) 2019-06-21
TW202007115A true TW202007115A (en) 2020-02-01

KR102207993B1 (en) Transaction Management System and Method Using Blockchain
WO2022227799A1 (en) Device registration method and apparatus, and computer device and storage medium
CN114978664A (en) Data sharing method and device and electronic equipment
Sidhu et al. Trust development for blockchain interoperability using self-sovereign identity integration