TW202007115A - Identity management system based on cross-chain and method thereof - Google Patents
Identity management system based on cross-chain and method thereof
- Publication number: TW202007115A
- Authority
- TW
- Taiwan
- Prior art keywords
- request
- access
- contract
- blockchain network
- client
Description
The present invention relates to an identity management system and method, and in particular to an identity management system and method based on a cross-chain architecture.
In recent years, with the spread and rapid growth of blockchain, blockchain applications of every kind have sprung up; among them, the financial-technology (Fintech) applications that combine blockchain with the financial industry have drawn the most attention.
In general, common blockchain applications run peer-to-peer (P2P) on a decentralized blockchain network. However, regulatory constraints require accounts to be tied to real names, so identity management is built on top of the public chain (also called the main chain), as uPort does. This approach makes processing efficiency depend on the load of the whole main-chain network, and transaction fees are high. In addition, every record of interaction with a smart contract is kept on the public chain: once the link to a real identity is resolved, or is disclosed to a third party after authentication, the entire past history becomes fully public. The prior art therefore suffers from poor processing efficiency for identity recognition and poor data confidentiality.
In view of this, some vendors have proposed improved blockchain algorithms so that processing efficiency can be raised effectively. However, this approach improves the overall processing efficiency of the blockchain rather than targeting the identity-recognition part specifically, so as transaction volume grows the efficiency of identity recognition still suffers. Moreover, it still records all data on the main chain, so once the link to a real identity is resolved the whole past history is again fully exposed; it therefore still fails to solve the problems of poor processing efficiency and poor data confidentiality in identity recognition.
In summary, the prior art has long suffered from poor processing efficiency and poor data confidentiality in identity recognition, so improved technical means are needed to solve this problem.
The present invention discloses an identity management system based on a cross-chain architecture, and a method thereof.
First, the present invention discloses an identity management system based on a cross-chain architecture. The system comprises a first blockchain network, a second blockchain network, a supervisor, clients and requesters. The first blockchain network consists of multiple nodes, each holding a first blockchain. The second blockchain network is a private chain made up of multiple consensus nodes; each consensus node runs a consensus algorithm, holds a second blockchain, and periodically records the data of the second blockchain on the first blockchain. The supervisor is one of the consensus nodes; it provides in advance an application programming interface (API) that allows the data of the second blockchain network to be accessed in a cross-chain manner, and it deploys in advance a request encryption contract and a request identification access contract on the second blockchain network.
As for the clients, each client connects to the second blockchain network in a cross-chain manner through the API and comprises a display module and an approval module. After detecting an identity access request, the display module calls, through the API, the get-request function of the request identification access contract; that function in turn calls the get-private-key function of the request encryption contract to obtain the corresponding private key, with which the identity access request is decrypted and its request content displayed. When the request content is approved, the approval module calls, through the API, the approve function of the request identification access contract to grant the access token its access permissions, and calls the get-public-key function to obtain the requester's public key, with which the client's personal data is encrypted and uploaded to the second blockchain network.
As for the requesters, each requester connects to the second blockchain network in a cross-chain manner through the API and comprises a request module and an access module. Before each identity access request is sent, the request module calls, through the API, the request-key function of the request encryption contract to generate an encryption public key, encrypts the identity access request with that encryption public key, and then sends the encrypted identity access request together with the requester's own public key, through the API, to the request function of the request identification access contract, in order to obtain the corresponding, not yet authorized, access token. After the client has approved the request content, the access module calls the get-identity-data function through the API, passing in the authorized access token, to obtain the encrypted personal data and decrypt it.
In addition, the present invention discloses an identity management method based on a cross-chain architecture, applied in a network environment having a first blockchain network, a second blockchain network, a supervisor, a client and a requester, where the second blockchain network consists of multiple consensus nodes, one of which is the supervisor. The steps are: the supervisor provides in advance an API that allows the client and the requester to access the data of the second blockchain network in a cross-chain manner; the supervisor deploys in advance a request encryption contract and a request identification access contract on the second blockchain network; before each identity access request is sent, the requester calls through the API the request-key function of the request encryption contract to generate an encryption public key, encrypts the identity access request with that key, and sends the encrypted identity access request together with the requester's own public key through the API to the request function of the request identification access contract, in order to obtain the corresponding access token; after detecting the identity access request through the API, the client calls through the API the get-request function of the request identification access contract, which calls the get-private-key function of the request encryption contract, so as to obtain the corresponding private key, decrypt the identity access request and display its request content; when the client approves the request content, it calls through the API the approve function of the request identification access contract to grant the access token its access permissions, and calls the get-public-key function to obtain the requester's public key, with which the personal data is encrypted and uploaded to the second blockchain network; each consensus node runs a consensus algorithm, holds a second blockchain, and periodically records the data of the second blockchain on the first blockchain of the first blockchain network; and after the client has approved the request content, the requester calls the get-identity-data function through the API, passing in the access token, to obtain the encrypted personal data and decrypt it.
The system and method disclosed above differ from the prior art in that the present invention forms a cross-chain architecture from a first blockchain network and a second blockchain network, deploys the smart contracts and stores the personal data on the second blockchain network, and, when a requester sends an identity access request to a client, has the client display the request content and allow access permissions to be set, so that the requester can obtain the corresponding personal data from the second blockchain network in a cross-chain manner through the API and perform identity recognition.
Through the above technical means, the present invention achieves the technical effect of improving the processing efficiency and data confidentiality of identity recognition.
The embodiments of the present invention are described in detail below with reference to the drawings and examples, so that the way in which the invention applies technical means to solve the technical problem and achieve the technical effect can be fully understood and put into practice.
Before describing the identity management system and method based on a cross-chain architecture disclosed herein, the environment in which the invention is applied is explained. The invention applies to a cross-chain architecture made up of multiple blockchain networks that execute smart contracts. The computing devices in each blockchain network can be regarded as blockchain nodes (or simply nodes); the nodes are connected peer-to-peer and process blockchain transactions. The cross-chain architecture can use the Merkle root (block root) together with a Merkle proof to verify any single transaction, so that one blockchain can be used to verify transactions on another. Thus, to verify on the blockchain of the first blockchain network that a given transaction exists on the blockchain of the second blockchain network, it suffices to supply that transaction and the hashes of its parent nodes. In practice, the first blockchain network can be regarded as the parent chain or main chain and the second blockchain network as a child chain, such as a "Plasma Chain" or a "Side Chain". Also in practice, the consensus nodes, supervisor, clients and requesters of the present invention are all computing devices, which may be servers, desktop computers, notebook computers, tablet computers, smartphones and so on, and which execute computer program instructions, for example the blockchain software "Ethereum". The "request encryption contract" and "request identification access contract" referred to herein are both smart contracts, that is, computer programs that drive the execution of instructions according to predetermined conditions and transmitted information. In practice, such smart contracts are written in a programming language such as Solidity, Serpent, LLL, EtherScript or Sidechain and may contain various functions, events, parameter states and so on. Taking the blockchain software "Ethereum" as an example, a smart contract is compiled into bytecode and an Application Binary Interface (ABI) and then broadcast to the blockchain network; once a miner has placed the smart contract on the blockchain and it has received its address, deployment of the smart contract is completed through a blockchain transaction. Thereafter, each node can execute the corresponding smart contract by its address, change the contract's state on the blockchain through different instructions, and detect whether its events have been triggered.
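The Merkle anchoring the paragraph above describes, as an added Python example that is not the patent's own code: the second chain's records are hashed into a Merkle root that is committed to a stand-in main chain, and a record is accepted only when its Merkle proof reaches a root that was actually anchored. The record format, the `MainChainAnchor` registry and the 0x00/0x01 leaf and node prefixes are assumptions.

```python
"""Cross-chain verification with a Merkle root and a Merkle proof: the second chain
commits the root hash of its records to the first (main) chain, and membership of a
record is then checked against that anchored root.
Added example, not the patent's own code; the record format, the anchoring registry
and the 0x00/0x01 domain-separation prefixes are assumptions."""
import hashlib
from typing import Dict, List, Tuple


def _sha256(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


def leaf_hash(record: bytes) -> bytes:
    # Leaves and inner nodes get different prefixes so an inner node can never be
    # presented as a leaf (the second-preimage trick against plain Merkle trees).
    return _sha256(b"\x00" + record)


def node_hash(left: bytes, right: bytes) -> bytes:
    return _sha256(b"\x01" + left + right)


def _pad(level: List[bytes]) -> List[bytes]:
    # An odd level is completed by repeating its last hash.
    return level + [level[-1]] if len(level) % 2 else level


def build_levels(records: List[bytes]) -> List[List[bytes]]:
    """All tree levels, leaves first; the last level holds only the root."""
    if not records:
        raise ValueError("a Merkle tree needs at least one record")
    level = [leaf_hash(r) for r in records]
    levels = [level]
    while len(level) > 1:
        padded = _pad(level)
        level = [node_hash(padded[i], padded[i + 1]) for i in range(0, len(padded), 2)]
        levels.append(level)
    return levels


def merkle_root(records: List[bytes]) -> bytes:
    return build_levels(records)[-1][0]


def merkle_proof(records: List[bytes], index: int) -> List[Tuple[bytes, bool]]:
    """Sibling hashes from leaf to root; the flag says whether the sibling is on the right."""
    proof = []
    for level in build_levels(records)[:-1]:
        padded = _pad(level)
        sibling = index ^ 1
        proof.append((padded[sibling], sibling > index))
        index //= 2
    return proof


def verify_proof(record: bytes, proof: List[Tuple[bytes, bool]], root: bytes) -> bool:
    """Recompute the path from the record up to the root and compare."""
    acc = leaf_hash(record)
    for sibling, sibling_is_right in proof:
        acc = node_hash(acc, sibling) if sibling_is_right else node_hash(sibling, acc)
    return acc == root


class MainChainAnchor:
    """Stand-in for the first (main) chain: it only stores the roots the second chain commits."""

    def __init__(self) -> None:
        self._roots: Dict[int, bytes] = {}

    def commit(self, checkpoint: int, root: bytes) -> None:
        if checkpoint in self._roots:
            raise ValueError("checkpoint already anchored")  # anchors are append-only
        self._roots[checkpoint] = root

    def is_anchored(self, checkpoint: int, root: bytes) -> bool:
        return self._roots.get(checkpoint) == root


def verify_cross_chain(anchor: MainChainAnchor, checkpoint: int, root: bytes,
                       record: bytes, proof: List[Tuple[bytes, bool]]) -> bool:
    """A main-chain verifier accepts a second-chain record only if the claimed root
    was really anchored AND the proof ties the record to that root."""
    return anchor.is_anchored(checkpoint, root) and verify_proof(record, proof, root)


# Constructed sample records of the identity chain (a token id plus opaque ciphertext).
SAMPLE_RECORDS = [f"token-{i}:ciphertext-{i}".encode() for i in range(5)]


def demo() -> Tuple[bool, bool, bool]:
    """Honest proof verifies; a tampered record and an unanchored root are rejected."""
    root = merkle_root(SAMPLE_RECORDS)
    anchor = MainChainAnchor()
    anchor.commit(checkpoint=1, root=root)
    proof = merkle_proof(SAMPLE_RECORDS, 2)
    ok = verify_cross_chain(anchor, 1, root, SAMPLE_RECORDS[2], proof)
    tampered = verify_cross_chain(anchor, 1, root, b"token-2:forged", proof)
    unanchored = verify_cross_chain(anchor, 2, root, SAMPLE_RECORDS[2], proof)
    return ok, tampered, unanchored
```

The anchor check is what makes the scheme cross-chain: a proof against a root nobody committed to the main chain proves nothing, however well-formed it is.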
The identity management system and method of the present invention are further explained below with reference to the drawings. Referring first to Figure 1, a system block diagram of the identity management system based on a cross-chain architecture, the system comprises a first blockchain network 110, a second blockchain network 120, a supervisor 130, a client 140 and a requester 150. The first blockchain network 110 consists of multiple nodes (not shown), each holding a first blockchain. The second blockchain network 120 is a private chain made up of multiple consensus nodes 121 (the supervisor 130 is itself also a consensus node 121); each consensus node 121 runs a consensus algorithm such as Proof of Stake (PoS) and holds a second blockchain (specifically, the blockchain of the first blockchain network 110 is called the first blockchain and the blockchain of the second blockchain network 120 the second blockchain), and periodically records data of the second blockchain, such as its root hash, on the first blockchain, so that the first blockchain gains an identity-recognition function. In practice the private chain may also be a consortium chain; the two differ only in who may participate (a private chain is restricted to members of one organization, whereas a consortium chain admits members of several organizations). Notably, if the second blockchain is dedicated to identity recognition, then because its hash data is periodically recorded on the first blockchain, the identity-recognition function can be provided to the first blockchain in a cross-chain manner. As a result, the complete data exists only on the second blockchain and can be obtained only by the supervisor 130 or an authorized consensus node 121, which ensures the security of the data; in addition, efficiency is improved and cost reduced, because all computation takes place in the second blockchain network 120 and is thus free of the low efficiency and high transaction fees of a public chain.
The supervisor 130 is one of the consensus nodes 121. It provides in advance the API that allows data of the second blockchain network 120 to be accessed in a cross-chain manner, and deploys in advance the request encryption contract and the request identification access contract on the second blockchain network 120. Since both are smart contracts, once they are deployed the blockchain (the second blockchain) of every node in the second blockchain network 120 (every consensus node 121, including the supervisor 130) holds both contracts, so any node that knows a contract's address can execute it. To let the other nodes in the second blockchain network 120 learn the contract addresses, each of the two contracts can, upon completion of its deployment, emit an event carrying its own contract address, so that a node that detects the event also obtains the address and can execute the corresponding contract. In practice the API may be a web API in the Representational State Transfer (REST) style, i.e. a RESTful API; besides the supervisor 130, it may also be hosted on an authorized consensus node 121, so that the requester 150 and/or the client 140 can call the functions of the request encryption contract and the request identification access contract through this API via the authorized consensus node 121.
Turning to the client 140, it comprises a display module 141 and an approval module 142. After detecting an identity access request, the display module 141 calls through the API the get-request function of the request identification access contract, which calls the get-private-key function of the request encryption contract to obtain the corresponding private key, decrypts the identity access request and displays the request content. In other words, the display module 141 shows the requester 150's request content to the user at the client 140 for review, so that the user can decide whether to grant the requester 150 access. In practice the client 140 uses the API provided by a consensus node 121 or the supervisor 130 over a network running the TCP/IP protocol suite.
When the request content is approved, the approval module 142 calls through the API the approve function of the request identification access contract to grant the access token its access permissions, and calls the get-public-key function to obtain the requester's public key, with which the personal data of the client 140 is encrypted and uploaded to the second blockchain network 120. In practice the request content may include the scope of access, the access period, whether multiple accesses are allowed and whether the access token may be renewed, or at least one of these. For example, the access scope may cover individual items of personal data such as read name, read date of birth, read education, write name, write date of birth and write education, and so on; the access period is a time window within which access is permitted and outside of which it is refused; and for multiple access, a setting of "yes" permits repeated access while "no" permits only a single access.
Turning to the requester 150, it comprises a request module 151 and an access module 152. Before each identity access request is sent, the request module 151 calls through the API the request-key function of the request encryption contract to generate an encryption public key, encrypts the identity access request with that key, and then sends the encrypted identity access request together with the requester 150's own public key through the API to the request function of the request identification access contract, in order to obtain the corresponding, not yet authorized, access token. In practice the requester 150 likewise uses the API provided by a consensus node 121 or the supervisor 130 over a TCP/IP network. The requester public key and the encryption public key serve the same purpose as the public-key exchange in SSL: to encrypt the data the two sides send each other. A request from the requester 150 may, for instance, ask for someone's date of birth and name given a national ID number; to keep such information from unauthorized parties, each side encrypts the data it is about to send with the other side's public key. In particular, the requester 150 may encrypt all data it sends to the second blockchain network 120 with the encryption public key and send that encryption public key along with the data, so that a consensus node 121 can look up the private key corresponding to the encryption public key in the request encryption contract and decrypt the data.
After the client 140 has approved the request content, the access module 152 calls the get-identity-data function through the API, passing in the authorized access token, to obtain the encrypted personal data and decrypt it. In practice the request identification access contract may define a reply deadline and default access permissions: if the client 140 does not respond to the identity access request within the reply deadline, the access token can be authorized directly according to the default access permissions. In other words, if after the request module 151 has issued an identity access request the access module 152 receives no approval from the client 140 within the reply deadline, the request may be treated as failed, or, in a manner similar to open authorization (OAuth), the encrypted personal data may be obtained under the default access permissions defined in the request identification access contract.
Note that in practice each module of the present invention may be implemented in various ways, including software, hardware or any combination thereof; for example, in some embodiments the modules may be implemented in software, in hardware or in both, and the invention may also be implemented partly or wholly in hardware, for instance with one or more modules of the system realized on an integrated-circuit chip, a System on Chip (SoC), a Complex Programmable Logic Device (CPLD), a Field Programmable Gate Array (FPGA) and so on. The present invention may be a system, a method and/or a computer program. The computer program may include a computer-readable storage medium carrying computer-readable program instructions that cause a processor to implement the aspects of the invention; the computer-readable storage medium may be a tangible device capable of holding and storing instructions for use by an instruction execution device. It may be, but is not limited to, an electrical, magnetic, optical, electromagnetic or semiconductor storage device, or any suitable combination of these. More specific examples (a non-exhaustive list) include hard disks, random access memory, read-only memory, flash memory, optical discs, floppy disks and any suitable combination of these. A computer-readable storage medium as used here is not to be construed as a transitory signal per se, such as radio waves or other freely propagating electromagnetic waves, electromagnetic waves propagating through a waveguide or other transmission medium (for example light pulses through a fibre-optic cable), or electrical signals transmitted through a wire. The computer-readable program instructions described here may be downloaded from a computer-readable storage medium to the respective computing/processing devices, or to an external computer or external storage device over a network such as the Internet, a local area network, a wide area network and/or a wireless network. The network may comprise copper transmission cables, optical-fibre transmission, wireless transmission, routers, firewalls, switches, hubs and/or gateways. A network adapter or network interface in each computing/processing device receives the computer-readable program instructions from the network and forwards them for storage in a computer-readable storage medium within that device. The computer program instructions for carrying out the operations of the present invention may be assembly instructions, instruction-set-architecture instructions, machine instructions, machine-dependent instructions, microcode, firmware instructions, or source code or object code written in any combination of one or more programming languages, including object-oriented languages such as Common Lisp, Python, C++, Objective-C, Smalltalk, Delphi, Java, Swift, C#, Perl, Ruby and PHP, and conventional procedural languages such as C or similar. The computer-readable program instructions may execute entirely on the computer, partly on the computer, as a stand-alone software package, partly on the client computer and partly on a remote computer, or entirely on a remote computer or server.
Referring to Figures 2A and 2B, which are flowcharts of the identity management method based on a cross-chain architecture of the present invention, the method is applied in a network environment having the first blockchain network 110, the second blockchain network 120, the supervisor 130, the client 140 and the requester 150, where the second blockchain network 120 consists of multiple consensus nodes 121, one of which is the supervisor 130. The steps are: the supervisor 130 provides in advance an API that allows the client 140 and the requester 150 to access the data of the second blockchain network 120 in a cross-chain manner (step 210); the supervisor 130 deploys in advance the request encryption contract and the request identification access contract on the second blockchain network 120 (step 220); before each identity access request is sent, the requester 150 calls through the API the request-key function of the request encryption contract to generate an encryption public key, encrypts the identity access request with that key, and sends the encrypted identity access request together with the requester 150's own public key through the API to the request function of the request identification access contract, in order to obtain the corresponding access token (step 230); after detecting the identity access request through the API, the client 140 calls through the API the get-request function of the request identification access contract, which calls the get-private-key function of the request encryption contract, so as to obtain the corresponding private key, decrypt the identity access request and display its request content (step 240); when the client 140 approves the request content, it calls through the API the approve function of the request identification access contract to grant the access token its access permissions, and calls the get-public-key function to obtain the requester's public key, with which the personal data is encrypted and uploaded to the second blockchain network 120 (step 250); each consensus node 121 runs a consensus algorithm, holds a second blockchain, and periodically records the data of the second blockchain on the first blockchain of the first blockchain network 110 (step 260); and after the client 140 has approved the request content, the requester 150 calls the get-identity-data function through the API, passing in the access token, to obtain the encrypted personal data and decrypt it (step 270). Through these steps, the first blockchain network 110 and the second blockchain network 120 form a cross-chain architecture, the smart contracts are deployed and the personal data stored on the second blockchain network 120, and when the requester 150 sends an identity access request to the client 140, the client 140 displays the request content and allows access permissions to be set, so that the requester 150 can obtain the corresponding personal data from the second blockchain network 120 in a cross-chain manner through the API and perform identity recognition.
The following is explained by way of example with reference to Figures 3 to 5. Referring first to Figure 3, a schematic diagram of the requester requesting access to personal data for identity recognition: when the requester 150 wants to verify a person's identity, that person's national ID number, such as A123456789, can be typed into the input field 310 of the verification window 300 to request the corresponding personal data for identity recognition. When the verify control 320 is clicked, the request module 151 first calls through the API the request-key function of the request encryption contract, such as "requestNewKey()", to generate the corresponding encryption public key, encrypts the identity access request with it, and then sends the encrypted identity access request together with the requester 150's own public key through the API to the request function of the request identification access contract, in order to obtain the corresponding, not yet authorized, access token. Note that the encryption public key is sent along with the encrypted identity access request, so that the client 140 can use it to look up the corresponding private key in the second blockchain network 120, decrypt the encrypted identity access request and obtain the request content.
Figure 4 is a schematic diagram of the client approving authorization. As mentioned above, the client 140 can use the encryption public key to look up the corresponding private key in the second blockchain network 120 and decrypt the encrypted identity access request to obtain the request content. This works as follows: after detecting an identity access request, the display module 141 calls through the API the get-request function of the request identification access contract, such as "getRequest()", which calls the get-private-key function of the request encryption contract, such as "getPrivateKey()", to obtain the corresponding private key, decrypts the encrypted identity access request, and displays the request content, such as read name, read date of birth, read education, write name, write date of birth and write education, in the permission-setting window 400 shown in Figure 4, where each item can be set to allow or deny with the corresponding setting control 410. Once every access permission has been set, the confirm control 420 is clicked, and the approval module 142 calls through the API the approve function of the request identification access contract, such as "approve()", to grant the access token the access permissions chosen with the setting controls 410. This completes the setting of the access token's permissions. In addition, the request content may also include the access period and the renewal policy of the access token, such as whether it can be renewed and how many times. Next, the approval module 142 also calls the get-public-key function, such as "getPublicKey()", to obtain the requester's public key (the requester public key), encrypts the personal data with it, and uploads the result to the second blockchain network 120, for example by calling the upload-identity-data function "uploadIdentityData()" of the request identification access contract.
Figure 5 is a schematic diagram of the requester viewing the personal data obtained. After the client 140 has approved the request content, the requester 150 calls through the API the get-identity-data function, such as "getIdentityData()", passing in the access token; the function checks whether the access token has expired and whether it carries permission to access the corresponding data, and if there is no problem, the encrypted personal data is obtained. The requester 150 then decrypts it with the private key corresponding to the requester public key and can show each item of the decrypted personal data in the respective display elements 510 of the browsing window 500; the items may include national ID number, name, date of birth, education and so on. The requester 150 can then complete identity recognition from the decrypted personal data. Because the second blockchain network 120 is dedicated to identity-recognition computation and is not affected by the low efficiency of the first blockchain network 110, identity recognition achieves high efficiency and low cost; and because the second blockchain network 120 periodically records its root hash on the first blockchain network 110 it belongs to (also called the main chain, for example the Ethereum main chain), the root hash lets the first blockchain network 110 also possess the identity-recognition function.
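The access-token lifecycle described for the requester's access module and walked through in Figures 3 to 5, as an added Python simulation that is not the patent's or any project's code: it models the request, getRequest, getPublicKey, approve, uploadIdentityData and getIdentityData functions of the request identification access contract, including the reply-deadline fallback to default permissions, and places every expiry, scope and single-use check inside getIdentityData. The field names, `AccessError`, the `refused` helper and scope strings such as `read:name` are assumptions; the asymmetric encryption happens off-chain, so ciphertexts are opaque bytes here.

```python
"""Token lifecycle of the request identification access contract: request, client consent
(or default permissions once the reply deadline passes) and redemption, with the expiry,
scope and single-use checks that the description places in getIdentityData().
Added example, not the patent's own code: function names follow the description; field
names, AccessError and scope strings such as "read:name" are assumptions. The contract
never sees plaintext: ciphertexts are opaque bytes that it merely stores and gates."""
import secrets
from dataclasses import dataclass, field
from typing import Callable, Dict, FrozenSet, Iterable, Optional, Tuple


class AccessError(Exception):
    """Raised when the contract refuses a call."""


@dataclass
class AccessToken:
    requester_pub: bytes          # returned to the client by getPublicKey()
    encrypted_request: bytes      # request encrypted under the encryption public key
    enc_key_id: str               # which key pair of the request encryption contract
    created_at: int               # unix time the request was filed
    approved: bool = False        # "not yet authorized" until approve() or the deadline
    scope: FrozenSet[str] = frozenset()
    expires_at: Optional[int] = None
    multi_use: bool = False
    uses: int = 0


@dataclass
class RequestIdentityAccessContract:
    reply_deadline: int           # seconds the client has to answer
    default_scope: FrozenSet[str] # default permissions applied after the deadline
    default_validity: int         # lifetime of a token authorized by default
    tokens: Dict[str, AccessToken] = field(default_factory=dict)
    uploaded: Dict[str, bytes] = field(default_factory=dict)  # token -> client ciphertext

    def _token(self, token: str) -> AccessToken:
        if token not in self.tokens:
            raise AccessError("unknown access token")
        return self.tokens[token]

    def request(self, encrypted_request: bytes, requester_pub: bytes,
                enc_key_id: str, now: int) -> str:
        """Requester files an encrypted request and receives a not-yet-authorized token."""
        token = secrets.token_hex(16)  # off-chain stand-in for a contract-derived id
        self.tokens[token] = AccessToken(requester_pub, encrypted_request, enc_key_id, now)
        return token

    def get_request(self, token: str) -> Tuple[bytes, str]:
        """Client fetches the ciphertext and the key id used to look up the private key."""
        t = self._token(token)
        return t.encrypted_request, t.enc_key_id

    def get_public_key(self, token: str) -> bytes:
        return self._token(token).requester_pub

    def approve(self, token: str, allowed: Iterable[str], validity: int,
                multi_use: bool, now: int) -> None:
        """Client consent: fixes scope, access period and whether the token is reusable."""
        t = self._token(token)
        if t.approved:
            raise AccessError("request already decided")
        t.approved, t.scope = True, frozenset(allowed)
        t.expires_at, t.multi_use = now + validity, multi_use

    def upload_identity_data(self, token: str, ciphertext: bytes) -> None:
        """Client stores personal data encrypted to the requester's public key."""
        self._token(token)  # must belong to a known request
        self.uploaded[token] = ciphertext

    def get_identity_data(self, token: str, fields: Iterable[str], now: int) -> bytes:
        """Requester redeems the token; all checks are enforced here, not at the caller."""
        t = self._token(token)
        if not t.approved:
            if now - t.created_at < self.reply_deadline:
                raise AccessError("waiting for client consent")
            # Client silent past the reply deadline: fall back to the default permissions.
            t.approved, t.scope = True, self.default_scope
            t.expires_at, t.multi_use = now + self.default_validity, False
        if now >= t.expires_at:
            raise AccessError("access token expired")
        if not set(fields) <= t.scope:
            raise AccessError("requested fields outside the authorized scope")
        if t.uses and not t.multi_use:
            raise AccessError("single-use token already redeemed")
        if token not in self.uploaded:
            raise AccessError("no identity data uploaded for this token")
        t.uses += 1
        return self.uploaded[token]


def refused(call: Callable[[], object]) -> bool:
    """True if the contract rejected the call with AccessError."""
    try:
        call()
    except AccessError:
        return True
    return False
```

Keeping the checks inside getIdentityData rather than in the requester's access module is the point: the requester is the party being gated, so it must not be the party doing the gating.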
In summary, the present invention differs from the prior art in that it forms a cross-chain architecture from a first blockchain network and a second blockchain network, deploys the smart contracts and stores the personal data on the second blockchain network, and, when a requester sends an identity access request to a client, has the client display the request content and allow access permissions to be set, so that the requester can obtain the corresponding personal data from the second blockchain network in a cross-chain manner through the API and perform identity recognition. This technical means solves the problems of the prior art and thereby achieves the technical effect of improving the processing efficiency and data confidentiality of identity recognition.
Although the present invention has been disclosed through the foregoing embodiments, they are not intended to limit it; anyone skilled in the art may make minor changes and refinements without departing from the spirit and scope of the invention, and the scope of patent protection shall therefore be that defined by the claims appended to this specification.
Figure 1 is a system block diagram of the identity management system based on a cross-chain architecture of the present invention.
Figures 2A and 2B are flowcharts of the identity management method based on a cross-chain architecture of the present invention.
Figure 3 is a schematic diagram of the requester requesting access to personal data for identity recognition.
Figure 4 is a schematic diagram of the client approving authorization.
Figure 5 is a schematic diagram of the requester viewing the personal data obtained.
110: first blockchain network
120: second blockchain network
121: consensus node
130: supervisor
140: client
141: display module
142: approval module
150: requester
151: request module
152: access module
Claims (10)
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
TW107123646A TWI663865B (en) | 2018-07-09 | 2018-07-09 | Identity management system based on cross-chain and method thereof |
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
TW107123646A TWI663865B (en) | 2018-07-09 | 2018-07-09 | Identity management system based on cross-chain and method thereof |
Publications (2)
Publication Number | Publication Date |
---|---|
TWI663865B TWI663865B (en) | 2019-06-21 |
TW202007115A true TW202007115A (en) | 2020-02-01 |
Family
ID=67764653
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
TW107123646A TWI663865B (en) | 2018-07-09 | 2018-07-09 | Identity management system based on cross-chain and method thereof |
Country Status (1)
Country | Link |
---|---|
TW (1) | TWI663865B (en) |
2018-07-09 TW TW107123646A patent/TWI663865B/en active