CN112950220B - Enterprise digital identity management system and method based on blockchain - Google Patents

Info

Publication number: CN112950220B
Authority: CN (China)
Application number: CN202110258371.XA
Other languages: Chinese (zh)
Other versions: CN112950220A
Inventors: 兰秋军, 贾时雨, 马超群, 周中定, 李信儒, 万丽
Assignee (current and original): Hunan University
Events: application filed by Hunan University; priority to CN202110258371.XA; publication of CN112950220A; application granted; publication of CN112950220B
Legal status: Active

Classifications

    • G06Q20/4014 Identity check for transactions (under G06Q20/401 Transaction verification; G06Q20/40 Authorisation, e.g. identification of payer or payee, verification of customer or shop credentials; G06Q20/38 Payment protocols; G06Q20/00 Payment architectures, schemes or protocols)
    • G06Q20/102 Bill distribution or payments (under G06Q20/10 Payment architectures specially adapted for electronic funds transfer [EFT] systems; G06Q20/08 Payment architectures)
    • G06Q40/02 Banking, e.g. interest calculation or account maintenance (under G06Q40/00 Finance; Insurance; Tax strategies; Processing of corporate or income taxes)
    • G06Q40/123 Tax preparation or submission (under G06Q40/12 Accounting; G06Q40/00 Finance)

Abstract

The application discloses a blockchain-based enterprise digital identity management system and method. The system comprises a dynamic digital identity life cycle management subsystem, a digital identity authorization management subsystem, an identity data storage subsystem and a verifiable credential management subsystem. The method comprises the following stages: a distributed digital identity identifier initialization stage, an enterprise digital identity registration stage, an enterprise trade and trade finance stage, and an enterprise registration change or cancellation stage. The application combines digital identity management with enterprise-level business operation by using blockchain, self-sovereign identity, zero-knowledge proof, asymmetric cryptography and related technologies; it simplifies the information registration and management process of enterprises in the registration, transaction, change and cancellation stages, provides enterprises with an autonomous and controllable information management and data sharing scheme, and realizes private data protection and trusted identity proof.

Description

Enterprise digital identity management system and method based on blockchain
Technical Field
The application relates to the technical field of blockchains, in particular to an enterprise digital identity management system and method based on a blockchain.
Background
Traditional enterprise identity management has the following disadvantages: 1. enterprise staff must visit each government department in person to complete offline procedures, using paper documents as evidence; because the departments are dispersed, this takes a long time; 2. paper documents are easily lost or damaged, the number of originals is limited, and their use is therefore restricted; 3. data forgery is easier, since the protection offered by a signature or stamp on a paper document alone is weak; 4. the enterprise owner must keep the enterprise identity documents safe, and when enterprise information changes the data must be updated again at each government department, which greatly reduces efficiency and convenience; 5. in the course of production and operation an enterprise generates a large amount of business data that supervisory departments and partners find hard to obtain and supervise; information does not circulate smoothly and data islands result.
Disclosure of Invention
In one aspect, an embodiment of the application provides a blockchain-based enterprise digital identity management system, which aims to solve the technical problems of high cost, low efficiency, weak protection, poor information circulation and high risk in the existing enterprise identity management process.
The technical scheme adopted by the embodiment of the application is as follows:
a blockchain-based enterprise digital identity management system, comprising:
a dynamic digital identity life cycle management subsystem, used for the registration, data update, data query and identity cancellation steps; the distributed ledger stores the history of modifications to the identity information, the identity is updated to its latest modified state, and the identity record is traceable;
a digital identity authorization management subsystem, used to authorize the scope and duration of access when a third party requests access to the enterprise digital identity; an organization digital identity must be operated by members of the enterprise, so an association is formed between the personal digital identities of enterprise members and the organization digital identity, and the organization digital identity authorizes individuals to manage it within different scopes of authority; a user can query the scope for which a digital identity has been authorized, and so knows how the identity is used in different application scenarios;
an identity data storage subsystem, used to store user wallets, a plaintext distributed ledger and a ciphertext distributed ledger; digital identity information is stored in the user wallet, the user decides for each item whether it is written to the chain, and the wallet is stored locally so that the data cannot be obtained, and then further shared, by a third party;
a verifiable credential management subsystem, used for issuing, storing and using verifiable credentials; it specifies a verifiable credential issuance and verification process based on zero-knowledge proof, so that identity proof can be provided with privacy protection.
Further, the verifiable credential gives the digital identity an identity verification scheme in which both the data source and the data content can be verified. A verifiable credential is generated for a given application scenario, and its content comprises credential metadata, a claim data set and proof information. The credential metadata comprises the issuer of the credential, the issue time and the credential type; the claim data set is the user's digital identity information involved in the specific scenario; the proof information is an endorsement signature over the credential metadata and the claim data set, and comprises a signature type, a signature value, a creation time and creator information.
Further, the process of issuing a verifiable credential includes the following steps:
the issuer generates the user's claim fields and hashes each field;
the field hashes are combined in the form of a Merkle tree into a claim_hash, which is hashed again together with the credential ID and the other credential metadata to form a credentials_hash;
the credentials_hash is then signed with the credential issuer's private key to obtain the signature value, and the signature value is added to the verifiable credential, which completes the issuance process.
Further, when the data required by a verification scenario spans the contents of multiple verifiable credentials, the holder generates a verifiable statement (a verifiable presentation) from those credentials, providing a single proof that contains the contents of multiple credentials. The statement comprises statement metadata such as the credential types, an id and terms of use; the verifiable credential data, comprising the credential ids and the claim data sets; and proof information, which is an endorsement signature over the statement metadata and the verifiable credential data and comprises a signature type, a signature value, a creation time and creator information.
Further, the verification of a verifiable credential or verifiable statement is performed in a zero-knowledge manner: the authenticity of the credential or statement is verified without the verifier obtaining the plaintext of the withheld claim data. The process comprises the following steps:
the holder provides the verifiable credential or statement in which the claims the verifier is allowed to see are presented in plaintext and the remaining claims appear only in hashed form;
the verifier hashes the plaintext claims again following the credential generation process, combines all the hash values in the credential in Merkle tree form into the claim_hash, and hashes it again together with the credential ID and the other credential metadata to form a first hash value credentials_hash;
at the same time, the verifier extracts the signature value of the verifiable credential, obtains the issuer's public key from the distributed ledger by way of the credential issuer's distributed digital identity identifier, and recovers from the signature value, using that public key, a second hash value credentials_hash of the verifiable credential;
if the first and second credentials_hash values are consistent, the credential or statement provided by the holder and the claims it contains may be considered authentic.
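The issuance steps and the verification steps above share one hash-then-sign structure. The following Go program is an added example written for this page; it is not code from the patent or from Hunan University. It assumes SHA-256 for every hash, a binary Merkle tree over the field hashes in sorted field-name order with the last node duplicated on odd levels, Ed25519 for the issuer signature, an in-memory map standing in for the ledger's DID-to-public-key lookup, and a per-field random salt that the patent does not mention. Two practitioner caveats are visible in the code. First, with Ed25519 the verifier does not "decrypt" the signature to recover a second credentials_hash as the text describes for an RSA-style scheme; it recomputes credentials_hash and checks the signature against it, which is the same test. Second, what the text calls zero-knowledge verification is selective disclosure by hashing: a withheld field is hidden only as well as its hash is unguessable, so a low-entropy field (a registered capital figure, a yes/no flag) must be salted, otherwise the verifier can try candidate values until one matches the hash it was given.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
	"sort"
)

type (
	Metadata struct{ ID, Issuer, IssuedAt, Type string } // the page's credential metadata plus the ID
	// Field is one declared claim: a disclosed field carries Value and Salt, a withheld one only Hash.
	Field struct {
		Value string
		Salt  []byte // our addition: without a salt a verifier can brute-force a withheld low-entropy value
		Hash  []byte
	}
	Credential struct {
		Meta      Metadata
		Fields    map[string]Field
		Signature []byte // issuer's Ed25519 signature over credentials_hash
	}
)

// fieldHash hashes salt, field name, a separator and the value; a withheld field already carries its hash.
func fieldHash(name string, f Field) []byte {
	if f.Hash != nil {
		return f.Hash
	}
	s := sha256.Sum256([]byte(string(f.Salt) + name + "\x00" + f.Value))
	return s[:]
}

// credentialsHash is the page's two hashing steps: field hashes in sorted field-name order (so issuer and
// verifier agree) form a binary Merkle tree whose root is claim_hash, then root plus ID and metadata are hashed.
func credentialsHash(c Credential) []byte {
	names := make([]string, 0, len(c.Fields))
	for n := range c.Fields {
		names = append(names, n)
	}
	sort.Strings(names)
	var level [][]byte // a credential has at least one field
	for _, n := range names {
		level = append(level, fieldHash(n, c.Fields[n]))
	}
	for len(level) > 1 {
		if len(level)%2 == 1 {
			level = append(level, level[len(level)-1]) // duplicate the last node on odd levels
		}
		var next [][]byte
		for i := 0; i < len(level); i += 2 {
			s := sha256.Sum256(append(append([]byte{}, level[i]...), level[i+1]...))
			next = append(next, s[:])
		}
		level = next
	}
	meta := c.Meta.ID + "\x00" + c.Meta.Issuer + "\x00" + c.Meta.IssuedAt + "\x00" + c.Meta.Type + "\x00"
	s := sha256.Sum256(append([]byte(meta), level[0]...)) // level[0] is claim_hash
	return s[:]
}

// Issue is the issuer side: salt every field, compute credentials_hash, sign it.
func Issue(m Metadata, values map[string]string, sk ed25519.PrivateKey) Credential {
	c := Credential{Meta: m, Fields: map[string]Field{}}
	for name, v := range values {
		c.Fields[name] = Field{Value: v, Salt: make([]byte, 16)}
		rand.Read(c.Fields[name].Salt)
	}
	c.Signature = ed25519.Sign(sk, credentialsHash(c))
	return c
}

// Present copies the credential, keeping only the named fields in plaintext; the rest travel as hashes.
func Present(c Credential, reveal ...string) Credential {
	p := Credential{Meta: c.Meta, Fields: map[string]Field{}, Signature: c.Signature}
	for n, f := range c.Fields {
		p.Fields[n] = Field{Hash: fieldHash(n, f)}
	}
	for _, n := range reveal {
		p.Fields[n] = c.Fields[n]
	}
	return p
}

// Verify rebuilds credentials_hash from what was shown, resolves the issuer key by DID, checks the signature.
func Verify(p Credential, ledger map[string]ed25519.PublicKey) bool {
	pk, ok := ledger[p.Meta.Issuer]
	return ok && ed25519.Verify(pk, credentialsHash(p), p.Signature)
}

// Demo: a bank issues an account-opening credential, the holder reveals one field, a forged field is caught.
func Demo() (honest, tampered bool) {
	pk, sk, _ := ed25519.GenerateKey(rand.Reader)
	ledger := map[string]ed25519.PublicKey{"did:example:bank": pk} // constructed stand-in for the ledger
	p := Present(Issue(Metadata{"vc-1", "did:example:bank", "2021-03-09", "AccountOpening"},
		map[string]string{"holder": "Enterprise A", "account": "6222000011112222", "balance": "1000000"}, sk), "holder")
	honest = Verify(p, ledger)
	p.Fields["holder"] = Field{Value: "Enterprise B", Salt: p.Fields["holder"].Salt} // forged revealed value
	tampered = Verify(p, ledger)
	return
}

func main() { fmt.Println(Demo()) }
```

Demo returns (true, false): the presentation that reveals only the holder field verifies against the bank's key, and the same presentation with the revealed value edited fails, because the edited field no longer reproduces the leaf that went into the signed claim_hash. The DIDs, credential ID and account values are constructed for the example. The verifier's map lookup by issuer DID is the step the text describes as fetching the public key from the distributed ledger; a presentation naming an unknown issuer DID is rejected before any hashing is done.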
The application further provides a blockchain-based enterprise digital identity management method, comprising the following stages:
a distributed digital identity identifier initialization stage: each organization node registers in the enterprise digital identity management system and obtains a public distributed digital identity identifier for its organization, the organization nodes comprising an industrial and commercial office node, an accounting office node, a technical supervision office node, a tax office node, a bank node, a third-party credit investigation organization node and an enterprise node;
an enterprise digital identity registration stage: the enterprise node sends registration requests to the industrial and commercial office node, the accounting office node, the technical supervision office node, the tax office node, the bank node and the third-party credit investigation organization node in accordance with the relevant regulations; after examination, each of these nodes issues the corresponding verifiable credential to the enterprise node and at the same time stores the hash value of that verifiable credential in the distributed ledger;
an enterprise trade stage: two enterprise nodes that intend to cooperate send each other the credit report credentials issued by the third-party credit investigation organization node; after reaching consensus on the trade and signing a trade contract, each enterprise node signs and endorses the trade contract in the form of a verifiable credential and issues it to the other enterprise node; during the trade, each enterprise node issues the corresponding evidence to the other in the form of verifiable credentials, and the hash values of those credentials are stored in the distributed ledger;
an enterprise trade finance stage: the core enterprise in the supply chain sends the materials required for a loan request to the bank node in the form of verifiable credentials or verifiable statements; after examination, the bank node disburses the funds to the enterprise in the supply chain (enterprise node B in the embodiment below) whose working capital is insufficient to pay for goods, issues the disbursement details to that enterprise node in the form of a verifiable credential, and stores the hash value of that verifiable credential in the distributed ledger;
an enterprise registration change or cancellation stage: the enterprise node sends the materials required for the change or cancellation to the industrial and commercial office node in the form of verifiable credentials or a verifiable statement for verification; after verification, the industrial and commercial office node sends the changed enterprise business license to the enterprise node in the form of a verifiable credential and at the same time stores the hash value of that verifiable credential in the distributed ledger.
Further, the enterprise digital identity registration stage specifically includes the following steps:
the enterprise node sends a registration request to the industrial and commercial office node and submits the related application form;
the industrial and commercial office node examines the application and, if it passes, issues the related certificate to the enterprise node in the form of a verifiable credential, storing the hash value of the verifiable credential in the distributed ledger;
the enterprise node sends a registration request to the accounting office node;
the accounting office node inquires into the enterprise's funds, issues a bank confirmation letter in the form of a verifiable credential, and stores the hash value of the verifiable credential in the distributed ledger;
the enterprise node obtains the industrial and commercial office node's credential templates, comprising a registration application form, a list of shareholders or promoters, the appointment details of directors, supervisors and managers, a legal representative registration form and a designated representative or authorized agent registration form, and after filling them in submits the registration forms together with the company's articles of association and capital verification report to the industrial and commercial office node;
the industrial and commercial office node examines the materials and issues the business license to the enterprise node in the form of a verifiable credential, storing the hash value of the verifiable credential in the distributed ledger;
the enterprise node applies to the technical supervision office node for an organization code certificate on the strength of its business license;
the technical supervision office node issues the organization code certificate to the enterprise node in the form of a verifiable credential and stores the hash value of the verifiable credential in the distributed ledger;
the enterprise node applies to the tax office node for a tax registration certificate on the strength of its business license;
the tax office node issues the tax registration certificate to the enterprise node in the form of a verifiable credential and stores the hash value of the verifiable credential in the distributed ledger;
the enterprise node applies to the bank node to open an account on the strength of its business license, organization code certificate and tax registration certificate;
the bank node registers the account opening for the enterprise node and issues the account opening information to the enterprise in the form of a verifiable credential, storing the hash value of the verifiable credential in the distributed ledger;
the enterprise node registers with the third-party credit investigation organization node and submits its business license credential, organization code certificate credential, tax registration certificate credential, bank account opening credential and legal person information;
the third-party credit investigation organization node generates an initial credit report credential for the enterprise node based on those credentials and stores the hash value of the credit report credential in the distributed ledger.
Further, the enterprise trade stage specifically comprises the following steps:
if enterprise node A and enterprise node B intend to cooperate, enterprise node A sends the credit report credential issued by the third-party credit investigation organization node to enterprise node B;
enterprise node B sends the credit report credential issued by the third-party credit investigation organization node to enterprise node A;
having reached consensus on trade cooperation, enterprise node A and enterprise node B sign a trade contract; the trade contract forms a proof of the matters of the trade cooperation in the form of a verifiable credential; enterprise node A generates the credential, signs and endorses it and issues it to enterprise node B, and stores the hash value of the verifiable credential in the distributed ledger;
enterprise node B likewise generates a credential for the trade contract, signs and endorses it and issues it to enterprise node A, and stores the hash value of the verifiable credential in the distributed ledger;
assuming enterprise node A delivers goods to enterprise node B, after receiving the goods enterprise node B issues a goods delivery proof to enterprise node A in the form of a verifiable credential according to the type and quantity of the goods, and stores the hash value of the goods delivery proof in the distributed ledger;
assuming enterprise node B pays enterprise node A for the goods, after receiving the payment enterprise node A issues a payment proof to enterprise node B in the form of a verifiable credential according to the amount and the goods delivery proof, and stores the hash value of the payment proof in the distributed ledger;
if the terms of a transaction change during the trade, the enterprise nodes record the changed terms in the form of verifiable credentials, which are signed and endorsed and whose hash values are stored in the distributed ledger.
Further, the enterprise trade finance stage specifically comprises the following steps:
assuming enterprise node A is a core enterprise in the supply chain, if enterprise node B's working capital is insufficient to pay for goods, supply chain finance business can be conducted: enterprise node B makes a loan request to enterprise node A;
enterprise node A forwards the loan request to the bank node;
on receiving the loan request, the bank node asks enterprise node A to present the related proof information, including the business license, asset situation, relevant production and operation records and credit report of enterprise node B;
enterprise node A sends the related proof information to the bank node in the form of verifiable credentials or a verifiable statement;
the bank node examines the verifiable credentials or verifiable statement;
if the examination passes, the bank node carries out the disbursement and pays the funds to enterprise node B;
the bank node generates the detailed description of the disbursement in the form of a verifiable credential, issues it to enterprise node B and stores the hash value of the verifiable credential in the distributed ledger.
Further, the enterprise registration change or cancellation stage specifically includes the following steps:
the enterprise node submits an application to change its business license to the industrial and commercial office node;
the industrial and commercial office node asks the enterprise node to provide its existing identity materials;
the enterprise node sends the required materials, including its business license, organization code certificate, tax registration certificate, bank account opening verifiable credential and credit report, to the industrial and commercial office node either as the credentials themselves or as a verifiable statement generated from them;
the industrial and commercial office node examines the credentials or statement and, if they pass, registers the change in accordance with the enterprise's business license change request;
the industrial and commercial office node sends the changed business license to the enterprise node in the form of a verifiable credential and stores the hash value of the verifiable credential in the distributed ledger;
for cancellation, after completing the cancellation procedure required by national regulations, the enterprise node declares its distributed digital identity identifier disabled;
the issuer nodes then issue credential invalidation proofs for the verifiable credentials they previously issued to the enterprise node, so that those credentials can no longer be verified.
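The cancellation steps above say that the enterprise DID is declared disabled and that invalidation proofs are issued, but not what a verifier then checks against the ledger beyond "the hash is stored". The following Go program is an added example written for this page, not code from the patent or from Hunan University; it models the ledger side of that stage with an in-memory registry. The anchor and status records it keeps (issuer DID per anchored hash, a revoked flag, a set of deactivated DIDs) are assumptions about what such a ledger would hold. It enforces two rules a practitioner would want and the text leaves implicit: only the DID that anchored a hash may revoke it, so an enterprise cannot void the licence the business office issued to it, and deactivating a DID also invalidates every credential that DID issued itself, for example the trade contract credentials it signed for counterparties. The DIDs and digests are constructed.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
)

// Status is the ledger's answer to "may this credential hash still be trusted?".
type Status int

const (
	Unknown           Status = iota // never anchored: no participating node issued it
	Valid                           // anchored, not revoked, issuer DID active
	Revoked                         // the anchoring DID published an invalidation proof
	IssuerDeactivated               // the anchoring DID itself has been declared disabled
)

type anchor struct {
	issuer  string // DID of the node that wrote the hash
	revoked bool
}

// Ledger is an in-memory stand-in for the page's distributed ledger: anchored credential
// hashes (hex digest -> anchor) plus the set of deactivated DIDs.
type Ledger struct {
	anchors     map[string]anchor
	deactivated map[string]bool
}

func NewLedger() *Ledger {
	return &Ledger{anchors: map[string]anchor{}, deactivated: map[string]bool{}}
}

func key(credHash []byte) string { return hex.EncodeToString(credHash) }

// Anchor is the page's "store the hash value of the verifiable credential in the distributed ledger".
// A deactivated DID cannot anchor, and a hash is anchored once, so a later party cannot claim it.
func (l *Ledger) Anchor(issuer string, credHash []byte) error {
	if l.deactivated[issuer] {
		return errors.New("issuer DID is deactivated")
	}
	if _, dup := l.anchors[key(credHash)]; dup {
		return errors.New("hash already anchored")
	}
	l.anchors[key(credHash)] = anchor{issuer: issuer}
	return nil
}

// Revoke publishes the credential invalidation proof of the cancellation stage. Only the DID that
// anchored the hash may revoke it: an enterprise cannot void a licence the business office issued.
func (l *Ledger) Revoke(caller string, credHash []byte) error {
	a, ok := l.anchors[key(credHash)]
	if !ok {
		return errors.New("unknown credential hash")
	}
	if a.issuer != caller {
		return errors.New("only the anchoring DID may revoke")
	}
	a.revoked = true
	l.anchors[key(credHash)] = a
	return nil
}

// Deactivate records that a DID has been declared disabled. Its anchors stay on the ledger
// (the history remains traceable) but Check no longer reports them as Valid.
func (l *Ledger) Deactivate(did string) { l.deactivated[did] = true }

// Check is the status lookup a verifier runs after the signature check has passed.
func (l *Ledger) Check(credHash []byte) Status {
	a, ok := l.anchors[key(credHash)]
	switch {
	case !ok:
		return Unknown
	case a.revoked:
		return Revoked
	case l.deactivated[a.issuer]:
		return IssuerDeactivated
	}
	return Valid
}

// Demo walks the cancellation stage for a constructed enterprise DID: its business licence was
// anchored by the business office, a trade contract credential by the enterprise itself.
func Demo() (selfRevokeRejected bool, licence, contract Status) {
	l := NewLedger()
	lic := sha256.Sum256([]byte("business licence VC issued to did:example:entA")) // constructed digests
	con := sha256.Sum256([]byte("trade contract VC signed by did:example:entA"))
	l.Anchor("did:example:office", lic[:])
	l.Anchor("did:example:entA", con[:])
	selfRevokeRejected = l.Revoke("did:example:entA", lic[:]) != nil // enterprise cannot void its own licence
	l.Revoke("did:example:office", lic[:])                          // the office publishes the invalidation
	l.Deactivate("did:example:entA")                                // DID declared disabled
	return selfRevokeRejected, l.Check(lic[:]), l.Check(con[:])
}

func main() {
	fmt.Println(Demo()) // true 2 3
}
```

Demo returns (true, Revoked, IssuerDeactivated): the enterprise's attempt to revoke its own licence is refused, the licence reads Revoked once the office publishes the invalidation, and the contract credential the enterprise had issued reads IssuerDeactivated without anyone revoking it individually. Check is meant to run after the signature verification of the previous example, not instead of it: a hash that is anchored and Valid still says nothing about who presented it or whether the presented fields match the signed claim_hash.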
In another aspect, an embodiment of the present application provides an electronic device comprising a memory, a processor and a computer program stored in the memory and executable on the processor, where the processor implements the blockchain-based enterprise digital identity management method when executing the program.
In another aspect, an embodiment of the present application provides a storage medium that contains a stored program which, when run, controls the apparatus in which the storage medium is located to execute the blockchain-based enterprise digital identity management method.
The application has the following beneficial effects:
The blockchain-based enterprise digital identity management system and method combine digital identity management with enterprise-level business operation by using blockchain, self-sovereign identity, zero-knowledge proof, asymmetric cryptography and related technologies; they simplify the information registration and management process of an enterprise in the registration, transaction, change and cancellation stages, provide the enterprise with an independent and controllable information management and data sharing scheme, and realize private data protection and trusted identity proof. The application designs an enterprise digital identity management system on distributed ledger technology and converts the digital identity, conventionally managed centrally or jointly, into a self-sovereign identity, so that the identity subject truly holds the right to manage its digital identity. Because the digital identity is controlled by the identity subject, the related identity data is also stored by the identity subject, and when a third party asks the subject to prove its identity, the privacy of the subject's data can be protected by zero-knowledge proof. Whereas traditional digital identity management focuses on personal identity, in the application enterprises and other organizations also have digital identities, which are operated by individuals within the organization, and the use of these digital identities provides convenient operation and management for enterprise registration, transaction, loan, cancellation and similar processes.
Traditional offline business operation is limited by time and place; paper certificates are easy to forge and inconvenient to store and manage, and the number of originals is limited. Managing the related identity data with digital identities, with data security and privacy guaranteed by cryptography, reduces identity management cost and at the same time alleviates the data island problem. The application puts the information of all participating nodes on the chain, making the processing by each party's institution transparent. By combining blockchain technology with smart contract technology, the application simplifies data transmission and examination, saves considerable manpower, material resources and time, removes many intermediate links, and makes the business process safer, more reliable and more convenient.
In addition to the objects, features and advantages described above, the present application has other objects, features and advantages. The application will be described in further detail with reference to the accompanying drawings.
Drawings
The accompanying drawings, which are included to provide a further understanding of the application and are incorporated in and constitute a part of this specification, illustrate embodiments of the application and together with the description serve to explain the application. In the drawings:
FIG. 1 is a schematic diagram of a prior art enterprise identity management business process.
FIG. 2 is a schematic diagram of a blockchain-based enterprise digital identity management system in accordance with the preferred embodiment of the present application.
Fig. 3 is a schematic diagram of the verifiable credential structure of a preferred embodiment of the present application.
FIG. 4 is a schematic diagram of a flow of issuing verifiable credentials in accordance with a preferred embodiment of the present application.
Fig. 5 is a schematic diagram of a verifiable statement structure of a preferred embodiment of the application.
Fig. 6 is a schematic flow chart of the present application for verifying verifiable credentials/statements.
Fig. 7 is a network deployment diagram of a preferred embodiment of the present application.
FIG. 8 is a flow chart of a method for managing enterprise digital identities in accordance with a preferred embodiment of the present application.
FIG. 9 is a business timing diagram of an enterprise digital identity management method in accordance with another preferred embodiment of the present application.
Fig. 10 is a schematic diagram showing the composition of an electronic device according to a preferred embodiment of the present application.
Detailed Description
It should be noted that, without conflict, the embodiments of the present application and features of the embodiments may be combined with each other. The application will be described in detail below with reference to the drawings in connection with embodiments.
For ease of understanding, technical terms and multiparty nodes involved in a blockchain network in a blockchain-based insurance claim method will be explained first.
The technical scheme adopted by the embodiment of the application relates to seven roles of an enterprise organization, an industrial and commercial office, an accounting office, a technical supervision office, a tax office, a bank and a third party credit investigation organization on a business side, and the seven roles correspond to a blockchain network and comprise an enterprise node, an industrial and commercial office node, an accounting office node, a technical supervision office node, a tax office node, a bank node, a third party credit investigation node, an Oracle (predictors) and a consensus node, wherein:
oracle (prophetic): the platform for providing external information can allow the blockchain to be connected to any existing API, and can import, store and export information about network nodes on the blockchain, so that dynamic acquisition of the information is realized;
Enterprise node: an organization that performs commerce trade and has a need for organizing digital identity management;
business office node: a government agency that reviews and issues operating permissions for the corporation;
accounting office node: issuing a bank inquiry letter to carry out related accounting and supervision business;
technical regulatory agency node: issuing an organization code certificate for an enterprise;
tax bureau node: issuing relevant tax vouchers to carry out tax accounting and supervision;
and (3) a banking node: performing fund paying and supervision;
third-party credit node: providing credit investigation service for enterprises and generating enterprise credit investigation reports;
consensus node: the method consists of an organization responsible for consensus algorithm, and maintains a digital identity network, including packaging, submitting and reading of transactions.
Blockchain technology: essentially a shared database in which data blocks are linked in chronological order, providing a reliable way of tracing data. The ledger is maintained collectively in a decentralized or multi-centric manner, which meets the tamper-evidence and anti-counterfeiting requirements; data written to the chain is protected by cryptographic techniques, so that disclosure is transparent while privacy remains controllable. Blockchain technology is therefore a fusion of several disciplines, including mathematics, cryptography, the Internet and computer programming.
Digital identity: arose after the popularization of the Internet; it maps a real-world identity onto the network world and provides the user with an identity for business operations there. Identity authentication can be realized through traditional account/password schemes or biometric features, and with a decentralized digital identity the user further gains autonomous control over the identity.
Enterprise digital identity: a digital identity for enterprises, communities, government organizations and the like that provides the organization's attribute information in business, trade, public administration and other scenarios. It gives the organization an identity in the network world, and it is operated and managed by authorized individuals within the organization.
Zero-knowledge proof: also called a minimum-disclosure proof; a cryptographic method by which a prover convinces a verifier that a fact holds without having to hand over the underlying information. The prover and the verifier (two or more parties) jointly follow an information-exchange protocol, sending and checking messages in an interactive or non-interactive way, so that information leakage is minimized and privacy is protected.
Decentralized key management (DKMS): one of the components of a self-sovereign identity system; it provides a solution for the generation, signing, custody and recovery of decentralized, distributed private keys, improving the security and privacy of digital assets.
Private data set: to ensure that a specific data set can only be read by specific members while the other members can still verify the authenticity of the data, a private data set is formed from the original data and a hash of that data (computed with a random salt so that the content cannot be guessed from the hash). Nodes authorized to access the set store the original data in their own private database; unauthorized nodes, such as the ordering node and the endorsing nodes, cannot read the original data, and only the hash is written to the public ledger after endorsement and ordering, for later verification.
Hash algorithm: maps a binary plaintext string of arbitrary length to a shorter binary string of fixed length (the hash value), with a very small probability that different plaintexts map to the same hash value. A good hash algorithm is fast to compute in the forward direction, hard to invert, sensitive to its input and collision resistant; for this reason a hash value is also called a fingerprint or digest.
As shown in fig. 1, the main flow of conventional enterprise identity management comprises the following steps:
X1. obtain an enterprise name pre-approval application form from the industrial and commercial office, fill it in, have it reviewed by the industrial and commercial office, and receive the enterprise name pre-approval notice issued by the industrial and commercial office;
X2. obtain a bank inquiry letter from the accounting firm, stamped by the firm;
X3. obtain from the industrial and commercial office the establishment registration application form, the list of shareholders (sponsors), the particulars of directors, supervisors and managers, the legal representative registration form and the designated representative or entrusted agent registration form; after filling them in, hand them to the industrial and commercial office together with the name pre-approval notice, the articles of association, the capital verification report and other files, for review and issuance of the business licence;
X4. apply to the technical supervision bureau for the organization code certificate with the business licence;
X5. apply to the tax bureau for the tax registration certificate with the business licence;
X6. open a bank account with the business licence, the organization code certificate and the tax registration certificate.
As shown in FIG. 2, the preferred embodiment of the present application provides a blockchain-based enterprise digital identity management system, comprising:
the dynamic digital identity life-cycle management subsystem, which handles registration, data update, data query and identity deregistration; the distributed ledger stores the modification history of the identity information, the identity is updated to its latest state, and the identity record remains traceable;
the digital identity authorization management subsystem, which, when a third party requests access to the enterprise digital identity, authorizes the scope and duration of that access. Because the enterprise, as the subject of an organizational digital identity, does not have the autonomous control capability of an individual subject, the organizational digital identity is managed by members within the enterprise: the personal digital identities of enterprise members are associated with the organizational digital identity, and the organizational digital identity authorizes individuals to manage it within different permission scopes. The user can query the authorized scope of the digital identity and so learn how the identity is used in different application scenarios;
the identity data storage subsystem, which stores the user wallet, the plaintext distributed ledger and the ciphertext distributed ledger. Digital identity information is stored in the user wallet, and the user chooses whether each item of data is put on chain; the user wallet is stored locally, which prevents the data from being obtained and further shared by a third party;
the verifiable credential management subsystem, which handles the issuance, storage and use of verifiable credentials; it specifies a verifiable credential issuance and verification process based on zero-knowledge proof, so that identity proofs with privacy protection are realized.
The blockchain-based enterprise digital identity management system combines digital identity management with enterprise-level business operation by means of blockchain technology, self-sovereign identity technology, zero-knowledge proof technology, asymmetric cryptography and the like. It simplifies the information registration and management process of an enterprise in the registration, transaction, change and deregistration stages, provides the enterprise with an independent and controllable information management and data sharing scheme, and realizes private data protection and trusted identity proof. The embodiment designs an enterprise digital identity management system based on distributed ledger technology and converts the digital identity, which is conventionally managed centrally or jointly, into a self-sovereign identity, so that the identity subject genuinely holds the management right over its digital identity. Because the digital identity is controlled by the identity subject, the related identity data is also stored by the identity subject, and when a third party asks the subject to prove its identity, the privacy of the subject's data can be protected by a zero-knowledge proof. Whereas traditional digital identity management focuses on personal identities, in this embodiment enterprises and other organizations also have digital identities; these identities are operated by individuals within the organization, and they provide convenient management for the processes of enterprise registration, transaction, lending, deregistration and the like.
Traditional offline business operation is limited by time and space: paper certificates are easy to forge and inconvenient to store and manage, and the number of original documents is limited. Managing the related identity data with digital identities, with data security and privacy guaranteed by cryptographic techniques, reduces the cost of identity management and at the same time alleviates the problem of data islands. The embodiment puts the information of all participating nodes on chain, so that the processing carried out by each organization is transparent and easy to supervise. Through the combination of blockchain and smart contract technology, the data transmission and auditing process is simplified, a great deal of manpower, material resources and time are saved, and many intermediate links are removed, so that the business process becomes safer, more reliable and more convenient.
Specifically, verifiable credentials (VC) are an important part of distributed digital identity management: they provide the digital identity with an identity verification scheme in which both the data source and the data content can be verified. A verifiable credential is generated for an application scenario, and its content, as shown in fig. 3, comprises credential metadata, a claim data set and proof information. The credential metadata comprises the issuer of the credential, the issuance time and the credential type; the claim data set is the digital identity information of the user involved in the specific scenario; the proof information is the endorsement signature over the credential metadata and the claim data set, and comprises the signature type, the signature value, the creation time, the creator and similar information.
In particular, the verifiable credential management process involves four primary participants: an issuer, a holder, a verifier and the distributed ledger. The issuer may be an organization or a person, but because different issuers enjoy different degrees of trust, the verifier, when checking a credential, chooses to trust only verifiable credentials issued by issuers it has approved, while a zero-knowledge proof is applied to the claim data of the verifiable credential. As shown in fig. 4, the process of issuing a verifiable credential comprises the following steps:
the issuer generates the user's claim fields and hashes each field separately (a random salt is added to each field so that its content cannot be guessed from the hash);
the hashed fields are combined into a claim_hash in the form of a Merkle tree, which is hashed again together with the credential ID and the other credential metadata to form the Credentials_hash;
the Credentials_hash is then signed with the issuer's private key, and the resulting signature value is added to the verifiable credential, completing the issuance of the verifiable credential.
Specifically, after obtaining the verifiable credential, the user can use it to prove identity information about itself to a verifier. Because the signing process covers all the claim data contained in the credential, a single claim cannot be signed and verified on its own, so the complete credential has to be provided when the credential is presented. At the same time, one verifiable credential holds the digital identity of the subject in one specific field, so when the data required by a verification scenario spans several verifiable credentials, the holder generates a verifiable statement (VP) from those verifiable credentials and thereby provides an identity proof that contains the contents of several credentials. As shown in fig. 5, the verifiable statement contains statement metadata such as the credential type, id and terms of use; the verifiable credential data, comprising the credential id and the claim data set; and the proof information, which signs and endorses the statement metadata and the verifiable credential data and comprises the signature type, the signature value, the creation time, the creator and similar information.
Specifically, as shown in fig. 6, the verifiable credential or verifiable statement is verified in a zero-knowledge manner: the verifier establishes the authenticity of the credential or statement without obtaining the plaintext of the claims it is not entitled to see. The method comprises the following steps:
the holder provides the verifiable credential/statement, in which the claims the verifier is allowed to view are presented in plaintext (together with their salts), and the remaining claims appear only in hashed form;
the verifier re-hashes the plaintext claims exactly as in the credential generation process, combines all the resulting hash values in the credential into the claim_hash in the form of a Merkle tree, and hashes it again together with the credential ID and the other credential metadata to form the first hash value, Credentials_hash;
meanwhile, the verifier extracts the signature value of the verifiable credential, obtains the issuer's public key from the distributed ledger through the issuer's distributed digital identity identifier (DID), and verifies the signature value with that public key, which for an RSA-style scheme amounts to decrypting the signature and recovering the signed second hash value, Credentials_hash, of the verifiable credential;
if the first Credentials_hash and the second Credentials_hash are consistent, the credential/statement provided by the holder and the claims it contains can be regarded as authentic.
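The issuance steps of fig. 4 and the selective-disclosure verification of fig. 6 together, as an added worked example that is not part of the patent's own implementation. It uses SHA-256 for the per-claim salted hashes, the Merkle claim_hash and the Credentials_hash, signs the Credentials_hash with Ed25519 from the `cryptography` package when that package is installed (otherwise it falls back to a keyed-hash stand-in, which is symmetric and therefore not the asymmetric signature the patent describes, purely so the hashing logic can still be run offline), and replaces the distributed ledger's DID-to-public-key lookup with a plain dictionary. The DIDs, credential fields and values are constructed for the example.

```python
import hashlib
import hmac
import json
import os

# Signature layer: Ed25519 when `cryptography` is present, otherwise an HMAC
# stand-in (NOT asymmetric: verifier would hold the key) so the example runs.
try:
    from cryptography.exceptions import InvalidSignature
    from cryptography.hazmat.primitives.asymmetric.ed25519 import Ed25519PrivateKey

    def keygen():
        sk = Ed25519PrivateKey.generate()
        return sk, sk.public_key()

    def sign(sk, digest):
        return sk.sign(digest)

    def verify(pk, digest, sig):
        try:
            pk.verify(sig, digest)
            return True
        except InvalidSignature:
            return False
except ImportError:
    def keygen():
        k = os.urandom(32)
        return k, k  # stand-in only: "public" key equals the secret key

    def sign(sk, digest):
        return hmac.new(sk, digest, hashlib.sha256).digest()

    def verify(pk, digest, sig):
        return hmac.compare_digest(sign(pk, digest), sig)


def h(data):
    return hashlib.sha256(data).digest()


def claim_leaf(name, value, salt):
    # Per-claim random salt: without it, anyone holding the hashed credential can
    # brute-force low-entropy fields such as a registration number or a capital amount.
    return h(name.encode() + b"\x00" + value.encode() + b"\x00" + salt)


def merkle_root(leaves):
    # claim_hash: Merkle root over the salted claim hashes, in canonical (sorted) order;
    # the last node is duplicated on odd-sized levels.
    level = list(leaves)
    while len(level) > 1:
        if len(level) % 2:
            level.append(level[-1])
        level = [h(level[i] + level[i + 1]) for i in range(0, len(level), 2)]
    return level[0]


def credentials_hash(metadata, claim_hash):
    # Credentials_hash: claim_hash hashed together with the credential ID and other metadata.
    return h(json.dumps(metadata, sort_keys=True).encode() + claim_hash)


def issue(issuer_sk, metadata, claims):
    salts = {n: os.urandom(16) for n in claims}
    leaves = [claim_leaf(n, claims[n], salts[n]) for n in sorted(claims)]
    sig = sign(issuer_sk, credentials_hash(metadata, merkle_root(leaves)))
    return {"metadata": metadata,
            "claims": {n: {"value": claims[n], "salt": salts[n].hex()} for n in claims},
            "proof": {"type": "Ed25519-or-HMAC-stand-in", "signature": sig.hex()}}


def present(vc, reveal):
    # Holder: revealed claims travel as value+salt, hidden claims as their leaf hash only.
    out = {}
    for n, c in vc["claims"].items():
        if n in reveal:
            out[n] = {"value": c["value"], "salt": c["salt"]}
        else:
            out[n] = {"hash": claim_leaf(n, c["value"], bytes.fromhex(c["salt"])).hex()}
    return {"metadata": vc["metadata"], "claims": out, "proof": vc["proof"]}


def verify_presentation(vp, ledger):
    # Verifier: recompute the first Credentials_hash, resolve the issuer key by DID
    # (hypothetical dict standing in for the ledger) and check the signature.
    try:
        leaves = []
        for n in sorted(vp["claims"]):
            c = vp["claims"][n]
            if "value" in c:
                leaves.append(claim_leaf(n, c["value"], bytes.fromhex(c["salt"])))
            else:
                leaves.append(bytes.fromhex(c["hash"]))
        digest = credentials_hash(vp["metadata"], merkle_root(leaves))
        return verify(ledger[vp["metadata"]["issuer"]], digest,
                      bytes.fromhex(vp["proof"]["signature"]))
    except (KeyError, ValueError):
        return False


def demo():
    """Issue a constructed business-licence credential, disclose two fields, then tamper."""
    sk, pk = keygen()
    ledger = {"did:example:business-office": pk}  # hypothetical DID -> public key registry
    metadata = {"id": "urn:vc:example:1", "issuer": "did:example:business-office",
                "type": "BusinessLicense", "issued": "2021-03-01"}
    claims = {"enterprise_name": "Example Trading Co.", "registration_no": "91430100000000001X",
              "registered_capital": "1000000", "legal_representative": "Zhang San"}
    vp = present(issue(sk, metadata, claims), {"enterprise_name", "registration_no"})
    altered = json.loads(json.dumps(vp))  # forge a revealed field with a made-up salt
    altered["claims"]["registered_capital"] = {"value": "100000000", "salt": "00" * 16}
    dropped = json.loads(json.dumps(vp))  # remove a hidden claim from the presentation
    del dropped["claims"]["legal_representative"]
    return (verify_presentation(vp, ledger), verify_presentation(altered, ledger),
            verify_presentation(dropped, ledger))


if __name__ == "__main__":
    print(demo())  # (True, False, False)
```

Two points worth noting when reading the block against the patent text. First, the hidden claims are protected only by the salted hash, so the salt of a hidden claim must never be sent and must have enough entropy to defeat guessing; the patent's "random salt can be added" should be read as mandatory. Second, this is hash-based selective disclosure: the verifier learns nothing about the hidden claims' plaintext, which is the property the patent calls zero knowledge, but it is not a zero-knowledge proof system in the cryptographic sense, and the verifier still sees the full credential structure (claim names, number of claims, issuer DID).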
The verification process of this embodiment has the following advantages:
first, during verification only the proof provider and the proof verifier interact; the verifier does not need to contact the issuer to confirm the authenticity of the credential/statement, which relieves the issuer, whose only task is to issue the credential, of having to supply a proof for every verification. Second, the privacy of the information in the credential that is not required for verification is preserved: the claims not being disclosed are hashed before the verifiable statement is generated, and because the hash function is fast to compute, collision resistant and one-way, the verification remains trustworthy (provided each hashed claim carries a random salt, since low-entropy claims without a salt could otherwise be recovered by guessing).
Fig. 7 is a network deployment schematic diagram of the above embodiment.
As shown in FIG. 8, another aspect of the present application provides a blockchain-based enterprise digital identity management method, based on the enterprise digital identity management system of the above embodiment and the network deployment shown in FIG. 7, comprising the following steps:
S1, initializing the distributed digital identity identifiers: each organization node registers in the enterprise digital identity management system and obtains a public distributed digital identity identifier (DID); the organization nodes comprise the industrial and commercial office node, the accounting office node, the technical supervision office node, the tax office node, the bank node, the third-party credit investigation organization node and the enterprise node;
S2, enterprise digital identity registration: the enterprise node sends registration requests, in accordance with the relevant regulations, to the industrial and commercial office node, the accounting office node, the technical supervision office node, the tax office node, the bank node and the third-party credit investigation organization node; after review, each of these nodes issues the corresponding verifiable credential to the enterprise node and at the same time stores the hash value of that verifiable credential in the distributed ledger;
S3, the enterprise's trade activity stage: the two enterprise nodes intending to cooperate send each other the credit report credentials issued by the third-party credit investigation node; after reaching a trade consensus and signing the trade contract, each enterprise node signs the trade contract in the form of a verifiable credential and issues the signed and endorsed contract to the other enterprise node. During the trade, each enterprise node issues the corresponding certificates to the other in the form of verifiable credentials, and the hash values of those certificates are stored in the distributed ledger;
S4, the enterprise's trade finance stage: the core enterprise in the supply chain sends the materials required for a loan request to the bank node in the form of verifiable credentials or verifiable statements; after review the bank node carries out the disbursement, paying the enterprise in the supply chain whose working capital is insufficient to settle the goods, and at the same time issues the details of the disbursed funds to that enterprise node in the form of a verifiable credential and stores the hash value of the verifiable credential in the distributed ledger;
S5, enterprise registration change or deregistration stage: the enterprise node sends the materials required for the change or deregistration to the industrial and commercial office node in the form of verifiable credentials or a verifiable statement for verification; after verification the industrial and commercial office node sends the changed business licence to the enterprise node in the form of a verifiable credential and at the same time stores the hash value of the verifiable credential in the distributed ledger.
The embodiment combines digital identity management with enterprise-level business operation by means of blockchain technology, self-sovereign identity technology, zero-knowledge proof technology, asymmetric cryptography and the like; it simplifies the information registration and management process of an enterprise in the registration, transaction, change and deregistration stages, provides the enterprise with an independent and controllable information management and data sharing scheme, and realizes private data protection and trusted identity proof.
In particular, as shown in fig. 9, in the preferred embodiment of the present invention the government agencies are the basic organizations issuing certificates to users, so they are registered in the digital identity network first. The distributed digital identity identifier initialization stage therefore comprises the following steps:
S1.A, the industrial and commercial bureau, the accounting firm, the technical supervision bureau, the tax bureau, the bank and the third-party credit investigation organization register in the digital identity network and obtain their public distributed digital identity identifiers (DIDs);
S1.B, the enterprise registers in the digital identity network and generates its distributed digital identity identifier (DID), to which the government departments subsequently issue certificates.
Specifically, the enterprise digital identity registration stage comprises the following steps:
S2.A, the enterprise node sends a registration request to the industrial and commercial office node and submits the related application form;
S2.B, the industrial and commercial office node reviews the application and, if it passes, issues the related certificate to the enterprise node in the form of a verifiable credential, storing the hash value of the verifiable credential in the distributed ledger at the same time;
S2.C, the enterprise node makes a registration request to the accounting office node;
S2.D, the accounting firm node inquires into the enterprise's funds, issues the bank inquiry letter in the form of a verifiable credential, and stores the hash value of the verifiable credential in the distributed ledger;
S2.E, the enterprise node obtains the credential template of the industrial and commercial office node, which comprises the registration application form, the list of shareholders or sponsors, the particulars of directors, supervisors and managers, the legal representative registration form and the designated representative or entrusted agent registration form; after filling it in, the enterprise node submits the template together with the articles of association and the capital verification report to the industrial and commercial office node;
S2.F, the industrial and commercial office node reviews the data and issues the business licence to the enterprise node in the form of a verifiable credential, storing the hash value of the verifiable credential in the distributed ledger at the same time;
S2.G, the enterprise node applies to the technical supervision bureau node for the organization code certificate on the basis of the business licence;
S2.H, the technical supervision bureau node issues the organization code certificate to the enterprise node in the form of a verifiable credential, storing the hash value of the verifiable credential in the distributed ledger at the same time;
S2.I, the enterprise node applies to the tax bureau node for the tax registration certificate on the basis of the business licence;
S2.J, the tax bureau node issues the tax registration certificate to the enterprise node in the form of a verifiable credential, storing the hash value of the verifiable credential in the distributed ledger at the same time;
S2.K, the enterprise node applies to the bank node to open an account on the basis of the business licence, the organization code certificate and the tax registration certificate;
S2.L, the bank node handles the account opening registration for the enterprise node and issues the account opening information to the enterprise in the form of a verifiable credential, storing the hash value of the verifiable credential in the distributed ledger at the same time;
S2.M, the enterprise node registers with the third-party credit investigation organization node and submits the business licence credential, the organization code certificate credential, the tax registration certificate credential, the bank account opening credential and the legal person information;
S2.N, the third-party credit investigation organization node generates the initial credit report credential for the enterprise node from those credentials and at the same time stores the hash value of the credit report credential in the distributed ledger.
Specifically, the enterprise's trade activity stage comprises the following steps:
S3.A, if the enterprise A node and the enterprise B node intend to cooperate, the enterprise A node sends the credit report credential issued by the third-party credit investigation organization node to the enterprise B node;
S3.B, the enterprise B node sends the credit report credential issued by the third-party credit investigation organization node to the enterprise A node;
S3.C, having reached a consensus on trade cooperation, the enterprise A node and the enterprise B node sign the trade contract; the trade contract is recorded as a proof of the matters of the trade cooperation in the form of a verifiable credential, which the enterprise A node generates, signs and endorses, and then issues to the enterprise B node, storing the hash value of the verifiable credential in the distributed ledger at the same time;
S3.D, the enterprise B node likewise generates a credential for the trade contract, signs and endorses it, and issues it to the enterprise A node, storing the hash value of the verifiable credential in the distributed ledger at the same time;
S3.E, assuming the enterprise A node delivers goods to the enterprise B node, after receiving the goods the enterprise B node issues a goods delivery credential to the enterprise A node in the form of a verifiable credential, according to the type and quantity of the goods, and stores the hash value of the goods delivery credential in the distributed ledger at the same time;
S3.F, assuming the enterprise B node pays the enterprise A node for the goods, after receiving the payment the enterprise A node issues a fund payment credential to the enterprise B node in the form of a verifiable credential, according to the amount and the goods delivery credential, and stores the hash value of the fund payment credential in the distributed ledger;
S3.G, if a change to the transaction arises during the trade activity, the enterprise nodes record the changed terms in the form of a verifiable credential, sign and endorse that verifiable credential, and store its hash value in the distributed ledger.
Specifically, the enterprise's trade finance stage comprises the following steps:
S4.A, assuming the enterprise A node is the core enterprise of a supply chain: if the working capital of the enterprise B node is insufficient to pay for the goods, supply chain finance business can be carried out, and the enterprise B node makes a loan request to the enterprise A node;
S4.B, the enterprise A node forwards the loan request to the bank node;
S4.C, on receiving the loan request, the bank node asks the enterprise A node to present the related proof information, comprising the business licence, the asset situation, the related production and operation records and the credit report of the enterprise B node;
S4.D, the enterprise A node sends the related proof information to the bank node in the form of verifiable credentials or a verifiable statement;
S4.E, the bank node reviews the verifiable credentials or verifiable statement;
S4.F, if the review passes, the bank node disburses the funds and pays the enterprise B node;
S4.G, the bank node generates the detailed description of the disbursed funds in the form of a verifiable credential, issues it to the enterprise B node, and stores the hash value of the verifiable credential in the distributed ledger.
Specifically, the enterprise registration change or deregistration stage comprises the following steps:
S5.A, the enterprise node submits a business licence change application to the industrial and commercial office node;
S5.B, the industrial and commercial office node asks the enterprise node to provide its existing identification materials;
S5.C, the enterprise node sends the required materials, including the business licence, organization code certificate, tax registration certificate, bank account opening and credit report verifiable credentials, to the industrial and commercial office node, either as the credentials themselves or as a verifiable statement generated from them;
S5.D, the industrial and commercial office node examines the credentials or statement and, if the examination passes, registers the change according to the enterprise's business licence change request;
S5.E, the industrial and commercial office node sends the changed business licence to the enterprise node in the form of a verifiable credential and stores the hash value of the verifiable credential in the distributed ledger;
S5.F, for deregistration, after completing the deregistration procedure prescribed by national regulations, the enterprise node declares its distributed digital identity identifier disabled;
S5.G, each related organization node that issued verifiable credentials to the enterprise node issues a credential invalidation proof for those credentials.
According to the blockchain-based enterprise digital identity management method, the digital identity that is conventionally managed centrally or jointly is converted into a self-sovereign identity, so that the identity subject genuinely holds the management right over its digital identity. Because the digital identity is controlled by the identity subject, the related identity data is also stored by the identity subject, and when a third party asks the subject to prove its identity, the privacy of the subject's data can be protected by a zero-knowledge proof. Traditional digital identity management focuses on personal identities; in this embodiment enterprises and other organizations also have digital identities, which are operated by individuals within the organization and provide convenient management for the processes of enterprise registration, transaction, lending, deregistration and the like. The embodiment manages the related identity data with digital identities, guarantees data security and privacy through cryptographic techniques, reduces the cost of identity management, alleviates the problem of data islands, and makes business operation independent of time and place, hard to forge and convenient to store and manage.
Another preferred embodiment of the present application, as illustrated in fig. 10, provides an electronic device comprising a memory, a processor, and a computer program stored on the memory and executable on the processor, which when executed by the processor implements the blockchain-based enterprise digital identity management method.
Another preferred embodiment of the present application provides a storage medium, where the storage medium includes a stored program, and when the program runs, controls a device in which the storage medium is located to perform the blockchain-based enterprise digital identity management method.
Compared with the prior art, the application has the following advantages:
1. For the enterprise digital identity management scenario, a convenient digital management scheme is provided, realizing efficient data management in enterprise registration, production and operation, information change, enterprise deregistration and similar links.
2. Cryptographic techniques are used to protect the enterprise's trade information, and the enterprise identity is presented to the related parties by means of verifiable credentials, so that the authenticity of the data can be verified while privacy is protected.
3. Distributed digital identities together with blockchain distributed ledger technology break down information islands and realize data sharing.
4. An independent and controllable scheme is provided for the identity management of enterprises and other organizations, reducing the use of paper certificates and the time spent transacting business offline at each department.
5. A convenient means of supervision is provided for government regulatory authorities.
It should be noted that the steps illustrated in the flowcharts of the figures may be performed in a computer system such as a set of computer executable instructions, and that although a logical order is illustrated in the flowcharts, in some cases the steps illustrated or described may be performed in an order other than that illustrated herein.
The functions described in the methods of this embodiment, if implemented in the form of software functional units and sold or used as a stand-alone product, may be stored in one or more computing-device-readable storage media. Based on such understanding, the part of the present application that contributes to the prior art, or a part of the technical solution, may be embodied in the form of a software product stored in a storage medium, comprising several instructions for causing a computing device (which may be a personal computer, a server, a mobile computing device or a network device, etc.) to execute all or part of the steps of the method described in the embodiments of the present application. The aforementioned storage medium includes: a USB disk, a removable hard disk, a Read-Only Memory (ROM), a Random Access Memory (RAM), a magnetic disk or an optical disk, or other media capable of storing program code.
The above description is only of the preferred embodiments of the present application and is not intended to limit the present application, but various modifications and variations can be made to the present application by those skilled in the art. Any modification, equivalent replacement, improvement, etc. made within the spirit and principle of the present application should be included in the protection scope of the present application.

Claims (8)

1. A blockchain-based enterprise digital identity management system, comprising:
a dynamic digital identity life cycle management subsystem for the registration, data update, data query and identity deregistration links, wherein the distributed ledger stores the modification history of the identity information, the identity is updated to its latest modified state, and the identity record is traceable;
a digital identity authorization management subsystem for authorizing the access scope and duration of a third party when the third party requests access to the enterprise digital identity; an organization digital identity must be managed by a member of the enterprise, so an association is formed between the personal digital identity of that member and the organization digital identity, and the organization digital identity authorizes persons to manage it under different scopes of authority; a user can query the authorized scope of a digital identity and thereby learn how the queried digital identity is used in different application scenarios;
an identity data storage subsystem for storing user wallets, a plaintext distributed ledger and a ciphertext distributed ledger, wherein digital identity information is stored in the user wallet, the user chooses whether the data is written on chain, and the user wallet is stored locally so that the data cannot be obtained and further shared by a third party;
a verifiable credential management subsystem for issuing, storing and using verifiable credentials, which specifies a verifiable credential issuing and verification process based on zero-knowledge proof so as to provide privacy-preserving identity proof;
the process of issuing a verifiable credential includes the following steps:
the issuer generates the user declaration fields and hashes each field;
the hashed data forms a claim_hash in the form of a Merkle tree, which is hashed again together with the credential ID and other credential metadata to form a Credentials_Hash;
a signature value is then obtained by signing with the private key of the credential issuer, and the signature value is added to the verifiable credential, completing the issuing process of the verifiable credential;
the verification process of the verifiable credential and the verifiable statement uses zero-knowledge verification, so that the authenticity of the credential and of the statement is verified without obtaining the plaintext of the statement data, and includes the following steps:
the holder provides the verifiable credential/statement in which the statements the verifier is allowed to view are presented in plaintext and the remaining statements appear in hashed form;
the verifier hashes the plaintext data again according to the credential generation process, forms a claim_hash from all hash values in the credential in Merkle tree form, hashes it again together with the credential ID and other credential metadata, and obtains a first hash value Credentials_Hash;
at the same time, the verifier extracts the signature value of the verifiable credential, obtains the issuer's public key from the distributed ledger through the distributed digital identity identifier of the credential issuer, decrypts the signature value with the public key, and obtains a second hash value Credentials_Hash of the verifiable credential;
if the first hash value Credentials_Hash and the second hash value Credentials_Hash are consistent, the credential/statement provided by the holder and the claims it contains are considered authentic.
2. The blockchain-based enterprise digital identity management system of claim 1, wherein
the verifiable credential provides the digital identity with an identity verification scheme capable of verifying both the data source and the data content, and the verifiable credential is generated according to the application scenario and contains credential metadata, a statement data set and proof information; the credential metadata comprises the issuer of the credential, the issuance time and the credential type; the statement data set is the digital identity information of the user involved in a specific scenario; the proof information is an endorsement signature over the credential metadata and the statement data set, and comprises a signature type, a signature value, a creation time and creator information.
3. The blockchain-based enterprise digital identity management system of claim 1, wherein
when the data required for a verification scenario spans the contents of several verifiable credentials, the holder generates a verifiable statement from those verifiable credentials, thereby providing an identity proof containing the contents of several credentials; the verifiable statement contains statement metadata such as the credential type, id and terms of use; the verifiable credential data comprises the credential id and the claim data set; the proof information is a signature endorsement over the statement metadata and the verifiable credential data, and comprises a signature type, a signature value, a creation time and creator information.
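As an added worked example (not code from the patent), the issuing and verification process of claims 1 to 3 in Python: per-field hashes, a Merkle-tree claim_hash, a Credentials_Hash over the credential ID and metadata, and a verifier that rebuilds the hash from a selectively disclosed presentation and compares it with the value recovered from the signature through the issuer's public key. Assumptions: sorted field names fix the Merkle leaf order, canonical JSON fixes the bytes hashed, a fixed textbook-RSA toy key built from two Mersenne primes stands in for the issuer's signing key, a dict stands in for the DID-to-public-key lookup on the ledger, and the tax registration credential is constructed sample data modelled on the tax bureau step of claims 4 and 5.

```python
import hashlib
import json

def H(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()

def hash_json(obj) -> bytes:
    # Deterministic JSON encoding so issuer and verifier hash identical bytes.
    return H(json.dumps(obj, sort_keys=True, separators=(",", ":")).encode())

def hash_claim(field: str, value) -> bytes:
    # One leaf per declaration field; the field name is bound into its hash.
    return hash_json([field, value])

def merkle_root(leaves: list) -> bytes:
    # claim_hash: Merkle root over the leaf hashes (odd levels duplicate the last node).
    level = list(leaves) or [H(b"")]
    while len(level) > 1:
        if len(level) % 2:
            level.append(level[-1])
        level = [H(level[i] + level[i + 1]) for i in range(0, len(level), 2)]
    return level[0]

def credentials_hash(cred_id: str, metadata: dict, claim_hash: bytes) -> bytes:
    # Second hash: credential ID and credential metadata together with claim_hash.
    return hash_json([cred_id, metadata, claim_hash.hex()])

# Toy textbook RSA built from two known Mersenne primes: a fixed, deterministic
# stand-in for the issuer's real signing key, so the example needs no key generation.
_P, _Q, _E = (1 << 127) - 1, (1 << 521) - 1, 65537
ISSUER_PUBLIC_KEY = (_P * _Q, _E)
ISSUER_PRIVATE_KEY = (_P * _Q, pow(_E, -1, (_P - 1) * (_Q - 1)))

def issue_credential(issuer_did, private_key, cred_id, metadata, claims) -> dict:
    # Issuer: hash each field, form claim_hash, then Credentials_Hash, then sign it.
    claim_hash = merkle_root([hash_claim(k, v) for k, v in sorted(claims.items())])
    digest = int.from_bytes(credentials_hash(cred_id, metadata, claim_hash), "big")
    n, d = private_key
    return {"id": cred_id, "metadata": metadata, "claims": claims,
            "proof": {"type": "ToyRSA-SHA256", "creator": issuer_did,
                      "signature": pow(digest, d, n)}}

def present(credential: dict, disclose: set) -> dict:
    # Holder: reveal only the allowed fields; the rest travel as their leaf hashes.
    shown = {k: {"value": v} if k in disclose else {"hash": hash_claim(k, v).hex()}
             for k, v in credential["claims"].items()}
    return {"id": credential["id"], "metadata": credential["metadata"],
            "claims": shown, "proof": credential["proof"]}

def verify_presentation(pres: dict, resolve_did) -> bool:
    # Verifier: rebuild claim_hash from plaintext fields plus supplied hashes, recompute
    # Credentials_Hash, and compare it with the value recovered from the signature using
    # the issuer public key resolved from its DID on the (simulated) ledger.
    leaves = [hash_claim(k, ent["value"]) if "value" in ent else bytes.fromhex(ent["hash"])
              for k, ent in sorted(pres["claims"].items())]
    first = credentials_hash(pres["id"], pres["metadata"], merkle_root(leaves))
    n, e = resolve_did(pres["proof"]["creator"])
    return int.from_bytes(first, "big") == pow(pres["proof"]["signature"], e, n)

def run_demo():
    # Constructed sample: a tax bureau node issues a tax registration credential (claim 4);
    # the holder later shows only the enterprise name and taxpayer id to a verifier.
    ledger = {"did:example:tax-bureau": ISSUER_PUBLIC_KEY}  # DID -> public key on chain
    metadata = {"issuer": "did:example:tax-bureau", "issued": "2021-03-10",
                "type": "TaxRegistration"}
    claims = {"enterprise": "Example Trading Co.", "taxpayer_id": "TAX-PLACEHOLDER-001",
              "registered_capital": 5000000, "tax_category": "general"}
    cred = issue_credential("did:example:tax-bureau", ISSUER_PRIVATE_KEY, "cred-0001",
                            metadata, claims)
    pres = present(cred, {"enterprise", "taxpayer_id"})
    ok = verify_presentation(pres, ledger.__getitem__)
    forged = json.loads(json.dumps(pres))  # deep copy, then alter a hidden field's value
    forged["claims"]["registered_capital"] = {"value": 99000000}
    return ok, verify_presentation(forged, ledger.__getitem__)  # (True, False)
```

The hidden fields still travel with their field names, so the verifier learns which claims exist but not their values, which is exactly the disclosure boundary claim 1 describes.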
4. A blockchain-based enterprise digital identity management method, based on the enterprise digital identity management system of any one of claims 1 to 3, comprising the following steps:
a distributed digital identity identifier initialization stage: each organization node registers in the enterprise digital identity management system and obtains a public distributed digital identity identifier of that organization, wherein the organization nodes comprise an industrial and commercial office node, an accounting firm node, a technical supervision bureau node, a tax bureau node, a bank node, a third-party credit investigation organization node and an enterprise node;
an enterprise digital identity registration stage: the enterprise node sends registration requests to the industrial and commercial office node, the accounting firm node, the technical supervision bureau node, the tax bureau node, the bank node and the third-party credit investigation organization node according to the relevant regulations; after examination, these nodes issue the corresponding verifiable credentials to the enterprise node and at the same time store the hash values of the corresponding verifiable credentials in the distributed ledger;
an enterprise trade activity stage: the enterprise nodes of two parties with an intention to cooperate send each other the credit report credentials issued by the third-party credit investigation organization node; after trade consensus is reached and a trade contract is signed, each enterprise node signs the trade contract in verifiable credential form and issues the signed and endorsed trade contract to the other enterprise node; during the trade, each enterprise node issues the corresponding certificates to the other enterprise node in verifiable credential form, and the hash values of the corresponding certificates are stored in the distributed ledger;
an enterprise trade financial business stage: the core enterprise in the supply chain sends the materials required for a loan request to the bank node in verifiable credential or verifiable statement form; after auditing, the bank node executes the fund disbursement operation and pays the money to the enterprise in the supply chain whose liquid funds are insufficient to pay for the goods (the enterprise B node); at the same time, the details of the disbursed funds are issued to the enterprise B node in verifiable credential form, and the hash value of that verifiable credential is stored in the distributed ledger;
an enterprise registration change or deregistration stage: the enterprise node sends the materials required for the change or deregistration to the industrial and commercial office node in verifiable credential or verifiable statement form for verification; after verification, the industrial and commercial office node sends the changed enterprise business license to the enterprise node in verifiable credential form and at the same time stores the hash value of the verifiable credential in the distributed ledger.
5. The blockchain-based enterprise digital identity management method of claim 4, wherein the enterprise digital identity registration stage specifically comprises the following steps:
the enterprise node sends a registration request to the industrial and commercial office node and submits the related application form;
the industrial and commercial office node audits the application, issues the related certificate to the enterprise node in verifiable credential form after the application passes, and stores the hash value of the verifiable credential in the distributed ledger;
the enterprise node makes a registration request to the accounting firm node;
the accounting firm node checks the capital condition of the enterprise, issues a bank confirmation letter in verifiable credential form, and stores the hash value of the verifiable credential in the distributed ledger;
the enterprise node obtains the credential templates of the industrial and commercial office node, which comprise a registration application form, a list of shareholders or promoters, the appointment details of directors, managers and supervisors, a legal representative registration form and a designated representative or entrusted agent registration form, and after filling them in submits the forms together with the company's articles of association and capital verification report to the industrial and commercial office node;
the industrial and commercial office node audits the materials and issues a business license to the enterprise node in verifiable credential form, and at the same time the hash value of the verifiable credential is stored in the distributed ledger;
the enterprise node applies to the technical supervision bureau node for an organization code certificate on the strength of its business license;
the technical supervision bureau node issues the organization code certificate to the enterprise node in verifiable credential form and at the same time stores the hash value of the verifiable credential in the distributed ledger;
the enterprise node applies to the tax bureau node for a tax registration certificate on the strength of its business license;
the tax bureau node issues the tax registration certificate to the enterprise node in verifiable credential form, and at the same time the hash value of the verifiable credential is stored in the distributed ledger;
the enterprise node applies to the bank node for account opening on the strength of its business license, organization code certificate and tax registration certificate;
the bank node handles the account opening registration for the enterprise node and issues the account opening information to the enterprise in verifiable credential form, and at the same time the hash value of the verifiable credential is stored in the distributed ledger;
the enterprise node registers at the third-party credit investigation organization node and submits the business license credential, organization code certificate credential, tax registration certificate credential, bank account opening credential and legal person information;
the third-party credit investigation organization node generates an initial credit report credential for the enterprise node according to these credentials, and at the same time stores the hash value of the credit report credential in the distributed ledger.
6. The blockchain-based enterprise digital identity management method of claim 4, wherein the enterprise trade activity stage specifically comprises the following steps:
if the enterprise A node and the enterprise B node have an intention to cooperate, the enterprise A node sends the credit report credential issued by the third-party credit investigation organization node to the enterprise B node;
the enterprise B node sends the credit report credential issued by the third-party credit investigation organization node to the enterprise A node;
the enterprise A node and the enterprise B node, having reached consensus on trade cooperation, sign a trade contract; the trade contract forms a proof of the matters related to the trade cooperation in verifiable credential form; the enterprise A node generates the credential, signs and endorses it, and issues it to the enterprise B node, and at the same time the hash value of the verifiable credential is stored in the distributed ledger;
the enterprise B node likewise generates a credential for the trade contract, signs and endorses it, and issues it to the enterprise A node, and at the same time stores the hash value of the verifiable credential in the distributed ledger;
assuming that the enterprise A node delivers goods to the enterprise B node, after receiving the goods the enterprise B node issues a goods transportation proof to the enterprise A node in verifiable credential form according to the type and quantity of the goods, and at the same time the hash value of the goods transportation proof is stored in the distributed ledger;
assuming that the enterprise B node pays the money to the enterprise A node, after receiving the money the enterprise A node issues a fund payment proof to the enterprise B node in verifiable credential form according to the amount and the goods transportation proof, and stores the hash value of the fund payment proof in the distributed ledger;
if a transaction change occurs during the trade activity, the enterprise node records the transaction change terms in verifiable credential form, and the verifiable credential is signed, endorsed and stored in the distributed ledger.
7. The blockchain-based enterprise digital identity management method of claim 4, wherein the enterprise trade financial business stage specifically comprises the following steps:
assuming that the enterprise A node is a core enterprise in the supply chain, if the liquid funds of the enterprise B node are insufficient to pay for the goods, supply chain financial business can be carried out, and the enterprise B node makes a loan request to the enterprise A node;
the enterprise A node forwards the loan request to the bank node;
after receiving the loan request, the bank node requests the enterprise A node to present the related proof information, including the business license, property condition, related production and operation records and credit report of the enterprise B node;
the enterprise A node sends the related proof information to the bank node in verifiable credential or verifiable statement form;
the bank node reviews the verifiable credential or verifiable statement;
after the review passes, the bank node executes the fund disbursement operation and pays the money to the enterprise B node;
the bank node generates detailed description information of the disbursed funds, issues it to the enterprise B node in verifiable credential form, and stores the hash value of the verifiable credential in the distributed ledger.
8. The blockchain-based enterprise digital identity management method of claim 4, wherein the enterprise registration change or deregistration stage specifically comprises the following steps:
the enterprise node submits an enterprise business license change application to the industrial and commercial office node;
the industrial and commercial office node requests the enterprise node to provide its existing identity materials;
the enterprise node sends the required materials, including the business license, organization code certificate, tax registration certificate and bank account opening verifiable credentials and the credit report, to the industrial and commercial office node either as the credentials themselves or as a verifiable statement generated from them;
the industrial and commercial office node examines the credentials or statement and, if the examination passes, registers the change according to the enterprise's business license change request;
the industrial and commercial office node sends the changed enterprise business license to the enterprise node in verifiable credential form, and the hash value of the verifiable credential is stored in the distributed ledger;
in the enterprise node deregistration process, after completing the deregistration procedure stipulated by the state, the enterprise node declares its distributed digital identity identifier disabled;
the issuer nodes that issued verifiable credentials to the enterprise node issue credential invalidation proofs for those credentials.
CN202110258371.XA 2021-03-10 2021-03-10 Enterprise digital identity management system and method based on blockchain Active CN112950220B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202110258371.XA CN112950220B (en) 2021-03-10 2021-03-10 Enterprise digital identity management system and method based on blockchain

Publications (2)

Publication Number Publication Date
CN112950220A CN112950220A (en) 2021-06-11
CN112950220B true CN112950220B (en) 2023-09-26

Family

ID=76229081

Country Status (1)

Country Link
CN (1) CN112950220B (en)

Families Citing this family (9)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN113407996A (en) * 2021-06-28 2021-09-17 湖南大学 Distributed account book autonomous controllable privacy protection system and cluster architecture thereof
CN113660632B (en) * 2021-06-29 2023-10-27 国家计算机网络与信息安全管理中心 V2X identity management method and management system based on blockchain
CN113922962A (en) * 2021-09-10 2022-01-11 杭州溪塔科技有限公司 Method and device for selectively disclosing digital identity attribute
CN113761597B (en) * 2021-09-17 2024-01-19 安徽高山科技有限公司 Contract signing method based on verifiable certificate VC and blockchain signature
CN113642048B (en) * 2021-09-17 2023-09-26 安徽高山科技有限公司 Contract transmission signature method for protecting privacy
CN113630260B (en) * 2021-10-12 2022-01-14 江苏荣泽信息科技股份有限公司 Organization identity encryption and decryption method
CN113822677A (en) * 2021-11-03 2021-12-21 北京微芯区块链与边缘计算研究院 Personal credit investigation system and method based on distributed digital identity technology
CN114186248B (en) * 2021-11-13 2022-08-05 云南财经大学 Zero-knowledge proof verifiable certificate digital identity management system and method based on block chain intelligent contracts
CN115601053B (en) * 2022-12-16 2023-08-22 浪潮云洲工业互联网有限公司 Method and equipment for proving safety and credibility and protecting back-to-back origin

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
KR20200013206A (en) * 2018-07-29 2020-02-06 임장순 Freight booking system and method based on blockchains
US10637665B1 (en) * 2016-07-29 2020-04-28 Workday, Inc. Blockchain-based digital identity management (DIM) system
CN111801910A (en) * 2017-12-15 2020-10-20 区块链控股有限公司 System and method for authenticating off-chain data based on proof verification
WO2020255098A1 (en) * 2019-06-21 2020-12-24 Asgekar Ashish Gajanan System and method for creating a three-party communication platform to deliver services
CN112199448A (en) * 2020-12-04 2021-01-08 南京星链高科技发展有限公司 Industrial and commercial registration method and system based on block chain

Family Cites Families (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20180082290A1 (en) * 2016-09-16 2018-03-22 Kountable, Inc. Systems and Methods that Utilize Blockchain Digital Certificates for Data Transactions
US10833861B2 (en) * 2017-11-28 2020-11-10 International Business Machines Corporation Protection of confidentiality, privacy and ownership assurance in a blockchain based decentralized identity management system


Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant