CN113486367B - High-performance extensible autonomous dynamic digital identity management architecture for distributed ledger - Google Patents


Info

Publication number: CN113486367B
Authority: CN (China)
Prior art keywords: service unit, user, wallet, certificate, service
Legal status: Active
Application number: CN202110641068.8A
Other languages: Ch inese (zh)
Other versions: CN113486367A
Inventors: 兰秋军, 程林海, 马超群, 周中定, 李信儒, 万丽, 米先华
Current assignee: Hunan University
Original assignee: Hunan University
Events: application filed by Hunan University; priority to CN202110641068.8A; publication of CN113486367A; application granted; publication of CN113486367B; legal status active.

Classifications

    • H: ELECTRICITY
    • H04: ELECTRIC COMMUNICATION TECHNIQUE
    • H04L: TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 67/00: Network arrangements or protocols for supporting network services or applications
    • H04L 67/01: Protocols
    • H04L 67/10: Protocols in which an application is distributed across nodes in the network
    • H04L 63/00: Network architectures or network communication protocols for network security
    • H04L 63/08: Network architectures or network communication protocols for network security for authentication of entities
    • H04L 63/0823: Network architectures or network communication protocols for network security for authentication of entities using certificates
    • H04L 63/083: Network architectures or network communication protocols for network security for authentication of entities using passwords
    • H04L 63/10: Network architectures or network communication protocols for network security for controlling access to devices or network resources
    • H04L 9/00: Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L 9/32: Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L 9/3263: Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving certificates, e.g. public key certificate [PKC] or attribute certificate [AC]; Public key infrastructure [PKI] arrangements
    • H04L 9/50: Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols using hash chains, e.g. blockchains or hash trees
    • G: PHYSICS
    • G06: COMPUTING; CALCULATING OR COUNTING
    • G06F: ELECTRIC DIGITAL DATA PROCESSING
    • G06F 21/00: Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F 21/60: Protecting data
    • G06F 21/604: Tools and structures for managing or administering access control systems

Abstract

The invention discloses an autonomous dynamic digital identity management architecture for a high-performance, scalable distributed ledger. It offers users two digital identity management systems, distributed digital identity and centralized digital identity, and users can choose and use either system according to their own requirements. The distributed digital identity scheme gives users of the distributed ledger autonomous control over their digital identity during transaction processing and improves their trust in, and experience of, the ledger. In addition, the whole architecture is deployed as clusters, which improves availability and scalability, so that performance and availability can be extended as actual needs require.

Description

High-performance extensible autonomous dynamic digital identity management architecture for distributed ledger
Technical Field
The invention relates to the technical field of distributed ledgers, and in particular to an autonomous dynamic digital identity management architecture for a high-performance, scalable distributed ledger.
Background
Digital identity management in current distributed ledger technology is mainly a CID management system built on a PKI: CIDs are managed and controlled by a single authority. Such a centralized architecture can run into performance problems; under heavy load, for example, the effective distribution of a very large certificate revocation list can become a performance bottleneck and reduce efficiency. The current CID management architecture has the following problems:
1. the user lacks control over their own digital identity;
2. processing efficiency is low;
3. availability is not high: when a server or database goes down, the centralized architecture may be unable to carry out digital identity management at all, so the system risks insufficient availability.
Disclosure of Invention
The invention provides an autonomous dynamic digital identity management architecture for a high-performance, scalable distributed ledger, aiming to solve the technical problems of conventional distributed ledger technology that adopts a CID management architecture: the user lacks control over their own digital identity, processing efficiency is low and availability is low.
According to one aspect of the present invention, there is provided an autonomic dynamic digital identity management architecture for a high performance scalable distributed ledger, comprising:
the identity wallet service module is used for providing life cycle management proxy service of digital identity for the user;
the DID service module is used for providing DID life cycle management and query service for the user;
the CID service module is used for providing CID life cycle management and query service for the user;
the MSP service module is used for providing services of digital identity management and authentication for a user;
the database module is used for storing data in a cluster mode;
the identity wallet service module is used for selecting a DID service module or a CID service module according to a service request of a user to provide life cycle management and query service of digital identity for the user, and the DID service module or the CID service module performs corresponding operation on data stored in the database module according to the content of the user request;
The identity wallet service module comprises a wallet API, a wallet service unit and a wallet storage service unit. The wallet API provides the interface through which a user obtains wallet services; the wallet service unit provides the interface through which the user obtains MSP services, CID services, DID blockchain services and wallet storage services, and generates the DID and DID document for the user; the wallet storage service unit securely stores or deletes certificates, keys and communication relationships for the user. The DID service module comprises a DID server cluster and a DID blockchain. The CID service module comprises an RA service unit, a CA service unit, a certificate storage service unit and a CRL service unit: the RA service unit verifies the identity of the user, checks the validity of the data, registers the user and decides whether to approve the CA service unit issuing a digital certificate to the user; the CA service unit issues digital certificates to the user; the certificate storage service unit stores the digital certificates; the CRL service unit records the serial numbers of revoked certificates; and the RA service unit, CA service unit, certificate storage service unit and CRL service unit are all built as server clusters.
Further, the database module comprises an in-memory database and a persistent database, both built as clusters, and the DID blockchain is mounted in the clustered persistent database. For data that must be kept long term, the DID service module or CID service module uses the persistent database; for data that is stored temporarily or operated on frequently, it uses the in-memory database.
Further, the service types provided by the DID service module include DID registration, DID verification and DID logout, where DID verification comprises credential issuance, statement generation and verification, and credential revocation; the service types provided by the CID service module include CID registration, CID verification and CID logout.
Further, the process by which a user performs DID registration is as follows: the user logs in to the identity wallet service module and is connected to the wallet service unit through the wallet API; the wallet service unit generates the user's own DID and DID document and registers the DID in the DID blockchain; and the wallet service unit stores the user's DID document in the wallet storage service unit.
Further, the process by which a user performs DID verification is as follows: the credential issuer, the credential holder and the claim verifier each register their own DID in the DID blockchain; the credential holder applies to the credential issuer for a credential; the credential issuer verifies the holder's DID through the DID blockchain; after the verification passes, the credential issuer generates the credential and registers it in the DID blockchain; the credential issuer sends the credential to the credential holder through a secure channel; the credential holder generates a verification statement from the credential and presents it to the claim verifier through a secure channel; the claim verifier verifies the holder's DID and the content of the verification statement through the DID blockchain and responds to the holder with the verification result; and the credential issuer revokes the credential and submits the revocation information to the DID blockchain.
Further, the process by which a user performs DID logout is as follows: the user logs in to the identity wallet service module and is connected to the wallet service unit through the wallet API; the wallet service unit generates the DID logout information and submits it to the DID blockchain; and the wallet service unit deletes the DID information related to the user.
Further, the process by which a user performs CID registration is as follows: the user logs in to the identity wallet service module and is connected to the wallet service unit through the wallet API; the wallet service unit generates the registration information and submits it to the RA service unit; the RA service unit verifies the user information and then instructs the CA service unit to generate the corresponding digital certificate and private key; the RA service unit submits the user information to the certificate storage service unit; the CA service unit generates the user's digital certificate and private key and returns them to the RA service unit; the CA service unit submits the user's digital certificate to the certificate storage service unit; the RA service unit returns the digital certificate and private key to the user; and the wallet service unit stores the user number and the private key in the certificate storage service unit.
Further, the process by which a user performs CID verification is as follows: the user logs in to the identity wallet service module and is connected to the wallet service unit through the wallet API; the wallet service unit retrieves the CID information from the wallet storage service unit and submits it to the MSP service module; and the MSP service module obtains the CRL from the CRL service unit and verifies the validity of the user's CID information.
Further, the process by which a user performs CID logout is as follows: the user logs in to the identity wallet service module and is connected to the wallet service unit through the wallet API; the wallet service unit submits the CID information to be cancelled to the RA service unit; the RA service unit verifies the information submitted by the user and then instructs the CA service unit to cancel the corresponding digital certificate; the CA service unit submits the serial number of the corresponding digital certificate to the CRL service unit and returns the cancellation result to the RA service unit; the RA service unit returns the CID cancellation result to the user; and the wallet service unit modifies the related information in the wallet storage service unit according to the CID cancellation result. Alternatively, the certificate storage service unit submits CID digital certificate information that meets the logout condition to the CA service unit, and the CA service unit, after verifying that information, submits the corresponding digital certificate serial number to the CRL service unit.
Further, the architecture comprises an agent module built as a cluster; the agent module load-balances the many user requests submitted by the identity wallet service module and distributes these service requests to the DID server cluster and the CID server cluster.
The invention has the following beneficial effects:
The autonomous dynamic digital identity management architecture for a high-performance, scalable distributed ledger provides users with two digital identity management systems, distributed digital identity (DID) and centralized digital identity (CID), and users can choose and use either system according to their own requirements. The DID scheme gives users of the distributed ledger autonomous control over their digital identity during transaction processing and improves their trust in, and experience of, the ledger. In addition, the whole architecture is deployed as clusters, which improves availability and scalability, so that performance and availability can be extended as actual needs require.
In addition to the objects, features and advantages described above, the invention has further objects, features and advantages, which are described in detail below with reference to the drawings.
Drawings
The accompanying drawings, which are incorporated in and constitute a part of this application, illustrate embodiments of the invention and, together with the description, serve to explain the invention and not to limit the invention. In the drawings:
Fig. 1 is a block diagram of an autonomous dynamic digital identity management architecture of a high-performance scalable distributed ledger according to a preferred embodiment of the present invention.
Fig. 2 is a schematic architecture diagram of an autonomous dynamic digital identity management architecture of a high-performance scalable distributed ledger according to a preferred embodiment of the present invention.
Fig. 3 is a schematic diagram of cluster deployment of the autonomous dynamic digital identity management architecture of the high-performance scalable distributed ledger of the preferred embodiment of the present invention.
Fig. 4 is a logic diagram of DID registration by a user in the preferred embodiment of the present invention.
Fig. 5 is a logic diagram of DID authentication performed by a user in the preferred embodiment of the present invention.
Fig. 6 is a logic diagram of DID logout performed by a user in the preferred embodiment of the present invention.
Fig. 7 is a logic diagram of CID registration by a user in the preferred embodiment of the present invention.
Fig. 8 is a logic diagram of CID verification performed by a user in the preferred embodiment of the present invention.
Fig. 9 is a logic diagram of CID logout performed by a user in the preferred embodiment of the present invention.
Detailed Description
The embodiments of the invention will be described in detail below with reference to the accompanying drawings, but the invention can be embodied in many different forms, which are defined and covered by the following description.
As shown in Figs. 1 and 2, a preferred embodiment of the present invention provides an autonomous dynamic digital identity management architecture for a high-performance, scalable distributed ledger, comprising:
the identity wallet service module is used for providing life cycle management proxy service of digital identity for the user;
the DID service module is used for providing DID life cycle management and query service for the user;
the CID service module is used for providing CID life cycle management and query service for the user;
the MSP service module is used for providing services of digital identity management and authentication for a user;
the database module is used for storing data in a cluster mode;
the identity wallet service module is used for selecting a DID service module or a CID service module according to a service request of a user to provide life cycle management and query service of digital identity for the user, and the DID service module or the CID service module performs corresponding operation on data stored in the database module according to the content of the user request.
It can be understood that the architecture is divided into three layers: a business layer, an application layer and a technology layer. The business layer describes the business services that the identity management system of the distributed ledger provides to users, and mainly comprises the DID life cycle business and the CID life cycle business. Specifically, the service types provided by the DID service module include DID registration, DID verification and DID logout, where DID verification comprises credential issuance, statement generation and verification, and credential revocation; the service types provided by the CID service module include CID registration, CID verification and CID logout.
The application layer describes the application services of the distributed ledger identity management system that support the business services, and comprises the identity wallet, the DID blockchain, the CID service and the MSP service. Specifically, the identity wallet service module comprises a wallet API, a wallet service unit and a wallet storage service unit: the wallet API provides the interface through which a user obtains wallet services; the wallet service unit provides the interface through which the user obtains MSP services, CID services, DID blockchain services and wallet storage services, and generates the DID and DID document for the user; and the wallet storage service unit securely stores or deletes certificates, keys and communication relationships for the user. The DID service module comprises a DID server cluster and a DID blockchain. Specifically, the DID blockchain comprises a full service providing unit, a bookkeeping service providing unit, a verification service providing unit, a communication anchor service providing unit, a DID resolution service providing unit, a credential registration service providing unit and a consensus service providing unit. The full service providing unit provides the bookkeeping, verification, communication anchor, DID resolution and credential registration services for the DID blockchain; the bookkeeping service providing unit provides the bookkeeping (ledger) service for the DID blockchain; the verification service providing unit provides transaction verification; the communication anchor service providing unit provides the communication anchor service used to organize communication in the DID blockchain; the DID resolution service providing unit provides DID resolution for users; the credential registration service providing unit provides credential registration for credential issuers; and the consensus service providing unit provides consensus for all transactions in the DID blockchain.
The CID service module comprises an RA service unit, a CA service unit, a certificate storage service unit and a CRL service unit: the RA service unit verifies the identity of the user, checks the validity of the data, registers the user and decides whether to allow the CA service unit to issue a digital certificate to the user; the CA service unit issues the digital certificate to the user and manages the whole life cycle of the public key; the certificate storage service unit stores the digital certificates; and the CRL service unit records the serial numbers of revoked certificates, since a digital certificate cannot be forcibly withdrawn once issued and a certificate revocation list (CRL) therefore has to be maintained. The RA service unit, CA service unit, certificate storage service unit and CRL service unit are all built as server clusters, which together form the CID server cluster. In addition, the MSP service module comprises a channel MSP service unit, an organization MSP service unit and a node MSP service unit: the channel MSP service unit provides authentication for distributed ledger channels, the organization MSP service unit provides authentication for distributed ledger organizations, and the node MSP service unit provides authentication for distributed ledger nodes.
The technology layer describes the technical services, such as processing, storage and communication, that are required to run the application services, and mainly comprises cryptography, communication protocols, data storage, the P2P network, certificate standards and the like.
It can be understood that the architecture of this embodiment provides users with two digital identity management systems, a distributed digital identity (DID) system and a centralized digital identity (CID) system, and users can choose and use either system according to their own requirements. The DID scheme gives users of the distributed ledger autonomous control over their digital identity during transaction processing and improves their trust in, and experience of, the ledger. In addition, the whole architecture is deployed as clusters, which improves availability and scalability, so that performance and availability can be extended as actual needs require.
It can be understood that the database module comprises an in-memory database and a persistent database, both built as clusters, and that the DID blockchain is mounted in the clustered persistent database. For data that must be kept long term, the DID service module or CID service module uses the persistent database; for data that is stored temporarily or operated on frequently, it uses the in-memory database.
It can be understood that, as shown in Fig. 3, the architecture further comprises an agent module built as a cluster, i.e. an agent cluster, which load-balances the many user requests submitted by the identity wallet service module and distributes these service requests to the DID server cluster and the CID server cluster. The agent cluster comprises a load-balancing server and a reverse proxy server. Load balancing and reverse proxying of the service requests make full use of the performance of every server in a server cluster and improve transaction processing efficiency. The architecture further comprises a message queue cluster, which orders the processing operations of the DID server cluster and the CID server cluster before sending them to the database cluster.
Specifically, as shown in Fig. 4, the process by which a user performs DID registration is as follows: the user logs in to the identity wallet service module and is connected to the wallet service unit through the wallet API; the wallet service unit generates the user's own DID and DID document and registers the DID in the DID blockchain; and the wallet service unit stores the user's DID document in the wallet storage service unit. The DID registration model is RegistDID() → (DID, pk, sk), where DID denotes the DID generated by the user, pk denotes the public key of the DID and sk denotes the private key of the DID.
As shown in Fig. 5, the process by which a user performs DID verification is as follows: the credential issuer, the credential holder and the claim verifier each register their own DID in the DID blockchain; the credential holder applies to the credential issuer for a credential; the credential issuer verifies the holder's DID through the DID blockchain; after the verification passes, the credential issuer generates the credential and registers it in the DID blockchain; the credential issuer sends the credential to the credential holder through a secure channel; the credential holder generates a verification statement from the credential and presents it to the claim verifier through a secure channel; the claim verifier verifies the holder's DID and the content of the verification statement through the DID blockchain and responds to the holder with the verification result; and the credential issuer revokes the credential and submits the revocation information to the DID blockchain. The DID verification model is as follows:
(formula image BDA0003107747440000081: DID verification model)
where DID denotes the DID of the VC holder, together with the attribute information of the VC holder and the private key of the VC issuer; Set_VC denotes the set of VCs required to generate the VP (verification statement); sk_c denotes the private key of the VC holder; pk_b denotes the public key of the VC issuer; and pk_c denotes the public key of the VC holder.
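The DID registration, credential issuance, verification statement (VP) generation and verification, and credential revocation steps described above, as an added Go example that is not the patent's code: the DID blockchain is modelled by an in-memory registry, the keys are Ed25519, and the did:example: method name and the verifier-chosen nonce (a replay check the page does not mention) are assumptions.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/json"
	"errors"
	"fmt"
)

// DIDRegistry is a constructed in-memory stand-in for the DID blockchain: it
// resolves a DID to its public key and records each credential's issuer DID and revocation status.
type DIDRegistry struct {
	keys    map[string]ed25519.PublicKey
	creds   map[string]string // credential id -> issuer DID
	revoked map[string]bool
}

func NewDIDRegistry() *DIDRegistry {
	return &DIDRegistry{map[string]ed25519.PublicKey{}, map[string]string{}, map[string]bool{}}
}

// RegistDID models RegistDID() -> (DID, pk, sk): the wallet generates the key pair and
// the DID is registered on the chain ("did:example:" is an assumed method name).
func (r *DIDRegistry) RegistDID(name string) (string, ed25519.PublicKey, ed25519.PrivateKey, error) {
	pk, sk, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return "", nil, nil, err
	}
	did := "did:example:" + name
	r.keys[did] = pk
	return did, pk, sk, nil
}

// VC is a credential signed by the issuer with sk_b; VP is the verification statement
// (Set_VC plus a verifier-chosen nonce) signed by the holder with sk_c. Signature fields
// are tagged json:"-" so marshal() yields exactly the signed bytes (encoding/json sorts
// map keys, so the bytes are deterministic).
type VC struct {
	ID, Issuer, Subject string
	Claims              map[string]string
	Signature           []byte `json:"-"`
}
type VP struct {
	Holder    string
	Creds     []VC
	Nonce     string
	Signature []byte `json:"-"`
}

func marshal(v interface{}) []byte { b, _ := json.Marshal(v); return b }

// IssueVC is the issuer's side: resolve the holder DID through the chain, sign the claims
// and register the credential id on the chain.
func (r *DIDRegistry) IssueVC(issuer string, skb ed25519.PrivateKey, holder, id string, claims map[string]string) (VC, error) {
	if _, ok := r.keys[holder]; !ok {
		return VC{}, errors.New("holder DID not registered")
	}
	vc := VC{ID: id, Issuer: issuer, Subject: holder, Claims: claims}
	vc.Signature = ed25519.Sign(skb, marshal(vc))
	r.creds[id] = issuer
	return vc, nil
}

// RevokeVC is the issuer submitting revocation information to the chain, which accepts
// it only with the issuing DID's signature over "revoke:"+id.
func (r *DIDRegistry) RevokeVC(issuer, id string, sig []byte) error {
	pkb, ok := r.keys[issuer]
	if !ok || r.creds[id] != issuer || !ed25519.Verify(pkb, []byte("revoke:"+id), sig) {
		return errors.New("revocation not signed by the credential's issuer")
	}
	r.revoked[id] = true
	return nil
}

// GenerateVP models GenerateVP(DID, Set_VC, sk_c) -> VP on the holder's side.
func GenerateVP(holder string, skc ed25519.PrivateKey, set []VC, nonce string) VP {
	vp := VP{Holder: holder, Creds: set, Nonce: nonce}
	vp.Signature = ed25519.Sign(skc, marshal(vp))
	return vp
}

// VerifyVP is the claim verifier's side: resolve pk_c and each pk_b through the chain, then
// check the nonce, the holder's signature, that every credential is about the presenter,
// each issuer's signature, and the credential's registration and revocation status.
func (r *DIDRegistry) VerifyVP(vp VP, nonce string) error {
	pkc, ok := r.keys[vp.Holder]
	switch {
	case vp.Nonce != nonce:
		return errors.New("nonce mismatch: stale or replayed presentation")
	case !ok || !ed25519.Verify(pkc, marshal(vp), vp.Signature):
		return errors.New("holder DID unresolvable or holder signature invalid")
	}
	for _, vc := range vp.Creds {
		pkb, ok := r.keys[vc.Issuer]
		switch {
		case vc.Subject != vp.Holder:
			return fmt.Errorf("credential %s is not about the presenter", vc.ID)
		case !ok || !ed25519.Verify(pkb, marshal(vc), vc.Signature):
			return fmt.Errorf("issuer of %s unresolvable or its signature invalid", vc.ID)
		case r.creds[vc.ID] != vc.Issuer || r.revoked[vc.ID]:
			return fmt.Errorf("credential %s unregistered or revoked", vc.ID)
		}
	}
	return nil
}
```

A nil result from VerifyVP is the "verification passed" response the claim verifier returns to the holder; any non-nil error is the failure case.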
As shown in Fig. 6, the process by which a user performs DID logout is as follows: the user logs in to the identity wallet service module and is connected to the wallet service unit through the wallet API; the wallet service unit generates the DID logout information and submits it to the DID blockchain; and the wallet service unit deletes the DID information related to the user. The DID logout model is CancelDID(DID, sk) → (failure), where DID denotes the DID the user wants to log out and sk denotes the user's private key.
As shown in Fig. 7, the process by which a user performs CID registration is as follows: the user logs in to the identity wallet service module and is connected to the wallet service unit through the wallet API; the wallet service unit generates the registration information and submits it to the RA service unit; the RA service unit verifies the user information and then instructs the CA service unit to generate the corresponding digital certificate and private key; the RA service unit submits the user information to the certificate storage service unit; the CA service unit generates the user's digital certificate and private key and returns them to the RA service unit; the CA service unit submits the user's digital certificate to the certificate storage service unit; the RA service unit returns the digital certificate and private key to the user; and the wallet service unit stores the user number and the private key in the wallet storage service unit. The CID registration model is RegistCID() → (pk, sk), where pk denotes the user's public key and sk denotes the user's private key.
As shown in fig. 8, the process of CID verification by the user is as follows: the user logs in to the identity wallet service module, which connects to the wallet service unit through the wallet API; the wallet service unit obtains the CID information from the wallet storage service unit and submits it to the MSP service module; the MSP service module obtains the CRL from the CRL service unit and verifies the validity of the user's CID information. The CID verification model is: MSP_VerifyCID(Certificate, pk_CA, CRL) → (true, false), where Certificate denotes the user's digital certificate, pk_CA denotes the public key of the CA and CRL denotes the certificate revocation list.
As shown in fig. 9, the process of CID logout by the user is as follows: the user logs in to the identity wallet service module, which connects to the wallet service unit through the wallet API (application program interface) and, through the wallet service unit, submits the CID (certificate identifier) information to be logged out to the RA service unit; the RA service unit verifies the information submitted by the user and then instructs the CA service unit to log out the corresponding digital certificate; the CA service unit submits the serial number of that certificate to the CRL service unit and returns the logout result to the RA service unit; the RA service unit returns the CID logout result to the user; and the wallet service unit modifies the related information in the wallet storage service unit according to that result. Alternatively, the certificate storage service unit submits the CID digital certificate information that meets the logout condition to the CA service unit, and the CA service unit, after verifying that information, submits the corresponding digital certificate serial number to the CRL service unit. The CID logout model is: CancellationCID(Certificate, sk) → (success, failure), where Certificate denotes the user's digital certificate, and sk denotes the user's private key when the user applies to cancel the CID and the CA's private key when the CA service unit cancels the CID.
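The three CID procedures above (RegistCID, MSP_VerifyCID and CancellationCID; claims 7 to 9 restate them), worked through with Go's crypto/x509 as an added example; this is not code from the patent or from the applicant. The CA type, which folds the CA service unit and the CRL service unit into one object, the must helper, the shared serial-number and CRL-number counter, the certificate subjects and the validity periods are assumptions made here, and the verifier takes pk_CA in the form of the CA certificate. Two points the text leaves implicit are made explicit: the CA generates the user's private key and returns it through the RA, so sk exists outside the wallet and the CA and the RA path must be trusted with it; and a CRL that is past its NextUpdate, or not signed by the CA, makes verification fail rather than pass:

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// must keeps the example short: key generation and signing fail only on a broken RNG.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// CA stands in for the CA service unit plus the CRL service unit (structure assumed here).
type CA struct {
	cert    *x509.Certificate
	key     *ecdsa.PrivateKey
	revoked []pkix.RevokedCertificate // serials handed to the CRL service unit
	counter int64                     // next certificate serial and CRL number
}

// issue signs tmpl under parent (self-signed when parent == tmpl) and parses the result back.
func issue(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, signer *ecdsa.PrivateKey) *x509.Certificate {
	return must(x509.ParseCertificate(must(x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer))))
}

func NewCA() *CA {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "CID root CA"},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(365 * 24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true,
		KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign, // CRLSign is required to sign CRLs
	}
	return &CA{cert: issue(tmpl, tmpl, &key.PublicKey, key), key: key, counter: 2}
}

// RegistCID() -> (pk, sk): as in the text, the CA generates the user's key pair and returns
// the certificate (carrying pk) together with sk.
func (ca *CA) RegistCID(userID string) (*x509.Certificate, *ecdsa.PrivateKey) {
	sk := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(ca.counter), Subject: pkix.Name{CommonName: userID},
		NotBefore: time.Now().Add(-time.Minute), NotAfter: time.Now().Add(90 * 24 * time.Hour),
		KeyUsage: x509.KeyUsageDigitalSignature,
	}
	ca.counter++
	return issue(tmpl, ca.cert, &sk.PublicKey, ca.key), sk
}

// CancellationCID(Certificate, sk): accepted only when sk is the user's key (it matches the
// certificate) or the CA's own key; the serial then goes on the CRL.
func (ca *CA) CancellationCID(cert *x509.Certificate, sk *ecdsa.PrivateKey) bool {
	userPK, ok := cert.PublicKey.(*ecdsa.PublicKey)
	if !(ok && userPK.Equal(&sk.PublicKey)) && !ca.key.PublicKey.Equal(&sk.PublicKey) {
		return false
	}
	ca.revoked = append(ca.revoked, pkix.RevokedCertificate{SerialNumber: cert.SerialNumber, RevocationTime: time.Now()})
	return true
}

// IssueCRL signs the current list; NextUpdate bounds how long a verifier may rely on it.
func (ca *CA) IssueCRL() []byte {
	tmpl := &x509.RevocationList{
		Number: big.NewInt(ca.counter), RevokedCertificates: ca.revoked,
		ThisUpdate: time.Now(), NextUpdate: time.Now().Add(time.Hour),
	}
	ca.counter++
	return must(x509.CreateRevocationList(rand.Reader, tmpl, ca.cert, ca.key))
}

// MSP_VerifyCID(Certificate, pk_CA, CRL) -> (true, false); pk_CA is carried by the CA
// certificate. Chain and validity window first, then the CRL, which fails closed when stale.
func MSP_VerifyCID(cert, caCert *x509.Certificate, crlDER []byte, now time.Time) (bool, error) {
	if err := cert.CheckSignatureFrom(caCert); err != nil || now.Before(cert.NotBefore) || now.After(cert.NotAfter) {
		return false, fmt.Errorf("certificate not valid under this CA at %s: %v", now.Format(time.RFC3339), err)
	}
	crl, err := x509.ParseRevocationList(crlDER)
	if err != nil {
		return false, err
	}
	if err := crl.CheckSignatureFrom(caCert); err != nil || now.After(crl.NextUpdate) {
		return false, fmt.Errorf("CRL unusable (not from this CA, or stale after %s): %v", crl.NextUpdate.Format(time.RFC3339), err)
	}
	for _, rc := range crl.RevokedCertificates {
		if rc.SerialNumber.Cmp(cert.SerialNumber) == 0 {
			return false, fmt.Errorf("serial %s is on the CRL", cert.SerialNumber)
		}
	}
	return true, nil
}

func main() {
	ca := NewCA()
	cert, sk := ca.RegistCID("user-001")
	fmt.Println(MSP_VerifyCID(cert, ca.cert, ca.IssueCRL(), time.Now()))
	ca.CancellationCID(cert, sk)
	fmt.Println(MSP_VerifyCID(cert, ca.cert, ca.IssueCRL(), time.Now()))
}
```

Passing the CA's own key as sk to CancellationCID exercises the CA-initiated path of the text, in which the certificate storage service unit hands certificates meeting the logout condition to the CA; an MSP that caches the CRL should treat the NextUpdate check as mandatory, since an attacker who can delay CRL delivery otherwise keeps a revoked certificate usable.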
The above description is only a preferred embodiment of the present invention and is not intended to limit the present invention, and various modifications and changes may be made by those skilled in the art. Any modification, equivalent replacement, or improvement made within the spirit and principle of the present invention should be included in the protection scope of the present invention.

Claims (10)

1. An autonomic dynamic digital identity management architecture for a high performance, scalable, distributed ledger, comprising:
the identity wallet service module is used for providing life cycle management proxy service of digital identity for the user;
the DID service module is used for providing DID life cycle management and query service for the user;
the CID service module is used for providing life cycle management and query services of CID for the user;
the MSP service module is used for providing services of digital identity management and authentication for a user;
the database module is used for storing data in a cluster mode;
the identity wallet service module is used for selecting a DID service module or a CID service module according to a service request of a user to provide life cycle management and query service of digital identity for the user, and the DID service module or the CID service module performs corresponding operation on data stored in the database module according to the content of the user request;
the identity wallet service module comprises a wallet API, a wallet service unit and a wallet storage service unit, wherein the wallet API provides the interface through which a user obtains wallet services, the wallet service unit provides the interfaces through which the user obtains MSP services, CID services, DID blockchain services and wallet storage services and generates the DID and DID document for the user, and the wallet storage service unit securely stores or deletes certificates, keys and communication relationships for the user; the DID service module comprises a DID server cluster and a DID blockchain; the CID service module comprises an RA service unit, a CA service unit, a certificate storage service unit and a CRL service unit, wherein the RA service unit verifies the identity of the user, checks the validity of the data, performs registration and decides whether to authorize the CA service unit to issue a digital certificate for the user, the CA service unit issues digital certificates for the user, the certificate storage service unit stores digital certificates, the CRL service unit records the serial numbers of revoked certificates, and the RA service unit, the CA service unit, the certificate storage service unit and the CRL service unit are all built as server clusters.
2. The architecture of claim 1, wherein the database module includes an in-memory database and a persistent database, both built in a cluster manner; the DID blockchain is mounted in the clustered persistent database; the DID service module or the CID service module uses the persistent database for data that needs to be stored for a long time, and uses the in-memory database for data that is stored temporarily or operated on frequently.
3. The architecture of autonomous dynamic digital identity management for high performance, scalable, distributed ledger of claim 2, wherein the types of business provided by the DID service module include DID registration, DID validation including credential issuance, claim generation and validation, credential revocation, and DID logout.
4. The autonomic dynamic digital identity management framework for a high performance, scalable distributed ledger of claim 3 wherein the DID registration process by a user is: the user logs in the identity wallet service module, is connected to the wallet service unit through the wallet API, generates own DID and DID documents through the wallet service unit, registers the DID into the DID block chain, and the wallet service unit stores the DID documents of the user into the wallet storage service unit.
5. The autonomic dynamic digital identity management framework for a high performance, scalable distributed ledger of claim 3 wherein the DID validation process by the user is: the certificate issuer, the certificate holder and the declaration verifier each register their own DID in the DID blockchain; the certificate holder applies to the certificate issuer for a certificate; the certificate issuer verifies the DID of the certificate holder through the DID blockchain, generates the certificate after the verification passes and registers the certificate in the DID blockchain; the certificate issuer sends the certificate to the certificate holder through a secure channel; the certificate holder generates a verification statement from the certificate and presents it to the declaration verifier through a secure channel; the declaration verifier verifies the DID of the certificate holder and the content of the verification statement through the DID blockchain and responds to the certificate holder with the verification result; and the certificate issuer revokes the certificate by submitting revocation information to the DID blockchain.
6. The autonomic dynamic digital identity management framework for a high performance, scalable distributed ledger of claim 3 wherein the DID deregistration process by a user is: the user logs in the identity wallet service module, is connected to the wallet service unit through a wallet API, generates DID logout information through the wallet service unit, submits the generated DID logout information to a DID block chain, and the wallet service unit deletes DID information related to the user.
7. The autonomic dynamic digital identity management framework for a high performance, scalable distributed ledger of claim 3 wherein the process for a user to perform CID registration is: the user logs in the identity wallet service module, the identity wallet service module is connected to the wallet service unit through a wallet API, registration information is generated through the wallet service unit and submitted to an RA service unit, the RA service unit verifies the user information and then informs a CA service unit to generate a corresponding digital certificate and a private key, the RA service unit submits the user information to a certificate storage service unit, the CA service unit generates the digital certificate and the private key of the user and then returns the digital certificate and the private key to the RA service unit, the CA service unit submits the digital certificate of the user to the certificate storage service unit, the RA service unit returns the digital certificate and the private key to the user, and the wallet service unit stores the user number and the private key to the wallet storage service unit.
8. The architecture of claim 3, wherein the CID validation by the user is performed by: the user logs in the identity wallet service module, is connected to the wallet service unit through the wallet API, acquires CID information from the wallet storage service unit through the wallet service unit, submits the CID information to the MSP service module through the wallet service unit, and the MSP service module acquires CRL from the CRL service unit and verifies the validity of the CID information of the user.
9. The autonomic dynamic digital identity management framework for a high performance, scalable distributed ledger of claim 3 wherein the process for a user to perform CID deregistration is: a user logs in an identity wallet service module, is connected to a wallet service unit through a wallet API and submits CID information needing to be logged out to an RA service unit through the wallet service unit, the RA service unit verifies the information submitted by the user and then informs a CA service unit to log out a corresponding digital certificate, the CA service unit submits a corresponding digital certificate serial number to a CRL service unit and returns a log-out result to the RA service unit, the RA service unit returns a CID log-out result to the user, and the wallet service unit modifies related information in a wallet storage service unit according to the CID log-out result; or, the certificate storage service unit submits the CID digital certificate information meeting the logout condition to the CA service unit, and the CA service unit submits the corresponding digital certificate serial number to the CRL service unit after verifying the CID digital certificate information meeting the logout condition.
10. The autonomic dynamic digital identity management architecture for a high performance, scalable distributed ledger of claim 2 further comprising a clustered agent module for load balancing the user requests submitted by the identity wallet service module, distributing the service requests across the DID server cluster and the CID server cluster.
CN202110641068.8A 2021-06-09 2021-06-09 High-performance extensible autonomous dynamic digital identity management architecture for distributed ledger Active CN113486367B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202110641068.8A CN113486367B (en) 2021-06-09 2021-06-09 High-performance extensible autonomous dynamic digital identity management architecture for distributed ledger

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202110641068.8A CN113486367B (en) 2021-06-09 2021-06-09 High-performance extensible autonomous dynamic digital identity management architecture for distributed ledger

Publications (2)

Publication Number Publication Date
CN113486367A CN113486367A (en) 2021-10-08
CN113486367B true CN113486367B (en) 2022-05-03

Family

ID=77934844

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202110641068.8A Active CN113486367B (en) 2021-06-09 2021-06-09 High-performance extensible autonomous dynamic digital identity management architecture for distributed ledger

Country Status (1)

Country Link
CN (1) CN113486367B (en)

Families Citing this family (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN114679473B (en) * 2022-03-18 2022-12-23 青岛闪收付信息技术有限公司 Financial account management system and method based on distributed digital identity

Citations (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN110417750A (en) * 2019-07-09 2019-11-05 北京健网未来科技有限公司 File based on block chain technology is read and method, terminal device and the storage medium of storage
US10637665B1 (en) * 2016-07-29 2020-04-28 Workday, Inc. Blockchain-based digital identity management (DIM) system
CN112199714A (en) * 2020-12-04 2021-01-08 支付宝(杭州)信息技术有限公司 Privacy protection method and device based on block chain and electronic equipment
CN112199726A (en) * 2020-10-29 2021-01-08 中国科学院信息工程研究所 Block chain-based alliance trust distributed identity authentication method and system
CN112311530A (en) * 2020-10-29 2021-02-02 中国科学院信息工程研究所 Block chain-based alliance trust distributed identity certificate management authentication method
CN112580102A (en) * 2020-12-29 2021-03-30 郑州大学 Multi-dimensional digital identity authentication system based on block chain


Also Published As

Publication number Publication date
CN113486367A (en) 2021-10-08


Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant