CN113704734A - Distributed digital identity-based method for realizing certificate verification and related device - Google Patents


Info

Publication number
CN113704734A
Authority
CN
China
Prior art keywords
certificate
platform
electronic certificate
target user
party
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN202110797325.7A
Other languages
Chinese (zh)
Inventor
王晓亮
马宇峰
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Hangzhou Rivtower Technology Co Ltd
Original Assignee
Hangzhou Rivtower Technology Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F 21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F 21/60 Protecting data
    • G06F 21/602 Providing cryptographic facilities or services
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F 21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F 21/30 Authentication, i.e. establishing the identity or authorisation of security principals
    • G06F 21/31 User authentication
    • G06F 21/36 User authentication by graphic or iconic representation
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F 21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F 21/60 Protecting data
    • G06F 21/62 Protecting access to data via a platform, e.g. using keys or access control rules
    • G06F 21/6218 Protecting access to data via a platform, e.g. using keys or access control rules, to a system of files or objects, e.g. local or distributed file system or database

Abstract

One or more embodiments of the present specification disclose a method and related apparatus for implementing electronic certificate verification based on distributed digital identity. The scheme uses DID and cryptography to hide the certificate that would otherwise be exposed at the platform service side, so that user data is protected from leakage without requiring an authoritative platform to endorse it; the system needs fewer integrations and is easy to implement. Throughout the verification process, multiple certificates can be verified without the holder presenting a designated certificate: one code serves all, improving convenience of operation while ensuring data security.

Description

Distributed digital identity-based method for realizing certificate verification and related device
Technical Field
The present invention relates to the field of computer technologies, and in particular, to a method and a related apparatus for implementing credential verification based on distributed digital identities.
Background
When traditional system software provides services, the platform itself cannot be made truly trustworthy.
Taking an electronic license scenario as an example, the scenario involves 4 types of roles: the license holder, the government functional department, the license verifier, and the system platform party providing the overall service. Existing solutions still have the following disadvantages in practice:
when a license holder uses a client to apply for and use licenses, a different license has to be selected for each scenario, which is inconvenient; and because license information flows through the system platform side, the platform cannot be made truly trustworthy, so endorsement can only come from an authoritative platform operator.
In summary, existing certificate verification schemes suffer from potential data security hazards and inconvenient operation.
Disclosure of Invention
One or more embodiments of the present disclosure provide a method and a related apparatus for implementing credential verification based on distributed digital identity, so as to ensure the security of user data and convenience of operation, without requiring endorsement, on the basis of DID, cryptography, and graphic coding techniques.
To solve the above technical problem, one or more embodiments of the present specification are implemented as follows:
In a first aspect, a method for implementing electronic certificate verification based on distributed digital identity is provided, including:
after a platform user party creates a distributed digital identity DID for a target user, it applies to a certificate issuer for an electronic certificate through a platform service party;
after the target user passes qualification verification according to the target user's DID, the certificate issuer issues at least one electronic certificate for the target user and sends it, encrypted, to the platform service side, wherein each electronic certificate carries a mark representing the certificate type;
the platform service party generates a graphic code corresponding to the target user based on an image coding technology and sends the graphic code to the platform user party, wherein the platform service party locally maintains a certificate library corresponding to the target user in which the target user's at least one electronic certificate is stored;
when a verification requirement event occurs, the platform user party shows the graphic code to a certificate verifier;
the certificate verifier parses the graphic code, acquires from the platform service party an encrypted electronic certificate matching the certificate type of the current verification service, and returns the acquired encrypted electronic certificate to the platform user party for confirmation and authorization;
the platform user party sends the authorized encrypted electronic certificate to the certificate verifier through the platform service party;
and after the certificate verifier decrypts the encrypted electronic certificate, it verifies the original text of the electronic certificate.
In a second aspect, a system for implementing electronic certificate verification based on distributed digital identity is provided, including a platform user side, a platform service side, a certificate issuer and a certificate verifier, wherein:
after the platform user side creates a distributed digital identity DID for a target user, it applies to the certificate issuer for an electronic certificate through the platform service side;
after the target user passes qualification verification according to the target user's DID, the certificate issuer issues at least one electronic certificate for the target user and sends it, encrypted, to the platform service side, wherein each electronic certificate carries a mark representing the certificate type;
the platform service side generates a graphic code corresponding to the target user based on an image coding technology and sends the graphic code to the platform user side, wherein the platform service side locally maintains a certificate library corresponding to the target user in which the target user's at least one electronic certificate is stored;
when a verification requirement event occurs, the platform user side shows the graphic code to the certificate verifier;
the certificate verifier parses the graphic code, acquires from the platform service side an encrypted electronic certificate matching the certificate type of the current verification service, and returns the acquired encrypted electronic certificate to the platform user side for confirmation and authorization;
the platform user side sends the authorized encrypted electronic certificate to the certificate verifier through the platform service side;
and after the certificate verifier decrypts the encrypted electronic certificate, it verifies the original text of the electronic certificate.
In a third aspect, an electronic device is provided, including:
a processor; and
a memory arranged to store computer executable instructions that, when executed, cause the processor to perform the method performed by the subject in the first aspect.
In a fourth aspect, a computer-readable storage medium is presented, which stores one or more programs that, when executed by an electronic device comprising a plurality of application programs, cause the electronic device to perform the method of the first aspect performed by the executing subject.
According to the technical scheme provided by one or more embodiments of the specification, DID and cryptography are used to hide the certificate that would otherwise be exposed at the platform service side, so that user data is protected from leakage without requiring an authoritative platform to endorse it; the system needs fewer integrations and is easy to implement. Throughout the verification process, multiple certificates can be verified without the holder presenting a designated certificate: one code serves all, improving convenience of operation while ensuring data security.
Drawings
In order to more clearly illustrate one or more embodiments or prior art solutions of the present specification, reference will now be made briefly to the attached drawings, which are needed in the description of one or more embodiments or prior art, and it should be apparent that the drawings in the description below are only some of the embodiments described in the specification, and that other drawings may be obtained by those skilled in the art without inventive exercise.
Fig. 1 is a schematic diagram of an implementation architecture of an electronic certificate verification scheme according to an embodiment of the present specification.
Fig. 2 is a schematic step diagram of a method for implementing electronic certificate verification based on distributed digital identities according to an embodiment of the present specification.
Fig. 3a is a schematic flow chart of electronic license verification provided in an embodiment of the present specification.
Fig. 3b is a schematic flow chart of the identification card and passport verification provided by one embodiment of the present description.
Fig. 4 is a schematic diagram of a system structure for implementing electronic certificate verification based on distributed digital identity.
Fig. 5 is a schematic structural diagram of an electronic device provided in an embodiment of the present specification.
Detailed Description
In order to make the technical solutions in the present specification better understood, the technical solutions in one or more embodiments of the present specification will be clearly and completely described below with reference to the accompanying drawings in one or more embodiments of the present specification, and it is obvious that the one or more embodiments described are only a part of the embodiments of the present specification, and not all embodiments. All other embodiments that can be derived by a person skilled in the art from one or more of the embodiments described herein without making any inventive step shall fall within the scope of protection of this document.
Decentralized identifiers (DIDs) are decentralized, verifiable digital identifiers that are distributed, autonomously controllable, reusable across chains, and so on. The user entity (a natural person, enterprise, organization, etc.) can autonomously complete the registration, resolution, update or revocation of its DID. A DID is an identifier consisting of a string of characters that represents a digital identity and can be globally unique without a central registry. Typically, a user entity may possess multiple identities, each assigned a unique DID value and an associated asymmetric key pair. Different identities carry no information linking them to each other, which effectively prevents collection of the owner's identity information.
First, the implementation architecture of an electronic certificate verification scheme according to an embodiment of the present specification is described. Referring to fig. 1, the architecture includes a platform user side 102, a platform service side 104, a credential issuer 106, and a credential verifier 108. The platform user side 102 corresponds to the platform's service object, for example the target user performing the current credential application and verification, where the target user may be a natural person, an enterprise, an organization, or the like; the platform service side 104 provides the backend service for the platform user side 102. In a specific implementation, the platform user side 102 may be a mobile terminal such as a mobile phone, and the platform service side 104 may be a background server such as a computer. The credential issuer 106 may be a party (in practice a service terminal) issuing verifiable credentials (VCs), and the credential verifier 108 may be any credential-consuming entity that needs to verify the target user's identity information, such as a ticket gate or a bank counter. It should be understood that in this architecture there may be multiple credential issuers 106, so that the target user may apply for electronic credentials from different credential issuers 106; alternatively there may be a single credential issuer 106 that integrates multiple issuing functions, i.e. issues several different electronic credentials according to the target user's different applications.
Considering that current platform service parties generally favour a centralized system, the platform user side applies for and uses credentials through terminal software such as the app and h5 provided by the platform service side. The platform service side provides the service connection for the user terminal and the SDK integration for the credential issuer, and the credential verifier can verify the credential shown by the platform user side. In addition, in the embodiments of this specification, one graphic code is used to verify multiple electronic credentials of a target user, so one code serves all; cryptographic techniques protect the user's privacy under multi-party cooperation, avoid leakage at the centralized platform service side, and improve the security and standardization of applying for and verifying electronic credentials.
Example one
Referring to fig. 2, a schematic diagram of steps of a method for implementing electronic certificate verification based on distributed digital identity provided in an embodiment of the present specification is shown, where the method may include the following steps:
Step 202: after the platform user side creates a distributed digital identity DID for the target user, the platform user side applies to a certificate issuer for an electronic certificate through the platform service side.
The DID can be resolved to a DID Document, which includes the unique id of the DID, a list of public keys, details of each public key (holder, encryption algorithm, key status, etc.), and other attribute descriptions of the DID holder.
The platform user side can create one or more DIDs through the platform user side itself or through the platform service side; these DIDs are unrelated to one another and represent different identity information in different business fields. After the DID is created, the platform user side applies to the certificate issuer for the electronic certificate through the platform service side's terminal software. When applying, the DID it created for the business field of the requested certificate can be sent to the certificate issuer.
Step 204: after the target user passes qualification verification according to the target user's DID, the certificate issuer issues at least one electronic certificate for the target user and sends it, encrypted, to the platform service side, wherein each electronic certificate carries a mark representing the certificate type.
In embodiments of the present specification, the electronic voucher may be a verifiable voucher defined according to different voucher types, such as a certificate (identification card, passport, driver's license, etc.), a contract, a ticket, and so on.
The certificate issuer verifies whether the target user is qualified to claim the certificate by matching data against the received DID; if so, it issues the electronic certificate for the target user, otherwise it does not. It should be understood that when the platform user side applies for electronic certificates, it can apply for one certificate type or several certificate types at the same time, according to its own needs. For example, a license alone may be applied for in one application operation, or a license and a passport may be applied for together.
After issuing the electronic certificate, the certificate issuer encrypts it using the corresponding cryptographic technique and sends it to the platform service side for storage. Since the target user may have applied for more than one electronic certificate, each electronic certificate is given a mark representing its certificate type, to distinguish them and to support subsequent verification. The mark may be a unified mark negotiated between the certificate issuer and the certificate verifier: for example, the mark negotiated for the certificate type corresponding to the identity card is x, and the mark negotiated for the electronic certificate type corresponding to the passport is the physical address of the passport issuer.
Optionally, when encrypting each electronic certificate, the certificate issuer may first obtain the target user's public key from the blockchain; it then encrypts the original text of the electronic certificate with a local symmetric key to obtain the encrypted electronic certificate, and encrypts the symmetric key with the target user's public key to obtain a first encryption result.
Step 206: the platform service side generates a graphic code corresponding to the target user based on an image coding technology and sends it to the platform user side, wherein the platform service side locally maintains a certificate library corresponding to the target user in which the target user's at least one electronic certificate is stored.
In the scheme of this application, to avoid the inconvenience of the platform user side having to present a different electronic certificate for verification in each service scenario, all of the target user's electronic certificates are maintained in one certificate library, and the graphic code generated for the target user is a link pointing to the certificate library where all the electronic certificates are located. That is, the graphic code links to the certificate library, in which each electronic certificate is indexed by its certificate type. During verification, the original text of the corresponding electronic certificate can therefore be located by certificate type, so the certificate holder does not need to open a specific certificate when presenting, and one code serves all.
Step 208: when a verification requirement event occurs, the platform user side shows the graphic code to a certificate verifier.
The graphic code is a two-dimensional code or a bar code.
Step 210: the certificate verifier parses the graphic code, acquires from the platform service side an encrypted electronic certificate matching the certificate type of the current verification service, and returns the acquired encrypted electronic certificate to the platform user side for confirmation and authorization.
Optionally, the certificate verifier parses the graphic code to obtain the uniform resource locator (URL) corresponding to it; based on the address specified by the URL, it locates the certificate library corresponding to the target user and obtains the encrypted electronic certificate matching the certificate type of the verification service.
Further, the platform user side issues an authorization instruction and decrypts the first encryption result with the target user's private key to obtain the symmetric key; it then encrypts the symmetric key with the obtained public key of the certificate verifier to obtain a second encryption result.
Step 212: the platform user side sends the authorized encrypted electronic certificate to the certificate verifier through the platform service side.
Step 214: after the certificate verifier decrypts the encrypted electronic certificate, it verifies the original text of the electronic certificate.
Optionally, the certificate verifier decrypts the received second encryption result with its local private key to obtain the symmetric key, and decrypts the encrypted electronic certificate with the symmetric key to obtain the original text of the electronic certificate.
Further, when the platform user side applies to the certificate issuer for a new electronic certificate through the platform service side, the certificate issuer, after verifying the target user's qualification according to the target user's DID, issues the new electronic certificate for the target user and sends it, encrypted, to the platform service side; the platform service side then adds the newly encrypted electronic certificate to the locally maintained certificate library corresponding to the target user. The generated graphic code therefore never needs to be modified: only the index of the new electronic certificate needs to be added to the certificate library, or the index of an existing electronic certificate deleted, which makes the electronic certificate library easy to update.
It should be appreciated that DIDs created by the platform user side will typically be stored on-chain, i.e. uploaded to blockchain storage. In this way, the platform user side's public key carried in the DID can be made public (the credential issuer, credential verifier, etc. can access a node of the blockchain).
The following description takes an electronic license as an example.
Refer to the flow chart of electronic license application and verification shown in fig. 3a.
The platform user side initiates an electronic license application.
This triggers the platform service side to call the interface.
The license issuer issues the electronic license: first, it issues the electronic certificate; next, it obtains the platform user side's public key from the chain; then, it encrypts the original text of the electronic certificate (M) with a local symmetric key (K) to obtain the encrypted electronic certificate EK(M); finally, it encrypts the symmetric key (K) with the platform user side's public key PK to obtain the encryption result EPK(K).
The platform service side retains the encryption result EPK(K) and the encrypted electronic certificate EK(M), and generates the two-dimensional code.
In the verification scenario, the platform user side presents the two-dimensional code to the license verifier.
Primary verification by the certificate verifier: it obtains the URL from the two-dimensional code, concatenates it with what is to be verified, and the complete URL is returned once the certificate code has been verified.
This triggers the platform service side to call the corresponding interface.
The platform user side confirms authorization: first, the target user confirms the authorization to release; then, EPK(K) is decrypted with the local private key to obtain K; then, K is encrypted with the certificate verifier's public key (PV) to obtain the ciphertext EPV(K).
This triggers the platform service side to call the corresponding interface.
Secondary verification by the certificate verifier: first, the received EPV(K) is decrypted with the local private key to obtain K; then, the encrypted electronic certificate EK(M) retained by the service platform side is decrypted with K to obtain the original text (M) of the electronic certificate; finally, the validity of the original text of the electronic certificate is verified.
Further, referring to fig. 3b, Xiaoming's platform client uses a mobile phone to apply to the government functional department, through the platform server, for an ID card and a passport respectively.
The platform client creates the DID and applies for the identification card and passport.
The platform server calls the corresponding interface.
The government functional department issues an electronic identity card and an electronic passport, each encrypted separately: electronic identity card 01 - EPK(K) & EK(M1); electronic passport 02 - EPK(K) & EK(M2).
The platform server generates a two-dimensional code.
The platform user side presents the two-dimensional code.
Verifier A parses the two-dimensional code and obtains electronic identity card 01; meanwhile, verifier B parses the two-dimensional code and obtains electronic passport 02.
Verifier A and verifier B each call the interface.
After the platform user side confirms the authorization a second time, it decrypts and re-encrypts to obtain EPV(K).
The platform user side calls the interfaces to return the results to verifier A and verifier B respectively.
Verifier A decrypts to obtain M1, and verifier B decrypts to obtain M2; each then performs its own check.
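The issue, authorize and verify exchange described in steps 204 to 214 and in the fig. 3a and 3b flows, written out as an added example that is not part of the patent: the issuer seals M under a fresh symmetric key K and wraps K for the holder as EPK(K), the holder unwraps K and rewraps it for exactly one verifier as EPV(K), and that verifier recovers M from the EK(M) held by the platform. The patent names no algorithms, so AES-256-GCM for EK(M), RSA-OAEP for the key wrapping, binding the certificate type tag to EK(M) as associated data, and the key pairs generated by mustKey in place of keys bound to DIDs are all assumptions of this example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
	"io"
)

// EncryptedCredential is what the platform service side stores per credential type.
type EncryptedCredential struct {
	Type       string // tag negotiated by issuer and verifier: "01" ID card, "02" passport (fig. 3b)
	Ciphertext []byte // EK(M): AES-256-GCM under K, nonce prefixed; Type bound as AAD (assumption)
	WrappedKey []byte // EPK(K): RSA-OAEP under the holder's on-chain public key PK
}

func gcmFor(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// mustKey stands in for the key pair bound to a party's DID.
func mustKey() *rsa.PrivateKey {
	k, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		panic(err)
	}
	return k
}

// Issue is the issuer's step: fresh K, EK(M), then EPK(K). Only this pair reaches the platform, never M.
func Issue(holderPub *rsa.PublicKey, credType string, original []byte) (EncryptedCredential, error) {
	k := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, k); err != nil {
		return EncryptedCredential{}, err
	}
	gcm, err := gcmFor(k)
	if err != nil {
		return EncryptedCredential{}, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return EncryptedCredential{}, err
	}
	ct := gcm.Seal(nonce, nonce, original, []byte(credType))
	epk, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, holderPub, k, nil)
	if err != nil {
		return EncryptedCredential{}, err
	}
	return EncryptedCredential{Type: credType, Ciphertext: ct, WrappedKey: epk}, nil
}

// Authorize is the holder's confirmation: unwrap K with the holder's private key
// and rewrap it for exactly one verifier as EPV(K); EK(M) is not touched.
func Authorize(holderPriv *rsa.PrivateKey, verifierPub *rsa.PublicKey, cred EncryptedCredential) ([]byte, error) {
	k, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, holderPriv, cred.WrappedKey, nil)
	if err != nil {
		return nil, err
	}
	return rsa.EncryptOAEP(sha256.New(), rand.Reader, verifierPub, k, nil)
}

// Verify is the verifier's second step: unwrap EPV(K) with its own private key,
// then open the EK(M) fetched from the platform's credential library to recover M.
func Verify(verifierPriv *rsa.PrivateKey, cred EncryptedCredential, epv []byte) ([]byte, error) {
	k, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, verifierPriv, epv, nil)
	if err != nil {
		return nil, err
	}
	gcm, err := gcmFor(k)
	if err != nil {
		return nil, err
	}
	if len(cred.Ciphertext) < gcm.NonceSize() {
		return nil, fmt.Errorf("credential %s: ciphertext too short", cred.Type)
	}
	nonce, ct := cred.Ciphertext[:gcm.NonceSize()], cred.Ciphertext[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ct, []byte(cred.Type))
}

func main() {
	holder, verifier := mustKey(), mustKey()
	// Constructed sample: Xiaoming's electronic ID card, tag "01" (fig. 3b).
	cred, err := Issue(&holder.PublicKey, "01", []byte("ID card: Xiaoming"))
	if err != nil {
		panic(err)
	}
	epv, err := Authorize(holder, &verifier.PublicKey, cred)
	if err != nil {
		panic(err)
	}
	m, err := Verify(verifier, cred, epv)
	fmt.Printf("verifier recovered M=%q (err=%v)\n", m, err)
}
```

The platform service side, which stores only EK(M) and EPK(K), cannot recover M, and a second verifier holding an EPV(K) wrapped for another verifier cannot either.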
Through this technical scheme, DID and cryptography are used to hide the certificate that would otherwise be exposed at the platform service side, so that user data is protected from leakage without requiring an authoritative platform to endorse it; the system needs fewer integrations and is easy to implement. Throughout the verification process, multiple certificates can be verified without the holder presenting a designated certificate: one code serves all, improving convenience of operation while ensuring data security.
Example two
Referring to fig. 4, a system 400 for implementing electronic certificate verification based on distributed digital identity is provided for the embodiments of this specification, where the system 400 includes a platform user side 402, a platform service side 404, a credential issuer 406, and a credential verifier 408, wherein:
after the platform user side 402 creates a distributed digital identity DID for the target user, it applies to the credential issuer 406 for an electronic certificate through the platform service side 404;
the credential issuer 406 issues at least one electronic certificate for the target user after the target user passes qualification audit according to the target user's DID, and sends it, encrypted, to the platform service side 404, wherein each electronic certificate carries a mark representing its certificate type;
the platform service side 404 generates a graphic code corresponding to the target user based on an image coding technology and sends it to the platform user side 402, wherein the platform service side 404 locally maintains a credential library corresponding to the target user in which the target user's at least one electronic credential is stored;
when a verification requirement event occurs, the platform user side 402 presents the graphic code to the credential verifier 408;
the credential verifier 408 parses the graphic code, obtains from the platform service side 404 an encrypted electronic certificate matching the certificate type of the current verification service, and returns the obtained encrypted electronic certificate to the platform user side 402 for confirmation and authorization;
the platform user side 402 sends the authorized encrypted electronic certificate to the credential verifier 408 through the platform service side 404;
the credential verifier 408 decrypts the encrypted electronic certificate and verifies the original text of the electronic certificate.
Optionally, as an embodiment, when the certificate issuer encrypts each electronic certificate, the public key of the target user is acquired from the blockchain; and encrypting the electronic certificate original text by using a local symmetric key to obtain an encrypted electronic certificate, and encrypting the symmetric key by using the public key of the target user to obtain a first encryption result.
In a specific implementation manner of the embodiment of the present specification, the credential verifier parses the graphics code to obtain a uniform resource locator URL corresponding to the graphics code; and based on the address specified by the URL, finding out a certificate library corresponding to the target user, and obtaining an encrypted electronic certificate matched with the certificate type of the verification service.
In another specific implementation manner of the embodiment of the present specification, the platform user side issues an authorization instruction, and decrypts the first encryption result using the private key of the target user to obtain a symmetric key; and encrypting the symmetric key based on the obtained public key of the certificate verifier to obtain a second encryption result.
In another specific implementation manner of the embodiment of the present specification, the credential verifier decrypts the received second encryption result using a local private key to obtain a symmetric key; and decrypting the encrypted electronic certificate by using the symmetric key to obtain the original text of the electronic certificate.
In another specific implementation manner of the embodiment of the present specification, the platform user side applies to the certificate issuer, through the platform service party, for a new electronic certificate; after the certificate issuer verifies the qualification of the target user according to the DID of the target user, it issues a new electronic certificate for the target user, encrypts it, and sends it to the platform service party; the platform service party then adds the newly encrypted electronic certificate to the locally maintained certificate library corresponding to the target user.
In another specific implementation manner of the embodiment of the present specification, the graphic code is a two-dimensional code or a barcode.
Through the technical scheme, based on DID and cryptography, the certificates that would otherwise be exposed at the platform service side are effectively hidden, so that user data is protected from disclosure without requiring an authoritative platform to act as endorser; fewer system integrations are needed and implementation is easy. In the whole verification process, verification of multiple certificates can be completed without presenting a designated certificate for each, a single code serves all verifications, and operational convenience is improved while data security is ensured.
Example three
Fig. 5 is a schematic structural diagram of an electronic device according to an embodiment of the present specification. Referring to fig. 5, at the hardware level the electronic device includes a processor and optionally further includes an internal bus, a network interface, and a memory. The memory may include a volatile memory such as a Random-Access Memory (RAM), and may further include a non-volatile memory such as at least one disk storage. Of course, the electronic device may also include hardware required for other services.
The processor, the network interface, and the memory may be connected to each other via an internal bus, which may be an ISA (Industry Standard Architecture) bus, a PCI (Peripheral Component Interconnect) bus, an EISA (Extended Industry Standard Architecture) bus, or the like. The bus may be divided into an address bus, a data bus, a control bus, etc. For ease of illustration, only one double-headed arrow is shown in FIG. 5, but this does not indicate only one bus or one type of bus.
The memory is used for storing programs. In particular, a program may include program code comprising computer operating instructions. The memory may include both volatile memory and non-volatile storage, and provides instructions and data to the processor.
The processor reads the corresponding computer program from the non-volatile memory into the memory and then runs the computer program, and forms each execution body in the system shown in fig. 4 on a logic level. And the processor executes the program stored in the memory and is specifically used for executing the operation of each execution main body in the system shown in fig. 4.
The method performed by the apparatus according to the embodiments shown in fig. 2 and fig. 3 of the present specification can be applied to or implemented by a processor. The processor may be an integrated circuit chip having signal processing capabilities. In implementation, the steps of the above method may be performed by integrated logic circuits of hardware in the processor or by instructions in the form of software. The processor may be a general-purpose processor, including a Central Processing Unit (CPU), a Network Processor (NP), and the like; it may also be a Digital Signal Processor (DSP), an Application Specific Integrated Circuit (ASIC), a Field Programmable Gate Array (FPGA) or other programmable logic device, a discrete gate or transistor logic device, or discrete hardware components. The methods, steps, and logic blocks disclosed in one or more embodiments of the present specification may be implemented or performed by such a processor. A general-purpose processor may be a microprocessor, or the processor may be any conventional processor or the like. The steps of a method disclosed in connection with one or more embodiments of the present disclosure may be embodied directly in hardware, in a software module executed by a hardware decoding processor, or in a combination of hardware and software modules executed by a hardware decoding processor. The software module may be located in RAM, flash memory, ROM, PROM, or EPROM, registers, or other storage media well known in the art. The storage medium is located in a memory; the processor reads the information in the memory and completes the steps of the method in combination with its hardware.
The electronic device may also execute the method in fig. 2 and fig. 3, and implement the functions of the corresponding apparatus in the embodiments shown in fig. 2 and fig. 3, which are not described herein again in this specification.
Of course, besides the software implementation, the electronic device of the embodiment of the present disclosure does not exclude other implementations, such as a logic device or a combination of software and hardware, and the like, that is, the execution subject of the following processing flow is not limited to each logic unit, and may also be hardware or a logic device.
Example four
Embodiments of the present specification also propose a computer-readable storage medium storing one or more programs, the one or more programs comprising instructions, which when executed by a portable electronic device comprising a plurality of application programs, are capable of causing the portable electronic device to perform the methods of the embodiments shown in fig. 2 and 3, and in particular for performing the methods of the execution bodies of the system shown in fig. 4.
In short, the above description is only a preferred embodiment of the present disclosure, and is not intended to limit the scope of the present disclosure. Any modification, equivalent replacement, improvement and the like made within the spirit and principle of the present specification shall be included in the protection scope of the present specification.
The system, apparatus, module or unit illustrated in one or more of the above embodiments may be implemented by a computer chip or an entity, or by an article of manufacture with a certain functionality. One typical implementation device is a computer. In particular, the computer may be, for example, a personal computer, a laptop computer, a cellular telephone, a camera phone, a smartphone, a personal digital assistant, a media player, a navigation device, an email device, a game console, a tablet computer, a wearable device, or a combination of any of these devices.
Computer-readable media, including both permanent and non-permanent, removable and non-removable media, may implement information storage by any method or technology. The information may be computer-readable instructions, data structures, modules of a program, or other data. Examples of computer storage media include, but are not limited to, phase change memory (PRAM), Static Random Access Memory (SRAM), Dynamic Random Access Memory (DRAM), other types of Random Access Memory (RAM), Read Only Memory (ROM), Electrically Erasable Programmable Read Only Memory (EEPROM), flash memory or other memory technology, compact disc read only memory (CD-ROM), Digital Versatile Discs (DVD) or other optical storage, magnetic cassettes, magnetic tape or magnetic disk storage or other magnetic storage devices, or any other non-transmission medium that can be used to store information accessible by a computing device. As defined herein, a computer-readable medium does not include a transitory computer-readable medium such as a modulated data signal or a carrier wave.
It should also be noted that the terms "comprises," "comprising," or any other variation thereof are intended to cover a non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or apparatus. Without further limitation, an element defined by the phrase "comprising a …" does not exclude the presence of other like elements in the process, method, article, or apparatus that comprises the element.
The embodiments in the present specification are described in a progressive manner, and the same and similar parts among the embodiments are referred to each other, and each embodiment focuses on the differences from the other embodiments. In particular, for the system embodiment, since it is substantially similar to the method embodiment, the description is simple, and for the relevant points, reference may be made to the partial description of the method embodiment.
The foregoing description has been directed to specific embodiments of this disclosure. Other embodiments are within the scope of the following claims. In some cases, the actions or steps recited in the claims may be performed in a different order than in the embodiments and still achieve desirable results. In addition, the processes depicted in the accompanying figures do not necessarily require the particular order shown, or sequential order, to achieve desirable results. In some embodiments, multitasking and parallel processing may also be possible or may be advantageous.

Claims (10)

1. A method for implementing electronic certificate verification based on distributed digital identity comprises the following steps:
after a platform user party creates a distributed digital identity DID for a target user, it applies to a certificate issuer, through a platform service party, for an electronic certificate;
after the certificate issuer verifies the qualification of the target user according to the DID of the target user, the certificate issuer issues at least one electronic certificate for the target user, encrypts it, and sends it to the platform service party, wherein each electronic certificate carries a mark representing the type of the certificate;
the platform service party generates a graphic code corresponding to the target user based on an image coding technology and sends the graphic code to the platform user party, wherein the platform service party locally maintains a certificate library corresponding to the target user, and at least one electronic certificate of the target user is stored in the certificate library;
when a verification requirement event occurs, the platform user shows the graphic code to a certificate verifier;
the certificate verifying party analyzes the graphic code, acquires an encrypted electronic certificate matched with the certificate type of the current verification service from the platform service party, and returns the acquired encrypted electronic certificate to the platform user party for confirmation and authorization;
the platform user party sends the authorized encrypted electronic certificate to the certificate verifier through the platform service party;
and after the certificate verifying party decrypts the encrypted electronic certificate, verifying the original text of the electronic certificate.
2. The method for implementing electronic certificate verification based on distributed digital identity as claimed in claim 1, wherein the encryption of each electronic certificate by said certificate issuer comprises:
acquiring a public key of the target user from a block chain;
and encrypting the electronic certificate original text by using a local symmetric key to obtain an encrypted electronic certificate, and encrypting the symmetric key by using the public key of the target user to obtain a first encryption result.
3. The method for implementing electronic certificate verification based on distributed digital identity according to claim 1, wherein the certificate verifying party parses the graphic code and obtains an encrypted electronic certificate matching the certificate type of the current verification service from the platform service party, specifically comprising:
the certificate verifying party analyzes the graphic code to obtain a Uniform Resource Locator (URL) corresponding to the graphic code;
and based on the address specified by the URL, finding out a certificate library corresponding to the target user, and obtaining an encrypted electronic certificate matched with the certificate type of the verification service.
4. The method for implementing electronic certificate verification based on distributed digital identity as claimed in claim 2, wherein said platform user side performing confirmation and authorization specifically comprises:
the platform user side issues an authorization instruction, and decrypts the first encryption result by using a private key of the target user to obtain a symmetric key; and
and encrypting the symmetric key based on the obtained public key of the certificate verifier to obtain a second encryption result.
5. The method for implementing electronic certificate verification based on distributed digital identity as claimed in claim 4, wherein the certificate verifier decrypts the encrypted electronic certificate, specifically comprising:
the certificate verifying party decrypts the received second encryption result by using a local private key to obtain a symmetric key;
and decrypting the encrypted electronic certificate by using the symmetric key to obtain the original text of the electronic certificate.
6. The method for implementing electronic credential verification based on distributed digital identity of claim 1, further comprising:
the platform user side applies to the certificate issuer, through the platform service side, for a new electronic certificate;
after the certificate issuer verifies the qualification of the target user according to the DID of the target user, the certificate issuer issues a new electronic certificate for the target user, encrypts it, and sends it to the platform service party;
and the platform service party adds the newly encrypted electronic certificate in a locally maintained certificate library corresponding to the target user.
7. The method for implementing electronic certificate verification based on distributed digital identity as claimed in any one of claims 1-6, wherein said graphic code is a two-dimensional code or a bar code.
8. A system for implementing electronic certificate verification based on distributed digital identities, comprising: a platform user side, a platform service side, a certificate issuer and a certificate verifier; wherein:
after the platform user party creates a distributed digital identity DID for a target user, it applies to the certificate issuer, through the platform service party, for an electronic certificate;
after the certificate issuer verifies the qualification of the target user according to the DID of the target user, the certificate issuer issues at least one electronic certificate for the target user, encrypts it, and sends it to the platform service party, wherein each electronic certificate carries a mark representing the type of the certificate;
the platform service party generates a graphic code corresponding to the target user based on an image coding technology and sends the graphic code to the platform user party, wherein the platform service party locally maintains a certificate library corresponding to the target user, and at least one electronic certificate of the target user is stored in the certificate library;
when a verification requirement event occurs, the platform user shows the graphic code to a certificate verifier;
the certificate verifying party analyzes the graphic code, acquires an encrypted electronic certificate matched with the certificate type of the current verification service from the platform service party, and returns the acquired encrypted electronic certificate to the platform user party for confirmation and authorization;
the platform user party sends the authorized encrypted electronic certificate to the certificate verifier through the platform service party;
and after the certificate verifying party decrypts the encrypted electronic certificate, verifying the original text of the electronic certificate.
9. An electronic device, comprising:
a processor; and
a memory arranged to store computer executable instructions that, when executed, cause the processor to perform the method performed by the execution body in any one of claims 1-7.
10. A computer readable storage medium storing one or more programs which, when executed by an electronic device comprising a plurality of application programs, cause the electronic device to perform the method performed by the main body in any one of claims 1-7.
CN202110797325.7A 2021-07-14 2021-07-14 Distributed digital identity-based method for realizing certificate verification and related device Pending CN113704734A (en)

Publications (1)

Publication Number Publication Date
CN113704734A true CN113704734A (en) 2021-11-26

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination