CN113704775B - Service processing method and related device based on distributed digital identity - Google Patents

Publication number
CN113704775B
Authority
CN
China
Prior art keywords
electronic
service
voucher
certificate
user
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active
Application number
CN202110797332.7A
Other languages
Chinese (zh)
Other versions
CN113704775A (en
Inventor
王晓亮
俞之贝
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Hangzhou Rivtower Technology Co Ltd
Original Assignee
Hangzhou Rivtower Technology Co Ltd
Application filed by Hangzhou Rivtower Technology Co Ltd filed Critical Hangzhou Rivtower Technology Co Ltd
Priority to CN202110797332.7A priority Critical patent/CN113704775B/en
Publication of CN113704775A publication Critical patent/CN113704775A/en
Application granted granted Critical
Publication of CN113704775B publication Critical patent/CN113704775B/en
Active legal-status Critical Current
Anticipated expiration legal-status Critical

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60 Protecting data
    • G06F21/62 Protecting access to data via a platform, e.g. using keys or access control rules
    • G06F21/6218 Protecting access to data via a platform, e.g. using keys or access control rules to a system of files or objects, e.g. local or distributed file system or database
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F16/00 Information retrieval; Database structures therefor; File system structures therefor
    • G06F16/20 Information retrieval; Database structures therefor; File system structures therefor of structured data, e.g. relational data
    • G06F16/27 Replication, distribution or synchronisation of data between databases or within a distributed database system; Distributed database system architectures therefor
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60 Protecting data
    • G06F21/602 Providing cryptographic facilities or services

Abstract

One or more embodiments of the present disclosure disclose a service processing method and related device based on distributed digital identity. In this scheme, by using DID technology, the user side obtains stronger privacy protection through encryption in service scenarios triggered in real time, and the right to select which certificate contents are submitted for verification is handed to the user side, so that data leakage possibly caused by retention on other platforms is avoided and the security of the user data is ensured as far as possible. In addition, state information is maintained on the blockchain for the certificates stored there as evidence, so that the accuracy of user verification can be ensured. Thus, data security and service processing efficiency in the credential verification process are improved as a whole.

Description

Service processing method and related device based on distributed digital identity
Technical Field
The present document relates to the field of blockchain technologies, and in particular, to a service processing method based on distributed digital identities and a related device.
Background
Traditional financial institutions serve the financial system in a centralized manner, playing the roles of information matching, credit guarantee and resource allocation.
However, with the increasing number of counter-parties, increasingly complex transaction patterns, and more diversified data exchange requirements, the centralized mode of operation of conventional financial institutions is challenged. In information processing especially, financial institutions need to invest huge cost to solve the problem of information asymmetry. Many financial institutions have put forward digital transformation plans, but most of them merely move offline business online, treating the symptoms rather than the root cause.
In particular, in existing financial service scenarios that involve multi-party information interaction and verification, neither the security of service data nor the verification efficiency can be ensured.
Disclosure of Invention
An object of one or more embodiments of the present disclosure is to provide a service processing method and related device based on distributed digital identity, so as to improve data security and service processing efficiency in a credential verification process.
To solve the above technical problems, one or more embodiments of the present specification are implemented as follows:
in a first aspect, a service processing method based on distributed digital identity is provided, including:
after a user side creates a distributed digital identity DID for a target user, sending a service request to a service side;
the business side returns a verification requirement, wherein the verification requirement at least comprises: the type of the certificate to be verified for executing the service at this time;
the user side applies for electronic certificates to at least one issuer respectively based on the certificate types in the verification requirements;
the at least one issuer issues, for the target user, electronic certificates associated with the corresponding DIDs, encrypts them and sends them to the user side; meanwhile, the electronic certificates are signed and then sent to a blockchain for evidence storage, wherein state information representing the validity of each electronic certificate is maintained on the blockchain for each electronic certificate;
after decrypting the encrypted electronic certificates, the user side selects one or more certificate contents of each electronic certificate, encrypts the selected contents by using the public key of the service party and transmits them to the service party;
and the service party decrypts the received certificate contents by using its own private key, verifies the decrypted certificate contents based on the electronic certificate signatures stored on the blockchain and the corresponding state information, and executes the service after the verification is passed.
In a second aspect, a service processing system based on distributed digital identity is provided, including: a user side, a business side and an issuer side; wherein,
after a user side creates a distributed digital identity DID for a target user, sending a service request to a service side;
the business side returns a verification requirement, wherein the verification requirement at least comprises: the type of the certificate to be verified for executing the service at this time;
the user side applies for electronic certificates to at least one issuer respectively based on the certificate types in the verification requirements;
the at least one issuer issues, for the target user, electronic certificates associated with the corresponding DIDs, encrypts them and sends them to the user side; meanwhile, the electronic certificates are signed and then sent to a blockchain for evidence storage, wherein state information representing the validity of each electronic certificate is maintained on the blockchain for each electronic certificate;
after decrypting the encrypted electronic certificates, the user side selects one or more certificate contents of each electronic certificate, encrypts the selected contents by using the public key of the service party and transmits them to the service party;
and the service party decrypts the received certificate contents by using its own private key, verifies the decrypted certificate contents based on the electronic certificate signatures stored on the blockchain and the corresponding state information, and executes the service after the verification is passed.
In a third aspect, an electronic device is provided, comprising:
a processor; and
a memory arranged to store computer executable instructions that, when executed, cause the processor to perform the method performed by the respective execution body described above.
In a fourth aspect, a computer-readable storage medium is provided, which stores one or more programs that, when executed by an electronic device that includes a plurality of application programs, cause the electronic device to execute the method performed by the respective execution bodies described above.
According to the technical scheme provided by one or more embodiments of the present description, by using DID technology, the user side obtains stronger privacy protection through encryption in service scenarios triggered in real time, and the right to select which certificate contents are submitted for verification is handed to the user side, so that data leakage possibly caused by retention on other platforms is avoided and the security of the user data is ensured as far as possible. In addition, state information is maintained on the blockchain for the certificates stored there as evidence, so that the accuracy of user verification can be ensured. Thus, data security and service processing efficiency in the credential verification process are improved as a whole.
Drawings
To describe one or more embodiments of the present description or the solutions of the prior art more clearly, the accompanying drawings used in describing the embodiments or the prior art are briefly introduced below. The drawings described below are only some of the embodiments in the description, and a person skilled in the art can obtain other drawings from them without inventive effort.
Fig. 1 is a system architecture for implementing a service processing scheme based on DID according to an embodiment of the present disclosure.
Fig. 2 is a schematic step diagram of a service processing method based on distributed digital identity according to an embodiment of the present disclosure.
Fig. 3 is a business flow diagram of a commercial loan for houses provided in an embodiment of the present disclosure.
Fig. 4 is a schematic structural diagram of a service processing system based on distributed digital identity according to an embodiment of the present disclosure.
Fig. 5 is a schematic structural diagram of an electronic device according to an embodiment of the present disclosure.
Detailed Description
In order that those skilled in the art will better understand the technical solutions in this specification, the technical solutions in one or more embodiments of this specification are described clearly and completely below with reference to the accompanying drawings. The embodiments described are only a part of the embodiments of this specification, not all of them. All other embodiments that can be obtained from one or more embodiments of the present disclosure without inventive effort are intended to be within the scope of the present disclosure.
The distributed identity identifier (Decentralized Identifiers, DID) is a decentralised verifiable digital identifier and has the characteristics of being distributed, independently controllable, cross-chain multiplexing and the like. The user entity (natural person or enterprise, organization, etc.) can autonomously complete registration, resolution, update or revocation operations of the DID. DID is an identifier consisting of a string of characters to represent a digital identity that can be globally unique without the need for a central registration authority. Typically, a user entity may possess multiple identities, each assigned a unique DID value, and an asymmetric key associated therewith. No association information exists between different identities, so that the aggregation of identity information of owners is effectively avoided.
First, a system architecture for implementing the DID-based service processing scheme of the embodiments of the present disclosure is described. Referring to fig. 1, the system architecture includes: a user side 102, a service party 104, an issuer 106, and an agent 108. The user side 102 corresponds to the object served by the platform, for example a target user operating the present certificate application and verification service, where the target user may be a natural person or an enterprise, an organization, etc.; the service party 104 is configured to provide back-end services (specifically, verification services and business services) to the user side 102. In a specific implementation, the user side 102 may be a mobile terminal such as a mobile phone, and the service party 104 may be a back-end server such as a computer. The issuer 106 may be an authority (in practice, a corresponding service terminal) that issues verifiable credentials (VC), and the agent 108 may be an authority that provides KYC services and creates DIDs for entities. It should be appreciated that in this system architecture there may be multiple issuers 106, and the target user may apply for electronic certificates from different issuers 106; there may also be a single issuer 106 that integrates multiple certificate-issuing functions, i.e., issues multiple different electronic certificates according to the different applications of the target user.
In this scheme, DID technology provides an identity identification and trusted data exchange solution with global mutual recognition, portability and interoperability. By creating DIDs for user entities (enterprises, individuals) and issuing verifiable credentials (VC), a series of services such as distributed entity identification and management and trusted data exchange protocols are realized. A user-centric, privacy-preserving, security-compliant data exchange paradigm is provided for decentralized services, particularly financial services. This also expands the customer-acquisition capability of the business institution's ecosystem and opens up its business capabilities to a greater extent.
Example 1
Referring to fig. 2, a schematic step diagram of a service processing method based on distributed digital identity according to an embodiment of the present disclosure is provided, where the method may include the following steps:
Step 202: after the user side creates a distributed digital identity DID for the target user, a service request is sent to the service side.
Optionally, when the user side creates the distributed digital identity DID for the target user, the method may specifically include:
creating a DID for the target user through the agent; the agent side only allows the user side to access the data, or the agent side allows the user side and the service side to access the data, or the agent side opens the access right.
The DID may be specifically parsed into a DID Document that includes a unique identification code of the DID, a list of public keys and detailed information of the public keys (holder, encryption algorithm, key status, etc.), and other attribute descriptions of the DID holder. The user side can complete identity authentication through the proxy side, and create and generate one or more DIDs, wherein the DIDs are not related, and represent different identity information in different service fields.
The user side initiates a service request to the service side based on the created DID, and it should be understood that the service request may carry the DID related information of the target user, so as to facilitate the service side to identify the identity.
Step 204: the business side returns a verification requirement, wherein the verification requirement at least comprises: the type of credential that needs to be verified to perform this service.
After the user side initiates the service application, the service side is not triggered to directly perform service operation. Instead, the service party returns to the user party a verification requirement for subsequent identity and service authority verification of the user party, where the verification requirement includes at least a credential type that needs to be verified for executing the service. For example, the credential types may include tax certificates, housing certificates, academic certificates, and the like.
Step 206: the user side applies for the electronic certificate to at least one issuer respectively based on the certificate type in the verification requirement.
After learning the certificate types required for the service party's verification, the user side can apply for electronic certificates from the issuers corresponding to those certificate types. The verification requirement may contain only one certificate type, in which case the user side only needs to apply for the electronic certificate from the issuer corresponding to that type; the verification requirement may also include a plurality of certificate types, in which case the user side applies for the different electronic certificates from the issuers corresponding to the respective types.
Step 208: the at least one issuer issues, for the target user, electronic certificates associated with the corresponding DIDs, encrypts them and sends them to the user side; meanwhile, the electronic certificates are signed and then sent to a blockchain for evidence storage, wherein state information representing the validity of each electronic certificate is maintained on the blockchain for each electronic certificate.
The issuer performs data matching based on the received DID and checks whether the target user is eligible to claim the certificate; if so, the electronic certificate is issued for the target user, and if not, it is not issued. Optionally, when each issuer encrypts the issued electronic certificate, this may specifically include: obtaining the public key of the target user from the blockchain; encrypting the electronic certificate by using a local symmetric key to obtain an encrypted electronic certificate, and encrypting the symmetric key by using the public key of the target user to obtain an encryption result. The encrypted electronic certificate is then sent to the user side. Meanwhile, the issuer signs the electronic certificates by using its local private key and sends them to the blockchain for evidence storage. After storage, state information is maintained on the blockchain for each electronic certificate, and this state information represents the validity of the electronic certificate. For example, the state information may be an aging mark (a validity period): if the validity period has been exceeded, the certificate is determined to be invalid. For another example, the state information may be a status flag: if the current status flag is invalid, the certificate is determined to be invalid.
Step 210: the user side decrypts the encrypted electronic certificates, selects one or more certificate contents of each electronic certificate, encrypts the selected contents by using the public key of the service party and transmits them to the service party.
Optionally, when the user side decrypts the encrypted electronic certificate, this specifically includes: decrypting the encryption result by using the private key to obtain the symmetric key; and decrypting the encrypted electronic certificate by using the symmetric key to obtain the electronic certificate original text.
In one implementable solution, the verification requirement further includes: the content attributes of the electronic certificate that need to be verified to execute this service. In that case, when the user side selects one or more certificate contents of each electronic certificate, encrypts them by using the public key of the service party and transmits them to the service party, this specifically includes: selecting one or more certificate contents of each electronic certificate based on the content attributes of the electronic certificate in the verification requirement, encrypting them by using the public key of the service party and transmitting them to the service party.
The content attribute may be a certain item of content of an electronic certificate, for example, taking a tax payment certificate as an example, the content attribute may include: annual tax amount, year of tax, total amount of tax, etc.
Step 212: the service party decrypts the received certificate contents by using its own private key, verifies the decrypted certificate contents based on the electronic certificate signatures stored on the blockchain and the corresponding state information, and executes the service after the verification is passed.
Optionally, when the service party decrypts the received certificate contents by using its own private key and verifies them based on the electronic certificate signatures stored on the blockchain and the corresponding state information, this specifically includes: decrypting the received certificate contents using its own private key, and verifying the corresponding electronic certificate signature using the public key of the issuer; verifying the authenticity of the decrypted certificate contents based on the electronic certificate recovered by the signature verification, and verifying the validity of the decrypted certificate contents based on the state information of each electronic certificate.
In the embodiment of the present disclosure, when verifying the electronic certificate, authenticity may be verified first, that is, whether the received certificate content is authentic is verified based on the electronic certificate recovered by the signature verification; the timeliness of the certificate content is then verified based on the on-chain state information corresponding to the electronic certificate. Alternatively, validity may be checked first and authenticity afterwards.
By using DID technology, the user side obtains stronger privacy protection through encryption in service scenarios triggered in real time, and the right to select which certificate contents are submitted for verification is handed to the user side, so that data leakage possibly caused by retention on other platforms is avoided and the security of the user data is ensured as far as possible. In addition, state information is maintained on the blockchain for the certificates stored there as evidence, so that the accuracy of user verification can be ensured. Thus, data security and service processing efficiency in the credential verification process are improved as a whole.
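Steps 208 to 212 above as runnable JavaScript using only Node.js built-in crypto; this is an added example, not code from the patent. The algorithm choices (RSA-OAEP, AES-256-GCM, Ed25519), the salted per-item digests that let the service party check a selected subset against the issuer's signature, the in-memory Map used in place of the blockchain, and all names and values are assumptions.

```javascript
// Added example. Parties, DID, claim values and the Map standing in for the
// blockchain are constructed; the salted-digest record layout is an assumption.
const nodeCrypto = require("node:crypto");
const OAEP = { padding: nodeCrypto.constants.RSA_PKCS1_OAEP_PADDING, oaepHash: "sha256" };

// Hybrid envelope: EK(M) under a fresh symmetric key K, EPK(K) under the recipient's PK.
function seal(recipientPublicKey, m) {
  const k = nodeCrypto.randomBytes(32);
  const nonce = nodeCrypto.randomBytes(12);
  const cipher = nodeCrypto.createCipheriv("aes-256-gcm", k, nonce);
  const ekm = Buffer.concat([cipher.update(m), cipher.final()]);
  const epkk = nodeCrypto.publicEncrypt({ key: recipientPublicKey, ...OAEP }, k);
  return { nonce, ekm, tag: cipher.getAuthTag(), epkk };
}

// Recover K with the private key, then M. Throws if any part was modified.
function open(recipientPrivateKey, env) {
  const k = nodeCrypto.privateDecrypt({ key: recipientPrivateKey, ...OAEP }, env.epkk);
  const decipher = nodeCrypto.createDecipheriv("aes-256-gcm", k, env.nonce);
  decipher.setAuthTag(env.tag);
  return Buffer.concat([decipher.update(env.ekm), decipher.final()]);
}

const digest = (a) =>
  nodeCrypto.createHash("sha256").update(JSON.stringify([a.name, a.value, a.salt])).digest("hex");
const signedBytes = (did, digests) => Buffer.from(JSON.stringify({ did, digests }));

// Issuer (step 208): salt each content item and sign the digest list bound to the DID.
// Returns the certificate M for the user and the record to store on chain.
function issue(issuerPrivateKey, did, claims, notAfter) {
  const certificate = Object.entries(claims).map(([name, value]) => ({
    name, value, salt: nodeCrypto.randomBytes(16).toString("hex"),
  }));
  const digests = certificate.map(digest).sort();
  const sig = nodeCrypto.sign(null, signedBytes(did, digests), issuerPrivateKey);
  return { certificate, record: { did, digests, sig, valid: true, notAfter } };
}

// User (step 210): keep only the content attributes named in the verification requirement.
const select = (certificate, names) => certificate.filter((a) => names.includes(a.name));

// Service party (step 212): authenticity (issuer signature covers every disclosed item),
// completeness, then validity from the on-chain state information.
function verify(issuerPublicKey, record, did, required, disclosed, now) {
  if (!record || record.did !== did) return "no on-chain record for this DID";
  const signedOk = nodeCrypto.verify(null, signedBytes(record.did, record.digests), issuerPublicKey, record.sig);
  if (!signedOk) return "issuer signature invalid";
  if (!Array.isArray(disclosed)) return "malformed disclosure";
  for (const a of disclosed) {
    if (!a || !record.digests.includes(digest(a))) return "disclosed content not signed by issuer";
  }
  for (const name of required) {
    if (!disclosed.some((a) => a.name === name)) return `required content "${name}" missing`;
  }
  if (!record.valid) return "certificate revoked (status flag)";
  if (now > record.notAfter) return "certificate expired (aging mark)";
  return "ok";
}

// End-to-end run of steps 208 to 212 with constructed keys and data.
function demo() {
  const rsa = () => nodeCrypto.generateKeyPairSync("rsa", { modulusLength: 2048 });
  const [user, service, issuer] = [rsa(), rsa(), nodeCrypto.generateKeyPairSync("ed25519")];
  const did = "did:example:target-user"; // constructed DID
  const chain = new Map(); // stand-in for the blockchain evidence store
  const now = 1700000000; // fixed "current time", Unix seconds

  const { certificate, record } = issue(issuer.privateKey, did,
    { taxYear: "2020", annualTax: "18000", totalTax: "96000" }, 2000000000);
  chain.set("tax-certificate-1", record);
  const toUser = seal(user.publicKey, Buffer.from(JSON.stringify(certificate)));

  const m = JSON.parse(open(user.privateKey, toUser).toString());
  const chosen = select(m, ["annualTax"]);
  const toService = seal(service.publicKey, Buffer.from(JSON.stringify(chosen)));

  const disclosed = JSON.parse(open(service.privateKey, toService).toString());
  const check = () =>
    verify(issuer.publicKey, chain.get("tax-certificate-1"), did, ["annualTax"], disclosed, now);
  const beforeRevocation = check();
  chain.get("tax-certificate-1").valid = false; // issuer updates the state information
  return { disclosed, beforeRevocation, afterRevocation: check() };
}

console.log(demo());
```

The service party is assumed to already hold the issuer's public key; the page does not say how it is obtained.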
The following describes the solution according to the present specification by taking financial business as an example.
Referring to fig. 3, a business flow diagram is shown for a financial service, taking a house-purchase commercial loan as an example. The business scenario mainly involves a house-purchasing user end, a paying bank end, a supervision end and a government integrated transaction end (tax sub-end, house management sub-end and college sub-end). A blockchain is also included.
The house-purchasing user end performs identity authentication through the supervision end and creates the DID.
The house-purchasing user end sends a loan request to the paying bank end.
The paying bank end returns the required certificate types and content attributes.
The house-purchasing user end initiates electronic certificate applications to the tax sub-end, the house management sub-end and the college sub-end respectively.
Issuing and encrypting the electronic certificates: first, the tax sub-end, the house management sub-end and the college sub-end respectively issue electronic certificates (tax certificate, housing certificate and academic certificate) associated with the DID; next, the public key of the house-purchasing user is obtained from the chain; then, the electronic certificate original text (M) is encrypted by using a local symmetric key (K) to obtain the encrypted electronic certificate EK(M); finally, the symmetric key (K) is encrypted by using the public key PK of the house-purchasing user to obtain the encryption result EPK(K).
The encrypted electronic certificate is sent to the house-purchasing user end, and the electronic certificate is signed and sent to the blockchain for evidence storage.
The house-purchasing user end decrypts the electronic certificate: first, EPK(K) is decrypted by using the local private key to obtain K; then, the encrypted electronic certificate EK(M) is decrypted by using the symmetric key K to obtain the electronic certificate original text (M).
The house-purchasing user end selectively re-encrypts the electronic certificate contents and transmits them to the paying bank end.
After decrypting the electronic certificate, the paying bank end obtains the electronic certificate signature from the chain and verifies it.
The paying bank end verifies the authenticity and validity of the electronic certificate.
After the verification is passed, the paying bank end executes the paying business.
Through the above technical scheme, a financial institution can reduce the information it collects when executing business operations, retrieve the required certificates in a distributed manner, and realize certificate verification and operation registration through the blockchain, which supports supervision and traceability. An entity can protect its privacy as far as possible while conducting business; in particular, in cross-business-format and multi-level service modes, identity and information can be aligned quickly without aggregating data.
Example 2
Referring to fig. 4, for a distributed digital identity-based service processing system provided in an embodiment of the present disclosure, the system 400 may include: a user party 402, a business party 404, and an issuer 406; wherein,
after user side 402 creates a distributed digital identity, DID, for the target user, sending a service request to service side 404;
the business 404 returns a verification requirement comprising at least: the type of the certificate to be verified for executing the service at this time;
the user side 402 applies for electronic credentials to at least one issuer 406 based on the credential type in the verification requirements, respectively;
the at least one issuer 406 issues, for the target user, electronic certificates associated with the corresponding DID, encrypts them and sends them to the user side 402; meanwhile, the electronic certificates are signed and then sent to a blockchain for evidence storage, wherein state information representing the validity of each electronic certificate is maintained on the blockchain for each electronic certificate;
after decrypting the encrypted electronic certificates, the user side 402 selects one or more certificate contents of each electronic certificate, encrypts the selected contents by using the public key of the service party 404, and transmits them to the service party 404;
the service party 404 decrypts the received certificate contents by using its own private key, verifies the decrypted certificate contents based on the electronic certificate signatures stored on the blockchain and the corresponding state information, and executes the service after the verification is passed.
Optionally, as an embodiment, the system further includes: an agent;
when the user side creates a distributed digital identity DID for a target user, the method is specifically used for: creating a DID for the target user through the agent;
the agent side only allows the user side to access the data, or the agent side allows the user side and the service side to access the data, or the agent side opens the access right.
In a specific implementation of an embodiment of the present description, when each issuer encrypts an issued electronic certificate, it is specifically used to:
obtaining a public key of the target user from a blockchain;
encrypting the electronic certificate text by using a local symmetric key to obtain an encrypted electronic certificate, and encrypting the symmetric key by using the public key of the target user to obtain an encryption result;
correspondingly, when the user side decrypts the encrypted electronic certificate, the method is specifically used for:
decrypting the encryption result by using the private key to obtain a symmetric key;
and decrypting the encrypted electronic certificate by using the symmetric key to obtain an electronic certificate original document.
In yet another specific implementation of an embodiment of the present disclosure, the verification requirement further includes: the content attributes of the electronic certificate that need to be verified to execute this service;
the user side is specifically configured to, when selecting one or more credential contents of each electronic credential and transmitting the one or more credential contents to the service side after encrypting the one or more credential contents by using the public key of the service side:
and selecting one or more voucher contents of each electronic voucher based on the content attribute of the electronic voucher in the verification requirement, encrypting by using the public key of the service party and transmitting to the service party.
In another specific implementation manner of this embodiment of the present disclosure, when the service party decrypts the received credential content using its private key, and verifies the decrypted credential content based on the electronic credential signature and the corresponding state information stored on the blockchain, the service party is specifically configured to:
decrypting the received certificate contents using its own private key, and verifying the corresponding electronic certificate signature using the public key of the issuer;
and verifying the authenticity of the decrypted certificate contents based on the electronic certificate recovered by the signature verification, and verifying the validity of the decrypted certificate contents based on the state information of each electronic certificate.
By using DID technology, the user side obtains stronger privacy protection through encryption in service scenarios triggered in real time, and the right to select which certificate contents are submitted for verification is handed to the user side, so that data leakage possibly caused by retention on other platforms is avoided and the security of the user data is ensured as far as possible. In addition, state information is maintained on the blockchain for the certificates stored there as evidence, so that the accuracy of user verification can be ensured. Thus, data security and service processing efficiency in the credential verification process are improved as a whole.
Example III
Fig. 5 is a schematic structural view of an electronic device according to an embodiment of the present specification. Referring to fig. 5, at the hardware level, the electronic device includes a processor, and optionally an internal bus, a network interface, and a memory. The memory may include internal memory, such as random-access memory (RAM), and may further include non-volatile memory, such as at least one disk memory. Of course, the electronic device may also include hardware required for other services.
The processor, network interface, and memory may be interconnected by an internal bus, which may be an ISA (Industry Standard Architecture) bus, a PCI (Peripheral Component Interconnect) bus, or an EISA (Extended Industry Standard Architecture) bus, among others. The buses may be classified as address buses, data buses, control buses, etc. For ease of illustration, only one bi-directional arrow is shown in fig. 5, but this does not mean that there is only one bus or one type of bus.
The memory is used for storing programs. In particular, a program may include program code, and the program code includes computer operating instructions. The memory may include internal memory and non-volatile memory, and provides instructions and data to the processor.
The processor reads the corresponding computer program from the non-volatile memory into the internal memory and then runs it, forming the corresponding execution body device at the logic level. The processor executes the programs stored in the memory and, in particular, performs the operations performed by the corresponding execution body.
The method performed by the apparatus disclosed in the embodiment shown in fig. 2 or 3 of the present specification may be applied to a processor or implemented by a processor. The processor may be an integrated circuit chip with signal processing capability. In implementation, the steps of the above method may be completed by integrated logic circuits of hardware in the processor or by instructions in the form of software. The processor may be a general-purpose processor, including a central processing unit (CPU), a network processor (NP), etc.; it may also be a digital signal processor (DSP), an application-specific integrated circuit (ASIC), a field-programmable gate array (FPGA) or other programmable logic device, a discrete gate or transistor logic device, or a discrete hardware component. It can implement or perform the methods, steps, and logic blocks disclosed in one or more embodiments of the present description. A general-purpose processor may be a microprocessor, or the processor may be any conventional processor or the like. The steps of a method disclosed in connection with one or more embodiments of the present disclosure may be performed directly by a hardware decoding processor, or by a combination of hardware and software modules in a decoding processor. The software modules may be located in a storage medium well known in the art, such as random access memory, flash memory, read-only memory, programmable read-only memory, electrically erasable programmable memory, or registers. The storage medium is located in the memory; the processor reads the information in the memory and, in combination with its hardware, performs the steps of the above method.
The electronic device may also execute the method of fig. 2 or 3 and implement the functions of the corresponding apparatus in the embodiments shown in fig. 2 and 3, which are not described herein again.
Of course, in addition to the software implementation, the electronic device of the embodiments of the present disclosure does not exclude other implementations, such as a logic device or a combination of software and hardware, that is, the execution subject of the following processing flow is not limited to each logic unit, but may also be hardware or a logic device.
Example IV
The present description also proposes a computer-readable storage medium storing one or more programs, the one or more programs comprising instructions, which when executed by a portable electronic device comprising a plurality of application programs, enable the portable electronic device to perform the methods of the embodiments shown in fig. 2 and 3, and in particular to perform the operations performed by the respective execution bodies.
In summary, the foregoing description is only a preferred embodiment of the present invention and is not intended to limit the scope of the present invention. Any modification, equivalent replacement, improvement, etc. made within the spirit and principle of the present specification should be included in the protection scope of the present specification.
The systems, devices, modules, or units illustrated in one or more of the embodiments described above may be implemented in particular by a computer chip or entity, or by a product having some function. One typical implementation is a computer. In particular, the computer may be, for example, a personal computer, a laptop computer, a cellular telephone, a camera phone, a smart phone, a personal digital assistant, a media player, a navigation device, an email device, a game console, a tablet computer, a wearable device, or a combination of any of these devices.
Computer-readable media, including both permanent and non-permanent, removable and non-removable media, may implement information storage by any method or technology. The information may be computer-readable instructions, data structures, modules of a program, or other data. Examples of storage media for a computer include, but are not limited to, phase change memory (PRAM), static random access memory (SRAM), dynamic random access memory (DRAM), other types of random access memory (RAM), read-only memory (ROM), electrically erasable programmable read-only memory (EEPROM), flash memory or other memory technology, compact disc read-only memory (CD-ROM), digital versatile discs (DVD) or other optical storage, magnetic cassettes, magnetic tape or magnetic disk storage or other magnetic storage devices, or any other non-transmission medium, which can be used to store information that can be accessed by a computing device. Computer-readable media, as defined herein, do not include transitory computer-readable media (transitory media), such as modulated data signals and carrier waves.
It should also be noted that the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or apparatus. Without further limitation, an element defined by the phrase "comprising a …" does not exclude the presence of other like elements in a process, method, article or apparatus that comprises the element.
In this specification, the embodiments are described in a progressive manner; identical and similar parts of the embodiments may be referred to one another, and each embodiment mainly describes its differences from the other embodiments. In particular, since the system embodiments are substantially similar to the method embodiments, their description is relatively brief; for relevant parts, refer to the description of the method embodiments.
The foregoing describes specific embodiments of the present disclosure. Other embodiments are within the scope of the following claims. In some cases, the actions or steps recited in the claims can be performed in a different order than in the embodiments and still achieve desirable results. In addition, the processes depicted in the accompanying figures do not necessarily require the particular order shown, or sequential order, to achieve desirable results. In some embodiments, multitasking and parallel processing are also possible or may be advantageous.

Claims (12)

1. A business processing method based on distributed digital identity includes:
after a user side creates a distributed digital identity DID for a target user, sending a service request to a service side;
the business side returns a verification requirement, wherein the verification requirement at least comprises: the type of the certificate to be verified for executing the service at this time;
the user side applies for electronic certificates to at least one issuer respectively based on the certificate types in the verification requirements;
the at least one issuer issues electronic certificates associated with corresponding DIDs for the target user respectively and sends the electronic certificates to the user side after encryption; meanwhile, the electronic certificates are signed and then sent to a blockchain for storing certificates, wherein state information representing the validity of each electronic certificate is maintained on the blockchain for each electronic certificate;
after decrypting the encrypted electronic certificates, the user side selects one or more certificate contents of each electronic certificate, encrypts the electronic certificates by using the public key of the service side and transmits the encrypted electronic certificates to the service side;
and the service party decrypts the received voucher content by using the private key of the service party, verifies the decrypted voucher content based on the electronic voucher signature stored on the blockchain and the corresponding state information, and executes the service after the verification is passed.
2. The service processing method based on distributed digital identity according to claim 1, wherein the user side creates a distributed digital identity DID for a target user, specifically comprising:
the user side creates a DID for the target user through the proxy side;
the agent side only allows the user side to access the data, or the agent side allows the user side and the service side to access the data, or the agent side opens the access right.
3. The distributed digital identity-based business processing method according to claim 1 or 2, wherein each issuer encrypts the issued electronic certificate, and specifically comprises:
the issuer obtains a public key of the target user from a blockchain;
encrypting the electronic certificate text by using a local symmetric key to obtain an encrypted electronic certificate, and encrypting the symmetric key by using the public key of the target user to obtain an encryption result;
correspondingly, when the user side decrypts the encrypted electronic certificate, the method specifically comprises the following steps:
the user side decrypts the encryption result by using the private key of the user side to obtain a symmetric key;
and decrypting the encrypted electronic certificate by using the symmetric key to obtain an electronic certificate original document.
4. The distributed digital identity based business processing method of claim 1, said verification requirement further comprising: the content attribute of the electronic certificate that needs to be verified for executing the service;
the user side selects one or more credential contents of each electronic credential and transmits the one or more credential contents to the service side after encrypting the one or more credential contents by using the public key of the service side, and the method specifically comprises the following steps:
the user side selects one or more voucher contents of each electronic voucher based on the content attribute of the electronic voucher in the verification requirement, encrypts the electronic voucher by using the public key of the service side and transmits the electronic voucher to the service side.
5. The service processing method based on distributed digital identity according to claim 1, 2 or 4, wherein the service party decrypts the received voucher content by using its own private key, and verifies the decrypted voucher content based on the electronic voucher signature and the corresponding state information stored on the blockchain, specifically comprising:
the business side decrypts the received credential content by using the private key of the business side, and verifies the corresponding electronic credential signature by using the public key of the issuer;
and verifying the authenticity of the decrypted voucher content based on the electronic vouchers obtained after signature verification, and verifying the validity of the decrypted voucher content based on the state information of each electronic voucher.
6. A distributed digital identity based business processing system comprising: a user side, a business side and an issuer side; wherein,
after a user side creates a distributed digital identity DID for a target user, sending a service request to a service side;
the business side returns a verification requirement, wherein the verification requirement at least comprises: the type of the certificate to be verified for executing the service at this time;
the user side applies for electronic certificates to at least one issuer respectively based on the certificate types in the verification requirements;
the at least one issuer issues electronic certificates associated with corresponding DIDs for the target user respectively and sends the electronic certificates to the user side after encryption; meanwhile, the electronic certificates are signed and then sent to a blockchain for storing certificates, wherein state information representing the validity of each electronic certificate is maintained on the blockchain for each electronic certificate;
after decrypting the encrypted electronic certificates, the user side selects one or more certificate contents of each electronic certificate, encrypts the electronic certificates by using the public key of the service side and transmits the encrypted electronic certificates to the service side;
and the service party decrypts the received voucher content by using the private key of the service party, verifies the decrypted voucher content based on the electronic voucher signature stored on the blockchain and the corresponding state information, and executes the service after the verification is passed.
7. The distributed digital identity based service processing system of claim 6 further comprising: an agent;
when the user side creates a distributed digital identity DID for a target user, the method is specifically used for: creating a DID for the target user through the agent;
the agent side only allows the user side to access the data, or the agent side allows the user side and the service side to access the data, or the agent side opens the access right.
8. The distributed digital identity based business processing system of claim 6 or 7, when each issuer encrypts an issued electronic certificate, specifically for:
obtaining a public key of the target user from a blockchain;
encrypting the electronic certificate text by using a local symmetric key to obtain an encrypted electronic certificate, and encrypting the symmetric key by using the public key of the target user to obtain an encryption result;
correspondingly, when the user side decrypts the encrypted electronic certificate, the method is specifically used for:
decrypting the encryption result by using the private key to obtain a symmetric key;
and decrypting the encrypted electronic certificate by using the symmetric key to obtain an electronic certificate original document.
9. The distributed digital identity based service processing system of claim 6, said verification requirement further comprising: the content attribute of the electronic certificate that needs to be verified for executing the service;
when selecting one or more credential contents of each electronic credential, encrypting them with the public key of the service side and transmitting them to the service side, the user side is specifically configured to:
select one or more voucher contents of each electronic voucher based on the content attribute of the electronic voucher in the verification requirement, encrypt them by using the public key of the service party and transmit them to the service party.
10. The distributed digital identity-based service processing system of claim 6, 7 or 9, wherein the service party is configured to, when decrypting the received voucher content using its own private key and verifying the decrypted voucher content based on the electronic voucher signature and the corresponding state information stored on the blockchain:
decrypting the received credential content using its own private key and verifying the corresponding electronic credential signature using the public key of the issuer;
and verifying the authenticity of the decrypted voucher content based on the electronic vouchers obtained after signature verification, and verifying the validity of the decrypted voucher content based on the state information of each electronic voucher.
11. An electronic device, comprising:
a processor; and
a memory arranged to store computer executable instructions which, when executed, cause the processor to perform the method performed by the execution body of any one of claims 1 to 5.
12. A computer readable storage medium storing one or more programs, which when executed by an electronic device comprising a plurality of application programs, cause the electronic device to perform the method performed by the execution body of any one of claims 1 to 5.
CN202110797332.7A 2021-07-14 2021-07-14 Service processing method and related device based on distributed digital identity Active CN113704775B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202110797332.7A CN113704775B (en) 2021-07-14 2021-07-14 Service processing method and related device based on distributed digital identity

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202110797332.7A CN113704775B (en) 2021-07-14 2021-07-14 Service processing method and related device based on distributed digital identity

Publications (2)

Publication Number Publication Date
CN113704775A CN113704775A (en) 2021-11-26
CN113704775B true CN113704775B (en) 2024-02-27

Family

ID=78648582

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202110797332.7A Active CN113704775B (en) 2021-07-14 2021-07-14 Service processing method and related device based on distributed digital identity

Country Status (1)

Country Link
CN (1) CN113704775B (en)

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant