CN113973016B - Authorization processing method, device, equipment and system based on verifiable statement - Google Patents
- Publication number: CN113973016B
- Application number: CN202111247089.8A
- Authority: CN (China)
- Prior art keywords: user, information, authorization, verifiable statement, verifiable
- Legal status: Active (the legal status shown by Google Patents is an assumption, not a legal conclusion; Google has not performed a legal analysis)
Classifications
- H—ELECTRICITY; H04—ELECTRIC COMMUNICATION TECHNIQUE; H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
  - H04L63/00—Network architectures or network communication protocols for network security
    - H04L63/08—Network architectures or network communication protocols for network security for authentication of entities
      - H04L63/0876—Network architectures or network communication protocols for network security for authentication of entities based on the identity of the terminal or configuration, e.g. MAC address, hardware or software configuration or device fingerprint
    - H04L63/10—Network architectures or network communication protocols for network security for controlling access to devices or network resources
  - H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    - H04L9/32—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
Landscapes
- Engineering & Computer Science (AREA)
- Computer Security & Cryptography (AREA)
- Computer Networks & Wireless Communication (AREA)
- Signal Processing (AREA)
- Computer Hardware Design (AREA)
- Computing Systems (AREA)
- General Engineering & Computer Science (AREA)
- Power Engineering (AREA)
- Storage Device Security (AREA)
Abstract
The embodiment of the specification provides an authorization processing method, device, equipment and system based on verifiable statement, wherein the method comprises the following steps: the method comprises the steps that a first service end receives an authorization request sent by a first user, wherein the authorization request is used for requesting a second user to grant access rights to a first verifiable statement of the first user; the authorization request comprises authorization information generated based on the first verifiable statement and a public key corresponding to the first digital identity information of the second user; generating authorization record information according to the authorization information and the first identification information of the first verifiable statement; and storing the authorization record information into a first blockchain, and sending authorization success information to the first user.
Description
This application is a divisional application of Chinese patent application No. 202010305730.8, filed on April 17, 2020, entitled "Authorization processing method, device, equipment and system based on verifiable statement".
Technical Field
The present document relates to the field of data processing technologies, and in particular, to an authorization processing method, device, equipment, and system based on verifiable claims.
Background
Digital identity information such as a DID (Decentralized Identifier) is a decentralized, verifiable digital identifier. A DID can identify an individual, an organization, and so on, but because a DID carries no real-world information about that individual or organization, such as a name or home address, a user typically combines the DID with a verifiable claim (Verifiable Credential, abbreviated VC), through which information such as age, academic qualifications, or particular rights held can be verified. Since the content that needs to be proved usually differs from one scenario to another, access rights to a verifiable claim need to be granted to different users, so how to grant access rights to verifiable claims effectively is a problem of concern to users.
Disclosure of Invention
One or more embodiments of the present disclosure provide an authorization processing method based on a verifiable statement, which is applied to a first service end corresponding to a first user. The method includes receiving an authorization request sent by a first user. Wherein the authorization request is for requesting that a second user be granted access to a first verifiable claim of the first user. The authorization request includes authorization information. The authorization information is generated based on the first verifiable claim and a public key corresponding to the first digital identity information of the second user. And generating authorization record information according to the authorization information. And storing the authorization record information into a first blockchain, and sending authorization success information to the first user.
One or more embodiments of the present disclosure provide an authorization processing method based on a verifiable statement, which is applied to a second server. The method includes receiving a key acquisition request sent by a first user. Wherein the key acquisition request includes first digital identity information of the second user. And obtaining the public key corresponding to the first digital identity information from the second blockchain. And sending the obtained public key to the first user so that the first user grants the second user access right to the first verifiable statement of the first user based on the public key.
One or more embodiments of the present disclosure provide an authorization processing device based on a verifiable statement, which is applied to a first service end corresponding to a first user. The apparatus includes a receiving module that receives an authorization request sent by a first user. Wherein the authorization request is for requesting that a second user be granted access to a first verifiable claim of the first user. The authorization request includes authorization information. The authorization information is generated based on the first verifiable claim and a public key corresponding to the first digital identity information of the second user. The apparatus also includes a generation module that generates authorization record information from the authorization information. The device also comprises a sending module which stores the authorization record information into a first blockchain and sends authorization success information to the first user.
One or more embodiments of the present disclosure provide an authorization processing device based on a verifiable statement, which is applied to a second server. The apparatus includes a receiving module that receives a key acquisition request sent by a first user. Wherein the key acquisition request includes first digital identity information of the second user. The device also comprises a first acquisition module which acquires a public key corresponding to the first digital identity information from the second blockchain. The apparatus also includes a transmitting module that transmits the obtained public key to the first user to cause the first user to grant the second user access to the first verifiable claim of the first user based on the public key.
One or more embodiments of the present specification provide an authorization processing system based on a verifiable claim. The system comprises a first client of a first user, a first server corresponding to the first client and a second server. The first client side responds to the authorization operation of the first user for granting the second user with the first verifiable claim access right of the first user, and sends a key acquisition request to the second server side according to the first digital identity information of the second user. And receiving a public key corresponding to the first digital identity information sent by the second server. Generating authorization information according to the public key and the first verifiable statement, and sending an authorization request to the first server according to the authorization information. The first server receives the authorization request. And generating authorization record information according to the authorization information. And storing the authorization record information into a first blockchain. And sending authorization success information to the first client. And the second server receives the key acquisition request. And obtaining the public key corresponding to the first digital identity information from the second blockchain. And sending the obtained public key to the first client.
One or more embodiments of the present specification provide an authorization processing device based on a verifiable claim. The apparatus includes a processor. The device further comprises a memory arranged to store computer executable instructions. The computer-executable instructions, when executed, receive an authorization request sent by a first user. Wherein the authorization request is for requesting that a second user be granted access to a first verifiable claim of the first user. The authorization request includes authorization information. The authorization information is generated based on the first verifiable claim and a public key corresponding to the first digital identity information of the second user. And generating authorization record information according to the authorization information. Storing the authorization record information into a first blockchain, and sending authorization success information to the first user.
One or more embodiments of the present specification provide an authorization processing device based on a verifiable claim. The apparatus includes a processor. The device further comprises a memory arranged to store computer executable instructions. The computer-executable instructions, when executed, receive a key acquisition request sent by a first user. Wherein the key acquisition request includes first digital identity information of the second user. And obtaining the public key corresponding to the first digital identity information from the second blockchain. And sending the obtained public key to the first user so that the first user grants the second user access right to the first verifiable statement of the first user based on the public key.
One or more embodiments of the present specification provide a storage medium. The storage medium is for storing computer-executable instructions. The computer-executable instructions, when executed, receive an authorization request sent by a first user. Wherein the authorization request is for requesting that a second user be granted access to a first verifiable claim of the first user. The authorization request includes authorization information. The authorization information is generated based on the first verifiable claim and a public key corresponding to the first digital identity information of the second user. And generating authorization record information according to the authorization information. Storing the authorization record information into a first blockchain, and sending authorization success information to the first user.
One or more embodiments of the present specification provide a storage medium. The storage medium is for storing computer-executable instructions. The computer-executable instructions, when executed, receive a key acquisition request sent by a first user. Wherein the key acquisition request includes first digital identity information of the second user. And obtaining the public key corresponding to the first digital identity information from the second blockchain. And sending the obtained public key to the first user so that the first user grants the second user access right to the first verifiable statement of the first user based on the public key.
Drawings
To describe the technical solutions of one or more embodiments of this specification or of the prior art more clearly, the drawings needed for describing the embodiments or the prior art are briefly introduced below. The drawings described below are only some of the embodiments of this specification, and a person skilled in the art can derive other drawings from them without inventive effort.
FIG. 1 is a schematic diagram of a first scenario of an authorization processing method based on verifiable claims provided by one or more embodiments of the present disclosure;
FIG. 2 is a schematic diagram of a second scenario of an authorization processing method based on verifiable claims provided by one or more embodiments of the present disclosure;
FIG. 3 is a schematic diagram of a first flowchart of an authorization processing method based on verifiable claims according to one or more embodiments of the present disclosure;
FIG. 4 is a second flow diagram of a method of authorization processing based on a verifiable claim provided in one or more embodiments of the present disclosure;
FIG. 5 is a third flow diagram of a method of authorization processing based on a verifiable claim provided in one or more embodiments of the present disclosure;
FIG. 6 is a fourth flow diagram of a method of authorization processing based on a verifiable claim provided in one or more embodiments of the present disclosure;
FIG. 7 is a fifth flow diagram of a method of authorization processing based on a verifiable claim provided in one or more embodiments of the present disclosure;
FIG. 8 is a sixth flow diagram of a method of authorization processing based on a verifiable claim provided in one or more embodiments of the present disclosure;
FIG. 9 is a first flow diagram of a state change method based on verifiable claims provided by one or more embodiments of the present disclosure;
FIG. 10 is a second flow diagram of a state change method based on verifiable claims provided by one or more embodiments of the present disclosure;
FIG. 11 is a schematic diagram of a seventh flowchart of a method for authorization processing based on a verifiable claim according to one or more embodiments of the present disclosure;
FIG. 12 is a schematic illustration of an eighth flowchart of a method of authorization processing based on a verifiable claim provided by one or more embodiments of the present disclosure;
FIG. 13 is a schematic illustration of a ninth flowchart of a method of authorization processing based on a verifiable claim according to one or more embodiments of the present disclosure;
FIG. 14 is a tenth flow diagram of a method of authorization processing based on a verifiable claim provided by one or more embodiments of the present disclosure;
FIG. 15 is a schematic illustration of an eleventh flowchart of a method of authorization processing based on a verifiable claim provided in one or more embodiments of the present disclosure;
FIG. 16 is a twelfth flowchart of a method for authorization processing based on verifiable claims provided by one or more embodiments of the present disclosure;
FIG. 17 is a thirteenth flow diagram of a method of authorization processing based on a verifiable claim provided by one or more embodiments of the present disclosure;
FIG. 18 is a flowchart illustrating a fourteenth method for authorization processing based on a verifiable claim provided by one or more embodiments of the present disclosure;
FIG. 19 is a fifteenth flowchart of a method for authorization processing based on a verifiable claim provided by one or more embodiments of the present disclosure;
FIG. 20 is a schematic diagram of a first module composition of an authorization processing device based on a verifiable claim according to one or more embodiments of the present disclosure;
FIG. 21 is a schematic diagram of a second module configuration of an authorization processing device based on a verifiable claim according to one or more embodiments of the present disclosure;
FIG. 22 is a schematic diagram of a first component of an authorization processing system based on a verifiable claim provided by one or more embodiments of the present disclosure;
FIG. 23 is a second component schematic diagram of an authorization processing system based on a verifiable claim provided by one or more embodiments of the present disclosure;
FIG. 24 is a schematic diagram of an authorization processing device based on a verifiable claim provided by one or more embodiments of the present disclosure.
Detailed Description
In order to enable a person skilled in the art to better understand the technical solutions in one or more embodiments of the present specification, the technical solutions in one or more embodiments of the present specification will be clearly and completely described below with reference to the drawings in one or more embodiments of the present specification, and it is obvious that the described embodiments are only some embodiments of the present specification, not all embodiments. All other embodiments, which can be made by one or more embodiments of the present disclosure without inventive faculty, are intended to be within the scope of the present disclosure.
Fig. 1 is a schematic application scenario diagram of an authorization processing method based on verifiable claims according to one or more embodiments of the present disclosure, where, as shown in fig. 1, the scenario includes: a first client of a first user, a first service end corresponding to the first user, a first blockchain corresponding to the first service end, a second service end and a second blockchain corresponding to the second service end. The first service end provides services such as storage, authorization management and state management of verifiable statements; the second service end provides services such as creation of digital identity information and issuance of verifiable statements; the first blockchain stores authorization record information, access record information, state change record information and the like of verifiable statements; the second blockchain maintains creation record information for digital identity information, issue record information for verifiable statements, and the like. The first client and the second client may be a mobile phone, a tablet computer, a desktop computer, a portable notebook computer, etc. (only the mobile phone is shown in fig. 1); the first service end and the second service end can be independent servers, or a server cluster consisting of a plurality of servers.
Optionally, the first server is a node in the first blockchain and the second server is a node in the second blockchain. Correspondingly, the first user operates the first client in advance to apply for second digital identity information and a first verifiable statement from the second server, and the first verifiable statement thus obtained is stored in the first server; the second user operates the second client in advance to apply for first digital identity information and the public-private key pair corresponding to the first digital identity information from the second server. When the first user needs to grant the second user access rights to the first verifiable statement, the first user first operates the first client to send a key acquisition request to the second server; the second server acquires the corresponding public key from the second blockchain according to the first digital identity information included in the key acquisition request and sends the acquired public key to the first client; the first client generates authorization information according to the first verifiable statement and the acquired public key, and sends an authorization request to the first server according to the authorization information; the first server generates authorization record information according to the authorization information and the first identification information of the first verifiable statement; the first server stores the authorization record information into the first blockchain and sends authorization success information to the first client; the first client displays the authorization success information.
Further, as shown in fig. 2, the first server may not be a node in the first blockchain, and the second server may not be a node in the second blockchain; correspondingly, the application scene further comprises: a first blockchain node accessing the first blockchain and a second blockchain node accessing the second blockchain; when the second server receives the key acquisition request sent by the first client, sending the key acquisition request to the second blockchain node so that the second blockchain node acquires the corresponding public key from the second blockchain, sending the acquired public key to the second server, and sending the received public key to the first client by the second server; and the first service end sends the authorization record information to the first blockchain node after generating the authorization record information so that the first blockchain node stores the authorization record information into the first blockchain.
The first client obtains the public key corresponding to the first digital identity information of the second user from the second server, generates authorization information based on the obtained public key and the first verifiable statement, and sends an authorization request to the first server according to the authorization information, whereupon the first server stores the authorization record information into the first blockchain. Access authorization of the verifiable statement is thereby realized, meeting the requirement that a user can grant access rights to a verifiable statement to other users in different service scenarios; and by storing the authorization record information in the blockchain, not only is the validity of the authorization ensured, but the authorization record is also traceable and the granted access right can be effectively verified.
Based on the application scenario architecture, one or more embodiments of the present disclosure provide an authorization processing method based on verifiable claims. Fig. 3 is a flowchart of a method for processing authorization based on verifiable claims according to one or more embodiments of the present disclosure, where the method in fig. 3 can be executed by the first server in fig. 1, and as shown in fig. 3, the method includes the following steps:
Step S102, receiving an authorization request sent by a first user, wherein the authorization request is used for requesting that a second user be granted access rights to a first verifiable statement of the first user; the authorization request comprises authorization information, and the authorization information is generated based on the first verifiable statement and a public key corresponding to first digital identity information of the second user;
Specifically, the first client responds to the authorization operation of the first user, generates authorization information according to a first verifiable statement to be authorized and a public key corresponding to first digital identity information of the second user, which is obtained in advance from the second server, and sends an authorization request to the corresponding first server according to the authorization information; the first service end receives an authorization request sent by the first client end. Wherein the authorization request may further include first identification information of the first verifiable statement, first digital identity information of the first user, and the like; the process of generating the authorization information is described in detail below.
Step S104, generating authorization record information according to the authorization information and the first identification information of the first verifiable statement;
Specifically, the authorization information, the first identification information of the first verifiable statement, the first digital identity information of the second user and the like are associated and recorded, and the recorded information is taken as the authorization record information.
Step S106, the authorization record information is stored in the first blockchain, and authorization success information is sent to the first user.
In one or more embodiments of the present disclosure, when the first service end receives an authorization request sent by the first client, authorization record information is generated according to the authorization information in the authorization request, and the authorization record information is stored in the first blockchain; the authorization information is generated based on the first verifiable statement and a public key corresponding to the first digital identity information of the second user, which is acquired from the second server in advance. Access authorization of the verifiable statement is thereby realized, meeting the requirement that a user can grant access rights to a verifiable statement to other users in different service scenarios; and by storing the authorization record information in the blockchain, not only is the validity of the authorization ensured, but the authorization record is also traceable and the granted access right can be effectively verified.
In order to avoid that other people impersonate the first user to perform the authorization operation, in one or more embodiments of the present disclosure, the authorization request may further include second signature data obtained by signing the specified information with a private key corresponding to the second digital identity information of the first user; accordingly, step S104 may include:
And acquiring a public key corresponding to the second digital identity information, and if the second signature data is verified to pass according to the acquired public key, generating authorization record information according to the authorization information and the first identification information of the first verifiable statement.
The obtaining the public key corresponding to the second digital identity information may include: sending a key acquisition request to a second server according to the second digital identity information, so that the second server inquires a public key corresponding to the second digital identity information from a second blockchain; or the first server side sends a key acquisition request to the first client side, so that the first client side sends the key acquisition request to the second server side, and when the first client side receives the public key sent by the second server side, the first client side sends the received public key to the first server side.
Because the private key corresponding to the second digital identity information is only held by the first user, the risk that the second user impersonates the first user for authorization operation is effectively avoided by verifying the second signature data.
After the first user grants the second user access to the first verifiable claim, the second user may access the first verifiable claim. Specifically, in one or more embodiments of the present disclosure, the first user corresponds to the same first service end as the second user, for example because the first user and the second user belong to the same consortium chain; in that case the second user requests access to the first verifiable statement by sending a first access request to the first service end. Accordingly, as shown in fig. 4, the method further includes, after step S106:
Step S108, a first access request of a verifiable statement sent by a second user is received; wherein the first access request includes first digital identity information and first identification information;
Specifically, after the authorization is successful, the first user may privately inform the second user of the first identification information of the first verifiable statement; or the first user operates the first client to send the first identification information of the first verifiable statement to the second client of the second user; or the first server side sends authorization prompt information to the second client side according to the first identification information so that the second user accesses the first verifiable statement according to the first identification information. When the second user needs to access the first verifiable statement, the second client side is operated, and the second client side responds to the access operation of the second user and sends a first access request to the first server side according to the first digital identity information, the first identification information and the like of the second user.
Step S110, according to the first digital identity information and the first identification information, inquiring the associated authorization record information from the first blockchain, and sending a first verifiable statement in the inquired authorization record information to the second user.
To ensure that a user who has not been granted access rights cannot access the first verifiable claim, in one or more embodiments of the present disclosure, the first verifiable claim is encrypted using envelope encryption; specifically, as shown in FIG. 5, step S102 includes the following step S102-2:
Step S102-2, receiving an authorization request sent by a first user; wherein the authorization request is for requesting that the second user be granted access to the first verifiable claim of the first user; the authorization request comprises authorization information, wherein the authorization information comprises ciphertext of a first verifiable statement and ciphertext of a first key; the ciphertext of the first verifiable statement is obtained by encrypting the first verifiable statement according to a first key; the ciphertext of the first key is obtained by encrypting the first key according to the public key corresponding to the first digital identity of the second user;
Corresponding to step S102-2, as shown in FIG. 5, step S110 includes the following step S110-2;
Step S110-2, according to the first digital identity information and the first identification information, inquiring the associated authorization record information from the first blockchain, and sending the ciphertext of the first verifiable statement and the ciphertext of the first key in the inquired authorization record information to the second user, so that the second user decrypts the ciphertext of the first key according to the private key corresponding to the first digital identity information to obtain the first key, and decrypts the ciphertext of the first verifiable statement according to the first key to obtain the first verifiable statement.
By encrypting the first verifiable statement in an envelope encryption mode, only the second user granted access rights can decrypt the ciphertext of the first key to obtain the first key, so that the first verifiable statement is obtained by decrypting the ciphertext of the first verifiable statement according to the first key, and the privacy of the first verifiable statement is effectively ensured.
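The envelope encryption of steps S102-2 and S110-2, as an added worked example in Go that is not code from the patent: the second user's RSA key pair stands in for the public and private key of the first digital identity information, AES-256-GCM is assumed for the first key and RSA-OAEP for wrapping it (the patent fixes neither algorithm), and the statement content is constructed.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
)

// AuthorizationInfo is the authorization information of step S102-2: the
// ciphertext of the first verifiable statement and the ciphertext of the first
// key. The GCM nonce field is an addition needed to make AES-GCM decryptable.
type AuthorizationInfo struct {
	ClaimCiphertext []byte // AES-256-GCM ciphertext of the first verifiable statement
	ClaimNonce      []byte // GCM nonce, stored alongside the ciphertext (assumption)
	KeyCiphertext   []byte // RSA-OAEP ciphertext of the first key
}

// EnvelopeEncrypt is the first user's side: a fresh random first key encrypts
// the statement, and the first key is encrypted with the public key that
// corresponds to the second user's first digital identity information.
func EnvelopeEncrypt(statement []byte, secondUserPub *rsa.PublicKey) (*AuthorizationInfo, error) {
	firstKey := make([]byte, 32) // one-time AES-256 data key
	if _, err := rand.Read(firstKey); err != nil {
		return nil, err
	}
	gcm, err := newGCM(firstKey)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	claimCT := gcm.Seal(nil, nonce, statement, nil)
	// Only the holder of the matching private key can recover firstKey.
	keyCT, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, secondUserPub, firstKey, nil)
	if err != nil {
		return nil, err
	}
	return &AuthorizationInfo{ClaimCiphertext: claimCT, ClaimNonce: nonce, KeyCiphertext: keyCT}, nil
}

// EnvelopeDecrypt is the second user's side of step S110-2: the private key of
// the first digital identity unwraps the first key, which then decrypts the
// statement. Any other private key fails at the unwrap step.
func EnvelopeDecrypt(info *AuthorizationInfo, secondUserPriv *rsa.PrivateKey) ([]byte, error) {
	firstKey, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, secondUserPriv, info.KeyCiphertext, nil)
	if err != nil {
		return nil, errors.New("cannot unwrap the first key: not the holder of the first digital identity")
	}
	gcm, err := newGCM(firstKey)
	if err != nil {
		return nil, err
	}
	plain, err := gcm.Open(nil, info.ClaimNonce, info.ClaimCiphertext, nil)
	if err != nil {
		return nil, errors.New("ciphertext of the first verifiable statement was modified")
	}
	return plain, nil
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

func main() {
	// Constructed demo: the second user's key pair stands in for the key pair
	// applied for at the second server; the statement content is made up.
	secondUser, _ := rsa.GenerateKey(rand.Reader, 2048)
	outsider, _ := rsa.GenerateKey(rand.Reader, 2048)
	statement := []byte(`{"id":"vc-demo-001","holder":"did:example:firstuser","claim":"member"}`)

	info, err := EnvelopeEncrypt(statement, &secondUser.PublicKey)
	if err != nil {
		panic(err)
	}
	// The first server stores info in the authorization record and later
	// returns it to the second user, who decrypts it locally.
	plain, err := EnvelopeDecrypt(info, secondUser)
	fmt.Printf("second user recovers: %s (err=%v)\n", plain, err)
	_, err = EnvelopeDecrypt(info, outsider)
	fmt.Printf("outsider without the private key: err=%v\n", err)
}
```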
Further, in one or more embodiments of the present disclosure, in order to effectively verify the identity of the second user, the first access request further includes first signature data, which is obtained by signing specified data with the private key corresponding to the first digital identity information. Specifically, as shown in FIG. 6, step S108 may include the following step S108-2:
step S108-2, a first access request of a verifiable statement sent by a second user is received; the first access request comprises first digital identity information, first identification information and first signature data obtained by signing the specified data with the private key corresponding to the first digital identity information;
correspondingly, as shown in FIG. 6, the step S110 includes the following steps S110-4 and S110-6;
step S110-4, obtaining a public key corresponding to the first digital identity information;
The process of obtaining the public key corresponding to the first digital identity information is similar to the process of obtaining the public key corresponding to the second digital identity information, which is described in the related description and is not repeated here.
Step S110-6, the obtained public key is adopted to verify the first signature data, if the verification is passed, the associated authorization record information is queried from the first blockchain according to the first digital identity information and the first identification information, and a first verifiable statement in the queried authorization record information is sent to the second user.
Because the private key corresponding to the first digital identity information is only held by the second user, the risk that another party impersonates the second user to access the first verifiable statement is effectively avoided by verifying the first signature data.
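Verification of the first signature data in steps S108-2 to S110-6, as an added Go example that is not the patent's code: ECDSA P-256 is assumed for the key pair of the first digital identity information, the PublicKeys map stands in for the public key lookup of step S110-4, and the "specified data" that is signed is assumed to be a hash over the request fields plus a timestamp so that a captured request cannot be replayed outside a short window.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
	"time"
)

// FirstAccessRequest carries the fields of step S108-2. The Timestamp field is
// an assumption: the patent only says the signature covers "specified data".
type FirstAccessRequest struct {
	FirstDigitalIdentity string // first digital identity information (DID of the second user)
	FirstIdentification  string // first identification information (the statement's identifier)
	Timestamp            int64  // unix seconds at which the request was built
	Signature            []byte // first signature data, ASN.1 DER ECDSA over SpecifiedData()
}

// SpecifiedData is the byte string both sides agree to sign: a hash over the
// identity, the statement identifier and the timestamp, length-prefixed so
// that field boundaries cannot be shifted.
func (r FirstAccessRequest) SpecifiedData() []byte {
	h := sha256.New()
	for _, f := range []string{r.FirstDigitalIdentity, r.FirstIdentification, fmt.Sprint(r.Timestamp)} {
		fmt.Fprintf(h, "%d:%s;", len(f), f)
	}
	return h.Sum(nil)
}

// SignAccessRequest is the second client's side: sign with the private key
// corresponding to the first digital identity information.
func SignAccessRequest(r *FirstAccessRequest, priv *ecdsa.PrivateKey) error {
	sig, err := ecdsa.SignASN1(rand.Reader, priv, r.SpecifiedData())
	if err != nil {
		return err
	}
	r.Signature = sig
	return nil
}

// AuthRecord stands in for the authorization record information on the first blockchain.
type AuthRecord struct {
	Grantee   string // first digital identity information of the second user
	ClaimID   string // first identification information
	Statement []byte // the first verifiable statement (or its envelope ciphertext)
}

// FirstServer holds what steps S110-4 and S110-6 need: a way to resolve a DID
// to its public key (the first document, here a plain map) and the records.
type FirstServer struct {
	PublicKeys map[string]*ecdsa.PublicKey
	Records    []AuthRecord
	MaxSkew    time.Duration // accepted difference between request and server time
}

// HandleFirstAccess is step S110-6: verify the first signature data with the
// public key of the first digital identity first, and only then query the
// authorization record. Nothing is returned before the signature checks out.
func (s *FirstServer) HandleFirstAccess(r FirstAccessRequest, now time.Time) ([]byte, error) {
	pub, ok := s.PublicKeys[r.FirstDigitalIdentity]
	if !ok {
		return nil, errors.New("no public key for the first digital identity information")
	}
	if !ecdsa.VerifyASN1(pub, r.SpecifiedData(), r.Signature) {
		return nil, errors.New("first signature data does not verify")
	}
	if d := now.Sub(time.Unix(r.Timestamp, 0)); d > s.MaxSkew || d < -s.MaxSkew {
		return nil, errors.New("request timestamp outside the accepted window")
	}
	for _, rec := range s.Records {
		if rec.Grantee == r.FirstDigitalIdentity && rec.ClaimID == r.FirstIdentification {
			return rec.Statement, nil
		}
	}
	return nil, errors.New("no authorization record for this identity and statement")
}

func main() {
	// Constructed demo data: a key pair for the second user and one record.
	secondUser, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	srv := &FirstServer{
		PublicKeys: map[string]*ecdsa.PublicKey{"did:example:second": &secondUser.PublicKey},
		Records:    []AuthRecord{{"did:example:second", "vc-demo-001", []byte("<statement>")}},
		MaxSkew:    5 * time.Minute,
	}
	now := time.Now()
	req := FirstAccessRequest{FirstDigitalIdentity: "did:example:second", FirstIdentification: "vc-demo-001", Timestamp: now.Unix()}
	if err := SignAccessRequest(&req, secondUser); err != nil {
		panic(err)
	}
	out, err := srv.HandleFirstAccess(req, now)
	fmt.Printf("signed request: %s err=%v\n", out, err)
	req.FirstIdentification = "vc-demo-002" // altered after signing
	_, err = srv.HandleFirstAccess(req, now)
	fmt.Println("altered request:", err)
}
```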
To ensure that the access record of the first verifiable claim is traceable, in one or more embodiments of the present disclosure, the first server saves the access record information of the first verifiable claim into the first blockchain. Specifically, as shown in fig. 7, after step S108, the method further includes:
step S109, recording the receiving time of the first access request;
Correspondingly, step S110 further includes:
Step S112, according to the first identification information, the first digital identity information and the receiving time, generating access record information of the first verifiable statement, and storing the access record information in the first blockchain.
When the first user and the second user correspond to the same first service end, the second user accesses the first verifiable statement through data communication with the first service end. Further, in one or more embodiments of the present disclosure, the first user and the second user may also correspond to different first service ends, for example, the first user is a user of a first federation chain and the second user is a user of a second federation chain, where the first federation chain is different from the second federation chain; at this time, the second user does not have authority to perform data communication with the first server, and accesses the first verifiable statement through the second server. Specifically, as shown in fig. 8, after step S106, the method further includes:
Step S114, receiving an acquisition request of the authorization information sent by the second server; the acquisition request comprises first digital identity information and first identification information;
Step S116, if the associated authorization record information is queried from the first blockchain according to the first digital identity information and the first identification information, transmitting the authorization information in the authorization record information to the second server; and the second server side stores the authorization information in the second blockchain, and when receiving a third access request of the verifiable statement sent by the second user, sends the first verifiable statement in the authorization information stored in the second blockchain to the second user.
Specifically, after the first server side sends authorization success information to the first user, the first user sends a data migration request to the second server side; the second server side sends an acquisition request of authorization information to a first server side corresponding to the first user according to first digital identity information and first identification information of a first verifiable statement included in the data migration request, and stores the authorization information into a second blockchain when receiving the authorization information sent by the first server side, so that when receiving a third access request of the verifiable statement sent by the second user, the second server side sends the first verifiable statement in the authorization information stored in the second blockchain to the second user.
Therefore, when the first user and the second user correspond to different first service ends, the second service end obtains the authorization information from the first service end corresponding to the first user and stores it in the second blockchain based on the data migration request of the first user; the second user then communicates with the second server to access the first verifiable claim.
Further, as described above, the second service side provides the issuing service of the verifiable statement, and correspondingly, before step S102, the method further includes:
Receiving a first verifiable statement sent by a second server side, and storing the first verifiable statement; the first verifiable statement is generated by the second server based on an application request of the verifiable statement sent by the first user.
The first verifiable statement may be saved into the first blockchain, or may be saved into a local database.
Further, the first user may further access the first verifiable claim, and accordingly, after storing the first verifiable claim, the method may further include:
receiving a second access request of the verifiable statement sent by the first user, wherein the second access request comprises first identification information; and acquiring a first verifiable statement corresponding to the stored first identification information, and transmitting the acquired first verifiable statement to the first user.
Optionally, in order to make the access record of the first verifiable claim traceable, after sending the acquired first verifiable claim to the first user, the method further comprises: and generating access record information according to the first identification information, the second digital identity information of the first user, the receiving time of the second access request and the like, and storing the access record information into the first blockchain.
In practical application, when the user does not need to use the verifiable statement for a certain period of time, in order to avoid other people from stealing the verifiable statement, the user also has processing requirements of freezing, revoking and the like on the verifiable statement so as to change the state of the verifiable statement. Based on this, in one or more embodiments of the present disclosure, the first service side may further perform a corresponding change process on the state of the first verifiable statement based on the processing request of the first user, and specifically, as shown in fig. 9, the method further includes:
Step S202, receiving a processing request of a verifiable statement sent by a first user; the processing request is used for requesting any one of revocation processing, freezing processing and unfreezing processing of the first verifiable statement; processing the request includes first identification information of a first verifiable claim;
wherein the processing request further includes processing type information;
Step S204, if the first verifiable statement is determined to meet the preset processing conditions, changing the state information of the first verifiable statement according to the processing request;
Specifically, according to the different states of the verifiable statement required by different processing types, in one or more embodiments of the present disclosure, an association relationship between processing type information and state information is preset; for example, the state information associated with processing type information 1 (representing revocation processing) is valid or temporarily disabled, the state information associated with processing type information 2 (representing freezing processing) is valid, and the state information associated with processing type information 3 (representing unfreezing processing) is temporarily disabled. Accordingly, step S204 includes: acquiring the state information of the current state of the first verifiable statement, and if the acquired state information matches the state information associated with the preset processing type information, determining that the first verifiable statement meets the preset processing condition; or acquiring the state information of the current state of the first verifiable statement and the processing frequency of the first user on the first verifiable statement within a preset duration, and if the acquired state information matches the state information associated with the preset processing type information and the processing frequency is smaller than a preset frequency, determining that the first verifiable statement meets the preset processing condition.
The state information of the current state of the first verifiable statement is acquired as follows: the latest associated change record information is queried from the first blockchain according to the first identification information of the first verifiable statement, and the state information of the current state of the first verifiable statement is acquired from the queried change record information.
Further, acquiring the processing frequency of the first user on the first verifiable statement within the preset duration includes: determining a first query time from the current time and the preset duration, querying from the first blockchain the target change record information which is associated with the first identification information and whose timestamp lies within the first query time, counting the number of items of target change record information, and determining the counted number as the processing frequency of the first user on the first verifiable statement within the preset duration. The preset duration and the preset frequency can be set as needed in practical application; for example, if the preset duration is 30 minutes and the current time is 09:25 on 25 October 2019, the corresponding first query time is 08:55 to 09:25 on 25 October 2019.
Further, in order to avoid another person masquerading as the first user to freeze the first verifiable statement, in one or more embodiments of the present disclosure, step S204 may further include: sending an authentication request to the first client so that the first client collects identity verification information of the first user; if the identity verification of the first user passes according to the identity verification information sent by the first client, determining that the first verifiable statement meets the preset processing condition, and changing the state information of the first verifiable statement according to the processing request.
The identity verification information can be any one or more kinds of biometric information, such as a face, a fingerprint or an iris; correspondingly, the first server matches the identity verification information sent by the first client against the identity information of the user stored in a designated database; if the matching succeeds, the identity verification of the first user is determined to pass, and if the matching fails, the identity verification of the first user is determined to fail and a request failure result is sent to the first client. The designated database can be a database of the first service end: when the first user registers on the first client, the identity verification information of the first user is collected through the first client and stored in the database, so that the database is valid and effective. The designated database may also be a database of a designated institution, where the designated institution is a trusted third-party institution with authority and legality that stores the identity information of users in its database, and the database is accessed to verify the identity verification information of the users; the designated institution is, for example, a public security authority.
Further, when the security level of the content involved in the first verifiable statement is low, for example when the statement proves that the first user is entitled to participate in a certain charitable activity, the identity verification information can also be verification information in the form of a verification code; correspondingly, the first server matches the verification code returned by the first client against the verification code stored by the first server; if the matching succeeds, the identity verification of the first user is determined to pass, and if the matching fails, the identity verification of the first user is determined to fail and request failure result information is sent to the first client so that the first client can display it.
Step S206, generating change record information according to the first identification information and the changed state information, and storing the change record information in the first blockchain.
Specifically, the first identification information, the changed state information, the processing type information, the processing time and the like are recorded in association, and the recorded information is used as the change record information; the change record information is saved to the first blockchain.
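The preset processing conditions of step S204 and the change record of step S206, as an added Go example that is not the patent's code: the in-memory Ledger stands in for the first blockchain, the three processing types and their associated states follow the page's example, a statement with no change record is assumed to be valid, and revocation is assumed to lead to a terminal revoked state.

```go
package main

import (
	"errors"
	"fmt"
	"time"
)

// State information a first verifiable statement can have, and the processing
// type information numbered as in the page's example.
const (
	StateValid   = "valid"
	StateFrozen  = "temporarily disabled"
	StateRevoked = "revoked" // assumed terminal state after revocation processing
	TypeRevoke   = 1
	TypeFreeze   = 2
	TypeUnfreeze = 3
)

// allowedFrom is the preset association between processing type information
// and the state information the statement must currently have.
var allowedFrom = map[int][]string{
	TypeRevoke:   {StateValid, StateFrozen},
	TypeFreeze:   {StateValid},
	TypeUnfreeze: {StateFrozen},
}

var resultState = map[int]string{TypeRevoke: StateRevoked, TypeFreeze: StateFrozen, TypeUnfreeze: StateValid} // changed state per type

// ChangeRecord is the change record information of step S206.
type ChangeRecord struct {
	ClaimID   string    // first identification information
	State     string    // changed state information
	Type      int       // processing type information
	Timestamp time.Time // processing time
}

// Ledger stands in for the first blockchain: an append-only list of change records.
type Ledger struct{ Records []ChangeRecord }

// ProcessingRequest is the request of step S202.
type ProcessingRequest struct{ ClaimID string; Type int }

// CurrentState queries the latest associated change record; a statement with no
// change record yet is taken to be valid (assumption: freshly issued).
func (l *Ledger) CurrentState(claimID string) string {
	for i := len(l.Records) - 1; i >= 0; i-- {
		if l.Records[i].ClaimID == claimID {
			return l.Records[i].State
		}
	}
	return StateValid
}

// ProcessingFrequency counts the target change records whose timestamp lies in
// the first query time [now-window, now], e.g. 08:55 to 09:25 for a 30 minute window.
func (l *Ledger) ProcessingFrequency(claimID string, now time.Time, window time.Duration) int {
	start := now.Add(-window)
	n := 0
	for _, r := range l.Records {
		if r.ClaimID == claimID && !r.Timestamp.Before(start) && !r.Timestamp.After(now) {
			n++
		}
	}
	return n
}

// Process implements steps S204 and S206 with both preset conditions: the
// current state must match a state associated with the processing type, and
// the processing frequency within the preset duration must stay below maxFreq.
func (l *Ledger) Process(req ProcessingRequest, now time.Time, window time.Duration, maxFreq int) (ChangeRecord, error) {
	states, ok := allowedFrom[req.Type]
	if !ok {
		return ChangeRecord{}, errors.New("unknown processing type information")
	}
	cur := l.CurrentState(req.ClaimID)
	matched := false
	for _, s := range states {
		matched = matched || s == cur
	}
	if !matched {
		return ChangeRecord{}, fmt.Errorf("state %q does not allow processing type %d", cur, req.Type)
	}
	if f := l.ProcessingFrequency(req.ClaimID, now, window); f >= maxFreq {
		return ChangeRecord{}, fmt.Errorf("%d changes in the last %s reach the preset frequency %d", f, window, maxFreq)
	}
	rec := ChangeRecord{ClaimID: req.ClaimID, State: resultState[req.Type], Type: req.Type, Timestamp: now}
	l.Records = append(l.Records, rec) // step S206: save the change record information
	return rec, nil
}

func main() {
	// Constructed walk-through at the page's example time with a 30 minute duration.
	now := time.Date(2019, 10, 25, 9, 25, 0, 0, time.UTC)
	l := &Ledger{}
	for _, req := range []ProcessingRequest{{"vc-demo-001", TypeFreeze}, {"vc-demo-001", TypeFreeze}, {"vc-demo-001", TypeUnfreeze}} {
		rec, err := l.Process(req, now, 30*time.Minute, 3)
		fmt.Printf("type %d -> state %q err=%v\n", req.Type, rec.State, err)
	}
}
```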
Further, the first user may also query the history of change records, and accordingly, as shown in fig. 10, step S206 may further include:
Step S208, receiving a change record query request sent by a first user, wherein the change record query request comprises first identification information and second query time;
the second query time is time period information to be queried.
Step S210, querying the corresponding change record information from the second blockchain according to the first identification information and the second query time;
step S212, a query result is generated according to the queried change record information, and the query result is sent to the first user.
Therefore, the first user can send a processing request to the corresponding first server as needed, requesting that the first verifiable statement be frozen, revoked and so on, which not only realizes effective management of the verifiable statement but also avoids the risk of the first verifiable statement being stolen by others; by storing the change record information in the first blockchain, effective traceability and querying of the change records are realized.
It should be noted that, when the first server is not a node in the first blockchain, the above steps of obtaining data from the first blockchain and storing data in the first blockchain may be performed through the corresponding first blockchain node.
In one or more embodiments of the present disclosure, when the first service end receives an authorization request sent by the first client, authorization record information is generated according to the authorization information in the authorization request and stored in the first blockchain; the authorization information is generated based on the first verifiable statement and the public key corresponding to the first digital identity information of the second user, which was acquired from the second server in advance. Therefore, access authorization of the verifiable statement is realized, and the requirement that a user grants access rights to a verifiable statement to other users in different service scenarios is met; and by storing the authorization record information in the blockchain, not only is the validity of the authorization ensured, but the authorization record is also traceable and the granted access right can be effectively verified.
Corresponding to the verifiable statement-based authorization processing method described in the above fig. 3 to 10, based on the same technical concept, one or more embodiments of the present disclosure further provide another verifiable statement-based authorization processing method, and fig. 11 is a schematic flow diagram of another verifiable statement-based authorization processing method provided in one or more embodiments of the present disclosure, where the method in fig. 11 can be executed by the second server in fig. 1; as shown in fig. 11, the method includes the steps of:
step S302, a key acquisition request sent by a first user is received, wherein the key acquisition request comprises first digital identity information of a second user;
step S304, a public key corresponding to the first digital identity information is obtained from the second blockchain;
Step S306, the obtained public key is sent to the first user, so that the first user grants the second user access right to the first verifiable statement of the first user based on the received public key.
In one or more embodiments of the present disclosure, when receiving a key obtaining request sent by a first user, a second server obtains a corresponding public key from a second blockchain and sends the public key to the first user, so that the first user may grant the second user access rights to a first verifiable statement of the first user based on the public key. Therefore, the access authorization of the verifiable statement is realized, and the authorization requirement that the user grants the access authority of the verifiable statement to other users in different service scenes is met.
In order to grant access rights to the first verifiable statement to the second user, the second user applies for the first digital identity information and a public-private key pair corresponding to the first digital identity information from the second server in advance, and the public key is stored in a first document corresponding to the first digital identity information. Accordingly, as shown in FIG. 12, in one or more embodiments of the present disclosure, step S304 includes the following step S304-2;
step S304-2, according to the first digital identity information, inquiring the associated first document from the second blockchain, and acquiring the public key from the inquired first document.
After the first user has granted the second user access, the second user may access the first verifiable claim. Specifically, when the first user corresponds to the same first service end as the second user, the second user first obtains the access address of the first service end from the second service end, and performs data communication with the first service end according to the access address to access the first verifiable statement. Correspondingly, as shown in fig. 13, after step S306, the method further includes:
step S308, receiving an address inquiry request sent by a second user; wherein the address query request includes first digital identity information of the second user;
step S310, inquiring the associated first document from the second blockchain according to the first digital identity information, and acquiring the access address of the first service end from the first document;
step S312, the acquired access address is sent to the second user, so that the second user sends a first access request of the verifiable statement to the first service end according to the access address to request to access the first verifiable statement.
When receiving an address query request sent by the second user, the second service end obtains the corresponding access address and sends it to the second user, so that the second user can send a first access request of the verifiable statement to the corresponding first service end according to the access address, and access to the first verifiable statement is achieved.
Further, when the first user and the second user correspond to different first service ends, that is, when the second user does not have the communication right of the first service end corresponding to the first user, access to the first verifiable statement can be achieved through the second service end. Specifically, as shown in fig. 14, step S306 further includes the following steps S314 to S318:
Step S314, obtaining the authorization information of the access right from the first server corresponding to the first user; the authorization information is sent by the first user to the first service end, so that the first service end stores authorization record information into the first blockchain according to the authorization information; the authorization information is generated based on the public key corresponding to the first digital identity information of the second user and the first verifiable statement;
specifically, as shown in fig. 15, step S314 may include:
Step S314-2, if a data migration request sent by a first user is received, sending an acquisition request of authorization information to a first service end corresponding to the first user according to first digital identity information and first identification information of a first verifiable statement included in the data migration request; the first service end obtains associated authorization record information from the first block chain according to the first digital identity information and the first identification information, and returns authorization information in the authorization record information;
step S314-4, receiving the authorization information sent by the first server.
Specifically, when the first user receives the authorization success information sent by the first service end, a data migration request is sent to the second service end according to the first digital identity information and the first identification information, so that the second service end sends an acquisition request of the authorization information to the first service end corresponding to the first user, the authorization information is migrated from the first blockchain to the second blockchain, and the second user sends a third access request to the second service end to access the first verifiable statement.
Step S316, the authorization information is stored in the second blockchain;
Step S318, when a third access request of the verifiable statement sent by the second user is received, the first verifiable statement in the authorization information stored in the second blockchain is sent to the second user.
When the first user and the second user correspond to different first service ends, the second service end obtains the authorization information from the first service end based on the data migration request of the first user, so that the authorization information is migrated from the first blockchain to the second blockchain and the second user can perform data communication with the second service end, and access to the first verifiable statement is thereby achieved.
Further, in order to ensure the privacy of the first verifiable statement, in one or more embodiments of the present disclosure, the first verifiable statement is encrypted by using an envelope encryption method, and accordingly, as shown in fig. 16, step S314 may include the following steps S314-6:
Step S314-6, obtaining the authorization information of the access right from the first server corresponding to the first user; the authorization information is sent by the first user to the first service end, so that the first service end stores authorization record information into the first blockchain according to the authorization information; the authorization information includes the ciphertext of the first verifiable claim and the ciphertext of the first key; the ciphertext of the first verifiable statement is obtained by encrypting the first verifiable statement according to a first key; the ciphertext of the first key is obtained by encrypting the first key according to the public key corresponding to the first digital identity;
Correspondingly, as shown in fig. 16, step S318 includes the following steps S318-2:
Step S318-2, when a third access request of the verifiable statement sent by the second user is received, the ciphertext of the first verifiable statement and the ciphertext of the first key in the authorization information stored in the second blockchain are sent to the second user, so that the second user decrypts the ciphertext of the first key according to the private key corresponding to the first digital identity information to obtain the first key, and decrypts the ciphertext of the first verifiable statement according to the first key to obtain the first verifiable statement.
In order to prove that the second user has access to the first verifiable claim, in one or more embodiments of the present disclosure, the second server may further generate a verifiable claim after obtaining the authorization information to prove that the second user has access to the first verifiable claim in the authorization information. Specifically, as shown in fig. 17, step S316 may include the following steps S316-2 and S316-4:
Step S316-2, generating a second verifiable statement according to the authorization information, and storing the second verifiable statement and second identification information of the second verifiable statement in a second blockchain in a correlated manner;
the second verifiable claim can further comprise first digital identity information of the second user and the like so as to represent that the second user has access rights to the first verifiable claim of the authorization information.
Step S316-4, the second identification information is sent to the second user, so that the second user sends a third access request according to the second identification information;
In correspondence thereto, as shown in fig. 17, step S318 includes the following steps S318-4 and S318-6:
step S318-4, when a third access request of the verifiable statement sent by the second user is received, acquiring a second verifiable statement stored in association from a second blockchain according to second identification information in the third access request;
and step S318-6, acquiring authorization information from the second verifiable statement, and if the current time is determined not to exceed the deadline in the authorization information, transmitting the first verifiable statement in the authorization information to the second user.
The expiration time is the valid expiration time, designated by the first user, of the access right granted to the second user; when the expiration time is reached, the granted access right is disabled.
Thus, by generating the second verifiable statement including the authorization information and transmitting the first verifiable statement in the authorization information included in the second verifiable statement to the second user when the third access request transmitted by the second user is received, the second user is enabled to access the first verifiable statement.
Further, in one or more embodiments of the present disclosure, as shown in fig. 18, the step S316 may further include the following steps S316-6 to S316-10:
Step S316-6, generating a third verifiable statement according to the first digital identity information; wherein the third verifiable claim is used to prove that the second user has access to the first verifiable claim in the authorization information;
Wherein the third verifiable claim may also include fields, etc. that characterize having access rights.
Step S316-8, the authorization information, the third verifiable statement and the third identification information of the third verifiable statement are stored in a second blockchain in a correlated manner;
Step S316-10, third identification information is sent to the second user, so that the second user sends a third access request according to the third identification information;
correspondingly, as shown in fig. 18, step S318 may include the following steps S318-8 and S318-10:
Step S318-8, when a third access request of the verifiable statement sent by the second user is received, obtaining the associated and stored authorization information and the third verifiable statement from the second blockchain according to third identification information in the third access request;
step S318-10, if it is determined that the first digital identity information in the third access request matches the first digital identity information in the third verifiable claim and the current time does not exceed the deadline in the authorization information, the first verifiable claim in the authorization information is sent to the second user.
Therefore, by generating the third verifiable statement to prove that the second user has the access right to the first verifiable statement, and by matching the first digital identity information in the third access request against the first digital identity information in the third verifiable statement when the third access request is received, the identity of the second user is verified and the second user is enabled to access the first verifiable statement.
Further, in order to make the access record traceable, in one or more embodiments of the present disclosure, after sending the first verifiable statement in the authorization information to the second user, the method further includes: generating access record information of the first verifiable statement according to the identification information of the second verifiable statement or the third verifiable statement, the first digital identity information, the receiving time of the third access request and the like; and saving the access record information to the second blockchain.
As described above, the second server provides the issuing service of verifiable statements. Correspondingly, as shown in fig. 19, before step S302, the method may further include:
Step S300-2, receiving an application request of a verifiable statement sent by a first user; wherein the application request comprises application information and storage information;
The storage information is used to characterize the storage location of the first verifiable statement. The first user may store the first verifiable statement on a corresponding first server as required, or may choose self-keeping, in which case the second server sends the generated first verifiable statement to the second client of the second user.
Step S300-4, generating a first verifiable statement according to the application information;
Step S300-6, sending the generated first verifiable statement to the corresponding first server according to the storage information, so that the first server stores the first verifiable statement.
Further, after step S300-4, the method may further include: generating issuing record information of the verifiable statement according to the first identification information of the first verifiable statement, the second digital identity information of the first user and the like; and saving the issuing record information in the second blockchain.
Further, on the basis of any one of the above embodiments, the second server may further receive an application request for digital identity information sent by the first user or the second user, generate the corresponding digital identity information together with a document and a public-private key pair corresponding to the digital identity information, send the digital identity information and the private key to the corresponding user, store the generated public key in the generated document, and store the generated document and the digital identity information in the second blockchain in correspondence.
It should be noted that, when the second server is not a node of the second blockchain, the above steps of obtaining data from the second blockchain and storing data in the second blockchain may be performed by the corresponding second blockchain node.
In one or more embodiments of the present disclosure, when receiving a key acquisition request sent by a first user, the second server acquires the corresponding public key from the second blockchain and sends the public key to the first user, so that the first user can grant the second user the access right to the first verifiable statement of the first user based on the public key. Therefore, access authorization for the verifiable statement is realized, and the requirement that a user grant the access right of the verifiable statement to other users in different service scenarios is met.
Corresponding to the verifiable statement-based authorization processing method described in fig. 3 to 10 above, one or more embodiments of the present disclosure further provide, based on the same technical concept, a verifiable statement-based authorization processing device. Fig. 20 is a schematic block diagram of a verifiable statement-based authorization processing device provided by one or more embodiments of the present disclosure; the device is configured to perform the verifiable statement-based authorization processing method described in fig. 3 to 10, and as shown in fig. 20, the device includes:
A receiving module 401, configured to receive an authorization request sent by a first user; wherein the authorization request is used for requesting that a second user be granted the access right to a first verifiable statement of the first user; the authorization request comprises authorization information, and the authorization information is generated based on the first verifiable statement and a public key corresponding to first digital identity information of the second user;
A generation module 402, configured to generate authorization record information according to the authorization information and first identification information of the first verifiable statement;
A sending module 403, configured to store the authorization record information in a first blockchain and send authorization success information to the first user.
According to the verifiable statement-based authorization processing device provided by one or more embodiments of the present disclosure, when an authorization request sent by a first user is received, authorization record information is generated according to the authorization information in the authorization request, and the authorization record information is stored in a first blockchain; the authorization information is generated based on the first verifiable statement and a public key, acquired in advance from the second server, corresponding to the first digital identity information of the second user. Therefore, access authorization for the verifiable statement is realized, and the requirement that a user grant the access right of the verifiable statement to other users in different service scenarios is met; moreover, by storing the authorization record information in the blockchain, the validity of the authorization is ensured, the authorization record is traceable, and the granted access right can be effectively verified.
Optionally, the second user corresponds to the same first server as the first user; the authorization record information further includes the first digital identity information; and the apparatus further comprises a first query module;
The receiving module 401 is further configured to receive a first access request of the verifiable statement sent by the second user after the sending module 403 sends the authorization success information to the first user; wherein the first access request includes the first digital identity information and the first identification information;
The first query module is configured to query the associated authorization record information from the first blockchain according to the first digital identity information and the first identification information, and send the first verifiable statement in the queried authorization record information to the second user.
Optionally, the authorization information includes the ciphertext of the first verifiable statement and the ciphertext of a first key; wherein the ciphertext of the first verifiable statement is obtained by encrypting the first verifiable statement with the first key, and the ciphertext of the first key is obtained by encrypting the first key with the public key;
The first query module is configured to send the ciphertext of the first verifiable statement and the ciphertext of the first key in the queried authorization record information to the second user, so that the second user decrypts the ciphertext of the first key with the private key corresponding to the first digital identity information to obtain the first key, and decrypts the ciphertext of the first verifiable statement with the first key to obtain the first verifiable statement.
Optionally, the first access request further includes first signature data obtained by signing specified data with the private key corresponding to the first digital identity information;
The first query module is configured to acquire the public key corresponding to the first digital identity information, verify the first signature data with the acquired public key, and, if the verification passes, query the associated authorization record information from the first blockchain according to the first digital identity information and the first identification information.
Optionally, the apparatus further comprises a recording module and a first generation module;
The recording module is configured to record the receiving time of the first access request after the receiving module 401 receives the first access request of the verifiable statement sent by the second user;
The first generation module is configured to generate access record information of the first verifiable statement according to the first identification information, the first digital identity information and the receiving time after the first query module sends the first verifiable statement in the queried authorization record information to the second user, and to store the access record information in the first blockchain.
Optionally, the second user corresponds to a different first server from the first user; the authorization record information further includes the first digital identity information; and the apparatus further comprises a second query module;
The receiving module 401 is further configured to receive an acquisition request for the authorization information sent by the second server after the authorization record information has been stored in the first blockchain; wherein the acquisition request includes the first digital identity information and the first identification information;
The second query module is configured to send the authorization information in the authorization record information to the second server if the associated authorization record information is queried from the first blockchain according to the first digital identity information and the first identification information, so that the second server stores the authorization information in a second blockchain and, when a third access request of the verifiable statement sent by the second user is received, sends the first verifiable statement in the authorization information stored in the second blockchain to the second user.
Optionally, the apparatus further comprises a change module and a second generation module;
The receiving module 401 is further configured to receive a processing request of the verifiable statement sent by the first user; wherein the processing request is used for requesting any one of revocation processing, freezing processing and unfreezing processing of the first verifiable statement, and the processing request comprises the first identification information;
The change module is configured to change the state information of the first verifiable statement according to the processing request if the first verifiable statement meets a preset processing condition;
The second generation module is configured to generate change record information according to the first identification information and the changed state information, and to save the change record information in the first blockchain.
Optionally, the processing request further includes processing type information;
The change module is configured to acquire the state information of the current state of the first verifiable statement, and, if the acquired state information matches the state information associated with the preset processing type information, determine that the first verifiable statement meets the preset processing condition; or
to acquire the state information of the current state of the first verifiable statement and the number of times the first user has processed the first verifiable statement within a preset duration, and, if the acquired state information matches the state information associated with the preset processing type information and that number of times is smaller than a preset number, determine that the first verifiable statement meets the preset processing condition.
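An added example, not code from the patent, of the two preset processing conditions just described: the current state must match the state associated with the processing type, and the first user's processing count on that statement within the preset duration must stay below the preset number; a rejected request leaves the state untouched, and an accepted one yields the change record. The state table, the type and field names, and the in-memory store standing in for the first blockchain are assumptions.

```go
package main

import (
	"errors"
	"fmt"
	"time"
)

type ClaimState string
type ProcessingType string

const (
	StateValid   ClaimState = "valid"
	StateFrozen  ClaimState = "frozen"
	StateRevoked ClaimState = "revoked"

	Revoke   ProcessingType = "revoke"
	Freeze   ProcessingType = "freeze"
	Unfreeze ProcessingType = "unfreeze"
)

// allowedFrom lists the current states each processing type is permitted from,
// resultState the state it leads to. The specification only requires that the
// current state match the state associated with the processing type; this
// table is one assumed instance of that rule.
var (
	allowedFrom = map[ProcessingType][]ClaimState{
		Freeze:   {StateValid},
		Unfreeze: {StateFrozen},
		Revoke:   {StateValid, StateFrozen}, // revocation is final: no path back
	}
	resultState = map[ProcessingType]ClaimState{Freeze: StateFrozen, Unfreeze: StateValid, Revoke: StateRevoked}

	ErrUnknownClaim  = errors.New("unknown first identification information")
	ErrStateMismatch = errors.New("current state does not match the processing type")
	ErrTooFrequent   = errors.New("processing count within the preset duration reached the limit")
)

// ChangeRecord is the change record information that would be saved to the first blockchain.
type ChangeRecord struct {
	ClaimID string
	State   ClaimState
	At      time.Time
}

// ClaimStateStore keeps claim states, the per-user, per-claim processing history
// used for the frequency condition, and the ledger of change records (in memory here).
type ClaimStateStore struct {
	states  map[string]ClaimState
	history map[string][]time.Time // key: user DID + "|" + claim id
	window  time.Duration          // preset duration
	limit   int                    // preset number of processing operations per window
	Ledger  []ChangeRecord
}

func NewClaimStateStore(window time.Duration, limit int) *ClaimStateStore {
	return &ClaimStateStore{states: map[string]ClaimState{}, history: map[string][]time.Time{}, window: window, limit: limit}
}

// Issue registers a freshly issued claim in the valid state.
func (s *ClaimStateStore) Issue(claimID string) { s.states[claimID] = StateValid }

func (s *ClaimStateStore) State(claimID string) ClaimState { return s.states[claimID] }

// Process applies a revocation, freezing or unfreezing request from the first
// user after checking both preset processing conditions, in that order.
func (s *ClaimStateStore) Process(claimID, userDID string, ptype ProcessingType, now time.Time) (ChangeRecord, error) {
	cur, ok := s.states[claimID]
	if !ok {
		return ChangeRecord{}, ErrUnknownClaim
	}
	matched := false
	for _, st := range allowedFrom[ptype] {
		matched = matched || st == cur
	}
	if !matched {
		return ChangeRecord{}, fmt.Errorf("%w: claim %s is %s, request is %s", ErrStateMismatch, claimID, cur, ptype)
	}
	// Keep only this user's processing timestamps for this claim that still fall inside the window.
	key := userDID + "|" + claimID
	recent := s.history[key][:0]
	for _, t := range s.history[key] {
		if now.Sub(t) < s.window {
			recent = append(recent, t)
		}
	}
	s.history[key] = recent
	if len(recent) >= s.limit {
		return ChangeRecord{}, ErrTooFrequent
	}
	s.states[claimID] = resultState[ptype]
	s.history[key] = append(recent, now)
	rec := ChangeRecord{ClaimID: claimID, State: resultState[ptype], At: now}
	s.Ledger = append(s.Ledger, rec)
	return rec, nil
}
```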
Optionally, the apparatus further comprises a storage module;
The receiving module 401 is further configured to receive the first verifiable statement sent by the second server before receiving the authorization request sent by the first user; wherein the first verifiable statement is generated by the second server based on an application request of the verifiable statement sent by the first user;
The storage module is configured to store the first verifiable statement.
Optionally, the apparatus further comprises an acquisition module;
The receiving module 401 is further configured to receive a second access request of the verifiable statement sent by the first user after the storage module stores the first verifiable statement; wherein the second access request includes the first identification information;
The acquisition module is configured to acquire the stored first verifiable statement corresponding to the first identification information;
The sending module 403 is further configured to send the acquired first verifiable statement to the first user.
It should be noted that, in this specification, the embodiment of the verifiable statement-based authorization processing apparatus and the embodiment of the verifiable statement-based authorization processing method are based on the same inventive concept; therefore, for the specific implementation of this embodiment, reference may be made to the corresponding implementation of the verifiable statement-based authorization processing method, and repeated description is omitted.
Further, corresponding to the verifiable statement-based authorization processing method described in fig. 11 to 19, one or more embodiments of the present disclosure further provide, based on the same technical concept, another verifiable statement-based authorization processing device. Fig. 21 is a schematic block diagram of this other verifiable statement-based authorization processing device provided by one or more embodiments of the present disclosure; the device is configured to perform the verifiable statement-based authorization processing method described in fig. 11 to 19, and as shown in fig. 21, the device includes:
A receiving module 501, configured to receive a key acquisition request sent by a first user; wherein the key acquisition request includes first digital identity information of a second user;
A first obtaining module 502, configured to obtain a public key corresponding to the first digital identity information from a second blockchain;
A sending module 503, configured to send the obtained public key to the first user, so that the first user grants the second user the access right to the first verifiable statement of the first user based on the public key.
The verifiable statement-based authorization processing device provided by one or more embodiments of the present disclosure, when receiving a key acquisition request sent by a first user, acquires the corresponding public key from the second blockchain and sends the public key to the first user, so that the first user can grant the second user the access right to the first verifiable statement of the first user based on the public key. Therefore, access authorization for the verifiable statement is realized, and the requirement that a user grant the access right of the verifiable statement to other users in different service scenarios is met.
Optionally, the first obtaining module 502 is configured to query the associated first document from the second blockchain according to the first digital identity information, and to obtain the public key from the queried first document.
Optionally, the first user and the second user correspond to the same first server; the first server is used for storing and managing verifiable statements; and the apparatus further comprises a second acquisition module;
The receiving module 501 is further configured to receive an address query request sent by the second user after the sending module 503 sends the obtained public key to the first user; wherein the address query request includes the first digital identity information of the second user;
The second acquisition module is configured to query the associated first document from the second blockchain according to the first digital identity information, acquire the access address of the first server from the first document, and send the acquired access address to the second user, so that the second user sends a first access request of the verifiable statement to the first server according to the access address to request access to the first verifiable statement.
Optionally, the first user and the second user correspond to different first servers; the first server is used for storing and managing verifiable statements; and the apparatus further comprises a third acquisition module and a storage module;
The third acquisition module is configured to acquire the authorization information of the access right from the first server corresponding to the first user after the sending module 503 sends the obtained public key to the first user; wherein the authorization information is sent by the first user to that first server, so that the first server stores authorization record information in a first blockchain according to the authorization information, and the authorization information is generated based on the public key and the first verifiable statement;
The storage module is configured to store the authorization information in the second blockchain;
The sending module 503 is further configured to send the first verifiable statement in the authorization information to the second user when the receiving module 501 receives a third access request of the verifiable statement sent by the second user.
Optionally, the third acquisition module is configured to, if a data migration request sent by the first user is received, send an acquisition request for the authorization information to the first server corresponding to the first user according to the first digital identity information and the first identification information of the first verifiable statement included in the data migration request, so that the first server obtains the associated authorization record information from the first blockchain according to the first digital identity information and the first identification information and returns the authorization information in the authorization record information; and to receive the authorization information sent by the first server.
Optionally, the authorization information includes the ciphertext of the first verifiable statement and the ciphertext of a first key; wherein the ciphertext of the first verifiable statement is obtained by encrypting the first verifiable statement with the first key, and the ciphertext of the first key is obtained by encrypting the first key with the public key;
The sending module 503 is configured to send the ciphertext of the first verifiable statement and the ciphertext of the first key to the second user, so that the second user decrypts the ciphertext of the first key with the private key corresponding to the first digital identity information to obtain the first key, and decrypts the ciphertext of the first verifiable statement with the first key to obtain the first verifiable statement.
Optionally, the authorization information further includes the expiration time of the access right;
The storage module is configured to generate a second verifiable statement according to the authorization information, to store the second verifiable statement and second identification information of the second verifiable statement in the second blockchain in association, and to send the second identification information to the second user, so that the second user sends the third access request according to the second identification information;
The sending module 503 is configured to obtain, from the second blockchain, the second verifiable statement stored in association according to the second identification information in the third access request, obtain the authorization information from the second verifiable statement, and, if it is determined that the current time does not exceed the deadline in the authorization information, send the first verifiable statement in the authorization information to the second user.
Optionally, the authorization information further includes the expiration time of the access right;
The storage module is configured to generate a third verifiable statement according to the first digital identity information, wherein the third verifiable statement is used to prove that the second user has the access right to the first verifiable statement in the authorization information; to store the authorization information, the third verifiable statement and third identification information of the third verifiable statement in the second blockchain in association; and to send the third identification information to the second user, so that the second user sends the third access request according to the third identification information;
The sending module 503 is configured to obtain, from the second blockchain, the authorization information and the third verifiable statement stored in association according to the third identification information in the third access request, and, if the first digital identity information in the third access request matches the first digital identity information in the third verifiable statement and the current time does not exceed the deadline in the authorization information, send the first verifiable statement in the authorization information to the second user.
Optionally, the apparatus further comprises a generation module;
The receiving module 501 is further configured to receive an application request of a verifiable statement sent by the first user before receiving the key acquisition request sent by the first user; wherein the application request comprises application information and storage information;
The generation module is configured to generate the first verifiable statement according to the application information, and to send the generated first verifiable statement to the corresponding first server according to the storage information, so that the first server stores the first verifiable statement.
It should be noted that, in this specification, the embodiment of the verifiable statement-based authorization processing apparatus and the embodiment of the verifiable statement-based authorization processing method are based on the same inventive concept; therefore, for the specific implementation of this embodiment, reference may be made to the corresponding implementation of the verifiable statement-based authorization processing method, and repeated description is omitted.
Further, corresponding to the verifiable statement-based authorization processing method described above, one or more embodiments of the present disclosure further provide, based on the same technical concept, a verifiable statement-based authorization processing system. Fig. 22 is a schematic diagram of the composition of a verifiable statement-based authorization processing system provided by one or more embodiments of the present disclosure. As shown in fig. 22, the system comprises a first client 601 of a first user, and a first server 602 and a second server 603 corresponding to the first client 601;
The first client 601 is configured to, in response to an authorization operation by which the first user grants a second user the access right to the first verifiable statement of the first user, send a key acquisition request to the second server 603 according to the first digital identity information of the second user; receive the public key corresponding to the first digital identity information sent by the second server 603; generate authorization information according to the public key and the first verifiable statement; and send an authorization request to the first server 602 according to the authorization information;
The first server 602 is configured to receive the authorization request, generate authorization record information according to the authorization information and the first identification information of the first verifiable statement, store the authorization record information in a first blockchain, and send authorization success information to the first client 601;
The second server 603 is configured to receive the key acquisition request, obtain the public key corresponding to the first digital identity information from a second blockchain, and send the obtained public key to the first client 601.
Optionally, the first client 601 encrypts the first verifiable statement with a specified first key to obtain the ciphertext of the first verifiable statement; encrypts the first key with the public key to obtain the ciphertext of the first key; and generates the authorization information according to the ciphertext of the first verifiable statement and the ciphertext of the first key.
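As an added example, not code from the patent, the following shows the hybrid construction described for the first query module, the sending module 503 and the first client 601: the statement is encrypted under a fresh first key, the first key is encrypted under the public key of the second user's digital identity, a server checks the deadline before releasing the stored record, and only the holder of the matching private key can recover the statement. The cipher choices (AES-256-GCM for the first key, RSA-OAEP with SHA-256 for the key wrap), all names, and the binding of the deadline into the authenticated associated data are assumptions; the specification fixes none of them.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
	"time"
)

// AuthorizationInfo holds what the specification places in the authorization
// information: the ciphertext of the first verifiable statement, the ciphertext
// of the first key, and the expiration time of the access right.
type AuthorizationInfo struct {
	ClaimCiphertext []byte    // AES-256-GCM with the nonce prepended (cipher assumed here)
	KeyCiphertext   []byte    // first key wrapped with RSA-OAEP/SHA-256 (assumed here)
	Deadline        time.Time // expiration time of the access right
}

var ErrExpired = errors.New("access right has expired")
var oaepLabel = []byte("vc-authorization-first-key") // domain separation for the key wrap

// deadlineAAD binds the expiry to the ciphertext as GCM associated data (added
// hardening: a stored record whose Deadline field is altered no longer decrypts).
func deadlineAAD(d time.Time) []byte { return []byte(d.UTC().Format(time.RFC3339)) }

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// NewIdentityKeyPair stands in for the second server issuing a digital identity's key pair (constructed here).
func NewIdentityKeyPair() (*rsa.PrivateKey, error) { return rsa.GenerateKey(rand.Reader, 2048) }

// GenerateAuthorizationInfo is the first client's step: choose a fresh first key, encrypt the
// statement with it, then encrypt the first key with the second user's public key.
func GenerateAuthorizationInfo(claim []byte, secondUserPub *rsa.PublicKey, deadline time.Time) (*AuthorizationInfo, error) {
	firstKey := make([]byte, 32)
	if _, err := rand.Read(firstKey); err != nil {
		return nil, err
	}
	gcm, err := newGCM(firstKey)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	claimCT := gcm.Seal(nonce, nonce, claim, deadlineAAD(deadline))
	keyCT, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, secondUserPub, firstKey, oaepLabel)
	if err != nil {
		return nil, err
	}
	return &AuthorizationInfo{ClaimCiphertext: claimCT, KeyCiphertext: keyCT, Deadline: deadline}, nil
}

// AccessCheck is the server-side gate applied before stored authorization
// information is released in response to a third access request.
func AccessCheck(info *AuthorizationInfo, now time.Time) error {
	if now.After(info.Deadline) {
		return ErrExpired
	}
	return nil
}

// RecoverClaim is the second user's step: unwrap the first key with the private key of the
// first digital identity, then decrypt. Servers and chain nodes holding the record cannot.
func RecoverClaim(info *AuthorizationInfo, secondUserPriv *rsa.PrivateKey) ([]byte, error) {
	firstKey, err := rsa.DecryptOAEP(sha256.New(), nil, secondUserPriv, info.KeyCiphertext, oaepLabel)
	if err != nil {
		return nil, fmt.Errorf("unwrap first key: %w", err)
	}
	gcm, err := newGCM(firstKey)
	if err != nil {
		return nil, err
	}
	ns := gcm.NonceSize()
	if len(info.ClaimCiphertext) < ns {
		return nil, errors.New("claim ciphertext too short")
	}
	return gcm.Open(nil, info.ClaimCiphertext[:ns], info.ClaimCiphertext[ns:], deadlineAAD(info.Deadline))
}

func main() {
	// Constructed sample: the second user's identity key pair and a toy statement.
	secondUser, _ := NewIdentityKeyPair()
	claim := []byte(`{"id":"vc-001","holder":"did:example:first-user"}`)
	info, _ := GenerateAuthorizationInfo(claim, &secondUser.PublicKey, time.Now().Add(24*time.Hour))
	got, err := RecoverClaim(info, secondUser)
	fmt.Printf("gate=%v recovered=%s err=%v\n", AccessCheck(info, time.Now()), got, err)
}
```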
Optionally, as shown in fig. 23, the system further includes a second client 604 of the second user;
The second client 604 is configured to, when the second user corresponds to the same first server as the first user, respond to an access operation of the second user on the verifiable statement by sending an address query request to the second server 603, receiving the access address of the first server 602 sent by the second server 603, and sending a first access request of the verifiable statement to the first server 602 according to the access address; and, when the second user corresponds to a different first server from the first user, respond to the access operation of the second user on the verifiable statement by sending a third access request of the verifiable statement to the second server 603.
According to the verifiable statement-based authorization processing system provided by one or more embodiments of the present disclosure, a first client obtains from a second server the public key corresponding to the first digital identity information of a second user, generates authorization information based on the obtained public key and the first verifiable statement, and sends an authorization request to the first server according to the authorization information, so that the first server stores authorization record information in a first blockchain. Thereby, access authorization for the verifiable statement is realized, and the requirement that a user grant the access right of the verifiable statement to other users in different service scenarios is met; moreover, by storing the authorization record information in the blockchain, the validity of the authorization is ensured, the authorization record is traceable, and the granted access right can be effectively verified.
It should be noted that, in this specification, the embodiment of the verifiable statement-based authorization processing system and the embodiment of the verifiable statement-based authorization processing method are based on the same inventive concept; therefore, for the specific implementation of this embodiment, reference may be made to the corresponding implementation of the verifiable statement-based authorization processing method, and repeated description is omitted.
Further, corresponding to the verifiable statement-based authorization processing method described above, one or more embodiments of the present disclosure further provide, based on the same technical concept, a verifiable statement-based authorization processing device configured to perform the verifiable statement-based authorization processing method described above. Fig. 24 is a schematic structural diagram of a verifiable statement-based authorization processing device provided by one or more embodiments of the present disclosure.
As shown in fig. 24, the verifiable statement-based authorization processing device may vary considerably in configuration or capability. It may include one or more processors 701 and a memory 702, and one or more application programs or data may be stored in the memory 702. The memory 702 may be transient storage or persistent storage. An application program stored in the memory 702 may include one or more modules (not shown in the figure), each of which may include a series of computer-executable instructions for the verifiable statement-based authorization processing device. Still further, the processor 701 may be configured to communicate with the memory 702 and execute the series of computer-executable instructions in the memory 702 on the verifiable statement-based authorization processing device. The verifiable statement-based authorization processing device may also include one or more power supplies 703, one or more wired or wireless network interfaces 704, one or more input/output interfaces 705, one or more keyboards 706, and the like.
In one particular embodiment, a verifiable statement-based authorization processing device includes a memory and one or more programs, wherein the one or more programs are stored in the memory and may include one or more modules, each module may include a series of computer-executable instructions for the verifiable statement-based authorization processing device, and the one or more programs, when executed by one or more processors, comprise computer-executable instructions for:
receiving an authorization request sent by a first user, wherein the authorization request is used for requesting that a second user be granted the access right to a first verifiable statement of the first user; the authorization request comprises authorization information, and the authorization information is generated based on the first verifiable statement and a public key corresponding to first digital identity information of the second user;
generating authorization record information according to the authorization information and first identification information of the first verifiable statement; and
storing the authorization record information in a first blockchain, and sending authorization success information to the first user.
The authorization processing device based on the verifiable statement provided by one or more embodiments of the present disclosure, upon receiving an authorization request sent by a first user, generates authorization record information according to the authorization information in the authorization request and stores the authorization record information in a first blockchain; the authorization information is generated based on the first verifiable statement and a public key corresponding to the first digital identity information of the second user, which is acquired from the second server in advance. Access authorization of the verifiable statement is thereby realized, meeting the requirement that a user grant other users access rights to a verifiable statement in different service scenarios; and because the authorization record information is stored in the blockchain, the validity of the authorization is ensured, the authorization record is traceable, and the granted access right can be effectively verified.
Optionally, when the computer-executable instructions are executed, the second user and the first user correspond to the same first server; the authorization record information further includes the first digital identity information;
after sending the authorization success information to the first user, the method further comprises:
Receiving a first access request of a verifiable statement sent by the second user; wherein the first access request includes the first digital identity information and the first identification information;
And according to the first digital identity information and the first identification information, inquiring the associated authorization record information from the first blockchain, and sending the first verifiable statement in the inquired authorization record information to the second user.
Optionally, when the computer-executable instructions are executed, the authorization information includes: the ciphertext of the first verifiable statement and the ciphertext of the first key; the ciphertext of the first verifiable statement is obtained by encrypting the first verifiable statement with the first key; the ciphertext of the first key is obtained by encrypting the first key with the public key;
Said sending said first verifiable statement in said queried authorization record information to said second user comprises:
and sending the queried ciphertext of the first verifiable statement and the ciphertext of the first key in the authorization record information to the second user, so that the second user decrypts the ciphertext of the first key according to the private key corresponding to the first digital identity information to obtain the first key, and decrypts the ciphertext of the first verifiable statement according to the first key to obtain the first verifiable statement.
Optionally, when the computer-executable instructions are executed, the first access request further includes: first signature data obtained by signing appointed data with a private key corresponding to the first digital identity information;
said querying the associated authorization record information from the first blockchain based on the first digital identity information and the first identification information includes:
Acquiring a public key corresponding to the first digital identity information;
And verifying the first signature data by adopting the obtained public key, and if the verification is passed, inquiring the associated authorization record information from the first blockchain according to the first digital identity information and the first identification information.
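The steps above describe one protocol: the first user encrypts the first verifiable statement under a one-time key, encrypts that key to the public key published for the second user's digital identity, the first server stores the pair as the authorization record, and a later access request is honoured only after its signature verifies under the key resolved for the requesting identity. The Go program below is an added worked example, not code from the patent: the page names no algorithms, so AES-256-GCM for the statement, RSA-OAEP for the key, Ed25519 for the request signature, the map standing in for the first blockchain, the `Resolve` callback standing in for the second blockchain lookup, and the `vc-access|claim|did` format of the signed data are all assumptions of this example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
)

// AuthorizationInfo is the page's authorization information: the claim encrypted
// under a one-time key, plus that key encrypted to the grantee's public key.
type AuthorizationInfo struct{ Nonce, ClaimCiphertext, WrappedKey []byte }

// DIDDocument is the public material a DID resolves to. Assumed key types:
// Ed25519 for signing access requests, RSA-2048 for wrapping the claim key.
type DIDDocument struct {
	SignPub ed25519.PublicKey
	WrapPub *rsa.PublicKey
}

// Identity is one user: DID, public document and the matching private keys.
type Identity struct {
	DID      string
	Doc      DIDDocument
	signPriv ed25519.PrivateKey
	wrapPriv *rsa.PrivateKey
}

func NewIdentity(did string) (*Identity, error) {
	signPub, signPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	wrapPriv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, err
	}
	return &Identity{did, DIDDocument{signPub, &wrapPriv.PublicKey}, signPriv, wrapPriv}, nil
}

var wrapLabel = []byte("vc-authorization-key") // OAEP label: binds the wrapped key to this purpose

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key) // fails only on a bad key length
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// BuildAuthorization is the first user's step: AES-256-GCM over the claim with a
// fresh key and nonce, then RSA-OAEP over that key to the grantee's public key.
func BuildAuthorization(claim []byte, grantee DIDDocument) (AuthorizationInfo, error) {
	buf := make([]byte, 32+12)
	if _, err := rand.Read(buf); err != nil {
		return AuthorizationInfo{}, err
	}
	key, nonce := buf[:32], buf[32:]
	gcm, err := newGCM(key)
	if err != nil {
		return AuthorizationInfo{}, err
	}
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, grantee.WrapPub, key, wrapLabel)
	if err != nil {
		return AuthorizationInfo{}, err
	}
	return AuthorizationInfo{nonce, gcm.Seal(nil, nonce, claim, nil), wrapped}, nil
}

// OpenAuthorization is the second user's step: unwrap the key with the private
// key behind the DID, then decrypt. GCM rejects a tampered ciphertext or nonce.
func (id *Identity) OpenAuthorization(a AuthorizationInfo) ([]byte, error) {
	key, err := rsa.DecryptOAEP(sha256.New(), nil, id.wrapPriv, a.WrappedKey, wrapLabel)
	if err != nil {
		return nil, err
	}
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, a.Nonce, a.ClaimCiphertext, nil)
}

// accessMessage is the "appointed data" the grantee signs; naming both the claim
// and the DID means a captured signature cannot be replayed for another claim.
func accessMessage(claimID, did string) []byte { return []byte("vc-access|" + claimID + "|" + did) }

func (id *Identity) SignAccess(claimID string) []byte {
	return ed25519.Sign(id.signPriv, accessMessage(claimID, id.DID))
}

// RecordKey indexes the first server's records (a map stands in for the first
// blockchain) by claim id and grantee DID.
func RecordKey(claimID, granteeDID string) string { return claimID + "|" + granteeDID }

// HandleAccess is the first server's check: resolve the DID, verify the request
// signature with that key, and only then query the authorization record.
func HandleAccess(records map[string]AuthorizationInfo, resolve func(string) (DIDDocument, bool),
	did, claimID string, sig []byte) (AuthorizationInfo, error) {
	doc, ok := resolve(did)
	if !ok {
		return AuthorizationInfo{}, errors.New("unknown DID")
	}
	if !ed25519.Verify(doc.SignPub, accessMessage(claimID, did), sig) {
		return AuthorizationInfo{}, errors.New("signature verification failed")
	}
	a, ok := records[RecordKey(claimID, did)]
	if !ok {
		return AuthorizationInfo{}, errors.New("no authorization record for this DID and claim")
	}
	return a, nil
}
```

The signed data includes both the claim identifier and the DID. Without that binding, a signature captured from one access request could be replayed for a different claim or presented by a different party, which is exactly what the signature check in the optional step above is meant to exclude; the server also looks up the record only after the signature verifies, so an unsigned request never learns whether a record exists.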
Optionally, the computer executable instructions, when executed, further comprise, after receiving the first access request of the verifiable claim sent by the second user:
Recording the receiving time of the first access request;
After the sending the first verifiable statement in the queried authorization record information to the second user, the method further comprises:
Generating access record information of the first verifiable statement according to the first identification information, the first digital identity information and the receiving time;
And storing the access record information into the first blockchain.
Optionally, when the computer-executable instructions are executed, the second user and the first user correspond to different first servers; the authorization record information further includes the first digital identity information;
after the authorization record information is saved in the first blockchain, the method further includes:
Receiving an acquisition request of the authorization information sent by a second server; wherein the acquisition request includes the first digital identity information and the first identification information;
If associated authorization record information is found in the first blockchain according to the first digital identity information and the first identification information, transmitting the authorization information in the authorization record information to the second server; the second server stores the authorization information in a second blockchain and, when a third access request of the verifiable statement sent by the second user is received, sends the first verifiable statement in the authorization information stored in the second blockchain to the second user.
Optionally, the computer executable instructions, when executed, further comprise:
Receiving a processing request of a verifiable statement sent by the first user; wherein the processing request is used for requesting any one of revocation processing, freezing processing and unfreezing processing of the first verifiable statement; the processing request comprises the first identification information;
if the first verifiable statement meets the preset processing condition, changing the state information of the first verifiable statement according to the processing request;
generating change record information according to the first identification information and the changed state information;
and saving the change record information to a first blockchain.
Optionally, when the computer-executable instructions are executed, the processing request further includes: processing type information;
the determining that the first verifiable statement meets preset processing conditions comprises the following steps:
acquiring state information of the current state of the first verifiable statement, and if the acquired state information matches the preset state information associated with the processing type information, determining that the first verifiable statement meets the preset processing condition; or
acquiring state information of the current state of the first verifiable statement and the number of processing operations performed by the first user on the first verifiable statement within a preset duration, and if the acquired state information matches the preset state information associated with the processing type information and the number of processing operations is less than a preset number, determining that the first verifiable statement meets the preset processing condition.
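The two processing conditions above (the current state must be compatible with the requested processing type, and the holder's processing count on that statement within a preset duration must stay below a preset number) amount to a small state machine with a sliding-window rate limit. The Go program below is an added worked example, not the patent's code: the valid/frozen/revoked states, the transition table (freeze from valid, unfreeze from frozen, revoke from either and terminal), the window keyed by holder and claim, and the slice standing in for the change records on the first blockchain are all assumptions of this example.

```go
package main

import (
	"errors"
	"fmt"
	"time"
)

// ClaimState is the state information kept for a verifiable claim.
type ClaimState string

const (
	StateValid   ClaimState = "valid"
	StateFrozen  ClaimState = "frozen"
	StateRevoked ClaimState = "revoked"
)

// ProcessType is the processing type information carried in a processing request.
type ProcessType string

const (
	Freeze   ProcessType = "freeze"
	Unfreeze ProcessType = "unfreeze"
	Revoke   ProcessType = "revoke"
)

// transitions is the assumed association between a processing type and the
// states it may start from. Revoke appears in no "from" list, so it is terminal.
var transitions = map[ProcessType]struct {
	from []ClaimState
	to   ClaimState
}{
	Freeze:   {[]ClaimState{StateValid}, StateFrozen},
	Unfreeze: {[]ClaimState{StateFrozen}, StateValid},
	Revoke:   {[]ClaimState{StateValid, StateFrozen}, StateRevoked},
}

// ChangeRecord is the change record information written to the first blockchain.
type ChangeRecord struct {
	ClaimID string
	State   ClaimState
	At      time.Time
}

// ClaimRegistry stands in for the first server: current states, per-holder-and-
// claim history for the frequency limit, and the appended change records.
type ClaimRegistry struct {
	states  map[string]ClaimState
	history map[string][]time.Time
	Chain   []ChangeRecord
	Window  time.Duration    // the preset duration
	MaxOps  int              // the preset number of operations per window
	Now     func() time.Time // injected clock so the window can be tested
}

func NewClaimRegistry(window time.Duration, maxOps int, now func() time.Time) *ClaimRegistry {
	return &ClaimRegistry{states: map[string]ClaimState{}, history: map[string][]time.Time{}, Window: window, MaxOps: maxOps, Now: now}
}

// Register stores a newly issued claim in the valid state.
func (r *ClaimRegistry) Register(claimID string) { r.states[claimID] = StateValid }

func (r *ClaimRegistry) State(claimID string) (ClaimState, bool) {
	s, ok := r.states[claimID]
	return s, ok
}

// Process checks both preset processing conditions, then changes the state and
// appends a change record. Requests rejected for state do not count against the quota.
func (r *ClaimRegistry) Process(holderDID, claimID string, typ ProcessType) error {
	cur, ok := r.states[claimID]
	if !ok {
		return errors.New("unknown claim")
	}
	tr, ok := transitions[typ]
	if !ok {
		return fmt.Errorf("unknown processing type %q", typ)
	}
	allowed := false
	for _, s := range tr.from {
		allowed = allowed || s == cur
	}
	if !allowed {
		return fmt.Errorf("cannot %s a claim that is %s", typ, cur)
	}
	now, hk := r.Now(), holderDID+"|"+claimID
	recent := r.history[hk][:0] // keep only operations inside the window
	for _, t := range r.history[hk] {
		if now.Sub(t) < r.Window {
			recent = append(recent, t)
		}
	}
	if len(recent) >= r.MaxOps {
		r.history[hk] = recent
		return errors.New("processing frequency limit reached")
	}
	r.history[hk] = append(recent, now)
	r.states[claimID] = tr.to
	r.Chain = append(r.Chain, ChangeRecord{claimID, tr.to, now})
	return nil
}
```

The frequency limit counts only accepted operations and is keyed by holder and claim, so a holder who alternates freeze and unfreeze cannot append change records to the chain without bound, while a request refused for a state mismatch costs nothing against the quota. Making revocation terminal is the conservative reading of the page's three operations: nothing in the text reverses a revocation, and a verifier that relies on the on-chain state must not see a revoked statement become valid again.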
Optionally, the computer executable instructions, when executed, further comprise, before receiving the authorization request sent by the first user:
Receiving the first verifiable statement sent by the second server; the first verifiable statement is generated by the second server based on an application request of the verifiable statement sent by the first user;
The first verifiable statement is saved.
Optionally, the computer executable instructions, when executed, further comprise, after said saving said first verifiable claim:
Receiving a second access request of the verifiable statement sent by the first user, wherein the second access request comprises the first identification information;
acquiring the first verifiable statement corresponding to the stored first identification information;
and sending the acquired first verifiable statement to the first user.
The authorization processing device based on the verifiable statement provided by one or more embodiments of the present disclosure, upon receiving an authorization request sent by a first user, generates authorization record information according to the authorization information in the authorization request and stores the authorization record information in a first blockchain; the authorization information is generated based on the first verifiable statement and a public key corresponding to the first digital identity information of the second user, which is acquired from the second server in advance. Access authorization of the verifiable statement is thereby realized, meeting the requirement that a user grant other users access rights to a verifiable statement in different service scenarios; and because the authorization record information is stored in the blockchain, the validity of the authorization is ensured, the authorization record is traceable, and the granted access right can be effectively verified.
In another particular embodiment, a verifiable claim-based authorization processing device includes a memory, and one or more programs, wherein the one or more programs are stored in the memory, and wherein the one or more programs may include one or more modules, and wherein each module may include a series of computer-executable instructions for the verifiable claim-based authorization processing device, and wherein execution of the one or more programs by one or more processors comprises computer-executable instructions for:
Receiving a key acquisition request sent by a first user, wherein the key acquisition request comprises first digital identity information of a second user;
Obtaining a public key corresponding to the first digital identity information from a second blockchain;
And sending the obtained public key to the first user so that the first user grants the second user access right to the first verifiable statement of the first user based on the public key.
The authorization processing device based on the verifiable statement provided by one or more embodiments of the present disclosure acquires a corresponding public key from the second blockchain and sends the public key to the first user when receiving a key acquisition request sent by the first user, so that the first user can grant the second user access rights to the first verifiable statement of the first user based on the public key. Therefore, the access authorization of the verifiable statement is realized, and the authorization requirement that the user grants the access authority of the verifiable statement to other users in different service scenes is met.
Optionally, the computer executable instructions, when executed, obtain a public key corresponding to the first digital identity information from the second blockchain, including:
querying the associated first document from the second blockchain according to the first digital identity information;
And obtaining a public key from the queried first document.
Optionally, when the computer-executable instructions are executed, the first user and the second user correspond to the same first server; the first server is used to store and manage verifiable statements;
after the obtained public key is sent to the first user, the method further comprises:
Receiving an address query request sent by the second user; wherein the address query request includes first digital identity information of the second user;
querying the second blockchain for an associated first document according to the first digital identity information;
acquiring an access address of the first service end from the first document;
And sending the acquired access address to the second user, so that the second user sends a first access request of the verifiable statement to the first service end according to the access address to request to access the first verifiable statement.
Optionally, when the computer-executable instructions are executed, the first user and the second user correspond to different first servers; the first server is used to store and manage verifiable statements;
after the obtained public key is sent to the first user, the method further comprises:
acquiring authorization information of the access right from the first server corresponding to the first user; wherein the first user sends the authorization information to that first server, and the first server stores authorization record information in a first blockchain according to the authorization information; the authorization information is generated based on the public key and the first verifiable statement;
saving the authorization information to the second blockchain; and
And when a third access request of the verifiable statement sent by the second user is received, the first verifiable statement in the authorization information is sent to the second user.
Optionally, when the computer executable instructions are executed, the obtaining authorization information of the access right from the first server corresponding to the first user includes:
if a data migration request sent by the first user is received, sending an acquisition request of the authorization information to a first server corresponding to the first user according to the first digital identity information and the first identification information of the first verifiable statement included in the data migration request; the first server side obtains associated authorization record information from the first blockchain according to the first digital identity information and the first identification information, and returns authorization information in the authorization record information;
And receiving the authorization information sent by the first server.
Optionally, when the computer-executable instructions are executed, the authorization information includes: the ciphertext of the first verifiable statement and the ciphertext of the first key; the ciphertext of the first verifiable statement is obtained by encrypting the first verifiable statement with the first key; the ciphertext of the first key is obtained by encrypting the first key with the public key;
said sending said first verifiable claim in said authorization information to said second user comprises:
and sending the ciphertext of the first verifiable statement and the ciphertext of the first key to the second user, so that the second user can decrypt the ciphertext of the first key according to the private key corresponding to the first digital identity information to obtain the first key, and can decrypt the ciphertext of the first verifiable statement according to the first key to obtain the first verifiable statement.
Optionally, when the computer-executable instructions are executed, the authorization information further includes: the expiration time of the access right;
The saving the authorization information into the second blockchain includes:
generating a second verifiable statement according to the authorization information;
storing the second verifiable statement in the second blockchain in association with second identification information of the second verifiable statement;
transmitting the second identification information to the second user so that the second user transmits the third access request according to the second identification information;
said sending said first verifiable claim in said authorization information to said second user comprises:
acquiring the second verifiable statement stored in association from the second blockchain according to the second identification information in the third access request;
Obtaining the authorization information from the second verifiable claim;
and if it is determined that the current time does not exceed the expiration time in the authorization information, sending the first verifiable statement in the authorization information to the second user.
Optionally, when the computer-executable instructions are executed, the authorization information further includes: the expiration time of the access right;
The saving the authorization information into the second blockchain includes:
Generating a third verifiable statement according to the first digital identity information; wherein the third verifiable claim is used to prove that the second user has access to the first verifiable claim in the authorization information;
storing the authorization information, the third verifiable statement and third identification information of the third verifiable statement in the second blockchain in association with one another;
transmitting the third identification information to the second user so that the second user transmits the third access request according to the third identification information;
said sending said first verifiable claim in said authorization information to said second user comprises:
acquiring the authorization information and the third verifiable statement which are stored in an associated way from the second blockchain according to the third identification information in the third access request;
and if the first digital identity information in the third access request matches the first digital identity information in the third verifiable statement and the current time does not exceed the expiration time in the authorization information, sending the first verifiable statement in the authorization information to the second user.
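In both alternatives above (a second verifiable statement that carries the authorization information, or a third verifiable statement that proves the second user's right), the second server's decision on the third access request is the same: the identification information must be known, the requesting digital identity must match the grantee, and the current time must not exceed the expiration time. The Go program below is an added worked example, not the patent's code, covering the cross-server path from the acquisition request to the first server, through storage with an expiration time, to the third access request. The random hex identifier, the map standing in for the second blockchain, the `fetch` callback standing in for the acquisition request to the first server, and the treatment of the authorization information as opaque bytes are assumptions of this example.

```go
package main

import (
	"crypto/rand"
	"encoding/hex"
	"errors"
	"time"
)

// Grant is what the second server stores for one migrated authorization: the
// grantee's digital identity, the claim, the expiration time, and the authorization
// information itself (ciphertext of the claim and of the key; opaque bytes here).
type Grant struct {
	GranteeDID, ClaimID string
	ExpiresAt           time.Time
	AuthorizationInfo   []byte
}

// SecondServer keeps grants under a random identifier, which plays the role of
// the second or third identification information returned to the second user.
type SecondServer struct {
	grants map[string]Grant
	Now    func() time.Time // injected clock so expiry can be tested
}

func NewSecondServer(now func() time.Time) *SecondServer {
	return &SecondServer{grants: map[string]Grant{}, Now: now}
}

var (
	ErrNoGrant  = errors.New("no grant with this identifier")
	ErrWrongDID = errors.New("requester identity does not match the grant")
	ErrExpired  = errors.New("access right has expired")
)

// SaveAuthorization stores authorization information with an expiration time and
// returns the identifier the second user will present in the third access request.
func (s *SecondServer) SaveAuthorization(granteeDID, claimID string, auth []byte, expiresAt time.Time) (string, error) {
	raw := make([]byte, 16)
	if _, err := rand.Read(raw); err != nil {
		return "", err
	}
	grantID := hex.EncodeToString(raw)
	s.grants[grantID] = Grant{granteeDID, claimID, expiresAt, auth}
	return grantID, nil
}

// Migrate is the data-migration path: send the acquisition request (here the
// fetch callback) to the first server for this identity and claim, and store what
// it returns for ttl. A missing record on the first server aborts the migration.
func (s *SecondServer) Migrate(fetch func(granteeDID, claimID string) ([]byte, error),
	granteeDID, claimID string, ttl time.Duration) (string, error) {
	auth, err := fetch(granteeDID, claimID)
	if err != nil {
		return "", err
	}
	return s.SaveAuthorization(granteeDID, claimID, auth, s.Now().Add(ttl))
}

// ThirdAccess answers the third access request: the identifier must exist, the
// requester's identity must match the grantee, and the expiration time must not
// have been exceeded. Identity is checked before expiry so a party that was never
// granted access learns nothing about whether the grant has lapsed.
func (s *SecondServer) ThirdAccess(grantID, requesterDID string) ([]byte, error) {
	g, ok := s.grants[grantID]
	if !ok {
		return nil, ErrNoGrant
	}
	if g.GranteeDID != requesterDID {
		return nil, ErrWrongDID
	}
	if s.Now().After(g.ExpiresAt) {
		return nil, ErrExpired
	}
	return g.AuthorizationInfo, nil
}
```

The comparison uses `After`, so a request arriving at exactly the expiration time is still inside the granted period, matching the "does not exceed" wording above. The identifier is random rather than derived from the claim or the identity, so knowing one grant's identifier gives no way to guess another's; the identity check still has to be made, because the identifier alone is not proof of who is asking.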
Optionally, the computer executable instructions, when executed, further comprise, before receiving the key acquisition request sent by the first user:
receiving an application request of the verifiable statement sent by the first user; the application request comprises application information and storage information;
generating the first verifiable statement according to the application information;
And according to the storage information, the generated first verifiable statement is sent to a corresponding first service end, so that the first service end stores the first verifiable statement.
The authorization processing device based on the verifiable statement provided by one or more embodiments of the present disclosure acquires a corresponding public key from the second blockchain and sends the public key to the first user when receiving a key acquisition request sent by the first user, so that the first user can grant the second user access rights to the first verifiable statement of the first user based on the public key. Therefore, the access authorization of the verifiable statement is realized, and the authorization requirement that the user grants the access authority of the verifiable statement to other users in different service scenes is met.
It should be noted that, in this specification, an embodiment of the authorization processing device based on the verifiable statement and an embodiment of the authorization processing method based on the verifiable statement are based on the same inventive concept, so that a specific implementation of this embodiment may refer to a corresponding implementation of the authorization processing method based on the verifiable statement, and a repetition is omitted.
Further, corresponding to the authorization processing method based on the verifiable statement described above and based on the same technical concept, one or more embodiments of the present disclosure further provide a storage medium for storing computer-executable instructions. In a specific embodiment, the storage medium may be a USB flash drive, an optical disc, a hard disk, or the like, and the computer-executable instructions stored in the storage medium, when executed by a processor, implement the following flow:
receiving an authorization request sent by a first user, wherein the authorization request is used for requesting a second user to grant access rights to a first verifiable statement of the first user; the authorization request comprises authorization information, and the authorization information is generated based on the first verifiable statement and a public key corresponding to first digital identity information of the second user;
Generating authorization record information according to the authorization information and the first identification information of the first verifiable statement;
And storing the authorization record information into a first blockchain, and sending authorization success information to the first user.
When the computer-executable instructions stored in the storage medium provided by one or more embodiments of the present disclosure are executed by the processor, upon receiving an authorization request sent by a first user, authorization record information is generated according to the authorization information in the authorization request and stored in a first blockchain; the authorization information is generated based on the first verifiable statement and a public key corresponding to the first digital identity information of the second user, which is acquired from the second server in advance. Access authorization of the verifiable statement is thereby realized, meeting the requirement that a user grant other users access rights to a verifiable statement in different service scenarios; and because the authorization record information is stored in the blockchain, the validity of the authorization is ensured, the authorization record is traceable, and the granted access right can be effectively verified.
Optionally, when the computer-executable instructions stored in the storage medium are executed by the processor, the second user and the first user correspond to the same first server; the authorization record information further includes the first digital identity information;
after sending the authorization success information to the first user, the method further comprises:
Receiving a first access request of a verifiable statement sent by the second user; wherein the first access request includes the first digital identity information and the first identification information;
And according to the first digital identity information and the first identification information, inquiring the associated authorization record information from the first blockchain, and sending the first verifiable statement in the inquired authorization record information to the second user.
Optionally, when the computer-executable instructions stored in the storage medium are executed by the processor, the authorization information includes: the ciphertext of the first verifiable statement and the ciphertext of the first key; the ciphertext of the first verifiable statement is obtained by encrypting the first verifiable statement with the first key; the ciphertext of the first key is obtained by encrypting the first key with the public key;
Said sending said first verifiable statement in said queried authorization record information to said second user comprises:
and sending the queried ciphertext of the first verifiable statement and the ciphertext of the first key in the authorization record information to the second user, so that the second user decrypts the ciphertext of the first key according to the private key corresponding to the first digital identity information to obtain the first key, and decrypts the ciphertext of the first verifiable statement according to the first key to obtain the first verifiable statement.
Optionally, when the computer-executable instructions stored in the storage medium are executed by the processor, the first access request further includes: first signature data obtained by signing appointed data with a private key corresponding to the first digital identity information;
said querying the associated authorization record information from the first blockchain based on the first digital identity information and the first identification information includes:
Acquiring a public key corresponding to the first digital identity information;
And verifying the first signature data by adopting the obtained public key, and if the verification is passed, inquiring the associated authorization record information from the first blockchain according to the first digital identity information and the first identification information.
Optionally, the computer executable instructions stored on the storage medium, when executed by the processor, further comprise, after receiving the first access request of the verifiable claim sent by the second user:
Recording the receiving time of the first access request;
After the sending the first verifiable statement in the queried authorization record information to the second user, the method further comprises:
Generating access record information of the first verifiable statement according to the first identification information, the first digital identity information and the receiving time;
And storing the access record information into the first blockchain.
Optionally, when the computer-executable instructions stored in the storage medium are executed by the processor, the second user and the first user correspond to different first servers; the authorization record information further includes the first digital identity information;
after the authorization record information is saved in the first blockchain, the method further includes:
Receiving an acquisition request of the authorization information sent by a second server; wherein the acquisition request includes the first digital identity information and the first identification information;
If associated authorization record information is found in the first blockchain according to the first digital identity information and the first identification information, transmitting the authorization information in the authorization record information to the second server; the second server stores the authorization information in a second blockchain and, when a third access request of the verifiable statement sent by the second user is received, sends the first verifiable statement in the authorization information stored in the second blockchain to the second user.
Optionally, the storage medium stores computer executable instructions that, when executed by the processor, further comprise:
Receiving a processing request of a verifiable statement sent by the first user; wherein the processing request is used for requesting any one of revocation processing, freezing processing and unfreezing processing of the first verifiable statement; the processing request comprises the first identification information;
if the first verifiable statement meets the preset processing condition, changing the state information of the first verifiable statement according to the processing request;
generating change record information according to the first identification information and the changed state information;
and saving the change record information to a first blockchain.
Optionally, when the computer-executable instructions stored in the storage medium are executed by the processor, the processing request further includes: processing type information;
the determining that the first verifiable statement meets preset processing conditions comprises the following steps:
acquiring state information of the current state of the first verifiable statement, and if the acquired state information matches the preset state information associated with the processing type information, determining that the first verifiable statement meets the preset processing condition; or
acquiring state information of the current state of the first verifiable statement and the number of processing operations performed by the first user on the first verifiable statement within a preset duration, and if the acquired state information matches the preset state information associated with the processing type information and the number of processing operations is less than a preset number, determining that the first verifiable statement meets the preset processing condition.
Optionally, the computer executable instructions stored on the storage medium, when executed by the processor, further comprise, before the receiving the authorization request sent by the first user:
Receiving the first verifiable statement sent by the second server; the first verifiable statement is generated by the second server based on an application request of the verifiable statement sent by the first user;
The first verifiable statement is saved.
Optionally, the computer executable instructions stored on the storage medium, when executed by the processor, further comprise, after said saving said first verifiable claim:
Receiving a second access request of the verifiable statement sent by the first user, wherein the second access request comprises the first identification information;
acquiring the first verifiable statement corresponding to the stored first identification information;
and sending the acquired first verifiable statement to the first user.
When the computer-executable instructions stored in the storage medium provided by one or more embodiments of the present disclosure are executed by the processor, upon receiving an authorization request sent by a first user, authorization record information is generated according to the authorization information in the authorization request and stored in a first blockchain; the authorization information is generated based on the first verifiable statement and a public key corresponding to the first digital identity information of the second user, which is acquired from the second server in advance. Access authorization of the verifiable statement is thereby realized, meeting the requirement that a user grant other users access rights to a verifiable statement in different service scenarios; and because the authorization record information is stored in the blockchain, the validity of the authorization is ensured, the authorization record is traceable, and the granted access right can be effectively verified.
In another specific embodiment, the storage medium may be a USB flash drive, an optical disc, a hard disk, or the like, and the computer-executable instructions stored in the storage medium, when executed by the processor, implement the following procedure:
Receiving a key acquisition request sent by a first user, wherein the key acquisition request comprises first digital identity information of a second user;
Obtaining a public key corresponding to the first digital identity information from a second blockchain;
And sending the obtained public key to the first user so that the first user grants the second user access right to the first verifiable statement of the first user based on the public key.
One or more embodiments of the present disclosure provide for a storage medium storing computer-executable instructions that, when executed by a processor, upon receiving a key acquisition request sent by a first user, acquire a corresponding public key from a second blockchain and send the public key to the first user such that the first user can grant access to a first verifiable claim of the first user to the second user based on the public key. Therefore, the access authorization of the verifiable statement is realized, and the authorization requirement that the user grants the access authority of the verifiable statement to other users in different service scenes is met.
Optionally, the computer executable instructions stored on the storage medium, when executed by the processor, obtain the public key corresponding to the first digital identity information from the second blockchain, including:
querying the associated first document from the second blockchain according to the first digital identity information;
And obtaining a public key from the queried first document.
Optionally, when the computer executable instructions stored on the storage medium are executed by the processor, the first user and the second user correspond to the same first service end; the first service end is used for storing and managing verifiable statements;
after the obtained public key is sent to the first user, the method further comprises:
Receiving an address query request sent by the second user; wherein the address query request includes first digital identity information of the second user;
querying the second blockchain for an associated first document according to the first digital identity information;
acquiring an access address of the first service end from the first document;
And sending the acquired access address to the second user, so that the second user sends a first access request of the verifiable statement to the first service end according to the access address to request to access the first verifiable statement.
Optionally, when the computer executable instructions stored on the storage medium are executed by the processor, the first user and the second user correspond to different first service ends; the first service end is used for storing and managing verifiable statements;
after the obtained public key is sent to the first user, the method further comprises:
Acquiring authorization information of the access right from the first server corresponding to the first user; the first user sends the authorization information to the first service end, so that the first service end stores authorization record information into a first blockchain according to the authorization information; the authorization information is generated based on the public key and the first verifiable claim;
saving the authorization information to the second blockchain; and
And when a third access request of the verifiable statement sent by the second user is received, the first verifiable statement in the authorization information is sent to the second user.
Optionally, when the computer executable instructions stored in the storage medium are executed by the processor, obtaining the authorization information of the access right from the first server corresponding to the first user includes:
if a data migration request sent by the first user is received, sending an acquisition request of the authorization information to a first server corresponding to the first user according to the first digital identity information and the first identification information of the first verifiable statement included in the data migration request; the first server side obtains associated authorization record information from the first blockchain according to the first digital identity information and the first identification information, and returns authorization information in the authorization record information;
And receiving the authorization information sent by the first server.
Optionally, when the computer executable instructions stored in the storage medium are executed by the processor, the authorization information includes: the ciphertext of the first verifiable claim and the ciphertext of the first key; the ciphertext of the first verifiable statement is obtained by encrypting the first verifiable statement with the first key; the ciphertext of the first key is obtained by encrypting the first key with the public key;
said sending said first verifiable claim in said authorization information to said second user comprises:
and sending the ciphertext of the first verifiable statement and the ciphertext of the first key to the second user, so that the second user can decrypt the ciphertext of the first key according to the private key corresponding to the first digital identity information to obtain the first key, and can decrypt the ciphertext of the first verifiable statement according to the first key to obtain the first verifiable statement.
Optionally, when the computer executable instructions stored in the storage medium are executed by the processor, the authorization information further includes: the expiration time of the access right;
The saving the authorization information into the second blockchain includes:
generating a second verifiable statement according to the authorization information;
storing the second verifiable claim in association with second identification information of the second verifiable claim in the second blockchain;
transmitting the second identification information to the second user so that the second user transmits the third access request according to the second identification information;
said sending said first verifiable claim in said authorization information to said second user comprises:
acquiring the second verifiable statement stored in association from the second blockchain according to the second identification information in the third access request;
Obtaining the authorization information from the second verifiable claim;
and if it is determined that the current time does not exceed the expiration time in the authorization information, sending the first verifiable statement in the authorization information to the second user.
Optionally, when the computer executable instructions stored in the storage medium are executed by the processor, the authorization information further includes: the expiration time of the access right;
The saving the authorization information into the second blockchain includes:
Generating a third verifiable statement according to the first digital identity information; wherein the third verifiable claim is used to prove that the second user has access to the first verifiable claim in the authorization information;
storing the authorization information, the third verifiable claim and third identification information of the third verifiable claim in association in the second blockchain;
transmitting the third identification information to the second user so that the second user transmits the third access request according to the third identification information;
said sending said first verifiable claim in said authorization information to said second user comprises:
acquiring the authorization information and the third verifiable statement which are stored in an associated way from the second blockchain according to the third identification information in the third access request;
and if the first digital identity information in the third access request matches the first digital identity information in the third verifiable statement and the current time does not exceed the expiration time in the authorization information, sending the first verifiable statement in the authorization information to the second user.
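The envelope encryption described above (a first key encrypts the verifiable statement, the public key of the second user's digital identity encrypts the first key) and the checks the service end applies before releasing the ciphertexts (the requesting identity must match the record, and the current time must not exceed the expiration time) can be shown end to end. The Go program below is an added example, not code from the patent or from any implementation of it. It assumes AES-256-GCM for the first key and RSA-OAEP with SHA-256 for wrapping it (the page does not name the algorithms), models the blockchain of authorization records as an in-memory map, and uses constructed DIDs, claim identifiers and a constructed sample claim.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
	"time"
)

// AuthorizationInfo is the page's "authorization information": ciphertext of the
// first verifiable claim, ciphertext of the first key and the expiration time.
type AuthorizationInfo struct {
	GranteeDID  string    // first digital identity information of the second user
	ClaimID     string    // first identification information of the claim
	ClaimCipher []byte    // AES-256-GCM, nonce prefixed (cipher choice is assumed)
	KeyCipher   []byte    // RSA-OAEP/SHA-256 ciphertext of the first key (assumed)
	ExpiresAt   time.Time // expiration time of the access right
}

type Ledger map[string]AuthorizationInfo // stands in for the blockchain of authorization records
func recordKey(did, claimID string) string { return did + "|" + claimID }

// Grant is the first user's side: envelope-encrypt the claim under a fresh first
// key, then encrypt that key under the public key fetched for the grantee's DID.
// The (DID, claim id) pair is bound in as associated data on both layers.
func Grant(claim []byte, claimID, granteeDID string, pub *rsa.PublicKey, expiresAt time.Time) (AuthorizationInfo, error) {
	buf := make([]byte, 32+12) // 256-bit first key followed by a 96-bit GCM nonce
	if _, err := rand.Read(buf); err != nil {
		return AuthorizationInfo{}, err
	}
	firstKey, nonce := buf[:32], buf[32:]
	gcm, err := newGCM(firstKey)
	if err != nil {
		return AuthorizationInfo{}, err
	}
	aad := []byte(recordKey(granteeDID, claimID))
	keyCipher, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, firstKey, aad)
	if err != nil {
		return AuthorizationInfo{}, err
	}
	return AuthorizationInfo{
		GranteeDID: granteeDID, ClaimID: claimID, ExpiresAt: expiresAt,
		ClaimCipher: gcm.Seal(nonce, nonce, claim, aad), KeyCipher: keyCipher,
	}, nil
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Access is the service end's side: the requesting identity must match the record
// and the current time must not exceed the expiration time before anything is returned.
func (l Ledger) Access(requesterDID, claimID string, now time.Time) (AuthorizationInfo, error) {
	info, ok := l[recordKey(requesterDID, claimID)]
	if !ok || info.GranteeDID != requesterDID {
		return AuthorizationInfo{}, errors.New("no authorization record for this identity and claim")
	}
	if !now.Before(info.ExpiresAt) {
		return AuthorizationInfo{}, errors.New("access right has expired")
	}
	return info, nil
}

// Open is the grantee's side: recover the first key with the private key of the
// digital identity, then decrypt the claim. A wrong key fails at the OAEP layer.
func Open(info AuthorizationInfo, priv *rsa.PrivateKey) ([]byte, error) {
	aad := []byte(recordKey(info.GranteeDID, info.ClaimID))
	firstKey, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, info.KeyCipher, aad)
	if err != nil {
		return nil, err
	}
	gcm, err := newGCM(firstKey)
	if err != nil {
		return nil, err
	}
	if n := gcm.NonceSize(); len(info.ClaimCipher) >= n {
		return gcm.Open(nil, info.ClaimCipher[:n], info.ClaimCipher[n:], aad)
	}
	return nil, errors.New("ciphertext too short")
}

func main() {
	priv, _ := rsa.GenerateKey(rand.Reader, 2048)                  // the second user's identity key pair
	claim := []byte(`{"credentialSubject":{"degree":"BSc"}}`)       // constructed sample claim
	info, err := Grant(claim, "vc-001", "did:example:second", &priv.PublicKey, time.Now().Add(time.Hour))
	ledger := Ledger{recordKey(info.GranteeDID, info.ClaimID): info} // record stored by the service end
	got, err2 := ledger.Access("did:example:second", "vc-001", time.Now())
	plain, err3 := Open(got, priv)
	fmt.Println("claim recovered:", err == nil && err2 == nil && err3 == nil && string(plain) == string(claim))
}
```

Binding the (DID, claim id) pair into the associated data of both layers means a stored record cannot be handed out, or decrypted, under a different identity than the one it was granted to, even by a party holding the right private key; the expiration check is exclusive at the boundary, so an access request at exactly the expiration time is refused.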
Optionally, when the computer executable instructions stored on the storage medium are executed by the processor, before receiving the key acquisition request sent by the first user, the method further comprises:
receiving an application request of the verifiable statement sent by the first user; the application request comprises application information and storage information;
generating the first verifiable statement according to the application information;
and sending the generated first verifiable statement, according to the storage information, to the corresponding first service end so that the first service end stores the first verifiable statement.
It should be noted that, in the present specification, the embodiment concerning the storage medium and the embodiment concerning the authorization processing method based on the verifiable statement are based on the same inventive concept, so the specific implementation of this embodiment may refer to the implementation of the corresponding authorization processing method based on the verifiable statement, and repeated description is omitted.
The foregoing describes specific embodiments of the present disclosure. Other embodiments are within the scope of the following claims. In some cases, the actions or steps recited in the claims can be performed in a different order than in the embodiments and still achieve desirable results. In addition, the processes depicted in the accompanying figures do not necessarily require the particular order shown, or sequential order, to achieve desirable results. In some embodiments, multitasking and parallel processing are also possible or may be advantageous.
In the 1930s, an improvement to a technology could clearly be distinguished as an improvement in hardware (e.g., an improvement to a circuit structure such as a diode, transistor, or switch) or an improvement in software (an improvement to the method flow). However, with the development of technology, many improvements to current method flows can be regarded as direct improvements to hardware circuit structures. Designers almost always obtain the corresponding hardware circuit structure by programming the improved method flow into a hardware circuit. Therefore, it cannot be said that an improvement to a method flow cannot be realized by a hardware entity module. For example, a programmable logic device (PLD) (e.g., a field programmable gate array (FPGA)) is an integrated circuit whose logic functions are determined by the user's programming of the device. A designer programs to "integrate" a digital system onto a PLD without requiring the chip manufacturer to design and fabricate an application-specific integrated circuit chip. Moreover, nowadays, instead of manually manufacturing integrated circuit chips, such programming is mostly implemented with "logic compiler" software, which is similar to the software compiler used in program development; the source code before compilation is likewise written in a specific programming language, called a hardware description language (HDL). There is not just one HDL but many, such as ABEL (Advanced Boolean Expression Language), AHDL (Altera Hardware Description Language), Confluence, CUPL (Cornell University Programming Language), HDCal, JHDL (Java Hardware Description Language), Lava, Lola, MyHDL, PALASM, and RHDL (Ruby Hardware Description Language); VHDL (Very-High-Speed Integrated Circuit Hardware Description Language) and Verilog are currently the most commonly used.
It will also be apparent to those skilled in the art that a hardware circuit implementing the logic of a method flow can be readily obtained by merely programming the method flow into an integrated circuit using one of the hardware description languages described above.
The controller may be implemented in any suitable manner; for example, the controller may take the form of a microprocessor or processor together with a computer readable medium storing computer readable program code (e.g., software or firmware) executable by the (micro)processor, logic gates, switches, application specific integrated circuits (ASICs), programmable logic controllers, or embedded microcontrollers. Examples of controllers include, but are not limited to, the following microcontrollers: ARC 625D, Atmel AT91SAM, Microchip PIC18F26K20 and Silicon Labs C8051F320; a memory controller may also be implemented as part of the control logic of the memory. Those skilled in the art will also appreciate that, in addition to implementing the controller purely in computer readable program code, it is entirely possible to implement the same functionality by logically programming the method steps such that the controller takes the form of logic gates, switches, application specific integrated circuits, programmable logic controllers, embedded microcontrollers, and the like. Such a controller may thus be regarded as a kind of hardware component, and the means for performing the various functions included therein may also be regarded as structures within the hardware component. Indeed, the means for achieving the various functions may be regarded as either software modules implementing the method or structures within a hardware component.
The system, apparatus, module or unit set forth in the above embodiments may be implemented in particular by a computer chip or entity, or by a product having a certain function. One typical implementation is a computer. In particular, the computer may be, for example, a personal computer, a laptop computer, a cellular telephone, a camera phone, a smart phone, a personal digital assistant, a media player, a navigation device, an email device, a game console, a tablet computer, a wearable device, or a combination of any of these devices.
For convenience of description, the above devices are described as being functionally divided into various units, respectively. Of course, the functions of each unit may be implemented in the same piece or pieces of software and/or hardware when implementing the embodiments of the present specification.
One skilled in the relevant art will recognize that one or more embodiments of the present description may be provided as a method, system, or computer program product. Accordingly, one or more embodiments of the present description may take the form of an entirely hardware embodiment, an entirely software embodiment or an embodiment combining software and hardware aspects. Furthermore, the present description can take the form of a computer program product on one or more computer-usable storage media (including, but not limited to, disk storage, CD-ROM, optical storage, etc.) having computer-usable program code embodied therein.
The present description is described with reference to flowchart illustrations and/or block diagrams of methods, apparatus (systems) and computer program products according to embodiments of the specification. It will be understood that each flow and/or block of the flowchart illustrations and/or block diagrams, and combinations of flows and/or blocks in the flowchart illustrations and/or block diagrams, can be implemented by computer program instructions. These computer program instructions may be provided to a processor of a general purpose computer, special purpose computer, embedded processor, or other programmable data processing apparatus to produce a machine, such that the instructions, which execute via the processor of the computer or other programmable data processing apparatus, create means for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be stored in a computer-readable memory that can direct a computer or other programmable data processing apparatus to function in a particular manner, such that the instructions stored in the computer-readable memory produce an article of manufacture including instruction means which implement the function specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be loaded onto a computer or other programmable data processing apparatus to cause a series of operational steps to be performed on the computer or other programmable apparatus to produce a computer implemented process such that the instructions which execute on the computer or other programmable apparatus provide steps for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
In one typical configuration, a computing device includes one or more processors (CPUs), input/output interfaces, network interfaces, and memory.
The memory may include volatile memory in a computer-readable medium, random access memory (RAM) and/or nonvolatile memory, such as read only memory (ROM) or flash memory (flash RAM). Memory is an example of computer-readable media.
Computer readable media, including both persistent and non-persistent, removable and non-removable media, may implement information storage by any method or technology. The information may be computer readable instructions, data structures, program modules, or other data. Examples of computer storage media include, but are not limited to, phase change memory (PRAM), static random access memory (SRAM), dynamic random access memory (DRAM), other types of random access memory (RAM), read only memory (ROM), electrically erasable programmable read only memory (EEPROM), flash memory or other memory technology, compact disc read only memory (CD-ROM), digital versatile discs (DVD) or other optical storage, magnetic cassettes, magnetic tape, magnetic disk storage or other magnetic storage devices, or any other non-transmission medium that can be used to store information accessible by a computing device. As defined herein, computer readable media do not include transitory computer readable media (transmission media), such as modulated data signals and carrier waves.
It should also be noted that the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or apparatus. Without further limitation, an element defined by the phrase "comprising a …" does not exclude the presence of other like elements in the process, method, article or apparatus that comprises the element.
One or more embodiments of the present specification may be described in the general context of computer-executable instructions, such as program modules, being executed by a computer. Generally, program modules include routines, programs, objects, components, data structures, etc. that perform particular tasks or implement particular abstract data types. One or more embodiments of the specification may also be practiced in distributed computing environments where tasks are performed by remote processing devices that are linked through a communications network. In a distributed computing environment, program modules may be located in both local and remote computer storage media including memory storage devices.
In this specification, each embodiment is described in a progressive manner; identical and similar parts of the embodiments may be referred to one another, and each embodiment mainly describes its differences from the other embodiments. In particular, since the system embodiments are substantially similar to the method embodiments, their description is relatively simple, and reference may be made to the relevant parts of the description of the method embodiments.
The foregoing description is by way of example only and is not intended to limit the present disclosure. Various modifications and changes may occur to those skilled in the art. Any modifications, equivalent substitutions, improvements, etc. that fall within the spirit and principles of the present document are intended to be included within the scope of the claims of the present document.
Claims (25)
1. An authorization processing method based on verifiable statement is applied to a first service end and comprises the following steps:
Receiving an authorization request sent by a first user, wherein the authorization request is used for requesting a second user to grant access rights to a first verifiable statement of the first user; the authorization request includes authorization information including ciphertext of the first verifiable claim and ciphertext of a first key; the ciphertext of the first verifiable statement is obtained by encrypting the first verifiable statement according to the first key, wherein the encrypting the first verifiable statement comprises envelope encrypting; the ciphertext of the first key is obtained by encrypting the first key according to a public key corresponding to the first digital identity of the second user;
Generating authorization record information according to the authorization information;
storing the authorization record information into a first blockchain, and sending authorization success information to the first user; the authorization record information in the first blockchain is used to verify the access rights.
2. The method of claim 1, wherein the second user corresponds to the same first service as the first user; the authorization record information further includes: first digital identity information and first identification information of the first verifiable claim;
after sending the authorization success information to the first user, the method further comprises:
Receiving a first access request of a verifiable statement sent by the second user; wherein the first access request includes the first digital identity information and the first identification information;
inquiring the associated authorization record information from the first blockchain according to the first digital identity information and the first identification information;
and sending the queried ciphertext of the first verifiable statement and the ciphertext of the first key in the authorization record information to the second user, so that the second user decrypts the ciphertext of the first key according to the private key corresponding to the first digital identity information to obtain the first key, and decrypts the ciphertext of the first verifiable statement according to the first key to obtain the first verifiable statement.
3. The method of claim 2, the first access request further comprising: first signature data obtained by carrying out signature processing on the appointed data according to a private key corresponding to the first digital identity information;
said querying the associated authorization record information from the first blockchain based on the first digital identity information and the first identification information includes:
Acquiring a public key corresponding to the first digital identity information;
And verifying the first signature data by adopting the obtained public key, and if the verification is passed, inquiring the associated authorization record information from the first blockchain according to the first digital identity information and the first identification information.
4. The method of claim 2, further comprising, after receiving the first access request of the verifiable claim sent by the second user:
Recording the receiving time of the first access request;
after sending the first verifiable statement in the queried authorization record information to the second user, the method further comprises:
Generating access record information of the first verifiable statement according to the first identification information, the first digital identity information and the receiving time;
And storing the access record information into the first blockchain.
5. The method of claim 1, the second user corresponding to a different first server than the first user; the authorization record information further includes: first digital identity information and first identification information of the first verifiable claim;
after the authorization record information is saved in the first blockchain, the method further includes:
Receiving an acquisition request of the authorization information sent by a second server; wherein the acquisition request includes the first digital identity information and the first identification information;
If the associated authorization record information is queried from the first blockchain according to the first digital identity information and the first identification information, transmitting the authorization information in the authorization record information to the second server; and the second server side stores the authorization information in a second blockchain, and when a third access request of the verifiable statement sent by the second user is received, the first verifiable statement in the authorization information stored in the second blockchain is sent to the second user.
6. The method of claim 1, the authorization record information further comprising first identification information of the first verifiable claim, the method further comprising:
Receiving a processing request of a verifiable statement sent by the first user; wherein the processing request is used for requesting any one of revocation processing, freezing processing and unfreezing processing of the first verifiable statement; the processing request comprises the first identification information;
if the first verifiable statement meets the preset processing condition, changing the state information of the first verifiable statement according to the processing request;
generating change record information according to the first identification information and the changed state information;
and saving the change record information to a first blockchain.
7. The method of claim 6, the processing request further comprising: processing type information;
the determining that the first verifiable statement meets preset processing conditions comprises the following steps:
acquiring state information of the current state of the first verifiable statement, and if the acquired state information matches the state information associated with the preset processing type information, determining that the first verifiable statement meets the preset processing condition; or
acquiring state information of the current state of the first verifiable statement and the processing frequency of the first user on the first verifiable statement within a preset duration, and if the acquired state information matches the state information associated with the preset processing type information and the processing frequency is smaller than the preset frequency, determining that the first verifiable statement meets the preset processing condition.
8. The method according to any one of claims 1-7, further comprising, prior to receiving the authorization request sent by the first user:
Receiving the first verifiable statement sent by the second server; the first verifiable statement is generated by the second server based on an application request of the verifiable statement sent by the first user;
The first verifiable statement is saved.
9. The method of claim 8, after said saving said first verifiable claim, further comprising:
Receiving a second access request of the verifiable statement sent by the first user, wherein the second access request comprises first identification information of the first verifiable statement;
acquiring the first verifiable statement corresponding to the stored first identification information;
and sending the acquired first verifiable statement to the first user.
10. An authorization processing method based on verifiable statement is applied to a second server and comprises the following steps:
Receiving a key acquisition request sent by a first user, wherein the key acquisition request comprises first digital identity information of a second user;
Obtaining a public key corresponding to the first digital identity information from a second blockchain;
The obtained public key is sent to the first user, so that the first user encrypts a first key based on the public key to obtain a ciphertext of the first key, and encrypts a first verifiable statement of the first user according to the first key to obtain a ciphertext of the first verifiable statement, wherein the encryption of the first verifiable statement comprises envelope encryption, authorization is carried out according to the ciphertext of the first key and the ciphertext of the first verifiable statement, and authorization record information is stored in a first blockchain to grant the second user access right to the first verifiable statement; the authorization record information in the first blockchain is used to verify the access rights.
11. The method of claim 10, wherein the obtaining the public key corresponding to the first digital identity information from the second blockchain includes:
querying the associated first document from the second blockchain according to the first digital identity information;
and acquiring a public key corresponding to the first digital identity information from the queried first document.
12. The method of claim 10, wherein the first user and the second user correspond to the same first service end; the first server is used for storing and managing verifiable statement;
after the obtained public key is sent to the first user, the method further comprises:
Receiving an address query request sent by the second user; wherein the address query request includes first digital identity information of the second user;
querying the second blockchain for an associated first document according to the first digital identity information;
acquiring an access address of the first service end from the first document;
And sending the acquired access address to the second user, so that the second user sends a first access request of the verifiable statement to the first service end according to the access address to request to access the first verifiable statement.
13. The method of claim 10, the first user and the second user corresponding to different first servers; the first server is used for storing and managing verifiable statement;
after the obtained public key is sent to the first user, the method further comprises:
Acquiring authorization information of the access right from the first server corresponding to the first user; the first user sends the authorization information to the first service end, so that the first service end stores authorization record information into a first blockchain according to the authorization information; the authorization information is generated based on the public key and the first verifiable claim;
saving the authorization information to the second blockchain; and
And when a third access request of the verifiable statement sent by the second user is received, the first verifiable statement in the authorization information is sent to the second user.
14. The method of claim 13, wherein the obtaining, from the first server corresponding to the first user, the authorization information of the access right includes:
if a data migration request sent by the first user is received, sending an acquisition request of the authorization information to a first server corresponding to the first user according to the first digital identity information and the first identification information of the first verifiable statement included in the data migration request; the first server side obtains associated authorization record information from the first blockchain according to the first digital identity information and the first identification information, and returns authorization information in the authorization record information;
And receiving the authorization information sent by the first server.
15. The method of claim 13, the authorization information comprising: a ciphertext of the first verifiable claim and a ciphertext of the first key;
said sending said first verifiable claim in said authorization information to said second user comprises:
and sending the ciphertext of the first verifiable statement and the ciphertext of the first key to the second user, so that the second user can decrypt the ciphertext of the first key according to the private key corresponding to the first digital identity information to obtain the first key, and can decrypt the ciphertext of the first verifiable statement according to the first key to obtain the first verifiable statement.
16. The method of claim 13, wherein the authorization information further comprises an expiration time of the access right;
saving the authorization information into the second blockchain comprises:
generating a second verifiable statement according to the authorization information;
storing the second verifiable claim in association with second identification information of the second verifiable claim into the second blockchain; and
sending the second identification information to the second user so that the second user sends the third access request according to the second identification information; and
sending the first verifiable claim in the authorization information to the second user comprises:
acquiring the second verifiable statement stored in association with the second identification information from the second blockchain according to the second identification information in the third access request;
obtaining the authorization information from the second verifiable claim; and
if it is determined that the current time does not exceed the expiration time in the authorization information, sending the first verifiable statement in the authorization information to the second user.
17. The method of claim 13, wherein the authorization information further comprises an expiration time of the access right;
saving the authorization information into the second blockchain comprises:
generating a third verifiable statement according to the first digital identity information, wherein the third verifiable claim is used to prove that the second user has access right to the first verifiable claim in the authorization information;
storing the authorization information, the third verifiable claim and third identification information of the third verifiable claim in association into the second blockchain; and
sending the third identification information to the second user so that the second user sends the third access request according to the third identification information; and
sending the first verifiable claim in the authorization information to the second user comprises:
acquiring the authorization information and the third verifiable statement, which are stored in association, from the second blockchain according to the third identification information in the third access request; and
if the first digital identity information in the third access request matches the first digital identity information in the third verifiable statement and the current time does not exceed the expiration time in the authorization information, sending the first verifiable statement in the authorization information to the second user.
18. The method according to any one of claims 10 to 17, further comprising, before receiving the key acquisition request sent by the first user:
receiving an application request for the verifiable statement sent by the first user, the application request comprising application information and storage information;
generating the first verifiable statement according to the application information; and
according to the storage information, sending the generated first verifiable statement to the corresponding first server so that the first server stores the first verifiable statement.
19. An authorization processing device based on a verifiable statement, applied to a first server, comprising:
a receiving module, which receives an authorization request sent by a first user, wherein the authorization request is used for requesting that a second user be granted access right to a first verifiable statement of the first user; the authorization request comprises authorization information including a ciphertext of the first verifiable claim and a ciphertext of a first key; the ciphertext of the first verifiable statement is obtained by encrypting the first verifiable statement with the first key, the encryption of the first verifiable statement comprising envelope encryption; and the ciphertext of the first key is obtained by encrypting the first key with a public key corresponding to the first digital identity of the second user;
a generation module, which generates authorization record information according to the authorization information; and
a sending module, which stores the authorization record information into a first blockchain and sends authorization success information to the first user, wherein the authorization record information in the first blockchain is used to verify the access right.
20. An authorization processing device based on a verifiable statement, applied to a second server, comprising:
a receiving module, which receives a key acquisition request sent by a first user, wherein the key acquisition request comprises first digital identity information of a second user;
a first acquisition module, which acquires a public key corresponding to the first digital identity information from a second blockchain; and
a sending module, which sends the acquired public key to the first user, so that the first user encrypts a first key with the public key to obtain a ciphertext of the first key and encrypts a first verifiable statement of the first user with the first key to obtain a ciphertext of the first verifiable statement, the encryption of the first verifiable statement comprising envelope encryption, and then performs authorization processing according to the ciphertext of the first key and the ciphertext of the first verifiable statement so that authorization record information is stored in a first blockchain to grant the second user access right to the first verifiable statement of the first user; the authorization record information in the first blockchain is used to verify the access right.
21. An authorization processing system based on verifiable claims, comprising a first client of a first user, and a first server and a second server corresponding to the first client, wherein:
the first client, in response to an authorization operation by which the first user grants a second user access right to a first verifiable statement of the first user, sends a key acquisition request to the second server according to first digital identity information of the second user; receives a public key corresponding to the first digital identity information sent by the second server; encrypts a specified first key with the public key to obtain a ciphertext of the first key; encrypts the first verifiable statement with the first key to obtain a ciphertext of the first verifiable statement, the encryption of the first verifiable statement comprising envelope encryption; generates authorization information according to the ciphertext of the first key and the ciphertext of the first verifiable statement; and sends an authorization request to the first server according to the authorization information;
the first server receives the authorization request, generates authorization record information according to the authorization information, stores the authorization record information into a first blockchain, and sends authorization success information to the first client; and
the second server receives the key acquisition request, acquires the public key corresponding to the first digital identity information from a second blockchain, and sends the acquired public key to the first client.
22. An authorization processing device based on a verifiable claim, comprising:
a processor; and
a memory arranged to store computer-executable instructions that, when executed, cause the processor to:
receive an authorization request sent by a first user, wherein the authorization request is used for requesting that a second user be granted access right to a first verifiable statement of the first user; the authorization request comprises authorization information including a ciphertext of the first verifiable claim and a ciphertext of a first key; the ciphertext of the first verifiable statement is obtained by encrypting the first verifiable statement with the first key, the encryption of the first verifiable statement comprising envelope encryption; and the ciphertext of the first key is obtained by encrypting the first key with a public key corresponding to the first digital identity of the second user;
generate authorization record information according to the authorization information; and
store the authorization record information into a first blockchain and send authorization success information to the first user.
23. An authorization processing device based on a verifiable claim, comprising:
a processor; and
a memory arranged to store computer-executable instructions that, when executed, cause the processor to:
receive a key acquisition request sent by a first user, wherein the key acquisition request comprises first digital identity information of a second user;
acquire a public key corresponding to the first digital identity information from a second blockchain; and
send the acquired public key to the first user, so that the first user encrypts a first key with the public key to obtain a ciphertext of the first key and encrypts a first verifiable statement of the first user with the first key to obtain a ciphertext of the first verifiable statement, the encryption of the first verifiable statement comprising envelope encryption, and then performs authorization processing according to the ciphertext of the first key and the ciphertext of the first verifiable statement so that authorization record information is stored in a first blockchain to grant the second user access right to the first verifiable statement of the first user; the authorization record information in the first blockchain is used to verify the access right.
24. A storage medium storing computer-executable instructions that, when executed, implement the following:
receiving an authorization request sent by a first user, wherein the authorization request is used for requesting that a second user be granted access right to a first verifiable statement of the first user; the authorization request comprises authorization information including a ciphertext of the first verifiable claim and a ciphertext of a first key; the ciphertext of the first verifiable statement is obtained by encrypting the first verifiable statement with the first key, the encryption of the first verifiable statement comprising envelope encryption; and the ciphertext of the first key is obtained by encrypting the first key with a public key corresponding to the first digital identity of the second user;
generating authorization record information according to the authorization information; and
storing the authorization record information into a first blockchain and sending authorization success information to the first user.
25. A storage medium storing computer-executable instructions that, when executed, implement the following:
receiving a key acquisition request sent by a first user, wherein the key acquisition request comprises first digital identity information of a second user;
acquiring a public key corresponding to the first digital identity information from a second blockchain; and
sending the acquired public key to the first user, so that the first user encrypts a first key with the public key to obtain a ciphertext of the first key and encrypts a first verifiable statement of the first user with the first key to obtain a ciphertext of the first verifiable statement, the encryption of the first verifiable statement comprising envelope encryption, and then performs authorization processing according to the ciphertext of the first key and the ciphertext of the first verifiable statement so that authorization record information is stored in a first blockchain to grant the second user access right to the first verifiable statement of the first user; the authorization record information in the first blockchain is used to verify the access right.
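The envelope-encryption flow that claims 15, 17 and 21 describe, as an added worked example that is not the patent's own code: the grantor wraps a fresh first key under the public key resolved for the grantee's digital identity and encrypts the verifiable statement under that key; the second server releases the two ciphertexts only when the requesting digital identity matches the record and the expiration time has not passed; the grantee unwraps the key and decrypts. The AuthorizationInfo shape, the NewDIDKey helper, and the choice of AES-256-GCM and RSA-OAEP are assumptions, since the claims fix no particular primitives.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"time"
)

// AuthorizationInfo is a constructed shape for the claims' "authorization information".
type AuthorizationInfo struct {
	GranteeDID    string    // first digital identity information of the second user
	Nonce         []byte    // AES-GCM nonce for the VC ciphertext
	VCCiphertext  []byte    // ciphertext of the first verifiable statement (AES-256-GCM)
	KeyCiphertext []byte    // ciphertext of the first key (RSA-OAEP under the grantee's public key)
	Deadline      time.Time // expiration time of the access right (claims 16, 17)
}

// NewDIDKey is a hypothetical stand-in for the key pair behind a digital identity.
func NewDIDKey() (*rsa.PrivateKey, error) { return rsa.GenerateKey(rand.Reader, 2048) }

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Grant is the first client's step of claim 21: pick a fresh first key, encrypt the VC
// under it (envelope encryption) and wrap the key under the public key of the grantee's DID.
func Grant(vc []byte, granteeDID string, pub *rsa.PublicKey, deadline time.Time) (*AuthorizationInfo, error) {
	rnd := make([]byte, 32+12) // 256-bit first key followed by a 96-bit GCM nonce
	if _, err := rand.Read(rnd); err != nil {
		return nil, err
	}
	firstKey, nonce := rnd[:32], rnd[32:]
	gcm, err := newGCM(firstKey)
	if err != nil {
		return nil, err
	}
	// The grantee DID is authenticated data, so the record cannot be re-pointed at another DID.
	vcCT := gcm.Seal(nil, nonce, vc, []byte(granteeDID))
	keyCT, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, firstKey, nil)
	if err != nil {
		return nil, err
	}
	return &AuthorizationInfo{granteeDID, nonce, vcCT, keyCT, deadline}, nil
}

// Release is the second server's gate of claim 17: the DID must match and the deadline must hold.
func Release(info *AuthorizationInfo, requesterDID string, now time.Time) ([]byte, []byte, error) {
	if requesterDID != info.GranteeDID {
		return nil, nil, errors.New("digital identity does not match the authorization record")
	}
	if now.After(info.Deadline) {
		return nil, nil, errors.New("access right has expired")
	}
	return info.VCCiphertext, info.KeyCiphertext, nil
}

// Open is the second user's side of claim 15: unwrap the first key, then decrypt the VC.
func Open(info *AuthorizationInfo, priv *rsa.PrivateKey) ([]byte, error) {
	firstKey, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, info.KeyCiphertext, nil)
	if err != nil {
		return nil, err
	}
	gcm, err := newGCM(firstKey)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, info.Nonce, info.VCCiphertext, []byte(info.GranteeDID))
}
```

Because the first key is wrapped only for the grantee's key pair, the first blockchain can hold the authorization record in the clear without exposing the verifiable statement to other readers.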
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202111247089.8A CN113973016B (en) | 2020-04-17 | 2020-04-17 | Authorization processing method, device, equipment and system based on verifiable statement |
Applications Claiming Priority (2)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202111247089.8A CN113973016B (en) | 2020-04-17 | 2020-04-17 | Authorization processing method, device, equipment and system based on verifiable statement |
CN202010305730.8A CN111431936B (en) | 2020-04-17 | 2020-04-17 | Authorization processing method, device, equipment, system and storage medium based on verifiable statement |
Related Parent Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN202010305730.8A Division CN111431936B (en) | 2020-04-17 | 2020-04-17 | Authorization processing method, device, equipment, system and storage medium based on verifiable statement |
Publications (2)
Publication Number | Publication Date |
---|---|
CN113973016A CN113973016A (en) | 2022-01-25 |
CN113973016B true CN113973016B (en) | 2024-07-16 |
Family
ID=71554261
Family Applications (2)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN202010305730.8A Active CN111431936B (en) | 2020-04-17 | 2020-04-17 | Authorization processing method, device, equipment, system and storage medium based on verifiable statement |
CN202111247089.8A Active CN113973016B (en) | 2020-04-17 | 2020-04-17 | Authorization processing method, device, equipment and system based on verifiable statement |
Country Status (2)
Country | Link |
---|---|
CN (2) | CN111431936B (en) |
WO (1) | WO2021209041A1 (en) |
2020
- 2020-04-17 CN CN202010305730.8A patent/CN111431936B/en active Active
- 2020-04-17 CN CN202111247089.8A patent/CN113973016B/en active Active
2021
- 2021-04-16 WO PCT/CN2021/087789 patent/WO2021209041A1/en active Application Filing
Also Published As
Publication number | Publication date |
---|---|
WO2021209041A1 (en) | 2021-10-21 |
CN111431936A (en) | 2020-07-17 |
CN111431936B (en) | 2021-09-21 |
CN113973016A (en) | 2022-01-25 |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
| | PB01 | Publication | |
| | SE01 | Entry into force of request for substantive examination | |
| | GR01 | Patent grant | |
| | TR01 | Transfer of patent right | Effective date of registration: 20240920; Address after: Room 803, floor 8, No. 618 Wai Road, Huangpu District, Shanghai 200010; Patentee after: Ant blockchain Technology (Shanghai) Co.,Ltd.; Country or region after: China; Address before: 310000 801-11 section B, 8th floor, 556 Xixi Road, Xihu District, Hangzhou City, Zhejiang Province; Patentee before: Alipay (Hangzhou) Information Technology Co.,Ltd.; Country or region before: China |