CN114928447B - Data management method and system based on distributed identity - Google Patents
Data management method and system based on distributed identity Download PDFInfo
- Publication number
- CN114928447B CN114928447B CN202210125719.2A CN202210125719A CN114928447B CN 114928447 B CN114928447 B CN 114928447B CN 202210125719 A CN202210125719 A CN 202210125719A CN 114928447 B CN114928447 B CN 114928447B
- Authority
- CN
- China
- Prior art keywords
- data
- verification
- information
- party
- scene
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Active
Links
- 238000000034 method Methods 0.000 title claims abstract description 46
- 238000013523 data management Methods 0.000 title claims abstract description 33
- 238000012795 verification Methods 0.000 claims abstract description 371
- 239000000758 substrate Substances 0.000 claims 2
- 230000004044 response Effects 0.000 description 16
- 238000010586 diagram Methods 0.000 description 13
- 238000007689 inspection Methods 0.000 description 6
- 238000012800 visualization Methods 0.000 description 4
- 238000000586 desensitisation Methods 0.000 description 2
- 230000006870 function Effects 0.000 description 2
- 230000008569 process Effects 0.000 description 2
- 230000009286 beneficial effect Effects 0.000 description 1
- 238000013524 data verification Methods 0.000 description 1
- 238000012986 modification Methods 0.000 description 1
- 230000004048 modification Effects 0.000 description 1
- 230000003287 optical effect Effects 0.000 description 1
- 230000001960 triggered effect Effects 0.000 description 1
Classifications
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/08—Network architectures or network communication protocols for network security for authentication of entities
- H04L63/0876—Network architectures or network communication protocols for network security for authentication of entities based on the identity of the terminal or configuration, e.g. MAC address, hardware or software configuration or device fingerprint
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/12—Applying verification of the received information
- H04L63/126—Applying verification of the received information the source of the received data
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/32—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
- H04L9/3226—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials using a predetermined code, e.g. password, passphrase or PIN
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/32—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
- H04L9/3236—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials using cryptographic hash functions
Landscapes
- Engineering & Computer Science (AREA)
- Computer Security & Cryptography (AREA)
- Computer Networks & Wireless Communication (AREA)
- Signal Processing (AREA)
- Computer Hardware Design (AREA)
- Computing Systems (AREA)
- General Engineering & Computer Science (AREA)
- Power Engineering (AREA)
- Storage Device Security (AREA)
- Management, Administration, Business Operations System, And Electronic Commerce (AREA)
Abstract
The application discloses a data management method and system based on distributed identity, and belongs to the technical field of blockchain. The method comprises the following steps: the user side sends the data to be managed to the data side in the block chain; the data side generates a trusted certificate and verification information according to the data, the trusted certificate and the verification information are sent to the user side, and the verification information is used for online verification or offline verification; the user side receives the trusted certificate and the verification information; the scene sends a verification request to a user side; the user side generates data information according to the data and the verification request, and sends the data information, the trusted voucher and the verification information to the scene side; the scene side selects a corresponding verification mode according to the verification information, and the data information, the trusted voucher and the verification information are verified by adopting the verification mode. The application can perform offline verification when the verification capability of the scene party is enough and the requirement of service compliance is not high; on-line verification is performed when the verification capability of the scene party is insufficient or the requirement of service compliance is high.
Description
Technical Field
The embodiment of the application relates to the technical field of blockchain, in particular to a data management method and system based on distributed identity.
Background
The user terminal can send the self identity data to the data party on the blockchain, the data party can return a certificate to the user terminal, and then, when the scene party needs to verify the identity data of the user terminal, the certificate can be obtained from the user terminal, and the offline verification is carried out according to the certificate.
The accuracy of the off-line verification depends on the party of the scene, and the off-line verification cannot meet the verification requirement when the verification capability of the party of the scene is insufficient or when the requirement of the verification on the business compliance is high.
Disclosure of Invention
The embodiment of the application provides a data management method and a data management system based on distributed identities, which are used for solving the problem that offline verification cannot meet the verification requirement when the verification capability of a scene party is insufficient or the requirement of verification on service compliance is high. The technical scheme is as follows:
in one aspect, a method for data management based on distributed identities is provided, the method comprising:
the user side sends the data to be managed to the data side in the block chain;
the data party generates a trusted certificate and verification information according to the data, the trusted certificate and the verification information are sent to the user party, the trusted certificate contains a user identifier, and the verification information is used for online verification or offline verification;
The user side receives the trusted certificate and the verification information;
the scene sends a verification request to the user side;
the user side generates data information according to the data and the verification request, and sends the data information, the trusted voucher and the verification information to the scene side;
And the scene party selects a corresponding verification mode according to the verification information, and adopts the verification mode to verify the data information, the trusted certificate and the verification information, wherein the verification mode is online verification or offline verification.
In a possible implementation manner, when the verification information is used for online verification, the verification information contains a verification identifier distributed by the data party;
when the verification information is used for offline verification, the verification information comprises a root hash value generated according to the data.
In one possible implementation manner, when the verification information is used for online verification, the verifying the data information, the trusted credential and the verification information by using the verification manner includes:
the scene sends a verification request to the data party, wherein the verification request comprises the data information, the trusted certificate and the verification information;
And the data party verifies the verification identification in the verification information, acquires the data stored in the chain according to the user identification in the trusted certificate after the verification is passed, verifies the data information according to the data, and returns a verification result to the scene party.
In one possible implementation, after the data party generates the trusted credential and the verification information from the data, the method further includes: the data party generates a corresponding relation between a user identifier in the trusted voucher and a verification identifier in the verification information;
The data party verifies the verification identification in the verification information, and the method comprises the following steps: the data party reads the verification identification in the verification information and the user identification in the trusted certificate, detects whether the corresponding relation between the verification identification and the user identification exists, and if the corresponding relation exists, determines that the verification is passed.
In one possible implementation manner, when the data includes a plurality of fields arranged in a predetermined order, the verifying the data information according to the data includes:
when the data information contains the plaintext of a part of fields and the field hash value of a part of fields, the data party replaces the plaintext of each field with the corresponding field hash value;
The data party carries out hash operation on field hash values of all fields to obtain a first hash value;
the data party acquires a root hash value generated according to the data from a chain;
The data party verifies whether the root hash value and the first hash value are identical.
In one possible implementation, the method further includes:
After the data party acquires the data, replacing the plaintext of each field in the data with a field hash value of the corresponding field;
And the data party carries out hash operation on the field hash values of all the fields, and stores the obtained root hash value in a uplink manner.
In one possible implementation manner, when the verification information is used for offline verification, the verifying the data information, the trusted credential and the verification information by using the verification manner includes:
when the data information contains the plaintext of a part of fields and the field hash value of a part of fields, the scene party replaces the plaintext of each field with the corresponding field hash value;
The scene party carries out hash operation on the field hash values of all the fields to obtain a second hash value;
the scene party obtains a key according to the trusted certificate, and decrypts the root hash value in the verification information according to the key;
the scene party verifies whether the root hash value is the same as the second hash value.
In one possible implementation manner, when the data includes a plurality of fields arranged in a predetermined order, the user side generates data information according to the data and the authentication request, including:
the user side obtains plaintext of a part of fields and field hash values of the part of fields from the data according to the content requested by the verification request;
And the user side arranges the plaintext and the field hash value according to the preset sequence to obtain the data information.
In one possible implementation, before the data party generates the trusted credential and the verification information from the data, the method further includes:
The data party checks the source and the use range of the data;
after determining that the source and the usage range are correct, the data party verifies the data according to preset verification logic;
After the verification is passed, the data side triggers the execution of the step of generating the trusted credential and the verification information from the data.
In one aspect, a data management system based on distributed identities is provided, the data management system comprising a user side, a data side and a scene side;
The user side is used for sending the data to be managed to the data side in the blockchain;
The data party is used for generating a trusted certificate and verification information according to the data, and sending the trusted certificate and the verification information to the user party, wherein the trusted certificate contains a user identifier, and the verification information is used for performing online verification or offline verification;
The user side is further used for receiving the trusted certificate and the verification information;
the scene party is used for sending a verification request to the user party;
The user side is further used for generating data information according to the data and the verification request, and sending the data information, the trusted certificate and the verification information to the scene side;
The scene party is also used for selecting a corresponding verification mode according to the information in the verification information, and verifying the data information, the trusted certificate and the verification information by adopting the verification mode, wherein the verification mode is online verification or offline verification.
The technical scheme provided by the embodiment of the application has the beneficial effects that at least:
The verification information fed back by the data to the user side can be used for online verification or offline verification, and after the scene side acquires the verification information of the user side, the scene side can select a corresponding online or offline verification mode according to the verification information, and the data information, the trusted certificate and the verification information are verified in the verification mode. Therefore, the off-line verification can be performed when the verification capability of the scene party is enough and the requirement of the service compliance is not high, so that the verification flow is simplified; and performing online verification when the verification capability of the scene party is insufficient or the requirement of service compliance is high, so as to improve the verification accuracy.
Drawings
In order to more clearly illustrate the technical solutions of the embodiments of the present application, the drawings required for the description of the embodiments will be briefly described below, and it is apparent that the drawings in the following description are only some embodiments of the present application, and other drawings may be obtained according to these drawings without inventive effort for a person skilled in the art.
FIG. 1 is a method flow diagram of a distributed identity-based data management method provided by one embodiment of the present application;
FIG. 2 is a method flow diagram of a distributed identity based data management method provided by one embodiment of the present application;
FIG. 3 is a schematic diagram of an application certificate provided in one embodiment of the present application;
FIG. 4 is a schematic diagram of data information provided by one embodiment of the present application;
FIG. 5 is a schematic diagram of a return credential provided by one embodiment of the present application;
FIG. 6 is a schematic diagram of secure storage provided by one embodiment of the present application;
FIG. 7 is a schematic diagram of request data provided by one embodiment of the present application;
FIG. 8 is a schematic diagram of return data provided by one embodiment of the present application;
FIG. 9 is a schematic diagram of online verification provided by one embodiment of the application;
FIG. 10 is a schematic diagram of offline verification provided by one embodiment of the application;
FIG. 11 is a schematic diagram of a data management flow provided by an embodiment of the present application;
FIG. 12 is a block diagram of a distributed identity based data management system according to one embodiment of the present application.
Detailed Description
For the purpose of making the objects, technical solutions and advantages of the embodiments of the present application more apparent, the following detailed description of the embodiments of the present application will be given with reference to the accompanying drawings.
Referring to fig. 1, a method flowchart of a data management method based on distributed identities according to an embodiment of the present application is shown, where the data management method based on distributed identities may be applied to a terminal. The data management method based on the distributed identity can comprise the following steps:
in step 101, the user side sends data to be managed to the data side in the blockchain.
And the user side assembles the data to be managed. The data to be managed comprises sensitive data of the user and other data, wherein the sensitive data can be identity information of the user, such as name, age, address, contact information, identity card number and the like; the other data may be service data or extension data, which is not limited in this embodiment.
After the assembled data is obtained, the user side can send a credential application request carrying the data to the data side through a trusted network channel. The trusted network channel is a channel for encrypting and transmitting data based on an end-to-end key, namely, a user side can encrypt a credential application request by using the end-to-end key, and then the ciphertext is sent to the data side through the trusted network channel.
The user side may directly send the credential application request to the data side, or may call the data side security control to send the credential application request to the data side, which is not limited in this embodiment.
It should be noted that, in this embodiment, it is assumed that a service-related credential template and definition have been predefined according to the service requirement of the data credential, so that collaboration and interconnection of trusted data ecological scenarios can be implemented.
Step 102, the data party generates a trusted certificate and verification information according to the data, and sends the trusted certificate and the verification information to the user party, wherein the trusted certificate contains a user identifier, and the verification information is used for performing online verification or offline verification.
The data party can receive the ciphertext through the trusted network channel and decrypt the ciphertext by utilizing the end-to-end key to obtain a credential application request; or the data party can call the data party security control to receive the ciphertext, and decrypt the ciphertext by using the end-to-end key to obtain the credential application request. The data party may check and verify the data as described in the embodiments below.
The data party generates a trusted credential and authentication information based on the data. The trusted voucher can comprise a user identifier and user data, and also can comprise customized service data, wherein the user identifier is a character string which can uniquely identify a user, and the user data can comprise data which is convenient for visualization, such as a user name, a head portrait and the like, and can also comprise sensitive data. The user data may be extracted by the data party from the received data.
Since the two verification modes of online verification and offline verification are provided in this embodiment, the data party can generate different verification information according to different verification modes, and the specific generation mode is described in the embodiment below.
The data party can send the trusted certificate and the verification information to the user party as response data; or the data party can also acquire personalized customization data of scene requirements, and the trusted certificate, the verification information and the personalized customization data are used as response data to be sent to the user party.
When sending the response data, the data party can directly send the response data to the user party through the trusted network channel, or can call the data party security control, and send the response data to the user party through the trusted network channel, and the embodiment is not limited.
The data party can also call a public information storage service to store some public information of the data party, such as documents, credential template definition specification data, metadata, services and the like.
Step 103, the user side receives the trusted credential and the verification information.
The user side may directly receive the response data sent by the data side through the trusted network channel, or may call the data side security control, and receive the response data sent by the data side through the trusted network channel, which is not limited in this embodiment.
The user may extract the trusted credential and authentication information from the received response data packet. When the trusted voucher information comprises the user identification, the user data and the customized service data, the user side can store the user identification and the data which are convenient for visualization in the trusted voucher locally, the sensitive data are processed by adopting the desensitization logic and then stored in the local or cloud, and the customized service data are selectively stored in the local or cloud.
The user side can also call the public information storage service to store some public information of the user side, such as documents, credential template definition specification data, metadata, services and the like.
Step 104, the scene sends a verification request to the user side.
Under a certain application scene, when the identity of a user needs to be verified, the scene party can construct a verification request according to the content needing to be verified and a preset template, and the verification request is sent to the user party through a trusted network channel.
And 105, the user side generates data information according to the data and the verification request and sends the data information, the trusted voucher and the verification information to the scene side.
The user side can receive the verification request through the trusted network channel, call the public information service to verify the identity and the effectiveness of the scene side, call the public information service to acquire the stored trusted certificates and verification information after the verification is passed, generate data information according to the content requested by the verification request, use a preset template to construct return data, and send the return data containing the data information, the trusted certificates and the verification information to the scene side through the trusted network channel.
And 106, selecting a corresponding verification mode by the scene side according to the verification information, and verifying the data information, the trusted voucher and the verification information by adopting the verification mode, wherein the verification mode is online verification or offline verification.
The scene party can receive the data information, the trusted voucher and the verification information through the trusted network channel, determines whether to perform online verification or offline verification according to the content of the verification information, and verifies the data information, the trusted voucher and the verification information in a corresponding verification mode, and the specific verification flow is described in the embodiment below.
In summary, according to the data management method based on the distributed identity provided by the embodiment of the application, the verification information fed back by the data to the user side can be used for online verification or offline verification, and after the scene side obtains the verification information of the user side, the scene side can select a corresponding online or offline verification mode according to the verification information, and the verification mode is adopted to verify the data information, the trusted certificate and the verification information. Therefore, the off-line verification can be performed when the verification capability of the scene party is enough and the requirement of the service compliance is not high, so that the verification flow is simplified; and performing online verification when the verification capability of the scene party is insufficient or the requirement of service compliance is high, so as to improve the verification accuracy.
Referring to fig. 2, a flowchart of a method for managing data based on distributed identities according to an embodiment of the present application is shown, where the method for managing data based on distributed identities may be applied to a terminal. The data management method based on the distributed identity can comprise the following steps:
In step 201, the user side sends data to be managed to the data side in the blockchain.
And the user side assembles the data to be managed. The data to be managed comprises sensitive data of the user and other data, wherein the sensitive data can be identity information of the user, such as name, age, address, contact information, identity card number and the like; the other data may be service data or extension data, which is not limited in this embodiment.
After the assembled data is obtained, the user side can send a credential application request carrying the data to the data side through a trusted network channel, as shown in fig. 3. The trusted network channel is a channel for encrypting and transmitting data based on an end-to-end key, namely, a user side can encrypt a credential application request by using the end-to-end key, and then the ciphertext is sent to the data side through the trusted network channel.
The user side may directly send the credential application request to the data side, or may call the data side security control to send the credential application request to the data side, which is not limited in this embodiment.
Step 202, the data party checks the source and the usage range of the data, and verifies the data according to the preset verification logic after determining that the source and the usage range are correct.
The data party can receive the ciphertext through the trusted network channel and decrypt the ciphertext by utilizing the end-to-end key to obtain a credential application request; or the data party can call the data party security control to receive the ciphertext, and decrypt the ciphertext by using the end-to-end key to obtain the credential application request.
In this embodiment, the data side also needs to check the source and usage range of the data. The source of the inspection data, that is, information such as identity of the inspection user, and the application range of the inspection data may be to inspect specific data, for example, to inspect authenticity of the inspection data.
In implementation, an inspection rule may be preset in the data party, and the data party may inspect the data according to the inspection rule. After determining the source and scope of use of the data, the data party may also verify the data according to verification logic. Specifically, the data party may verify the data according to the verification logic, or may invoke a third party data verification service, which verifies the data according to the verification logic.
Step 203, after the verification is passed, the data side generates a trusted credential and verification information according to the data, and sends the trusted credential and the verification information to the user side, wherein the trusted credential contains a user identifier, and the verification information is used for performing online verification or offline verification.
The data party generates a trusted credential and authentication information based on the data. The trusted voucher can comprise a user identifier and user data, and also can comprise customized service data, wherein the user identifier is a character string which can uniquely identify a user, and the user data can comprise data which is convenient for visualization, such as a user name, a head portrait and the like, and can also comprise sensitive data. The user data may be extracted by the data party from the received data.
Since the two verification modes of online verification and offline verification are provided in the embodiment, the data party can generate different verification information according to different verification modes. Specifically, when the verification information is used for online verification, the verification information contains verification identifications distributed by the data party, and at the moment, the data party also needs to generate a corresponding relationship between the user identifications in the trusted certificates and the verification identifications in the verification information; when the authentication information is used for offline authentication, the authentication information includes a root hash value generated from the data. The flow of generating the root hash value on the data side is described below.
Specifically, after the data party obtains the data, the plaintext of each field in the data can be replaced by the field hash value of the corresponding field; the data side carries out hash operation on the field hash values of all the fields, and the obtained root hash value is stored in a chain.
For example, referring to fig. 4, the data includes five fields of name, gender, birth year, hobbies and adult proof, and the data can calculate the field hash value hash1 of the plaintext of the name; calculating a field hash value hash2 of the plaintext of the gender; calculating a field hash value hash3 of a plaintext of the birth year and month; calculating a field hash value hash4 of plaintext of the hobbies; calculating a field hash value hash5 of a plaintext of the adult proof; the 5 field hash values are arranged in a predetermined order, such as hash1-hash2-hash3-hash4-hash5; and carrying out hash operation on the arranged contents to obtain a root hash value RootHash.
The data party can add the root hash value to the verification information, encrypt the root hash value by using the private key of the data party, and store the obtained ciphertext in a uplink manner.
The data party can send the trusted certificate and the verification information to the user party as response data; or the data party can also acquire personalized customization data of scene requirements, and send the trusted voucher, the verification information and the personalized customization data to the user party as response data, as shown in fig. 5.
When sending the response data, the data party can directly send the response data to the user party through the trusted network channel, or can call the data party security control, and send the response data to the user party through the trusted network channel, and the embodiment is not limited.
The user side receives the trusted credential and authentication information, step 204.
The user side may directly receive the response data sent by the data side through the trusted network channel, or may call the data side security control, and receive the response data sent by the data side through the trusted network channel, which is not limited in this embodiment.
The user may extract the trusted credential and authentication information from the received response data packet. When the trusted credential information includes the user identifier, the user data and the customized service data, the user side may store the user identifier and the data that is convenient for visualization in the trusted credential locally, process the sensitive data by using the desensitization logic, and store the processed sensitive data locally or in the cloud, and selectively store the customized service data locally or in the cloud, as shown in fig. 6.
In step 205, the scene sends a verification request to the user side.
In a certain application scenario, when the identity of the user needs to be verified, the scenario party can construct a verification request according to the content needing to be verified and a preset template, and the verification request is sent to the user party through a trusted network channel, as shown in fig. 7.
Step 206, when the data contains a plurality of fields arranged according to a predetermined sequence, the user side obtains the plaintext of part of the fields and the field hash value of part of the fields from the data according to the content requested by the verification request; and the user side arranges the plaintext and the field hash value according to a preset sequence to obtain data information.
Under a certain supervision standard, after receiving a verification request, a user side needs to verify the identity of the user side by using a preset authoritative data source so that the scene side can confirm the identity of the user side. In a first implementation, the authentication may be performed by the user side when the identity information to be authenticated is more sensitive. Specifically, the user side can send a request carrying sensitive identity information such as an identity card number, a name and the like to the authoritative data source, the authoritative data source verifies the sensitive identity information in the request, a verification result is generated and sent to the user side, and the user side feeds the verification result back to the scene side. In a second implementation, the authentication may be performed by the party of the scene when the identity information to be authenticated is insensitive. Specifically, the user side can send non-sensitive identity information such as a subject card to the scene side, the scene side sends a request carrying the non-sensitive identity information to the authoritative data source, the authoritative data source verifies the non-sensitive identity information in the request, and a verification result is generated and sent to the scene side.
In this embodiment, the user side may selectively disclose a part of the data, and another part of the data is represented by a field hash value of the data. Still taking the five fields of name, gender, birth month, hobbies and adult proof of the user as examples in the data, and the user side determines the plaintext of revealing the name and adult proof, the plaintext of the name, hash2, hash3, hash4 and the plaintext of adult proof are included in the data information generated by the user side.
Step 207, the user side sends the data information, the trusted credential and the authentication information to the scene side.
The user side can receive the verification request through the trusted network channel, call the public information service to verify the identity and the validity of the scene side, call the public information service to acquire the stored trusted certificates and verification information after the verification is passed, generate data information according to the content requested by the verification request, construct return data by using a preset template, and send the return data containing the data information, the trusted certificates and the verification information to the scene side through the trusted network channel, as shown in fig. 8.
It should be noted that, when information is transmitted between the user side and the scene side, if a system platform exists between the user side and the scene side, and the system platform is allowed to buffer the information (non-sensitive information), the user side may send the information to the system platform first, and the system platform forwards the information to the scene side, where an end-to-end data channel does not need to be established. If a system platform exists between the user side and the scene side, and the system platform is forbidden to buffer the information (sensitive information), the connection mode (such as an IP address and the like) of the opposite terminal can be acquired from the platform public service, then a peer-to-peer data channel is established with the opposite terminal, and the information is transmitted through the data channel.
And step 208, the scene side selects a corresponding verification mode according to the verification information, and verifies the data information, the trusted voucher and the verification information in the verification mode, wherein the verification mode is online verification or offline verification.
The scene party can receive the data information, the trusted voucher and the verification information through the trusted network channel, determines whether to perform online verification or offline verification according to the content of the verification information, and verifies the data information, the trusted voucher and the verification information in a corresponding verification mode.
(1) When the verification information is used for online verification, a scene sends a verification request to a data party, wherein the verification request contains data information, a trusted credential and verification information; and the data party verifies the verification identification in the verification information, acquires the data stored in the chain according to the user identification in the trusted certificate after the verification is passed, verifies the data information according to the data, and returns a verification result to the scene party.
Wherein the scene party may send a verification request to the data party via a trusted network channel, as shown in fig. 9. After receiving the verification request, the data party can call the public information service to verify the identity and validity of the scene party. After the verification is passed, the data party can verify the verification identification in the verification information. Specifically, the data party can read the verification identifier in the verification information and the user identifier in the trusted certificate, detect whether the corresponding relationship between the verification identifier and the user identifier exists, and if the corresponding relationship exists, determine that the verification is passed.
When the data information contains the plaintext of a part of the fields and the field hash value of the part of the fields, the data party can replace the plaintext of each field with the corresponding field hash value; performing hash operation on field hash values of all fields to obtain a first hash value; acquiring a root hash value generated according to data from a chain; it is verified whether the root hash value and the first hash value are identical as shown in fig. 9.
Still taking the plaintext of the name, hash2, hash3, hash4 and plaintext of the adult proof as examples in the data information, the data party can calculate the field hash value hash1 of the plaintext of the name; calculating a field hash value hash5 of a plaintext of the adult proof; the 5 field hash values are arranged in a predetermined order, such as hash1-hash2-hash3-hash4-hash5; performing hash operation on the arranged contents to obtain a first hash value; comparing whether the first hash value is the same as RootHash stored on the chain; if the first hash value is identical to RootHash, generating a verification result of successful verification; if the first hash value and RootHash are different, a verification result of verification failure is generated.
(2) When the verification information is used for offline verification and the data information contains plaintext of a part of fields and field hash values of the part of fields, the scene party replaces the plaintext of each field with the corresponding field hash value; performing hash operation on the field hash values of all the fields to obtain a second hash value; obtaining a key according to the trusted voucher, decrypting a root hash value in the verification information according to the key; it is verified whether the root hash value is identical to the second hash value as shown in fig. 10.
Still taking the plaintext of the name, the plaintext of the hash2, the plaintext of the hash3, the plaintext of the hash4 and the plaintext of the adult proof as an example in the data information, the scene party can calculate the field hash value hash1 of the plaintext of the name; calculating a field hash value hash5 of a plaintext of the adult proof; the 5 field hash values are arranged in a predetermined order, such as hash1-hash2-hash3-hash4-hash5; performing hash operation on the arranged contents to obtain a second hash value; comparing whether RootHash in the second hash value and the verification information are the same or not; if the second hash value is identical to RootHash, generating a verification result of successful verification; if the second hash value and RootHash are different, a verification result of verification failure is generated.
As shown in fig. 11, in summary, the data management method may include the following simplified flow: (1) a user applies for credentials to a party; (2) the data returns the credentials to the user side; (3) the user side stores data; (4) applying data to the user side by the scene direction; (5) the user returns data to the scene party; (6) the scene party performs off-line verification; (7) the scene party requests the data party to verify; (8) the data side returns the verification result. Wherein, the step (6) and the step (7-8) are alternatively executed.
It should be noted that, under a certain supervision rule, the data to be managed sent to the data party by the user is only stored in the authoritative data party, i.e. the data does not go out of the data party. For example, when the user applies for the certificate to the data side, the trusted certificate fed back to the data side only comprises the result data or the desensitized data such as hash; when the scene direction data party applies for verification information, the data direction scene party feeds back the verification information instead of the data original text, so that the safety of the data can be ensured.
In summary, according to the data management method based on the distributed identity provided by the embodiment of the application, the verification information fed back by the data to the user side can be used for online verification or offline verification, and after the scene side obtains the verification information of the user side, the scene side can select a corresponding online or offline verification mode according to the verification information, and the verification mode is adopted to verify the data information, the trusted certificate and the verification information. Therefore, the off-line verification can be performed when the verification capability of the scene party is enough and the requirement of the service compliance is not high, so that the verification flow is simplified; and performing online verification when the verification capability of the scene party is insufficient or the requirement of service compliance is high, so as to improve the verification accuracy.
Referring to fig. 12, a block diagram of a data management system based on distributed identities according to an embodiment of the present application is shown, where the data management system based on distributed identities may be applied in a terminal. The distributed identity based data management system may include a user side 1210, a data side 1220, and a scene side 1230;
a user side 1210 for transmitting data to be managed to a data side 1220 in the blockchain;
The data party 1220 is configured to generate a trusted credential and authentication information according to the data, send the trusted credential and the authentication information to the user party 1210, where the trusted credential includes a user identifier, and the authentication information is used for online authentication or offline authentication;
the user side 1210 is further configured to receive a trusted credential and authentication information;
Scene party 1230 for sending an authentication request to user party 1210;
The user side 1210 is further configured to generate data information according to the data and the authentication request, and send the data information, the trusted credential, and the authentication information to the scene side 1230;
the scene party 1230 is further configured to select a corresponding verification mode according to information in the verification information, and verify the data information, the trusted certificate and the verification information by adopting the verification mode, where the verification mode is online verification or offline verification.
In an alternative embodiment, when the authentication information is used for online authentication, the authentication information includes an authentication identifier allocated by the data party 1220;
when the authentication information is used for offline authentication, the authentication information includes a root hash value generated from the data.
In an alternative embodiment, when the authentication information is used for online authentication, the scenario party 1230 is further configured to send an authentication request to the data party 1220, where the authentication request includes data information, trusted credentials, and authentication information;
The data party 1220 is further configured to verify the verification identifier in the verification information, obtain the data stored in the chain according to the user identifier in the trusted certificate after the verification is passed, verify the data information according to the data, and return a verification result to the scene party 1230.
In an alternative embodiment, data party 1220 is further configured to:
after the trusted certificate and the verification information are generated according to the data, generating a corresponding relation between a user identifier in the trusted certificate and a verification identifier in the verification information;
And reading the verification identifier in the verification information and the user identifier in the trusted certificate, detecting whether the corresponding relation between the verification identifier and the user identifier exists, and if the corresponding relation exists, determining that the verification is passed.
In an alternative embodiment, when the data includes a plurality of fields arranged in a predetermined order, the data party 1220 is further configured to:
When the data information contains the plaintext of a part of the fields and the field hash value of the part of the fields, replacing the plaintext of each field with the corresponding field hash value;
performing hash operation on field hash values of all fields to obtain a first hash value;
Acquiring a root hash value generated according to data from a chain;
it is verified whether the root hash value and the first hash value are identical.
In an alternative embodiment, data party 1220 is further configured to:
After the data is obtained, replacing the plaintext of each field in the data with the field hash value of the corresponding field;
Performing hash operation on the field hash values of all the fields, and storing the obtained root hash value in a chain.
In an alternative embodiment, when authentication information is used for offline authentication, scene party 1230 is also used to:
When the data information contains the plaintext of a part of the fields and the field hash value of the part of the fields, replacing the plaintext of each field with the corresponding field hash value;
performing hash operation on the field hash values of all the fields to obtain a second hash value;
Obtaining a key according to the trusted voucher, decrypting a root hash value in the verification information according to the key;
and verifying whether the root hash value is identical to the second hash value.
In an alternative embodiment, when the data includes a plurality of fields arranged in a predetermined order, the user side 1210 is further configured to:
Acquiring plaintext of a part of fields and field hash values of the part of fields from data according to the content requested by the verification request;
And arranging the plaintext and the field hash value according to a preset sequence to obtain data information.
In an alternative embodiment, data party 1220 is further configured to:
checking the source and the range of use of the data before generating the trusted voucher and the verification information from the data;
after determining that the source and the use range are correct, verifying the data according to preset verification logic;
After the verification is passed, the step of generating trusted certificates and verification information from the data is triggered to be performed.
In summary, in the data management system based on distributed identity provided by the embodiment of the present application, the verification information fed back by the data to the user side may be used for online verification or offline verification, and after the scene side obtains the verification information of the user side, the scene side may select a corresponding online or offline verification mode according to the verification information, and verify the data information, the trusted certificate and the verification information by adopting the verification mode. Therefore, the off-line verification can be performed when the verification capability of the scene party is enough and the requirement of the service compliance is not high, so that the verification flow is simplified; and performing online verification when the verification capability of the scene party is insufficient or the requirement of service compliance is high, so as to improve the verification accuracy.
One embodiment of the application provides a computer-readable storage medium having stored therein at least one instruction that is loaded and executed by a processor to implement a distributed identity based data management method as described above.
One embodiment of the present application provides a terminal including a processor and a memory having at least one instruction stored therein, the instruction being loaded and executed by the processor to implement a distributed identity based data management method as described above.
It should be noted that: in the data management system based on the distributed identity according to the above embodiment, only the division of the functional modules is used for illustration, and in practical application, the above-mentioned function allocation may be performed by different functional modules according to needs, that is, the internal structure of the data management system based on the distributed identity is divided into different functional modules, so as to complete all or part of the functions described above. In addition, the data management system based on the distributed identities provided in the above embodiment and the data management method embodiment based on the distributed identities belong to the same concept, and the specific implementation process of the data management system based on the distributed identities is detailed in the method embodiment, which is not described herein again.
It will be understood by those skilled in the art that all or part of the steps for implementing the above embodiments may be implemented by hardware, or may be implemented by a program for instructing relevant hardware, where the program may be stored in a computer readable storage medium, and the storage medium may be a read-only memory, a magnetic disk or an optical disk, etc.
The above description should not be taken as limiting the embodiments of the application, but rather should be construed to cover all modifications, equivalents, improvements, etc. that may fall within the spirit and principles of the embodiments of the application.
Claims (9)
1. A method of data management based on distributed identities, the method comprising:
the user side sends the data to be managed to the data side in the block chain;
the data party generates a trusted certificate and verification information according to the data, the trusted certificate and the verification information are sent to the user party, the trusted certificate contains a user identifier, and the verification information is used for online verification or offline verification;
The user side receives the trusted certificate and the verification information;
the scene sends a verification request to the user side;
the user side generates data information according to the data and the verification request, and sends the data information, the trusted voucher and the verification information to the scene side;
The scene party selects a corresponding verification mode according to the verification information, and adopts the verification mode to verify the data information, the trusted certificate and the verification information, wherein the verification mode is online verification or offline verification;
When the verification information is used for online verification, the verification information contains verification identifiers distributed by the data party; the step of verifying the data information, the trusted certificate and the verification information by adopting the verification mode comprises the following steps: the scene sends a verification request to the data party, wherein the verification request comprises the data information, the trusted certificate and the verification information; and the data party verifies the verification identification in the verification information, acquires the data stored in the chain according to the user identification in the trusted certificate after the verification is passed, verifies the data information according to the data, and returns a verification result to the scene party.
2. The method of claim 1, wherein the step of determining the position of the substrate comprises,
When the verification information is used for offline verification, the verification information comprises a root hash value generated according to the data.
3. The method of claim 1, wherein the step of determining the position of the substrate comprises,
After the data party generates the trusted credential and the verification information from the data, the method further comprises: the data party generates a corresponding relation between a user identifier in the trusted voucher and a verification identifier in the verification information;
The data party verifies the verification identification in the verification information, and the method comprises the following steps: the data party reads the verification identification in the verification information and the user identification in the trusted certificate, detects whether the corresponding relation between the verification identification and the user identification exists, and if the corresponding relation exists, determines that the verification is passed.
4. The method according to claim 1, wherein when a plurality of fields arranged in a predetermined order are included in the data, the verifying the data information according to the data includes:
when the data information contains the plaintext of a part of fields and the field hash value of a part of fields, the data party replaces the plaintext of each field with the corresponding field hash value;
The data party carries out hash operation on field hash values of all fields to obtain a first hash value;
the data party acquires a root hash value generated according to the data from a chain;
The data party verifies whether the root hash value and the first hash value are identical.
5. The method according to claim 4, wherein the method further comprises:
After the data party acquires the data, replacing the plaintext of each field in the data with a field hash value of the corresponding field;
And the data party carries out hash operation on the field hash values of all the fields, and stores the obtained root hash value in a uplink manner.
6. The method of claim 1, wherein when the authentication information is used for offline authentication, the employing the authentication method to authenticate the data information, the trusted credential, and the authentication information comprises:
when the data information contains the plaintext of a part of fields and the field hash value of a part of fields, the scene party replaces the plaintext of each field with the corresponding field hash value;
The scene party carries out hash operation on the field hash values of all the fields to obtain a second hash value;
the scene party obtains a key according to the trusted certificate, and decrypts the root hash value in the verification information according to the key;
the scene party verifies whether the root hash value is the same as the second hash value.
7. The method according to claim 1, wherein when a plurality of fields arranged in a predetermined order are included in the data, the user side generates data information from the data and the authentication request, comprising:
the user side obtains plaintext of a part of fields and field hash values of the part of fields from the data according to the content requested by the verification request;
And the user side arranges the plaintext and the field hash value according to the preset sequence to obtain the data information.
8. The method according to any of claims 1 to 7, wherein before the data party generates trusted credentials and verification information from the data, the method further comprises:
The data party checks the source and the use range of the data;
after determining that the source and the usage range are correct, the data party verifies the data according to preset verification logic;
After the verification is passed, the data side triggers the execution of the step of generating the trusted credential and the verification information from the data.
9. A data management system based on distributed identity, which is characterized by comprising a user side, a data side and a scene side;
The user side is used for sending the data to be managed to the data side in the blockchain;
The data party is used for generating a trusted certificate and verification information according to the data, and sending the trusted certificate and the verification information to the user party, wherein the trusted certificate contains a user identifier, and the verification information is used for performing online verification or offline verification;
The user side is further used for receiving the trusted certificate and the verification information;
the scene party is used for sending a verification request to the user party;
The user side is further used for generating data information according to the data and the verification request, and sending the data information, the trusted certificate and the verification information to the scene side;
the scene party is further used for selecting a corresponding verification mode according to the information in the verification information, and verifying the data information, the trusted certificate and the verification information by adopting the verification mode, wherein the verification mode is online verification or offline verification;
When the verification information is used for online verification, the scene party is also used for sending a verification request to the data party, wherein the verification request comprises the data information, the trusted certificate and the verification information; the data party is also used for verifying the verification identification in the verification information, acquiring the data stored on the chain according to the user identification in the trusted certificate after verification is passed, verifying the data information according to the data, and returning a verification result to the scene party.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202210125719.2A CN114928447B (en) | 2022-02-10 | 2022-02-10 | Data management method and system based on distributed identity |
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202210125719.2A CN114928447B (en) | 2022-02-10 | 2022-02-10 | Data management method and system based on distributed identity |
Publications (2)
Publication Number | Publication Date |
---|---|
CN114928447A CN114928447A (en) | 2022-08-19 |
CN114928447B true CN114928447B (en) | 2024-04-30 |
Family
ID=82804853
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN202210125719.2A Active CN114928447B (en) | 2022-02-10 | 2022-02-10 | Data management method and system based on distributed identity |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN114928447B (en) |
Citations (11)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN104836780A (en) * | 2014-02-12 | 2015-08-12 | 腾讯科技(深圳)有限公司 | Data interaction method, verifying terminal, server and system |
US9280645B1 (en) * | 2012-11-15 | 2016-03-08 | Emc Corporation | Local and remote verification |
CN109347878A (en) * | 2018-11-30 | 2019-02-15 | 西安电子科技大学 | The data verification of decentralization and data safety transaction system and method |
CN109951489A (en) * | 2019-03-27 | 2019-06-28 | 深圳市网心科技有限公司 | A kind of digital identification authentication method, unit, system and storage medium |
CN111159288A (en) * | 2019-12-16 | 2020-05-15 | 郑杰骞 | Method, system, device and medium for storing, verifying and realizing chain structure data |
CN111680324A (en) * | 2020-05-28 | 2020-09-18 | 中国工商银行股份有限公司 | Certificate verification method, management method and issuing method for block chain |
CN112073479A (en) * | 2020-08-26 | 2020-12-11 | 重庆邮电大学 | Method and system for controlling de-centering data access based on block chain |
KR20210051077A (en) * | 2019-10-29 | 2021-05-10 | 성균관대학교산학협력단 | Methods and systems for managing identification based on blockchain |
KR20210065012A (en) * | 2019-11-26 | 2021-06-03 | 세종텔레콤 주식회사 | Certificate management server based on blockchain and method thereof and computer program |
CN113098838A (en) * | 2021-02-21 | 2021-07-09 | 西安电子科技大学 | Trusted distributed identity authentication method, system, storage medium and application |
CN113836554A (en) * | 2021-09-26 | 2021-12-24 | 网易(杭州)网络有限公司 | Method for managing certificate information based on block chain, electronic equipment and storage medium |
Family Cites Families (3)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US20100306112A1 (en) * | 2009-06-01 | 2010-12-02 | Userstar Information System Co., Ltd. | Online trading method and system with mechanism for verifying authenticity of a product |
EP3814965A1 (en) * | 2018-06-27 | 2021-05-05 | Newbanking APS | Securely managing authenticated user-data items |
CN111222165B (en) * | 2020-01-10 | 2022-09-23 | 北京百度网讯科技有限公司 | Multi-party computing method, device, equipment and medium based on block chain |
-
2022
- 2022-02-10 CN CN202210125719.2A patent/CN114928447B/en active Active
Patent Citations (13)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US9280645B1 (en) * | 2012-11-15 | 2016-03-08 | Emc Corporation | Local and remote verification |
CN104836780A (en) * | 2014-02-12 | 2015-08-12 | 腾讯科技(深圳)有限公司 | Data interaction method, verifying terminal, server and system |
CN109347878A (en) * | 2018-11-30 | 2019-02-15 | 西安电子科技大学 | The data verification of decentralization and data safety transaction system and method |
WO2020191928A1 (en) * | 2019-03-27 | 2020-10-01 | 深圳市网心科技有限公司 | Digital identity authentication method, device, apparatus and system, and storage medium |
CN109951489A (en) * | 2019-03-27 | 2019-06-28 | 深圳市网心科技有限公司 | A kind of digital identification authentication method, unit, system and storage medium |
KR20210051077A (en) * | 2019-10-29 | 2021-05-10 | 성균관대학교산학협력단 | Methods and systems for managing identification based on blockchain |
KR20210065012A (en) * | 2019-11-26 | 2021-06-03 | 세종텔레콤 주식회사 | Certificate management server based on blockchain and method thereof and computer program |
CN111159288A (en) * | 2019-12-16 | 2020-05-15 | 郑杰骞 | Method, system, device and medium for storing, verifying and realizing chain structure data |
WO2021120253A1 (en) * | 2019-12-16 | 2021-06-24 | 郑杰骞 | Data storage method and verification method for blockchain structure, blockchain structure implementation method, blockchain-structured system, device, and medium |
CN111680324A (en) * | 2020-05-28 | 2020-09-18 | 中国工商银行股份有限公司 | Certificate verification method, management method and issuing method for block chain |
CN112073479A (en) * | 2020-08-26 | 2020-12-11 | 重庆邮电大学 | Method and system for controlling de-centering data access based on block chain |
CN113098838A (en) * | 2021-02-21 | 2021-07-09 | 西安电子科技大学 | Trusted distributed identity authentication method, system, storage medium and application |
CN113836554A (en) * | 2021-09-26 | 2021-12-24 | 网易(杭州)网络有限公司 | Method for managing certificate information based on block chain, electronic equipment and storage medium |
Also Published As
Publication number | Publication date |
---|---|
CN114928447A (en) | 2022-08-19 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
US10824701B2 (en) | System and method for mapping decentralized identifiers to real-world entities | |
US10516538B2 (en) | System and method for digitally signing documents using biometric data in a blockchain or PKI | |
US11038670B2 (en) | System and method for blockchain-based cross-entity authentication | |
EP3788522B1 (en) | System and method for mapping decentralized identifiers to real-world entities | |
US11757640B2 (en) | Non-fungible token authentication | |
JP7083892B2 (en) | Mobile authentication interoperability of digital certificates | |
CN109325342B (en) | Identity information management method, device, computer equipment and storage medium | |
CN112632581A (en) | User data processing method and device, computer equipment and storage medium | |
CN106464496A (en) | Method and system for creating a certificate to authenticate a user identity | |
KR20060112182A (en) | Method and system for identity recognition | |
CN110247758B (en) | Password management method and device and password manager | |
CN110020869B (en) | Method, device and system for generating block chain authorization information | |
US20140289531A1 (en) | Communication system, relay device, and non-transitory computer readable medium | |
US20210051159A1 (en) | Unified authentication system for decentralized identity platforms | |
CN114338242B (en) | Cross-domain single sign-on access method and system based on block chain technology | |
CN113312664A (en) | User data authorization method and user data authorization system | |
CA2526237C (en) | Method for provision of access | |
CN111880919A (en) | Data scheduling method, system and computer equipment | |
US20240236076A1 (en) | Authenticating Data And Communication Sources | |
CN114666168A (en) | Decentralized identity certificate verification method and device, and electronic equipment | |
CN114428661A (en) | Mirror image management method and device | |
CN114928447B (en) | Data management method and system based on distributed identity | |
Johnson et al. | Rethinking Single Sign-On: A Reliable and Privacy-Preserving Alternative with Verifiable Credentials | |
CN114021157A (en) | Identity information management method, system, device and medium based on identification analysis | |
CN114978681B (en) | Service application authorization method and device based on block chain and processor |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PB01 | Publication | ||
PB01 | Publication | ||
SE01 | Entry into force of request for substantive examination | ||
SE01 | Entry into force of request for substantive examination | ||
GR01 | Patent grant | ||
GR01 | Patent grant |