CN115134091A - Management method of distributed digital identity identifier - Google Patents

Management method of distributed digital identity identifier Download PDF

Info

Publication number
CN115134091A
CN115134091A CN202210834230.2A CN202210834230A CN115134091A CN 115134091 A CN115134091 A CN 115134091A CN 202210834230 A CN202210834230 A CN 202210834230A CN 115134091 A CN115134091 A CN 115134091A
Authority
CN
China
Prior art keywords
user
private key
key
distributed digital
server
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN202210834230.2A
Other languages
Chinese (zh)
Inventor
薛永庆
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Beijing Microchip Sensing Technology Co ltd
Original Assignee
Beijing Microchip Sensing Technology Co ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Beijing Microchip Sensing Technology Co ltd filed Critical Beijing Microchip Sensing Technology Co ltd
Priority to CN202210834230.2A priority Critical patent/CN115134091A/en
Publication of CN115134091A publication Critical patent/CN115134091A/en
Pending legal-status Critical Current

Links

Images

Classifications

    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/32Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L9/3247Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving digital signatures
    • H04L9/3252Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving digital signatures using DSA or related signature schemes, e.g. elliptic based signatures, ElGamal or Schnorr schemes
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/08Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L9/0816Key establishment, i.e. cryptographic processes or cryptographic protocols whereby a shared secret becomes available to two or more parties, for subsequent use
    • H04L9/0819Key transport or distribution, i.e. key establishment techniques where one party creates or otherwise obtains a secret value, and securely transfers it to the other(s)
    • H04L9/083Key transport or distribution, i.e. key establishment techniques where one party creates or otherwise obtains a secret value, and securely transfers it to the other(s) involving central third party, e.g. key distribution center [KDC] or trusted third party [TTP]
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/08Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L9/0861Generation of secret information including derivation or calculation of cryptographic keys or passwords
    • H04L9/0866Generation of secret information including derivation or calculation of cryptographic keys or passwords involving user or device identifiers, e.g. serial number, physical or biometrical information, DNA, hand-signature or measurable physical characteristics
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/30Public key, i.e. encryption algorithm being computationally infeasible to invert or user's encryption keys not requiring secrecy
    • H04L9/3066Public key, i.e. encryption algorithm being computationally infeasible to invert or user's encryption keys not requiring secrecy involving algebraic varieties, e.g. elliptic or hyper-elliptic curves
    • H04L9/3073Public key, i.e. encryption algorithm being computationally infeasible to invert or user's encryption keys not requiring secrecy involving algebraic varieties, e.g. elliptic or hyper-elliptic curves involving pairings, e.g. identity based encryption [IBE], bilinear mappings or bilinear pairings, e.g. Weil or Tate pairing

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Theoretical Computer Science (AREA)
  • General Physics & Mathematics (AREA)
  • Algebra (AREA)
  • Mathematical Analysis (AREA)
  • Mathematical Optimization (AREA)
  • Mathematical Physics (AREA)
  • Pure & Applied Mathematics (AREA)
  • Physics & Mathematics (AREA)
  • Computing Systems (AREA)
  • Mobile Radio Communication Systems (AREA)

Abstract

The invention discloses a management method of distributed digital identity identifiers, S1, acquiring user registration information; s2, generating a main private key, a public private key and a unique DID according to the user registration information, generating a user private key through the main private key and the DID, returning the DID, the user private key and the main public key and storing; and S3, the verifying party acquires the DID of the user and verifies the label through the DID. The invention simplifies the management of the distributed digital identity, does not need to maintain the DID document, does not need to maintain the mapping relation between the DID and the public key, does not need to inquire the mapping relation between the DID and the public key in other systems when verifying the signature, and can realize off-line signature verification.

Description

Management method of distributed digital identity identifier
Technical Field
The invention relates to the technical field of block chains, in particular to a management method of a distributed digital identity identifier.
Background
A distributed digital identity identifier (DID) is an identifier consisting of a string of characters used to represent a digital identity that can be globally unique without the need for a central registry. Typically, an entity may possess multiple identities, each assigned a unique DID value, and an asymmetric key associated therewith. There is no correlation information between different identities, thus effectively avoiding the collection of owner identity information.
Distributed identity Identifiers (DID) are Decentralized verifiable digital Identifiers, and have the characteristics of being distributed, autonomously controllable, cross-chain multiplexing and the like. The entity can autonomously complete the registration, parsing, updating or revocation operations of the DID. The DID is specifically resolved into a DID Document that includes a unique identification code of the DID, a list of public keys and detailed information of the public keys (holder, encryption algorithm, key status, etc.), and other attribute descriptions of the DID holder.
The DID is associated with a DID Document (DID Document). The DID infrastructure can be thought of as a global key-value database, where the database is a blockchain, distributed ledger or distributed network that is all DID-compatible. In this virtual database, the key is a DID and the value is a DID document. The purpose of the DID document is to describe the public key, authentication protocol and service endpoints that are necessary to direct cryptographically verifiable interactions with an identified entity. In the prior art, in the process of distributed digital identity management, a DID document needs to be maintained, and a mapping relationship between a DID and a public key needs to be maintained, that is, one or more public keys need to be bound to each DID, which makes it difficult to implement an offline signature verification process.
Therefore, how to provide a simplified management method for distributed digital identifiers is a problem that needs to be solved by those skilled in the art.
Disclosure of Invention
In view of the above, the present invention provides a management method for distributed digital identities, which is used to implement simplified management of distributed digital identities.
In order to achieve the purpose, the invention adopts the following technical scheme:
a method of managing distributed digital identity identifiers, comprising the steps of:
s1, acquiring user registration information;
s2, generating a main private key, a public private key and a unique DID according to the user registration information, generating a user private key through the main private key and the DID, and returning and storing the DID, the user private key and the main public key;
and S3, the verifier acquires the DID of the user and acquires the public key of the user through the DID to realize signature verification.
Preferably, the user registration information in S1 includes a user identification number, a mobile phone number, a location and/or a company.
Preferably, in S2, the key generation center generates and stores the master private key and the public private key by using random numbers.
Preferably, when the DID is generated by the server in S2:
when the user registers the DID, the server generates a new DID, inquires whether the new DID exists in the current storage or not, and if not, associates and binds the current user and the newly generated DID.
Preferably, when the DID is generated by the user in S2:
and the user generates a DID (do it yourself) and submits the DID to the server when registering to the server, and after the server receives the DID, the server inquires whether the DID exists in the current storage, if so, returns error information, and if not, continues to execute the registration logic.
Preferably, the DID generating algorithms include self-growing ID, UUID, and snowflake algorithms.
Preferably, the specific contents of S3 include:
s31, a user signs service information by using a user private key of the user, and the service information and the signature are sent to the verifier;
and S32, the verifier acquires user DID from the service information, generates a user public key by using the main public key and the DID, and verifies by using the user public key, the service information and the signed information.
Compared with the prior art, the technical scheme of the invention has the advantages that the management method of the distributed digital identity identifier has the following advantages:
1. the invention provides a simpler and more convenient distributed digital identity management method, which does not need DID binding a public key any more, but calculates the public key by the main public key and the DID, and simplifies the steps of generating and maintaining the DID document by the digital identity management method in the prior art;
2. the invention does not need to go to other systems and then to inquire the mapping relation of the corresponding DID and the public key when the verifier verifies the signature, and can realize off-line signature verification.
Drawings
In order to more clearly illustrate the embodiments of the present invention or the technical solutions in the prior art, the drawings used in the description of the embodiments or the prior art will be briefly described below, it is obvious that the drawings in the following description are only embodiments of the present invention, and for those skilled in the art, other drawings can be obtained according to the provided drawings without creative efforts.
Fig. 1 is a schematic diagram illustrating a DID generation flow in a management method for a distributed digital identity provided by the present invention;
fig. 2 is a schematic diagram of a signature verification process in the management method of the distributed digital identity identifier according to the present invention.
Detailed Description
The technical solutions in the embodiments of the present invention will be clearly and completely described below with reference to the drawings in the embodiments of the present invention, and it is obvious that the described embodiments are only a part of the embodiments of the present invention, and not all of the embodiments. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present invention.
The embodiment of the invention discloses a management method of a distributed digital identity identifier, which comprises the following steps:
s1, acquiring user registration information;
s2, generating a main private key, a public private key and a unique DID according to the user registration information, generating a user private key through the main private key and the DID, and returning and storing the DID, the user private key and the main public key;
and S3, the verifier acquires the DID of the user and acquires the public key of the user through the DID to realize signature verification.
It should be noted that:
in the distributed digital identity logic, the signature adding and the signature checking are involved. In asymmetric encryption, a private key is required to be used for signing to generate a signature value during signing, and the signature value and a public key are required to be used for verification during signature verification. The DID generated in the W3C standard is bound to a public key to verify whether the signature value is attributed to the DID.
In this embodiment, the distributed digital identity is managed by an elliptic curve bilinear pairing algorithm, which is used to maintain the generation of the user public and private keys through the main public and private keys.
In order to further implement the above technical solution, the user registration information in S1 includes a user identification number, a mobile phone number, a location and/or a company.
In order to further implement the above technical solution, in S2, the key generation center generates and stores the master private key and the public private key by using random numbers.
In order to further implement the above technical solution, when the DID is generated by the server in S2:
the server generates a DID (differential identification) unique to the whole network and stores the DID in a storage of the server;
when the user registers the DID, the server generates a new DID, inquires whether the new DID exists from the current storage, and if not, associates and binds the current user and the newly generated DID.
In order to further implement the above technical solution, when the DID is generated by the user in S2:
and the user generates a DID (do it yourself) and submits the DID to the server when registering to the server, and after the server receives the DID, the server inquires whether the DID exists in the current storage, if so, returns error information, and if not, continues to execute the registration logic.
In order to further implement the above technical solution, the algorithms for generating DID include self-increment ID, UUID and snowflake algorithms.
In order to further implement the above technical solution, the specific content of S3 includes:
s31, the user signs the service information by using the own user private key and sends the service information and the signature to a verifier;
and S32, the verifier acquires the user DID from the service information, generates a user public key by using the main public key and the DID, and verifies the user public key, the service information and the signature information.
The embodiments in the present description are described in a progressive manner, each embodiment focuses on differences from other embodiments, and the same and similar parts among the embodiments are referred to each other. The device disclosed by the embodiment corresponds to the method disclosed by the embodiment, so that the description is simple, and the relevant points can be referred to the method part for description.
The previous description of the disclosed embodiments is provided to enable any person skilled in the art to make or use the present invention. Various modifications to these embodiments will be readily apparent to those skilled in the art, and the generic principles defined herein may be applied to other embodiments without departing from the spirit or scope of the invention. Thus, the present invention is not intended to be limited to the embodiments shown herein but is to be accorded the widest scope consistent with the principles and novel features disclosed herein.

Claims (7)

1. A method for managing distributed digital identifiers, comprising the steps of:
s1, acquiring user registration information;
s2, generating a main private key, a public private key and a unique DID according to the user registration information, generating a user private key through the main private key and the DID, and returning and storing the DID, the user private key and the main public key;
and S3, the verifying party acquires the DID of the user, and acquires the public key of the user through the DID to realize signature verification.
2. The method as claimed in claim 1, wherein the user registration information in S1 includes a user identification number, a mobile phone number, a location and/or a company.
3. The method for managing distributed digital identity identifiers of claim 1, wherein the key generation center generates and stores the master private key and the public private key by random numbers in S2.
4. The method for managing distributed digital identity identifiers of claim 1, wherein when the DID is generated by the server in S2:
when the user registers the DID, the server generates a new DID, inquires whether the new DID exists from the current storage, and if not, associates and binds the current user and the newly generated DID.
5. The method for managing distributed digital identities according to claim 1, wherein when a DID is generated by a user in S2:
and the user generates a DID (do it yourself) and submits the DID to the server when registering to the server, and after the server receives the DID, the server inquires whether the DID exists in the current storage, if so, returns error information, and if not, continues to execute the registration logic.
6. The method of claim 1, wherein the DID generation algorithm comprises self-growth ID, UUID and snowflake algorithm.
7. The method for managing distributed digital identity identifiers according to claim 1, wherein the details of S3 include:
s31, a user signs service information by using a user private key of the user, and the service information and the signature are sent to the verifier;
and S32, the verifier acquires user DID from the service information, generates a user public key by using the main public key and the DID, and verifies by using the user public key, the service information and the signed information.
CN202210834230.2A 2022-07-14 2022-07-14 Management method of distributed digital identity identifier Pending CN115134091A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202210834230.2A CN115134091A (en) 2022-07-14 2022-07-14 Management method of distributed digital identity identifier

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202210834230.2A CN115134091A (en) 2022-07-14 2022-07-14 Management method of distributed digital identity identifier

Publications (1)

Publication Number Publication Date
CN115134091A true CN115134091A (en) 2022-09-30

Family

ID=83383898

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202210834230.2A Pending CN115134091A (en) 2022-07-14 2022-07-14 Management method of distributed digital identity identifier

Country Status (1)

Country Link
CN (1) CN115134091A (en)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN116011028A (en) * 2022-12-21 2023-04-25 蚂蚁区块链科技(上海)有限公司 Electronic signature method, electronic signature device and electronic signature system

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN116011028A (en) * 2022-12-21 2023-04-25 蚂蚁区块链科技(上海)有限公司 Electronic signature method, electronic signature device and electronic signature system
CN116011028B (en) * 2022-12-21 2023-10-20 蚂蚁区块链科技(上海)有限公司 Electronic signature method, electronic signature device and electronic signature system

Similar Documents

Publication Publication Date Title
US11784788B2 (en) Identity management method, device, communications network, and storage medium
CN110138560B (en) Double-proxy cross-domain authentication method based on identification password and alliance chain
CN110268677B (en) Cross-chain interaction using domain name scheme in blockchain system
CN110958111B (en) Block chain-based identity authentication mechanism of electric power mobile terminal
CN110264200B (en) Block chain data processing method and device
CN101286840B (en) Key distributing method and system using public key cryptographic technique
CN111884815A (en) Block chain-based distributed digital certificate authentication system
JP7426402B2 (en) Method and apparatus for realizing ID-based key management in smart contracts
CN113824563B (en) Cross-domain identity authentication method based on block chain certificate
WO2014035748A1 (en) Method and device for dynamically updating and maintaining certificate path data across remote trust domains
CN111490873B (en) Certificate information processing method and system based on block chain
CN112583596A (en) Complete cross-domain identity authentication method based on block chain technology
CN111815321A (en) Transaction proposal processing method, device, system, storage medium and electronic device
CN111586049A (en) Lightweight key authentication method and device for mobile internet
CN114465817B (en) Digital certificate system and method based on TEE predictor clusters and blockchain
CN113726522A (en) Internet of things equipment processing method and device based on block chain
MX2012011584A (en) Locating network resources for an entity based on its digital certificate.
CN111371562A (en) Super book Fabric-SDK (Standard software development kit) cryptographic algorithm expansion and transformation method
CN114615642A (en) Vehicle identity authentication method and device in vehicle-to-vehicle communication, vehicle and storage medium
CN115134091A (en) Management method of distributed digital identity identifier
CN108632037B (en) Public key processing method and device of public key infrastructure
CN114297678A (en) Operation method, device, equipment and storage medium of union chain system
CN110138558A (en) Transmission method, equipment and the computer readable storage medium of session key
WO2023231782A1 (en) Data integrity verification system
Zheng et al. [Retracted] An Anonymous Authentication Scheme in VANETs of Smart City Based on Certificateless Group Signature

Legal Events

Date Code Title Description
PB01 Publication
PB01 Publication
SE01 Entry into force of request for substantive examination
SE01 Entry into force of request for substantive examination