CN115396114A - Authorization method, device, equipment and system based on verifiable statement - Google Patents

Authorization method, device, equipment and system based on verifiable statement Download PDF

Info

Publication number
CN115396114A
CN115396114A CN202211007801.1A CN202211007801A CN115396114A CN 115396114 A CN115396114 A CN 115396114A CN 202211007801 A CN202211007801 A CN 202211007801A CN 115396114 A CN115396114 A CN 115396114A
Authority
CN
China
Prior art keywords
user
authorization
information
statement
client
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN202211007801.1A
Other languages
Chinese (zh)
Inventor
刘佳伟
孙善禄
刘丹
代平
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Alipay Hangzhou Information Technology Co Ltd
Original Assignee
Alipay Hangzhou Information Technology Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Alipay Hangzhou Information Technology Co Ltd filed Critical Alipay Hangzhou Information Technology Co Ltd
Priority to CN202211007801.1A priority Critical patent/CN115396114A/en
Publication of CN115396114A publication Critical patent/CN115396114A/en
Pending legal-status Critical Current

Links

Images

Classifications

    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/10Network architectures or network communication protocols for network security for controlling access to devices or network resources
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/08Network architectures or network communication protocols for network security for authentication of entities
    • H04L63/083Network architectures or network communication protocols for network security for authentication of entities using passwords
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/12Applying verification of the received information
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/32Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L9/3236Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials using cryptographic hash functions
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/32Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L9/3247Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving digital signatures

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Storage Device Security (AREA)
  • Management, Administration, Business Operations System, And Electronic Commerce (AREA)

Abstract

The embodiment of the specification provides an authorization method, an authorization device, authorization equipment and an authorization system based on verifiable statements, wherein the method comprises the following steps: the method comprises the steps that a server side obtains service type information of a verifiable statement to be issued by a first user to a second user, and obtains a corresponding statement authorization template according to the service type information; sending a statement authorization template to a client of a first user, and receiving authorization related information, which is returned by the client of the first user and is provided by the first user based on the statement authorization template; and confirming whether the verifiable statement is issued to the second user or not according to the authorization related information, if so, generating the verifiable statement according to the authorization related information and sending the verifiable statement to the client of the second user.

Description

Authorization method, device, equipment and system based on verifiable statement
The application is a divisional application of an invention patent application with the application date of 2019.10.11, the application number of 201910964126.3 and the name of 'authorization method, device, equipment and system based on verifiable statement'.
Technical Field
The present disclosure relates to the field of data processing technologies, and in particular, to an authorization method, an authorization device, an authorization apparatus, and an authorization system based on verifiable claims.
Background
In life and work, people often entrust other users (hereinafter referred to as proxy users) with the business required to be transacted. In the current business entrusting and handling process, a user and a proxy user generally negotiate the details of proxy handling business offline, and set up an entrusting protocol and a signing protocol of paper, so that the protocol is taken as a right certificate that a proxy has to handle a certain business of the user, and therefore, the proxy user needs to carry the signed paper protocol with him when handling the business. The method for granting the service processing authority to the agent offline has low efficiency, and inevitably has the condition that the agent forgets to carry the signed paper protocol, thereby influencing the service processing.
Disclosure of Invention
One or more embodiments of the present specification provide an authorization method based on verifiable declarations, which is applied to a server. The authorization method comprises the steps of obtaining service type information of a verifiable statement to be issued by a first user to a second user, and obtaining a corresponding statement authorization template according to the service type information. And sending the declaration authorization template to the client of the first user, and receiving authorization related information returned by the client of the first user and provided by the first user based on the declaration authorization template. And confirming whether a verifiable statement is issued to the second user or not according to the authorization related information, if so, generating the verifiable statement according to the authorization related information and sending the verifiable statement to the client of the second user.
One or more embodiments of the present specification provide an authorization method based on a verifiable assertion, which is applied to a client of a first user. The authorization method comprises the step of responding to the issuing operation of the verifiable statement of the first user and sending an issuing request of the verifiable statement to the server. The issuing request is used for requesting to issue a verifiable statement for granting the business processing permission to a second user so as to enable the second user to process the specified business of the first user. The issuing request comprises the service type information of the specified service, so that the server side obtains a corresponding statement authorization template according to the service type information. And displaying the statement authorization template returned by the server, and acquiring authorization related information provided by the first user based on the statement authorization template. And sending the authorization related information to the server, so that the server generates a verifiable statement according to the authorization related information and sends the verifiable statement to the client of the second user.
One or more embodiments of the present specification provide an authorization apparatus based on a verifiable statement, which is applied to a server. The authorization device comprises an acquisition module, a verification module and a verification module, wherein the acquisition module is used for acquiring the service type information of a verifiable statement to be issued by a first user to a second user and acquiring a corresponding statement authorization template according to the service type information. The authorization apparatus also includes a sending module that sends the claim authorization template to a client of the first user. The authorization device also comprises a receiving module which receives the authorization-related information returned by the client of the first user and provided by the first user based on the statement authorization template. The authorization apparatus further includes a determination module that confirms whether to issue a verifiable statement to the second user based on the authorization-related information. The authorization device also comprises a generating module, and if the determination result of the determining module is yes, a verifiable statement is generated according to the authorization related information and is sent to the client of the second user.
One or more embodiments of the present specification provide an authorization apparatus based on a verifiable assertion, applied to a client of a first user. The authorization apparatus includes a first transmission module that transmits an issuance request of a verifiable statement to a server in response to an issuance operation of a verifiable statement by a first user. The issuing request is used for requesting to issue a verifiable statement for granting the business processing permission to a second user so as to enable the second user to process the specified business of the first user. The issuing request comprises the service type information of the specified service, so that the server side obtains a corresponding statement authorization template according to the service type information. The authorization device also comprises a display acquisition module for displaying the statement authorization template returned by the server and acquiring the authorization related information provided by the first user based on the statement authorization template. The authorization device also comprises a second sending module which is used for sending the authorization related information to the server so that the server generates a verifiable statement according to the authorization related information and sends the verifiable statement to the client of the second user.
One or more embodiments of the present specification provide a verifiable claims-based authorization system that includes a client of a first user, a server, and a client of a second user. The client of the first user responds to the verifiable statement issuing operation of the first user and sends a verifiable statement issuing request to the server; the issuing request is used for requesting to issue a verifiable statement for granting business processing permission to a second user so that the second user can process the specified business of the first user; the issuing request comprises the service type information of the specified service; and displaying the statement authorization template returned by the server, acquiring authorization related information provided by the first user based on the statement authorization template, and sending the authorization related information to the server. The server side acquires service type information from the issuing request, acquires a corresponding statement authorization template according to the service type information, and sends the statement authorization template to the client side of the first user; and receiving the authorization related information sent by the client of the first user, generating a verifiable statement according to the authorization related information, and sending the verifiable statement to the client of the second user. And the client of the second user receives the verifiable statement sent by the server.
One or more embodiments of the present specification provide an authenticatable claim-based authorization device, comprising a processor. The authorizing device also includes a memory arranged to store computer-executable instructions. When the computer executable instruction is executed, the processor obtains service type information of a verifiable statement to be issued by a first user to a second user, and obtains a corresponding statement authorization template according to the service type information. And sending the declaration authorization template to the client of the first user, and receiving authorization related information returned by the client of the first user and provided by the first user based on the declaration authorization template. And confirming whether a verifiable statement is issued to the second user or not according to the authorization related information, if so, generating the verifiable statement according to the authorization related information and sending the verifiable statement to the client of the second user.
One or more embodiments of the present specification provide a verifiable claim-based authorization device comprising a processor. The authorizing device also includes a memory arranged to store computer-executable instructions. The computer executable instructions, when executed, cause the processor to send a request for issuance of a verifiable statement to a server in response to issuance of a verifiable statement by a first user. The issuing request is used for requesting to issue a verifiable statement for granting the business processing permission to a second user so as to enable the second user to process the specified business of the first user. The issuing request comprises the service type information of the specified service, so that the server side obtains a corresponding statement authorization template according to the service type information. And displaying the statement authorization template returned by the server, and acquiring authorization related information provided by the first user based on the statement authorization template. And sending the authorization related information to the server so that the server generates a verifiable statement according to the authorization related information and sends the verifiable statement to the client of the second user.
One or more embodiments of the present specification provide a storage medium for storing computer-executable instructions. The computer executable instruction obtains service type information of a verifiable statement to be issued by a first user to a second user when being executed, and obtains a corresponding statement authorization template according to the service type information. And sending the statement authorization template to the client of the first user, and receiving authorization related information provided by the first user based on the statement authorization template, wherein the authorization related information is returned by the client of the first user. And confirming whether a verifiable statement is issued to the second user or not according to the authorization related information, if so, generating the verifiable statement according to the authorization related information and sending the verifiable statement to the client of the second user.
One or more embodiments of the present specification provide a storage medium for storing computer-executable instructions. The computer-executable instructions, when executed, send a request to issue a verifiable statement to a server in response to an issue operation of the verifiable statement by the first user. The issuing request is used for requesting to issue a verifiable statement for granting the business processing permission to a second user so as to enable the second user to process the specified business of the first user. The issuing request comprises the service type information of the specified service, so that the server side obtains a corresponding statement authorization template according to the service type information. And displaying the statement authorization template returned by the server, and acquiring authorization related information provided by the first user based on the statement authorization template. And sending the authorization related information to the server so that the server generates a verifiable statement according to the authorization related information and sends the verifiable statement to the client of the second user.
Drawings
In order to more clearly illustrate one or more embodiments or prior art solutions of the present specification, the drawings that are needed in the description of the embodiments or prior art will be briefly described below, it is obvious that the drawings in the following description are only some embodiments described in the present specification, and that other drawings can be obtained by those skilled in the art without inventive exercise.
Fig. 1 is a schematic diagram of a first scenario of an authorization method based on a verifiable assertion according to one or more embodiments of the present specification;
FIG. 2 is a diagram illustrating a second scenario of an authorization method based on a verifiable claim according to one or more embodiments of the present disclosure;
FIG. 3 is a first flowchart of an authorization method based on verifiable claims according to one or more embodiments of the present disclosure;
FIG. 4 is a flow diagram of generating a verifiable claim provided by one or more embodiments of the present specification;
FIG. 5 is a second flowchart of an authorization method based on verifiable claims according to one or more embodiments of the present disclosure;
FIG. 6 is a flow diagram of generating issuance record information provided by one or more embodiments of the present specification;
FIG. 7 is a third flowchart of an authorization method based on verifiable claims according to one or more embodiments of the present disclosure;
fig. 8 is a schematic flow chart of obtaining authorization-related information according to one or more embodiments of the present disclosure;
FIG. 9 is a fourth flowchart of an authorization method based on verifiable claims according to one or more embodiments of the present disclosure;
FIG. 10 is a schematic illustration of a query interface provided in one or more embodiments of the present description;
FIG. 11 is a schematic illustration of an authentication interface provided in one or more embodiments of the present description;
FIG. 12 is a fifth flowchart of an authorization method based on verifiable claims according to one or more embodiments of the present disclosure;
FIG. 13 is a first flowchart of validating a verifiable claim provided in one or more embodiments of the present specification;
FIG. 14 is a second flowchart of validating a verifiable claim provided in one or more embodiments of the present specification;
FIG. 15 is a schematic diagram illustrating a first module of an authorization apparatus based on a verifiable claim according to one or more embodiments of the present disclosure;
FIG. 16 is a diagram illustrating a second module of an authorization apparatus based on a verifiable claim according to one or more embodiments of the present disclosure;
FIG. 17 is a schematic diagram illustrating components of an authorization system based on verifiable claims in accordance with one or more embodiments of the present disclosure;
fig. 18 is a schematic structural diagram of an authorization device based on a verifiable assertion according to one or more embodiments of the present specification.
Detailed Description
In order to make those skilled in the art better understand the technical solutions in one or more embodiments of the present disclosure, the technical solutions in one or more embodiments of the present disclosure will be clearly and completely described below with reference to the drawings in one or more embodiments of the present disclosure, and it is obvious that the described embodiments are only a part of the embodiments of the present disclosure, and not all embodiments. All other embodiments that can be derived by a person skilled in the art from one or more of the embodiments described herein without making any inventive step shall fall within the scope of protection of this document.
Fig. 1 is a schematic view of an application scenario of an authorization method based on a verifiable assertion according to one or more embodiments of the present specification, as shown in fig. 1, the scenario includes: the method comprises the steps that a client side of a first user, a client side and a server side of a second user are connected; the client of the first user and the client of the second user can be a mobile phone, a tablet computer, a desktop computer, a portable notebook computer and the like; the server side can be an independent server or a server cluster consisting of a plurality of servers; and the client of the first user and the client of the second user are in communication connection with the server through a wireless network respectively.
Specifically, a first user operates a client of the first user, a service type of a verifiable statement to be issued is specified, and the client responds to the issuing operation of the verifiable statement of the first user and sends an issuing request of the verifiable statement to a server; the issuing request is used for requesting to issue a verifiable statement for granting the business processing permission to the second user so that the second user can process the specified business of the first user; furthermore, the issued request comprises the service type information of the specified service; the server side acquires the service type information from the issuing request, acquires a corresponding statement authorization template according to the service type information, and sends the statement authorization template to the client side of the first user; the client side of the first user displays the statement authorization template returned by the server side, acquires authorization related information provided by the first user based on the statement authorization template, and sends the authorization related information to the server side; the server receives authorization related information sent by the client of the first user, confirms whether a verifiable statement is issued to the second user or not according to the authorization related information, and generates the verifiable statement and sends the verifiable statement to the client of the second user according to the authorization related information if the verifiable statement is issued to the second user; and the client of the second user receives the verifiable statement sent by the server. Therefore, the first user can generate the verifiable statement by operating the client side of the first user to perform online data interaction with the server side, namely the server side can act on the first user to process the appointed service of the first user according to the verifiable statement, so that the second user can act on the first user based on the verifiable statement without performing offline negotiation, paper protocol signing and other operations on the first user and the second user, and the agent authorization efficiency is improved; meanwhile, the verifiable statement can be stored in the client of the second user in an electronic form, so that the second user does not need to carry a signed paper authorization protocol when acting on the first user for handling business, convenience is improved, the use of consumables such as paper is reduced, energy can be saved, cost is reduced, environmental protection and sanitation are realized, and social benefits are improved.
Further, as shown in fig. 2, the scenario may further include at least one blockchain node (only one is shown in fig. 2) in the blockchain, after the server generates the verifiable statement, the server generates the issuance record information according to the verifiable statement, and sends the issuance record information to the blockchain node, so that the blockchain node stores the issuance record information into the blockchain; therefore, when the second user processes the specified service of the first user based on the verifiable statement, the verifiable statement provided by the second user can be verified based on the issuance record information stored in the block chain, and the service safety is ensured.
Based on the above application scenario architecture, one or more embodiments of the present specification provide an authorization method based on a verifiable assertion, fig. 3 is a flowchart of the authorization method based on a verifiable assertion provided by one or more embodiments of the present specification, and the method in fig. 3 can be executed by the server in fig. 1, as shown in fig. 3, and includes the following steps:
step S102, acquiring service type information of a verifiable statement to be issued by a first user to a second user, and acquiring a corresponding statement authorization template according to the service type information;
specifically, an issuing request which is sent by a client of a first user and can verify a statement is received, and service type information is obtained from the issuing request; the issuing request is used for requesting the second user to issue a verifiable statement for granting the business processing permission so that the second user can process the specified business of the first user, and the issuing request comprises the business type information of the specified business.
Step S104, sending a statement authorization template to a client of a first user;
step S106, receiving authorization related information which is returned by the client of the first user and provided by the first user based on the statement authorization template;
and S108, confirming whether the verifiable statement is issued to the second user or not according to the authorization related information, if so, generating the verifiable statement according to the authorization related information and sending the verifiable statement to the client of the second user.
In one or more embodiments of the present specification, the server performs online data interaction with the client, that is, a verifiable statement may be generated according to the authorization-related information sent by the client of the first user, so that the second user may proxy the first user to process the specified service of the first user based on the verifiable statement, without performing offline negotiation, signing a paper protocol, and the like between the first user and the second user, thereby improving proxy authorization efficiency; meanwhile, the verifiable statement can be stored in the client of the second user in an electronic form, so that the second user does not need to carry a signed paper authorization protocol when acting on the first user for handling business, convenience is improved, the use of consumables such as paper is reduced, energy can be saved, cost is reduced, environmental protection and sanitation are realized, and social benefits are improved.
In order to enable the service end to quickly obtain the corresponding declaration authorization template according to the service type information, in one or more embodiments of the present specification, association record information between the service type information and the declaration authorization template may be preset, and the association record information is stored in the service end, and correspondingly, in step S102, according to the service type information, obtaining the corresponding declaration authorization template includes:
and acquiring the associated statement authorization template from the association record information of the service type information and the statement authorization template according to the service type information.
Considering that a service model of a service provider is not constant, in order to avoid a problem that a server does not update a statement authorization template stored by the server and thus a verifiable statement issuance failure is caused, in one or more embodiments of the present specification, the statement authorization template may also be uploaded to a block chain by the service provider through a node device in the block chain, so that when a service mode changes, the service provider may upload a new statement authorization template to the block chain in time; correspondingly, in step S102, according to the service type information, obtaining a corresponding declaration authorization template includes:
step M2, according to the service type information, obtaining the associated template identifier in the associated record information of the service type information and the template identifier of the declaration authorization template;
and step M4, acquiring a corresponding statement authorization template from the statement authorization templates stored in the block chain through the second block chain node according to the acquired template identifier.
Specifically, according to the acquired template identifier, a template acquisition request is sent to the second blockchain node; and the second block chain link point inquires the corresponding last statement authorization template stored to the block chain from the block chain according to the template identification in the template acquisition request according to the sequence of the storage time from the statement authorization template to the block chain, and returns the inquired statement authorization template to the server. Therefore, by acquiring the statement authorization template from the block chain, the acquired statement authorization template can be ensured to be accurate and effective.
In order to avoid that the authorization-related information sent by the client of the first user contains bad information, such as yellow, gambling, poison and other related information, in one or more embodiments of the present specification, a risk control condition is preset, and whether a verifiable statement is issued to the second user is confirmed based on the risk control condition and the authorization-related information; specifically, the step S108 of confirming whether to issue the verifiable statement to the second user according to the authorization related information includes:
and N, determining whether the authorization related information meets a preset risk control condition, and if so, confirming to issue a verifiable statement to the second user.
Optionally, a large amount of texts are collected in advance and marked with sensitive information (such as relevant information of yellow, gambling, poison and the like) to obtain a training set, the training set is trained based on a neural network to obtain a detection model, and whether the authorization relevant information meets a preset risk control condition is determined based on the detection model; namely, the step N of determining whether the authorization-related information satisfies the preset risk control condition includes: detecting the authorization related information by adopting a pre-trained detection model, and determining whether the authorization related information meets a preset risk control condition according to a detection result;
specifically, the authorization related information is input into a pre-trained detection model to detect the authorization related information to obtain a detection result; and if the detection result indicates that the authorization related information contains sensitive information, determining that the authorization related information does not meet the preset risk control condition, and if the detection result indicates that the authorization related information does not contain sensitive information, determining that the authorization related information meets the preset risk control condition. It should be noted that the training process of the detection model may be set in practical application according to needs, and is not limited in this specification.
Or presetting a blacklist of sensitive information, storing the blacklist into a block chain, and determining whether the authorization related information meets a preset risk control condition based on the blacklist; namely, the step N of determining whether the authorization-related information satisfies the preset risk control condition includes: and matching the authorization related information with an authorization blacklist stored in the block chain through the first block chain node point, and determining whether the authorization related information meets a preset risk control condition according to a matching result.
Specifically, a risk detection request is sent to a first block chain node according to the authorization related information, the first block chain calls an intelligent contract, the authorization related information included in the risk detection request is matched with an authorization blacklist stored in the block chain, and a matching result is sent to a server side; and the server determines the type of the matching result, determines that the authorization related information does not meet the preset risk control condition if the matching result is successful, and determines that the authorization related information meets the preset risk control condition if the matching result is failed.
Further, if the authorization-related information does not meet the risk control condition, confirming that a verifiable statement is not issued to the second user, and returning an issuance result of an issuance failure to the client of the first user, so that the client of the first user displays the issuance failure information.
By determining whether the authorization related information meets the risk control condition, the adverse effect on the life and the society of people due to the fact that the authorization related information contains the bad information is effectively avoided.
In order to avoid the subsequent trouble caused by the first user providing the wrong authorization-related information, in one or more embodiments of the present specification, the generating the verifiable statement according to the authorization-related information in step S108 includes:
step T2, inquiring whether the first user grants a service processing authority for the second user or not through the client of the first user;
specifically, according to the authorization related information and/or the statement authorization template, generating inquiry information; the inquiry information comprises the related information of the second user and the related information of the specified service; and sending inquiry information to the client of the first user so as to display an inquiry interface comprising the relevant information of the second user and the relevant information of the specified service on the client of the first user, and inquiring whether the first user grants service processing permission for the second user.
It should be noted that the query information may also include related information of the first user, may also include related information of only the specified service, and may be set by itself as needed in practical application; further, for different services, the information of the service processing permission to be granted may be included in the authorization-related information, or may be fixed information existing in the declaration authorization template. Correspondingly, generating the query information according to the authorization-related information and/or the declaration authorization template may include: according to the digital identity information of the first user and the digital identity information of the second user which are included by the authorization related information, the related information of the first user and the related information of the second user, such as user names, contact information and the like, are inquired on a specified platform or mechanism, the related information of specified services is obtained from the authorization related information and/or a statement authorization template, and inquiry information is generated according to the obtained user information of the first user, the user information of the second user and the service information of the specified services.
Taking the example that the service type of the verifiable statement issued by the first user for the second user is bank loan, the statement authorization template may have fixed related information describing loan service, but information such as loan amount, loan bank, loan time and the like may be specified by the first user through the client, that is, included in the authorization related information; the server side inquires that the name of the first user is a Li secure on a specified platform or mechanism according to the digital identity information of the first user, which is included in the authorization related information, inquires that the name of the second user is a Wang secure on the specified platform or mechanism according to the digital identity information of the second user, the related information of the specified service, which is acquired from the authorization related information and the declaration authorization template, includes that the specified service is a bank loan, the loan time is 8 months and 3 days in 2019, the loan amount is 1,000,000 yuan, and the loan bank is bank 1, so that the generated inquiry information is that the Li secure initiates a loan to the bank 1 in 2019 and 8 months and 3 days in 2019, and the loan amount is 1,000,000 yuan.
The digital identity information of the first user and the digital identity information of the second user are respectively obtained by the first user and the second user applying from a specified platform in advance. For example, a user operates a client installed in a terminal device of the user and having a digital identity information application function, sends a digital identity information application request to a designated platform, and the designated platform deputys the user to apply for a public and private key pair, generates digital identity information according to a public key therein, generates a document (DID doc) corresponding to the digital identity information of the user, sends the generated digital identity information to the corresponding client, and stores related information such as the public key, an encryption protocol and the like into the generated document; for another example, a user operates a client installed in a terminal device of the user and having a digital identity information application function, and sends a digital identity information application request to a designated platform, where the digital identity application request includes information such as an identity document number of the user, and after the designated platform performs real-person authentication (such as face-brushing authentication, fingerprint authentication, and the like) on the user, the designated platform generates digital identity information of the user according to the identity document number of the user and generates a document corresponding to the digital identity information of the user, sends the generated digital identity information to the corresponding client, acquires a public key corresponding to the digital identity information of the user, and stores the acquired public key and other related information in the generated document. It should be noted that the application process of the digital identity information is not specifically limited in this specification, and may be set in an actual application according to the need.
And step T4, if the first user is confirmed to grant the service processing authority to the second user, generating a verifiable statement according to the authorization related information.
Therefore, the inquiry information is sent to the client of the first user, so that the first user can verify the inquiry information, the wrong service processing permission granted to the second user due to the wrong authorization related information is effectively avoided, and the guarantee is provided for maintaining the benefit of the first user.
In order to improve the issuing efficiency of the verifiable statement, in one or more embodiments of the present specification, after sending query information to the client of the first user, as long as receiving confirmation authorization information returned by the client of the first user, it is confirmed that the first user grants a service processing right to the second user; correspondingly, the step T4 of confirming that the first user grants the service processing permission to the second user includes:
and if the confirmation authorization information returned by the client of the first user is obtained, confirming that the first user grants the service processing permission to the second user.
Considering that different businesses have different degrees of relevance to the interests of the user, for example, financial businesses have higher relevance to the interests of the user, such as bank loans and the like; the correlation between the application service participating in a public welfare activity and the benefit of the user is relatively weak; based on this, in one or more embodiments of the present specification, security levels of different services may be preset, and when the security level of a specific service corresponding to a verifiable statement issued by a first user request meets a preset condition, an identity of the first user is verified to ensure security; the division of the security level and the setting of the preset condition can be set in practical application according to needs, and the specification is not limited specifically; correspondingly, the step T4 of confirming that the first user grants the service processing permission to the second user includes:
if the security level of the designated service meets the preset condition and confirmation authorization information returned by the client of the first user is acquired, performing identity authentication on the first user through the client of the first user; if the identity authentication is passed, confirming that the first user grants the service processing authority for the second user;
or if the security level of the designated service does not meet the preset condition and the confirmation authorization information returned by the client of the first user is acquired, confirming that the first user grants the service processing permission to the second user.
The authentication of the first user through the client of the first user comprises the following steps:
step A2, sending an identity authentication request to a client of a first user so that the client of the first user performs identity authentication operation on the first user;
and step A4, performing identity authentication on the first user according to the identity authentication information returned by the client of the first user.
The identity authentication information may be biometric information, such as any one or more of a human face, a fingerprint, an iris, and the like, and may also be authentication information in the form of an authentication code. If the authentication information is biometric information, step A4 may include: matching the identity authentication information with the identity information of the user stored in a database of the designated mechanism, if the matching is successful, determining that the identity authentication of the first user passes, and if the matching is failed, determining that the identity authentication of the first user fails, and sending an authentication result of the authentication failure to the client of the first user; the system comprises a database, a third-party organization, a user identity authentication server and a user identity authentication server, wherein the designated organization is a credible third-party organization, has authority and legality, stores the identity information of the user in the database, and authenticates the identity authentication information of the user by accessing the database; the designated institution is, for example, a police office. And if the identity authentication information is the authentication code, matching the authentication code returned by the client of the first user with the authentication code stored by the client, if the matching is successful, determining that the identity authentication of the first user passes, and if the matching fails, determining that the identity authentication of the first user fails, and sending an authentication result of the authentication failure to the client of the first user. By carrying out identity authentication on the first user, the phenomenon that other users maliciously impersonate the first user can be avoided, and the safety is further improved.
In order to enable the second user to process the specified service of the first user based on the verifiable statement, no additional information related to the verifiable statement needs to be provided, such as proving that the verifiable statement is the proving information issued by the first user for the second user; in one or more embodiments of the present description, the digital identity information of the first user, the digital identity information of the second user, and the like are all recorded in the verifiable claims; specifically, as shown in fig. 4, the step S108 of generating the verifiable statement according to the authorization-related information includes:
b2, acquiring service processing authority information to be granted from the authorization related information and/or the declaration authorization template;
specifically, for different services, the service processing permission information to be granted may be included in the authorization related information or may be fixed information existing in the declaration authorization template, and in actual application, the service processing permission information to be granted is obtained from the authorization related information and/or the declaration authorization template according to an actual situation.
Step B4, generating a declaration identification of the verifiable declaration;
specifically, a statement mark capable of verifying a statement is generated according to a generation mechanism of a preset statement mark; the generation mechanism of the preset declaration identification can be set in practical application according to needs, for example, one or more pieces of information included in the creation request are calculated, and the calculation result or part of information in the calculation result is used as the declaration identification; or dynamically generating the declaration identification according to a preset dynamic generation mechanism, wherein the dynamic generation mechanism can ensure that the declaration identification generated each time is different.
Step B6, signing preset first designated information by adopting a private key of a first user to obtain signature data;
optionally, the server-side agent user maintains the private key of the user, and correspondingly, step B6 includes: acquiring a related private key from related recording information of the digital identity information and the private key according to the digital identity information of the first user, and signing preset first designated information by using the acquired private key to obtain signature data;
or, a designated hosting platform agent user maintains the private key of the user, and correspondingly, the step B6 includes: sending a private key acquisition request to the escrow platform according to the digital identity information of the first user, and receiving a private key returned by the escrow platform; signing preset first designated information by using the received private key to obtain signature data;
or, the user maintains its own private key, and correspondingly, step B6 includes: sending a private key acquisition request to a client of a first user according to the digital identity information of the first user, and receiving a private key returned by the client of the first user; signing preset first designated information by using the received private key to obtain signature data;
the first specific information may be digital identity information of the first user, or may be partial information or all information in the service processing permission information, or may also be information preset by the server, and the specific content of the first specific information is not specifically limited in this specification.
It should be noted that the execution order of step B2, step B4 and step B6 may be interchanged with each other.
And step B8, generating a verifiable statement according to the service processing authority information, the statement identification, the signature data, the digital identity information of the first user and the digital identity information of the second user.
Generating a declaration identification and signature data, and generating a verifiable declaration according to the declaration identification, the signature data, the digital identity information of the first user, the digital identity information of the second user and the service processing authority information, so that the verifiable declaration can be distinguished according to the declaration identification, and when the second user processes the specified service of the first user based on the verifiable declaration, the authenticity of the verifiable declaration can be verified, for example, a corresponding document (DID doc) can be indexed according to the digital identity information of the first user in the verifiable declaration, a public key of the first user is obtained from the document, and the signature verification operation is performed on the signature data in the verifiable declaration by adopting the obtained public key; or, sending a public key acquisition request to a specified platform or mechanism according to the digital identity information of the first user in the verifiable claim, receiving the public key returned by the specified platform or mechanism, and performing signature verification operation on the signature data in the verifiable claim by adopting the received public key; thereby ensuring that the verifiable claim was issued by the first user for the second user, and not forged.
In order to perform more comprehensive verification on the authenticity and validity of the verifiable statement when the second user processes the specified service of the first user based on the verifiable statement, in one or more embodiments of the present specification, as shown in fig. 5, after step S108, the method further includes:
step S110, generating issuing record information according to the verifiable statement;
step S112, the issuing record information is sent to the block chain nodes, so that the block chain nodes store the issuing record information into the block chain.
By storing the issued processing record information in the blockchain, sufficient verification basis can be provided for verification of the verifiable statement when the second user processes the specified service of the first user based on the verifiable statement.
Because different users have different requirements on the privacy of personal information, when the first user issues the verifiable statement for the second user, the first user can also set the hiding attribute of the verifiable statement; or the first user operates the client side of the first user in advance, and when the client side is set to issue the verifiable statement for any second user, the uniform hiding attribute of the verifiable statement is set, if the verifiable statement is not public; correspondingly, when the hidden attribute is private, as shown in fig. 6, step S110 includes:
step S110-2, calculating a hash value of the digital identity information of the first user;
step S110-4, calculating a hash value of the digital identity information of the second user;
step S110-6, calculating a hash value of second specified information in the verifiable statement;
the second specified information may be digital identity information of the first user, digital identity information of the second user, service processing permission information, declaration identification and validity field, or may be any one or a combination of several of the digital identity information of the first user, the digital identity information of the second user, the service processing permission information, the declaration identification and the validity field; wherein the validity field characterizes the state in which the verifiable assertion is located, e.g., valid state, invalid state.
It should be noted that the execution sequences of step S110-2, step S110-4, and step S110-6 may be interchanged with each other, and the calculation algorithm of the hash value may be set in practice.
And S110-8, performing association recording on each calculated hash value, statement identification and validity field, and taking recorded information as issuing record information.
By calculating the hash value of the digital identity information of the first user, the digital identity information of the second user and the second specified information and generating the issued record information according to the hash value, the safety of the private data of the user is effectively ensured; meanwhile, the issued record information is stored in the blockchain, so that when a second user processes the specified service of the first user based on the verifiable statement, the verifiable statement can be verified more comprehensively based on the issued record information in the blockchain, the authenticity and the validity of the verifiable statement are ensured, and the service safety is ensured.
Further, when the hidden attribute set by the first user is public, step S110 includes:
carrying out associated recording on the verifiable statement, the digital identity information of the first user, the digital identity information of the second user, the statement identifier and the validity field, and taking the recorded information as issuing recorded information; wherein the validity field characterizes the state in which the verifiable assertion is located.
Therefore, by storing the plaintext of the verifiable statement in the blockchain, when the second user processes the specified service of the first user based on the verifiable statement, the authenticity and the validity of the verifiable statement can be verified more directly based on the issuing record information in the blockchain, thereby ensuring the service safety.
In order to make the first user aware of the issue result, in one or more embodiments of the present specification, after step S108, the method further includes:
and sending an issuing result of successful issuing to the client of the first user so that the client of the first user displays information of successful issuing.
In practical application, the first user can also operate the client thereof to freeze and revoke the verifiable statement that the client grants the business processing authority to the second user, for example, after the second user completes the designated business processing of the first user, in order to avoid embezzlement of the corresponding verifiable statement, when the first user determines that the corresponding designated business is not processed any more within a certain period of time, the corresponding verifiable statement can be frozen, so that the verifiable statement is in an invalid state, and the client applies for recovering the validity of the verifiable statement when needing to use the verifiable statement; for another example, after the verifiable statement is generated, if the first user wants to change the service processing permission information, the corresponding generated verifiable statement may be revoked, and the like; based on this, in one or more embodiments of the present specification, the method further comprises:
step T2, receiving a statement processing request sent by a client of a first user, wherein the statement processing request comprises a statement identifier of a verifiable statement to be processed;
wherein, the declaration processing request is used for requesting to freeze, unfreeze, revoke and the like the verifiable declaration.
T4, according to the statement identification of the verifiable statement to be processed, representing the validity field of the state of the verifiable statement to generate statement processing record information;
and step T6, sending the declaration processing record information to the third block chain node so that the third block chain node saves the declaration processing record information into the block chain.
By storing the statement processing record information into the blockchain, when the second user transacts the specified business of the first user based on the verifiable statement, a sufficient verification basis can be provided for the verification of the verifiable statement, and illegal business operation caused by embezzlement of the verifiable statement can be effectively avoided.
It should be noted that the first blockchain node, the second blockchain node, and the third blockchain node may be the same blockchain link node or different blockchain nodes.
In one or more embodiments of the present description, a server performs online data interaction with a client, that is, a verifiable statement may be generated according to authorization-related information sent by the client of a first user, so that a second user may proxy the first user to process a specified service of the first user based on the verifiable statement, without requiring the first user and the second user to perform offline negotiation, signing a paper protocol, and the like, thereby improving proxy authorization efficiency; meanwhile, the verifiable statement can be stored in the client of the second user in an electronic form, so that the second user does not need to carry a signed paper authorization protocol when acting on the first user for business, convenience is improved, the use of consumables such as paper is reduced, energy can be saved, cost is reduced, environmental protection and sanitation are realized, and social benefits are improved.
Corresponding to the authorization method based on verifiable claims described in fig. 3 to fig. 6, based on the same technical concept, one or more embodiments of the present specification provide another authorization method based on verifiable claims; fig. 7 is a flowchart illustrating another authorization method based on verifiable claims according to one or more embodiments of the present disclosure, where the method in fig. 7 can be performed by the client of the first user in fig. 1, as shown in fig. 7, and the method includes the following steps:
step S202, responding to the issuing operation of the verifiable statement of the first user, and sending an issuing request of the verifiable statement to the server; the issuing request is used for requesting to issue a verifiable statement for granting the business processing permission to the second user so that the second user can process the specified business of the first user; the issuing request comprises the service type information of the designated service, so that the server side obtains a corresponding statement authorization template according to the service type information;
step S204, showing a statement authorization template returned by the server, and acquiring authorization related information provided by the first user based on the statement authorization template;
step S206, the authorization related information is sent to the server, so that the server generates a verifiable statement according to the authorization related information and sends the verifiable statement to the client of the second user.
In one or more embodiments of the present specification, a client of a first user performs online data interaction with a server, so that the server generates a verifiable statement according to authorization-related information, so that a second user can proxy the first user to process a specified service of the first user based on the verifiable statement, without performing offline negotiation, paper agreement signing, and other operations between the first user and the second user, thereby improving proxy authorization efficiency; meanwhile, the verifiable statement can be stored in the client of the second user in an electronic form, so that the second user does not need to carry a signed paper authorization protocol when acting on the first user for handling business, convenience is improved, the use of consumables such as paper is reduced, energy can be saved, cost is reduced, environmental protection and sanitation are realized, and social benefits are improved.
In order to avoid that the first user provides bad information such as relevant information of yellow, gambling, poison and the like based on the declaration authorization template, in one or more embodiments of the present specification, the item to be edited in the declaration authorization template presents candidate information in an enumerated manner, so that the first user selects the information required by the first user from the candidate information; specifically, as shown in fig. 8, the obtaining of the authorization-related information provided by the first user based on the claim authorization template in step S204 includes:
step R2, when the triggering operation of the first user on the items to be compiled in the declaration authorization template is detected, corresponding candidate information is determined;
specifically, if the item to be edited is related information of the first user or the second user, such as digital identity information, a home address, and the like, the first user may operate the client thereof to perform pre-editing, and the client stores the information edited by the first user when acquiring the information edited by the first user; when detecting the triggering operation of the first user on the corresponding to-be-edited item in the declaration authorization template, acquiring corresponding information from the stored information as candidate information; and if the items to be edited are related information such as services, the server correspondingly sends the candidate information, the associated information of the items to be edited and the statement authorization template to the client of the first user, and correspondingly, when the client detects that the first user triggers the corresponding items to be edited in the statement authorization template, the corresponding candidate information is obtained from the associated information sent by the server.
R4, displaying the candidate information, and displaying the target candidate information selected by the first user from the candidate information in the item to be edited;
and R6, if the submission operation of the first user is detected, acquiring the information displayed in each item to be edited to obtain authorization related information provided by the first user based on the statement authorization template.
Therefore, the candidate information is displayed for the first user to select, the editing of the first user is reduced, and the first user can be effectively prevented from providing bad information based on the statement authorization template.
In order to avoid that the first user provides wrong authorization-related information, in one or more embodiments of the present specification, as shown in fig. 9, after the step S206 of sending the authorization-related information to the server, the method further includes:
step S208, receiving inquiry information sent by the server, wherein the inquiry information comprises the related information of the second user and the related information of the designated service;
step S210, displaying an inquiry interface for inquiring whether the first user grants the service processing permission to the second user or not according to the inquiry information;
step S212, feeding back information to the server based on the operation of the first user, so that when the server confirms that the first user grants the service processing right to the second user based on the fed-back information, a verifiable statement is generated according to the authorization related information.
Taking the first user as the second user to grant the right to transact the loan service as an example, the query information sent by the service end is that a lie authorized king initiates a loan to the bank 1 in 2019 on 8/3, and the loan amount is 1,000,000 yuan, and correspondingly, a schematic diagram of a query interface is shown in fig. 10. It should be noted that fig. 10 is only used for illustration and is not limited by the user, and the specific style of the query interface may be set as required in practical applications.
Furthermore, because different services have different degrees of correlation with user benefits, in order to ensure safety, the server side can perform identity authentication on the first user when determining that the safety level of a specified service corresponding to a verifiable statement issued by the first user for the second user meets a preset condition according to preset safety levels of different services; correspondingly, the step S212 of feeding back information to the server based on the operation of the first user includes:
if the confirmation authorization operation of the first user on the inquiry interface is detected, sending confirmation authorization information to the server; and if an identity authentication request sent by the server is received, performing identity authentication operation on the first user, and feeding back identity authentication information to the server, so that the server performs identity authentication on the first user based on the identity authentication information.
The identity authentication operation can be to acquire biological characteristic information of the first user and also can be to acquire an authentication code submitted by the first user; correspondingly, the identity verification information may be biometric information, such as any one or more of a human face, a fingerprint, an iris, and the like, and may also be verification information in the form of a verification code. Taking the collected face image as an example, as shown in fig. 11, if the triggering operation of the first user on the "confirm authorization" control on the inquiry interface is detected, the confirm authorization information is sent to the server; and when receiving an authentication request of the server, displaying a face acquisition interface to acquire a face image of the first user, and sending the acquired face image to the server, so that the server performs authentication on the first user based on the face image. Therefore, the phenomenon that other users impersonate the first user can be avoided, and the safety is improved.
In order to make the first user know the authorization result, after the authorization related information is sent to the server in step S206, the method further includes:
and receiving an issuing result sent by the server, and displaying issuing success information or issuing failure information according to the issuing result.
Further, in order to ensure safety, step S202 may further include:
acquiring login information of a first user, and executing step S202 if the login information is verified to be passed; and if the login information is not verified, prompting login failure information.
The login information may be an account name and a login password, or may be a face image of the user, that is, a face image of the user is collected, and when the face image passes verification, step S202 is executed. Therefore, other users can be prevented from maliciously serving as the first user to grant the service processing permission to the second user, and the safety is improved.
Further, the first user may further operate its client to freeze, unfreeze, revoke, and the like, the verifiable statement issued by the first user, and correspondingly, the method further includes:
step W2, responding to the verifiable statement processing operation of the first user, and determining the statement identification of the verifiable statement to be processed;
step W4, according to the statement identification of the verifiable statement to be processed, sending a statement processing request to the server side, so that the server side generates statement processing record information according to the statement identification of the verifiable statement to be processed and the validity field representing the state of the verifiable statement to be processed, and the statement processing record information is stored into the block chain through a third block chain link point;
therefore, not only can a sufficient verification basis be provided for the verification of the verifiable statement when the business processing is carried out based on the verifiable statement, but also illegal business operation caused by the embezzlement of the verifiable statement can be effectively avoided.
In one or more embodiments of the present specification, a client of a first user performs online data interaction with a server, so that the server generates a verifiable statement according to authorization-related information, so that a second user can proxy the first user to process a specified service of the first user based on the verifiable statement, without performing offline negotiation, paper agreement signing, and other operations between the first user and the second user, thereby improving proxy authorization efficiency; meanwhile, the verifiable statement can be stored in the client of the second user in an electronic form, so that the second user does not need to carry a signed paper authorization protocol when acting on the first user for handling the business, and the convenience is greatly improved.
Corresponding to the authorization method based on the verifiable claim, based on the same technical concept, one or more embodiments of the present specification further provide an authorization method based on the verifiable claim, which is applied to a third blockchain node; fig. 12 is a flowchart of an authorization method based on verifiable claims applied to a third blockchain node according to one or more embodiments of the present disclosure, and as shown in fig. 12, the method includes the following steps:
step S302, receiving issuing record information sent by a server, wherein the issuing record information is information generated after the server generates a verifiable statement according to an issuing request sent by a first user;
step S304, storing the issuing record information into the block chain.
In one or more embodiments of the present specification, by storing the issuance record information in the blockchain, authenticity and validity of the issuance record information can be ensured based on non-falsification of the blockchain, so that when the second user processes the specified service of the first user based on the verifiable statement, the verifiable statement provided by the second user can be verified based on the issuance record information stored in the blockchain by the third blockchain node, thereby ensuring service security.
To facilitate verifying the validity of the verifiable claims, in one or more embodiments of the present specification, the method further comprises:
receiving statement processing record information sent by a server, and storing the statement processing record information into a block chain; wherein, the statement processing record information comprises statement identification of the processed verifiable statement, a validity field for characterizing the state of the verifiable statement, and the like.
Based on each record information stored in the blockchain, the third blockchain node can comprehensively verify the verifiable statement to be verified when receiving a statement verification request sent by a third party, wherein the third party can be a service provider, and when the verifiable statement passes verification, the third blockchain node processes the specified service of the first user based on the verifiable statement; for example, the second user acts the first user to handle loan business in a bank based on the verifiable statement, wherein the bank is a third party, and when the bank determines that the verifiable statement provided by the second user is true and valid, the loan business of the first user is processed based on the business processing authority information in the verifiable statement. Specifically, the method further comprises:
step D2, receiving a declaration verification request sent by a third party, wherein the declaration verification request comprises a verifiable declaration to be verified;
and D4, calling the intelligent contract deployed in the block chain, and verifying the verifiable statement to be verified according to the record information about the verifiable statement to be verified, which is stored in the block chain.
Therefore, the verifiable statement to be verified is automatically verified based on the intelligent contract without human participation, so that the problem of manual false detection is avoided, and the verification efficiency is improved; and the verifiable statement is verified based on the record information stored in the block chain, so that the authenticity and the validity of the verifiable statement can be ensured, and the service safety is ensured.
Considering that the first user may freeze and revoke the verifiable statement, when verifying the verifiable statement to be verified, it is first required to verify whether the verifiable statement is in a valid state; moreover, considering that different businesses have different degrees of relevance to the interests of the user, for example, business transacted in financial aspects has higher relevance to the interests of the user, such as bank loan and the like; the correlation between the business of joining members and participating in public activities and the interests of the users is relatively weak. Based on this, in one or more embodiments of the present specification, the security levels of different services may be preset, wherein the division criteria of the security levels may be set in practical applications according to the needs, for example, the security level of financial services such as bank account opening and loan is high, and the security level of services such as joining members and participating in public welfare activities is low; or when the first user issues a verifiable statement for the second user, the first user sets a safety mechanism by himself, wherein the verifiable statement comprises safety mechanism information set by the user; correspondingly, when it is determined that the security level of the specific service transacted based on the verifiable statement to be verified is low or it is determined that the first user confirmation is not required according to the security mechanism information in the verifiable statement, as shown in fig. 13, the step D4 verifies the verifiable statement to be verified according to the record information about the verifiable statement to be verified, which includes:
step E2, inquiring target record information about the verifiable statement to be verified from the record information stored in the block chain according to the statement identifier included in the verifiable statement to be verified;
specifically, according to the sequence of the storage time of each piece of record information stored to the block chain, according to the statement identifier in the verifiable statement to be verified, the corresponding last piece of record information is inquired in the block chain, and if the validity field in the inquired last piece of record information represents that the verifiable statement is in an invalid state, the last piece of record information is used as target record information; and if the validity field in the inquired last piece of record information represents that the verifiable statement is in a valid state, and the last piece of record information is not the only record information corresponding to the statement identification in the verifiable statement to be verified, inquiring the corresponding first piece of record information in the block chain according to the statement identification in the verifiable statement to be verified to obtain the issued record information, and taking the issued record information and the last piece of record information as target record information. It should be noted that, when the last piece of record information is the only record information corresponding to the statement identifier in the verifiable statement to be verified, the record information is the issuance record information of the verifiable statement to be verified.
Step E4, if the verifiable statement to be verified is in a valid state according to the validity field in the target record information, determining whether the verifiable statement to be verified is legal or not according to the target record information;
specifically, a validity field is read from the last piece of record information included in the target record information, and if the read validity field represents that the verifiable statement is in an invalid state, verification failure information is sent to a third party; and if the read validity field represents that the verifiable statement is in a valid state, determining whether the verifiable statement to be verified is legal or not according to the issuing record information in the target record information.
And E6, if the verifiable statement to be verified is determined to be legal, determining that the verifiable statement to be verified passes the verification.
Therefore, when the security level of the service transacted based on the verifiable statement is low or the first user does not need to confirm according to the security mechanism set by the first user, the verifiable statement is verified based on the record information stored in the block chain, the authenticity and the validity of the verifiable statement are ensured, and the service security is guaranteed.
Further, in order to avoid the theft of the verifiable statement, or when it is determined that the security level of the service transacted based on the verifiable statement is higher, or it is determined that the confirmation of the first user is required according to the security mechanism set by the first user, as shown in fig. 14, in step D4, the verifying the verifiable statement to be verified according to the issuance record information stored in the block chain includes:
step F2, inquiring target record information of the verifiable statement to be verified from the record information stored in the block chain according to the statement identification in the verifiable statement to be verified;
the implementation process of this step can be referred to the related description, and the repetition part is not described herein again.
Step F4, if the verifiable statement to be verified is determined to be in the valid state according to the validity field in the target record information, sending a service confirmation request to the client of the first user according to the digital identity information of the first user in the verifiable statement to be verified, and determining whether the confirmation information of the first user is acquired through the client of the first user;
specifically, a validity field in the last piece of record information included in the target record information is read, and if the read validity field represents that the verifiable statement is in an invalid state, verification failure information is sent to a third party; if the read validity field represents that the verifiable statement is in a valid state, acquiring a related client identifier from the digital identity information of the user and the related record information of the client identifier according to the digital identity information of the first user in the verifiable statement to be verified; sending a service confirmation request to the client corresponding to the obtained client identification; when the client receives the service confirmation request, displaying information to be confirmed included in the service confirmation request, and when the confirmation operation of the first user is detected, returning the confirmation information to the block chain node; it should be noted that, the specific content of the information to be confirmed may be set in an actual application according to needs, and this is not specifically limited in the embodiment of the present specification.
Step F6, determining whether the verifiable statement to be verified is legal or not according to the target record information;
and F8, if the confirmation information of the first user is acquired and the verifiable statement to be verified is determined to be legal, determining that the verifiable statement to be verified passes the verification.
Specifically, if the verifiable statement to be verified is in a valid state according to the validity field in the target record information, a service confirmation request is sent to the client of the first user according to the digital identity information of the first user in the verifiable statement to be verified, if confirmation information returned by the client of the first user is received, whether the verifiable statement to be verified is legal is determined according to the issuing record information in the target record information, and if the verifiable statement to be verified is legal, the verifiable statement to be verified passes verification is determined.
Therefore, when the security level of the specific service transacted based on the verifiable statement is higher or the first user needs to confirm according to the security mechanism set by the first user, the first user confirms by sending a service confirmation request to the client of the first user, and the verifiable statement is verified based on the record information stored in the block chain, so that the risk of embezzlement of the verifiable statement can be avoided, the authenticity and the validity of the verifiable statement are ensured, and the guarantee is provided for the service security.
It should be noted that, step E2 and step F2 may further include:
reading valid deadline time from the verifiable statement to be verified, and if the verifiable statement to be verified is determined to be in an invalid state according to the read valid deadline time, sending verification failure information to a third party; and if the verifiable statement to be verified is determined to be in a valid state according to the read valid deadline, inquiring target record information about the verifiable statement to be verified from the record information stored in the block chain according to the statement identification.
Because different users have different requirements on personal information privacy, the first user can also set a hiding attribute of a verifiable statement which grants business processing permission to the second user, and when the hiding attribute is not public, the issuing record information stored in the block chain comprises a hash value of digital identity information of the user, a hash value of digital identity information of the service end, a hash value of second specified information in the verifiable statement, a statement identifier and a validity field; correspondingly, in step E4 and step F6, determining whether the verifiable statement to be verified is legal according to the target record information includes:
step H2, according to the digital identity information of the first user in the verifiable statement, acquiring a public key of the first user, and verifying the signature information in the verifiable statement by adopting the public key of the first user;
specifically, according to the digital identity information of the first user in the verifiable statement, indexing a corresponding document (DID doc), and acquiring the public key of the first user from the document; or acquiring a corresponding public key from pre-stored associated record information of the digital identity information of the first user and the public key according to the digital identity information of the first user; or, according to the digital identity information of the first user in the verifiable statement, sending a public key acquisition request to a specified platform or mechanism, and receiving the public key sent by the specified platform or mechanism; and verifying the signature information in the verifiable declaration by using the acquired public key.
Step H4, calculating a hash value of second specified information in the verifiable statement, acquiring the hash value corresponding to the verifiable statement from the issued record information included in the target record information, and matching the calculated hash value of the second specified information with the acquired hash value corresponding to the verifiable statement;
and step H6, if the signature information passes verification and the hash value is successfully matched, determining that the verifiable statement is legal.
Specifically, the public key of the first user is obtained according to the digital identity information of the first user in the verifiable statement, the signature information in the verifiable statement is verified by adopting the public key of the first user, if the verification is passed, the hash value of the second specifying information in the verifiable statement is calculated, the hash value corresponding to the verifiable statement is obtained from the issuing record information included in the target record information, the calculated hash value of the second specifying information is matched with the hash value corresponding to the obtained verifiable statement, and if the matching is successful, the verifiable statement is determined to be legal.
Therefore, when the hash value corresponding to the verifiable statement is stored in the blockchain, the hash value of the second specified information in the verifiable statement is calculated and compared with the hash value corresponding to the verifiable statement in the issued record information, so that the validity of the verifiable statement is verified, and the service safety is guaranteed.
Further, when the hidden attribute of the verifiable statement set by the first user is public, the issued record information stored in the block chain includes the verifiable statement, and correspondingly, in step E4 and step F6, determining whether the verifiable statement is legal according to the target record information includes:
k2, acquiring a public key of the first user according to the digital identity information of the first user in the verifiable statement, and verifying the signature information in the verifiable statement by adopting the public key of the first user;
k4, matching the verifiable statement to be verified with the verifiable statement in the issued record information;
and K6, if the matching is successful and the signature information passes the verification, determining that the verifiable statement to be verified is legal.
Specifically, according to the digital identity information of the first user in the verifiable statement, the public key of the first user is obtained, the signature information in the verifiable statement is verified by adopting the public key of the first user, if the verification is passed, the verifiable statement is obtained from the issuing record information included in the target record information, the verifiable statement to be verified is matched with the obtained verifiable statement, and if the matching is successful, the legitimacy of the verifiable statement to be verified is determined. The process of obtaining the public key of the first user may refer to the foregoing related description, and the repeated parts are not described herein again; therefore, when the verifiable statement is stored in the block chain, the signature information in the verifiable statement to be verified is verified, and the verifiable statement to be verified is matched with the verifiable statement stored in the block chain, so that the effective verification of the verifiable statement is realized, and the guarantee is provided for the service safety.
In one or more embodiments of the present specification, by storing the issuance record information and other record information of the verifiable statement to the blockchain, when the second user acts on a specific service based on the verifiable statement, the first user can verify the verifiable statement provided by the second user based on the record information stored in the blockchain, which not only can ensure the service safety, but also does not require the service provider to perform visual inspection on the paper authorization protocol provided by the second user, thereby improving the verification efficiency and the verification accuracy.
On the basis of the same technical concept, the authorization method based on the verifiable assertion described in correspondence with fig. 3 to fig. 6 above, one or more embodiments of the present specification further provide an authorization apparatus based on the verifiable assertion, which is applied to the server. Fig. 15 is a schematic block diagram illustrating an authorization apparatus based on a verifiable assertion according to one or more embodiments of the present specification, where the apparatus is configured to perform the authorization method based on a verifiable assertion described in fig. 3 to 6, and as shown in fig. 15, the apparatus includes:
the acquiring module 401 acquires service type information of a verifiable statement to be issued by a first user to a second user, and acquires a corresponding statement authorization template according to the service type information;
a sending module 402 that sends the claim authorization template to a client of the first user;
a receiving module 403, configured to receive authorization-related information returned by the client of the first user and provided by the first user based on the claim authorization template;
a first determination module 404 that confirms whether a verifiable statement is issued to the second user based on the authorization-related information;
a first generating module 405, configured to generate a verifiable statement according to the authorization-related information and send the verifiable statement to the client of the second user if the determination result of the first determining module 404 is yes.
In one or more embodiments of the present description, through online data interaction with a client, a verifiable statement may be generated according to the authorization-related information sent by the client of a first user, so that a second user may act on the first user to process the specified service of the first user based on the verifiable statement, without performing offline negotiation, signing a paper protocol, and the like between the first user and the second user, thereby improving the authorization efficiency of the agent; meanwhile, the verifiable statement can be stored in the client of the second user in an electronic form, so that the second user does not need to carry a signed paper authorization protocol when acting on the first user for handling business, convenience is improved, the use of consumables such as paper is reduced, energy can be saved, cost is reduced, environmental protection and sanitation are realized, and social benefits are improved.
Optionally, the first determining module 404 determines whether the authorization-related information meets a preset risk control condition, and if the risk control condition is met, confirms that a verifiable statement is issued to the second user.
Optionally, the first determining module 404 detects the authorization-related information by using a pre-trained detection model, and determines whether the authorization-related information meets a preset risk control condition according to a detection result; alternatively, the first and second liquid crystal display panels may be,
and matching the authorization related information with an authorization blacklist stored in a block chain through a first block chain link point, and determining whether the authorization related information meets a preset risk control condition according to a matching result.
Optionally, the first determining module 404, if the authorization-related information does not satisfy the risk control condition, confirms that a verifiable statement is not issued to the second user, and returns an issuance result of an issuance failure to the client of the first user, so that the client of the first user displays the issuance failure information.
Optionally, the obtaining module 401 obtains the associated declaration authorization template in the associated record information of the service type information and the declaration authorization template according to the service type information; alternatively, the first and second electrodes may be,
acquiring a related template identifier in the related record information of the service type information and the template identifier of the declaration authorization template according to the service type information; acquiring a corresponding statement authorization template from the statement authorization templates stored in the block chain through a second block chain node according to the acquired template identifier; and the statement authorization template stored in the blockchain is uploaded by a service provider.
Optionally, the obtaining module 401 receives an issuance request of the verifiable statement sent by a client of a first user; the issuing request is used for requesting to issue a verifiable statement for granting a business processing permission to the second user so as to enable the second user to process the specified business of the first user, and the issuing request comprises business type information of the specified business; and (c) a second step of,
and acquiring the service type information from the issuing request.
Optionally, the apparatus further comprises: a second determination module;
the second determining module inquires whether the first user grants the service processing permission to the second user through the client of the first user;
the first generating module 405, if the second determining module determines that the first user grants the service processing permission to the second user, generates a verifiable statement according to the authorization-related information.
Optionally, the second determining module generates query information according to the authorization-related information and/or the declaration authorization template, where the query information includes the related information of the second user and the related information of the specified service; and the number of the first and second groups,
and sending the inquiry information to the client of the first user so as to display an inquiry interface comprising the relevant information of the second user and the relevant information of the specified service on the client of the first user, and inquiring whether the first user grants the service processing permission for the second user.
Optionally, the second determining module performs identity authentication on the first user through the client of the first user if the security level of the specified service meets a preset condition and confirmation authorization information returned by the client of the first user is acquired; if the identity authentication is passed, confirming that the first user grants the service processing permission for the second user;
or if the security level of the specified service does not meet the preset condition and the confirmation authorization information returned by the client of the first user is acquired, confirming that the first user grants the service processing permission to the second user.
Or if the confirmation authorization information returned by the client of the first user is obtained, confirming that the first user grants the service processing permission to the second user.
Optionally, the second determining module sends an authentication request to the client of the first user, so that the client of the first user collects authentication information of the first user; and the number of the first and second groups,
and performing identity authentication on the first user according to the identity verification information returned by the client of the first user.
Optionally, the apparatus further comprises: a second generation module;
the second generation module generates issuing record information according to the verifiable statement; and the number of the first and second groups,
and sending the issuing record information to a third block chain node so that the third block chain node stores the issuing record information into a block chain.
Optionally, the authorization-related information comprises digital identity information of the first user and digital identity information of the second user;
the first generating module 405, obtaining the service processing permission information to be granted from the authorization related information and/or the declaration authorization template; and (c) a second step of,
generating a claim identification for the verifiable claim;
signing preset first designated information by using a private key of the first user to obtain signature data;
and generating a verifiable statement according to the service processing authority information, the statement identification, the signature data, the digital identity information of the first user and the digital identity information of the second user.
Optionally, the sending module 402 sends an issuance result of successful issuance to the client of the first user after the first generating module 405 sends the verifiable statement to the client of the second user, so that the client of the first user displays the issuance success information.
The authorization device based on the verifiable statement provided by one or more embodiments of the present specification, by performing online data interaction with the client, can generate the verifiable statement according to the authorization-related information sent by the client of the first user, so that the second user can act on the first user to process the specified service of the first user based on the verifiable statement, without performing offline negotiation, signing paper protocol, and the like between the first user and the second user, thereby improving the authorization efficiency of the agent; meanwhile, the verifiable statement can be stored in the client of the second user in an electronic form, so that the second user does not need to carry a signed paper authorization protocol when acting on the first user for handling business, convenience is improved, the use of consumables such as paper is reduced, energy can be saved, cost is reduced, environmental protection and sanitation are realized, and social benefits are improved.
It should be noted that, the embodiment of the authorization apparatus based on the verifiable statement in this specification and the embodiment of the authorization method based on the verifiable statement in this specification are based on the same inventive concept, so that the specific implementation of this embodiment may refer to the implementation of the authorization method based on the verifiable statement that is applied to the server side, and repeated details are omitted.
Further, corresponding to the authorization method based on verifiable claims described in fig. 7 to fig. 9, based on the same technical concept, one or more embodiments of the present specification further provide an authorization apparatus based on verifiable claims, which is applied to a client of a first user. Fig. 16 is a schematic block diagram illustrating an authorization apparatus based on a verifiable assertion according to one or more embodiments of the present specification, where the apparatus is configured to perform the authorization method based on a verifiable assertion described in fig. 7 to 9, and as shown in fig. 16, the apparatus includes:
a first sending module 501, configured to send a request for issuing a verifiable statement to a server in response to an issuing operation of the verifiable statement by a first user; the issuing request is used for requesting to issue a verifiable statement for granting business processing permission to a second user so that the second user can process the specified business of the first user; the issuing request comprises the service type information of the specified service, so that the server side obtains a corresponding statement authorization template according to the service type information;
a display module 502 for displaying the declaration authorization template returned by the server;
an obtaining module 503, configured to obtain authorization-related information provided by the first user based on the claim authorization template;
a second sending module 504, configured to send the authorization-related information to the server, so that the server generates a verifiable statement according to the authorization-related information and sends the verifiable statement to the client of the second user.
In one or more embodiments of the present specification, by performing online data interaction with the server, the server generates a verifiable statement according to authorization-related information, so that the second user can proxy the first user to process the specified service of the first user based on the verifiable statement, without performing offline negotiation, signing a paper protocol, and the like between the first user and the second user, thereby improving the proxy authorization efficiency; meanwhile, the verifiable statement can be stored in the client of the second user in an electronic form, so that the second user does not need to carry a signed paper authorization protocol when acting on the first user for handling business, convenience is improved, the use of consumables such as paper is reduced, energy can be saved, cost is reduced, environmental protection and sanitation are realized, and social benefits are improved.
Optionally, the obtaining module 503 determines corresponding candidate information when detecting a trigger operation of the first user on the to-be-edited item in the declaration authorization template; and the number of the first and second groups,
displaying the candidate information, and displaying target candidate information selected by the first user from the candidate information in the item to be edited;
and if the submission operation of the first user is detected, acquiring the information displayed in each item to be edited to obtain authorization related information provided by the first user based on the statement authorization template.
Optionally, the presentation module 502 is configured to receive query information sent by the server, where the query information includes related information of the second user and related information of the specified service; and the number of the first and second groups,
according to the inquiry information, showing an inquiry interface used for inquiring whether the first user grants the service processing permission to the second user;
the second sending module 504 is configured to feed back information to the server based on the operation of the first user, so that when the server confirms that the first user grants the service processing right to the second user based on the fed-back information, a verifiable statement is generated according to the authorization-related information.
Optionally, the second sending module 504 is configured to send authorization confirmation information to the server if it is detected that the first user performs authorization confirmation operation on the query interface; and if an authentication request sent by the server is received, performing authentication operation on the first user, and feeding back authentication information to the server, so that the server performs authentication on the first user based on the authentication information.
Optionally, the display module 502 receives an issuance result sent by the server; and the number of the first and second groups,
and displaying successful issuing information or failed issuing information according to the issuing result.
The authorization device based on the verifiable statement provided by one or more embodiments of the present specification performs online data interaction with the server, so that the server generates the verifiable statement according to the authorization-related information, so that the second user can proxy the first user to process the specified service of the first user based on the verifiable statement, without performing offline negotiation, signing paper protocol and other operations between the first user and the second user, thereby improving the proxy authorization efficiency; meanwhile, the verifiable statement can be stored in the client of the second user in an electronic form, so that the second user does not need to carry a signed paper authorization protocol when acting on the first user for handling the business, and the convenience is greatly improved.
It should be noted that, the embodiment of the authorization apparatus based on the verifiable statement in this specification and the embodiment of the authorization method based on the verifiable statement in this specification are based on the same inventive concept, so that the specific implementation of this embodiment may refer to the implementation of the authorization method based on the verifiable statement that is applied to the client of the first user, and repeated details are not repeated.
Further, corresponding to the authorization method based on verifiable claims described above, based on the same technical concept, one or more embodiments of the present specification further provide an authorization system based on verifiable claims, and fig. 17 is a schematic composition diagram of an authorization system based on verifiable claims provided by one or more embodiments of the present specification, as shown in fig. 17, the system includes: a client 601 of a first user, a server 602 and a client 603 of a second user;
the client 601 of the first user responds to the verifiable statement issuing operation of the first user and sends an issuing request of the verifiable statement to the server 602; the issuing request is used for requesting to issue a verifiable statement for granting business processing permission to a second user so that the second user can process the specified business of the first user; the issuing request comprises the service type information of the specified service; displaying the statement authorization template returned by the server 602, acquiring authorization related information provided by the first user based on the statement authorization template, and sending the authorization related information to the server 602;
the server 602 acquires the service type information from the issuance request, acquires a corresponding statement authorization template according to the service type information, and sends the statement authorization template to the client 601 of the first user; receiving the authorization related information sent by the client 601 of the first user, confirming whether to issue a verifiable statement to the second user according to the authorization related information, if so, generating the verifiable statement according to the authorization related information and sending the verifiable statement to the client 603 of the second user;
the client 603 of the second user receives the verifiable statement sent by the server 602.
Optionally, the system further comprises: a block chain 604;
after generating the verifiable statement, the server 602 generates issuance record information according to the verifiable statement, and sends the issuance record information to a third blockchain node in the blockchain 604, so that the third blockchain node stores the issuance record information in the blockchain 604.
In the authorization system based on the verifiable statement provided by one or more embodiments of the present specification, the server performs online data interaction with the client, that is, generates the verifiable statement according to the authorization-related information sent by the client of the first user, so that the second user can act on the first user to process the specified service of the first user based on the verifiable statement, without performing offline negotiation, signing paper protocol, and the like between the first user and the second user, thereby improving the authorization efficiency of the agent; meanwhile, the verifiable statement can be stored in the client of the second user in an electronic form, so that the second user does not need to carry a signed paper authorization protocol when acting on the first user for handling business, convenience is improved, the use of consumables such as paper is reduced, energy can be saved, cost is reduced, environmental protection and sanitation are realized, and social benefits are improved.
It should be noted that, the embodiment of the authorization system based on the verifiable statement in this specification and the embodiment of the authorization method based on the verifiable statement in this specification are based on the same inventive concept, so that the specific implementation of this embodiment may refer to the implementation of the corresponding authorization method based on the verifiable statement, and repeated details are not repeated.
Further, corresponding to the authorization method based on verifiable claims described above, based on the same technical concept, one or more embodiments of the present specification further provide an authorization device based on verifiable claims, which is used for executing the authorization method based on verifiable claims described above, and fig. 18 is a schematic structural diagram of an authorization device based on verifiable claims provided in one or more embodiments of the present specification.
As shown in fig. 18, the authorization device based on the verifiable assertion may have a relatively large difference due to different configurations or performances, and may include one or more processors 701 and a memory 702, where one or more stored applications or data may be stored in the memory 702. Memory 702 may be, among other things, transient storage or persistent storage. The application program stored in memory 702 may include one or more modules (not shown), each of which may include a series of computer-executable instructions in an authorization device based on a verifiable claim. Still further, the processor 701 may be configured to communicate with the memory 702 to execute a series of computer-executable instructions in the memory 702 on an authorization device based on a verifiable claim. The verifiable claims based authorization apparatus may also include one or more power supplies 703, one or more wired or wireless network interfaces 704, one or more input-output interfaces 705, one or more keyboards 706, and the like.
In a particular embodiment, a verifiable claims-based authorization device includes a memory, and one or more programs, wherein the one or more programs are stored in the memory, and the one or more programs can include one or more modules, and each module can include a series of computer-executable instructions for the verifiable claims-based authorization device, and the one or more programs configured for execution by the one or more processors include computer-executable instructions for:
acquiring service type information of a verifiable statement to be issued by a first user to a second user, and acquiring a corresponding statement authorization template according to the service type information;
sending the claim authorization template to a client of the first user;
receiving authorization-related information returned by the client of the first user and provided by the first user based on the statement authorization template;
and confirming whether a verifiable statement is issued to the second user or not according to the authorization related information, if so, generating the verifiable statement according to the authorization related information and sending the verifiable statement to the client of the second user.
In one or more embodiments of the present specification, through online data interaction with a client, a verifiable statement may be generated according to authorization-related information sent by a client of a first user, so that a second user may act on the first user to process a specified service of the first user based on the verifiable statement, without performing offline negotiation, signing a paper protocol, and the like between the first user and the second user, thereby improving the authorization efficiency of the agent; meanwhile, the verifiable statement can be stored in the client of the second user in an electronic form, so that the second user does not need to carry a signed paper authorization protocol when acting on the first user for handling business, convenience is improved, the use of consumables such as paper is reduced, energy can be saved, cost is reduced, environmental protection and sanitation are realized, and social benefits are improved.
Optionally, the computer executable instructions, when executed, said confirming whether to issue a verifiable statement to the second user in accordance with the authorization-related information comprise:
determining whether the authorization related information meets a preset risk control condition;
confirming issuance of a verifiable statement to the second user if the risk control condition is satisfied.
Optionally, the computer-executable instructions, when executed, determine whether the authorization-related information satisfies a preset risk control condition, including:
detecting the authorization related information by adopting a pre-trained detection model, and determining whether the authorization related information meets a preset risk control condition according to a detection result; alternatively, the first and second electrodes may be,
and matching the authorization related information with an authorization blacklist stored in a block chain through a first block chain link point, and determining whether the authorization related information meets a preset risk control condition according to a matching result.
Optionally, the computer executable instructions, when executed, further comprise:
and if the authorization related information does not meet the risk control condition, confirming that a verifiable statement is not issued to the second user, and returning an issuance result of issuance failure to the client of the first user, so that the client of the first user displays issuance failure information.
Optionally, when executed, the computer-executable instructions obtain, according to the service type information, a corresponding declaration authorization template, including:
acquiring a related statement authorization template from the business type information and the related record information of the statement authorization template according to the business type information; alternatively, the first and second electrodes may be,
acquiring a related template identifier in the related record information of the service type information and the template identifier of the declaration authorization template according to the service type information; acquiring a corresponding statement authorization template from the statement authorization templates stored in the block chain through a second block chain node according to the acquired template identifier; and the statement authorization template stored in the blockchain is uploaded by a service provider.
Optionally, when executed, the computer-executable instructions obtain service type information of a verifiable statement to be issued by a first user to a second user, including:
receiving an issuance request of the verifiable statement sent by a client of a first user; the issuing request is used for requesting to issue a verifiable statement for granting a business processing permission to the second user so as to enable the second user to process the specified business of the first user, and the issuing request comprises business type information of the specified business;
and acquiring the service type information from the issuing request.
Optionally, the computer executable instructions, when executed, generate a verifiable statement according to the authorization-related information, comprising:
inquiring whether the first user grants the service processing permission for the second user or not through the client of the first user;
and if the first user is confirmed to grant the service processing permission to the second user, generating a verifiable statement according to the authorization related information.
Optionally, when executed, the computer-executable instructions ask, via the client of the first user, whether the first user grants the service processing permission for the second user, including:
generating inquiry information according to the authorization related information and/or the statement authorization template, wherein the inquiry information comprises the related information of the second user and the related information of the specified service;
and sending the inquiry information to the client of the first user so as to display an inquiry interface comprising the relevant information of the second user and the relevant information of the specified service on the client of the first user, and inquiring whether the first user grants the service processing permission for the second user.
Optionally, when executed, the confirming that the first user grants the service processing permission to the second user includes:
if the security level of the specified service meets a preset condition and confirmation authorization information returned by the client of the first user is acquired, performing identity verification on the first user through the client of the first user; if the identity authentication is passed, confirming that the first user grants the service processing permission for the second user;
or, if the security level of the specified service does not meet the preset condition and the confirmation authorization information returned by the client of the first user is acquired, confirming that the first user grants the service processing permission to the second user.
Or if the confirmation authorization information returned by the client of the first user is obtained, confirming that the first user grants the service processing permission to the second user.
Optionally, the computer executable instructions, when executed, said authenticating the first user by the client of the first user, comprise:
sending an authentication request to the client of the first user so that the client of the first user acquires authentication information of the first user;
and performing identity authentication on the first user according to the identity verification information returned by the client of the first user.
Optionally, the computer executable instructions, when executed, further include, after generating a verifiable statement according to the authorization-related information:
generating issuing record information according to the verifiable statement;
and sending the issuing record information to a third block chain node so that the third block chain node stores the issuing record information into a block chain.
Optionally, the computer executable instructions, when executed, the authorization-related information comprises digital identity information of the first user and digital identity information of the second user;
generating a verifiable statement according to the authorization-related information, comprising:
acquiring service processing authority information to be granted from the authorization related information and/or the declaration authorization template;
generating the verifiable a declaration identification of the declaration;
signing preset first designated information by using a private key of the first user to obtain signature data;
and generating a verifiable statement according to the service processing authority information, the statement identification, the signature data, the digital identity information of the first user and the digital identity information of the second user.
Optionally, the computer-executable instructions, when executed, further comprise, after sending to the client of the second user:
and sending an issuance result of successful issuance to the client of the first user, so that the client of the first user displays issuance success information.
The authorization device based on the verifiable declaration provided by one or more embodiments of the present specification, through performing online data interaction with the client, may generate the verifiable declaration according to the authorization-related information sent by the client of the first user, so that the second user may proxy the first user to process the specified service of the first user based on the verifiable declaration without performing offline negotiation, signing paper protocol, and the like between the first user and the second user, thereby improving the proxy authorization efficiency; meanwhile, the verifiable statement can be stored in the client of the second user in an electronic form, so that the second user does not need to carry a signed paper authorization protocol when acting on the first user for handling business, convenience is improved, the use of consumables such as paper is reduced, energy can be saved, cost is reduced, environmental protection and sanitation are realized, and social benefits are improved.
In another embodiment, a verifiable claims-based authorization device includes a memory, and one or more programs, wherein the one or more programs are stored in the memory, and the one or more programs may include one or more modules, and each module may include a series of computer-executable instructions for the verifiable claims-based authorization device, and the one or more programs configured for execution by the one or more processors include computer-executable instructions for:
responding to the issuing operation of the verifiable statement of the first user, and sending an issuing request of the verifiable statement to the server; the issuing request is used for requesting to issue a verifiable statement for granting business processing permission to a second user so that the second user can process the specified business of the first user; the issuing request comprises the service type information of the specified service, so that the server side obtains a corresponding statement authorization template according to the service type information;
displaying the statement authorization template returned by the server, and acquiring authorization related information provided by the first user based on the statement authorization template;
and sending the authorization related information to the server so that the server generates a verifiable statement according to the authorization related information and sends the verifiable statement to the client of the second user.
In one or more embodiments of the present specification, by performing online data interaction with the server, the server generates a verifiable statement according to authorization-related information, so that the second user can proxy the first user to process the specified service of the first user based on the verifiable statement, without performing offline negotiation, signing a paper protocol, and the like between the first user and the second user, thereby improving the proxy authorization efficiency; meanwhile, the verifiable statement can be stored in the client of the second user in an electronic form, so that the second user does not need to carry a signed paper authorization protocol when acting on the first user for handling business, convenience is improved, the use of consumables such as paper is reduced, energy can be saved, cost is reduced, environmental protection and sanitation are realized, and social benefits are improved.
Optionally, the computer-executable instructions, when executed, obtain authorization-related information provided by the first user based on the claim authorization template, including:
when the triggering operation of the first user on the items to be edited in the statement authorization template is detected, determining corresponding candidate information;
displaying the candidate information, and displaying target candidate information selected by the first user from the candidate information in the item to be edited;
and if the submission operation of the first user is detected, obtaining the information displayed in each item to be edited to obtain authorization related information provided by the first user based on the statement authorization template.
Optionally, when executed, the computer-executable instructions, after sending the authorization-related information to the server, further include:
receiving inquiry information sent by the server, wherein the inquiry information comprises the related information of the second user and the related information of the specified service;
according to the inquiry information, showing an inquiry interface used for inquiring whether the first user grants the service processing permission to the second user or not;
and feeding back information to the server based on the operation of the first user, so that when the server confirms that the first user grants the business processing right to the second user based on the fed-back information, a verifiable statement is generated according to the authorization related information.
Optionally, when executed by computer executable instructions, the security level of the specified service satisfies a preset condition, and the feeding back information to the server based on the operation of the first user includes:
if the first user is detected to confirm the authorization operation on the inquiry interface, sending confirmation authorization information to the server; and if an identity authentication request sent by the server is received, executing identity authentication operation on the first user, and feeding back identity authentication information to the server, so that the server performs identity authentication on the first user based on the identity authentication information.
Optionally, when executed, the computer-executable instructions, after sending the authorization-related information to the server, further include:
receiving an issuing result sent by the server;
and displaying successful issuing information or failed issuing information according to the issuing result.
The authorization device based on the verifiable statement provided by one or more embodiments of the present specification performs online data interaction with the server, so that the server generates the verifiable statement according to the authorization-related information, so that the second user can proxy the first user to process the specified service of the first user based on the verifiable statement, without performing offline negotiation, signing paper protocol and other operations between the first user and the second user, thereby improving the proxy authorization efficiency; meanwhile, the verifiable statement can be stored in the client of the second user in an electronic form, so that the second user does not need to carry a signed paper authorization protocol when acting on the first user for handling business, convenience is improved, the use of consumables such as paper is reduced, energy can be saved, cost is reduced, environmental protection and sanitation are realized, and social benefits are improved.
It should be noted that, the embodiment of the authorization apparatus based on a verifiable statement in this specification and the embodiment of the authorization method based on a verifiable statement in this specification are based on the same inventive concept, so that for the specific implementation of this embodiment, reference may be made to the implementation of the corresponding authorization method based on a verifiable statement, and repeated parts are not described again.
Further, corresponding to the authorization method based on verifiable claims described above, based on the same technical concept, one or more embodiments of the present specification further provide a storage medium for storing computer-executable instructions, where in a specific embodiment, the storage medium may be a usb disk, an optical disk, a hard disk, and the like, and the storage medium stores computer-executable instructions that, when executed by a processor, implement the following processes:
acquiring service type information of a verifiable statement to be issued by a first user to a second user, and acquiring a corresponding statement authorization template according to the service type information;
sending the claim authorization template to a client of the first user;
receiving authorization-related information returned by the client of the first user and provided by the first user based on the statement authorization template;
and confirming whether a verifiable statement is issued to the second user or not according to the authorization related information, if so, generating the verifiable statement according to the authorization related information and sending the verifiable statement to the client of the second user.
In one or more embodiments of the present description, through online data interaction with a client, a verifiable statement may be generated according to the authorization-related information sent by the client of a first user, so that a second user may act on the first user to process the specified service of the first user based on the verifiable statement, without performing offline negotiation, signing a paper protocol, and the like between the first user and the second user, thereby improving the authorization efficiency of the agent; meanwhile, the verifiable statement can be stored in the client of the second user in an electronic form, so that the second user does not need to carry a signed paper authorization protocol when acting on the first user for handling business, convenience is improved, the use of consumables such as paper is reduced, energy can be saved, cost is reduced, environmental protection and sanitation are realized, and social benefits are improved.
Optionally, the storage medium stores computer executable instructions that when executed by the processor, said confirming whether to issue a verifiable statement to the second user based on the authorization-related information, comprising:
determining whether the authorization-related information meets a preset risk control condition;
confirming issuance of a verifiable statement to the second user if the risk control condition is satisfied.
Optionally, the storage medium stores computer-executable instructions that, when executed by the processor, determine whether the authorization-related information satisfies a preset risk control condition, including:
detecting the authorization related information by adopting a pre-trained detection model, and determining whether the authorization related information meets a preset risk control condition according to a detection result; alternatively, the first and second electrodes may be,
and matching the authorization related information with an authorization blacklist stored in a block chain through a first block chain link point, and determining whether the authorization related information meets a preset risk control condition according to a matching result.
Optionally, the storage medium stores computer-executable instructions that, when executed by the processor, further comprise:
and if the authorization related information does not meet the risk control condition, confirming that a verifiable statement is not issued to the second user, and returning an issuance result of issuance failure to the client of the first user, so that the client of the first user displays issuance failure information.
Optionally, when executed by a processor, the computer-executable instructions stored in the storage medium obtain a corresponding declaration authorization template according to the service type information, where the method includes:
acquiring a related statement authorization template from the business type information and the related record information of the statement authorization template according to the business type information; alternatively, the first and second electrodes may be,
acquiring a related template identifier in the related record information of the service type information and the template identifier of the declaration authorization template according to the service type information; acquiring a corresponding statement authorization template from the statement authorization templates stored in the block chain through a second block chain node according to the acquired template identifier; and the statement authorization template stored in the blockchain is uploaded by a service provider.
Optionally, the computer-executable instructions stored in the storage medium, when executed by the processor, obtain service type information of a verifiable statement to be issued by the first user to the second user, including:
receiving an issuance request of the verifiable statement sent by a client of a first user; the issuing request is used for requesting to issue a verifiable statement for granting a business processing permission to the second user so as to enable the second user to process the specified business of the first user, and the issuing request comprises business type information of the specified business;
and acquiring the service type information from the issuing request.
Optionally, the storage medium stores computer-executable instructions that, when executed by the processor, generate a verifiable statement based on the authorization-related information, comprising:
inquiring whether the first user grants the service processing permission for the second user or not through the client of the first user;
and if the first user is confirmed to grant the service processing permission to the second user, generating a verifiable statement according to the authorization related information.
Optionally, the storage medium stores computer-executable instructions that, when executed by a processor, ask the first user whether to grant the service processing right for the second user through the client of the first user, including:
generating inquiry information according to the authorization related information and/or the declaration authorization template, wherein the inquiry information comprises the related information of the second user and the related information of the specified service;
and sending the inquiry information to the client of the first user so as to display an inquiry interface comprising the related information of the second user and the related information of the specified service on the client of the first user, and inquiring whether the first user grants the service processing permission for the second user or not.
Optionally, the computer-executable instructions stored in the storage medium, when executed by the processor, confirm that the first user grants the service processing permission to the second user, include:
if the security level of the specified service meets a preset condition and confirmation authorization information returned by the client of the first user is acquired, performing identity authentication on the first user through the client of the first user; if the identity authentication is passed, confirming that the first user grants the service processing permission for the second user;
or, if the security level of the specified service does not meet the preset condition and the confirmation authorization information returned by the client of the first user is acquired, confirming that the first user grants the service processing permission to the second user.
Or if the confirmation authorization information returned by the client of the first user is acquired, confirming that the first user grants the service processing permission to the second user.
Optionally, the storage medium stores computer-executable instructions that, when executed by a processor, authenticate the first user by a client of the first user, comprising:
sending an authentication request to the client of the first user so that the client of the first user acquires authentication information of the first user;
and performing identity authentication on the first user according to the identity verification information returned by the client of the first user.
Optionally, the storage medium stores computer-executable instructions that, when executed by the processor, further comprise, after generating the verifiable statement according to the authorization-related information:
generating issuing record information according to the verifiable statement;
and sending the issuing record information to a third block chain node so that the third block chain node stores the issuing record information into a block chain.
Optionally, the storage medium stores computer-executable instructions that, when executed by the processor, cause the authorization-related information to include digital identity information of the first user and digital identity information of the second user;
the generating a verifiable statement according to the authorization-related information includes:
acquiring service processing authority information to be granted from the authorization related information and/or the declaration authorization template;
generating a claim identification for the verifiable claim;
signing preset first designated information by using a private key of the first user to obtain signature data;
and generating a verifiable statement according to the service processing authority information, the statement identification, the signature data, the digital identity information of the first user and the digital identity information of the second user.
Optionally, the storage medium stores computer-executable instructions that, when executed by the processor, further comprise, after said sending to the client of the second user:
and sending an issuance result of successful issuance to the client of the first user, so that the client of the first user displays issuance success information.
When executed by a processor, the computer-executable instructions stored in the storage medium provided by one or more embodiments of the present specification may generate a verifiable statement according to the authorization-related information sent by the client of the first user by interacting with data on a line of the client of the first user, so that the second user may act on the first user to process the specified service of the first user based on the verifiable statement, without the first user and the second user performing offline negotiation, signing a paper protocol, and the like, thereby improving the authorization efficiency of the agent; meanwhile, the verifiable statement can be stored in the client of the second user in an electronic form, so that the second user does not need to carry a signed paper authorization protocol when acting on the first user for handling business, convenience is improved, the use of consumables such as paper is reduced, energy can be saved, cost is reduced, environmental protection and sanitation are realized, and social benefits are improved.
In another specific embodiment, the storage medium may be a usb disk, an optical disk, a hard disk, or the like, and the storage medium stores computer-executable instructions that, when executed by the processor, implement the following process:
responding to the issuing operation of the verifiable statement of the first user, and sending an issuing request of the verifiable statement to the server; the issuing request is used for requesting to issue a verifiable statement for granting business processing permission to a second user so that the second user can process the specified business of the first user; the issuing request comprises the service type information of the specified service, so that the server side obtains a corresponding statement authorization template according to the service type information;
displaying the statement authorization template returned by the server, and acquiring authorization related information provided by the first user based on the statement authorization template;
and sending the authorization related information to the server so that the server generates a verifiable statement according to the authorization related information and sends the verifiable statement to the client of the second user.
In one or more embodiments of the present specification, by performing online data interaction with the server, the server generates a verifiable statement according to authorization-related information, so that the second user can proxy the first user to process the specified service of the first user based on the verifiable statement, without performing offline negotiation, signing a paper protocol, and the like between the first user and the second user, thereby improving the proxy authorization efficiency; meanwhile, the verifiable statement can be stored in the client of the second user in an electronic form, so that the second user does not need to carry a signed paper authorization protocol when acting on the first user for handling business, convenience is improved, the use of consumables such as paper is reduced, energy can be saved, cost is reduced, environmental protection and sanitation are realized, and social benefits are improved.
Optionally, the storage medium stores computer-executable instructions that, when executed by the processor, obtain authorization-related information provided by the first user based on the claim authorization template, including:
when the triggering operation of the first user on the to-be-edited item in the statement authorization template is detected, determining corresponding candidate information;
displaying the candidate information, and displaying target candidate information selected by the first user from the candidate information in the item to be edited;
and if the submission operation of the first user is detected, acquiring the information displayed in each item to be edited to obtain authorization related information provided by the first user based on the statement authorization template.
Optionally, the storage medium stores computer-executable instructions, which when executed by the processor, further includes, after the sending the authorization-related information to the server:
receiving inquiry information sent by the server, wherein the inquiry information comprises the related information of the second user and the related information of the specified service;
according to the inquiry information, showing an inquiry interface used for inquiring whether the first user grants the service processing permission to the second user;
and feeding back information to the server based on the operation of the first user, so that when the server confirms that the first user grants the business processing right to the second user based on the fed-back information, a verifiable statement is generated according to the authorization related information.
Optionally, when executed by a processor, the computer-executable instructions stored in the storage medium enable the security level of the specified service to meet a preset condition, and the feeding back information to the server based on the operation of the first user includes:
if the first user is detected to confirm the authorization operation on the inquiry interface, sending confirmation authorization information to the server; and if an authentication request sent by the server is received, performing authentication operation on the first user, and feeding back authentication information to the server, so that the server performs authentication on the first user based on the authentication information.
Optionally, the storage medium stores computer-executable instructions, which when executed by the processor, further includes, after the sending the authorization-related information to the server:
receiving an issuing result sent by the server;
and displaying successful issuing information or failed issuing information according to the issuing result.
When executed by a processor, the computer-executable instructions stored in the storage medium provided by one or more embodiments of the present specification enable a server to generate a verifiable statement according to authorization-related information by performing online data interaction with the server, so that a second user can act on the first user to process a specified service of the first user based on the verifiable statement, without the first user and the second user performing offline negotiation, signing a paper protocol, and the like, thereby improving the proxy authorization efficiency; meanwhile, the verifiable statement can be stored in the client of the second user in an electronic form, so that the second user does not need to carry a signed paper authorization protocol when acting on the first user for handling business, convenience is improved, the use of consumables such as paper is reduced, energy can be saved, cost is reduced, environmental protection and sanitation are realized, and social benefits are improved.
It should be noted that the embodiment of the storage medium in this specification and the embodiment of the authorization method based on the verifiable statement in this specification are based on the same inventive concept, so that specific implementation of this embodiment may refer to implementation of the corresponding authorization method based on the verifiable statement, and repeated details are not repeated.
The foregoing description has been directed to specific embodiments of this disclosure. Other embodiments are within the scope of the following claims. In some cases, the actions or steps recited in the claims can be performed in a different order than in the embodiments and still achieve desirable results. In addition, the processes depicted in the accompanying figures do not necessarily require the particular order shown, or sequential order, to achieve desirable results. In some embodiments, multitasking and parallel processing may also be possible or may be advantageous.
In the 30 s of the 20 th century, improvements in a technology could clearly distinguish between improvements in hardware (e.g., improvements in circuit structures such as diodes, transistors, switches, etc.) and improvements in software (improvements in process flow). However, as technology advances, many of today's process flow improvements have been seen as direct improvements in hardware circuit architecture. Designers almost always obtain the corresponding hardware circuit structure by programming an improved method flow into the hardware circuit. Thus, it cannot be said that an improvement in the process flow cannot be realized by hardware physical modules. For example, a Programmable Logic Device (PLD), such as a Field Programmable Gate Array (FPGA), is an integrated circuit whose Logic functions are determined by programming the Device by a user. A digital system is "integrated" on a PLD by the designer's own programming without requiring the chip manufacturer to design and fabricate application-specific integrated circuit chips. Furthermore, nowadays, instead of manually manufacturing an Integrated Circuit chip, such Programming is often implemented by "logic compiler" software, which is similar to a software compiler used in program development and writing, but the original code before compiling is also written by a specific Programming Language, which is called Hardware Description Language (HDL), and HDL is not only one but many, such as ABEL (Advanced Boolean Expression Language), AHDL (alternate Hardware Description Language), traffic, CUPL (core universal Programming Language), HDCal, jhddl (Java Hardware Description Language), lava, lola, HDL, PALASM, rhyd (Hardware Description Language), and vhigh-Language (Hardware Description Language), which is currently used in most popular applications. It will also be apparent to those skilled in the art that hardware circuitry that implements the logical method flows can be readily obtained by merely slightly programming the method flows into an integrated circuit using the hardware description languages described above.
The controller may be implemented in any suitable manner, for example, the controller may take the form of, for example, a microprocessor or processor and a computer-readable medium storing computer-readable program code (e.g., software or firmware) executable by the (micro) processor, logic gates, switches, an Application Specific Integrated Circuit (ASIC), a programmable logic controller, and an embedded microcontroller, examples of which include, but are not limited to, the following microcontrollers: ARC 625D, atmel AT91SAM, microchip PIC18F26K20, and Silicone Labs C8051F320, the memory controller may also be implemented as part of the control logic for the memory. Those skilled in the art will also appreciate that, in addition to implementing the controller as pure computer readable program code, the same functionality can be implemented by logically programming method steps such that the controller is in the form of logic gates, switches, application specific integrated circuits, programmable logic controllers, embedded microcontrollers and the like. Such a controller may thus be considered a hardware component, and the means included therein for performing the various functions may also be considered as a structure within the hardware component. Or even means for performing the functions may be regarded as being both a software module for performing the method and a structure within a hardware component.
The systems, devices, modules or units illustrated in the above embodiments may be implemented by a computer chip or an entity, or by a product with certain functions. One typical implementation device is a computer. In particular, the computer may be, for example, a personal computer, a laptop computer, a cellular telephone, a camera phone, a smartphone, a personal digital assistant, a media player, a navigation device, an email device, a game console, a tablet computer, a wearable device, or a combination of any of these devices.
For convenience of description, the above devices are described as being divided into various units by function, and are described separately. Of course, the functions of the units may be implemented in the same software and/or hardware or in multiple software and/or hardware when implementing the embodiments of the present description.
One skilled in the art will recognize that one or more embodiments of the present description may be provided as a method, system, or computer program product. Accordingly, one or more embodiments of the present description may take the form of an entirely hardware embodiment, an entirely software embodiment or an embodiment combining software and hardware aspects. Furthermore, the description may take the form of a computer program product embodied on one or more computer-usable storage media (including, but not limited to, disk storage, CD-ROM, optical storage, and the like) having computer-usable program code embodied therein.
The description has been presented with reference to flowchart illustrations and/or block diagrams of methods, apparatus (systems), and computer program products according to embodiments of the description. It will be understood that each flow and/or block of the flow diagrams and/or block diagrams, and combinations of flows and/or blocks in the flow diagrams and/or block diagrams, can be implemented by computer program instructions. These computer program instructions may be provided to a processor of a general purpose computer, special purpose computer, embedded processor, or other programmable data processing apparatus to produce a machine, such that the instructions, which execute via the processor of the computer or other programmable data processing apparatus, create means for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be stored in a computer-readable memory that can direct a computer or other programmable data processing apparatus to function in a particular manner, such that the instructions stored in the computer-readable memory produce an article of manufacture including instruction means which implement the function specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be loaded onto a computer or other programmable data processing apparatus to cause a series of operational steps to be performed on the computer or other programmable apparatus to produce a computer implemented process such that the instructions which execute on the computer or other programmable apparatus provide steps for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
In a typical configuration, a computing device includes one or more processors (CPUs), input/output interfaces, network interfaces, and memory.
The memory may include forms of volatile memory in a computer readable medium, random Access Memory (RAM) and/or non-volatile memory, such as Read Only Memory (ROM) or flash memory (flash RAM). Memory is an example of a computer-readable medium.
Computer-readable media, including both permanent and non-permanent, removable and non-removable media, may implement the information storage by any method or technology. The information may be computer readable instructions, data structures, modules of a program, or other data. Examples of computer storage media include, but are not limited to, phase change memory (PRAM), static Random Access Memory (SRAM), dynamic Random Access Memory (DRAM), other types of Random Access Memory (RAM), read Only Memory (ROM), electrically Erasable Programmable Read Only Memory (EEPROM), flash memory or other memory technology, compact disc read only memory (CD-ROM), digital Versatile Discs (DVD) or other optical storage, magnetic cassettes, magnetic tape magnetic disk storage or other magnetic storage devices, or any other non-transmission medium that can be used to store information that can be accessed by a computing device. As defined herein, a computer readable medium does not include a transitory computer readable medium such as a modulated data signal and a carrier wave.
It should also be noted that the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or apparatus. Without further limitation, an element defined by the phrases "comprising a," "8230," "8230," or "comprising" does not exclude the presence of other like elements in a process, method, article, or apparatus comprising the element.
One or more embodiments of the present description may be described in the general context of computer-executable instructions, such as program modules, being executed by a computer. Generally, program modules include routines, programs, objects, components, data structures, etc. that perform particular tasks or implement particular abstract data types. One or more embodiments of the specification may also be practiced in distributed computing environments where tasks are performed by remote processing devices that are linked through a communications network. In a distributed computing environment, program modules may be located in both local and remote computer storage media including memory storage devices.
All the embodiments in the present specification are described in a progressive manner, and the same and similar parts among the embodiments are referred to each other, and each embodiment focuses on the differences from other embodiments. In particular, for the system embodiment, since it is substantially similar to the method embodiment, the description is simple, and for the relevant points, reference may be made to the partial description of the method embodiment.
The above description is only an example of the present document and is not intended to limit the present document. Various modifications and changes may occur to those skilled in the art from this document. Any modifications, equivalents, improvements, etc. which come within the spirit and principle of the disclosure are intended to be included within the scope of the claims of this document.

Claims (24)

1. An authorization method based on verifiable statement, applied to a server, includes:
acquiring service type information of a verifiable statement to be issued by a first user to a second user, and acquiring a corresponding statement authorization template from a block chain according to the service type information; wherein the claim authorization template stored in the blockchain is provided by a service provider;
sending the claim authorization template to a client of the first user;
receiving authorization-related information returned by the client of the first user and provided by the first user based on the statement authorization template;
and determining whether the authorization related information contains preset sensitive information, if not, generating a verifiable statement according to the authorization related information and sending the verifiable statement to the client of the second user so as to provide the verifiable statement to the service provider when the second user processes the specified service of the first user.
2. The method of claim 1, wherein the determining whether the authorization-related information includes preset sensitive information comprises:
detecting the authorization related information by adopting a pre-trained detection model, and determining whether the authorization related information contains preset sensitive information or not according to a detection result; alternatively, the first and second electrodes may be,
and matching the authorization related information with an authorization blacklist stored in a block chain through a first block chain link point, and determining whether the authorization related information contains preset sensitive information according to a matching result.
3. The method of claim 1, further comprising:
if the authorization related information contains preset sensitive information, confirming that a verifiable statement is not issued to the second user, and returning an issuance result of an issuance failure to the client of the first user, so that the client of the first user displays the issuance failure information.
4. The method of claim 1, wherein the obtaining a corresponding declaration authorization template from a blockchain according to the service type information comprises:
acquiring a related template identifier in the related record information of the service type information and the template identifier of the declaration authorization template according to the service type information; and acquiring a corresponding declaration authorization template from declaration authorization templates stored in the blockchain through the second blockchain node according to the acquired template identifier.
5. The method of claim 1, wherein the obtaining of the service type information of the verifiable statement to be issued by the first user to the second user comprises:
receiving an issuance request of the verifiable statement sent by a client of a first user; the issuing request is used for requesting to issue a verifiable statement for granting a service processing permission to the second user so as to enable the second user to process the specified service of the first user, and the issuing request comprises service type information of the specified service;
and acquiring the service type information from the issuing request.
6. The method of claim 5, the generating and sending a verifiable statement to the client of the second user based on the authorization-related information, comprising:
generating inquiry information according to the authorization related information and/or the declaration authorization template, wherein the inquiry information comprises the related information of the second user and the related information of the specified service;
sending the query information to the client of the first user so as to display a query interface comprising the relevant information of the second user and the relevant information of the specified service on the client of the first user, so as to query whether the first user grants the service processing permission for the second user;
and if the first user is confirmed to grant the service processing permission to the second user, generating a verifiable statement according to the authorization related information and sending the verifiable statement to the client of the second user.
7. The method of claim 6, the confirming that the first user granted the business process permission to the second user comprises:
if the security level of the specified service meets a preset condition and confirmation authorization information returned by the client of the first user is acquired, performing identity authentication on the first user through the client of the first user; if the identity authentication is passed, confirming that the first user grants the service processing permission to the second user;
or if the security level of the specified service does not meet the preset condition and the confirmation authorization information returned by the client of the first user is acquired, confirming that the first user grants the service processing permission to the second user;
or if the confirmation authorization information returned by the client of the first user is obtained, confirming that the first user grants the service processing permission to the second user.
8. The method of claim 7, the authenticating the first user by the client of the first user comprising:
sending an authentication request to the client of the first user so that the client of the first user acquires authentication information of the first user;
and performing identity authentication on the first user according to the identity verification information returned by the client of the first user.
9. The method of claim 1, after generating a verifiable statement based on the authorization-related information, further comprising:
generating issuing record information according to the verifiable statement;
and sending the issuing record information to a third block chain node so that the third block chain node stores the issuing record information into a block chain.
10. The method of claim 1, the authorization-related information comprising digital identity information of the first user and digital identity information of the second user;
generating a verifiable statement according to the authorization-related information, comprising:
acquiring service processing authority information to be granted from the authorization related information and/or the declaration authorization template;
generating a claim identification for the verifiable claim;
signing preset first designated information by adopting the private key of the first user to obtain signature data;
and generating a verifiable statement according to the service processing authority information, the statement identification, the signature data, the digital identity information of the first user and the digital identity information of the second user.
11. The method of any of claims 1-10, after sending to the client of the second user, further comprising:
and sending an issuing result of successful issuing to the client of the first user so that the client of the first user displays information of successful issuing.
12. An authorization method based on verifiable declarations, applied to a client of a first user, includes:
responding to the issuing operation of the verifiable statement of the first user, and sending an issuing request of the verifiable statement to the server; the issuing request is used for requesting to issue a verifiable statement for granting a service processing permission to a second user, so that the verifiable statement is provided for a service provider of a specified service when the second user processes the specified service of the first user; the issuing request comprises the service type information of the specified service, so that the server side obtains a corresponding statement authorization template from a block chain according to the service type information; the claim authorization template stored in the blockchain is provided by the service provider;
displaying the statement authorization template returned by the server, and acquiring authorization related information provided by the first user based on the statement authorization template;
and sending the authorization related information to the server so that the server generates a verifiable statement according to the authorization related information and sends the verifiable statement to the client of the second user.
13. The method of claim 12, wherein the obtaining authorization-related information provided by the first user based on the claim authorization template comprises:
when the triggering operation of the first user on the items to be edited in the statement authorization template is detected, determining corresponding candidate information;
displaying the candidate information, and displaying target candidate information selected by the first user from the candidate information in the item to be edited;
and if the submission operation of the first user is detected, acquiring the information displayed in each item to be edited to obtain authorization related information provided by the first user based on the statement authorization template.
14. The method of claim 12, wherein the security level of the specific service satisfies a preset condition, and the feeding back information to the server based on the operation of the first user comprises:
if the first user is detected to confirm the authorization operation on the inquiry interface, sending confirmation authorization information to the server; and if an authentication request sent by the server is received, performing authentication operation on the first user, and feeding back authentication information to the server, so that the server performs authentication on the first user based on the authentication information.
15. The method according to any of claims 12-14, further comprising, after sending the authorization-related information to the server:
receiving an issuing result sent by the server;
and displaying successful issuing information or failed issuing information according to the issuing result.
16. An authorization device based on verifiable statement, applied to a server, comprises:
the acquisition module acquires service type information of a verifiable statement to be issued by a first user to a second user, and acquires a corresponding statement authorization template from a block chain according to the service type information; wherein the claim authorization template stored in the blockchain is provided by a service provider;
a sending module that sends the claim authorization template to a client of the first user;
a receiving module, which receives the authorization-related information returned by the client of the first user and provided by the first user based on the statement authorization template;
the first determining module is used for determining whether the authorization related information contains preset sensitive information or not;
and the generating module is used for generating a verifiable statement according to the authorization related information and sending the verifiable statement to the client of the second user if the determination result of the first determining module is negative, so that the verifiable statement is provided for the service provider when the second user processes the specified service of the first user.
17. The apparatus of claim 16, wherein the first and second electrodes are disposed in a common plane,
the acquisition module acquires the associated template identifier from the associated record information of the service type information and the template identifier of the declaration authorization template according to the service type information; acquiring a corresponding statement authorization template from the statement authorization templates stored in the block chain through a second block chain node according to the acquired template identifier; and the statement authorization template stored in the block chain is uploaded by a service provider.
18. An authorization apparatus based on verifiable claims, applied to a client of a first user, comprising:
the first sending module is used for responding to the issuing operation of the verifiable statement of the first user and sending an issuing request of the verifiable statement to the server; the issuing request is used for requesting to issue a verifiable statement for granting a service processing permission to a second user, so that the verifiable statement is provided for a service provider of a specified service when the second user processes the specified service of the first user; the issuing request comprises the service type information of the specified service, so that the server side obtains a corresponding statement authorization template from a block chain according to the service type information; the claim authorization template stored in the blockchain is provided by the service provider;
the display module displays the statement authorization template returned by the server;
the acquisition module acquires authorization related information provided by the first user based on the statement authorization template;
and the second sending module is used for sending the authorization related information to the server so that the server generates a verifiable statement according to the authorization related information and sends the verifiable statement to the client of the second user.
19. The apparatus of claim 18, wherein the first and second electrodes are disposed in a substantially cylindrical configuration,
the acquisition module is used for determining corresponding candidate information when the triggering operation of the first user on the to-be-edited item in the statement authorization template is detected; and (c) a second step of,
displaying the candidate information, and displaying target candidate information selected by the first user from the candidate information in the item to be edited;
and if the submission operation of the first user is detected, acquiring the information displayed in each item to be edited to obtain authorization related information provided by the first user based on the statement authorization template.
20. An authenticatable claim-based authorization system, comprising: the client side and the server side of the first user and the client side of the second user;
the client of the first user responds to the verifiable statement issuing operation of the first user and sends a verifiable statement issuing request to the server; the issuing request is used for requesting to issue a verifiable statement for granting a service processing permission to a second user, so that the verifiable statement is provided for a service provider of a specified service when the second user processes the specified service of the first user; the issuing request comprises the service type information of the specified service; displaying a statement authorization template returned by the server, acquiring authorization related information provided by the first user based on the statement authorization template, and sending the authorization related information to the server;
the server side acquires service type information from the issuing request and acquires a corresponding statement authorization template from a block chain according to the service type information, wherein the statement authorization template stored in the block chain is provided by the service provider; sending the claim authorization template to a client of the first user; receiving the authorization related information sent by the client of the first user, determining whether the authorization related information contains preset sensitive information, if not, generating a verifiable statement according to the authorization related information and sending the verifiable statement to the client of the second user;
and the client of the second user receives the verifiable statement sent by the server.
21. An authenticatable claim-based authorization device, comprising:
a processor; and the number of the first and second groups,
a memory arranged to store computer executable instructions that, when executed, cause the processor to:
acquiring service type information of a verifiable statement to be issued by a first user to a second user, and acquiring a corresponding statement authorization template from a block chain according to the service type information; wherein the claim authorization template stored in the blockchain is provided by a service provider;
sending the claim authorization template to a client of the first user;
receiving authorization-related information returned by the client of the first user and provided by the first user based on the statement authorization template;
and determining whether the authorization related information contains preset sensitive information, if not, generating a verifiable statement according to the authorization related information and sending the verifiable statement to the client of the second user so as to provide the verifiable statement to the service provider when the second user processes the specified service of the first user.
22. An authenticatable claim-based authorization device, comprising:
a processor; and;
a memory arranged to store computer executable instructions that, when executed, cause the processor to:
responding to the issuing operation of the verifiable statement of the first user, and sending an issuing request of the verifiable statement to the server; the issuing request is used for requesting to issue a verifiable statement for granting a service processing permission to a second user, so that the verifiable statement is provided for a service provider of a specified service when the second user processes the specified service of the first user; the issuing request comprises the service type information of the specified service, so that the server side obtains a corresponding statement authorization template from a block chain according to the service type information; the claim authorization template stored in the blockchain is provided by a service provider;
displaying the statement authorization template returned by the server, and acquiring authorization related information provided by the first user based on the statement authorization template;
and sending the authorization related information to the server, so that the server generates a verifiable statement according to the authorization related information and sends the verifiable statement to the client of the second user.
23. A storage medium storing computer-executable instructions that when executed implement the following:
acquiring service type information of a verifiable statement to be issued by a first user to a second user, and acquiring a corresponding statement authorization template from a block chain according to the service type information; wherein the claim authorization template stored in the blockchain is provided by a service provider;
sending the claim authorization template to a client of the first user;
receiving authorization-related information returned by the client of the first user and provided by the first user based on the statement authorization template;
and determining whether the authorization related information contains preset sensitive information, if not, generating a verifiable statement according to the authorization related information and sending the verifiable statement to the client of the second user so as to provide the verifiable statement to the service provider when the second user processes the specified service of the first user.
24. A storage medium storing computer-executable instructions that when executed implement the following:
responding to the issuing operation of the verifiable statement of the first user, and sending an issuing request of the verifiable statement to the server; the issuing request is used for requesting to issue a verifiable statement for granting a service processing permission to a second user, so that the verifiable statement is provided for a service provider of a specified service when the second user processes the specified service of the first user; the issuing request comprises the service type information of the specified service, so that the server side obtains a corresponding statement authorization template from a block chain according to the service type information; the statement authorization template stored in the blockchain is provided by a service provider;
displaying the statement authorization template returned by the server, and acquiring authorization related information provided by the first user based on the statement authorization template;
and sending the authorization related information to the server so that the server generates a verifiable statement according to the authorization related information and sends the verifiable statement to the client of the second user.
CN202211007801.1A 2019-10-11 2019-10-11 Authorization method, device, equipment and system based on verifiable statement Pending CN115396114A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202211007801.1A CN115396114A (en) 2019-10-11 2019-10-11 Authorization method, device, equipment and system based on verifiable statement

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN202211007801.1A CN115396114A (en) 2019-10-11 2019-10-11 Authorization method, device, equipment and system based on verifiable statement
CN201910964126.3A CN110768968B (en) 2019-10-11 2019-10-11 Authorization method, device, equipment and system based on verifiable statement

Related Parent Applications (1)

Application Number Title Priority Date Filing Date
CN201910964126.3A Division CN110768968B (en) 2019-10-11 2019-10-11 Authorization method, device, equipment and system based on verifiable statement

Publications (1)

Publication Number Publication Date
CN115396114A true CN115396114A (en) 2022-11-25

Family

ID=69331659

Family Applications (2)

Application Number Title Priority Date Filing Date
CN201910964126.3A Active CN110768968B (en) 2019-10-11 2019-10-11 Authorization method, device, equipment and system based on verifiable statement
CN202211007801.1A Pending CN115396114A (en) 2019-10-11 2019-10-11 Authorization method, device, equipment and system based on verifiable statement

Family Applications Before (1)

Application Number Title Priority Date Filing Date
CN201910964126.3A Active CN110768968B (en) 2019-10-11 2019-10-11 Authorization method, device, equipment and system based on verifiable statement

Country Status (1)

Country Link
CN (2) CN110768968B (en)

Families Citing this family (13)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN111680274B (en) * 2020-03-03 2022-11-22 支付宝(杭州)信息技术有限公司 Resource access method, device and equipment
CN113497805B (en) * 2020-04-01 2023-08-04 支付宝(杭州)信息技术有限公司 Registration processing method, device, equipment and system
CN111190974B (en) * 2020-04-10 2021-01-26 支付宝(杭州)信息技术有限公司 Method, device and equipment for forwarding and acquiring verifiable statement
CN113973016A (en) * 2020-04-17 2022-01-25 支付宝(杭州)信息技术有限公司 Authorization processing method, device, equipment and system based on verifiable statement
CN111752968B (en) * 2020-06-12 2021-11-23 支付宝(杭州)信息技术有限公司 Identity file processing method, device, equipment and storage medium
CN111753291B (en) * 2020-06-18 2023-03-10 支付宝(杭州)信息技术有限公司 Application container creating method, device and equipment
CN112311538B (en) * 2020-10-30 2024-04-23 北京华弘集成电路设计有限责任公司 Identity verification method, device, storage medium and equipment
CN114238887A (en) * 2020-11-20 2022-03-25 支付宝(杭州)信息技术有限公司 Method, device and equipment for processing voice authorization and voice related service
CN112738253B (en) * 2020-12-30 2023-04-25 北京百度网讯科技有限公司 Block chain-based data processing method, device, equipment and storage medium
CN113221142A (en) * 2021-05-11 2021-08-06 支付宝(杭州)信息技术有限公司 Authorization service processing method, device, equipment and system
CN113312664B (en) * 2021-06-01 2022-06-28 支付宝(杭州)信息技术有限公司 User data authorization method and user data authorization system
CN113395281B (en) * 2021-06-11 2022-11-01 网易(杭州)网络有限公司 Verification method and device capable of verifying statement and electronic equipment
CN114756901B (en) * 2022-04-11 2022-12-13 敏于行(北京)科技有限公司 Operational risk monitoring method and device

Family Cites Families (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN106447853B (en) * 2016-09-14 2019-01-11 浙江维融电子科技股份有限公司 A kind of self-service bank's system having multistage identification function
CN109754267A (en) * 2018-12-29 2019-05-14 百度在线网络技术(北京)有限公司 Brand authorization method, device, equipment and medium based on block chain
CN109727044A (en) * 2018-12-29 2019-05-07 百度在线网络技术(北京)有限公司 Brand transaction methods, device, equipment and medium based on block chain
CN109801152A (en) * 2019-01-24 2019-05-24 中国农业银行股份有限公司 Supplementary pension method for processing business and system based on block chain
CN110210207A (en) * 2019-05-30 2019-09-06 中国联合网络通信集团有限公司 Authorization method and equipment

Also Published As

Publication number Publication date
CN110768968A (en) 2020-02-07
CN110768968B (en) 2022-08-19

Similar Documents

Publication Publication Date Title
CN110768968B (en) Authorization method, device, equipment and system based on verifiable statement
CN110768967B (en) Service authorization method, device, equipment, system and storage medium
WO2021068636A1 (en) Block chain-based creation method, apparatus, device and system for verifiable claim
JP6859506B2 (en) Digital certificate management methods, devices, and systems
US11818253B2 (en) Trustworthy data exchange using distributed databases
EP3905078A1 (en) Identity verification method and system therefor
US11539526B2 (en) Method and apparatus for managing user authentication in a blockchain network
KR20180017734A (en) System and method for authentication, user terminal, authentication server and service server for executing the same
CN112100594B (en) Service processing method, device and equipment based on block chain
CN111369242A (en) Method for recovering block chain assets through intelligent contracts, wallet and block chain link points
AU2020407439A1 (en) Data management systems and methods
CN113221142A (en) Authorization service processing method, device, equipment and system
CA3178249A1 (en) Systems and methods for conducting remote attestation
US20230376947A1 (en) De-centralized authentication in a network system
KR102593468B1 (en) Apparatus and method for authenticating and managing electronic signatures
CN111784550B (en) Method, device and equipment for processing inherited service
Sanzi et al. Trust Profiling to Enable Adaptive Trust Negotiation in Mobile Devices
CN115484065A (en) Identity verification method, device and equipment based on block chain

Legal Events

Date Code Title Description
PB01 Publication
PB01 Publication
SE01 Entry into force of request for substantive examination
SE01 Entry into force of request for substantive examination