CN115632794A - Distributed digital identity verification system, method and related device - Google Patents


Info

Publication number: CN115632794A
Application number: CN202211288928.5A
Authority: CN (China)
Legal status: Pending (status as listed by Google Patents, not a legal conclusion)
Other languages: Chinese (zh)
Inventors: 张红霞, 宫纪超, 延安, 马闪闪, 吴殿丞
Original and current assignee: Agricultural Bank of China
Prior art keywords: identity, distributed digital, target user, digital identity, request

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/32 ... including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L9/3218 ... using proof of knowledge, e.g. Fiat-Shamir, GQ, Schnorr, or non-interactive zero-knowledge proofs
    • H04L9/3236 ... using cryptographic hash functions
    • H04L9/3239 ... involving non-keyed hash functions, e.g. modification detection codes [MDCs], MD5, SHA or RIPEMD
    • H04L9/3247 ... involving digital signatures

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Storage Device Security (AREA)

Abstract

The system comprises a first identity management unit corresponding to a target user, a second identity management unit corresponding to a target verifier, and a processing unit corresponding to a target issuer. The first identity management unit responds to a service request operation triggered by the target user by generating a distributed digital identity verification request for that user; the second identity management unit verifies an attribute of the target user from a zero-knowledge proof and, if the attribute verification passes, generates a distributed digital identity read operation request for the target user; the processing unit retrieves the distributed digital identity file stored in the blockchain network according to the identity identifier, checks the request verification information against that file, and sends the verification result to the target verifier. Throughout, the target user authenticates to the target verifier with a verifiable claim, and data interworking between institutions is achieved on the basis of that authentication.

Description

Distributed digital identity verification system, method and related device
Technical Field
The present application relates to the field of data processing technologies, and in particular to a distributed digital identity verification system, method and related apparatus.
Background
With the rapid development of the digital society, digital identity plays a considerable role in its network security and informatization. A digital identity lets a user be identified through digital information, and can be used to bind, query and verify the digital information generated by the user's behaviour.
In traditional banking business, a user authenticates to the banking institution where the business is to be handled, and that institution stores the user's digital identity after authentication so that it can verify the user's identity when the user handles business later. At present, the banking industry generally manages users' digital identities in a centralized manner, which supports business management and control, operational supervision and data auditing.
However, under centralized management a user has to authenticate repeatedly to each organization handling a service, and the user digital identity information held by the different organizations forms data silos that are hard to interconnect; it also readily leads to security problems such as leakage of the user's identity privacy data.
Disclosure of Invention
In order to solve the above technical problems, the present application provides a distributed digital identity verification system, method and related device.
The embodiments of the application disclose the following technical scheme:
In one aspect, an embodiment of the present application provides a distributed digital identity verification system. The system includes a first identity management unit corresponding to a target user, a second identity management unit corresponding to a target verifier, and a processing unit corresponding to a target issuer:
the first identity management unit is used for responding to a service request operation triggered by the target user by generating a distributed digital identity verification request for the target user; the verification request comprises the identity identifier of the target user, a zero-knowledge proof of a verifiable claim of the target user, and a signature over the overall message, the overall message being the identity identifier together with the zero-knowledge proof of the verifiable claim;
the second identity management unit is used for performing attribute verification on the target user according to the zero-knowledge proof and, if the attribute verification passes, generating a distributed digital identity read operation request for the target user; the read operation request comprises the identity identifier of the target user and request verification information;
and the processing unit is used for acquiring the distributed digital identity file stored in the blockchain network according to the identity identifier, verifying the request verification information against the distributed digital identity file to obtain a verification result, and sending the verification result to the target verifier.
In another aspect, an embodiment of the present application provides a distributed digital identity verification method. The method is applied to a distributed digital identity verification system that includes a first identity management unit corresponding to a target user, a second identity management unit corresponding to a target verifier, and a processing unit corresponding to a target issuer, and the method includes:
responding, through the first identity management unit, to a service request operation triggered by the target user by generating a distributed digital identity verification request for the target user; the verification request comprises the identity identifier of the target user, a zero-knowledge proof of a verifiable claim of the target user, and a signature over the overall message, the overall message being the identity identifier together with the zero-knowledge proof of the verifiable claim;
performing, through the second identity management unit, attribute verification on the target user according to the zero-knowledge proof and, if the attribute verification passes, generating a distributed digital identity read operation request for the target user; the read operation request comprises the identity identifier of the target user and request verification information;
reading, through the processing unit, the distributed digital identity file stored in the blockchain network according to the identity identifier, verifying the request verification information against the distributed digital identity file to obtain a verification result, and sending the verification result to the target verifier.
In yet another aspect, an embodiment of the present application provides a computer device including a processor and a memory:
the memory is used for storing program code and transmitting the program code to the processor;
the processor is configured to perform the distributed digital identity verification method of the above aspect according to the instructions in the program code.
In yet another aspect, the present application provides a computer-readable storage medium for storing a computer program that executes the distributed digital identity verification method of the above aspect.
In yet another aspect, embodiments of the present application provide a computer program product comprising instructions which, when run on a computer, cause the computer to perform the distributed digital identity verification method described in the above aspect.
According to the technical scheme, when a target user needs to handle a service at a target verifier, the verification can be carried out through the distributed digital identity verification system so as to facilitate handling the service. In practice, the first identity management unit responds to a service request operation triggered by the target user by generating a distributed digital identity verification request for the target user; the request comprises the identity identifier of the target user, a zero-knowledge proof of a verifiable claim, and a signature over the overall message, where the overall message is the identity identifier together with the zero-knowledge proof of the verifiable claim. The second identity management unit performs attribute verification on the target user according to the zero-knowledge proof, so the attribute verification is completed without revealing the target user's private data; when the attribute verification passes it generates a distributed digital identity read operation request for the target user, comprising the identity identifier of the target user and request verification information. The processing unit then acquires the distributed digital identity file stored in the blockchain network according to the identity identifier, verifies the request verification information against that file, and sends the verification result to the target verifier.
The target user can thus initiate authentication to the target verifier with a verifiable claim previously issued by an authoritative issuer and a zero-knowledge proof of that claim; the target verifier then completes the verification by interacting with the target issuer, which uses the distributed digital identity file stored in the blockchain network, and the target verifier carries out subsequent operations such as handling the service according to the verification result. In the whole process the target user authenticates directly with the verifiable claim issued by the target issuer and the zero-knowledge proof of the claim, without submitting their identity data to the target verifier; correspondingly, the target verifier obtains the verification result through data interaction with the target issuer rather than by verifying the target user's identity data itself. All data used in the verification process can be data that the target user has authorized and had authenticated in advance, so data interworking is achieved through this verification mechanism. At the same time, because attribute verification is based on a zero-knowledge proof, problems such as leakage of the user's identity privacy data are avoided.
Drawings
In order to illustrate the embodiments of the present application or the technical solutions of the prior art more clearly, the drawings used in the description of the embodiments or of the prior art are briefly introduced below. The drawings described below are only some embodiments of the present application; those skilled in the art can obtain other drawings from them without creative effort.
Fig. 1 is a structural diagram of a distributed digital identity verification system according to an embodiment of the present application;
Fig. 2 is a schematic flowchart of a verifiable claim write operation provided by an embodiment of the present application;
Fig. 3 is a schematic flowchart of a distributed digital identity write operation according to an embodiment of the present application;
Fig. 4 is a structural diagram of a distributed digital identity verification apparatus according to an embodiment of the present application;
Fig. 5 is a block diagram of an identity manager according to an embodiment of the present application;
Fig. 6 is a structural diagram of a read operator according to an embodiment of the present application;
Fig. 7 is a block diagram of an identity write operator according to an embodiment of the present application;
Fig. 8 is a block diagram of a claim write operator provided by an embodiment of the present application;
Fig. 9 is a flowchart of a distributed digital identity verification method according to an embodiment of the present application;
Fig. 10 is a schematic flowchart of a distributed digital identity verification operation according to an embodiment of the present application.
Detailed Description
In order that the technical solutions of the present application may be better understood, the technical solutions in the embodiments are described clearly and completely below with reference to the drawings. The described embodiments are only some, not all, of the embodiments of the present application; all other embodiments that a person skilled in the art can derive from them without creative effort fall within the protection scope of the present application.
The following examples are intended to illustrate in particular:
Fig. 1 is a structural diagram of a distributed digital identity verification system provided in an embodiment of the present application. The system includes a first identity management unit corresponding to a target user, a second identity management unit corresponding to a target verifier, and a processing unit corresponding to a target issuer:
the first identity management unit is used for responding to a service request operation triggered by the target user by generating a distributed digital identity verification request for the target user.
The target user may be any user who needs to handle a service, and the target verifier may be the institution corresponding to that service, that is, the institution at which the target user needs to handle it. The target user triggers a service request operation, and the first identity management unit corresponding to the target user responds by generating a distributed digital identity verification request for the target user, with which the user authenticates to the target verifier. The verification request includes the identity identifier of the target user, a zero-knowledge proof of the target user's verifiable claim, and a signature over the overall message, the overall message being the identity identifier together with the zero-knowledge proof of the verifiable claim. In practice the overall message is signed with the target user's private key, so that whether the target user is the interacting party of this session can later be checked from the signature.
A verifiable claim is a tamper-evident credential digitally signed by its issuer. It generally contains attribute information associated with the user's digital identity, such as name, age, educational background and occupation, and is cryptographically secure, privacy-preserving and machine-readable. A zero-knowledge proof lets the prover convince the verifier that a statement is true without giving the verifier any other useful information, and has the properties of completeness, soundness and zero knowledge. The target user can therefore authenticate to the target verifier with a zero-knowledge proof of the verifiable claim, completing the verification while keeping the underlying data safe.
The second identity management unit is used for performing attribute verification on the target user according to the zero-knowledge proof and, if the attribute verification passes, generating a distributed digital identity read operation request for the target user.
When the target verifier receives the distributed digital identity verification request of the target user, the second identity management unit corresponding to the target verifier performs attribute verification on the target user according to the zero-knowledge proof. If the attribute verification passes, the target user satisfies the conditions under which the target verifier handles the service for the user, and a distributed digital identity read operation request for the target user is generated. That read operation request comprises the identity identifier of the target user and request verification information, so that the identity of the target user can be verified further: for example, the target user's authority is checked with the public key obtained from the identity identifier, confirming again that the target user is the interacting party of this session, and signature verification also confirms whether the verifiable claim's authorization is legitimate. If the attribute verification fails, the target user does not satisfy the conditions under which the target verifier handles the service for the user; the operation can be interrupted immediately and a verification-failure message returned to the target user, and the operation of handling the service for the target user is not continued.
In a possible implementation, the system may further include a parsing unit:
the parsing unit is used for parsing the distributed digital identity verification request, determining the target verifier corresponding to the service request operation, and sending the distributed digital identity verification request to the second identity management unit;
the parsing unit is also used for parsing the distributed digital identity read operation request, determining the target issuer corresponding to the distributed digital identity read operation request, and sending the distributed digital identity read operation request to the processing unit.
Because the target user may handle different services with different verifiers, the parsing unit can be deployed to parse the target user's distributed digital identity verification request, determine the target verifier corresponding to the service request operation the user triggered, and route the verification request to the second identity management unit of that verifier. Similarly, the parsing unit parses the distributed digital identity read operation request, determines the target issuer corresponding to it, and routes the read operation request to that issuer.
The target user's verifiable claim is issued by a verifiable claim issuer, and in one possible implementation the system further comprises an issuing processing unit corresponding to the verifiable claim issuer:
the first identity management unit is also used for responding to a verifiable claim write operation request triggered by the target user by sending the verifiable claim write operation request to the parsing unit; the verifiable claim write operation request comprises the identity identifier of the target user, the attribute to be authorized, and the target user's signature;
the parsing unit is also used for parsing the verifiable claim write operation request, determining the verifiable claim issuer corresponding to it, and sending the verifiable claim write operation request to that issuer;
and the issuing processing unit is used for verifying the verifiable claim information corresponding to the target user according to the identity identifier, generating the target user's verifiable claim if the verification passes, and sending the verifiable claim to the first identity management unit.
The attribute to be authorized is an identity attribute that the target user wants the verifiable claim issuer to authoritatively attest. For example, when the target user wants the issuer to attest their age, the age attribute is set as the attribute to be authorized. The signature is generated by signing the identity identifier and the attribute to be authorized with the user's private key, so that the verifiable claim issuer can confirm by signature verification that the target user is the interacting party of this session.
To protect the data in transit, in a possible implementation the identity identifier, the attribute to be authorized and the signature contained in the verifiable claim write operation request are encrypted as a whole, so that the data travel in ciphertext form during the interaction.
When the target user needs a verifiable claim, the user triggers a verifiable claim write operation request; the parsing unit parses the request to determine the corresponding verifiable claim issuer and routes the request to it. After the verifiable claim issuer receives the target user's request, the issuing processing unit verifies the verifiable claim information corresponding to the target user, i.e. the identity attribute information whose authenticity the target user wants to prove through the verifiable claim; when the verification passes, a verifiable claim is generated for the target user and returned to the first identity management unit corresponding to the target user. In this way the target user's identity attribute information receives an authoritative endorsement. Correspondingly, if the verification fails, the target user's operation is terminated. Besides applying for a verifiable claim, a verifiable claim write operation request may also cover operations such as updating and revoking the claim.
In practice, issuance of a verifiable claim can be implemented by the verifiable claim write operation flow shown in Fig. 2: the target user sends a verifiable claim write operation request through the first identity management unit, the request being an application for, update of, or revocation of a verifiable claim; after parsing by the parsing unit it is routed to the designated verifiable claim issuer, specifically to the issuing processing unit of that issuer. On receiving the request, the verifiable claim issuer first verifies the verifiable claim information through its verification unit; if the verification passes, the issuing processing unit issues and generates the verifiable claim, giving the target user's identity attribute information an authoritative endorsement, and if the verification fails, the user's operation is terminated. The issued verifiable claim may also be returned at the same time.
The processing unit is used for acquiring the distributed digital identity file stored in the blockchain network according to the identity identifier, verifying the request verification information against the distributed digital identity file to obtain a verification result, and sending the verification result to the target verifier.
Blockchain is an innovative application of computer technologies such as distributed data storage, peer-to-peer transmission, consensus mechanisms and cryptographic algorithms in the internet era. Its decentralized architecture, the tamper-resistance of on-chain data, and the consistency and synchronization of nodes across the whole network can be used to rebuild the digital identity infrastructure in a distributed mode. On the basis of guaranteeing the security and integrity of digital identity information, the identity authentication mode of banking users is optimized to solve the problems that user identity data are hard to interconnect and that cross-institution service efficiency is low. Data interworking can therefore be realized with the blockchain network; specifically, nodes of the blockchain network can be maintained at the target issuer so that the target issuer can perform the related verification operations.
The processing unit corresponding to the target issuer acquires the target user's distributed digital identity file stored in the blockchain network, verifies the request verification information of the target user sent by the target verifier against that file to obtain a verification result, and sends the verification result to the target verifier, which then performs subsequent operations such as handling the service for the target user according to the result. For example, if the verification result is a pass, the target verifier provides the service corresponding to the service request operation (if the operation the target user triggered was the purchase of a financial product, the target verifier provides that purchase service); if the verification result is a fail, the service corresponding to the service request operation is refused.
In one possible implementation, the system may further include a contract execution unit:
the processing unit is further configured to generate a smart contract call request according to the identity identifier and send the smart contract call request to the contract execution unit;
and the contract execution unit is configured to read the distributed digital identity file according to the smart contract call request sent by the processing unit and send the distributed digital identity file to the processing unit.
Specifically, the processing unit generates a smart contract call request according to the identity identifier of the target user and sends it to the contract execution unit; the contract execution unit then reads the distributed digital identity file of the target user stored in the block chain according to the smart contract call request and returns it to the processing unit. That is, the processing unit corresponding to the target issuer reads the data stored in the block chain through the contract execution unit on the basis of the smart contract call request.
In one possible implementation, the contract execution unit may include a contract driver and a contract read-write pipeline, specifically:
the contract driver is configured to execute preset distributed digital identity smart contract code according to the smart contract call request to obtain an execution result;
and the contract read-write pipeline is configured to read the distributed digital identity file according to the execution result.
That is, data interaction with the block chain network is performed by the contract read-write pipeline, driven by the contract driver, in order to read the distributed digital identity file stored in the block chain network.
In order to realize data interoperability, after the target user has completed signature verification and obtained its own distributed digital identity file, that file can be uploaded to and stored in the block chain network, so that the identity data generated after a single verification can be reused subsequently, possibly by different verifiers, achieving the goal of one-time verification and multiple use. Therefore, in a possible implementation, the system may further include a block chain storage unit, specifically:
the first identity management unit is further configured to respond to an on-chain storage operation of the distributed digital identity file triggered by the target user by generating a distributed digital identity write operation request and sending it to the processing unit; the distributed digital identity write operation request includes the distributed digital identity file;
the processing unit is further configured to verify the distributed digital identity file and, if the verification passes, send the distributed digital identity file to the block chain storage unit;
and the block chain storage unit is configured to store the distributed digital identity file.
In this way the distributed digital identity file of the user is uploaded to and stored in the block chain network, so that after a single verification the verified data can be used subsequently, and data interoperability is realized.
In practical applications, storage of the distributed digital identity file may be implemented on the basis of a distributed digital identity write operation. Specifically, as shown in fig. 3, the distributed digital identity write operation may include the following. The target user issues a distributed digital identity write operation request through the first identity management unit; the request may be an application, update or revocation operation on a distributed digital identity file. The request is parsed and processed by the parsing unit and then distributed to the processing unit corresponding to the designated issuer. After the issuer receives the distributed digital identity write operation request, the verification unit corresponding to the issuer verifies the distributed digital identity information; if the verification passes, data is written to the block chain network through the contract adapter (specifically, the processing unit corresponding to the issuer calls the corresponding identity write operator and smart contract adapter to send the processing result to the contract execution unit), and if the verification fails, the user's related operation is terminated. The contract execution unit then calls the contract read-write pipeline through the contract driver and sends the request processing result to the block chain storage unit, which stores the distributed digital identity file contained in the request processing result in the block chain network and may also return the distributed digital identity file.
According to the above technical solution, when a target user needs to handle related services at a target verifier, the related verification can be carried out through the distributed digital identity verification system so as to facilitate service handling. In practical application, the first identity management unit responds to a service request operation triggered by the target user by generating a distributed digital identity verification request of the target user, which includes the identity identifier of the target user, a zero-knowledge proof of a verifiable claim, and a signature over the whole message, the whole message being the identity identifier together with the zero-knowledge proof of the verifiable claim. The second identity management unit performs attribute verification on the target user according to the zero-knowledge proof, so that the attribute verification is completed without revealing the target user's private data; when the attribute verification result is a pass, it generates a distributed digital identity read operation request of the target user, which includes the identity identifier of the target user and the request verification information. The processing unit then acquires the distributed digital identity file stored in the block chain network according to the identity identifier, verifies the request verification information against that file, and sends the verification result to the target verifier. The verification is thus completed by the target issuer using the distributed digital identity file stored in the block chain network, and the target verifier can perform subsequent operations such as service handling according to the verification result.
Throughout this process, the target user can be verified directly with the verifiable claim issued by the target issuer and the zero-knowledge proof of that claim, without submitting its identity data to the target verifier; correspondingly, the target verifier obtains the verification result directly by exchanging data with the target issuer rather than by verifying the target user's identity data itself. The data used in the whole verification process can be data that the target user has authorized and that has been authenticated in advance, so data interoperability is realized through this verification mechanism. At the same time, because attribute verification is based on a zero-knowledge proof, leakage of the user's private identity data is avoided.
Correspondingly, an embodiment of the present application further provides a distributed digital identity verification device, the structure of which can be seen in fig. 4. The units of the distributed digital identity verification device adopt a distributed deployment architecture and, on that basis, can be flexibly deployed at the user side, the verifier and the issuer. Specifically, the device includes the following:
the identity management unit, which is used to manage the life cycle of the target user's distributed digital identity, verifiable claim, and zero-knowledge proof of the verifiable claim. It is understood that the identity management unit includes an identity management unit on the user side (e.g. the first identity management unit) and an identity management unit on the verifier side (e.g. the second identity management unit). Specifically, the identity management unit mainly comprises an identity manager and a storage. The identity manager generates and verifies life cycle management requests for the distributed digital identity, the verifiable claim and the zero-knowledge proof of the verifiable claim, where life cycle management specifically covers application, update and revocation and can be divided by function into distributed digital identity write operations, verifiable claim write operations and distributed digital identity verification operations. The storage holds the target user's distributed digital identity file and verifiable claims.
As shown in fig. 5, the identity manager mainly includes a distributed digital identity file management operator, a verifiable claim management operator, a zero-knowledge proof generation operator and a zero-knowledge proof verification operator, specifically:
the distributed digital identity file management operator is mainly used to manage the distributed digital identity file. Its main flow is: the target user generates distributed digital identity application, update and revocation files through the distributed digital identity file management operator, encapsulates them in a distributed digital identity write operation request that specifies the address of the processing unit of the distributed digital identity issuer, sends the request to the parsing unit, receives and parses the execution result returned by the parsing unit, and stores the result in the storage.
The verifiable claim management operator is mainly used to manage the verifiable claim. Its main flow is: the target user generates verifiable claim application, update and revocation files through the verifiable claim management operator, encapsulates them in a verifiable claim write operation request that specifies the address of the processing unit of the distributed digital identity issuer, sends the request to the parsing unit, receives and parses the execution result returned by the parsing unit, and stores the result in the storage.
The zero-knowledge proof generation operator is mainly used to generate the zero-knowledge proof of the verifiable claim. Its main flow is: the target user generates a zero-knowledge proof of the verifiable claim through the zero-knowledge proof generation operator, encapsulates it in a distributed digital identity verification operation request that specifies the address of the identity management unit of the distributed digital identity verifier (e.g. the address of the second identity management unit), sends the request to the parsing unit, and receives and parses the execution result returned by the parsing unit.
The zero-knowledge proof verification operator is mainly used to verify the zero-knowledge proof of a verifiable claim, and thereby verifies the identity attributes of the target user without obtaining the target user's real identity attribute information. Its main flow is: the verifier verifies the zero-knowledge proof of the verifiable claim through the zero-knowledge proof verification operator so as to verify the attributes in the target user's identity attribute information; if the verification passes, a distributed digital identity read operation request specifying the address of the processing unit of the distributed digital identity issuer (e.g. the address of the processing unit corresponding to the target issuer) is encapsulated and sent to the parsing unit, and the execution result returned by the parsing unit is received and parsed; if the verification fails, the related operation is terminated and an error is returned.
The parsing unit mainly comprises a request filter and a request distributor. The request filter parses the requests from the identity management units (i.e. the distributed digital identity verification request sent by the first identity management unit and the distributed digital identity read operation request sent by the second identity management unit) and identifies the target verifier and the target issuer. The request distributor distributes the request of the identity manager to the specified target verifier or target issuer according to the result of the request filter, specifically by sending the corresponding request to the target address of the target verifier or the target address of the target issuer.
The processing unit parses the on-chain operation in a distributed digital identity request and calls the corresponding reader-writer and block chain adapter to process the request. The processing unit mainly comprises a contract operation filter, a read operator, an identity write operator, a claim write operator and a smart contract adapter.
The contract operation filter parses the operation type of the request and distributes the request to the corresponding read or write operator for processing. The read operator mainly includes a data parsing operator, a smart contract query operator and a verification operator, as shown in fig. 6. The data parsing operator processes a user's distributed digital identity read operation request and parses the distributed digital identity file and its identity identifier out of the request; the smart contract query operator initiates a distributed digital identity smart contract query operation and queries on-chain data through the smart contract adapter; and the verification operator sends the request verification information and the on-chain information to the verification unit for correctness verification and returns the verification result to the parsing unit. The main flow is: parse and acquire the distributed digital identity read operation request distributed by the parsing unit, obtain the identity identifiers of the target user and the issuer from the request, encapsulate a distributed digital identity contract query operation, obtain and parse the on-chain public keys of the user and the issuer through the contract adapter, call the verification unit to verify the correctness of the request verification information and the on-chain data, and return the verification result to the parsing unit.
The identity write operator processes a user's distributed digital identity write operation request: it parses the distributed digital identity file out of the request, performs identity validity verification through the verification unit, and after the verification passes writes the distributed digital identity file to be stored to the block chain network through the smart contract adapter. The main flow is: parse and acquire the distributed digital identity write operation request distributed by the parsing unit; if the request belongs to the distributed digital identity update or revocation stage, extract the distributed digital identity from the request, encapsulate a distributed digital identity contract query operation, obtain and parse the user's on-chain public key through the contract adapter, and call the verification unit to verify the identity validity. If the verification passes, encapsulate a distributed digital identity contract update operation and write the verified distributed digital identity file to the chain through the contract adapter; if the verification fails, terminate the related operation and return an error. In both cases the processing result is returned to the parsing unit. The identity write operator mainly comprises a data parsing operator, a smart contract update operator, a smart contract query operator and a verification operator, as shown in fig. 7.
The claim write operator processes a user's verifiable claim write operation request: it parses the verifiable claim out of the request, performs claim validity verification through the verification unit, calls the digital signature operator to issue the verifiable claim after the verification passes, and returns the verifiable claim to the parsing unit. The main flow is: parse and acquire the verifiable claim write operation request distributed by the parsing unit, extract the distributed digital identity from the request, encapsulate a distributed digital identity contract query operation, obtain and parse the user's on-chain public key through the contract adapter, and call the verification unit to verify the validity of the claim. If that verification passes, continue by verifying whether the user's identity attribute claim is real information; if it fails, terminate the related operation and return an error. If the attribute verification passes, call the digital signature operator to issue the generated verifiable claim and return it to the parsing unit; if it fails, terminate the related operation and return an error. The claim write operator mainly includes a data parsing operator, a verification operator, a digital signature operator and a smart contract query operator, as shown in fig. 8.
The verification unit verifies the legality or correctness of requests and on-chain data. It mainly comprises an identity legality verifier, a claim legality verifier and a correctness verifier, specifically:
the identity legality verifier processes the distributed digital identity write operation request: it performs a normative check on data such as the distributed digital identity file and the contract version in the request, verifies the validity of the signature on the distributed digital identity file, and confirms the association between the request initiator (e.g. the target user) and the request information. The main flow is: receive and parse the distributed digital identity write operation request and the on-chain user public key information sent by the processing unit, obtain the detailed information of the distributed digital identity, and perform data normalization verification on the distributed digital identity, user public key, user signature, contract version and other information contained in it. If that verification passes, continue by verifying the validity of the user signature: in the application stage the user signature is verified with the user public key carried in the request, while in the update and revocation stages it is verified with the user public key together with the user public key recorded on the chain; if the verification fails, terminate the related operation and return an error. In either case the verification result is returned to the processing unit.
The claim legality verifier verifies the claim write operation request: it checks the normalization of data such as the verifiable claim request file and the contract version in the request, verifies the signature information of the verifiable claim request, and confirms the association between the request initiator (e.g. the target user) and the request information (e.g. the verifiable claim information). The main flow is: receive and parse the verifiable claim write operation request and the on-chain user public key information sent by the processing unit, obtain the detailed claim information, and perform data normalization verification on the distributed digital identity, user attribute description, user signature and contract version information contained in it. If that verification passes, continue by verifying the user's signature information with the user's on-chain public key; if the verification fails, terminate the related operation and return an error. In either case the verification result is returned to the processing unit.
The correctness verifier handles the distributed digital identity read operation request: for the request sent by the processing unit, it verifies the message signature in the request and the signature of the verifiable claim with the user public key and the issuer public key queried on the chain, confirming the correctness of the claim and the association between the claim and the issuer. The main flow is: receive and parse the read operation request data, the on-chain user public key and the on-chain issuer public key sent by the processing unit, obtain the detailed information, and perform data normalization verification on the message signature, verifiable claim signature, verifiable claim hash value and other information contained in it. If that verification passes, compute the hash value of the request data and verify the validity of the message signature using the hash value and the user's on-chain public key as input; if the verification fails, terminate the related operation and return an error. If it passes, continue by verifying the validity of the verifiable claim signature using the verifiable claim hash value and the issuer's on-chain public key as input, so as to ensure that the user's claim is endorsed by an authoritative banking institution; if this verification fails, terminate the related operation and return an error. In either case the verification result is returned to the processing unit.
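As an added illustration that is not part of the patent text, the following Go program models the two signature rules described above: the identity legality verifier's choice of key for write operation requests (the key carried in the request at the application stage, the key recorded on chain at the update and revocation stages) and the correctness verifier's two-step check of a read operation request (message signature under the user's on-chain public key, then verifiable claim signature under the issuer's on-chain public key). It assumes Ed25519 signatures, SHA-256 over a canonical JSON encoding as the hash of the request data, a Go map standing in for the block chain storage unit, and constructed did:example identifiers; none of these names or types come from the patent.

```go
package main

import (
	"crypto/ed25519"
	"crypto/sha256"
	"encoding/json"
	"errors"
	"fmt"
)

// DIDDocument is the minimal distributed digital identity file assumed here: an identifier bound to a public key.
type DIDDocument struct {
	ID        string `json:"id"`
	PublicKey []byte `json:"publicKey"`
}

// Chain stands in for the block chain storage unit; an identifier not on chain yields a nil key.
type Chain map[string]DIDDocument

// VerifiableClaim is the issuer-endorsed attribute statement; Signature is the issuer's signature over Hash().
type VerifiableClaim struct {
	Subject   string            `json:"subject"`
	Issuer    string            `json:"issuer"`
	Attrs     map[string]string `json:"attrs"`
	Signature []byte            `json:"signature,omitempty"`
}

// ReadRequest reaches the issuer's processing unit; the claim's attribute values never travel in it.
type ReadRequest struct {
	UserDID   string `json:"userDid"`
	IssuerDID string `json:"issuerDid"`
	ClaimHash []byte `json:"claimHash"`
	ClaimSig  []byte `json:"claimSig"`
	Signature []byte `json:"signature,omitempty"` // user signature over Hash() of the other fields
}

// WriteRequest is the write operation request; Signature is the user's signature over Hash() of Op and Document.
type WriteRequest struct {
	Op        string      `json:"op"` // "apply", "update" or "revoke"
	Document  DIDDocument `json:"document"`
	Signature []byte      `json:"signature,omitempty"`
}

// canonicalHash is SHA-256 over the JSON encoding (encoding/json sorts map keys).
func canonicalHash(v interface{}) []byte {
	b, _ := json.Marshal(v) // plain structs and string maps cannot fail to encode
	sum := sha256.Sum256(b)
	return sum[:]
}

// The Hash methods clear the signature field of a copy before hashing.
func (c VerifiableClaim) Hash() []byte { c.Signature = nil; return canonicalHash(c) }
func (r ReadRequest) Hash() []byte     { r.Signature = nil; return canonicalHash(r) }
func (w WriteRequest) Hash() []byte    { w.Signature = nil; return canonicalHash(w) }

// verify adds the length checks that ed25519.Verify would otherwise panic on.
func verify(pub, msg, sig []byte) bool {
	return len(pub) == ed25519.PublicKeySize && len(sig) == ed25519.SignatureSize &&
		ed25519.Verify(ed25519.PublicKey(pub), msg, sig)
}

// VerifyReadRequest models the correctness verifier: both public keys come from the chain, never
// from the request. Step 1 binds the message to the user, step 2 binds the claim to the issuer.
func VerifyReadRequest(chain Chain, req ReadRequest) error {
	if !verify(chain[req.UserDID].PublicKey, req.Hash(), req.Signature) {
		return errors.New("message signature invalid under user's on-chain key")
	}
	if !verify(chain[req.IssuerDID].PublicKey, req.ClaimHash, req.ClaimSig) {
		return errors.New("claim signature invalid under issuer's on-chain key")
	}
	return nil
}

// VerifyWriteRequest models the identity legality verifier's key-source rule: an application is
// checked with the key inside the new file, while an update or revocation must be signed with the
// key already on chain, so only the current controller of an identifier can replace or retire it.
func VerifyWriteRequest(chain Chain, req WriteRequest) error {
	key := req.Document.PublicKey // application stage: the key proposed by the applicant
	if req.Op == "update" || req.Op == "revoke" {
		key = chain[req.Document.ID].PublicKey // update/revocation stage: the current on-chain key
	} else if req.Op != "apply" {
		return fmt.Errorf("unknown write operation %q", req.Op)
	}
	if !verify(key, req.Hash(), req.Signature) {
		return fmt.Errorf("%s request signature invalid", req.Op)
	}
	return nil
}

func main() {
	issuerPub, issuerPriv, _ := ed25519.GenerateKey(nil) // nil reader selects crypto/rand
	userPub, userPriv, _ := ed25519.GenerateKey(nil)
	chain := Chain{"did:example:user": {"did:example:user", userPub}, "did:example:bank": {"did:example:bank", issuerPub}}
	claim := VerifiableClaim{Subject: "did:example:user", Issuer: "did:example:bank", Attrs: map[string]string{"kyc": "passed"}}
	claim.Signature = ed25519.Sign(issuerPriv, claim.Hash()) // the issuer endorses the claim
	req := ReadRequest{UserDID: claim.Subject, IssuerDID: claim.Issuer, ClaimHash: claim.Hash(), ClaimSig: claim.Signature}
	req.Signature = ed25519.Sign(userPriv, req.Hash()) // the user signs the whole message
	fmt.Println("correctness verifier:", VerifyReadRequest(chain, req))
}
```

A request whose identifiers are not on chain, whose claim was endorsed by a key other than the issuer's, or whose fields were altered after signing is rejected, and an update signed only with the newly proposed key is rejected until the current on-chain key authorizes it.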
The contract execution unit mainly comprises a contract driver and a contract read-write pipeline and is used for data interaction with the block chain network. The contract driver executes preset distributed digital identity smart contract code, which implements the distributed digital identity business logic and the read and write functions on the block chain network; the contract read-write pipeline writes the execution result of the contract driver into the block chain network (specifically, the block chain storage unit) or queries on-chain data from the block chain network. The main business flow is: the smart contract adapter of the processing unit sends a request to the contract driver of the corresponding contract execution unit; the contract adapter then calls the corresponding distributed digital identity business contract method, according to the method address of the distributed digital identity smart contract code in the request, to perform business processing on the request; after the business processing is completed, the contract adapter calls the block chain network read and write methods to write the execution result into the block chain network or read the corresponding data from it (e.g. read the distributed digital identity file). The smart contract adapter adapts to different contract execution units, converts the request processing result according to the type and data protocol of the actual block chain network, and forwards the processing result to the contract execution unit.
The block chain storage unit stores the user's distributed digital identity file and mainly comprises a distributed storage. The distributed storage provides a highly available storage environment for the distributed digital identity device, guarantees the authenticity and reliability of the distributed digital identity file on the block chain network, and enables network-wide sharing of the distributed digital identity file and data interoperability.
It can be understood that, since the functions performed by the user side, the verifier and the issuer in the distributed digital identity verification process differ, the device structure shown in fig. 4 may be dynamically adjusted in actual deployment and then deployed in a distributed manner. For example, the parsing unit may be deployed at the issuer and the verifier, maintaining the address information of every issuer and verifier in the distributed digital identity federation, while the user and the verifier configure a parsing unit address list in the identity management unit. For another example, the processing unit, the verification unit, the contract execution unit and the block chain storage unit may be deployed on an issuer server, so that a user's distributed digital identity is authenticated by one party and verified by many parties, achieving identity portability. The distributed digital identity federation may include the target user, the target verifier and the target issuer described above, and it is understood that other users, verifiers and issuers may also be included.
The distributed digital identity verification method provided by the embodiment of the present application can be implemented by computer equipment, which may be a terminal device or a server; the server may be an independent physical server, a server cluster or distributed system formed by a plurality of physical servers, or a cloud server providing cloud computing services. Terminal devices include, but are not limited to, mobile phones, computers, intelligent voice interaction devices, intelligent household appliances, vehicle-mounted terminals and the like. The terminal device and the server may be connected directly or indirectly through wired or wireless communication, which is not limited in this application.
Fig. 9 is a flowchart of a distributed digital identity verification method according to an embodiment of the present application. The method is applied to a distributed digital identity verification system that includes a first identity management unit corresponding to a target user, a second identity management unit corresponding to a target verifier, and a processing unit corresponding to a target issuer, and includes S901 to S903:
S901: responding, through the first identity management unit, to a service request operation triggered by the target user by generating a distributed digital identity verification request of the target user; the distributed digital identity verification request includes the identity identifier of the target user, a zero-knowledge proof of a verifiable claim of the target user, and a signature over the whole message, the whole message comprising the identity identifier and the zero-knowledge proof of the verifiable claim;
S902: performing, through the second identity management unit, attribute verification on the target user according to the zero-knowledge proof, and if the attribute verification result is a pass, generating a distributed digital identity read operation request of the target user; the distributed digital identity read operation request includes the identity identifier of the target user and request verification information;
S903: reading, through the processing unit, the distributed digital identity file stored in the block chain network according to the identity identifier, verifying the request verification information against the distributed digital identity file to obtain a verification result, and sending the verification result to the target verifier.
In a possible implementation manner, the system further includes a parsing unit, and the method further includes:
analyzing the distributed digital identity authentication request through the analysis unit, determining the target authentication party corresponding to the service request operation, and sending the distributed digital identity authentication request to the second identity management unit;
and analyzing the distributed digital identity reading operation request through the analysis unit, determining a target licensor corresponding to the distributed digital identity reading operation request, and sending the distributed digital identity reading operation request to the processing unit.
In one possible implementation, the system further includes a certification processing unit corresponding to the verifiable assertion prover, and the method further includes:
responding to a verifiable statement write operation request triggered by the target user through the first identity management unit, and sending the verifiable statement write operation request to the analysis unit; the verifiable statement write operation request comprises an identity of the target user, an attribute to be authorized of the target user and a signature;
analyzing the verifiable statement write operation request through the analysis unit, determining a verifiable statement certificate sender corresponding to the verifiable statement write operation request, and sending the verifiable statement write operation request to the verifiable statement certificate sender;
and verifying the verifiable statement information corresponding to the target user through the certification processing unit according to the identity, if the verifiable statement information passes the verification, generating the verifiable statement of the target user, and sending the verifiable statement to the first identity management unit.
In one possible implementation, the system further includes a contract execution unit, and the method further includes:
generating an intelligent contract calling request according to the identity through the processing unit, and sending the intelligent contract calling request to the contract execution unit;
and reading the distributed digital identity file according to the intelligent contract calling request sent by the processing unit through the contract execution unit, and sending the distributed digital identity file to the processing unit.
In one possible implementation, the contract execution unit includes a contract driver and a contract read-write pipeline, and reading, by the contract execution unit, the distributed digital identity file according to the smart contract invocation request sent by the processing unit includes:
executing, through the contract driver, preset distributed digital identity smart contract code according to the smart contract invocation request to obtain an execution result;
and reading, through the contract read-write pipeline, the distributed digital identity file according to the execution result.
In one possible implementation, the system further includes a blockchain storage unit, and the method further includes:
responding, through the first identity management unit, to an on-chain storage operation of the distributed digital identity file triggered by the target user, generating a distributed digital identity write operation request, and sending the distributed digital identity write operation request to the processing unit; the distributed digital identity write operation request comprises the distributed digital identity file;
verifying the distributed digital identity file through the processing unit, and if the distributed digital identity file passes the verification, sending the distributed digital identity file to the blockchain storage unit;
and storing the distributed digital identity file through the blockchain storage unit.
It will be understood that this method embodiment substantially corresponds to the system embodiment, so reference may be made to the preceding description of the system embodiment for the relevant points.
Fig. 10 is a schematic flowchart of a distributed digital identity verification operation provided in an embodiment of the present application. Verification of a distributed digital identity may be completed on the basis of this operation, and its flow may include the following. The target user generates, by calling the first identity management unit, a zero-knowledge proof of a verifiable claim and thereby a distributed digital identity verification request, which is distributed through the parsing unit to the identity management unit of the specified verifier (the second identity management unit of the target verifier). The target verifier performs attribute verification on the target user: specifically, the target verifier verifies the zero-knowledge proof of the verifiable claim by calling the second identity management unit; if the verification passes, the second identity management unit sends a distributed digital identity read operation request, and if the verification fails, the related operation of the target user is terminated. The distributed digital identity read operation request is then distributed through the parsing unit to the processing unit of the specified issuer (the processing unit of the target issuer). After receiving the distributed digital identity read operation request, the processing unit of the target issuer calls the contract execution unit to read the distributed digital identity file stored in the blockchain network; if the verification fails, the related operation of the target issuer is terminated.
Specifically, the contract execution unit calls the contract read-write pipeline through the contract driver, reads the distributed digital identity file from the blockchain network and returns it to the processing unit; the processing unit then calls the verification unit to verify the request verification information. If the verification passes, an authentication success result is returned, the target user is allowed to access the financial service provided by the target verifier, and the target verifier provides the target user with the business handling service corresponding to the service request operation; if the verification fails, the subsequent access operations of the target user are terminated, and the business handling service corresponding to the service request operation is no longer provided to the target user.
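The flow just described (issuance of a verifiable claim, on-chain storage of the DID document, attribute verification by the verifier, and the issuer-side check of the request signature against the key recorded on the ledger) as an added Python illustration; this is constructed example code, not the application's own implementation. The page does not name a proof system, so the zero-knowledge proof of the verifiable claim is modelled here as a Schnorr proof of knowledge of the holder's key bound to the verifier's nonce (the same arithmetic as the Schnorr signature placed over the whole message), the blockchain storage unit is an in-memory dictionary, and the group parameters are a deliberately tiny constructed safe prime (p = 2039) chosen for readability, not security; all identifiers and field names are assumed.

```python
import hashlib
import secrets

# Constructed toy group: safe prime p = 2q + 1 and g = 4, a generator of the order-q subgroup.
# Deliberately tiny so the arithmetic is readable; a deployment would use a standard curve.
P, Q, G = 2039, 1019, 4
LEDGER = {}  # stands in for the blockchain storage unit: identity -> DID document

def challenge(*parts: bytes) -> int:
    """Fiat-Shamir challenge in Z_q over the concatenated parts."""
    return int.from_bytes(hashlib.sha256(b"|".join(parts)).digest(), "big") % Q

def keygen():
    x = secrets.randbelow(Q - 1) + 1
    return x, pow(G, x, P)

def sign(x: int, msg: bytes):
    """Schnorr signature: a non-interactive zero-knowledge proof of knowledge of x for y = g^x."""
    k = secrets.randbelow(Q - 1) + 1
    e = challenge(str(pow(G, k, P)).encode(), msg)
    return e, (k - e * x) % Q

def verify(y: int, msg: bytes, sig) -> bool:
    e, s = sig
    return challenge(str(pow(G, s, P) * pow(y, e, P) % P).encode(), msg) == e

def write_did(identity: str, pubkey: int) -> None:
    """On-chain storage: the DID document records the key later used to check request signatures."""
    LEDGER[identity] = {"id": identity, "verificationKey": pubkey}

def claim_body(c: dict) -> bytes:
    return f"{c['holder']}|{c['holderKey']}|{c['attr']}".encode()

def issue_claim(issuer_sk: int, issuer_id: str, holder_id: str, attr: str) -> dict:
    """Certification processing unit: bind an attribute to the holder's on-chain key."""
    c = {"holder": holder_id, "holderKey": LEDGER[holder_id]["verificationKey"],
         "attr": attr, "issuer": issuer_id}
    c["issuerSig"] = sign(issuer_sk, claim_body(c))
    return c

def build_request(holder_sk: int, holder_id: str, claim: dict, nonce: bytes) -> dict:
    """First identity management unit: proof bound to the verifier's nonce, then a signature
    over the whole message (identity + proof) so neither field can be swapped in transit."""
    proof = sign(holder_sk, b"present|" + nonce + claim_body(claim))
    sig = sign(holder_sk, f"{holder_id}|{proof}".encode())
    return {"id": holder_id, "claim": claim, "proof": proof, "sig": sig}

def attribute_check(req: dict, nonce: bytes, issuer_pk: int, wanted: str):
    """Second identity management unit: accept only if the trusted issuer signed the claim and the
    presenter proved knowledge of its bound key; returns the read operation request, or None."""
    c = req["claim"]
    ok = (c["holder"] == req["id"] and c["attr"] == wanted
          and verify(issuer_pk, claim_body(c), c["issuerSig"])
          and verify(c["holderKey"], b"present|" + nonce + claim_body(c), req["proof"]))
    return {"id": req["id"], "proof": req["proof"], "sig": req["sig"]} if ok else None

def processing_unit(read_req: dict) -> bool:
    """Issuer-side processing unit: resolve the DID document by identity and verify the signature
    with the key on record, never with a key carried in the request itself."""
    doc = LEDGER.get(read_req["id"])
    if doc is None:
        return False
    return verify(doc["verificationKey"], f"{read_req['id']}|{read_req['proof']}".encode(), read_req["sig"])
```

The verifier never consults the ledger: it trusts only the issuer's key it already holds, while the binding between the presented identity and the on-chain key is checked by the processing unit, which is why a request whose identity field is swapped fails there even though the claim and proof are intact.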
It will be appreciated that this operation flow corresponds substantially to the system embodiment, so reference may be made to the preceding description of the system embodiment for the relevant points.
In yet another aspect, an embodiment of the present application provides a computer device, including a processor and a memory:
the memory is used for storing program codes and transmitting the program codes to the processor;
the processor is configured to execute the distributed digital identity authentication method provided by the above embodiments according to instructions in the program code.
The computer device may include a terminal device or a server, and the aforementioned distributed digital identity authentication system may be configured in the computer device.
In still another aspect, an embodiment of the present application further provides a storage medium, where the storage medium is used to store a computer program, where the computer program is used to execute the distributed digital identity authentication method provided in the foregoing embodiment.
In addition, an embodiment of the present application also provides a computer program product comprising instructions which, when run on a computer, cause the computer to execute the distributed digital identity authentication method provided by the above embodiments.
Those of ordinary skill in the art will understand that all or part of the steps for implementing the method embodiments may be completed by hardware controlled by program instructions; the program may be stored in a computer-readable storage medium and, when executed, performs the steps of the method embodiments. The aforementioned storage medium may be at least one of the following media capable of storing program code: a read-only memory (ROM), a random access memory (RAM), a magnetic disk, or an optical disk.
Since the device embodiments substantially correspond to the method embodiments, reference may be made to the description of the method embodiments for the relevant points. The device embodiments described above are merely illustrative: the units described as separate parts may or may not be physically separate, and the parts displayed as units may or may not be physical units; they may be located in one place or distributed over multiple network units. Some or all of the modules may be selected according to actual needs to achieve the purpose of the solution of this embodiment. One of ordinary skill in the art can understand and implement it without inventive effort.
It is noted that, herein, relational terms such as first and second, and the like may be used solely to distinguish one entity or action from another entity or action without necessarily requiring or implying any actual such relationship or order between such entities or actions. Also, the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or apparatus. Without further limitation, an element defined by the phrase "comprising a ..." does not exclude the presence of additional like elements in a process, method, article, or apparatus that comprises the element.
The foregoing detailed description has been directed to a distributed digital authentication system, method, and related apparatus, which are provided in the embodiments of the present application, and the specific examples are used herein to illustrate the principles and implementations of the present application, but the above description is only provided to help understand the method of the present application. Also, variations in the specific embodiments and applications of the methods of the present application will occur to those skilled in the art.
In view of the foregoing, it is not intended that the present disclosure be limited to the specific embodiments disclosed; any modifications or alterations that may occur to those skilled in the art and that fall within the scope of the disclosure are intended to be covered by the appended claims. Moreover, the implementations provided by the above aspects may be further combined to provide additional implementations.

Claims (10)

1. A distributed digital identity authentication system, characterized by comprising a first identity management unit corresponding to a target user, a second identity management unit corresponding to a target verifier, and a processing unit corresponding to a target issuer:
the first identity management unit is used for responding to a service request operation triggered by the target user and generating a distributed digital identity authentication request of the target user; the distributed digital identity authentication request comprises an identity of the target user, a zero-knowledge proof of a verifiable claim of the target user, and a signature of an overall message comprising the identity and the zero-knowledge proof of the verifiable claim;
the second identity management unit is used for performing attribute verification on the target user according to the zero-knowledge proof, and generating a distributed digital identity read operation request of the target user if the attribute verification passes; the distributed digital identity read operation request comprises the identity of the target user and request verification information;
and the processing unit is used for acquiring the distributed digital identity file stored in the blockchain network according to the identity, verifying the request verification information according to the distributed digital identity file to obtain a verification result, and sending the verification result to the target verifier.
2. The system according to claim 1, characterized in that the system further comprises a parsing unit:
the parsing unit is configured to parse the distributed digital identity authentication request, determine the target verifier corresponding to the service request operation, and send the distributed digital identity authentication request to the second identity management unit;
the parsing unit is further configured to parse the distributed digital identity read operation request, determine the target issuer corresponding to the distributed digital identity read operation request, and send the distributed digital identity read operation request to the processing unit.
3. The system of claim 2, characterized in that the system further comprises a certification processing unit corresponding to a verifiable claim issuer:
the first identity management unit is further configured to respond to a verifiable claim write operation request triggered by the target user, and send the verifiable claim write operation request to the parsing unit; the verifiable claim write operation request comprises an identity of the target user, an attribute of the target user to be authorized, and a signature;
the parsing unit is further configured to parse the verifiable claim write operation request, determine the verifiable claim issuer corresponding to the verifiable claim write operation request, and send the verifiable claim write operation request to the verifiable claim issuer;
the certification processing unit is used for verifying the verifiable claim information corresponding to the target user according to the identity, and if the verifiable claim information passes the verification, generating the verifiable claim of the target user and sending the verifiable claim to the first identity management unit.
4. The system of claim 1, characterized in that the system further comprises a contract execution unit:
the processing unit is further configured to generate a smart contract invocation request according to the identity, and send the smart contract invocation request to the contract execution unit;
and the contract execution unit is used for reading the distributed digital identity file according to the smart contract invocation request sent by the processing unit, and sending the distributed digital identity file to the processing unit.
5. The system of claim 4, characterized in that the contract execution unit comprises a contract driver and a contract read-write pipeline:
the contract driver is used for executing preset distributed digital identity smart contract code according to the smart contract invocation request to obtain an execution result;
and the contract read-write pipeline is used for reading the distributed digital identity file according to the execution result.
6. The system according to any one of claims 1-5, characterized in that the system further comprises a blockchain storage unit:
the first identity management unit is further configured to generate a distributed digital identity write operation request in response to an on-chain storage operation of the distributed digital identity file triggered by the target user, and send the distributed digital identity write operation request to the processing unit; the distributed digital identity write operation request comprises the distributed digital identity file;
the processing unit is further configured to verify the distributed digital identity file, and if the distributed digital identity file passes the verification, send the distributed digital identity file to the blockchain storage unit;
and the blockchain storage unit is used for storing the distributed digital identity file.
7. A distributed digital identity authentication method, applied to a distributed digital identity authentication system, the distributed digital identity authentication system comprising a first identity management unit corresponding to a target user, a second identity management unit corresponding to a target verifier, and a processing unit corresponding to a target issuer, the method comprising:
responding, through the first identity management unit, to a service request operation triggered by the target user, and generating a distributed digital identity authentication request of the target user; the distributed digital identity authentication request comprises an identity of the target user, a zero-knowledge proof of a verifiable claim of the target user, and a signature of an overall message comprising the identity and the zero-knowledge proof of the verifiable claim;
performing, through the second identity management unit, attribute verification on the target user according to the zero-knowledge proof, and if the attribute verification passes, generating a distributed digital identity read operation request of the target user; the distributed digital identity read operation request comprises the identity of the target user and request verification information;
reading, through the processing unit, the distributed digital identity file stored in the blockchain network according to the identity, verifying the request verification information according to the distributed digital identity file to obtain a verification result, and sending the verification result to the target verifier.
8. A computer device, the computer device comprising a processor and a memory:
the memory is used for storing program codes and transmitting the program codes to the processor;
the processor is configured to perform the method of claim 7 in accordance with instructions in the program code.
9. A computer-readable storage medium, characterized in that the computer-readable storage medium is used for storing a computer program for performing the method of claim 7.
10. A computer program product comprising instructions which, when run on a computer, cause the computer to perform the method of claim 7.
CN202211288928.5A 2022-10-20 2022-10-20 Distributed digital identity verification system, method and related device Pending CN115632794A (en)

Publications (1)

Publication Number Publication Date
CN115632794A true CN115632794A (en) 2023-01-20

Family

ID=84907048

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination