CN116647371A - Identity authorization method and device based on blockchain - Google Patents


Info

Publication number: CN116647371A
Authority: CN (China)
Prior art keywords: identity, authorization, blockchain, provider, identification
Legal status: Pending
Application number: CN202310491967.3A
Other languages: Chinese (zh)
Inventors: 窦方钰, 陈锣斌
Current assignee: Alipay Hangzhou Information Technology Co Ltd
Original assignee: Alipay Hangzhou Information Technology Co Ltd

Classifications

    • G06F21/31 User authentication
    • G06F21/604 Tools and structures for managing or administering access control systems
    • G06F21/64 Protecting data integrity, e.g. using checksums, certificates or signatures
    • H04L63/0442 Network security protocols for a confidential data exchange among entities communicating through data packet networks, wherein the payload is protected and the sending and receiving entities apply asymmetric encryption, i.e. different keys for encryption and decryption
    • H04L63/08 Network security protocols for authentication of entities
    • H04L67/10 Protocols in which an application is distributed across nodes in the network
    • H04L9/40 Network security protocols
    • H04L9/50 Cryptographic mechanisms using hash chains, e.g. blockchains or hash trees

Abstract

The invention discloses a blockchain-based identity authorization method applied to a server corresponding to a blockchain for decentralised digital identity, wherein the blockchain members comprise an identification provider, an identification user and an identification verifier. The method comprises the following steps: receiving an authorization request initiated by any identification user to authorize an identification to an identification verifier, wherein the authorization request includes authorization information related to a locally stored traceable identification and the decentralised digital identity of the identification provider that provided the traceable identification; and, in response to the authorization request, generating an authorization record based on the authorization information and the decentralised digital identity of the identification provider, and saving the authorization record into a blockchain.

Description

Identity authorization method and device based on blockchain
Technical Field
The present invention relates to blockchain technology, and in particular to a blockchain-based identity authorization method and apparatus.
Background
Decentralized Identity (DID) is a digital identity system built on blockchain technology. It ensures the authenticity and credibility of data, protects user privacy, and is highly portable, among other properties.
A DID user may endorse certain identity information of another DID user and generate an identification to provide to that other user. The DID user providing the identification may be referred to as the identification provider, and the DID user receiving it as the identification user.
Further, the identification user may authorize the identification to other DID users, who can then verify the authenticity of the user's identity on the strength of the identification provider's endorsement. The DID users to whom an identification is authorized may be referred to as identification verifiers.
Because an identification is backed by the credit of the identification provider, it must be prevented from being abused or used to impersonate other people; a traceable identification authorization scheme is therefore needed.
Disclosure of Invention
One purpose of the invention is to provide a blockchain-based identity authorization method that achieves traceable identification authorization under decentralised digital identity.
Based on the above object, the present invention provides a blockchain-based identity authorization method applied to a server corresponding to a blockchain for decentralised digital identity, wherein the blockchain members comprise an identification provider, an identification user and an identification verifier; the method comprises the following steps:
receiving an authorization request initiated by any identification user to authorize an identification to an identification verifier; wherein the authorization request includes authorization information related to a locally stored traceable identification and the decentralised digital identity of the identification provider that provided the traceable identification;
and, in response to the authorization request, generating an authorization record based on the authorization information and the decentralised digital identity of the identification provider, and saving the authorization record into a blockchain.
In the invention, the authorization record generated by binding the authorization information to the decentralised digital identity of the identification provider is stored in the blockchain, so that every authorization of the identification by the identification user can be tracked, and the authorization record cannot be tampered with.
Further, in some embodiments, the identification user also stores locally a non-traceable identification provided by the identification provider;
the traceable identification and the non-traceable identification carry the same identification information, and each is provided with a traceable field indicating whether traceability applies;
the field value of the traceable field in the traceable identification is a first field value, and the field value of the traceable field in the non-traceable identification is a second field value; the first field value indicates traceability and the second field value indicates non-traceability.
Further, in some embodiments, the authorization information includes all or part of the identity information in the traceable identification that the identification user selected to authorize; and while the identification user is selecting the identity information, the identification for which authorization is requested is visually indicated to the identification user as a traceable identification.
Further, in some embodiments, the method further comprises:
receiving a traceability request initiated by any identification provider; wherein the traceability request includes the decentralised digital identity of that identification provider;
in response to the traceability request, querying, among the authorization records stored in the blockchain for all identification users, the target authorization records that carry the decentralised digital identity of that identification provider;
and returning the target authorization records to the identification provider for viewing.
Further, in some embodiments, the blockchain has stored therein an identity public key corresponding to the decentralised digital identity of the identification provider;
generating the authorization record based on the authorization information and the decentralised digital identity of the identification provider includes:
querying the identity public key corresponding to the decentralised digital identity of the identification provider from the blockchain;
encrypting the authorization information with that identity public key;
and generating the authorization record based on the encrypted authorization information and the decentralised digital identity of the identification provider.
Further, in some embodiments, returning the target authorization records to the identification provider for viewing includes:
returning the target authorization records to the identification provider so that the identification provider decrypts the encrypted authorization information in each target authorization record with its locally stored identity private key.
Further, in some embodiments, the authorization request includes the decentralised digital identity of an identification verifier, and the blockchain has stored therein an identity public key corresponding to the decentralised digital identity of the identification verifier; the method further comprises:
in response to the authorization request, querying the identity public key corresponding to the decentralised digital identity of the identification verifier from the blockchain;
encrypting the authorization information with that identity public key and sending the encrypted authorization information to the identification verifier; the identification verifier decrypts the encrypted authorization information with its locally stored identity private key to obtain the authorization information authorized by the identification user.
Further, in some embodiments, the server includes a blockchain-as-a-service (BaaS) platform.
The invention also provides a blockchain-based identity authorization device applied to a server corresponding to a blockchain for decentralised digital identity, wherein the blockchain members comprise an identification provider, an identification user and an identification verifier; the device comprises:
a receiving module for receiving an authorization request initiated by any identification user to authorize an identification to an identification verifier; wherein the authorization request includes authorization information related to a locally stored traceable identification and the decentralised digital identity of the identification provider that provided the traceable identification;
and a response module for, in response to the authorization request, generating an authorization record based on the authorization information and the decentralised digital identity of the identification provider, and storing the authorization record in a blockchain.
The present invention also provides a computer readable storage medium storing a computer program which when executed by a processor implements any of the blockchain-based identity authorization methods described above.
The invention also provides an electronic device comprising a memory, a processor and a computer program stored on the memory and capable of running on the processor, wherein the processor implements any of the above blockchain-based identity authorization methods when executing the program.
The blockchain-based identity authorization method and device have the following beneficial effects:
the invention binds the authorization information to the decentralised digital identity of the identification provider. On one hand, the authorization records generated from the bound authorization information and provider identity are stored in a blockchain, so that every authorization of the identification by the identification user can be tracked and the authorization records cannot be tampered with. On the other hand, the identification provider can query from the blockchain all authorization records bound to its own decentralised digital identity, and can learn from them how each identification it issued has been authorized. Traceable identification authorization in the decentralised digital identity scenario is thus achieved.
Drawings
FIG. 1 is a schematic diagram of an identity authorization system under a blockchain;
FIG. 2 is a flow chart of an exemplary blockchain-based identity authorization method of the present invention;
FIG. 3 is a schematic diagram of an exemplary identity authorization system under a blockchain as improved by the present invention;
FIG. 4 is a schematic diagram of encryption and decryption added on the basis of FIG. 3;
FIG. 5 is a schematic diagram of a blockchain-based identity authorization device according to the present invention.
Detailed Description
The blockchain-based identity authorization method and apparatus, the computer-readable storage medium, and the electronic device according to the present invention will be further described in detail with reference to the accompanying drawings and specific embodiments, but the detailed description is not meant to limit the invention.
First, some technical concepts related to the present invention will be described.
Decentralized Identity (DID) is a digital identity system built on blockchain technology. It ensures the authenticity and credibility of data, protects user privacy, and is highly portable, among other properties.
In implementation, DID typically relies on a Decentralized Public Key Infrastructure (DPKI). A DPKI-based blockchain can provide the infrastructure for cryptography-based security services, in particular by generating an identity public/private key pair associated with each DID and encrypting and decrypting the data to be transmitted with that key pair, so as to ensure the authenticity and trustworthiness of the transmitted data.
Reference is now made to the schematic diagram of an identity authorization system under a blockchain shown in FIG. 1.
The blockchain members may be classified by role into identification providers, identification users and identification verifiers.
First, the identification provider, the identification user and the identification verifier all need to register their DIDs in the blockchain.
Registration may mean that a blockchain member stores an existing DID in the blockchain, or that a newly joined blockchain member performs DID registration through the blockchain and obtains a DID generated by the blockchain.
The identification provider can endorse certain identity information of the identification user and generate an identification to provide to the identification user.
Further, the identification user may authorize the identification to the identification verifier, so that the identification verifier can verify the identification user's identity on the strength of the identification provider's endorsement.
Because an identification is backed by the credit of the identification provider, it must be prevented from being abused or used to impersonate other people; a traceable identification authorization scheme is therefore needed.
In one embodiment of the invention, a blockchain-based identity authorization method is provided, which can realize traceable identity authorization.
FIG. 2 is a flowchart of a blockchain-based identity authorization method according to an embodiment of the present invention, which may be applied to a server corresponding to a blockchain for decentralised digital identity.
The following description refers to the schematic diagram of the improved blockchain identity authorization system shown in FIG. 3.
As shown in FIG. 3, the identity authorization system may include a blockchain for implementing decentralised digital identity (the DID blockchain in FIG. 3), in which the DIDs registered by the respective blockchain members are stored; the blockchain members may include an identification provider, an identification user and an identification verifier.
The authorization records used by the identification provider for traceability may be kept in an authorization-record blockchain. This may be the same blockchain as the DID blockchain, or a different one.
When they are the same blockchain, the authorization record generated when the identification user authorizes an identification can be stored directly in the DID blockchain.
When they are not the same blockchain, the authorization record generated when the identification user authorizes an identification has to be stored separately in the other blockchain (such as the authorization-record blockchain in FIG. 3), and the server needs to be connected to both the DID blockchain and the authorization-record blockchain.
In some embodiments, the server (not shown) may sit between the identification provider, the identification user and the identification verifier on one side and the blockchain on the other, since these parties may interact with the blockchain through the server.
In some embodiments, the server may include a Blockchain as a Service (BaaS) platform. A BaaS platform, also called a BaaS cloud, can provide simple, easy-to-use, one-click-deployable, quickly verifiable and flexibly customizable blockchain services, such as query, verification, registration and evidence-storage services, to the identification provider, identification user and identification verifier connected to it, for example by offering pre-written software for activities that take place on the blockchain (such as subscription and notification, user verification, database management and remote updates).
Returning to fig. 2, the blockchain-based identity authorization method may include the following steps:
210: receiving an authorization request initiated by any identification user to authorize an identification to an identification verifier; wherein the authorization request includes authorization information associated with a locally stored traceable identification and the decentralised digital identity of the identification provider that provided the traceable identification.
In the invention, an identification provider can generate an identification for an identification user and send the generated identification to the identification user, who stores it locally.
The identification can be understood as the identification provider's endorsement of certain identity information of the identification user. The identification may, for example, take the form of a Verifiable Credential (also called a Verifiable Claim, VC). In addition to the endorsed identity information, the verifiable credential may carry the digital signature of the identification provider.
In some embodiments, the identification user also stores locally a non-traceable identification provided by the identification provider;
the traceable identification and the non-traceable identification carry the same identification information, and each is provided with a traceable field indicating whether traceability applies;
the field value of the traceable field in the traceable identification is a first field value, and the field value of the traceable field in the non-traceable identification is a second field value; the first field value indicates traceability and the second field value indicates non-traceability.
The following is illustrated by the VC example shown in Table 1:
TABLE 1
The identification provider whose DID is issuer0001 generates two VCs and sends them to the identification user whose DID is user0001. A trace field, trace, is added to both VCs and defines whether the current VC can be traced.
When the field value is the first field value (e.g. 1 in Table 1), the VC can be traced; when the field value is the second field value (e.g. 0 in Table 1), the VC cannot be traced. In general, a VC may be non-traceable by default.
In some embodiments, the authorization information includes all or part of the identity information in the traceable identification that the identification user selected to authorize; and while the identification user is selecting the identity information, the identification for which authorization is requested is visually indicated to the identification user as a traceable identification.
In the invention, because an identification may contain several different items of identity information (such as name, document number, date of birth, etc.), not all of them necessarily need to be authorized in practice; the client interface of the identification user can therefore display interactive options for the user to select which items of identity information to authorize. The authorization information carried in the authorization request can then be the identity information the user selected to authorize.
In addition, as noted above, the identification user may store two VCs locally, so the client interface may also display interactive options for the user to choose which identification to authorize.
If the user selects the non-traceable identification, the subsequent process follows the flow of FIG. 1 described above, in which the identification provider cannot trace this authorization.
If the user selects the traceable identification, the subsequent process follows the flow of FIG. 2, i.e. step 220 below is executed, in which the identification provider can trace this authorization.
When the user selects the traceable identification, the identification user can be visually prompted that the identification for which authorization is requested is a traceable one. For example, the message "the current authorization process will be recorded and can be traced" is displayed in the client interface of the identification user.
220: in response to the authorization request, generating an authorization record based on the authorization information and the decentralised digital identity of the identification provider, and saving the authorization record into a blockchain.
In the invention, the authorization information is bound to the decentralised digital identity of the identification provider; on one hand, the authorization records generated from the bound authorization information and provider identity are stored in a blockchain, so that every authorization of the identification by the identification user can be tracked and the authorization records cannot be tampered with.
Refer to the authorization information shown in Table 2 below:
TABLE 2
In the present invention, in addition to the identity information in the traceable identification that the identification user selected to authorize (name, identification number and date of birth in Table 2), the authorization information may include the decentralised digital identity of the identification user (User0001 in Table 2), the identification of the identification user (Vc001 in Table 2), the decentralised digital identity of the identification verifier (Sp001 in Table 2) and the authorization time (2022-12-04 18:00:00 in Table 2).
Further, the authorization information of Table 2 is stored in the blockchain together with the decentralised digital identity of the identification provider as an authorization record.
In some embodiments, the method further comprises:
receiving a traceability request initiated by any identification provider; wherein the traceability request includes the decentralised digital identity of that identification provider;
in response to the traceability request, querying, among the authorization records stored in the blockchain for all identification users, the target authorization records that carry the decentralised digital identity of that identification provider;
and returning the target authorization records to the identification provider for viewing.
In the invention, the identification provider can initiate a traceability request to the server in order to query all target authorization records stored in the blockchain that contain its own decentralised digital identity, and then obtain the authorization information in each target authorization record.
For the different identification users that have been issued identifications by the same identification provider, the authorization record generated for each traceable identification authorization contains the same identification provider DID;
the identification provider can therefore obtain, in one query, the authorization records for the identifications of all these different identification users.
With the above embodiment, the identification provider can query from the blockchain all authorization records bound to its own decentralised digital identity, and can learn from them how each identification it issued has been authorized. Traceable identification authorization in the decentralised digital identity scenario is thus achieved.
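The two steps 210/220, the trace field of Table 1 and the traceability query above can be exercised together in the following Go program. It is an example added here, not code from the patent or from Alipay: the struct layout, the trace values 1/0, the in-memory hash-linked list that stands in for the authorization-record blockchain, and the placeholder claim values are all assumptions of this example. It goes slightly beyond the text in two ways: only the claims the user selected are copied into the record, so an unselected item never reaches the chain, and a Verify pass shows why an altered record is detectable once later records commit to it.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"fmt"
)

// VC is a simplified verifiable credential carrying the patent's trace field
// (1 = traceable, 0 = non-traceable). All field names here are assumptions.
type VC struct {
	ID, Issuer, Holder string            // Issuer/Holder: DIDs of provider and user
	Claims             map[string]string // endorsed identity information
	Trace              int
}

// AuthorizationRequest is what the identification user sends in step 210.
type AuthorizationRequest struct {
	VC           VC
	VerifierDID  string
	Fields       []string // claim names the user chose to authorize
	AuthorizedAt string
}

// AuthorizationInfo mirrors Table 2; AuthorizationRecord binds it to the provider's DID (step 220).
type AuthorizationInfo struct {
	Claims                                  map[string]string
	UserDID, VCID, VerifierDID, AuthorizedAt string
}
type AuthorizationRecord struct {
	ProviderDID string
	Info        AuthorizationInfo
	PrevHash    string // SHA-256 of the preceding record, "" for the first
}

// Chain is an in-memory stand-in for the authorization-record blockchain:
// an append-only list in which every record commits to its predecessor.
type Chain struct{ Records []AuthorizationRecord }

func hashRecord(r AuthorizationRecord) string {
	b, _ := json.Marshal(r) // deterministic: fields in order, map keys sorted
	h := sha256.Sum256(b)
	return hex.EncodeToString(h[:])
}

// Authorize implements steps 210/220. Only the selected claims enter the record;
// a non-traceable VC is authorized without writing anything (the FIG. 1 flow).
func (c *Chain) Authorize(req AuthorizationRequest) (*AuthorizationRecord, error) {
	if len(req.Fields) == 0 {
		return nil, fmt.Errorf("no identity information selected")
	}
	selected := map[string]string{}
	for _, f := range req.Fields {
		v, ok := req.VC.Claims[f]
		if !ok {
			return nil, fmt.Errorf("field %q is not part of VC %s", f, req.VC.ID)
		}
		selected[f] = v
	}
	if req.VC.Trace != 1 {
		return nil, nil
	}
	prev := ""
	if n := len(c.Records); n > 0 {
		prev = hashRecord(c.Records[n-1])
	}
	rec := AuthorizationRecord{req.VC.Issuer,
		AuthorizationInfo{selected, req.VC.Holder, req.VC.ID, req.VerifierDID, req.AuthorizedAt}, prev}
	c.Records = append(c.Records, rec)
	return &rec, nil
}

// Trace answers a provider's traceability request: every record bound to its DID.
func (c *Chain) Trace(providerDID string) (out []AuthorizationRecord) {
	for _, r := range c.Records {
		if r.ProviderDID == providerDID {
			out = append(out, r)
		}
	}
	return out
}

// Verify re-walks the hash links; editing any record but the last breaks them.
func (c *Chain) Verify() bool {
	prev := ""
	for _, r := range c.Records {
		if r.PrevHash != prev {
			return false
		}
		prev = hashRecord(r)
	}
	return true
}

// sampleVCs builds the two VCs of Table 1 with constructed placeholder claims.
func sampleVCs() (traceable, nonTraceable VC) {
	claims := map[string]string{"name": "Example User", "id_number": "ID000000", "date_of_birth": "1990-01-01"}
	traceable = VC{"Vc001", "issuer0001", "User0001", claims, 1}
	nonTraceable = VC{"Vc002", "issuer0001", "User0001", claims, 0}
	return
}

func main() {
	chain, fields := &Chain{}, []string{"name", "id_number", "date_of_birth"}
	tr, non := sampleVCs()
	rec, _ := chain.Authorize(AuthorizationRequest{tr, "Sp001", fields, "2022-12-04 18:00:00"})
	skipped, _ := chain.Authorize(AuthorizationRequest{non, "Sp001", fields, "2022-12-04 18:05:00"})
	fmt.Printf("record: %+v\nnon-traceable produced a record: %v\n", *rec, skipped != nil)
	fmt.Println("records traceable by issuer0001:", len(chain.Trace("issuer0001")), "intact:", chain.Verify())
}
```

The hash link is only a stand-in for the tamper resistance a real chain gets from consensus; what it does show is the property the patent relies on, namely that a provider querying by its own DID sees every traceable authorization across all of its users, while a non-traceable VC leaves no record at all.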
In some embodiments, the blockchain has stored therein an identity public key corresponding to the decentralised digital identity of the identification provider;
generating the authorization record based on the authorization information and the decentralised digital identity of the identification provider includes:
querying the identity public key corresponding to the decentralised digital identity of the identification provider from the blockchain;
encrypting the authorization information with that identity public key;
and generating the authorization record based on the encrypted authorization information and the decentralised digital identity of the identification provider.
In practical application, everyone can access the data stored in the blockchain, including the authorization records, and the authorization information concerns the privacy of the user; given the attention currently paid to users' private data, the invention can encrypt the authorization information before the authorization record that carries it is stored on the chain. The specific encryption process may be as follows:
in the invention, the identity public keys associated with the DIDs of the identification provider, the identification user and the identification verifier can be stored in the blockchain, while the identity private key corresponding to each identity public key is stored locally by the respective blockchain member.
Reference is now made to FIG. 4, a schematic diagram that adds encryption and decryption to FIG. 3. In FIG. 4, the public key pubkey1 of the identification provider, the public key pubkey2 of the identification user and the public key pubkey3 of the identification verifier can be stored in the blockchain, while the private key prikey1 of the identification provider, the private key prikey2 of the identification user and the private key prikey3 of the identification verifier are stored locally by their respective owners.
The server or the identification user can query the identity public key pubkey1 corresponding to the identification provider's DID from the blockchain, encrypt the authorization information with pubkey1, and then generate the authorization record from the encrypted authorization information and the identification provider's DID and store it on the chain.
With the above embodiment, since the authorization information stored in the blockchain is encrypted, other third parties can only learn that some identification user has authorized an identification, but not which user, to whom the authorization was granted, or what content was authorized. The privacy of the user is thus well protected.
Further, in some embodiments, the returning the target authorization record to the identification provider for viewing by the identification provider includes:
and returning the target authorization record to the identity authentication provider so that the identity authentication provider decrypts the encrypted authorization information in the target authorization record based on the locally stored identity private key.
As previously described, since the authorization information for the uplink certificate is encrypted, the identification provider needs to decrypt the authorization information in the queried target authorization record. Specifically, since the authorization information in the target authorization record is encrypted by using the identity public key of the identity provider, only the identity provider holding the identity private key corresponding to the identity public key can decrypt the authorization information to obtain all decrypted authorization information.
With continued reference to fig. 4, after querying the target authorization records associated with its own DID, the identity-proof provider can decrypt the encrypted authorization information in each target authorization record using the locally stored identity private key prikey1.
Assuming the decrypted authorization information is as shown in table 2 above, the identity-proof provider can trace that the identity proof "Vc001" it issued to the user with DID "User0001" was authorized to the identity-proof verifier with DID "Sp001" at "2022-12-04 18:00:00", and that the authorized content was "name, document number, date of birth".
The above embodiments ensure that only the identity-proof provider that issued the authorized identity proof can decrypt the encrypted authorization information. After decryption, the detailed authorization information is available, and the identity-proof provider can analyze it to identify risky behavior such as misuse or fraudulent use of the identity proof.
In some embodiments, the authorization request includes the decentralized digital identity of an identity-proof verifier, and the blockchain stores an identity public key corresponding to the decentralized digital identity of the identity-proof verifier; the method further comprises the steps of:
querying the blockchain, in response to the authorization request, for the identity public key corresponding to the decentralized digital identity of the identity-proof verifier;
encrypting the authorization information with that identity public key and sending the encrypted authorization information to the identity-proof verifier, which decrypts the encrypted authorization information with its locally stored identity private key to obtain the authorization information authorized by the identity-proof user.
In the invention, since identity authorization is granted to the identity-proof verifier, the authorized authorization information must be sent to the identity-proof verifier.
As with the authorization record stored on the chain, the authorization information must be encrypted because it relates to private data; the difference is that here it is encrypted with the identity public key of the identity-proof verifier. Correspondingly, after receiving the encrypted authorization information, the identity-proof verifier decrypts it with its locally stored identity private key to obtain the detailed authorization information.
With continued reference to the example of fig. 4, the server or the identity-proof user can query the blockchain for the identity public key pubkey3 corresponding to the DID of the identity-proof verifier, encrypt the authorization information with pubkey3, and send the encrypted authorization information to the identity-proof verifier. The identity-proof verifier then decrypts the encrypted authorization information using its locally stored identity private key prikey3.
With this embodiment, encrypting the authorization information protects the privacy of the identity-proof user while ensuring that the identity-proof verifier can obtain the detailed authorization information by decryption, thereby completing the identity authorization flow.
It should be noted that in the example of fig. 4 the identity key pair of the identity-proof user (pubkey2 and prikey2) is not used, because that member acts only as the identity-proof user. In practice the roles of identity-proof provider, identity-proof user and identity-proof verifier may change between blockchain members; when the member holding prikey2 in fig. 4 acts as an identity-proof provider or an identity-proof verifier, its identity keys pubkey2 and prikey2 are used.
Corresponding to the embodiment of the identity authorization method based on the blockchain, the invention also provides an embodiment of the identity authorization device based on the blockchain.
Referring to fig. 5, a block diagram of a blockchain-based identity authorization device according to the present invention is shown, corresponding to the embodiment of fig. 2. The device may be applied to a server corresponding to a blockchain with decentralized digital identities, where the blockchain members include an identity-proof provider, an identity-proof user and an identity-proof verifier; the device comprises:
a receiving module 410, configured to receive an authorization request initiated by any identity-proof user to grant identity authorization to an identity-proof verifier, wherein the authorization request includes authorization information related to a locally stored traceable identity proof and the decentralized digital identity of the identity-proof provider that provided the traceable identity proof;
and a response module 420, configured to generate, in response to the authorization request, an authorization record based on the authorization information and the decentralized digital identity of the identity-proof provider, and to store the authorization record in the blockchain.
Further, in some embodiments, the identity-proof user also stores locally a non-traceable identity proof provided by the identity-proof provider;
the traceable identity proof and the non-traceable identity proof carry the same identity information, and each has a traceable field indicating whether it is traceable;
the field value of the traceable field is a first field value in the traceable identity proof and a second field value in the non-traceable identity proof, where the first field value indicates traceable and the second field value indicates non-traceable.
Further, in some embodiments, the authorization information includes all or part of the identity information of the traceable identity proof that the identity-proof user selects to authorize; and while the identity-proof user selects the identity information, the identity proof for which authorization is requested is visually presented to the identity-proof user as a traceable identity proof.
Further, in some embodiments, the apparatus further comprises:
a trace-back request module, configured to receive a trace-back request initiated by any identity-proof provider, wherein the trace-back request includes the decentralized digital identity of the identity-proof provider;
and a trace-back response module, configured to query, in response to the trace-back request, the authorization records stored on the chain by all identity-proof users for target authorization records carrying the decentralized digital identity of the identity-proof provider, and to return the target authorization records to the identity-proof provider for viewing.
Further, in some embodiments, the blockchain stores an identity public key corresponding to the decentralized digital identity of the identity-proof provider;
the response module 420 is further configured to query the blockchain for the identity public key corresponding to the decentralized digital identity of the identity-proof provider, encrypt the authorization information with that identity public key, and generate the authorization record based on the encrypted authorization information and the decentralized digital identity of the identity-proof provider.
Further, in some embodiments, the trace-back response module is further configured to return the target authorization record to the identity-proof provider so that the identity-proof provider decrypts the encrypted authorization information in the target authorization record with its locally stored identity private key.
Further, in some embodiments, the authorization request includes the decentralized digital identity of an identity-proof verifier, and the blockchain stores an identity public key corresponding to the decentralized digital identity of the identity-proof verifier;
the response module 420 is further configured to query the blockchain, in response to the authorization request, for the identity public key corresponding to the decentralized digital identity of the identity-proof verifier, encrypt the authorization information with that identity public key, and send the encrypted authorization information to the identity-proof verifier, which decrypts it with its locally stored identity private key to obtain the authorization information authorized by the identity-proof user.
Further, in some embodiments, the server comprises a blockchain-as-a-service platform.
The implementation of the functions and roles of each module in the above device corresponds to the implementation of the corresponding steps in the above method and is not repeated here.
Since the device embodiments essentially correspond to the method embodiments, reference is made to the description of the method embodiments for the relevant points. The device embodiments described above are merely illustrative: units described as separate components may or may not be physically separate, components shown as units may or may not be physical units, and they may be located in one place or distributed over a plurality of network units. Some or all of the modules may be selected according to actual needs to achieve the purposes of the present invention, which those of ordinary skill in the art can understand and implement without undue burden.
The internal functional modules and structure of the blockchain-based identity authorization device have been described above; the actual executing entity of the device can be an electronic device comprising:
a processor;
a memory for storing processor-executable instructions;
wherein the processor is configured to perform an embodiment of any of the blockchain-based identity authorization methods described above.
In the above electronic device embodiment, it should be understood that the processor may be a central processing unit (CPU), another general-purpose processor, a digital signal processor (DSP), an application-specific integrated circuit (ASIC) or the like. A general-purpose processor may be a microprocessor or any conventional processor. The memory may be a read-only memory (ROM), a random access memory (RAM), a flash memory, a hard disk or a solid-state disk. The steps of the method disclosed in connection with the embodiments of the present invention may be executed directly by a hardware processor, or by a combination of hardware and software modules in the processor.
In addition, the invention also provides a computer-readable storage medium whose instructions, when executed by a processor of an electronic device, enable the electronic device to execute any embodiment of the blockchain-based identity authorization method.
It should be noted that the above embodiments are merely examples of the present invention; the invention is not limited to them, and many similar variations are possible. All modifications attainable or obvious from the present disclosure should be deemed to fall within its scope.

Claims (11)

1. A blockchain-based identity authorization method, applied to a server corresponding to a blockchain with decentralized digital identities, wherein blockchain members of the blockchain include an identity-proof provider, an identity-proof user and an identity-proof verifier; the method comprises the following steps:
receiving an authorization request initiated by any identity-proof user to grant identity authorization to the identity-proof verifier, wherein the authorization request includes authorization information related to a locally stored traceable identity proof and the decentralized digital identity of the identity-proof provider that provided the traceable identity proof;
and in response to the authorization request, generating an authorization record based on the authorization information and the decentralized digital identity of the identity-proof provider, and saving the authorization record into the blockchain.
2. The blockchain-based identity authorization method of claim 1, wherein the identity-proof user also locally stores a non-traceable identity proof provided by the identity-proof provider;
the traceable identity proof and the non-traceable identity proof carry the same identity information, and each has a traceable field indicating whether it is traceable;
the field value of the traceable field is a first field value in the traceable identity proof and a second field value in the non-traceable identity proof, where the first field value indicates traceable and the second field value indicates non-traceable.
3. The blockchain-based identity authorization method of claim 2, wherein the authorization information comprises all or part of the identity information of the traceable identity proof that the identity-proof user selects to authorize; and while the identity-proof user selects the identity information, the identity proof for which authorization is requested is visually presented to the identity-proof user as a traceable identity proof.
4. The blockchain-based identity authorization method of claim 1, the method further comprising:
receiving a trace-back request initiated by any identity-proof provider, wherein the trace-back request includes the decentralized digital identity of the identity-proof provider;
in response to the trace-back request, querying the authorization records stored on the chain by all identity-proof users in the blockchain for a target authorization record having the decentralized digital identity of the identity-proof provider;
and returning the target authorization record to the identity-proof provider for the identity-proof provider to view.
5. The blockchain-based identity authorization method of claim 4, wherein the blockchain stores an identity public key corresponding to the decentralized digital identity of the identity-proof provider;
the generating of an authorization record based on the authorization information and the decentralized digital identity of the identity-proof provider includes:
querying the blockchain for the identity public key corresponding to the decentralized digital identity of the identity-proof provider;
encrypting the authorization information with the identity public key;
and generating the authorization record based on the encrypted authorization information and the decentralized digital identity of the identity-proof provider.
6. The blockchain-based identity authorization method of claim 5, wherein the returning of the target authorization record to the identity-proof provider for viewing comprises:
returning the target authorization record to the identity-proof provider so that the identity-proof provider decrypts the encrypted authorization information in the target authorization record with its locally stored identity private key.
7. The blockchain-based identity authorization method of claim 1, wherein the authorization request includes the decentralized digital identity of an identity-proof verifier, and the blockchain stores an identity public key corresponding to the decentralized digital identity of the identity-proof verifier; the method further comprises the steps of:
querying the blockchain, in response to the authorization request, for the identity public key corresponding to the decentralized digital identity of the identity-proof verifier;
encrypting the authorization information with the identity public key and sending the encrypted authorization information to the identity-proof verifier, which decrypts the encrypted authorization information with its locally stored identity private key to obtain the authorization information authorized by the identity-proof user.
8. The blockchain-based identity authorization method of claim 1, wherein the server comprises a blockchain-as-a-service platform.
9. A blockchain-based identity authorization device, applied to a server corresponding to a blockchain with decentralized digital identities, wherein blockchain members of the blockchain include an identity-proof provider, an identity-proof user and an identity-proof verifier; the device comprises:
a receiving module, configured to receive an authorization request initiated by any identity-proof user to grant identity authorization to the identity-proof verifier, wherein the authorization request includes authorization information related to a locally stored traceable identity proof and the decentralized digital identity of the identity-proof provider that provided the traceable identity proof;
and a response module, configured to generate, in response to the authorization request, an authorization record based on the authorization information and the decentralized digital identity of the identity-proof provider, and to store the authorization record in the blockchain.
10. A computer readable storage medium storing a computer program which, when executed by a processor, implements the method of any of the preceding claims 1-8.
11. An electronic device comprising a memory, a processor and a computer program stored on the memory and executable on the processor, the processor implementing the method of any of the preceding claims 1-8 when the program is executed.
Priority Applications (1)

Application Number: CN202310491967.3A (CN116647371A, en)
Priority Date: 2023-05-04
Filing Date: 2023-05-04
Title: Identity authorization method and device based on blockchain
Status: Pending

Publications (1)

Publication Number: CN116647371A (en)
Publication Date: 2023-08-25


Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination