CN116662950A - Identity authentication method and device based on blockchain - Google Patents


Info

Publication number
CN116662950A
Authority
CN (China)
Prior art keywords
identity, real, blockchain, provider, entity
Legal status
Pending
Application number
CN202310504301.7A
Other languages
Chinese (zh)
Inventors
窦方钰, 陈锣斌
Current assignee
Alipay Hangzhou Information Technology Co Ltd
Original assignee
Alipay Hangzhou Information Technology Co Ltd


Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F 21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F 21/30 Authentication, i.e. establishing the identity or authorisation of security principals
    • G06F 21/31 User authentication
    • G06F 21/60 Protecting data
    • G06F 21/62 Protecting access to data via a platform, e.g. using keys or access control rules
    • G06F 21/6218 Protecting access to data via a platform, e.g. using keys or access control rules, to a system of files or objects, e.g. local or distributed file system or database
    • G06F 21/6245 Protecting personal data, e.g. for financial or medical purposes
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/08 Network architectures or network communication protocols for network security for authentication of entities
    • H04L 63/083 Network architectures or network communication protocols for network security for authentication of entities using passwords
    • H04L 63/0861 Network architectures or network communication protocols for network security for authentication of entities using biometrical features, e.g. fingerprint, retina-scan
    • H04L 9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L 9/50 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols using hash chains, e.g. blockchains or hash trees

Abstract

The invention discloses a blockchain-based identity authentication method comprising the following steps: receiving an identity-proof authorization request initiated by a user in the blockchain, wherein the authorization request comprises the user's real-person identity proof and real-name identity proof; the real-person identity proof has been digitally signed by a first provider in the blockchain with a locally stored first identity private key, and the real-name identity proof has been digitally signed by a second provider in the blockchain with a locally stored second identity private key; in response to the authorization request, querying the blockchain for the first identity public key and the second identity public key; verifying the digital signature of the real-person identity proof with the first identity public key and the digital signature of the real-name identity proof with the second identity public key; and, after both the digital signature of the real-person identity proof and the digital signature of the real-name identity proof pass verification, determining that identity authentication of the user has passed.

Description

Identity authentication method and device based on blockchain
Technical Field
The present invention relates to blockchain technology, and in particular to a blockchain-based identity authentication method and apparatus.
Background
Blockchain technology, also known as distributed ledger technology, is an emerging technology in which several computing devices jointly keep the "ledger" and together maintain a complete distributed database. Because it is decentralised and transparent, allows every computing device to take part in recording to the database, and synchronises data quickly between the computing devices, blockchain technology has been widely applied in many fields.
The decentralised digital identity (Decentralized Identity, DID) is a digital identity system realised on the basis of blockchain technology; it ensures the authenticity and credibility of data, protects user privacy and is highly portable.
Disclosure of Invention
One purpose of the present invention is to provide a blockchain-based identity authentication method that can realise cross-chain authentication of decentralised digital identities.
On this basis, the present invention provides a blockchain-based identity authentication method applied to a verifier of identity proofs in a blockchain for decentralised digital identities, wherein the blockchain stores the identity public keys, each associated with a decentralised digital identity, uploaded by the blockchain members; the blockchain members comprise providers, users and verifiers of identity proofs; the method comprises the following steps:
receiving an identity-proof authorization request initiated by a user in the blockchain; wherein the authorization request comprises the user's real-person identity proof and real-name identity proof; the real-person identity proof has been digitally signed by a first provider in the blockchain with a locally stored first identity private key after the user passed real-person verification; the real-name identity proof has been digitally signed by a second provider in the blockchain with a locally stored second identity private key after the real-person identity proof was checked and passed;
in response to the authorization request, querying the blockchain for the first identity public key registered by the first provider and the second identity public key registered by the second provider;
verifying the digital signature of the real-person identity proof with the first identity public key, and verifying the digital signature of the real-name identity proof with the second identity public key;
and after both the digital signature of the real-person identity proof and the digital signature of the real-name identity proof pass verification, determining that identity authentication of the user has passed.
Further, in some embodiments, the identity proofs issued by the providers carry a level field representing the type of identity proof;
the field values of the level field comprise a first field value representing a real-person identity proof, a second field value representing a real-name identity proof, and a third field value representing an ordinary identity proof.
Further, in some embodiments, the real-name identity proof also carries an association field representing the associated real-person identity proof; the associated real-person identity proof is the real-person identity proof whose signature the second provider verified when issuing the real-name identity proof.
Further, in some embodiments, the real-person identity proof and real-name identity proof in the authorization request are encrypted by the user with a third identity public key of the verifier that is registered in the blockchain;
before querying the blockchain for the first identity public key registered by the first provider and the second identity public key registered by the second provider, the method further comprises:
decrypting the encrypted real-person identity proof and real-name identity proof with a locally stored third identity private key to obtain the real-person identity proof and real-name identity proof in plaintext.
Further, in some embodiments, after determining that identity authentication of the user has passed, the method further comprises:
acquiring the identity information from the plaintext real-person identity proof and the business information from the plaintext real-name identity proof, and performing the related business operation based on the identity information and the business information.
The present invention also provides another blockchain-based identity authentication method applied to a user of identity proofs in a blockchain for decentralised digital identities, wherein the blockchain stores the identity public keys, each associated with a decentralised digital identity, uploaded by the blockchain members; the blockchain members comprise providers, users and verifiers of identity proofs; the method comprises the following steps:
sending a first request applying for a real-person identity proof to a first provider in the blockchain, wherein the first request comprises the user's decentralised digital identity, so that the first provider performs real-person verification on the user and, after the real-person verification passes, generates a real-person identity proof based on the user's decentralised digital identity and the identity information of the user acquired during real-person verification;
storing the real-person identity proof issued by the first provider; wherein the real-person identity proof is digitally signed by the first provider with a locally stored first identity private key;
sending a second request applying for a real-name identity proof to a second provider in the blockchain, wherein the second request comprises the user's decentralised digital identity and the real-person identity proof, so that the second provider checks the real-person identity proof and, after the check passes, generates a real-name identity proof based on the user's decentralised digital identity and the real-person identity proof;
storing the real-name identity proof issued by the second provider; wherein the real-name identity proof is digitally signed by the second provider with a locally stored second identity private key.
Further, in some embodiments, the method further comprises:
initiating an identity-proof authorization request to a verifier in the blockchain; wherein the authorization request comprises the user's real-person identity proof and real-name identity proof, so that the verifier performs signature verification on the real-person identity proof and the real-name identity proof.
Further, in some embodiments, the identity proofs issued by the providers of the blockchain carry a level field representing the type of identity proof;
the field values of the level field comprise a first field value representing a real-person identity proof, a second field value representing a real-name identity proof, and a third field value representing an ordinary identity proof.
Further, in some embodiments, the real-name identity proof also carries an association field representing the associated real-person identity proof; the associated real-person identity proof is the real-person identity proof whose signature the second provider verified when issuing the real-name identity proof.
Further, in some embodiments, the real-person identity proof and real-name identity proof in the authorization request are encrypted by the user with a third identity public key of the verifier that is registered in the blockchain;
the verifier performing signature verification on the real-person identity proof and the real-name identity proof comprises:
the verifier decrypting the encrypted real-person identity proof and real-name identity proof with a locally stored third identity private key to obtain the real-person identity proof and real-name identity proof in plaintext; querying the blockchain for the first identity public key registered by the first provider and the second identity public key registered by the second provider; verifying the digital signature of the real-person identity proof with the first identity public key and the digital signature of the real-name identity proof with the second identity public key; and after both digital signatures pass verification, determining that identity authentication of the user has passed.
The present invention also provides a blockchain-based identity authentication device applied to a verifier of identity proofs in a blockchain for decentralised digital identities, wherein the blockchain stores the identity public keys, each associated with a decentralised digital identity, uploaded by the blockchain members; the blockchain members comprise providers, users and verifiers of identity proofs; the device comprises:
a receiving module for receiving an identity-proof authorization request initiated by a user in the blockchain; wherein the authorization request comprises the user's real-person identity proof and real-name identity proof; the real-person identity proof has been digitally signed by a first provider in the blockchain with a locally stored first identity private key after the user passed real-person verification; the real-name identity proof has been digitally signed by a second provider in the blockchain with a locally stored second identity private key after the real-person identity proof was checked and passed;
a query module for querying the blockchain for the first identity public key registered by the first provider and the second identity public key registered by the second provider;
a signature verification module for verifying the digital signature of the real-person identity proof with the first identity public key and verifying the digital signature of the real-name identity proof with the second identity public key;
and a determining module for determining that identity authentication of the user has passed after the digital signatures of the real-person identity proof and the real-name identity proof pass verification.
The present invention also provides a blockchain-based identity authentication device applied to a user of identity proofs in a blockchain for decentralised digital identities, wherein the blockchain stores the identity public keys, each associated with a decentralised digital identity, uploaded by the blockchain members; the blockchain members comprise providers, users and verifiers of identity proofs; the device comprises:
a first application module for sending a first request applying for a real-person identity proof to a first provider in the blockchain, wherein the first request comprises the user's decentralised digital identity, so that the first provider performs real-person verification on the user and, after the real-person verification passes, generates a real-person identity proof based on the user's decentralised digital identity and the identity information of the user acquired during real-person verification;
a first storage module for storing the real-person identity proof issued by the first provider; wherein the real-person identity proof is digitally signed by the first provider with a locally stored first identity private key;
a second application module for sending a second request applying for a real-name identity proof to a second provider in the blockchain, wherein the second request comprises the user's decentralised digital identity and the real-person identity proof, so that the second provider checks the real-person identity proof and, after the check passes, generates a real-name identity proof based on the user's decentralised digital identity and the real-person identity proof;
and a second storage module for storing the real-name identity proof issued by the second provider; wherein the real-name identity proof is digitally signed by the second provider with a locally stored second identity private key.
The blockchain-based identity authentication method and device have the following beneficial effects:
the present invention introduces a level field into the format of the traditional identity proof, thereby extending the types of identity proof, in particular to the real-person identity proof and the real-name identity proof. In scenarios requiring real names, the combination of the real-person identity proof and the real-name identity proof ensures that the user's identity has been real-name verified; in scenarios where a real name is not required, the traditional identity proof can still be used.
Drawings
FIG. 1 is a schematic diagram of a blockchain for decentralised digital identities;
FIG. 2 is a flow chart of the blockchain-based identity authentication method of the present invention with the user as the executing party;
FIG. 3 is a schematic diagram of the improved blockchain for decentralised digital identities of the present invention;
FIG. 4 is a diagram of the data structure of the extended real-person identity proof and real-name identity proof of the present invention;
FIG. 5 is a flow chart of the blockchain-based identity authentication method of the present invention with the verifier as the executing party;
FIG. 6 is a schematic diagram of a blockchain-based identity authentication device of the present invention;
FIG. 7 is a schematic block diagram of a blockchain-based identity authentication device of the present invention.
Detailed Description
The blockchain-based identity authentication method and apparatus, the computer-readable storage medium, and the electronic device according to the present invention will be further described in detail with reference to the accompanying drawings and specific embodiments, but the detailed description is not meant to limit the invention.
First, some technical concepts related to the present invention will be described.
The decentralised digital identity (Decentralized Identity, DID) is a digital identity system realised on the basis of blockchain technology; it ensures the authenticity and credibility of data, protects user privacy and is highly portable.
In implementation, DID also relies on a decentralised public key infrastructure (Decentralized Public Key Infrastructure, DPKI). A DPKI-based blockchain can provide an infrastructure of cryptography-based security services: in particular, an identity public/private key pair associated with each DID is generated, and data to be transmitted is digitally signed and verified with that identity key pair, so as to ensure the authenticity and credibility of the transmitted data.
Reference is now made to the schematic diagram of a blockchain for decentralised digital identities shown in FIG. 1.
The blockchain members can be classified by role into providers, users and verifiers of identity proofs. The providers, users and verifiers all need to register their DIDs in the blockchain.
In the application stage, a user can apply to a provider for an identity proof; the provider endorses certain identity information of the user and generates the identity proof that is provided to the user.
In the usage stage, if the user has a service requirement that must be executed by a verifier, the user can authorize the identity proof to the verifier, and the verifier verifies the identity proof to confirm its authenticity; after confirming that the identity proof is authentic, the verifier executes the related business operation for the user.
In some application scenarios, besides verifying the authenticity of an identity proof presented by a user, there is also a need to verify whether the user holding that identity proof has undergone real-name verification.
For example, a certain decentralised digital identity DID holds a digital blind-person certificate and uses it to apply to a verifier for related services.
In this case, besides verifying the validity of the digital blind-person certificate, the verifier needs to determine whether the party presenting it is genuinely blind.
Correspondingly, a similar scenario also arises in the application stage of identity proofs: there is a need for real-name verification of the user before the provider issues the identity proof to the user.
For example, when a user applies with a DID to the issuer of digital blind-person certificates, that issuer needs to verify the real-name identity behind the DID to ensure that the user is indeed blind.
In the related art, real-name verification can be performed while the user registers the DID, but an identity generated in this way has already undergone real-name verification, which departs from the original purpose of decentralised digital identity; moreover, not every application scenario requires real-name verification.
On this basis, the present invention aims to provide a blockchain-based identity authentication scheme that accommodates the requirements of different application scenarios. A level field is introduced into the format of the traditional identity proof, thereby extending the types of identity proof, in particular to the real-person identity proof and the real-name identity proof. In scenarios requiring real names, the combination of the real-person identity proof and the real-name identity proof ensures that the user's identity has been real-name verified; in scenarios where real names are not required, the traditional identity proof (without real-name verification) can still be used.
In one embodiment of the present invention, a blockchain-based identity authentication method is presented. FIG. 2 schematically illustrates a flow chart of the blockchain-based identity authentication method according to an embodiment of the present invention, which may be applied to a user of identity proofs in a blockchain.
The schematic diagram of the improved blockchain for decentralised digital identities shown in FIG. 3 is described first.
As mentioned above, the present invention extends the types of identity proof to include the real-person identity proof and the real-name identity proof as well as the traditional identity proof (hereinafter referred to as the ordinary identity proof). As shown in FIG. 3, the present invention also classifies the providers of identity proofs: a provider able to generate real-person identity proofs is called a first provider, a provider able to generate real-name identity proofs is called a second provider, and a provider able to generate ordinary identity proofs is called a third provider. In general, the first provider may be an authority with real-name authentication capability.
A user of identity proofs may apply for an ordinary identity proof, a real-person identity proof and/or a real-name identity proof according to actual requirements.
It should be noted that the real-person identity proof must already be held before applying for the real-name identity proof. Accordingly, when authorizing the real-name identity proof, the real-person identity proof and the real-name identity proof need to be authorized to the verifier together.
Returning to FIG. 2, the blockchain-based identity authentication method may include the following steps:
210, sending a first request applying for a real-person identity proof to a first provider in the blockchain, wherein the first request comprises the user's decentralised digital identity, so that the first provider performs real-person verification on the user and, after the real-person verification passes, generates a real-person identity proof based on the user's decentralised digital identity and the identity information of the user acquired during real-person verification.
In implementation, a user can apply to a first provider for a real-person identity proof, and the first provider can perform real-person verification on the user after obtaining the user's DID.
Specifically, real-person verification may include collecting identity information of the user and determining, based on that identity information, whether the user corresponding to the DID is the person in question.
The identity information may include, but is not limited to, a name, a document number, biometric features and the like.
The biometric features used for biometric recognition may include, for example, eye features, voiceprint, fingerprint, palmprint, heartbeat, pulse, chromosome, DNA, dental bite pattern and the like. Eye features may include biological features such as the iris and sclera.
When the identity information collected by the first provider matches the identity information reserved by the user, the real-person verification is determined to have passed.
Further, after the real-person verification passes, a real-person identity proof is generated based on the user's DID and (all or part of) the identity information of the user acquired during real-person verification.
In the present invention, a level field is introduced into the format of the traditional identity proof, so that the identity proofs issued by the providers of the blockchain carry a level field representing the type of identity proof;
the field values of the level field comprise a first field value representing a real-person identity proof, a second field value representing a real-name identity proof, and a third field value representing an ordinary identity proof.
The real-person identity proof, real-name identity proof and ordinary identity proof may each take the form of a verifiable credential (Verifiable Claim or Verifiable Credential, VC), for example. In addition to the endorsed identity information, the digital signature of the provider of the identity proof may be appended to the verifiable credential.
For the real-person identity proof, this can be expressed as the first provider endorsing certain identity information of the user.
In general, the format of an identity proof may follow existing standards, such as the W3C (World Wide Web Consortium) standard.
Under the W3C standard, the fields of an identity proof may have the following meanings:
the "issuer" field indicates the DID of the provider of this VC;
the "issuanceDate" field indicates the generation time of this VC;
the "VCID" field indicates the identifier of this VC;
the "objectidid" field indicates the user of this VC;
the "values" field indicates the identity information of the user endorsed by this VC;
the "proof" field indicates the digital signature of the provider that generated this VC.
The data structure of the extended real-person identity proof and real-name identity proof of the present invention is described below in connection with FIG. 4.
Taking the real-person identity proof (real-person VC) shown in the upper part of FIG. 4 as an example, the level field is added to the conventional VC format of the W3C standard; from the level field it is known that this VC is a real-person VC; from the other fields, the identifier of this real-person VC is "VC001ID", it was generated by the first provider "DID002" and provided to the user "DID001", the endorsed identity information is "{name: Zhang San; certificate number: 112334466}", and the signature string produced by the digital signature of the first provider "DID002" is "xx001".
220, storing the real-person identity proof issued by the first provider; wherein the real-person identity proof is digitally signed by the first provider with a locally stored first identity private key.
After obtaining the real-person identity proof issued by the first provider, the user may store it locally. This real-person identity proof may be digitally signed by the first provider with a locally stored first identity private key; taking FIG. 4 as an example, the signature string "xx001" in the "proof" field of the real-person VC is the result of the first provider's digital signature.
230, sending a second request applying for a real-name identity proof to a second provider in the blockchain, wherein the second request comprises the user's decentralised digital identity and the real-person identity proof, so that the second provider checks the real-person identity proof and, after the check passes, generates a real-name identity proof based on the user's decentralised digital identity and the real-person identity proof.
After successfully applying for the real-person identity proof, the user can further apply for a real-name identity proof.
In implementation, the user may apply to the second provider for a real-name identity proof, submitting the user's own DID together with the real-person identity proof obtained in the previous application. After obtaining the user's real-person identity proof, the second provider may check it to confirm its authenticity.
Because the real-person identity proof was digitally signed by the first provider with the first identity private key, its signature can be checked with the first identity public key corresponding to that first identity private key.
If the check succeeds, indicating that the real-person identity proof was indeed generated and digitally signed by the first provider, the identity information in the real-person identity proof may be regarded as authentic and valid on the strength of the first provider's credibility.
After the check passes, the second provider may generate a real-name identity proof based on the user's decentralised digital identity and the real-person identity proof.
As with the real-person identity proof, the level field is also added to the real-name identity proof, but its field value is the second field value (representing a real-name identity proof).
Further, in some embodiments, the real-name identity proof also carries an association field representing the associated real-person identity proof; the associated real-person identity proof is the real-person identity proof whose signature the second provider verified when issuing the real-name identity proof.
Referring again to FIG. 4 and taking the real-name identity proof (real-name VC) shown in its lower part as an example, it is known from the level field that this VC is a real-name VC, and from the association field that the associated real-person VC is "VC001ID" (the real-person VC in the upper part of FIG. 4); from the other fields, the identifier of this real-name VC is "VC002ID", it was generated by the second provider "DID003" and provided to the user "DID001", the endorsed identity information is "{service type: XX}", and the signature string produced by the digital signature of the second provider "DID003" is "XX002".
By adding the association field to the real-name identity proof, the real-person identity proof submitted when applying for the real-name identity proof can be traced.
240, storing the real-name identity proof issued by the second provider; wherein the real-name identity proof is digitally signed by the second provider with a locally stored second identity private key.
After obtaining the real-name identity proof issued by the second provider, the user may store it locally. This real-name identity proof may be digitally signed by the second provider with a locally stored second identity private key; taking FIG. 4 as an example, the signature string "xx002" in the "proof" field of the real-name VC is the result of the second provider's digital signature.
It should be noted that, in the present invention, the first provider and the second provider are different providers, and in practical application, the first provider and the second provider may be the same provider.
Through the embodiment, the grade field is introduced into the format of the traditional identity, so that different identity types are expanded, and the identity authentication and the real name identity authentication are specifically expanded. In the scene requiring real names, the identity of the user can be ensured to be authenticated by the combination of the real name identity and the real name identity; while in a scenario where real names are not required, traditional identification (without real name verification) can still be used.
For scenarios requiring real names, further, in some embodiments, the method further includes:
initiating an authorization request for identity authentication to a verifier in the blockchain; wherein the authorization request comprises the real-person identity credential and the real-name identity credential of the user; so that the verifier performs signature verification on the real-person identity credential and the real-name identity credential.
In implementation, because the real-person identity credential and the real-name identity credential are digitally signed, the verifier needs to verify the signatures on the real-person identity credential and the real-name identity credential authorized by the user in order to determine that they are authentic. The details of the verifier's signature verification are described in the following embodiment in connection with fig. 5.
Further, in some embodiments, the real-person identity credential and the real-name identity credential in the authorization request are encrypted by the user using the third identity public key that the verifier has stored in the blockchain;
and the verifier performing signature verification on the real-person identity credential and the real-name identity credential comprises:
decrypting, by the verifier, the encrypted real-person identity credential and real-name identity credential using a locally stored third identity private key to obtain the plaintext real-person identity credential and real-name identity credential; querying the blockchain for the first identity public key stored by the first provider and the second identity public key stored by the second provider; verifying the digital signature of the real-person identity credential based on the first identity public key, and verifying the digital signature of the real-name identity credential based on the second identity public key; and after the digital signatures of both the real-person identity credential and the real-name identity credential pass verification, determining that the identity authentication for the user passes.
In implementation, since the real-person identity credential and the real-name identity credential are encrypted by the user, the verifier needs to decrypt them to obtain the plaintext real-person identity credential and real-name identity credential. The details of encryption and decryption are described later in connection with the embodiment of fig. 5.
In addition to fig. 2, fig. 5 schematically illustrates a flowchart of another blockchain-based identity authentication method according to an embodiment of the present invention, which can be applied to a verifier in the blockchain.
As shown in fig. 5, the blockchain-based identity authentication method may include the following steps:
510: receiving an authorization request for identity authentication initiated by a user in the blockchain; wherein the authorization request comprises the real-person identity credential and the real-name identity credential of the user; the real-person identity credential is digitally signed by a first provider in the blockchain using a locally stored first identity private key after the real-person verification of the user has passed; and the real-name identity credential is digitally signed by a second provider in the blockchain using a locally stored second identity private key after the signature verification of the real-person identity credential has passed.
In practical applications, some services require the user to prove their identity, which requires the user to authorize the identity credential to the verifier, so that the verifier can verify the identity credential and, after the verification passes (indicating that the user's identity is genuine), provide the relevant services or perform the relevant business operations for the user.
In a scenario requiring real names, the user needs to provide the verifier with the user's real-person identity credential and real-name identity credential.
Reference may be made to the foregoing embodiments for the real-person identity credential and the real-name identity credential, for example:
in some embodiments, the identity credential issued by the provider is provided with a level field representing the type of identity credential;
the field values of the level field include a first field value representing a real-person identity credential, a second field value representing a real-name identity credential, and a third field value representing an ordinary identity credential.
In some embodiments, the real-name identity credential is further provided with an association field representing the associated real-person identity credential; the associated real-person identity credential refers to the real-person identity credential whose signature was verified by the second provider when issuing the real-name identity credential.
For the specific technical details, reference may be made to the foregoing embodiments, which are not repeated here.
520: in response to the authorization request, querying the blockchain for the first identity public key stored by the first provider and the second identity public key stored by the second provider.
530: verifying the digital signature of the real-person identity credential based on the first identity public key, and verifying the digital signature of the real-name identity credential based on the second identity public key.
Because both the real-person identity credential and the real-name identity credential are digitally signed, the verifier needs to verify the signatures on the real-person identity credential and the real-name identity credential authorized by the user in order to determine that they are authentic.
In the invention, the provider, the user and the verifier can each store in the blockchain the identity public key associated with their own DID, while the identity private key corresponding to that identity public key is stored locally by the respective blockchain member.
In implementation, the verifier can query the blockchain for the first identity public key stored by the first provider and the second identity public key stored by the second provider, and then verify the digital signature of the real-person identity credential based on the first identity public key and the digital signature of the real-name identity credential based on the second identity public key.
540: after the digital signatures of both the real-person identity credential and the real-name identity credential pass verification, determining that the identity authentication for the user passes.
If both the digital signature of the real-person identity credential and the digital signature of the real-name identity credential pass verification, it is established that the real-person identity credential was generated by the first provider and the real-name identity credential was generated by the second provider; then, based on the credit of the first provider and the second provider, the real-person identity credential and the real-name identity credential prove that the user's identity is genuine and trustworthy, and it can accordingly be determined that the identity authentication for the user passes.
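The two-stage issuance of steps 230 to 240 and the verifier's checks of steps 510 to 540, as an added example that is not code from the patent or from the applicant: a Go map stands in for the blockchain's DID-to-identity-public-key records, credentials are JSON objects carrying the level and association fields, proofs are Ed25519 signatures (the patent does not fix a signature scheme), and "DID-FIRST-PROVIDER" is a placeholder because this part of the page does not name the first provider's DID. It goes one step beyond the text: the verifier also checks that the real-name VC's association field names the real-person VC actually presented and that both credentials belong to the same holder DID, which is the traceability the association field is introduced for.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/hex"
	"encoding/json"
	"errors"
	"fmt"
)

// Values of the level field (the patent's first, second and third field values).
const (
	LevelRealPerson = 1 // real-person VC, issued after real-person verification
	LevelRealName   = 2 // real-name VC, issued after checking a real-person VC
	LevelOrdinary   = 3 // ordinary VC, no real-name verification
)

// Credential is a simplified VC carrying the level and association fields.
type Credential struct {
	ID         string            `json:"id"`
	Issuer     string            `json:"issuer"`               // provider DID
	Holder     string            `json:"holder"`               // user DID
	Level      int               `json:"level"`                // level field
	Associated string            `json:"associated,omitempty"` // association field: ID of the linked real-person VC
	Claims     map[string]string `json:"claims"`               // endorsed identity or business information
	Proof      string            `json:"proof,omitempty"`      // hex Ed25519 signature over all other fields
}

type Registry map[string]ed25519.PublicKey // stands in for the on-chain DID -> identity public key records

// signingInput is the canonical JSON covered by the proof (all fields except proof; deterministic, map keys are sorted).
func signingInput(c Credential) []byte {
	c.Proof = ""
	b, _ := json.Marshal(c)
	return b
}

// Issue signs a credential with the provider's locally stored identity private key.
func Issue(c Credential, priv ed25519.PrivateKey) Credential {
	c.Proof = hex.EncodeToString(ed25519.Sign(priv, signingInput(c)))
	return c
}

// Verify resolves the issuer DID on the registry and checks the proof against that key.
func Verify(c Credential, reg Registry) error {
	pub, ok := reg[c.Issuer]
	sig, err := hex.DecodeString(c.Proof)
	if !ok || err != nil || !ed25519.Verify(pub, signingInput(c), sig) {
		return errors.New("proof of " + c.ID + " does not verify against issuer " + c.Issuer)
	}
	return nil
}

// IssueRealName is the second provider's side of step 230: check the real-person VC, then issue a linked real-name VC.
func IssueRealName(rp Credential, userDID, providerDID string, priv ed25519.PrivateKey, reg Registry, service string) (Credential, error) {
	if rp.Level != LevelRealPerson || rp.Holder != userDID {
		return Credential{}, errors.New("submitted credential is not a real-person VC of the requesting DID")
	}
	if err := Verify(rp, reg); err != nil {
		return Credential{}, err
	}
	return Issue(Credential{ID: "VC002ID", Issuer: providerDID, Holder: userDID, Level: LevelRealName,
		Associated: rp.ID, Claims: map[string]string{"service type": service}}, priv), nil
}

// VerifyPair is the verifier's steps 520 to 540 plus the link checks the association field enables.
func VerifyPair(rp, rn Credential, reg Registry) error {
	for _, c := range []Credential{rp, rn} {
		if err := Verify(c, reg); err != nil {
			return err
		}
	}
	if rp.Level != LevelRealPerson || rn.Level != LevelRealName || rn.Associated != rp.ID || rn.Holder != rp.Holder {
		return errors.New("real-name VC is not linked to the presented real-person VC")
	}
	return nil
}

// NewScenario replays fig. 4; "DID-FIRST-PROVIDER" is a placeholder, the page does not name the first provider's DID.
func NewScenario() (Registry, Credential, Credential, error) {
	firstPub, firstPriv, err1 := ed25519.GenerateKey(rand.Reader)
	secondPub, secondPriv, err2 := ed25519.GenerateKey(rand.Reader)
	if err1 != nil || err2 != nil {
		return nil, Credential{}, Credential{}, errors.New("identity key generation failed")
	}
	reg := Registry{"DID-FIRST-PROVIDER": firstPub, "DID003": secondPub}
	rp := Issue(Credential{ID: "VC001ID", Issuer: "DID-FIRST-PROVIDER", Holder: "DID001", Level: LevelRealPerson,
		Claims: map[string]string{"name": "Zhang San", "certificate number": "112334466"}}, firstPriv)
	rn, err := IssueRealName(rp, "DID001", "DID003", secondPriv, reg, "XX")
	return reg, rp, rn, err
}

func main() {
	reg, rp, rn, err := NewScenario()
	if err != nil {
		panic(err)
	}
	fmt.Println("verifier result:", VerifyPair(rp, rn, reg)) // <nil>: both proofs verify and the link is consistent
}
```

NewScenario replays the fig. 4 flow and VerifyPair returns nil for the genuine pair; changing any endorsed field or the association field after issuance invalidates the corresponding proof, the second provider refuses to issue against a real-person VC whose proof does not verify, and an issuer DID with no public key on chain cannot be verified at all.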
Through this embodiment, a level field is introduced into the format of the traditional identity credential, thereby extending it to different credential types, specifically the real-person identity credential and the real-name identity credential. In scenarios requiring real names, the combination of the real-person identity credential and the real-name identity credential ensures that the user's identity is authenticated; in scenarios not requiring real names, the traditional identity credential (without real-name verification) can still be used.
Further, in some embodiments, after determining that the identity authentication for the user passes, the method further comprises:
acquiring the identity information in the plaintext real-person identity credential and the business information in the real-name identity credential; and performing the related business operation based on the identity information and the business information.
Taking fig. 4 as an example, the user's real-person identity credential contains the identity information {name: Zhang San; certificate number: 112334466}, and the real-name identity credential contains the business information {service type: XX}; assuming that XX is telephone bill inquiry and the verifier is the telecommunications carrier, then after confirming that the user's identity authentication passes, the verifier can look up the telephone bill of the user named Zhang San with certificate number 112334466 and return the retrieved bill to the user.
Through this embodiment, the real-name authentication requirement of a real-name scenario can be met through the real-person identity credential and the real-name identity credential, the related business operation in the scenario can be executed using the related information in the two credentials, and the result of the business operation can be fed back to the user, thereby completing the full flow of the related business.
Further, in some embodiments, the real-person identity credential and the real-name identity credential in the authorization request are encrypted by the user using the third identity public key that the verifier has stored in the blockchain;
and before querying the blockchain for the first identity public key stored by the first provider and the second identity public key stored by the second provider, the method further comprises:
decrypting the encrypted real-person identity credential and real-name identity credential using a locally stored third identity private key to obtain the plaintext real-person identity credential and real-name identity credential.
In practical application, because there is a risk of data leakage during data transmission, the user can encrypt the real-person identity credential and the real-name identity credential sent to the verifier.
The specific encryption process may be as follows:
as previously described, the provider, the user and the verifier may each store in the blockchain the identity public key associated with their DID, while the identity private key corresponding to that identity public key is stored locally by the respective blockchain member.
The user can query the blockchain for the third identity public key corresponding to the verifier's DID, encrypt the real-person identity credential and the real-name identity credential based on the third identity public key, and send the encrypted real-person identity credential and real-name identity credential to the verifier.
After receiving the encrypted real-person identity credential and real-name identity credential, the verifier can decrypt them based on the locally stored third identity private key to obtain the plaintext real-person identity credential and real-name identity credential.
By this embodiment, since the real-person identity credential and the real-name identity credential are encrypted, even if they are intercepted by a third party, the plaintext credentials cannot be obtained without the third identity private key needed for decryption, so that data security can be effectively ensured.
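The encryption step just described, as an added example that is not code from the patent or from the applicant: the verifier's third identity key is assumed to be an RSA-2048 key pair (the patent leaves the key type open), and because RSA-OAEP can only encrypt a short message, the two credentials are sealed under a fresh AES-256-GCM key that is in turn wrapped to the verifier's identity public key. The verifier's DID and the credential JSON are constructed inputs, and binding the recipient DID as GCM associated data is an addition of this example, not a step stated in the patent.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
	"io"
)

// Constructed inputs: the verifier's DID (a placeholder, the page does not name it) and the JSON
// the user would send, holding a real-person VC and a real-name VC with the fig. 4 identifiers.
const VerifierDID = "DID-VERIFIER"

var SampleCredentials = []byte(`{"realPersonVC":{"id":"VC001ID","holder":"DID001","level":1,"proof":"xx001"},` +
	`"realNameVC":{"id":"VC002ID","issuer":"DID003","holder":"DID001","level":2,"associated":"VC001ID","proof":"xx002"}}`)

// KeyRegistry stands in for the on-chain DID -> identity public key records (RSA keys assumed here).
type KeyRegistry map[string]*rsa.PublicKey

// Envelope is the encrypted authorization payload: a fresh AES-256-GCM key wrapped to the
// verifier's identity public key with RSA-OAEP, plus the GCM nonce and the sealed credentials.
type Envelope struct {
	WrappedKey, Nonce, Ciphertext []byte
}

var oaepLabel = []byte("vc-authorization-key") // domain-separates this use of the identity key

// NewIdentityKey generates a member's identity key pair; the private half never leaves the member.
func NewIdentityKey() (*rsa.PrivateKey, error) {
	return rsa.GenerateKey(rand.Reader, 2048)
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// EncryptForVerifier is the user's step: resolve the verifier's third identity public key on chain,
// then seal the credentials so that only the holder of the matching private key can read them.
// The verifier DID is bound as GCM associated data, so the envelope cannot be re-addressed.
func EncryptForVerifier(reg KeyRegistry, verifierDID string, plaintext []byte) (*Envelope, error) {
	pub, ok := reg[verifierDID]
	if !ok {
		return nil, errors.New("verifier DID not found on chain: " + verifierDID)
	}
	key := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		return nil, err
	}
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, key, oaepLabel)
	if err != nil {
		return nil, err
	}
	return &Envelope{WrappedKey: wrapped, Nonce: nonce, Ciphertext: gcm.Seal(nil, nonce, plaintext, []byte(verifierDID))}, nil
}

// DecryptAsVerifier is the verifier's step: unwrap the session key with the locally stored third
// identity private key and open the ciphertext. Any other key, or a modified ciphertext, is rejected.
func DecryptAsVerifier(env *Envelope, priv *rsa.PrivateKey, verifierDID string) ([]byte, error) {
	key, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, env.WrappedKey, oaepLabel)
	if err != nil {
		return nil, errors.New("cannot unwrap the session key: not the intended verifier's private key")
	}
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	pt, err := gcm.Open(nil, env.Nonce, env.Ciphertext, []byte(verifierDID))
	if err != nil {
		return nil, errors.New("ciphertext rejected: modified in transit or addressed to another DID")
	}
	return pt, nil
}

func main() {
	verifierKey, err := NewIdentityKey()
	if err != nil {
		panic(err)
	}
	reg := KeyRegistry{VerifierDID: &verifierKey.PublicKey} // what the verifier stored on chain
	env, err := EncryptForVerifier(reg, VerifierDID, SampleCredentials)
	if err != nil {
		panic(err)
	}
	pt, err := DecryptAsVerifier(env, verifierKey, VerifierDID)
	fmt.Println(string(pt) == string(SampleCredentials), err) // true <nil>
}
```

EncryptForVerifier succeeds only for a DID whose public key is on the registry; DecryptAsVerifier fails for any private key other than the verifier's own (the interception case the embodiment is concerned with), for a ciphertext that has been modified in transit, and for an envelope presented under a different recipient DID.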
Corresponding to the embodiments of the blockchain-based identity authentication method, the invention also provides embodiments of a blockchain-based identity authentication device.
Referring to fig. 6, a blockchain-based identity authentication device according to the present invention corresponds to the embodiment shown in fig. 5 and may be applied to a verifier of identity credentials in a blockchain of decentralised digital identities, where the identity public keys associated with the decentralised digital identities, as uploaded by the respective blockchain members, are stored in the blockchain; the blockchain members comprise providers of identity credentials, users of identity credentials and verifiers of identity credentials; the device comprises:
a receiving module 610, configured to receive an authorization request for identity authentication initiated by a user in the blockchain; wherein the authorization request comprises the real-person identity credential and the real-name identity credential of the user; the real-person identity credential is digitally signed by a first provider in the blockchain using a locally stored first identity private key after the real-person verification of the user has passed; and the real-name identity credential is digitally signed by a second provider in the blockchain using a locally stored second identity private key after the signature verification of the real-person identity credential has passed;
a querying module 620, configured to query the blockchain for the first identity public key stored by the first provider and the second identity public key stored by the second provider;
a signature verification module 630, configured to verify the digital signature of the real-person identity credential based on the first identity public key, and to verify the digital signature of the real-name identity credential based on the second identity public key;
and a determining module 640, configured to determine that the identity authentication for the user passes after the digital signatures of both the real-person identity credential and the real-name identity credential have passed verification.
Further, in some embodiments, the identity credential issued by the provider is provided with a level field representing the type of identity credential;
the field values of the level field include a first field value representing a real-person identity credential, a second field value representing a real-name identity credential, and a third field value representing an ordinary identity credential.
Further, in some embodiments, an association field representing the associated real-person identity credential is also provided in the real-name identity credential; the associated real-person identity credential refers to the real-person identity credential whose signature was verified by the second provider when issuing the real-name identity credential.
Further, in some embodiments, the real-person identity credential and the real-name identity credential in the authorization request are encrypted by the user using the third identity public key that the verifier has stored in the blockchain;
and before the querying module 620, the device further comprises:
a decryption module, configured to decrypt the encrypted real-person identity credential and real-name identity credential using a locally stored third identity private key to obtain the plaintext real-person identity credential and real-name identity credential.
Further, in some embodiments, after the determining module 640, the device further comprises:
an execution module, configured to acquire the identity information in the plaintext real-person identity credential and the business information in the real-name identity credential, and to perform the related business operation based on the identity information and the business information.
Referring to fig. 7, a blockchain-based identity authentication device according to the present invention corresponds to the embodiment shown in fig. 2 and may be applied to a user of identity credentials in a blockchain of decentralised digital identities, where the identity public keys associated with the decentralised digital identities, as uploaded by the respective blockchain members, are stored in the blockchain; the blockchain members comprise providers of identity credentials, users of identity credentials and verifiers of identity credentials; the device comprises:
a first application module 710, configured to send a first request, for applying for a real-person identity credential, to a first provider in the blockchain, wherein the first request comprises the decentralised digital identity of the user; so that the first provider performs real-person verification on the user and, after the real-person verification passes, generates a real-person identity credential based on the decentralised digital identity of the user and the identity information of the user acquired during the real-person verification;
a first storage module 720, configured to store the real-person identity credential issued by the first provider; wherein the real-person identity credential is digitally signed by the first provider using a locally stored first identity private key;
a second application module 730, configured to send a second request, for applying for a real-name identity credential, to a second provider in the blockchain, wherein the second request comprises the decentralised digital identity of the user and the real-person identity credential; so that the second provider verifies the signature on the real-person identity credential and, after the verification passes, generates a real-name identity credential based on the decentralised digital identity of the user and the real-person identity credential;
and a second storage module 740, configured to store the real-name identity credential issued by the second provider; wherein the real-name identity credential is digitally signed by the second provider using a locally stored second identity private key.
Further, in some embodiments, the device further comprises:
an authorization module, configured to initiate an authorization request for identity authentication to a verifier in the blockchain; wherein the authorization request comprises the real-person identity credential and the real-name identity credential of the user; so that the verifier performs signature verification on the real-person identity credential and the real-name identity credential.
Further, in some embodiments, the identity credential issued by a provider in the blockchain is provided with a level field representing the type of identity credential;
the field values of the level field include a first field value representing a real-person identity credential, a second field value representing a real-name identity credential, and a third field value representing an ordinary identity credential.
Further, in some embodiments, an association field representing the associated real-person identity credential is also provided in the real-name identity credential; the associated real-person identity credential refers to the real-person identity credential whose signature was verified by the second provider when issuing the real-name identity credential.
Further, in some embodiments, the real-person identity credential and the real-name identity credential in the authorization request are encrypted by the user using the third identity public key that the verifier has stored in the blockchain;
and the verifier's signature verification of the real-person identity credential and the real-name identity credential, as referred to in the second application module 730, further comprises:
decrypting, by the verifier, the encrypted real-person identity credential and real-name identity credential using a locally stored third identity private key to obtain the plaintext real-person identity credential and real-name identity credential; querying the blockchain for the first identity public key stored by the first provider and the second identity public key stored by the second provider; verifying the digital signature of the real-person identity credential based on the first identity public key, and verifying the digital signature of the real-name identity credential based on the second identity public key; and after the digital signatures of both the real-person identity credential and the real-name identity credential pass verification, determining that the identity authentication for the user passes.
The implementation process of the functions and roles of each module in the above device is described in detail in the implementation process of the corresponding steps of the above method, and is not repeated here.
Since the device embodiments essentially correspond to the method embodiments, reference may be made to the description of the method embodiments for the relevant points. The device embodiments described above are merely illustrative: the units described as separate components may or may not be physically separate, and the components shown as units may or may not be physical units; they may be located in one place or distributed over a plurality of network units. Some or all of the modules may be selected according to actual needs to achieve the purposes of the present invention. Those of ordinary skill in the art can understand and implement the present invention without undue burden.
The blockchain-based identity authentication device whose internal functional modules and structure are described above may in substance be executed by an electronic device, comprising:
a processor;
a memory for storing processor-executable instructions;
wherein the processor is configured to perform any of the embodiments of the blockchain-based identity authentication method described above.
In the above embodiment of the electronic device, it should be understood that the processor may be a central processing unit (CPU), or may be another general-purpose processor, a digital signal processor (DSP), an application-specific integrated circuit (ASIC), or the like. A general-purpose processor may be a microprocessor, or the processor may be any conventional processor; the aforementioned memory may be a read-only memory (ROM), a random access memory (RAM), a flash memory, a hard disk, or a solid-state disk. The steps of a method disclosed in connection with the embodiments of the present invention may be executed directly by a hardware processor, or by a combination of hardware and software modules in the processor.
In addition, the invention also provides a computer readable storage medium, and instructions in the computer readable storage medium, when executed by a processor of an electronic device, can enable the electronic device to execute any embodiment of the blockchain-based identity authentication method.
It should be noted that the above-mentioned embodiments are merely examples of the present invention, and it is obvious that the present invention is not limited to the above-mentioned embodiments, and many similar variations are possible. All modifications attainable or obvious from the present disclosure set forth herein should be deemed to be within the scope of the present disclosure.

Claims (14)

1. A blockchain-based identity authentication method, applied to a verifier of identity credentials in a blockchain of decentralised digital identities, wherein identity public keys associated with the decentralised digital identities, as uploaded by the respective blockchain members, are stored in the blockchain; the blockchain members comprise providers of identity credentials, users of identity credentials and verifiers of identity credentials; the method comprises the following steps:
receiving an authorization request for identity authentication initiated by a user in the blockchain; wherein the authorization request comprises the real-person identity credential and the real-name identity credential of the user; the real-person identity credential is digitally signed by a first provider in the blockchain using a locally stored first identity private key after the real-person verification of the user has passed; and the real-name identity credential is digitally signed by a second provider in the blockchain using a locally stored second identity private key after the signature verification of the real-person identity credential has passed;
in response to the authorization request, querying the blockchain for the first identity public key stored by the first provider and the second identity public key stored by the second provider;
verifying the digital signature of the real-person identity credential based on the first identity public key, and verifying the digital signature of the real-name identity credential based on the second identity public key;
and after the digital signatures of both the real-person identity credential and the real-name identity credential pass verification, determining that the identity authentication for the user passes.
2. The blockchain-based identity authentication method of claim 1, wherein the identity credential issued by the provider is provided with a level field representing the type of identity credential;
the field values of the level field include a first field value representing a real-person identity credential, a second field value representing a real-name identity credential, and a third field value representing an ordinary identity credential.
3. The blockchain-based identity authentication method of claim 2, wherein the real-name identity credential is further provided with an association field representing the associated real-person identity credential; the associated real-person identity credential refers to the real-person identity credential whose signature was verified by the second provider when issuing the real-name identity credential.
4. The blockchain-based identity authentication method of claim 1, wherein the real-person identity credential and the real-name identity credential in the authorization request are encrypted by the user using the third identity public key that the verifier has stored in the blockchain;
and before querying the blockchain for the first identity public key stored by the first provider and the second identity public key stored by the second provider, the method further comprises:
decrypting the encrypted real-person identity credential and real-name identity credential using a locally stored third identity private key to obtain the plaintext real-person identity credential and real-name identity credential.
5. The blockchain-based identity authentication method of claim 4, further comprising, after determining that the identity authentication for the user passes:
acquiring the identity information in the plaintext real-person identity credential and the business information in the real-name identity credential; and performing the related business operation based on the identity information and the business information.
6. The identity authentication method based on the blockchain is applied to a user of identity authentication in the blockchain of the decentralised digital identity, and identity public keys associated with the decentralised digital identity uploaded by the respective blockchain members are stored in the blockchain; the blockchain member comprises an identity provider, an identity user and an identity verifier; the method comprises the following steps:
Sending a first request for identity verification of an entity to a first provider in a blockchain, wherein the first request comprises a decentralised digital identity of the user; the first provider performs real-person verification on the user, and generates real-person identification based on the decentralised digital identity of the user and the identity information of the user acquired in the real-person verification process after the real-person verification is passed;
storing the identity certification of the entity issued by the first provider; wherein the entity identity attestation is digitally signed by the first provider using a locally stored first identity private key;
sending a second request for applying real-name identity authentication to a second provider in a blockchain, wherein the second request comprises the decentralised digital identity of the user and the real-name identity authentication; the second provider is enabled to check the identity of the entity, and after the check is passed, a real-name identity is generated based on the decentralised digital identity of the user and the identity of the entity;
storing the real-name identity certificate issued by the second provider; wherein the real-name identification is digitally signed by the second provider using a locally stored second identity private key.
7. The blockchain-based identity authentication method of claim 6, further comprising:
initiating an authorization request of identity authentication to a verifier in a blockchain; wherein the authorization request comprises the identity authentication and the real name authentication of the user; so that the verifier performs signature verification on the identity verification and the real-name identity verification.
8. The blockchain-based identity authentication method of claim 6, wherein the identity issued by the provider of the blockchain is provided with a rank field representing the type of identity;
the field values of the rank field include a first field value for representing an identity of an entity, a second field value for representing an identity of an entity, and a third field value for representing a common identity.
9. The blockchain-based identity authentication method of claim 8, wherein the real-name identity is further provided with an association field for representing the associated real-name identity; the associated entity identity certificate refers to the entity identity certificate passed by the entity identity certificate verification signature issued by the second provider.
10. The blockchain-based identity authentication method of claim 7, wherein the real-person identity credential and the real-name identity credential in the authorization request are encrypted by the user using a third identity public key of the verifier in the blockchain;
the verifier performing signature verification on the real-person identity credential and the real-name identity credential comprises:
decrypting, by the verifier, the encrypted real-person identity credential and real-name identity credential using a locally stored third identity private key to obtain the plaintext real-person identity credential and real-name identity credential; querying the blockchain for a first identity public key of the first provider and a second identity public key of the second provider; verifying the digital signature of the real-person identity credential based on the first identity public key, and verifying the digital signature of the real-name identity credential based on the second identity public key; and after the digital signatures of both the real-person identity credential and the real-name identity credential pass verification, determining that the identity authentication for the user passes.
11. A blockchain-based identity authentication device, applied to a verifier of identity authentication in a blockchain for decentralized digital identity, wherein identity public keys associated with the decentralized digital identities uploaded by respective blockchain members are stored in the blockchain; the blockchain members comprise identity providers, identity users and identity verifiers; the device comprises:
a receiving module, configured to receive an authorization request for identity authentication initiated by a user in the blockchain;
wherein the authorization request comprises the real-person identity credential and the real-name identity credential of the user; the real-person identity credential is digitally signed by a first provider in the blockchain using a locally stored first identity private key after the real-person verification of the user passes; the real-name identity credential is digitally signed by a second provider in the blockchain using a locally stored second identity private key after the verification of the real-person identity credential passes;
a querying module, configured to query the blockchain for a first identity public key of the first provider and a second identity public key of the second provider;
a signature verification module, configured to verify the digital signature of the real-person identity credential based on the first identity public key and to verify the digital signature of the real-name identity credential based on the second identity public key;
and a determining module, configured to determine that the identity authentication for the user passes after the digital signatures of both the real-person identity credential and the real-name identity credential pass verification.
12. A blockchain-based identity authentication device, applied to a user of identity authentication in a blockchain for decentralized digital identity, wherein identity public keys associated with the decentralized digital identities uploaded by respective blockchain members are stored in the blockchain; the blockchain members comprise identity providers, identity users and identity verifiers; the device comprises:
a first application module, configured to send a first request applying for real-person identity authentication to a first provider in the blockchain, wherein the first request comprises the decentralized digital identity of the user, so that the first provider performs real-person verification on the user and, after the real-person verification passes, generates a real-person identity credential based on the decentralized digital identity of the user and the identity information of the user acquired during the real-person verification;
a first storage module, configured to store the real-person identity credential issued by the first provider, wherein the real-person identity credential is digitally signed by the first provider using a locally stored first identity private key;
a second application module, configured to send a second request applying for real-name identity authentication to a second provider in the blockchain, wherein the second request comprises the decentralized digital identity of the user and the real-person identity credential, so that the second provider verifies the real-person identity credential and, after the verification passes, generates a real-name identity credential based on the decentralized digital identity of the user and the real-person identity credential;
a second storage module, configured to store the real-name identity credential issued by the second provider, wherein the real-name identity credential is digitally signed by the second provider using a locally stored second identity private key.
13. A computer-readable storage medium storing a computer program which, when executed by a processor, implements the method of any one of claims 1 to 10.
14. An electronic device comprising a memory, a processor and a computer program stored on the memory and executable on the processor, wherein the processor implements the method of any one of claims 1 to 10 when executing the program.
CN202310504301.7A 2023-05-04 2023-05-04 Identity authentication method and device based on blockchain Pending CN116662950A (en)

Priority application: CN202310504301.7A, priority date 2023-05-04, filing date 2023-05-04.
Publication: CN116662950A (en), publication date 2023-08-29.
Family ID: 87723265; country status: CN, CN116662950A (en), pending.

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
REG Reference to a national code: ref country code HK; ref legal event code DE; ref document number 40094556; country of ref document HK