CN116680675A - Credential generation and verification methods, apparatus, systems, and computer readable storage media - Google Patents


Info

Publication number: CN116680675A
Authority: CN (China)
Prior art keywords: credential, certificate, holder, voucher, issuer
Legal status: Pending
Application number: CN202310808030.4A
Other languages: Chinese (zh)
Inventors: 陈曦, 张育明, 梁政锋, 黄凯峰, 陈鹏
Current Assignee: China Merchants Bank Co Ltd
Original Assignee: China Merchants Bank Co Ltd
Application filed by China Merchants Bank Co Ltd

Classifications

    • G: PHYSICS
    • G06: COMPUTING; CALCULATING OR COUNTING
    • G06F: ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00: Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/30: Authentication, i.e. establishing the identity or authorisation of security principals
    • G06F21/31: User authentication

    • G: PHYSICS
    • G06: COMPUTING; CALCULATING OR COUNTING
    • G06F: ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00: Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60: Protecting data
    • G06F21/62: Protecting access to data via a platform, e.g. using keys or access control rules
    • G06F21/6218: Protecting access to data via a platform, e.g. using keys or access control rules, to a system of files or objects, e.g. local or distributed file system or database
    • G06F21/6245: Protecting personal data, e.g. for financial or medical purposes

    • G: PHYSICS
    • G06: COMPUTING; CALCULATING OR COUNTING
    • G06F: ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00: Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60: Protecting data
    • G06F21/64: Protecting data integrity, e.g. using checksums, certificates or signatures

Abstract

The invention discloses a credential generation and verification method, apparatus, system and computer readable storage medium. The method comprises the following steps: receiving a credential generation instruction sent by a credential holder, and determining the corresponding credential template according to the credential generation instruction; acquiring the credential content information corresponding to the credential generation instruction, generating a target credential from the credential content information and the credential template, and uploading the target credential to a pre-created open license chain; and receiving a credential verification instruction sent by a credential verifier, determining the credential to be verified that the credential holder presents according to the credential verification instruction, and verifying the credential to be verified against the target credential stored in the open license chain. Because the target credential is generated from the credential content information and the credential template corresponding to the credential holder, ownership of the credential content information rests with the credential holder, which improves privacy security; because the trusted verification of the target credential relies on the tamper-resistance of the open license chain, the credibility of credential verification is improved.

Description

Credential generation and verification methods, apparatus, systems, and computer readable storage media
Technical Field
The present invention relates to the field of financial technology, and in particular to a credential generation and verification method, apparatus, system and computer readable storage medium.
Background
Proving the authenticity and validity of one's identity, qualifications and similar attributes by presenting credentials is a common activity in daily life and work. In the current credential generation and verification process, a trusted third party generally generates and issues the credential to the user, the user presents the credential to a verifier, and the trusted third party assists the verifier in checking the authenticity and validity of the credential.
However, as users demand more sovereignty over their data, independent control of credential files, trustworthy credential content and privacy protection of the data have become basic requirements for credentials. The traditional approach of having a third party issue the credential depends on trusting that third party: ownership of the credential is not fully given to the user, which reduces the user's privacy security, and because the verifier relies on the trusted third party for assistance, there is no uniform supervision, which reduces the credibility of credential verification.
Therefore, how to improve users' privacy security and the credibility of credential verification during credential generation and verification is an urgent problem to be solved.
Disclosure of Invention
The main object of the present invention is to provide a credential generation and verification method, apparatus, system and computer readable storage medium, so as to solve the problem of how to improve users' privacy security and the credibility of credential verification during credential generation and verification.
To achieve the above object, the present invention provides a credential generation and verification method comprising the steps of:
receiving a credential generation instruction sent by a credential holder, and determining the corresponding credential template according to the credential generation instruction;
acquiring the credential content information corresponding to the credential generation instruction, generating a target credential from the credential content information and the credential template, and uploading the target credential to a pre-created open license chain;
and receiving a credential verification instruction sent by a credential verifier, determining the credential to be verified that the credential holder presents according to the credential verification instruction, and verifying the credential to be verified against the target credential stored in the open license chain.
Optionally, before the step of receiving the credential generation instruction sent by the credential holder and determining the corresponding credential template according to the credential generation instruction, the method comprises:
receiving registration instructions from a credential holder and a credential issuer, and generating a credential holder identifier, a credential holder private key, a credential issuer identifier and a credential issuer private key according to the registration instructions;
granting the credential holder identifier and the right to use the credential holder private key to the credential holder, uploading the credential holder identifier to a pre-created open license chain, and holding the credential holder private key in custody;
and granting the credential issuer identifier and the right to use the credential issuer private key to the credential issuer, uploading the credential issuer identifier to the open license chain, and holding the credential issuer private key in custody.
Optionally, after the step of granting the credential issuer identifier and the right to use the credential issuer private key to the credential issuer, uploading the credential issuer identifier to the open license chain, and holding the credential issuer private key in custody, the method comprises:
receiving a credential template registration instruction from the credential issuer, and generating the corresponding credential template according to the application scenario corresponding to the credential template registration instruction;
and uploading the credential template to the open license chain.
Optionally, the step of acquiring the credential content information corresponding to the credential generation instruction and generating the target credential from the credential content information and the credential template comprises:
acquiring the credential content information corresponding to the credential generation instruction, filling the credential content information into the credential template, and generating a first credential;
acquiring the credential holder identifier corresponding to the credential holder and the credential issuer identifier corresponding to the credential issuer, and generating a second credential from the first credential, the credential holder identifier and the credential issuer identifier;
and acquiring the credential issuer private key corresponding to the credential issuer, and applying an issuer signature proof to the second credential with the credential issuer private key to generate the target credential.
Optionally, before the step of uploading the target credential to a pre-created open license chain, the method further comprises:
receiving the credential holder private key sent by the credential holder;
and applying a holder signature proof to the target credential with the credential holder private key, and uploading the target credential carrying the holder signature proof to the pre-created open license chain.
Optionally, the step of verifying the credential to be verified against the target credential stored in the open license chain comprises:
acquiring the on-chain record corresponding to the target credential stored in the open license chain, and verifying from the on-chain record whether the credential to be verified has been tampered with;
acquiring the holder signature proof corresponding to the target credential stored in the open license chain and the credential holder identifier in the credential to be verified, and verifying from the holder signature proof and the credential holder identifier whether the credential to be verified belongs to the credential holder;
and acquiring the issuer signature proof corresponding to the target credential stored in the open license chain and the credential issuer identifier in the credential to be verified, and verifying from the issuer signature proof and the credential issuer identifier whether the credential to be verified was issued by the credential issuer.
Optionally, after the step of verifying the credential to be verified against the target credential stored in the open license chain, the method comprises:
revoking the target credential when a credential revocation instruction sent by the credential holder is received;
and generating a target credential revocation record and uploading the target credential revocation record to the open license chain.
In addition, to achieve the above object, the present invention also provides a credential generation and verification apparatus comprising:
a determining module, configured to receive a credential generation instruction sent by a credential holder and determine the corresponding credential template according to the credential generation instruction;
a generation module, configured to acquire the credential content information corresponding to the credential generation instruction, generate a target credential from the credential content information and the credential template, and upload the target credential to a pre-created open license chain;
and a verification module, configured to receive a credential verification instruction sent by a credential verifier, determine the credential to be verified that the credential holder presents according to the credential verification instruction, and verify the credential to be verified against the target credential stored in the open license chain.
Further, the determining module also comprises a registration module, configured to:
receive registration instructions from a credential holder and a credential issuer, and generate a credential holder identifier, a credential holder private key, a credential issuer identifier and a credential issuer private key according to the registration instructions;
grant the credential holder identifier and the right to use the credential holder private key to the credential holder, upload the credential holder identifier to a pre-created open license chain, and hold the credential holder private key in custody;
and grant the credential issuer identifier and the right to use the credential issuer private key to the credential issuer, upload the credential issuer identifier to the open license chain, and hold the credential issuer private key in custody.
Further, the registration module is also configured to:
receive a credential template registration instruction from the credential issuer, and generate the corresponding credential template according to the application scenario corresponding to the credential template registration instruction;
and upload the credential template to the open license chain.
Further, the generation module is also configured to:
acquire the credential content information corresponding to the credential generation instruction, fill the credential content information into the credential template, and generate a first credential;
acquire the credential holder identifier corresponding to the credential holder and the credential issuer identifier corresponding to the credential issuer, and generate a second credential from the first credential, the credential holder identifier and the credential issuer identifier;
and acquire the credential issuer private key corresponding to the credential issuer, and apply an issuer signature proof to the second credential with the credential issuer private key to generate the target credential.
Further, the generation module is also configured to:
receive the credential holder private key sent by the credential holder;
and apply a holder signature proof to the target credential with the credential holder private key, and upload the target credential carrying the holder signature proof to the pre-created open license chain.
Further, the verification module is also configured to:
acquire the on-chain record corresponding to the target credential stored in the open license chain, and verify from the on-chain record whether the credential to be verified has been tampered with;
acquire the holder signature proof corresponding to the target credential stored in the open license chain and the credential holder identifier in the credential to be verified, and verify from the holder signature proof and the credential holder identifier whether the credential to be verified belongs to the credential holder;
and acquire the issuer signature proof corresponding to the target credential stored in the open license chain and the credential issuer identifier in the credential to be verified, and verify from the issuer signature proof and the credential issuer identifier whether the credential to be verified was issued by the credential issuer.
Further, the verification module also comprises a revocation module, configured to:
revoke the target credential when a credential revocation instruction sent by the credential holder is received;
and generate a target credential revocation record and upload the target credential revocation record to the open license chain.
In addition, to achieve the above object, the present invention also provides a credential generation and verification system comprising a memory, a processor, and a credential generation and verification program stored on the memory and executable on the processor, which, when executed by the processor, implements the steps of the credential generation and verification method described above.
In addition, to achieve the above object, the present invention also provides a computer-readable storage medium having stored thereon a credential generation and verification program which, when executed by a processor, implements the steps of the credential generation and verification method as described above.
The credential generation and verification method provided by the invention receives a credential generation instruction sent by a credential holder and determines the corresponding credential template according to the credential generation instruction; acquires the credential content information corresponding to the credential generation instruction, generates a target credential from the credential content information and the credential template, and uploads the target credential to a pre-created open license chain; and receives a credential verification instruction sent by a credential verifier, determines the credential to be verified that the credential holder presents according to the credential verification instruction, and verifies the credential to be verified against the target credential stored in the open license chain. Because the target credential is generated by combining the credential template with the credential content information corresponding to the credential holder's credential generation instruction, ownership of the credential content information rests with the credential holder, which improves privacy security; because the credential to be verified is checked against the target credential stored in the open license chain, the trusted verification of the target credential relies on the tamper-resistance of the open license chain, which improves the credibility of credential verification.
Drawings
FIG. 1 is a schematic diagram of a device architecture of a hardware operating environment according to an embodiment of the present invention;
FIG. 2 is a flow chart of a first embodiment of the credential generation and verification method of the present invention;
FIG. 3 is a flow chart of a second embodiment of the credential generation and verification method of the present invention;
FIG. 4 is a schematic diagram of a credential generation and verification system framework of the present invention.
The realization, functional characteristics and advantages of the object of the invention will be further described with reference to the attached drawings.
Detailed Description
It should be understood that the specific embodiments described herein are for purposes of illustration only and are not intended to limit the scope of the invention.
Referring to fig. 1, fig. 1 is a schematic device structure of a hardware running environment according to an embodiment of the present invention.
The device of the embodiment of the invention can be a PC or a server device.
As shown in fig. 1, the apparatus may include a processor 1001 such as a CPU, a network interface 1004, a user interface 1003, a memory 1005 and a communication bus 1002. The communication bus 1002 provides the connections over which these components communicate. The user interface 1003 may include a display and an input unit such as a keyboard, and may optionally further include a standard wired interface and a wireless interface. The network interface 1004 may optionally include a standard wired interface and a wireless interface (e.g. a Wi-Fi interface). The memory 1005 may be high-speed RAM or stable (non-volatile) memory such as disk storage, and may optionally be a storage device separate from the processor 1001.
It will be appreciated by those skilled in the art that the device structure shown in fig. 1 is not limiting of the device and may include more or fewer components than shown, or may combine certain components, or a different arrangement of components.
As shown in fig. 1, the memory 1005, which is a type of computer storage medium, may hold an operating system, a network communication module, a user interface module and a credential generation and verification program.
The operating system manages and controls the hardware and software resources of the credential generation and verification system and supports the operation of the network communication module, the user interface module, the credential generation and verification program and other programs or software; the network communication module manages and controls the network interface 1002; the user interface module manages and controls the user interface 1003.
In the credential generation and verification system shown in fig. 1, the processor 1001 invokes the credential generation and verification program stored in the memory 1005 and performs the operations of the embodiments of the credential generation and verification method described below.
Based on the hardware structure, the embodiment of the credential generation and verification method is provided.
Referring to fig. 2, fig. 2 is a schematic flow chart of a first embodiment of the credential generation and verification method of the present invention, the method comprising:
step S10, receiving a credential generation instruction sent by a credential holder, and determining the corresponding credential template according to the credential generation instruction;
step S20, acquiring the credential content information corresponding to the credential generation instruction, generating a target credential from the credential content information and the credential template, and uploading the target credential to a pre-created open license chain;
step S30, receiving a credential verification instruction sent by a credential verifier, determining the credential to be verified that the credential holder presents according to the credential verification instruction, and verifying the credential to be verified against the target credential stored in the open license chain.
The credential generation and verification method is applied to a credential generation and verification system of a financial institution; the system may run on a terminal or a PC, and for convenience the description below takes the credential generation and verification system as its subject. The credential generation and verification system can be accessed by a credential issuer, a credential holder and a credential verifier: the credential issuer is the third party that issues the corresponding credential, the credential holder is the user, that is, the party that needs to obtain and present the credential, and the credential verifier is the party that needs to verify the credential presented by the user. The credential generation and verification system receives a credential generation instruction sent by the credential holder and determines the corresponding credential template from a pre-stored credential template set according to the credential generation instruction; it then acquires the credential content information corresponding to the credential generation instruction, generates a target credential from the credential content information and the credential template, and uploads the target credential to a pre-created open license chain. When the credential holder presents the credential to be verified to the credential verifier, the credential verifier needs to verify it: the credential generation and verification system receives a credential verification instruction sent by the credential verifier, determines the credential to be verified that the credential holder presents according to the credential verification instruction, verifies the credential to be verified against the target credential stored in the open license chain, and returns the verification result to the credential verifier.
The credential generation and verification method of this embodiment receives a credential generation instruction sent by a credential holder and determines the corresponding credential template according to the credential generation instruction; acquires the credential content information corresponding to the credential generation instruction, generates a target credential from the credential content information and the credential template, and uploads the target credential to a pre-created open license chain; and receives a credential verification instruction sent by a credential verifier, determines the credential to be verified that the credential holder presents according to the credential verification instruction, and verifies the credential to be verified against the target credential stored in the open license chain. Because the target credential is generated by combining the credential template with the credential content information corresponding to the credential holder's credential generation instruction, ownership of the credential content information rests with the credential holder, which improves privacy security; because the credential to be verified is checked against the target credential stored in the open license chain, the trusted verification of the target credential relies on the tamper-resistance of the open license chain, which improves the credibility of credential verification.
Each step is explained in detail below.
Step S10, receiving a credential generation instruction sent by a credential holder, and determining the corresponding credential template according to the credential generation instruction;
In this embodiment, the credential generation and verification system receives a credential generation instruction sent by a credential holder and determines the corresponding credential template according to the credential generation instruction. Specifically, when the credential holder needs to present a credential to the credential verifier, the credential holder sends a credential generation instruction to the credential generation and verification system according to the current application scenario and the credential content to be presented, and the credential generation and verification system determines the corresponding credential template according to the received instruction. Taking identity verification as an example: when the credential holder needs to present an identity credential to the credential verifier, the credential content to be presented is the holder's identity information, such as name, age and identity card number; the credential holder accesses the credential generation and verification system and enters a credential generation instruction that includes the identity verification scenario and the credential content to be presented, and the credential generation and verification system selects a suitable identity credential template from the pre-stored credential template set according to the identity verification scenario and the credential content to be presented in the instruction.
Step S20, acquiring the credential content information corresponding to the credential generation instruction, generating a target credential from the credential content information and the credential template, and uploading the target credential to a pre-created open license chain;
In this embodiment, after determining the credential template, the credential generation and verification system acquires the credential content information corresponding to the credential generation instruction, generates a target credential from the credential content information and the credential template, and uploads the target credential to the pre-created open license chain. Note that the credential content information is entered by the credential holder, so the credential holder retains control over their own information, which improves privacy security.
Specifically, the step of acquiring the credential content information corresponding to the credential generation instruction and generating the target credential from the credential content information and the credential template comprises:
Step S201, acquiring the credential content information corresponding to the credential generation instruction, filling the credential content information into the credential template, and generating a first credential;
In this step, the credential generation and verification system acquires the credential content information corresponding to the credential generation instruction and fills it into the credential template to generate a first credential. Taking identity verification as an example: when the credential holder needs to present an identity credential to the credential verifier, the credential content information to be presented is the holder's identity information, such as name, age and identity card number, and the credential generation and verification system fills the name, age, identity card number and other items of the credential content information into the corresponding fields of the credential template to obtain the first credential.
Step S202, acquiring the credential holder identifier corresponding to the credential holder and the credential issuer identifier corresponding to the credential issuer, and generating a second credential from the first credential, the credential holder identifier and the credential issuer identifier;
In this step, the credential generation and verification system acquires the credential holder identifier corresponding to the credential holder and the credential issuer identifier corresponding to the credential issuer, and generates a second credential from the first credential, the credential holder identifier and the credential issuer identifier. Note that the credential holder and the credential issuer have registered with the credential generation and verification system in advance: the system generated the credential holder identifier corresponding to the credential holder and the credential issuer identifier corresponding to the credential issuer and uploaded both identifiers to the system's open license chain. Both identifiers are DIDs (Decentralized Identifiers), distributed digital identities that represent an identity within the DID system, that is, the identity of the credential holder in the credential generation and verification system.
Step S203, obtaining a credential issuer private key corresponding to the credential issuer, and applying an issuer signature proof to the second credential based on the credential issuer private key to generate the target credential.
In this step, the credential generation and verification system obtains the credential issuer private key corresponding to the credential issuer and applies an issuer signature proof to the second credential with that key, proving that the credential was genuinely issued by the credential issuer, and thereby generates the target credential. Note that the credential issuer registers with the credential generation and verification system in advance; the system generates the credential issuer identifier, uploads it to its open license chain, and associates it with one credential issuer private key, which is sent only to the credential issuer for safekeeping.
Specifically, after obtaining the second credential, the credential generation and verification system sends a corresponding credential generation message to the credential issuer. The credential issuer determines the second credential from that message and audits it; once it confirms that the second credential is correct, it sends an issuer signature proof instruction to the system. The system then obtains the credential issuer private key according to the instruction and applies the issuer signature proof to the second credential, proving that the credential was genuinely issued by the credential issuer, and thereby generates the target credential.
Further, before the step of uploading the target credential to a pre-created open license chain, the method comprises:
Step S204, receiving the credential holder private key sent by the credential holder;
Step S205, applying a holder signature proof to the target credential with the credential holder private key, and uploading the target credential carrying the holder signature proof to the pre-created open license chain.
In steps S204 to S205, after generating the target credential, the credential generation and verification system receives the credential holder private key sent by the credential holder and applies a holder signature proof to the target credential with that key, proving that the target credential belongs to the credential holder. Note that the credential holder identifier is associated with one credential holder private key, which is sent only to the credential holder for safekeeping.
Further, after uploading the target credential carrying the holder signature proof to the pre-created open license chain, the credential generation and verification system also sends the target credential to the credential holder, who can present it to the credential verifier as the credential to be verified whenever a credential must be shown. The credential holder can first determine which credential content the credential verifier needs to check, and hide every other item of credential content in the credential to be verified so that it is not shown to the verifier, which improves privacy. For example, in the identity verification scenario the content to be presented according to the credential template includes the holder's name, age and identity card number, so the target credential finally generated contains all of them; in some identity verification scenarios, however, the credential verifier only needs to check the identity card number. The credential holder can then send a hiding instruction to the credential generation and verification system to hide the name, age and other items in the credential to be verified, so that only the identity card number is shown to the credential verifier.
Step S30, receiving a credential verification instruction sent by the credential verifier, determining the credential to be verified presented by the credential holder according to the credential verification instruction, and verifying the credential to be verified based on the target credential stored in the open license chain.
In this embodiment, after the credential holder presents the credential to be verified to the credential verifier through the credential generation and verification system, the credential verifier needs to check its authenticity: it obtains the credential to be verified, generates a credential verification instruction from it, and sends the instruction to the credential generation and verification system. The system receives the instruction, determines the credential to be verified presented by the credential holder, verifies it against the target credential stored in the open license chain, and returns the verification result to the credential verifier.
Specifically, the step of verifying the credential to be verified through the pre-created open license chain includes:
Step S301, obtaining the on-chain record corresponding to the target credential stored in the open license chain, and checking from the on-chain record whether the credential to be verified has been tampered with;
In this step, the credential generation and verification system obtains the on-chain record corresponding to the target credential stored in the open license chain and uses it to check whether the credential to be verified has been tampered with. At each step of generating the target credential, the credential is uploaded to the open license chain to form an on-chain record, and in general no party can modify a target credential stored on the chain. The copy of the target credential delivered to the credential holder, however, can be tampered with off-chain, so when the holder presents it to the credential verifier as the credential to be verified, the verifier obtains the on-chain record of the target credential through the credential generation and verification system and compares it with the information in the presented credential: if the two are identical, the credential to be verified has not been tampered with; if they differ, it has.
Step S302, obtaining the holder signature proof corresponding to the target credential stored in the open license chain and the credential holder identifier in the credential to be verified, and verifying from the holder signature proof and the credential holder identifier whether the credential to be verified belongs to the credential holder;
In this step, after determining that the credential to be verified has not been tampered with, the credential generation and verification system obtains the holder signature proof of the target credential stored in the open license chain and the credential holder identifier carried in the credential to be verified, and verifies from them whether the credential belongs to the credential holder. Specifically, the credential holder identifier in the credential to be verified contains the credential holder public key; the system verifies the stored holder signature proof with that public key, and if verification succeeds the credential to be verified belongs to the credential holder, otherwise it does not. Because step S301 has already matched the credential to be verified against its on-chain record, the holder identifier read from the presented credential cannot have been swapped for one the presenter controls, which is what makes checking the signature against that identifier meaningful.
Step S303, obtaining the issuer signature proof corresponding to the target credential stored in the open license chain and the credential issuer identifier in the credential to be verified, and verifying from the issuer signature proof and the credential issuer identifier whether the credential to be verified was issued by the credential issuer.
In this step, the credential generation and verification system obtains the issuer signature proof of the target credential stored in the open license chain and the credential issuer identifier carried in the credential to be verified, and verifies from them whether the credential was issued by the credential issuer. Specifically, the credential issuer identifier in the credential to be verified contains the credential issuer public key; the system verifies the stored issuer signature proof with that public key, and if verification succeeds the credential to be verified was issued by the credential issuer, otherwise it was not.
It can be understood that the credential generation and verification system determines that the credential to be verified is authentic only when it has not been tampered with, belongs to the credential holder, and was issued by the credential issuer; if it has been tampered with, does not belong to the credential holder, or was not issued by the credential issuer, the system determines that it is not authentic.
Further, after step S30 the method includes:
Step S40, when a credential revocation instruction sent by the credential holder is received, revoking the target credential;
Step S50, generating a target credential revocation record and uploading it to the open license chain.
In steps S40 to S50, upon receiving a credential revocation instruction from the credential holder, the credential generation and verification system revokes the target credential so that it loses its proving effect, then generates a target credential revocation record and uploads it to the open license chain. A revoked target credential can no longer be reused by others, which improves privacy. Since the signature proofs on a revoked credential still verify on their own, the revocation records on the chain must be consulted as part of step S30 for the revocation to take effect.
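The issuance flow of steps S201 to S205, the hiding of fields before presentation, and the three verification checks S301 to S303 fit together as follows. This is an added illustration in Go, not code from the patent or from China Merchants Bank. It assumes Ed25519 keys; a `did:example:` identifier that encodes the public key (the text says the identifier contains the key but gives no encoding); an in-memory map standing in for the open license chain; and, because the text does not say how hiding fields keeps the signature proofs verifiable, a salted per-field hash commitment so that both signatures cover commitments rather than plaintext values. The names `Issue`, `Present`, `Verify`, `Body`, `Target`, `Chain` and `Disclosure` are the example's own.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"errors"
	"strings"
)

// A DID is derived from the public key so the verifier can recover the key from
// the identifier carried in the credential ("did:example" encoding is an assumption).
func DIDFromKey(priv ed25519.PrivateKey) string {
	return "did:example:" + hex.EncodeToString(priv.Public().(ed25519.PublicKey))
}
func KeyFromDID(did string) (ed25519.PublicKey, error) {
	raw, err := hex.DecodeString(strings.TrimPrefix(did, "did:example:"))
	if err != nil || len(raw) != ed25519.PublicKeySize || !strings.HasPrefix(did, "did:example:") {
		return nil, errors.New("malformed DID")
	}
	return raw, nil
}

// Disclosure is one revealed field. Hiding a field means omitting its Disclosure;
// its salted commitment stays in the signed body (assumed mechanism, not the page's).
type Disclosure struct{ Name, Salt, Value string }

func commitment(d Disclosure) string {
	h := sha256.Sum256([]byte(d.Name + "\x00" + d.Salt + "\x00" + d.Value))
	return hex.EncodeToString(h[:])
}

// Body is the "second credential": template, field commitments, holder and issuer DIDs.
// Digest hashes its canonical JSON form (encoding/json emits map keys sorted).
type Body struct {
	Template, HolderDID, IssuerDID string
	Commitments                    map[string]string
}
func (b Body) Digest() []byte {
	raw, _ := json.Marshal(b)
	h := sha256.Sum256(raw)
	return h[:]
}

// Target is the "target credential": body, issuer and holder signatures, and the shown fields.
type Target struct {
	Body                 Body
	IssuerSig, HolderSig []byte
	Disclosures          []Disclosure
}
// Chain stands in for the open license chain: the uploaded credential keyed by body digest.
type Chain map[string]Target

// Issue runs S201-S205: fill the template, attach both DIDs, issuer signs, holder signs, upload.
func Issue(c Chain, template string, claims map[string]string, issuer, holder ed25519.PrivateKey) Target {
	t := Target{Body: Body{template, DIDFromKey(holder), DIDFromKey(issuer), map[string]string{}}}
	for name, val := range claims {
		salt := make([]byte, 16)
		if _, err := rand.Read(salt); err != nil {
			panic(err)
		}
		d := Disclosure{name, hex.EncodeToString(salt), val}
		t.Body.Commitments[name] = commitment(d)
		t.Disclosures = append(t.Disclosures, d)
	}
	t.IssuerSig = ed25519.Sign(issuer, t.Body.Digest())                        // S203
	t.HolderSig = ed25519.Sign(holder, append(t.Body.Digest(), t.IssuerSig...)) // S205: holder signs the issued credential
	c[hex.EncodeToString(t.Body.Digest())] = Target{t.Body, t.IssuerSig, t.HolderSig, nil}
	return t
}

// Present keeps only the fields in show; signatures stay valid because they cover commitments, not values.
func Present(t Target, show map[string]bool) Target {
	p := Target{t.Body, t.IssuerSig, t.HolderSig, nil}
	for _, d := range t.Disclosures {
		if show[d.Name] {
			p.Disclosures = append(p.Disclosures, d)
		}
	}
	return p
}

// Verify runs S301-S303 in that order: on-chain record first, then holder and issuer signatures.
func Verify(c Chain, p Target) error {
	rec, ok := c[hex.EncodeToString(p.Body.Digest())]
	if !ok || string(rec.IssuerSig) != string(p.IssuerSig) || string(rec.HolderSig) != string(p.HolderSig) {
		return errors.New("S301: presented credential differs from its on-chain record")
	}
	for _, d := range p.Disclosures { // each shown value must open a committed field
		if p.Body.Commitments[d.Name] != commitment(d) {
			return errors.New("S301: a disclosed field does not match its commitment")
		}
	}
	if pub, err := KeyFromDID(p.Body.HolderDID); err != nil || !ed25519.Verify(pub, append(p.Body.Digest(), p.IssuerSig...), p.HolderSig) {
		return errors.New("S302: holder signature invalid")
	}
	if pub, err := KeyFromDID(p.Body.IssuerDID); err != nil || !ed25519.Verify(pub, p.Body.Digest(), p.IssuerSig) {
		return errors.New("S303: issuer signature invalid")
	}
	return nil
}
```

A caller generates the two keys with `ed25519.GenerateKey` or `ed25519.NewKeyFromSeed`, calls `Issue` with the constructed identity claims (name, age, identity card number), passes `Present(cred, map[string]bool{"id_card": true})` to the verifier, and the verifier calls `Verify`. `Verify` deliberately performs S301 before S302 and S303: the holder and issuer public keys are read from the identifiers inside the presented credential, so only the prior match against the on-chain record stops a presenter from substituting identifiers for keys they control. The revocation records of steps S40 to S50 would be one more on-chain lookup at the end of `Verify`; they are left out of this block.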
The credential generation and verification system of this embodiment receives a credential generation instruction sent by a credential holder and determines the corresponding credential template; obtains the credential content information corresponding to the instruction, generates a target credential from that content and the template, and makes the target credential available for presentation to a credential verifier; and receives a credential verification instruction from the credential verifier and verifies the credential through the pre-created open license chain. Because the target credential is generated from credential content supplied through the holder's own generation instruction, ownership of the content and of the target credential rests entirely with the credential holder and nobody else can forge or impersonate the credential, which improves privacy; and because the credential to be verified is checked against the target credential stored in the open license chain, whose records cannot be tampered with, the trustworthiness of credential verification is improved.
Further, referring to fig. 3, a second embodiment of the credential generation and verification method of the present invention is proposed on the basis of the first embodiment.
The second embodiment differs from the first in that, before step S10, it comprises:
Step a, receiving registration instructions from a credential holder and a credential issuer, and generating a credential holder identifier, a credential holder private key, a credential issuer identifier and a credential issuer private key according to the registration instructions;
Step b, granting the credential holder identifier and the right to use the credential holder private key to the credential holder, uploading the credential holder identifier to a pre-created open license chain, and hosting the credential holder private key;
Step c, granting the credential issuer identifier and the right to use the credential issuer private key to the credential issuer, uploading the credential issuer identifier to the open license chain, and hosting the credential issuer private key.
In this embodiment, the credential generation and verification system first registers the credential holder and credential issuer that access it: it receives their registration instructions and generates a credential holder identifier, a credential holder private key, a credential issuer identifier and a credential issuer private key from them. The system grants the credential holder identifier and the right to use the credential holder private key to the credential holder, uploads the credential holder identifier to the pre-created open license chain, and stores and hosts the credential holder private key; likewise it grants the credential issuer identifier and the right to use the credential issuer private key to the credential issuer, uploads the credential issuer identifier to the open license chain, and stores and hosts the credential issuer private key. This prepares for the subsequent generation of the target credential and the credential to be verified.
It can be understood that by storing and hosting the credential issuer private key and the credential holder private key, the credential generation and verification system ensures that neither key is lost, avoiding unnecessary risk. The trade-off is that a hosted key can be used by the hosting system as well as by its owner, so in this mode the holder-ownership and issuer-authenticity proofs are only as strong as the trust placed in the system; the self-custody option described next removes that dependency.
Optionally, the credential issuer generates its own credential issuer private key and derives the credential issuer identifier from it. When the credential issuer accesses the system to register, it sends a registration instruction containing the credential issuer identifier; the system registers the issuer by that identifier and uploads it to the open license chain, while the credential issuer private key is kept by the issuer itself. Similarly, the credential holder generates its own credential holder private key, derives the credential holder identifier from it, and sends a registration instruction containing that identifier when it accesses the system to register; the system registers the holder by the identifier and uploads it to the open license chain, while the credential holder private key is kept by the holder itself.
Specifically, step c is followed by:
Step d, receiving a credential template registration instruction from the credential issuer, and generating a corresponding credential template according to the application scenario of the credential template registration instruction;
Step e, uploading the credential template to the open license chain.
In steps d to e, the credential generation and verification system receives a credential template registration instruction from the credential issuer, generates the corresponding credential template according to the application scenario of the instruction, and uploads the template to the open license chain. Note that the system manages credential templates by application scenario.
The credential generation and verification system of this embodiment receives registration instructions from the credential holder and the credential issuer and provides them with a credential holder identifier, a credential holder private key, a credential issuer identifier and a credential issuer private key, which facilitates credential generation and verification and helps improve the privacy of credential generation and the trustworthiness of credential verification. The system generates credential templates according to the application scenario of each template registration instruction, so a credential issuer can create different templates for different scenarios and respond quickly to the large volume of services in the digital era.
In a specific implementation, a schematic diagram of the framework of the credential generation and verification system is shown in fig. 4; architecturally the system is divided into four layers: base, DID service, business and user.
1. The base layer uses an open license chain as the trusted base platform, manages the whole flow of registering, querying and verifying DIDs and credentials through smart contracts, and guarantees that DIDs and credentials are authentic and tamper-proof;
2. the DID service layer manages the participants (credential holder, credential issuer, credential verifier and so on), provides template creation, supports DID issuance and on-chain registration, supports credential issuance, auditing, querying and revocation, and provides privacy-preserving computation tools that protect user data;
3. the business layer supports proof services of various kinds, such as asset, deposit and identity proofs, and its generalized template management can be adapted quickly to further business scenarios;
4. the user layer: the credential holder, credential issuer, credential verifier and so on perform management operations through the Web back end, and hold, present and verify DIDs and credentials through the mini-program front end.
The invention also provides a credential generation and verification device, comprising:
a determining module, configured to receive a credential generation instruction sent by a credential holder and determine a corresponding credential template according to the credential generation instruction;
a generating module, configured to obtain credential content information corresponding to the credential generation instruction, generate a target credential according to the credential content information and the credential template, and upload the target credential to a pre-created open license chain;
and a verification module, configured to receive a credential verification instruction sent by the credential verifier, determine the credential to be verified presented by the credential holder according to the credential verification instruction, and verify the credential to be verified based on the target credential stored in the open license chain.
Further, the determining module includes a registration module, configured to:
receive registration instructions from a credential holder and a credential issuer, and generate a credential holder identifier, a credential holder private key, a credential issuer identifier and a credential issuer private key according to the registration instructions;
grant the credential holder identifier and the right to use the credential holder private key to the credential holder, upload the credential holder identifier to a pre-created open license chain, and host the credential holder private key;
and grant the credential issuer identifier and the right to use the credential issuer private key to the credential issuer, upload the credential issuer identifier to the open license chain, and host the credential issuer private key.
Further, the registration module is also configured to:
receive a credential template registration instruction from the credential issuer, and generate a corresponding credential template according to the application scenario of the credential template registration instruction;
and upload the credential template to the open license chain.
Further, the generating module is also configured to:
obtain credential content information corresponding to the credential generation instruction, fill the credential content information into the credential template, and generate a first credential;
obtain a credential holder identifier corresponding to the credential holder and a credential issuer identifier corresponding to the credential issuer, and generate a second credential based on the first credential, the credential holder identifier and the credential issuer identifier;
and obtain a credential issuer private key corresponding to the credential issuer, and apply an issuer signature proof to the second credential based on the credential issuer private key to generate the target credential.
Further, the generating module is also configured to:
receive the credential holder private key sent by the credential holder;
and apply a holder signature proof to the target credential with the credential holder private key, and upload the target credential carrying the holder signature proof to the pre-created open license chain.
Further, the verification module is also configured to:
obtain the on-chain record corresponding to the target credential stored in the open license chain, and check from the on-chain record whether the credential to be verified has been tampered with;
obtain the holder signature proof corresponding to the target credential stored in the open license chain and the credential holder identifier in the credential to be verified, and verify from the holder signature proof and the credential holder identifier whether the credential to be verified belongs to the credential holder;
and obtain the issuer signature proof corresponding to the target credential stored in the open license chain and the credential issuer identifier in the credential to be verified, and verify from the issuer signature proof and the credential issuer identifier whether the credential to be verified was issued by the credential issuer.
Further, the verification module includes a revocation module, configured to:
revoke the target credential when a credential revocation instruction sent by the credential holder is received;
and generate a target credential revocation record and upload it to the open license chain.
The invention also provides a credential generation and verification system.
The credential generation and verification system of the present invention includes: a memory, a processor, and a credential generation and verification program stored on the memory and executable on the processor, which when executed by the processor, implements the steps of the credential generation and verification method as described above.
The method implemented when the credential generation and verification program running on the processor is executed may refer to various embodiments of the credential generation and verification method of the present invention, and will not be described herein.
The invention also provides a computer readable storage medium.
The computer readable storage medium of the present invention has stored thereon a credential generation and verification program which, when executed by a processor, implements the steps of the credential generation and verification method as described above.
The method implemented when the credential generation and verification program running on the processor is executed may refer to various embodiments of the credential generation and verification method of the present invention, and will not be described herein.
It should be noted that, in this document, the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or system that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or system. Without further limitation, an element defined by the phrase "comprising one … …" does not exclude the presence of other like elements in a process, method, article, or system that comprises the element.
The foregoing embodiment numbers of the present invention are merely for the purpose of description, and do not represent the advantages or disadvantages of the embodiments.
From the above description of the embodiments, it will be clear to those skilled in the art that the above-described embodiment method may be implemented by means of software plus a necessary general hardware platform, but of course may also be implemented by means of hardware, but in many cases the former is a preferred embodiment. Based on such understanding, the technical solution of the present invention may be embodied essentially or in a part contributing to the prior art in the form of a software product stored in a storage medium (e.g. ROM/RAM, magnetic disk, optical disk) as described above, comprising instructions for causing a terminal device (which may be a mobile phone, a computer, a server, or a network device, etc.) to perform the method according to the embodiments of the present invention.
The foregoing description is only of the preferred embodiments of the present invention, and is not intended to limit the scope of the invention, but rather is intended to cover any equivalents of the structures or equivalent processes disclosed herein, or any application, directly or indirectly, in the field of other related technology.

Claims (10)

1. A credential generation and verification method, comprising the steps of:
receiving a credential generation instruction sent by a credential holder, and determining a corresponding credential template according to the credential generation instruction;
obtaining credential content information corresponding to the credential generation instruction, generating a target credential according to the credential content information and the credential template, and uploading the target credential to a pre-created open license chain;
and receiving a credential verification instruction sent by a credential verifier, determining a credential to be verified presented by the credential holder according to the credential verification instruction, and verifying the credential to be verified based on the target credential stored in the open license chain.
2. The credential generation and verification method according to claim 1, wherein the step of receiving a credential generation instruction sent by a credential holder and determining a corresponding credential template according to the credential generation instruction is preceded by:
receiving registration instructions from a credential holder and a credential issuer, and generating a credential holder identifier, a credential holder private key, a credential issuer identifier and a credential issuer private key according to the registration instructions;
granting the credential holder identifier and the right to use the credential holder private key to the credential holder, uploading the credential holder identifier to a pre-created open license chain, and hosting the credential holder private key;
and granting the credential issuer identifier and the right to use the credential issuer private key to the credential issuer, uploading the credential issuer identifier to the open license chain, and hosting the credential issuer private key.
3. The credential generation and verification method according to claim 2, wherein after the step of granting the credential holder identifier and the right to use the credential holder private key to the credential holder, uploading the credential holder identifier to a pre-created open license chain, and hosting the credential holder private key, the method comprises:
receiving a credential template registration instruction from the credential issuer, and generating a corresponding credential template according to the application scenario of the credential template registration instruction;
and uploading the credential template to the open license chain.
4. The credential generation and verification method according to claim 1, wherein the step of obtaining credential content information corresponding to the credential generation instruction and generating a target credential according to the credential content information and the credential template comprises:
obtaining credential content information corresponding to the credential generation instruction, filling the credential content information into the credential template, and generating a first credential;
obtaining a credential holder identifier corresponding to the credential holder and a credential issuer identifier corresponding to the credential issuer, and generating a second credential based on the first credential, the credential holder identifier and the credential issuer identifier;
and obtaining a credential issuer private key corresponding to the credential issuer, and applying an issuer signature proof to the second credential based on the credential issuer private key to generate the target credential.
5. A credential generation and verification method in accordance with claim 1, wherein the step of uploading the target credential to a pre-established open license chain is preceded by:
receiving the credential holder private key sent by the credential holder;
and applying a holder signing certification to the target credential according to the credential holder private key, and uploading the target credential bearing the holder signing certification to the pre-established open license chain.
6. A credential generation and verification method as defined in claim 5, wherein the step of verifying the credential to be verified based on the target credential stored in the open license chain comprises:
acquiring the on-chain record corresponding to the target credential stored in the open license chain, and verifying according to the on-chain record whether the credential to be verified has been tampered with;
acquiring the holder signing certification corresponding to the target credential stored in the open license chain and the credential holder identifier in the credential to be verified, and verifying whether the credential to be verified belongs to the credential holder based on the holder signing certification and the credential holder identifier;
and acquiring the issuer signing certification corresponding to the target credential stored in the open license chain and the credential issuer identifier in the credential to be verified, and verifying whether the credential to be verified was issued by the credential issuer based on the issuer signing certification and the credential issuer identifier.
7. A credential generation and verification method in accordance with claim 1, wherein, after the step of verifying the credential to be verified based on the target credential stored in the open license chain, the method comprises:
revoking the target credential when a credential revocation instruction sent by the credential holder is received;
and generating a target credential revocation record and uploading the target credential revocation record to the open license chain.
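The flow of claims 2 through 7 (registration with key escrow, template registration, template filling, issuer and holder signing certifications, the on-chain record, the three verification checks, and holder-initiated revocation) is shown below as an added example in Python. It is not code from the patent or from China Merchants Bank: the `Platform` and `OpenLicenseChain` classes, the `did:example:` identifiers, the hash-chained record list and the sample "degree" template are all assumptions made for illustration. Signatures are modelled with HMAC over the escrowed key, which reproduces the claims' trust model (the platform that hosts the private keys also performs verification); a deployment would substitute a public-key signature such as Ed25519 so that the signing certification can be checked from the identifier's public key on chain.

```python
import hashlib
import hmac
import json
import secrets


def canonical(obj) -> bytes:
    """Deterministic serialisation so digests and signatures are reproducible."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()


def digest(obj) -> str:
    return hashlib.sha256(canonical(obj)).hexdigest()


def sign(key: bytes, obj) -> str:
    # Assumption: HMAC stands in for a public-key signature. The platform both hosts
    # the keys (claim 2) and verifies (claim 6); swap in Ed25519 for third-party checks.
    return hmac.new(key, canonical(obj), hashlib.sha256).hexdigest()


def verify_sig(key: bytes, obj, sig: str) -> bool:
    return hmac.compare_digest(sign(key, obj), sig)


class OpenLicenseChain:
    """Append-only, hash-chained record list standing in for the open license chain."""

    def __init__(self):
        self.records = []

    def upload(self, kind: str, payload: dict) -> dict:
        prev = self.records[-1]["hash"] if self.records else "0" * 64
        rec = {"kind": kind, "payload": payload, "prev": prev}
        rec["hash"] = digest(rec)
        self.records.append(rec)
        return rec

    def find(self, kind: str, **match) -> list:
        return [r["payload"] for r in self.records if r["kind"] == kind
                and all(r["payload"].get(k) == v for k, v in match.items())]


class Platform:
    def __init__(self):
        self.chain = OpenLicenseChain()
        self.escrow = {}     # identifier -> escrowed private key (claim 2)
        self.templates = {}  # application scenario -> template (claim 3)

    def register(self, role: str):
        """Claim 2: identifier goes on chain; the private key is escrowed and handed out."""
        ident = f"did:example:{role}:{secrets.token_hex(4)}"  # constructed identifier format
        key = secrets.token_bytes(32)
        self.escrow[ident] = key
        self.chain.upload("identity", {"id": ident, "role": role})
        return ident, key

    def register_template(self, issuer_id: str, scene: str, fields) -> None:
        """Claim 3: one template per application scenario, uploaded to the chain."""
        tmpl = {"scene": scene, "fields": list(fields), "issuer": issuer_id}
        self.templates[scene] = tmpl
        self.chain.upload("template", tmpl)

    def generate(self, holder_id: str, issuer_id: str, scene: str, content: dict) -> dict:
        """Claim 4: first credential -> second credential -> issuer-signed target credential."""
        tmpl = self.templates[scene]
        if tmpl["issuer"] != issuer_id:
            raise PermissionError("template was registered by a different issuer")
        missing = [f for f in tmpl["fields"] if f not in content]
        if missing:
            raise ValueError(f"content lacks template fields {missing}")
        first = {"scene": scene, "claims": {f: content[f] for f in tmpl["fields"]}}
        second = {**first, "holder": holder_id, "issuer": issuer_id}
        return {**second, "issuer_sig": sign(self.escrow[issuer_id], second)}

    def holder_sign_and_upload(self, target: dict, holder_key: bytes) -> dict:
        """Claim 5: holder signing certification, then the credential's record goes on chain."""
        if not hmac.compare_digest(holder_key, self.escrow[target["holder"]]):
            raise PermissionError("key does not match the escrowed holder key")
        cred = {**target, "holder_sig": sign(holder_key, target)}
        self.chain.upload("credential", {
            "digest": digest(cred), "holder": cred["holder"], "issuer": cred["issuer"],
            "holder_sig": cred["holder_sig"], "issuer_sig": cred["issuer_sig"]})
        return cred

    def verify(self, presented: dict) -> dict:
        """Claim 6: tamper, holder and issuer checks against the on-chain record; claim 7 status."""
        d = digest(presented)
        recs = self.chain.find("credential", digest=d)
        result = {"untampered": bool(recs), "holder_ok": False, "issuer_ok": False, "revoked": False}
        if not recs:
            return result  # no on-chain record with this digest: altered or never issued
        rec = recs[0]
        target = {k: v for k, v in presented.items() if k != "holder_sig"}
        second = {k: v for k, v in target.items() if k != "issuer_sig"}
        hk, ik = self.escrow.get(presented["holder"]), self.escrow.get(presented["issuer"])
        result["holder_ok"] = hk is not None and verify_sig(hk, target, rec["holder_sig"])
        result["issuer_ok"] = ik is not None and verify_sig(ik, second, rec["issuer_sig"])
        result["revoked"] = bool(self.chain.find("revocation", digest=d))
        return result

    def revoke(self, presented: dict, holder_key: bytes) -> None:
        """Claim 7: holder-initiated revocation, recorded on chain."""
        if not hmac.compare_digest(holder_key, self.escrow[presented["holder"]]):
            raise PermissionError("only the credential holder may revoke")
        self.chain.upload("revocation", {"digest": digest(presented), "holder": presented["holder"]})


def demo() -> dict:
    """Constructed walk-through: issue, verify, present a tampered copy, revoke."""
    p = Platform()
    holder_id, holder_key = p.register("holder")
    issuer_id, _ = p.register("issuer")
    p.register_template(issuer_id, "degree", ["name", "degree", "year"])
    target = p.generate(holder_id, issuer_id, "degree",
                        {"name": "Alice", "degree": "BSc", "year": 2021})  # constructed content
    cred = p.holder_sign_and_upload(target, holder_key)
    genuine = p.verify(cred)
    forged = p.verify({**cred, "claims": {**cred["claims"], "degree": "PhD"}})
    p.revoke(cred, holder_key)
    return {"genuine": genuine, "forged": forged, "after_revoke": p.verify(cred)}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The tamper check in `verify` works because the on-chain record stores the digest of the credential as presented, holder signature included; any edit to the claims changes the digest and no record matches, so the holder and issuer checks are not even reached. Revocation is a separate on-chain record rather than a deletion, which keeps the original issuance record auditable, so a verifier must always consult both the credential record and the revocation records.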
8. A credential generation and verification device, the credential generation and verification device comprising:
a determining module, configured to receive a credential generation instruction sent by a credential holder and to determine a corresponding credential template according to the credential generation instruction;
a generation module, configured to acquire credential content information corresponding to the credential generation instruction, to generate a target credential according to the credential content information and the credential template, and to upload the target credential to a pre-established open license chain;
and a verification module, configured to receive a credential verification instruction sent by a credential verifier, to determine the credential to be verified presented by the credential holder according to the credential verification instruction, and to verify the credential to be verified based on the target credential stored in the open license chain.
9. A credential generation and verification system, the credential generation and verification system comprising: memory, a processor and a credential generation and verification program stored on the memory and executable on the processor, which when executed by the processor, implements the steps of the credential generation and verification method of any one of claims 1 to 7.
10. A computer readable storage medium, characterized in that it has stored thereon a credential generation and verification program, which when executed by a processor implements the steps of the credential generation and verification method according to any of claims 1 to 7.
CN202310808030.4A | 2023-07-03 | 2023-07-03 | Credential generation and verification methods, apparatus, systems, and computer readable storage media | Pending | CN116680675A (en)

Priority Applications (1)

Application Number | Priority Date | Filing Date | Title
CN202310808030.4A, CN116680675A (en) | 2023-07-03 | 2023-07-03 | Credential generation and verification methods, apparatus, systems, and computer readable storage media

Applications Claiming Priority (1)

Application Number | Priority Date | Filing Date | Title
CN202310808030.4A, CN116680675A (en) | 2023-07-03 | 2023-07-03 | Credential generation and verification methods, apparatus, systems, and computer readable storage media

Publications (1)

Publication Number | Publication Date
CN116680675A | 2023-09-01

Family

ID=87785591

Family Applications (1)

Application Number | Title | Priority Date | Filing Date
CN202310808030.4A, CN116680675A (en), Pending | Credential generation and verification methods, apparatus, systems, and computer readable storage media | 2023-07-03 | 2023-07-03

Country Status (1)

Country | Link
CN (1) | CN116680675A (en)

Similar Documents

Publication Publication Date Title
US11223614B2 (en) Single sign on with multiple authentication factors
CN110958118B (en) Certificate authentication management method, device, equipment and computer readable storage medium
US10833873B2 (en) Credential-based authorization
CN106992988B (en) Cross-domain anonymous resource sharing platform and implementation method thereof
CN106452772B (en) Terminal authentication method and device
CN111224788B (en) Electronic contract management method, device and system based on block chain
US11757640B2 (en) Non-fungible token authentication
CN103856477A (en) Trusted computing system, corresponding attestation method and corresponding devices
US20090288155A1 (en) Determining an identity of a third-party user in an saml implementation of a web-service
Abraham et al. Revocable and offline-verifiable self-sovereign identities
EP2262165B1 (en) User generated content registering method, apparatus and system
US20040083359A1 (en) Delegation by electronic certificate
CN114519206B (en) Method for anonymously signing electronic contract and signature system
CN114666168A (en) Decentralized identity certificate verification method and device, and electronic equipment
JPH1125045A (en) Access control method, its device, attribute certificate issuing device, and machine-readable recording medium
CN112968779A (en) Security authentication and authorization control method, control system and program storage medium
US11461451B2 (en) Document signing system for mobile devices
US11275858B2 (en) Document signing system for mobile devices
CN116680675A (en) Credential generation and verification methods, apparatus, systems, and computer readable storage media
CN114329610A (en) Block chain privacy identity protection method, device, storage medium and system
Fugkeaw et al. Multi-Application Authentication based on Multi-Agent System.
JP2008090701A (en) Authentication access control system and add-in module to be used therefor
CN111555887A (en) Block chain certificate compatibility processing method and device and computer storage medium
CN117641352B (en) Secure access method and device, cloud terminal device and storage medium
CN115022039B (en) Information processing method, apparatus, device and storage medium

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination