CN116975810A - Identity verification method, device, electronic equipment and computer readable storage medium - Google Patents
- Publication number: CN116975810A
- Application number: CN202310123766.8A
- Authority: CN (China)
- Prior art keywords: identity, authentication, identity authentication, service, verification
- Legal status: Pending (the legal status is an assumption and is not a legal conclusion; Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed)
Classifications
- G06F21/31—User authentication (under G06F21/30—Authentication, i.e. establishing the identity or authorisation of security principals; G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity)
- G06F21/45—Structures or tools for the administration of authentication (under G06F21/30)
- H04L9/0819—Key transport or distribution, i.e. key establishment techniques where one party creates or otherwise obtains a secret value, and securely transfers it to the other(s) (under H04L9/0816—Key establishment; H04L9/08—Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords; H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols)
- H04L9/30—Public key, i.e. encryption algorithm being computationally infeasible to invert or user's encryption keys not requiring secrecy (under H04L9/00)
- H04L9/3247—Cryptographic mechanisms or arrangements including means for verifying the identity or authority of a user of the system or for message authentication, involving digital signatures (under H04L9/32—including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials)
Abstract
The embodiments of the application provide an identity verification method, an identity verification device, an electronic device and a computer readable storage medium. The method comprises the following steps: receiving identity data of a user and sending the identity data to an identity verification service on a blockchain network; acquiring, through the identity verification service, the access address of the identity authentication interface of an identity authentication source, calling that interface based on the access address, sending the identity data to the identity authentication source through the interface, receiving the identity verification result credential fed back by the identity authentication source, and verifying the signature of the credential with a signature verification public key; and receiving the identity verification result credential sent by the identity verification service. On the one hand, the authority and public trust of the identity verification are guaranteed; on the other hand, the user's private data is not disclosed to the verifier; in addition, every participant in the identity verification can verify the identity verification result credential with the signature verification public key, which completes the trust chain of the identity verification.
Description
Technical Field
The present application relates to the field of blockchain technologies, and in particular to an identity verification method, an identity verification device, an electronic device, and a computer readable storage medium.
Background
In digital business processes, user identity verification is a core link in guaranteeing business and data security. Identity verification methods can be roughly divided into: identity verification based on a shared key card (a shared secret), identity verification based on biometric features, and identity verification based on asymmetric keys.
Identity verification based on a shared key card offers lower security; in scenarios with higher security requirements, biometric identity verification such as face verification, or asymmetric-key identity verification such as that used in blockchain networks, is generally adopted. Face verification is the mainstream identity verification method of current business systems, but it is usually implemented on a centralized system and therefore lacks authority and public trust.
Disclosure of Invention
The application aims to solve at least one of the above technical defects. The technical solutions provided by the embodiments of the application are as follows:
In a first aspect, an embodiment of the present application provides an identity verification method, comprising:
receiving identity data of a user, and sending the identity data to an identity verification service on a blockchain network, wherein the identity data is encrypted with an encryption public key, and the encryption public key is published on the blockchain network by an identity authentication source;
acquiring, through the identity verification service, the access address of the identity authentication interface of the identity authentication source, calling the identity authentication interface based on the access address, sending the identity data to the identity authentication source through the identity authentication interface, receiving the identity verification result credential fed back by the identity authentication source, and verifying the signature of the identity verification result credential with a signature verification public key; wherein the access address and the signature verification public key are published on the blockchain network by the identity authentication source, the identity verification result credential comprises identity verification result information and signature information, the identity verification result information is obtained by the identity authentication source from the identity data using a first private key corresponding to the encryption public key, and the signature information is obtained by the identity authentication source using a second private key corresponding to the signature verification public key;
and receiving the identity verification result credential sent by the identity verification service, and obtaining the identity verification result of the user from the identity verification result information in the identity verification result credential.
In an optional embodiment of the application, the encryption public key, the access address and the signature verification public key are published on the blockchain network by the identity authentication source by registering a DID identifier of the identity authentication source with the distributed identity (DID) service in the blockchain network.
In an optional embodiment of the application, the method further comprises:
acquiring, from the DID service, a first DID document corresponding to the DID identifier of the identity authentication source;
and obtaining the signature verification public key from the first DID document, and verifying the signature of the identity verification result credential with that signature verification public key.
In an optional embodiment of the present application, the identity verification result credential is obtained by combining the identity verification result information with the signature information, the signature information being produced by signing the identity verification result information.
In an optional embodiment of the application, the method further comprises:
receiving business parameters corresponding to the user together with the identity data of the user;
and if the signature verification of the identity verification result credential passes and the identity verification result information indicates that the user has passed identity verification, performing business processing based on the business parameters to obtain a corresponding business processing result.
In an optional embodiment of the application, the method further comprises:
and feeding back the business processing result and the identity verification result credential to the user.
In a second aspect, an embodiment of the present application provides an identity verification method, comprising:
sending identity data to a business service on the blockchain network, the business service sending the identity data on to an identity verification service on the blockchain network, wherein the identity data is encrypted with an encryption public key, and the encryption public key is published on the blockchain network by an identity authentication source;
the identity verification service acquiring the access address of the identity authentication interface of the identity authentication source, calling the identity authentication interface based on the access address, sending the identity data to the identity authentication source through the identity authentication interface, receiving the identity verification result credential fed back by the identity authentication source, verifying the signature of the identity verification result credential with a signature verification public key, and sending the identity verification result credential to the business service; wherein the access address and the signature verification public key are published on the blockchain network by the identity authentication source, the identity verification result credential comprises identity verification result information and signature information, the identity verification result information is obtained by the identity authentication source from the identity data using a first private key corresponding to the encryption public key, and the signature information is obtained by the identity authentication source using a second private key corresponding to the signature verification public key;
and receiving the identity verification result credential sent by the business service, and obtaining the identity verification result of the user from the identity verification result information in the identity verification result credential.
In an optional embodiment of the application, the encryption public key, the access address and the signature verification public key are published on the blockchain network by the identity authentication source by registering a DID identifier of the identity authentication source with the distributed identity (DID) service in the blockchain network.
In an optional embodiment of the application, the method further comprises:
acquiring, from the DID service, a first DID document corresponding to the DID identifier of the identity authentication source;
and obtaining the encryption public key and the signature verification public key from the first DID document, and verifying the signature of the identity verification result credential with that signature verification public key.
In an optional embodiment of the application, the method further comprises:
registering a user DID identifier through the DID service, wherein a second DID document corresponding to the user DID identifier contains identity verification mode indication information of the user.
In a third aspect, an embodiment of the present application provides an identity verification device, comprising:
an identity data receiving module, for receiving identity data of a user and sending the identity data to an identity verification service on a blockchain network, wherein the identity data is encrypted with an encryption public key, and the encryption public key is published on the blockchain network by an identity authentication source;
a first identity verification result credential acquisition module, for acquiring, through the identity verification service, the access address of the identity authentication interface of the identity authentication source, calling the identity authentication interface based on the access address, sending the identity data to the identity authentication source through the identity authentication interface, receiving the identity verification result credential fed back by the identity authentication source, and verifying the signature of the identity verification result credential with a signature verification public key; wherein the access address and the signature verification public key are published on the blockchain network by the identity authentication source, the identity verification result credential comprises identity verification result information and signature information, the identity verification result information is obtained by the identity authentication source from the identity data using a first private key corresponding to the encryption public key, and the signature information is obtained by the identity authentication source using a second private key corresponding to the signature verification public key;
and a first identity verification result acquisition module, for receiving the identity verification result credential sent by the identity verification service and obtaining the identity verification result of the user from the identity verification result information in the identity verification result credential.
In an optional embodiment of the application, the encryption public key, the access address and the signature verification public key are published on the blockchain network by the identity authentication source by registering a DID identifier of the identity authentication source with the distributed identity (DID) service in the blockchain network.
In an optional embodiment of the application, the device further comprises a first signature verification module, for:
acquiring, from the DID service, a first DID document corresponding to the DID identifier of the identity authentication source;
and obtaining the signature verification public key from the first DID document, and verifying the signature of the identity verification result credential with that signature verification public key.
In an optional embodiment of the present application, the identity verification result credential is obtained by combining the identity verification result information with the signature information, the signature information being produced by signing the identity verification result information.
In an optional embodiment of the present application, the device further comprises a business processing module, configured to:
receive business parameters corresponding to the user together with the identity data of the user;
and, if the signature verification of the identity verification result credential passes and the identity verification result information indicates that the user has passed identity verification, perform business processing based on the business parameters to obtain a corresponding business processing result.
In an optional embodiment of the present application, the device further comprises an identity verification result credential forwarding module, configured to:
feed back the business processing result and the identity verification result credential to the user.
In a fourth aspect, an embodiment of the present application provides an identity verification device, comprising:
an identity data sending module, for sending identity data to a business service on the blockchain network, the business service sending the identity data on to an identity verification service on the blockchain network, wherein the identity data is encrypted with an encryption public key, and the encryption public key is published on the blockchain network by an identity authentication source;
a second identity verification result credential acquisition module, through which the identity verification service acquires the access address of the identity authentication interface of the identity authentication source, calls the identity authentication interface based on the access address, sends the identity data to the identity authentication source through the identity authentication interface, receives the identity verification result credential fed back by the identity authentication source, verifies the signature of the identity verification result credential with a signature verification public key, and sends the identity verification result credential to the business service; wherein the access address and the signature verification public key are published on the blockchain network by the identity authentication source, the identity verification result credential comprises identity verification result information and signature information, the identity verification result information is obtained by the identity authentication source from the identity data using a first private key corresponding to the encryption public key, and the signature information is obtained by the identity authentication source using a second private key corresponding to the signature verification public key;
and a second identity verification result acquisition module, for receiving the identity verification result credential sent by the business service and obtaining the identity verification result of the user from the identity verification result information in the identity verification result credential.
In an optional embodiment of the application, the encryption public key, the access address and the signature verification public key are published on the blockchain network by the identity authentication source by registering a DID identifier of the identity authentication source with the distributed identity (DID) service in the blockchain network.
In an optional embodiment of the application, the device further comprises a second signature verification module, for:
acquiring, from the DID service, a first DID document corresponding to the DID identifier of the identity authentication source;
and obtaining the encryption public key and the signature verification public key from the first DID document, and verifying the signature of the identity verification result credential with that signature verification public key.
In an optional embodiment of the present application, the device further comprises a user DID identifier registration module, for:
registering a user DID identifier through the DID service, wherein a second DID document corresponding to the user DID identifier contains identity verification mode indication information of the user.
In a fifth aspect, an embodiment of the present application provides an electronic device, comprising a memory and a processor;
the memory having a computer program stored therein;
the processor being configured to execute the computer program to implement the method provided in the first aspect, the second aspect, any optional embodiment of the first aspect or any optional embodiment of the second aspect.
In a sixth aspect, embodiments of the present application provide a computer readable storage medium having a computer program stored thereon which, when executed by a processor, implements the method provided in the first aspect, the second aspect, any optional embodiment of the first aspect or any optional embodiment of the second aspect.
In a seventh aspect, embodiments of the present application provide a computer program product comprising a computer program which, when executed by a processor, implements the method provided in the first aspect, the second aspect, any optional embodiment of the first aspect or any optional embodiment of the second aspect.
The technical solutions provided by the embodiments of the application have the following beneficial effects:
The user first encrypts the identity data with the encryption public key that the identity authentication source published on the blockchain network, then sends the encrypted identity data to a business service on the blockchain. The business service passes the encrypted identity data to the identity verification service. The identity verification service calls the identity authentication interface using the access address that the identity authentication source published on the blockchain network, and sends the encrypted identity data to the identity authentication source through that interface. The identity authentication source decrypts and verifies the encrypted identity data, produces the corresponding identity verification result credential, and feeds it back to the identity verification service through the identity authentication interface. The identity verification service verifies the signature of the credential with the signature verification public key that the identity authentication source published on the blockchain network, and sends the credential to the business service, which in turn sends it to the user, so that the user obtains the corresponding identity verification result from the identity verification result information contained in the credential.
In this scheme, on the one hand, the business service, the identity verification service and the other components used in the identity verification process are deployed on the blockchain network, which guarantees the authority and public trust of the identity verification; on the other hand, the encryption public key, the signature verification public key and the other published data are issued on the blockchain network by the identity authentication source, so that the user can encrypt the identity data and the user's private data is not disclosed to the verifier; in addition, every participant in the identity verification can verify the identity verification result credential with the signature verification public key, which completes the trust chain of the identity verification.
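The flow described above, as an added example that is not part of the patent and not code from its applicant: a Go program (the standard library supplies RSA-OAEP and Ed25519, so it runs offline) in which a map stands in for the on-chain DID service, a second map keyed by access address stands in for the network call to the identity authentication interface, an RSA key pair and an Ed25519 key pair play the patent's first (decryption) and second (signing) private keys, and a string attribute compared against a constructed enrolment record stands in for the face-matching step. The DID document layout, the DID string, the endpoint URL, the user identifier and the enrolment record are all assumptions.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/json"
	"fmt"
)

// DIDDocument is what the source publishes on the on-chain DID service (layout assumed; the patent fixes no format).
type DIDDocument struct {
	EncryptionKey   *rsa.PublicKey    // users encrypt identity data to this key
	VerificationKey ed25519.PublicKey // anyone checks credential signatures with it
	ServiceEndpoint string            // access address of the authentication interface
}

// AuthSource holds the first (decryption) and second (signing) private keys.
type AuthSource struct {
	did      string
	encPriv  *rsa.PrivateKey
	sigPriv  ed25519.PrivateKey
	enrolled map[string]string // constructed enrolment records: user id -> attribute
}

// ResultInfo is the result information; Credential is its JSON plus the signature.
type ResultInfo struct {
	Source string `json:"source"`
	UserID string `json:"user_id"`
	Passed bool   `json:"passed"`
}
type Credential struct{ Result, Signature []byte }

func NewAuthSource(did string, enrolled map[string]string) (*AuthSource, DIDDocument, error) {
	encPriv, err := rsa.GenerateKey(rand.Reader, 2048)
	sigPub, sigPriv, err2 := ed25519.GenerateKey(rand.Reader)
	if err != nil || err2 != nil {
		return nil, DIDDocument{}, fmt.Errorf("key generation failed")
	}
	doc := DIDDocument{&encPriv.PublicKey, sigPub, "https://authsource.example/verify"} // assumed address
	return &AuthSource{did, encPriv, sigPriv, enrolled}, doc, nil
}

// Verify is the identity authentication interface: decrypt with the first private key, compare
// with the enrolled record, sign with the second. A mismatch yields a signed negative result.
func (s *AuthSource) Verify(ciphertext []byte) (Credential, error) {
	id := map[string]string{}
	plain, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, s.encPriv, ciphertext, nil)
	if err == nil {
		err = json.Unmarshal(plain, &id)
	}
	if err != nil {
		return Credential{}, err
	}
	want := s.enrolled[id["user_id"]]
	res, _ := json.Marshal(ResultInfo{s.did, id["user_id"], want != "" && want == id["attribute"]})
	return Credential{res, ed25519.Sign(s.sigPriv, res)}, nil
}

// EncryptIdentity is the user's step; the business and verification services only relay the ciphertext.
func EncryptIdentity(doc DIDDocument, userID, attribute string) ([]byte, error) {
	plain, _ := json.Marshal(map[string]string{"user_id": userID, "attribute": attribute})
	return rsa.EncryptOAEP(sha256.New(), rand.Reader, doc.EncryptionKey, plain, nil)
}

// CheckCredential is the step every participant repeats: resolve the DID document, verify the
// signature with the published key, and confirm the signed result names the expected source.
func CheckCredential(reg map[string]DIDDocument, sourceDID string, c Credential) (ResultInfo, error) {
	doc, ok := reg[sourceDID]
	if !ok || !ed25519.Verify(doc.VerificationKey, c.Result, c.Signature) {
		return ResultInfo{}, fmt.Errorf("no DID document for %q or bad signature", sourceDID)
	}
	var info ResultInfo
	if err := json.Unmarshal(c.Result, &info); err != nil || info.Source != sourceDID {
		return ResultInfo{}, fmt.Errorf("malformed credential or wrong source")
	}
	return info, nil
}

// VerificationService resolves the access address from the DID document, calls the interface
// (the net map stands in for the network call) and checks the signature before passing it on.
func VerificationService(reg map[string]DIDDocument, net map[string]*AuthSource, sourceDID string, ct []byte) (Credential, ResultInfo, error) {
	src, ok := net[reg[sourceDID].ServiceEndpoint]
	if !ok {
		return Credential{}, ResultInfo{}, fmt.Errorf("no authentication interface for %q", sourceDID)
	}
	cred, err := src.Verify(ct)
	if err != nil {
		return Credential{}, ResultInfo{}, err
	}
	info, err := CheckCredential(reg, sourceDID, cred)
	return cred, info, err
}

func main() {
	src, doc, _ := NewAuthSource("did:example:authsource", map[string]string{"u-1001": "face-template-7f3a"})
	ct, _ := EncryptIdentity(doc, "u-1001", "face-template-7f3a")
	_, info, err := VerificationService(map[string]DIDDocument{src.did: doc}, map[string]*AuthSource{doc.ServiceEndpoint: src}, src.did, ct)
	fmt.Println("passed:", info.Passed, "error:", err)
}
```

Two points a practitioner should check before reusing this shape. First, RSA-OAEP with a 2048-bit key caps the plaintext near 190 bytes, so real identity payloads (a face image or template) need hybrid encryption, a symmetric key wrapped with the published key; the signature part is unaffected. Second, the signed result information in this example carries no nonce, timestamp or business transaction identifier, so a valid credential replayed for a later request would still verify; binding the credential to the request (for instance by including a challenge issued by the business service in the signed bytes) is the usual fix and is not something the signature check alone provides.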
Drawings
In order to more clearly illustrate the technical solutions in the embodiments of the present application, the drawings that are required to be used in the description of the embodiments of the present application will be briefly described below.
FIG. 1 is a diagram of the system architecture on which an identity verification method according to an embodiment of the present application is implemented;
FIG. 2 is a schematic diagram of an optional architecture of a distributed system applied to a blockchain system according to an embodiment of the present application;
FIG. 3 is a schematic diagram of an optional block structure according to an embodiment of the present application;
FIG. 4 is a schematic flow chart of an identity verification method according to an embodiment of the present application;
FIG. 5 is a protocol layer architecture diagram of a face verification scheme based on distributed identity in one example of an embodiment of the present application;
FIG. 6 is a flowchart of another identity verification method according to an embodiment of the present application;
FIG. 7 is an overall architecture diagram of a face verification scheme based on distributed identity in one example of an embodiment of the present application;
FIG. 8 is an interaction sequence diagram of the components in a face verification scheme based on distributed identity in one example of an embodiment of the present application;
FIG. 9 is a block diagram of an identity verification device according to an embodiment of the present application;
FIG. 10 is a block diagram of another identity verification device according to an embodiment of the present application;
FIG. 11 is a schematic structural diagram of an electronic device according to an embodiment of the present application.
Detailed Description
Embodiments of the present application are described below with reference to the drawings in the present application. It should be understood that the embodiments described below with reference to the drawings are exemplary descriptions for explaining the technical solutions of the embodiments of the present application, and the technical solutions of the embodiments of the present application are not limited.
As used herein, the singular forms "a", "an" and "the" are intended to include the plural forms as well, unless expressly stated otherwise, as understood by those skilled in the art. It will be further understood that the terms "comprises" and "comprising", when used in this specification, specify the presence of stated features, information, data, steps, operations, elements and/or components, but do not preclude the presence or addition of other features, information, data, steps, operations, elements, components and/or groups thereof, all of which may be included in the present specification. It will be understood that when an element is referred to as being "connected" or "coupled" to another element, it can be directly connected or coupled to the other element, or intervening elements may be present. Further, "connected" or "coupled" as used herein may include wirelessly connected or wirelessly coupled. The term "and/or" as used herein indicates at least one of the items joined by the term; e.g., "A and/or B" may be implemented as "A", or as "B", or as "A and B".
For the purpose of making the objects, technical solutions and advantages of the present application more apparent, the embodiments of the present application will be described in further detail with reference to the accompanying drawings.
Fig. 1 is a system architecture diagram on which an embodiment of the identity verification method according to the present application depends. As shown in fig. 1, the system may include: an identity holder (i.e. the user) 101, a business service (or business contract) 102, an identity verification service (or identity verification contract) 103, and an identity authentication source 104. The identity holder 101 is a user who needs to transact business through the business service 102; the business service 102 is provided by a verifier, and before the business is processed the verifier needs to perform identity verification on the identity holder. Both the business service 102 and the identity verification service 103 are located on the blockchain network. The business service 102 may be a service for business processing set up by the verifier, and the identity verification service 103 may be provided by the identity authentication source 104. The identity authentication source 104 is an authority trusted by both the verifier and the identity holder 101, and the identity holder 101 enrolls its identity information with the identity authentication source 104 in advance.
Specifically, when the identity holder 101 needs to transact a digital service through the business service 102, in order to guarantee business security and data security the verifier providing the business service 102 needs to verify the identity holder 101 through the identity verification service 103 provided by the identity authentication source, and only after the identity verification has passed does the business service 102 process the related digital service. This process is described in further detail below.
The blockchain network in the embodiment of the present application may be a distributed system formed by a client and a plurality of nodes (computing devices of any form in the access network, such as servers and user terminals) connected through network communication.
Referring to fig. 2, fig. 2 is an optional structural schematic diagram of a distributed system 100 applied to a blockchain system according to an embodiment of the present application. The distributed system is formed by a plurality of nodes (computing devices of any form in the access network, such as servers and user terminals) and clients; a peer-to-peer (P2P) network is formed between the nodes, and the P2P protocol is an application layer protocol running on top of the Transmission Control Protocol (TCP). In the distributed system, any machine, such as a server or a terminal, may join to become a node; a node includes a hardware layer, an intermediate layer, an operating system layer and an application layer.
Referring to the functionality of each node in the blockchain system shown in fig. 2, the functions involved include:
1) Routing: a basic function by which the node supports communication between nodes.
Besides the routing function, the node can also have the following functions:
2) Application: deployed in the blockchain to realize a specific service according to actual service requirements; it records data related to the realized function to form record data, carries a digital signature in the record data to represent the source of the task data, and sends the record data to other nodes in the blockchain system, which add the record data to a temporary block once they have verified the source and integrity of the record data.
For example, the services implemented by the application include:
2.1 Wallet: provides electronic money transactions, including initiating a transaction (i.e., sending a transaction record of the current transaction to other nodes in the blockchain system; the other nodes, after successful verification, store the record data of the transaction in a temporary block of the blockchain as acknowledgement that the transaction is valid); of course, the wallet also supports querying the remaining electronic money at the electronic money address.
2.2 Shared ledger: provides functions such as storing, querying and modifying account data, and sends record data of operations on the account data to other nodes in the blockchain system; the other nodes, after verifying that it is valid, store the record data in a temporary block as acknowledgement that the account data is valid, and may also send a confirmation to the node that initiated the operation.
2.3 Smart contract: a computerized agreement that can execute the terms of a contract, implemented by code deployed on the shared ledger that executes when certain conditions are met, for completing automated transactions according to actual business demand; for example, querying the logistics status of goods purchased by a buyer and transferring the buyer's electronic money to the merchant's address after the buyer signs for the goods. Of course, the smart contract is not limited to executing contracts for transactions and may also execute a contract that processes received information.
3) Blockchain: comprises a series of blocks connected to each other in the chronological order of their generation; new blocks are not removed once added to the blockchain, and record data submitted by nodes in the blockchain system are recorded in the blocks.
Referring to fig. 3, fig. 3 is an optional block structure provided in an embodiment of the present application, where each block includes a hash value of the transaction records stored in the block (the hash value of the block) and the hash value of the previous block, and the blocks are linked by these hash values to form a blockchain. In addition, a block may include information such as a timestamp of the time of block generation. The blockchain, which is essentially a decentralized database, is a string of data blocks generated in association using cryptographic methods, each of which contains information used to verify the validity (anti-counterfeiting) of its content and to generate the next block.
Fig. 4 is a schematic flow chart of an authentication method provided by an embodiment of the present application, where the execution body of the method may be the business service in fig. 1. As shown in fig. 4, the method may include:
Step S401, receiving identity data of a user, and sending the identity data to an identity verification service on a blockchain network; the identity data is encrypted by an encryption public key which is issued on the blockchain network by an identity authentication source.
The identity data of the user may include identity information and biometric information of the user; further, the identity information may be identity card information, a name, etc., and the biometric information may be fingerprint information, iris information, face information, etc.
It should be noted that, in the following description of the embodiment of the present application, the scheme will be described by taking face verification as the authentication mode as an example; correspondingly, the biometric information is the corresponding face verification information, or specifically face information. However, it can be understood that the authentication method in the scheme of the application is not limited to face verification and may be another authentication method based on other biometric information.
In addition, before the user transacts the business, the user performs identity backup (or endorsement of identity) in a corresponding form in the identity authentication source, that is, the identity authentication source stores the real identity data of the user, and the real identity data is used for subsequent identity authentication.
In order to ensure that the identity data provided by the user is not acquired by the verifier providing the business service, the identity authentication source can issue a corresponding encryption public key on the blockchain network so that the user can encrypt the identity data with it. It can be understood that the user's identity data encrypted with the encryption public key can only be decrypted by the identity authentication source with the corresponding private key, which then obtains the content of the identity data for identity authentication.
Specifically, when or before handling the service, the user may acquire the encryption public key issued by the identity authentication source from the blockchain network, then encrypt the identity data required by the service using the acquired encryption public key, and send the service parameters and the encrypted identity data to the business service. After the business service receives the business parameters and the encrypted identity data, the user needs to be authenticated before business processing. Specifically, the business service sends the encrypted identity data to the authentication service on the blockchain network to complete the subsequent authentication.
Step S402, an access address of an identity authentication interface of an identity authentication source is obtained through an identity authentication service, the identity authentication interface of the identity authentication source is called based on the access address, the identity data is sent to the identity authentication source through the identity authentication interface, an identity authentication result credential fed back by the identity authentication source is received, and the signature of the identity authentication result credential is verified based on a signature verification public key; the access address and the signature verification public key are issued on the blockchain network by the identity authentication source, the identity authentication result credential contains identity authentication result information and signature information, the identity authentication result information is obtained by the identity authentication source based on the identity data and a first private key corresponding to the encryption public key, and the signature information is obtained by the identity authentication source based on a second private key corresponding to the signature verification public key.
The identity authentication source has identity authentication capability and exposes it through the identity authentication interface. In order to enable the identity authentication service to use this capability, the identity authentication source issues the access address of the identity authentication interface on the blockchain network, so that the identity authentication service can call the identity authentication interface based on the access address after acquiring the access address from the blockchain network.
After the authentication based on the identity data is completed, the authentication source generates a corresponding authentication result credential, which may also be referred to as an authentication result VC (Verifiable Credential, a verifiable digital credential), where the authentication result VC includes at least authentication result information and corresponding signature information in different fields. The signature information is obtained by the identity authentication source through a digital signature with the corresponding private key, and it is used by the user, the business service and the identity authentication service to verify the signature and determine that the identity authentication result VC was issued by the identity authentication source. The authentication source may publish the signature verification public key on the blockchain network for the user, the business service, and the authentication service to obtain.
Specifically, before invoking the identity authentication interface of the identity authentication source, the identity authentication service obtains the access address of the identity authentication interface and the signature verification public key in advance from the blockchain network. After receiving the encrypted identity data sent by the business service, the identity verification service calls the identity authentication interface of the identity authentication source through the access address, and sends the encrypted identity data to the identity authentication source through the identity authentication interface. The identity authentication source decrypts the encrypted identity data with the first private key corresponding to the encryption public key to obtain the identity information and the face verification information therein, verifies the identity information and the face verification information, and obtains the verification result information (the verification result information can be verification passed or not passed). The identity authentication source generates a corresponding credential based on the identity authentication result and a corresponding credential generation mode, then digitally signs the generated credential with the second private key corresponding to the signature verification public key to obtain the identity authentication result VC, and feeds the identity authentication result VC back to the identity authentication service. The authentication service verifies the signature of the authentication result VC with the signature verification public key, that is, it verifies the signature information with the signature verification public key.
It should be noted that the first private key and the second private key of the identity authentication source may be the same or different, and it is understood that the security is higher when the first private key and the second private key are different.
In addition, the signature verification public key issued by the identity authentication source on the blockchain can also be acquired by the user and the business service, so that the user and the business service can also verify the signature of the identity authentication result VC after receiving it.
Step S403, receiving an authentication result VC sent by the authentication service, and obtaining an authentication result of the user based on the authentication result information in the authentication result VC.
Specifically, after receiving the authentication result VC sent by the authentication service, the service may read the authentication result information contained in the corresponding field, thereby obtaining the authentication result of the user.
According to the scheme provided by the application, the user first encrypts the identity data with the encryption public key issued by the identity authentication source and acquired from the blockchain network, then sends the encrypted identity data to the business service on the blockchain. The business service sends the encrypted identity data to the identity authentication service. The identity authentication service invokes the identity authentication interface using the access address issued by the identity authentication source and acquired from the blockchain network, and sends the encrypted identity data to the identity authentication source through that interface. The identity authentication source decrypts and verifies the encrypted identity data, obtains the corresponding identity authentication result VC, and feeds it back to the identity authentication service through the identity authentication interface. The identity authentication service verifies the signature of the identity authentication result VC with the signature verification public key issued by the identity authentication source and acquired from the blockchain network, and sends the identity authentication result VC to the business service, so that the business service can obtain the corresponding identity authentication result from the identity authentication result information contained in the VC.
In the scheme, on one hand, the business service, the identity verification service and the like used in the identity verification process are deployed on the blockchain network, which ensures the authority and public credibility of the identity verification; on the other hand, the encryption public key, the signature verification public key and the like are issued on the blockchain network by the identity verification source so that the user can encrypt the user data, which prevents the user's private data from being disclosed to the verifier, and at the same time each participant in the identity verification can verify the identity verification result VC with the signature verification public key, which completes the trust chain of the identity verification.
In an alternative embodiment of the application, the encryption public key, the access address, and the signature verification public key are published by the identity authentication source on the blockchain network by registering the identity authentication source DID identifier on a distributed identity (DID) service in the blockchain network.
Specifically, as shown in fig. 5, the embodiment of the present application may build the face verification logic on the Decentralized Identifiers (DID) protocol (or specification) of the W3C (World Wide Web Consortium); that is, the operations by which the authentication source issues the encryption public key, the access address, and the signature verification public key may be implemented by the corresponding DID service. Specifically, a trust chain between the identity holder, the verifier and the identity authentication source is established through the interaction capability of the DID protocol, and the user privacy protection mechanism of the DID protocol ensures that user privacy is not disclosed during the identity authentication process. The DID-based face verification scheme comprises two parts in its protocol design: the identity authentication source DID identifier and the user DID identifier, and the face verification result VC (corresponding to the identity verification result VC). These two aspects are described in detail below.
According to the W3C DID protocol, a DID identifier is an irreversible string identifier that contains no identity information and cannot be correlated; for example, a DID identifier may be expressed as: did tdid cm783g1 0xd4d131ce58fbe372ce9a6b11f8d3d75b53ffbd62. A DID document in json format can be resolved from the DID identifier; the DID document contains the authentication and access modes of the identifier, and metadata for identity interaction specified by the protocol, such as transport encryption. The metadata related to the identity authentication source DID identifier and the user DID identifier is described below:
1. Identity authentication source DID identifier
The identity authentication source, as a recognized authority, registers and publishes its DID identifier on the blockchain through the DID service, and the identity authentication source DID identifier must be publicly declared and authoritatively published. During the face verification process the identity holder and the verifier can query on the chain whether the DID identifier of the identity authentication source is legitimate and resolve the corresponding DID document. The following is an exemplary description of the key fields of the DID document metadata of the identity authentication source:
The keyAgreement field: the encryption public key (several public keys are supported) that the identity authentication source discloses externally for encrypting identity data. The identity holder encrypts its own identity data with the encryption public key disclosed in this field, so that the verifier (namely the business service) cannot obtain the user's original identity data after receiving the encrypted user data, which prevents private information from being disclosed to the verifier. The identity authentication source can decrypt the original identity data of the user with the private key it holds corresponding to the encryption public key in order to verify the identity data.
The service field: the access address of the identity authentication interface that the identity authentication source discloses externally. The face verification contract (corresponding to the identity verification service) obtains the face verification result by calling the face verification interface (corresponding to the identity verification interface) of the identity authentication source at this access address.
The verificationMethod field: the signature verification public key that the identity authentication source discloses externally for the identity authentication result VC. The embodiment of the application expresses the verification result of the identity authentication source as a VC of the DID protocol, and the identity holder or the verifier can check with this signature verification public key whether the identity authentication result VC was issued by the identity authentication source.
2. User DID identifier
The user registers and publishes its DID identifier on the blockchain through the DID service, and the verifier and the identity authentication source can query the user's DID document on the chain, so that the user's on-chain account identity is identified on the basis of the face verification. In the embodiment of the application, different blockchain networks can use their own account systems to identify user accounts, such as user certificates in the consortium chain Fabric and user account addresses in the public chain Ethereum. If the verifier is a DID-based service system, the user account is also identified by the DID, which is an ideal technical fusion scheme. The user DID identifier not only identifies the user's on-chain account but also has stronger protocol operation capability. For example, the verificationMethod field in the DID specification (typically a public key used to authenticate the identity) is an extensible authentication method. In the scenario of the embodiment of the application, the user identity verification method in the verificationMethod field can be defined as the face verification type, and the specific identity verification method is disclosed through a URI (Uniform Resource Identifier), so that the verifier knows whether the user allows identity verification and how to verify the identity using face verification.
3. Face verification result VC
A verifiable credential (VC) is a credential defined in the DID specification; the credential issued by the credential issuer contains a claim field for the content it issues, and the credential is represented as a json document and digitally signed by the credential issuer with its private key. A verifier can read the claim content of the VC and verify the credential, confirming that it was issued by the designated issuer and that it is tamper-proof and non-repudiable. The embodiment of the application expresses the evidence of the face verification result returned by the identity authentication source as a VC, with the face verification result issued in the claim content of the credential, so that both the face verification contract (corresponding to the identity authentication service) and the identity holder can verify the authority of the identity authentication result. The following explains each field in an example identity authentication result VC:
The credentialSubject field: the claim field of the face verification result VC, which contains at least the user identifier and the verification result. Claims are an extensible field, and other relevant fields of authentication information can be added according to the service scenario.
The expirationDate field: the expiration time of the credential, which limits the validity of the face verification result to a specified time period.
The issuer field: the DID identifier of the credential issuer, i.e., the DID identifier of the identity authentication source. This field identifies which authentication source issued the face verification result.
The signatureValue field: the credential issuer's signature over the content with its private key. The verifying party uses the signature verification public key disclosed in the verificationMethod field of the DID document of the issuer field to verify the digital signature value in this field, and thereby checks whether the face verification result VC was issued by the corresponding authoritative authentication source.
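The flow of steps S401 to S403 and the VC fields just described, as an added Go example that is not part of the patent or of any implementation of it: it models the source's DID document (keyAgreement, service, verificationMethod), the holder's encryption of identity data, the source's decryption, comparison against the backed-up identity and signing with a separate second private key, and the issuer, signature and expiry checks that every verifying party runs before reading the result. The in-memory registry standing in for the on-chain DID service, RSA-OAEP and Ed25519 as the concrete algorithms, the Go struct shapes, and all sample identifiers and identity data are assumptions.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/json"
	"errors"
	"time"
)

// IdentityData is what the holder submits; FaceHash stands in for the face template.
type IdentityData struct{ UserDID, IDCard, Name, FaceHash string }

// SourceDIDDocument holds the three DID document fields named on the page (Go shape assumed).
type SourceDIDDocument struct {
	KeyAgreement       *rsa.PublicKey    // encryption public key for identity data
	ServiceEndpoint    string            // access address of the authentication interface
	VerificationMethod ed25519.PublicKey // public key for checking the result VC
}

// Registry stands in for the on-chain DID service: DID identifier -> DID document.
type Registry map[string]*SourceDIDDocument
// Claims is the credentialSubject: at least the user identifier and the result.
type Claims struct{ ID, Result string }

// ResultVC carries the result VC fields described on the page.
type ResultVC struct {
	CredentialSubject Claims `json:"credentialSubject"`
	ExpirationDate    string `json:"expirationDate"`
	Issuer            string `json:"issuer"`
	SignatureValue    []byte `json:"signatureValue,omitempty"`
}

// signingInput is the credential without signatureValue; encoding/json marshals this struct deterministically and without error.
func (vc ResultVC) signingInput() []byte {
	vc.SignatureValue = nil
	b, _ := json.Marshal(vc)
	return b
}

// AuthSource keeps two distinct private keys, as the text recommends: one to decrypt identity data, one to sign.
type AuthSource struct {
	DID     string
	encPriv *rsa.PrivateKey
	sigPriv ed25519.PrivateKey
	Backup  map[string]IdentityData // identity data users backed up in advance
}

// NewAuthSource generates both key pairs and publishes the DID document, the "issue on the blockchain" step.
func NewAuthSource(did, endpoint string, reg Registry) (*AuthSource, error) {
	encPriv, err1 := rsa.GenerateKey(rand.Reader, 2048)
	sigPub, sigPriv, err2 := ed25519.GenerateKey(rand.Reader)
	if err1 != nil || err2 != nil {
		return nil, errors.New("key generation failed")
	}
	reg[did] = &SourceDIDDocument{KeyAgreement: &encPriv.PublicKey, ServiceEndpoint: endpoint, VerificationMethod: sigPub}
	return &AuthSource{DID: did, encPriv: encPriv, sigPriv: sigPriv, Backup: map[string]IdentityData{}}, nil
}

// EncryptIdentity is the holder's step: encrypt under keyAgreement so the forwarding business service never sees plaintext.
func EncryptIdentity(doc *SourceDIDDocument, data IdentityData) ([]byte, error) {
	plain, _ := json.Marshal(data) // a struct of strings cannot fail to marshal
	return rsa.EncryptOAEP(sha256.New(), rand.Reader, doc.KeyAgreement, plain, nil)
}

// Authenticate models the authentication interface: decrypt with the first key, compare, sign the VC with the second.
func (s *AuthSource) Authenticate(ciphertext []byte, now time.Time) (ResultVC, error) {
	plain, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, s.encPriv, ciphertext, nil)
	if err != nil {
		return ResultVC{}, err
	}
	var got IdentityData
	if err := json.Unmarshal(plain, &got); err != nil {
		return ResultVC{}, err
	}
	vc := ResultVC{CredentialSubject: Claims{ID: got.UserDID, Result: "fail"}, Issuer: s.DID,
		ExpirationDate: now.Add(10 * time.Minute).UTC().Format(time.RFC3339)}
	if want, ok := s.Backup[got.UserDID]; ok && want == got {
		vc.CredentialSubject.Result = "pass"
	}
	vc.SignatureValue = ed25519.Sign(s.sigPriv, vc.signingInput())
	return vc, nil
}

// VerifyResultVC: resolve the issuer DID, check signatureValue under its verificationMethod, reject expiry, then read the result.
func VerifyResultVC(vc ResultVC, reg Registry, now time.Time) (bool, error) {
	doc, ok := reg[vc.Issuer]
	if !ok {
		return false, errors.New("issuer DID not found in DID service")
	}
	if !ed25519.Verify(doc.VerificationMethod, vc.signingInput(), vc.SignatureValue) {
		return false, errors.New("signatureValue does not verify under issuer verificationMethod")
	}
	exp, err := time.Parse(time.RFC3339, vc.ExpirationDate)
	if err != nil || !now.Before(exp) {
		return false, errors.New("credential expired or expirationDate malformed")
	}
	return vc.CredentialSubject.Result == "pass", nil
}
```

A tampered credentialSubject, an unknown issuer and a stale expirationDate are each rejected before the result field is consulted, while a mismatched biometric yields a validly signed "fail" credential rather than an error.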
In an alternative embodiment of the present application, the method may further comprise:
acquiring a first DID document corresponding to an identity authentication source DID identifier from a DID service;
and acquiring a signature verification public key based on the first DID document, and carrying out signature verification on the identity verification result VC based on the signature verification public key.
Specifically, the service may obtain a first DID document of the identity authentication source from a DID service on the network of the blockchain, obtain a signature verification public key by parsing a corresponding field of the first DID document, and perform signature verification on the identity verification result VC after obtaining the identity verification result VC.
In an alternative embodiment of the application, the authentication result VC is obtained by the DID service by combining the content issued based on the authentication result information with the signature information.
Specifically, after the authentication source obtains the authentication result information, it can send the authentication result information to the DID service; the DID service generates the corresponding content based on the received authentication result information and the DID specification and feeds the content back to the authentication source, and the authentication source obtains the corresponding authentication result VC after digitally signing the content.
It should be noted that the whole process of obtaining the authentication result VC may also be completed by the authentication source itself, that is, the content otherwise generated by the DID service may instead be generated by the authentication source according to the DID specification.
In an alternative embodiment of the present application, the method may further comprise:
receiving the service parameters corresponding to the user while receiving the identity data of the user;
and if the authentication result VC passes the authentication and the authentication result information indicates that the authentication of the user passes, performing service processing based on the service parameters to obtain a corresponding service processing result.
Specifically, after confirming that the authentication of the user is passed, the service continues to perform service processing based on the service parameters.
In an alternative embodiment of the present application, the method may further comprise:
and feeding back a service processing result and an identity verification result VC to the user.
Specifically, after the service completes identity verification and service processing, the service processing result and the identity verification result VC can be fed back to the user, and the user can also verify the received identity verification result VC based on the verification public key.
Fig. 6 is a schematic flow chart of an authentication method provided in an embodiment of the present application, where an execution subject of the method may be the identity holder in fig. 1, as shown in fig. 6, and the method may include:
Step S601, sending the identity data to a service on a blockchain network, and sending the identity data to an identity verification service on the blockchain network through the service; the identity data is encrypted by an encryption public key which is issued on the blockchain network by an identity authentication source.
The identity data of the user may include identity information and biometric information of the user; further, the identity information may be identity card information, a name, etc., and the biometric information may be fingerprint information, iris information, face information, etc.
It should be noted that, in the following description of the embodiment of the present application, the scheme will be described by taking face verification as the authentication mode as an example; correspondingly, the biometric information is the corresponding face verification information, or specifically face information. However, it can be understood that the authentication method in the scheme of the application is not limited to face verification and may be another authentication method based on other biometric information.
In addition, before the user transacts the business, the user performs identity backup (or endorsement of identity) in a corresponding form in the identity authentication source, that is, the identity authentication source stores the real identity data of the user, and the real identity data is used for subsequent identity authentication.
In order to ensure that the identity data provided by the user is not acquired by the verifier providing the business service, the identity authentication source can issue a corresponding encryption public key on the blockchain network so that the user can encrypt the identity data with it. It can be understood that the user's identity data encrypted with the encryption public key can only be decrypted by the identity authentication source with the corresponding private key, which then obtains the content of the identity data for identity authentication.
Specifically, when or before handling the service, the user may acquire the encryption public key issued by the identity authentication source from the blockchain network, then encrypt the identity data required by the service using the acquired encryption public key, and send the service parameters and the encrypted identity data to the business service. After the business service receives the business parameters and the encrypted identity data, the user needs to be authenticated before business processing. Specifically, the business service sends the encrypted identity data to the authentication service on the blockchain network to complete the subsequent authentication.
Step S602, an access address of an identity authentication interface of an identity authentication source is obtained through an identity authentication service, the identity authentication interface of the identity authentication source is called based on the access address, the identity data is sent to the identity authentication source through the identity authentication interface, an identity authentication result credential VC fed back by the identity authentication source is received, the signature of the identity authentication result VC is verified based on a signature verification public key, and the identity authentication result VC is sent to the business service; the access address and the signature verification public key are issued on the blockchain network by the identity authentication source, the identity authentication result VC comprises identity authentication result information and signature information, the identity authentication result information is obtained by the identity authentication source based on the identity data and a first private key corresponding to the encryption public key, and the signature information is obtained by the identity authentication source based on a second private key corresponding to the signature verification public key.
The identity authentication source has identity authentication capability and exposes it through the identity authentication interface. In order to enable the identity authentication service to use this capability, the identity authentication source issues the access address of the identity authentication interface on the blockchain network, so that the identity authentication service can call the identity authentication interface based on the access address after acquiring the access address from the blockchain network.
After the authentication based on the identity data is completed, the authentication source generates a corresponding authentication result credential, which may also be referred to as an authentication result VC (Verifiable Credential, a verifiable digital credential), where the authentication result VC includes at least authentication result information and corresponding signature information in different fields. The signature information is obtained by the identity authentication source through a digital signature with the corresponding private key, and it is used by the user, the business service and the identity authentication service to verify the signature and determine that the identity authentication result VC was issued by the identity authentication source. The authentication source may publish the signature verification public key on the blockchain network for the user, the business service, and the authentication service to obtain.
Specifically, before invoking the identity authentication interface of the identity authentication source, the identity authentication service obtains the access address of the identity authentication interface and the signature verification public key in advance from the blockchain network. After receiving the encrypted identity data sent by the business service, the identity verification service calls the identity authentication interface of the identity authentication source through the access address, and sends the encrypted identity data to the identity authentication source through the identity authentication interface. The identity authentication source decrypts the encrypted identity data with the first private key corresponding to the encryption public key to obtain the identity information and the face verification information therein, verifies the identity information and the face verification information, and obtains the verification result information (the verification result information can be verification passed or not passed). The identity authentication source generates a corresponding credential based on the identity authentication result and a corresponding credential generation mode, then digitally signs the generated credential with the second private key corresponding to the signature verification public key to obtain the identity authentication result VC, and feeds the identity authentication result VC back to the identity authentication service. The authentication service verifies the signature of the authentication result VC with the signature verification public key, that is, it verifies the signature information with the signature verification public key. The authentication service then sends the authentication result VC to the business service.
It should be noted that the first private key and the second private key of the identity authentication source may be the same or different, and it is understood that the security is higher when the first private key and the second private key are different.
In addition, the public key for signing verification issued by the identity authentication source on the blockchain can also be acquired by the user and the business service, so that the user and the business service can also sign the identity authentication result VC after receiving the identity authentication result VC.
Step S603, receiving an authentication result VC sent by the service, and obtaining an authentication result of the user based on the authentication result information in the authentication result VC.
Specifically, after receiving the authentication result VC sent by the service, the identity holder may obtain authentication result information from the relevant field of the authentication result VC, and obtain an authentication result according to the authentication result information, and at the same time, the identity holder may perform a signature verification on the authentication result VC according to the signature verification public key obtained on the blockchain network.
According to the scheme provided by the application, a user firstly encrypts the identity data by using an encryption public key issued by an identity authentication source acquired on a blockchain network, then sends the encrypted identity data to a service on the blockchain, the service sends the encrypted identity data to an identity authentication service, the identity authentication service invokes an identity authentication interface by using an access address issued by the identity authentication source acquired on the blockchain network, and sends the encrypted identity data to the identity authentication source through the identity authentication interface, the identity authentication source decrypts and verifies the encrypted identity data, and acquires a corresponding identity authentication result VC, and feeds back the identity authentication result VC to the identity authentication service through the identity authentication interface, the identity authentication service verifies the identity authentication result VC by using a verification public key issued by the identity authentication source acquired on the blockchain network, and sends the identity authentication result VC to the service, and the service sends the identity authentication result to the user, so that the user can acquire the corresponding identity authentication result through identity authentication result information contained in the identity authentication result VC. 
In the scheme, on one hand, the business service, the identity verification service and the like used in the identity verification process are arranged on the blockchain network, so that the authority and the public trust of the identity verification are ensured, and on the other hand, the encryption public key, the signature verification public key and the like are issued on the blockchain network through the identity verification source so that a user encrypts user data, the private data of the user is prevented from being revealed to a verification method, and meanwhile, each participant of the identity verification can verify the identity verification result VC through the signature verification public key, so that the trust chain of the identity verification is perfected.
In an alternative embodiment of the application, the encryption public key, the access address and the signature verification public key are published by the identity authentication source on the blockchain network by registering the DID identifier of the identity authentication source on a distributed identity (DID) service in the blockchain network.
Specifically, the embodiment of the application can build the face verification logic on the Decentralized Identifiers (DID) protocol (or specification) of the W3C (World Wide Web Consortium); that is, the operations of the identity authentication source issuing the encryption public key, the access address, the signature verification public key and so on can be realized by the corresponding DID service. Specifically, a trust chain among the identity holder, the verifier and the identity authentication source is established through the interaction capability of the DID protocol, and the user privacy protection mechanism of the DID protocol can ensure that user privacy is not revealed in the identity authentication process.
In an alternative embodiment of the present application, the method may further comprise:
acquiring a first DID document corresponding to an identity authentication source DID identifier from a DID service;
and acquiring the encryption public key and the signature verification public key based on the first DID document, and verifying the signature on the identity authentication result VC based on the signature verification public key.
Specifically, the user may also obtain the first DID document of the identity authentication source from the DID service on the blockchain network, obtain the corresponding signature verification public key by parsing the relevant field of the first DID document, and then verify the signature on the received identity authentication result VC with the signature verification public key.
In an alternative embodiment of the present application, the method may further comprise:
registering a user DID identifier through the DID service, wherein a second DID document corresponding to the user DID identifier contains authentication mode indication information of the user.
Specifically, the user can register the corresponding user DID identifier on the DID service, and the identity verification mode of the user may be indicated by the corresponding second DID document, that is, the relevant field of the second DID document carries the identity verification mode indication information, so that the business service, the identity verification service and the identity authentication source can all learn the identity verification mode indication information of the user.
The identity verification scheme provided by the application is further described by an example in which the identity verification mode is face verification based on distributed identities. The overall structure of this face verification scheme is shown in fig. 7, and each component of the structure is described in detail below:
Identity authentication source: the authoritative body providing the user identity verification service for face verification. It is a public identity service with public trust, trusted by both the verifier and the identity holder. The identity authentication source can externally disclose the authoritative qualification of its public identity service through a DID identifier registered on the DID service, and the DID document (that is, the first DID document) containing public information about the body, such as the service address, the encryption public key and the credential verification public key, can be resolved from the DID identifier of the identity authentication source. The identity authentication source stores face data and identity information of the user recorded in advance, and when face verification is used to verify the identity of the user, the user identity verification result is obtained by comparing the similarity of the face data.
DID service (or DID contract): a standard basic blockchain application facility platform formed by a DID application service or a DID smart contract, not limited to an application implementation or a pure contract implementation. Its functions mainly comprise two parts:
(1) DID application service: provides application interfaces at the API (Application Program Interface) level, including registration and resolution of DID documents, generation of verifiable credentials, credential verification services and so on; if the DID service is a pure contract implementation, access is provided in the form of a contract interface. The identity holder and the identity authentication source register their DID identifiers through the DID service, and the identity authentication source can issue the face verification result credential (VC) through the DID service.
(2) DID smart contract: stores the on-chain state data of the DID, including the DID document associated with the DID identifier, ensuring that the DID identifier is public and tamper-proof.
Business service (or business contract): the business system responsible for handling user business requests, not limited to an application implementation or a pure contract implementation. It calls the face verification contract interface with the encrypted identity data as the identity verification parameter to verify the identity of the user and obtain the face verification result credential. After the user identity verification is passed, the verified user identity information and the business parameters are used to complete the business processing flow.
Face verification contract (or face verification service, corresponding to the identity verification service): responsible for calling the face verification interface of the identity authentication source (corresponding to the identity authentication interface), receiving the returned identity authentication result credential and returning it to the business service. The DID identifier of the identity authentication source is set in the public contract; because the contract code is public and cannot be tampered with, the identity holder and the verifier can verify the legitimacy and authority of the identity authentication source from the contract code. The face verification contract resolves the DID document of the authoritative identity authentication source through the DID service and obtains from the document the access address of the face verification interface and the verification public key of the identity authentication result credential, in order to call the face verification interface and verify the face verification result credential. The face verification contract's call to the interface of the identity authentication source is data communication between on-chain and off-chain components, and oracle technology generally needs to be applied.
Identity application terminal: the identity terminal autonomously controlled by the identity holder (user), not limited to an identity wallet, applet, app or the like. The user realizes the following functions through the identity application terminal:
(1) The user registers the user's DID identifier and can optionally set the verification method field of the DID document (that is, the second DID document) to the face verification identity verification mode, so that the user's identity verification mode is autonomous and controllable. The business service and the face verification contract determine which identity verification mode is adopted by querying the identity verification mode in the user's DID document, or confirm whether the identity of the user is to be verified by face verification.
(2) The user ensures the security of user identity verification through the identity terminal, which comprises: resolving the DID identifier of the authoritative identity authentication source from the DID service and verifying the legitimacy and authority of the identity authentication source; checking the validity of the face verification contract by querying the face verification contract address; and verifying the validity of the face verification result locally with the public key of the authoritative identity authentication source, or by invoking the credential verification function of the DID service.
(3) Through the identity terminal, the user resolves the DID identifier of the authoritative identity authentication source from the DID service to obtain the public key disclosed in the keyAgreement field of the identity authentication source, and uses it to encrypt the user identity data, which comprises face data and identity information data. The encrypted identity data can be decrypted to its original text only by the identity authentication source holding the private key, so that the user's private information is not revealed to the verifier.
In special situations, the identity application terminal is not an essential component, and a user can complete an on-chain transaction directly through face recognition.
Fig. 8 is a schematic diagram showing the interaction of authentication in the authentication example shown in fig. 7, and as shown in fig. 8, the authentication process may include the following interaction steps:
(1) The identity authentication source issues the access address of the identity authentication interface, the encryption public key and the signature verification public key on the blockchain network through the DID service by registering the DID identifier of the identity authentication source;
(2) The identity holder issues the user's identity verification mode indication information (or face verification mode indication information) by registering the user's DID identifier on the blockchain network through the DID service;
(3) The identity holder acquires the DID document of the identity authentication source from the DID service, and then acquires the encryption public key and the signature verification public key from the DID document;
(4) After the identity data is obtained, the identity holder sends the business parameters and the identity data encrypted with the encryption public key to the business service;
(5) The business service transmits the encrypted identity data to the face verification service;
(6) The face verification service acquires the DID document of the identity authentication source from the DID service, and then acquires the signature verification public key and the access address of the face verification interface from the DID document;
(7) The face verification service sends the encrypted identity data to the identity authentication source by calling the face verification interface;
(8) The identity authentication source decrypts the encrypted identity data and performs identity authentication on the decrypted data, then obtains the face verification result VC from the DID service, or generates the face verification result VC itself;
(9) The identity authentication source feeds the face verification result VC back to the face verification service, and the face verification service verifies the signature on the face verification result VC with the signature verification public key;
(10) The face verification service feeds the face verification result VC back to the business service; if the signature on the face verification result VC verifies and the identity authentication result contained in it indicates that identity verification passed, the business service extracts the business parameters and completes the business processing;
(11) The business service feeds the business processing result and the face verification result VC back to the identity holder;
(12) The identity holder sends the face verification result VC to the DID service for face verification audit.
It should be noted that the interaction steps drawn with dashed lines in fig. 8 are optional: they may or may not be performed without affecting the implementation of identity verification in this example.
The embodiment of the application realizes a face verification method using blockchain distributed identity technology. It essentially solves the problem of binding biometric features to the on-chain identity of a blockchain, and can automatically complete the execution of a user's blockchain transaction through face recognition, that is, face verification on-chain. Compared with mainstream blockchain systems based on asymmetric-key identity verification, it has obvious advantages:
Security is stronger: the loss of on-chain assets caused by leakage of the private key, whether through personal error or a hacking attack, can be avoided.
In the public-private key mode, once the private key is lost the user can never again perform an on-chain transaction, and the on-chain assets are permanently lost. In the face verification on-chain mode, the user's authority to execute on-chain transactions is bound to the user's inherent biometric features, and the irreversible problem of private key loss is avoided.
In the public-private key mode, the private key is typically kept in a wallet or under key escrow, with additional private key management costs for the user or the escrow party. In the face verification on-chain mode, the user can quickly execute blockchain transactions at any time and any place using facial biometric features, so the problem of additional private key management for the user is avoided.
The embodiment of the application realizes the face verification process of the user through the data transmission encryption mechanism of the DID standard, with the business party knowing none or only part of the user's identity information, which avoids excessive leakage of user information to the business party and effectively protects the user's private data. In the authentication process, the identity holder participates in the face verification process between the verifier and the authoritative identity authentication source, the whole face verification process forms a closed loop, and the face verification process establishes a non-repudiable trust chain with the properties of being supervisable, auditable and traceable.
The embodiment of the application is based on the DID standard led by the W3C working group, has obvious advantages in protocol interoperability, provides application-layer protocol support for cross-contract and cross-chain scenarios, can be extended to user identity verification scenarios in different business fields, and strongly promotes application development based on DID blockchains.
Fig. 9 is a block diagram of an authentication device according to an embodiment of the present application, and as shown in fig. 9, the device 900 may include: an identity data receiving module 901, a first authentication result VC obtaining module 902, and a first authentication result obtaining module 903, where:
the identity data receiving module 901 is used for receiving identity data of a user and sending the identity data to an identity verification service on a blockchain network; the identity data is encrypted by an encryption public key, and the encryption public key is issued on the blockchain network by an identity authentication source;
the first authentication result VC obtaining module 902 is configured to obtain, through the identity verification service, the access address of the identity authentication interface of the identity authentication source, invoke the identity authentication interface of the identity authentication source based on the access address, send the identity data to the identity authentication source through the identity authentication interface, receive the identity authentication result VC fed back by the identity authentication source, and verify the signature on the identity authentication result VC based on the signature verification public key; wherein the access address and the signature verification public key are issued on the blockchain network by the identity authentication source, the identity authentication result VC comprises identity authentication result information and signature information, the identity authentication result information is obtained by the identity authentication source based on the identity data and a first private key corresponding to the encryption public key, and the signature information is obtained by the identity authentication source based on a second private key corresponding to the signature verification public key;
The first authentication result obtaining module 903 is configured to receive an authentication result VC sent by the authentication service, and obtain an authentication result of the user based on authentication result information in the authentication result VC.
According to the scheme provided by the application, the user first encrypts the identity data with the encryption public key issued by the identity authentication source and acquired from the blockchain network, then sends the encrypted identity data to the business service on the blockchain. The business service sends the encrypted identity data to the identity verification service, which invokes the identity authentication interface using the access address issued by the identity authentication source and acquired from the blockchain network, and sends the encrypted identity data to the identity authentication source through that interface. The identity authentication source decrypts and verifies the encrypted identity data, obtains the corresponding identity authentication result VC, and feeds it back to the identity verification service through the identity authentication interface. The identity verification service verifies the identity authentication result VC with the signature verification public key issued by the identity authentication source and acquired from the blockchain network, and sends the identity authentication result VC to the business service, so that the business service can obtain the corresponding identity authentication result from the identity authentication result information contained in the identity authentication result VC.
In this scheme, on the one hand, the business service, the identity verification service and the other components used in the identity verification process are deployed on the blockchain network, which ensures the authority and public trust of the identity verification. On the other hand, the encryption public key, the signature verification public key and so on are issued on the blockchain network by the identity authentication source, so that the user can encrypt the user data and the user's private data is not revealed to the verifier; at the same time, every participant in the identity verification can verify the identity authentication result VC with the signature verification public key, so that the trust chain of the identity verification is completed.
In an alternative embodiment of the application, the encryption public key, the access address and the signature verification public key are published by the identity authentication source on the blockchain network by registering the DID identifier of the identity authentication source on a distributed identity (DID) service in the blockchain network.
In an alternative embodiment of the application, the apparatus further comprises a first signature verification module for:
acquiring a first DID document corresponding to an identity authentication source DID identifier from a DID service;
and acquiring the signature verification public key based on the first DID document, and verifying the signature on the identity authentication result VC based on the signature verification public key.
In an alternative embodiment of the application, the authentication result VC is obtained by the DID service by combining the content issued based on the authentication result information with the signature information.
In an alternative embodiment of the present application, the apparatus further includes a service processing module configured to:
receiving the service parameters corresponding to the user while receiving the identity data of the user;
and if the authentication result VC passes the authentication and the authentication result information indicates that the authentication of the user passes, performing service processing based on the service parameters to obtain a corresponding service processing result.
In an optional embodiment of the application, the apparatus further comprises an authentication result VC forwarding module configured to:
feeding back the business processing result and the identity authentication result VC to the user.
Fig. 10 is a block diagram of an authentication device according to an embodiment of the present application, and as shown in fig. 10, the device 1000 may include: an identity data sending module 1001, a second authentication result VC obtaining module 1002, and a second authentication result obtaining module 1003, where:
the identity data sending module 1001 is configured to send identity data to a service on the blockchain network, and send the identity data to an identity verification service on the blockchain network through the service; the identity data is encrypted by an encryption public key, and the encryption public key is issued on the blockchain network by an identity authentication source;
the second authentication result VC obtaining module 1002 is configured to obtain, through the identity verification service, the access address of the identity authentication interface of the identity authentication source, invoke the identity authentication interface of the identity authentication source based on the access address, send the identity data to the identity authentication source through the identity authentication interface, receive through the identity authentication interface the identity authentication result VC fed back by the identity authentication source, verify the signature on the identity authentication result VC based on the signature verification public key, and send the identity authentication result VC to the business service; wherein the access address and the signature verification public key are issued on the blockchain network by the identity authentication source, the identity authentication result VC comprises identity authentication result information and signature information, the identity authentication result information is obtained by the identity authentication source based on the identity data and a first private key corresponding to the encryption public key, and the signature information is obtained by the identity authentication source based on a second private key corresponding to the signature verification public key;
The second authentication result obtaining module 1003 is configured to receive an authentication result VC sent by the service, and obtain an authentication result of the user based on authentication result information in the authentication result VC.
According to the scheme provided by the application, the user first encrypts the identity data with the encryption public key issued by the identity authentication source and acquired from the blockchain network, then sends the encrypted identity data to the business service on the blockchain. The business service sends the encrypted identity data to the identity verification service, which invokes the identity authentication interface using the access address issued by the identity authentication source and acquired from the blockchain network, and sends the encrypted identity data to the identity authentication source through that interface. The identity authentication source decrypts and verifies the encrypted identity data, obtains the corresponding identity authentication result VC, and feeds it back to the identity verification service through the identity authentication interface. The identity verification service verifies the identity authentication result VC with the signature verification public key issued by the identity authentication source and acquired from the blockchain network, and sends the identity authentication result VC to the business service, which sends it to the user, so that the user can obtain the corresponding identity authentication result from the identity authentication result information contained in the identity authentication result VC.
In this scheme, on the one hand, the business service, the identity verification service and the other components used in the identity verification process are deployed on the blockchain network, which ensures the authority and public trust of the identity verification. On the other hand, the encryption public key, the signature verification public key and so on are issued on the blockchain network by the identity authentication source, so that the user can encrypt the user data and the user's private data is not revealed to the verifier; at the same time, every participant in the identity verification can verify the identity authentication result VC with the signature verification public key, so that the trust chain of the identity verification is completed.
In an alternative embodiment of the application, the encryption public key, the access address and the signature verification public key are published by the identity authentication source on the blockchain network by registering the DID identifier of the identity authentication source on a distributed identity (DID) service in the blockchain network.
In an alternative embodiment of the application, the device further comprises a second signature verification module for:
acquiring a first DID document corresponding to an identity authentication source DID identifier from a DID service;
and acquiring the encryption public key and the signature verification public key based on the first DID document, and verifying the signature on the identity authentication result VC based on the signature verification public key.
In an alternative embodiment of the present application, the apparatus further includes a user DID identity registration module for:
registering a user DID identifier through the DID service, wherein a second DID document corresponding to the user DID identifier contains authentication mode indication information of the user.
Referring now to fig. 11, a schematic diagram of an electronic device 1100 suitable for use in implementing embodiments of the present application is shown. The electronic device in the embodiment of the present application may include, but is not limited to, a mobile terminal such as a mobile phone, a notebook computer, a digital broadcast receiver, a PDA (personal digital assistant), a PAD (tablet computer), a PMP (portable multimedia player), a car-mounted terminal (e.g., car navigation terminal), a wearable device, etc., and a fixed terminal such as a digital TV, a desktop computer, etc. The electronic device shown in fig. 11 is only an example, and should not impose any limitation on the functions and scope of use of the embodiments of the present application.
An electronic device includes: the memory is used for storing programs for executing the methods according to the method embodiments; the processor is configured to execute a program stored in the memory. Herein, the processor may be referred to as a processing device 1101, and the memory may include at least one of a Read Only Memory (ROM) 1102, a Random Access Memory (RAM) 1103, and a storage device 1108, as follows:
as shown in fig. 11, the electronic device 1100 may include a processing means (e.g., a central processor, a graphics processor, etc.) 1101 that may perform various appropriate actions and processes according to a program stored in a Read Only Memory (ROM) 1102 or a program loaded from a storage means 1108 into a Random Access Memory (RAM) 1103. In the RAM 1103, various programs and data necessary for the operation of the electronic device 1100 are also stored. The processing device 1101, ROM 1102, and RAM 1103 are connected to each other by a bus 1104. An input/output (I/O) interface 1105 is also connected to bus 1104.
In general, the following devices may be connected to the I/O interface 1105: input devices 1106 including, for example, a touch screen, touchpad, keyboard, mouse, camera, microphone, accelerometer, gyroscope, and the like; an output device 1107 including, for example, a Liquid Crystal Display (LCD), a speaker, a vibrator, and the like; storage 1108, including for example, magnetic tape, hard disk, etc.; and a communication device 1109. The communication means 1109 may allow the electronic device 1100 to communicate wirelessly or by wire with other devices to exchange data. While fig. 11 shows an electronic device having various means, it is to be understood that not all of the illustrated means are required to be implemented or provided. More or fewer devices may be implemented or provided instead.
In particular, according to embodiments of the present application, the processes described above with reference to flowcharts may be implemented as computer software programs. For example, embodiments of the present application include a computer program product comprising a computer program embodied on a non-transitory computer readable medium, the computer program comprising program code for performing the method shown in the flow chart. In such an embodiment, the computer program may be downloaded and installed from a network via communications device 1109, or from storage device 1108, or from ROM 1102. The above-described functions defined in the method of the embodiment of the present application are performed when the computer program is executed by the processing means 1101.
The computer readable storage medium of the present application may be a computer readable signal medium or a computer readable storage medium, or any combination of the two. The computer readable storage medium can be, for example, but not limited to, an electronic, magnetic, optical, electromagnetic, infrared, or semiconductor system, apparatus, or device, or a combination of any of the foregoing. More specific examples of the computer-readable storage medium may include, but are not limited to: an electrical connection having one or more wires, a portable computer diskette, a hard disk, a Random Access Memory (RAM), a read-only memory (ROM), an erasable programmable read-only memory (EPROM or flash memory), an optical fiber, a portable compact disc read-only memory (CD-ROM), an optical storage device, a magnetic storage device, or any suitable combination of the foregoing. In the context of this document, a computer readable storage medium may be any tangible medium that can contain, or store a program for use by or in connection with an instruction execution system, apparatus, or device. In the present application, however, the computer-readable signal medium may include a data signal propagated in baseband or as part of a carrier wave, with the computer-readable program code embodied therein. Such a propagated data signal may take any of a variety of forms, including, but not limited to, electro-magnetic, optical, or any suitable combination of the foregoing. A computer readable signal medium may also be any computer readable medium that is not a computer readable storage medium and that can communicate, propagate, or transport a program for use by or in connection with an instruction execution system, apparatus, or device. 
Program code embodied on a computer readable medium may be transmitted using any appropriate medium, including but not limited to: electrical wires, fiber optic cables, RF (radio frequency), and the like, or any suitable combination of the foregoing.
In some implementations, the clients and servers may communicate using any currently known or future developed network protocol, such as HTTP (HyperText Transfer Protocol), and may be interconnected with any form or medium of digital data communication (e.g., a communication network). Examples of communication networks include a local area network ("LAN"), a wide area network ("WAN"), an internetwork (e.g., the Internet), and peer-to-peer networks (e.g., ad hoc peer-to-peer networks), as well as any currently known or future developed networks.
The computer readable medium may be contained in the electronic device; or may exist alone without being incorporated into the electronic device.
The computer readable medium carries one or more programs which, when executed by the electronic device, cause the electronic device to:
receiving identity data of a user, and sending the identity data to an identity verification service on a blockchain network; the identity data is encrypted by an encryption public key, and the encryption public key is issued on the blockchain network by an identity authentication source; the method comprises the steps of obtaining an access address of an identity authentication interface of an identity authentication source through an identity authentication service, calling the identity authentication interface of the identity authentication source based on the access address, sending identity data to the identity authentication source through the identity authentication interface, receiving an identity authentication result VC fed back by the identity authentication source, and authenticating the identity authentication result VC based on an authentication public key; the method comprises the steps that an access address and a signature verification public key are issued on a blockchain network by an identity authentication source, an identity authentication result VC comprises identity authentication result information and signature information, the identity authentication result information is obtained by the identity authentication source based on identity data and a first private key corresponding to an encryption public key, and the signature information is obtained by the identity authentication source based on a signature verification public key and a second private key; and receiving an authentication result VC sent by the authentication service, and acquiring an authentication result of the user based on authentication result information in the authentication result VC.
Or, sending the identity data to a business service on the blockchain network, and sending the identity data to an identity verification service on the blockchain network through the business service; the identity data is encrypted by an encryption public key, and the encryption public key is issued on the blockchain network by an identity authentication source; the method comprises the steps of obtaining an access address of an identity authentication interface of an identity authentication source through an identity authentication service, calling the identity authentication interface of the identity authentication source based on the access address, sending identity data to the identity authentication source through the identity authentication interface, receiving an identity authentication result VC fed back by the identity authentication source, authenticating the identity authentication result VC based on an authentication public key, and sending the identity authentication result VC to a business service; the method comprises the steps that an access address and a signature verification public key are issued on a blockchain network by an identity authentication source, an identity authentication result VC comprises identity authentication result information and signature information, the identity authentication result information is obtained by the identity authentication source based on identity data and a first private key corresponding to an encryption public key, and the signature information is obtained by the identity authentication source based on a signature verification public key and a second private key; and receiving an authentication result VC sent by the service, and acquiring an authentication result of the user based on authentication result information in the authentication result VC.
Computer program code for carrying out operations of the present application may be written in one or more programming languages, including, but not limited to, an object oriented programming language such as Java, Smalltalk or C++, and conventional procedural programming languages, such as the "C" programming language or similar programming languages. The program code may execute entirely on the user's computer, partly on the user's computer, as a stand-alone software package, partly on the user's computer and partly on a remote computer, or entirely on the remote computer or server. In the case of a remote computer, the remote computer may be connected to the user's computer through any kind of network, including a Local Area Network (LAN) or a Wide Area Network (WAN), or may be connected to an external computer (for example, through the Internet using an Internet service provider).
The flowcharts and block diagrams in the figures illustrate the architecture, functionality, and operation of possible implementations of systems, methods and computer program products according to various embodiments of the present application. In this regard, each block in the flowchart or block diagrams may represent a module, segment, or portion of code, which comprises one or more executable instructions for implementing the specified logical function(s). It should also be noted that, in some alternative implementations, the functions noted in the block may occur out of the order noted in the figures. For example, two blocks shown in succession may, in fact, be executed substantially concurrently, or the blocks may sometimes be executed in the reverse order, depending upon the functionality involved. It will also be noted that each block of the block diagrams and/or flowchart illustration, and combinations of blocks in the block diagrams and/or flowchart illustration, can be implemented by special purpose hardware-based systems which perform the specified functions or acts, or combinations of special purpose hardware and computer instructions.
The modules or units involved in the embodiments of the present application may be implemented in software or in hardware. Where the name of the module or unit does not constitute a limitation of the unit itself in some cases, for example, the first constraint acquisition module may also be described as "a module that acquires the first constraint".
The functions described above herein may be performed, at least in part, by one or more hardware logic components. For example, without limitation, exemplary types of hardware logic components that may be used include: a Field Programmable Gate Array (FPGA), an Application Specific Integrated Circuit (ASIC), an Application Specific Standard Product (ASSP), a system on a chip (SOC), a Complex Programmable Logic Device (CPLD), and the like.
In the context of the present application, a machine-readable medium may be a tangible medium that can contain, or store a program for use by or in connection with an instruction execution system, apparatus, or device. The machine-readable medium may be a machine-readable signal medium or a machine-readable storage medium. The machine-readable medium may include, but is not limited to, an electronic, magnetic, optical, electromagnetic, infrared, or semiconductor system, apparatus, or device, or any suitable combination of the foregoing. More specific examples of a machine-readable storage medium would include an electrical connection based on one or more wires, a portable computer diskette, a hard disk, a Random Access Memory (RAM), a read-only memory (ROM), an erasable programmable read-only memory (EPROM or flash memory), an optical fiber, a portable compact disc read-only memory (CD-ROM), an optical storage device, a magnetic storage device, or any suitable combination of the foregoing.
Embodiments of the present application provide a computer program product or computer program comprising computer instructions stored in a computer readable storage medium. The processor of the computer device reads the computer instructions from the computer readable storage medium, and the processor executes the computer instructions such that the computer device performs:
receiving identity data of a user, and sending the identity data to an identity verification service on a blockchain network; the identity data is encrypted by an encryption public key, and the encryption public key is issued on the blockchain network by an identity authentication source; the method comprises the steps of obtaining an access address of an identity authentication interface of an identity authentication source through an identity authentication service, calling the identity authentication interface of the identity authentication source based on the access address, sending identity data to the identity authentication source through the identity authentication interface, receiving an identity authentication result VC fed back by the identity authentication source, and authenticating the identity authentication result VC based on an authentication public key; the method comprises the steps that an access address and a signature verification public key are issued on a blockchain network by an identity authentication source, an identity authentication result VC comprises identity authentication result information and signature information, the identity authentication result information is obtained by the identity authentication source based on identity data and a first private key corresponding to an encryption public key, and the signature information is obtained by the identity authentication source based on a signature verification public key and a second private key; and receiving an authentication result VC sent by the authentication service, and acquiring an authentication result of the user based on authentication result information in the authentication result VC.
Or, sending the identity data to a business service on the blockchain network, and sending the identity data to an identity verification service on the blockchain network through the business service; the identity data is encrypted by an encryption public key, and the encryption public key is issued on the blockchain network by an identity authentication source; the method comprises the steps of obtaining an access address of an identity authentication interface of an identity authentication source through an identity authentication service, calling the identity authentication interface of the identity authentication source based on the access address, sending identity data to the identity authentication source through the identity authentication interface, receiving an identity authentication result VC fed back by the identity authentication source, authenticating the identity authentication result VC based on an authentication public key, and sending the identity authentication result VC to a business service; the method comprises the steps that an access address and a signature verification public key are issued on a blockchain network by an identity authentication source, an identity authentication result VC comprises identity authentication result information and signature information, the identity authentication result information is obtained by the identity authentication source based on identity data and a first private key corresponding to an encryption public key, and the signature information is obtained by the identity authentication source based on a signature verification public key and a second private key; and receiving an authentication result VC sent by the service, and acquiring an authentication result of the user based on authentication result information in the authentication result VC.
It should be understood that, although the steps in the flowcharts of the figures are shown in order as indicated by the arrows, these steps are not necessarily performed in order as indicated by the arrows. The steps are not strictly limited in order and may be performed in other orders, unless explicitly stated herein. Moreover, at least some of the steps in the flowcharts of the figures may include a plurality of sub-steps or stages that are not necessarily performed at the same time, but may be performed at different times, the order of their execution not necessarily being sequential, but may be performed in turn or alternately with other steps or at least a portion of the other steps or stages.
The foregoing is only a partial embodiment of the present invention, and it should be noted that it will be apparent to those skilled in the art that modifications and adaptations can be made without departing from the principles of the present invention, and such modifications and adaptations are intended to be comprehended within the scope of the present invention.
Claims (15)
1. An authentication method, comprising:
receiving identity data of a user, and sending the identity data to an identity verification service on a blockchain network; the identity data is encrypted by an encryption public key, and the encryption public key is issued on the blockchain network by an identity authentication source;
acquiring an access address of an identity authentication interface of the identity authentication source through the identity verification service, calling the identity authentication interface of the identity authentication source based on the access address, sending the identity data to the identity authentication source through the identity authentication interface, receiving an identity verification result credential fed back by the identity authentication source, and performing signature verification on the identity verification result credential based on a signature verification public key; the access address and the signature verification public key are issued on the blockchain network by the identity authentication source, the identity verification result credential comprises identity verification result information and signature information, the identity verification result information is obtained by the identity authentication source based on the identity data and a first private key corresponding to the encryption public key, and the signature information is obtained by the identity authentication source based on a second private key corresponding to the signature verification public key;
and receiving the authentication result certificate sent by the authentication service, and acquiring the authentication result of the user based on the authentication result information in the authentication result certificate.
2. The method of claim 1, wherein the encryption public key, the access address, and the signature verification public key are published on the blockchain network by the identity authentication source by registering an identity authentication source DID identifier on a distributed identity (DID) service in the blockchain network.
3. The method according to claim 2, wherein the method further comprises:
acquiring a first DID document corresponding to the identification of the identity authentication source DID from the DID service;
and acquiring the signature verification public key based on the first DID document, and carrying out signature verification on the identity verification result certificate based on the signature verification public key.
4. The method of claim 2, wherein the identity verification result credential is obtained by the DID service by combining the signed content, namely the identity verification result information, with the signature information.
5. The method according to claim 1, wherein the method further comprises:
receiving the service parameters corresponding to the user while receiving the identity data of the user;
and if the signature verification of the identity verification result credential passes and the identity verification result information indicates that the verification of the user passes, performing service processing based on the service parameters to obtain a corresponding service processing result.
6. The method of claim 5, wherein the method further comprises:
and feeding back the service processing result and the authentication result certificate to the user.
7. An authentication method, comprising:
transmitting identity data to a service on a blockchain network, and transmitting the identity data to an identity verification service on the blockchain network through the service; the identity data is encrypted by an encryption public key, and the encryption public key is issued on the blockchain network by an identity authentication source;
acquiring an access address of an identity authentication interface of the identity authentication source through the identity verification service, calling the identity authentication interface of the identity authentication source based on the access address, sending the identity data to the identity authentication source through the identity authentication interface, receiving an identity verification result credential fed back by the identity authentication source, performing signature verification on the identity verification result credential based on a signature verification public key, and sending the identity verification result credential to the service; the access address and the signature verification public key are issued on the blockchain network by the identity authentication source, the identity verification result credential comprises identity verification result information and signature information, the identity verification result information is obtained by the identity authentication source based on the identity data and a first private key corresponding to the encryption public key, and the signature information is obtained by the identity authentication source based on a second private key corresponding to the signature verification public key;
and receiving the identity verification result credential sent by the service, and acquiring an identity verification result of the user based on the identity verification result information in the identity verification result credential.
8. The method of claim 7, wherein the encryption public key, the access address, and the signature verification public key are published on the blockchain network by the identity authentication source by registering an identity authentication source DID identifier on a distributed identity (DID) service in the blockchain network.
9. The method of claim 8, wherein the method further comprises:
acquiring a first DID document corresponding to the identification of the identity authentication source DID from the DID service;
and acquiring the encryption public key and the signature verification public key based on the first DID document, and carrying out signature verification on the identity verification result certificate based on the signature verification public key.
10. The method of claim 8, wherein the method further comprises:
registering a user DID identifier through the DID service, wherein a second DID document corresponding to the user DID identifier contains the identity verification mode indication information of the user.
11. An authentication apparatus, comprising:
the identity data receiving module is used for receiving the identity data of the user and sending the identity data to an identity verification service on the blockchain network; the identity data is encrypted by an encryption public key, and the encryption public key is issued on the blockchain network by an identity authentication source;
the first identity verification result credential acquisition module is used for acquiring an access address of an identity authentication interface of the identity authentication source through the identity verification service, calling the identity authentication interface of the identity authentication source based on the access address, transmitting the identity data to the identity authentication source through the identity authentication interface, receiving an identity verification result credential fed back by the identity authentication source, and performing signature verification on the identity verification result credential based on a signature verification public key; the access address and the signature verification public key are issued on the blockchain network by the identity authentication source, the identity authentication result certificate comprises identity authentication result information and signature information, the identity authentication result information is obtained by the identity authentication source based on the identity data and a first private key corresponding to the encryption public key, and the signature information is obtained by the identity authentication source based on a second private key of the signature verification public key;
and the first identity verification result acquisition module is used for receiving the identity verification result credential sent by the identity verification service and acquiring the identity verification result of the user based on the identity verification result information in the identity verification result credential.
12. An authentication apparatus, comprising:
the identity data transmitting module is used for transmitting the identity data to a business service on the blockchain network, and transmitting the identity data to an identity verification service on the blockchain network through the business service; the identity data is encrypted by an encryption public key, and the encryption public key is issued on the blockchain network by an identity authentication source;
the second identity verification result credential acquisition module is used for acquiring an access address of an identity authentication interface of the identity authentication source through the identity verification service, calling the identity authentication interface of the identity authentication source based on the access address, transmitting the identity data to the identity authentication source through the identity authentication interface, receiving an identity verification result credential fed back by the identity authentication source, checking the identity verification result credential based on a signature verification public key, and transmitting the identity verification result credential to the service; the access address and the signature verification public key are issued on the blockchain network by the identity authentication source, the identity authentication result certificate comprises identity authentication result information and signature information, the identity authentication result information is obtained by the identity authentication source based on the identity data and a first private key corresponding to the encryption public key, and the signature information is obtained by the identity authentication source based on a second private key of the signature verification public key;
and the second identity verification result acquisition module is used for receiving the identity verification result credential sent by the service and acquiring an identity verification result of the user based on the identity verification result information in the identity verification result credential.
13. An electronic device comprising a memory and a processor;
the memory stores a computer program;
the processor is configured to execute the computer program to implement the method of any one of claims 1 to 10.
14. A computer readable storage medium, characterized in that the computer readable storage medium has stored thereon a computer program which, when executed by a processor, implements the method of any of claims 1 to 10.
15. A computer program product comprising a computer program which, when executed by a processor, implements the method of any one of claims 1 to 10.
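The following is a constructed Python model of the two flows claimed above (claim 1, where the user submits directly to the identity verification service, and claim 7, where the user goes through a business service that also performs the business processing of claim 5). It is an added example, not code from the patent or its applicant. Everything concrete in it is assumed for illustration: the DID `did:example:authsource`, the access address `https://authsource.example/verify`, the `VALID_IDENTITIES` registry, the JSON layout of the result credential, and textbook RSA over fixed Mersenne primes standing in for the "first private key"/"encryption public key" and "second private key"/"signature verification public key" pairs (a real deployment would use padded RSA or an elliptic-curve scheme). The "blockchain" is a dictionary holding DID documents, and the "network call" to the access address is a function lookup. The last function shows the check a verifier relies on: a credential whose result information is altered after signing fails signature verification.

```python
"""Constructed model of the blockchain-anchored identity verification flow (not the patent's code).
Toy textbook RSA with fixed Mersenne primes; keys are illustrative only and must not be reused."""
import hashlib
import json

E = 65537  # public exponent; coprime to (p-1)(q-1) for the primes chosen below


def make_keypair(p: int, q: int):
    """Textbook RSA key pair from two primes (no padding: toy only)."""
    n = p * q
    d = pow(E, -1, (p - 1) * (q - 1))
    return (n, E), (n, d)


# --- identity authentication source: two key pairs, as in the claims (constructed) ---
ENC_PUB, ENC_PRIV = make_keypair(2**521 - 1, 2**607 - 1)     # encryption public key / first private key
SIG_PUB, SIG_PRIV = make_keypair(2**1279 - 1, 2**2203 - 1)   # signature verification public key / second private key
SOURCE_DID = "did:example:authsource"                         # assumed DID of the authentication source
ACCESS_ADDRESS = "https://authsource.example/verify"          # assumed access address of its interface
VALID_IDENTITIES = {"110101199001011234": "Zhang San"}        # constructed registry behind the source


def canonical(obj) -> bytes:
    """Deterministic JSON so signer and verifier hash identical bytes."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()


def encrypt(pub, data: bytes) -> int:
    n, e = pub
    m = int.from_bytes(data, "big")
    assert m < n, "identity data too long for the toy modulus"
    return pow(m, e, n)


def decrypt(priv, c: int) -> bytes:
    n, d = priv
    m = pow(c, d, n)
    return m.to_bytes((m.bit_length() + 7) // 8, "big")


def sign(priv, payload: bytes) -> int:
    n, d = priv
    return pow(int.from_bytes(hashlib.sha256(payload).digest(), "big"), d, n)


def verify(pub, payload: bytes, sig: int) -> bool:
    n, e = pub
    return pow(sig, e, n) == int.from_bytes(hashlib.sha256(payload).digest(), "big")


def new_chain() -> dict:
    """Simulated DID service: the source registers its DID document on the chain (claim 2)."""
    doc = {"id": SOURCE_DID, "encryptionPublicKey": ENC_PUB,
           "signatureVerificationPublicKey": SIG_PUB, "authenticationInterface": ACCESS_ADDRESS}
    return {"did_documents": {SOURCE_DID: doc}}


def authentication_interface(ciphertext: int) -> dict:
    """The source's interface: decrypt with the first private key, decide, sign with the second."""
    identity = json.loads(decrypt(ENC_PRIV, ciphertext))
    passed = VALID_IDENTITIES.get(identity["id_number"]) == identity["name"]
    result_info = {"issuer": SOURCE_DID, "verified": passed,
                   "id_hash": hashlib.sha256(identity["id_number"].encode()).hexdigest()}
    return {"resultInfo": result_info, "signature": sign(SIG_PRIV, canonical(result_info))}


ENDPOINTS = {ACCESS_ADDRESS: authentication_interface}  # stand-in for the network call


def identity_verification_service(chain: dict, ciphertext: int) -> dict:
    """On-chain service: resolve the DID document, call the interface, check the signature."""
    doc = chain["did_documents"][SOURCE_DID]
    vc = ENDPOINTS[doc["authenticationInterface"]](ciphertext)
    if not verify(doc["signatureVerificationPublicKey"], canonical(vc["resultInfo"]), vc["signature"]):
        raise ValueError("signature check on identity verification result credential failed")
    return vc


def business_service(chain: dict, ciphertext: int, business_params: dict) -> dict:
    """Claim 5/7: verify first; process business parameters only on a signed pass."""
    vc = identity_verification_service(chain, ciphertext)
    if vc["resultInfo"]["verified"]:
        return {"vc": vc, "business_result": f"order {business_params['order_id']} accepted"}
    return {"vc": vc, "business_result": None}


def user_submit(chain: dict, identity: dict, business_params=None):
    """User side: encrypt to the published key, then follow claim 1 (direct) or claim 7 (via business)."""
    ciphertext = encrypt(chain["did_documents"][SOURCE_DID]["encryptionPublicKey"], canonical(identity))
    if business_params is None:
        return identity_verification_service(chain, ciphertext)["resultInfo"]["verified"], None
    out = business_service(chain, ciphertext, business_params)
    return out["vc"]["resultInfo"]["verified"], out["business_result"]


def tamper_is_detected(chain: dict) -> bool:
    """Verifier check: flipping 'verified' after signing must invalidate the credential."""
    doc = chain["did_documents"][SOURCE_DID]
    vc = authentication_interface(encrypt(doc["encryptionPublicKey"],
                                          canonical({"id_number": "000", "name": "Nobody"})))
    vc["resultInfo"]["verified"] = True  # forged pass, signature unchanged
    return not verify(doc["signatureVerificationPublicKey"], canonical(vc["resultInfo"]), vc["signature"])


if __name__ == "__main__":
    chain = new_chain()
    print(user_submit(chain, {"id_number": "110101199001011234", "name": "Zhang San"}))
    print(user_submit(chain, {"id_number": "110101199001011234", "name": "Zhang San"}, {"order_id": 42}))
    print(tamper_is_detected(chain))
```

The design point the claims rest on is visible in `identity_verification_service`: the service never trusts the result information on its own, and it takes the signature verification public key from the DID document on the chain rather than from the credential it just received, so a forged or altered credential is rejected before any business processing runs.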
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202310123766.8A CN116975810A (en) | 2023-02-02 | 2023-02-02 | Identity verification method, device, electronic equipment and computer readable storage medium |
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202310123766.8A CN116975810A (en) | 2023-02-02 | 2023-02-02 | Identity verification method, device, electronic equipment and computer readable storage medium |
Publications (1)
Publication Number | Publication Date |
---|---|
CN116975810A true CN116975810A (en) | 2023-10-31 |
Family
ID=88483774
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN202310123766.8A Pending CN116975810A (en) | 2023-02-02 | 2023-02-02 | Identity verification method, device, electronic equipment and computer readable storage medium |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN116975810A (en) |
Cited By (1)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN117254982A (en) * | 2023-11-20 | 2023-12-19 | 深圳桑达银络科技有限公司 | Digital identity verification method and system based on block chain |
- 2023-02-02 CN CN202310123766.8A patent/CN116975810A/en active Pending
Cited By (2)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN117254982A (en) * | 2023-11-20 | 2023-12-19 | 深圳桑达银络科技有限公司 | Digital identity verification method and system based on block chain |
CN117254982B (en) * | 2023-11-20 | 2024-02-23 | 深圳桑达银络科技有限公司 | Digital identity verification method and system based on block chain |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
US11038670B2 (en) | System and method for blockchain-based cross-entity authentication | |
US10824701B2 (en) | System and method for mapping decentralized identifiers to real-world entities | |
CN110933108B (en) | Data processing method and device based on block chain network, electronic equipment and storage medium | |
US20200145229A1 (en) | System and method for blockchain-based cross-entity authentication | |
CN112215608B (en) | Data processing method and device | |
CN111970129B (en) | Data processing method and device based on block chain and readable storage medium | |
WO2021000337A1 (en) | System and method for mapping decentralized identifiers to real-world entities | |
US11436597B1 (en) | Biometrics-based e-signatures for pre-authorization and acceptance transfer | |
US20230344649A1 (en) | Offline interaction system and method | |
US20220303258A1 (en) | Computer-implemented system and method | |
CN109741068A (en) | Internetbank inter-bank contracting method, apparatus and system | |
KR101974062B1 (en) | Electronic Signature Method Based on Cloud HSM | |
CN112507369B (en) | Service processing method and device based on block chain, readable medium and electronic equipment | |
US20210397678A1 (en) | Right-holder terminal, user terminal, right-holder program, user program, content usage system, and content usage method | |
CN113826134A (en) | Credible insurance letter based on block chain | |
CN114978635A (en) | Cross-domain authentication method and device, and user registration method and device | |
CN113010861A (en) | Identity verification method and system in financing transaction based on block chain | |
CN115967508A (en) | Data access control method and device, equipment, storage medium and program product | |
CN112560072A (en) | Key management method, device, medium and equipment based on block chain | |
CN113328854B (en) | Service processing method and system based on block chain | |
CN116975810A (en) | Identity verification method, device, electronic equipment and computer readable storage medium | |
CN112235276B (en) | Master-slave equipment interaction method, device, system, electronic equipment and computer medium | |
CN114331437A (en) | Block chain-based digital seal using method and device | |
CN115705601A (en) | Data processing method and device, computer equipment and storage medium | |
CN115409511B (en) | Personal information protection system based on block chain |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PB01 | Publication | ||