CN116980156A - Data processing method, device, computer equipment and readable storage medium - Google Patents

Info

Publication number
CN116980156A
Authority
CN
China
Prior art keywords
level
identity
file
target
key information
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN202211390160.2A
Other languages
Chinese (zh)
Inventor
陈自民
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Tencent Technology Shenzhen Co Ltd
Original Assignee
Tencent Technology Shenzhen Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Tencent Technology Shenzhen Co Ltd
Priority to CN202211390160.2A
Publication of CN116980156A
Legal status: Pending

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/08 Network architectures or network communication protocols for network security for authentication of entities
    • H04L67/00 Network arrangements or protocols for supporting network services or applications
    • H04L67/01 Protocols
    • H04L67/10 Protocols in which an application is distributed across nodes in the network
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/32 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L9/3247 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving digital signatures

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Storage Device Security (AREA)

Abstract

The embodiment of the application provides a data processing method, a data processing device, computer equipment and a readable storage medium, wherein the method comprises the following steps: acquiring the decentralized identity signature file of a target object from the blockchain through the decentralized identity information of the target object; traversing i-1 objects upward from the target object in the first relation chain, and taking the target object and the traversed i-1 objects as a first verification object set; acquiring the public key information of the highest-level object from the blockchain, and acquiring the target public key information of the object at the (i-1)-th level in the first verification object set based on the public key information of the highest-level object and the decentralized identity signature files associated with the first verification object set; and performing signature verification on the decentralized identity signature file of the target object through the target public key information, and performing service processing when the signature verification succeeds. The application can improve the security of the attribute data in the decentralized identity signature file.

Description

Data processing method, device, computer equipment and readable storage medium
Technical Field
The present application relates to the field of blockchain technologies, and in particular, to a data processing method, apparatus, computer device, and readable storage medium.
Background
Current blockchain systems may determine the object (e.g., object Y) that signed the decentralized identity signature file of a target object, obtain the decentralized identity information of object Y, further obtain a trusted identity list containing the decentralized identity information of one or more trusted authorities, and query the trusted identity list for the decentralized identity information of object Y. If the decentralized identity information of object Y is found in the trusted identity list, the public key information of the target trusted authority corresponding to the decentralized identity information of object Y is acquired directly, and the decentralized identity signature file of the target object is verified through the public key information of the target trusted authority. However, such systems require the target trusted authority to issue decentralized identity signature files for a large number of entity objects (e.g., target objects), so the target trusted authority inevitably holds the large amount of attribute data uploaded by those entity objects, which reduces the security of the attribute data stored in the decentralized identity signature files.
Disclosure of Invention
The embodiment of the application provides a data processing method, a data processing device, computer equipment and a readable storage medium, which can improve the security of the attribute data in a decentralized identity signature file.
In one aspect, an embodiment of the present application provides a data processing method, including:
acquiring the decentralized identity signature file of the target object from the blockchain through the decentralized identity information of the target object; the target object is an object located at the i-th level in a first relation chain of the object hierarchy network; i is an integer greater than 1 and less than or equal to n; n is the total number of levels of the object hierarchy network; the decentralized identity signature file of the object at the i-th level in the first relation chain is generated based on the private key information of the object at the (i-1)-th level in the first relation chain; the (i-1)-th level is higher than the i-th level; each object at a non-highest level has a corresponding decentralized identity signature file, the decentralized identity signature file of each such object contains that object's own public key information, and the non-highest levels are the levels other than the highest level among the n levels; the public key information of the object at the highest level and the decentralized identity signature file of each object at a non-highest level are stored in the blockchain;
Traversing i-1 objects from the target object to the upper layer in the first relation chain, and taking the target object and the traversed i-1 objects as a first verification object set; the hierarchy of objects in the first set of verification objects includes an ith hierarchy sequentially to a highest hierarchy;
acquiring public key information of an object at the highest level from a blockchain, and acquiring public key information of the object at the i-1 level in a first verification object set as target public key information based on the public key information of the object at the highest level and each decentralised identity signature file associated with the first verification object set;
and carrying out signature verification on the decentralised identity signature file of the target object through the target public key information, and carrying out service processing associated with the target object when the decentralised identity signature file of the target object is successfully subjected to signature verification.
In one aspect, an embodiment of the present application provides a data processing apparatus, including:
the file acquisition module is used for acquiring the decentralized identity signature file of the target object from the blockchain through the decentralized identity information of the target object; the target object is an object located at the i-th level in a first relation chain of the object hierarchy network; i is an integer greater than 1 and less than or equal to n; n is the total number of levels of the object hierarchy network; the decentralized identity signature file of the object at the i-th level in the first relation chain is generated based on the private key information of the object at the (i-1)-th level in the first relation chain; the (i-1)-th level is higher than the i-th level; each object at a non-highest level has a corresponding decentralized identity signature file, the decentralized identity signature file of each such object contains that object's own public key information, and the non-highest levels are the levels other than the highest level among the n levels; the public key information of the object at the highest level and the decentralized identity signature file of each object at a non-highest level are stored in the blockchain;
The object traversing module is used for traversing i-1 objects from the target object to the upper layer in the first relation chain, and taking the target object and the traversed i-1 objects as a first verification object set; the hierarchy of objects in the first set of verification objects includes an ith hierarchy sequentially to a highest hierarchy;
the public key acquisition module is used for acquiring public key information of the object at the highest level from the blockchain, and acquiring public key information of the object at the i-1 level in the first verification object set as target public key information based on the public key information of the object at the highest level and each decentralised identity signature file associated with the first verification object set;
and the signature verification module is used for carrying out signature verification on the decentralised identity signature file of the target object through the target public key information, and carrying out service processing associated with the target object when the decentralised identity signature file of the target object is successfully subjected to signature verification.
Wherein, the object traversing module comprises:
an information acquisition unit for determining an i-1 th-level object for signing the de-centralized identity signature file of the target object in the first relationship chain, and acquiring de-centralized identity information of the i-1 th-level object;
The first traversing unit is used for acquiring the de-centralized identity signature file of the i-1 th level object in the blockchain through the de-centralized identity information of the i-1 th level object if the de-centralized identity information of the i-1 th level object indicates that the i-1 th level is not the highest level, adding the target object and the i-1 th level object into the first verification object set, continuing traversing the i-2 objects from the i-1 th level object to the upper layer, and adding the traversed i-2 objects into the first verification object set;
and a second traversing unit, configured to add the target object and the object of the i-1 th hierarchy to the first verification object set if the de-centralized identity information of the object of the i-1 th hierarchy indicates that the i-1 th hierarchy is the highest hierarchy.
Wherein, public key acquisition module includes:
an object obtaining unit, configured to obtain the public key information of the object at the highest level from the blockchain, and obtain the object at the next-highest level of the first relation chain from the first verification object set; the decentralized identity signature file of the next-highest-level object is generated based on the private key information of the highest-level object;
a first determining unit, configured to determine that an object in the i-1 th hierarchy in the first verification object set is an object in the highest hierarchy if the object in the next highest hierarchy is a target object, and take public key information of the object in the highest hierarchy as target public key information;
And the second determining unit is used for carrying out signature verification on the decentralized identity signature file of the object of the next highest hierarchy through the public key information of the object of the highest hierarchy, acquiring the public key information of the object of the next highest hierarchy from the decentralized identity signature file of the object of the next highest hierarchy when the signature verification of the decentralized identity signature file of the object of the next highest hierarchy is successful, and continuing to carry out signature verification on the decentralized identity signature file of the object of the next hierarchy based on the public key information of the object of the next highest hierarchy until the public key information in the decentralized identity signature file of the object of the i-1 hierarchy in the first verification object set is acquired as target public key information.
The method comprises the steps that a decentralizing identity signature file of a next-highest-level object is generated by signing the decentralizing identity file of the next-highest-level object through private key information of the highest-level object;
the second determining unit is specifically configured to obtain an decentralized identity document of the second-highest-level object from the decentralized identity signature document of the second-highest-level object;
the second determining unit is specifically configured to obtain the public key information of the object at the next-highest level from the decentralized identity document of the object at the next-highest level.
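The upward traversal and the top-down signature walk described in the method steps and in the object obtaining and determining units above, written out as an added example; this is not code from the patent or from Tencent. Assumptions not in the page: Ed25519 signatures over a SHA-256 digest of a JSON-encoded identity file, an in-memory map standing in for the blockchain, the DIDs did:ex:root, did:ex:org, did:ex:dept and did:ex:user as a constructed four-level relation chain, and a constant maxLevels playing the role of n.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/sha256"
	"encoding/json"
	"errors"
	"fmt"
)

// DIDDocument is one object's decentralized identity file: its DID, its own
// public key and the DID of the (i-1)-th level object that signed the file.
// The highest-level object has no signed file; only its key is on chain.
type DIDDocument struct {
	DID    string `json:"did"`
	Parent string `json:"parent"`
	PubKey []byte `json:"pubKey"`
}

// SignedDIDDocument is the decentralized identity signature file: the
// document bytes plus the parent's Ed25519 signature over sha256(document).
type SignedDIDDocument struct{ Doc, Signature []byte }

// Ledger stands in for the blockchain (constructed for this example).
type Ledger struct {
	TopKeys map[string]ed25519.PublicKey // highest-level public keys by DID
	Docs    map[string]SignedDIDDocument // signature files by DID
}

const maxLevels = 8 // plays the role of n and bounds the upward traversal

// Issue is what the (i-1)-th level service node does after verifying the
// child: sign the child's identity file and write the result to the ledger.
func Issue(l *Ledger, parentDID string, parentPriv ed25519.PrivateKey, childDID string, childPub ed25519.PublicKey) {
	doc, _ := json.Marshal(DIDDocument{DID: childDID, Parent: parentDID, PubKey: childPub})
	digest := sha256.Sum256(doc)
	l.Docs[childDID] = SignedDIDDocument{Doc: doc, Signature: ed25519.Sign(parentPriv, digest[:])}
}

// collectChain is the upward traversal: follow Parent links from the target
// until the parent is a highest-level object. It returns the verification
// object set as signature files (target first) and the highest-level DID.
func collectChain(l *Ledger, target string) ([]SignedDIDDocument, string, error) {
	var set []SignedDIDDocument
	for cur, hops := target, 0; hops < maxLevels; hops++ {
		sd, ok := l.Docs[cur]
		if !ok {
			return nil, "", fmt.Errorf("no signature file on chain for %s", cur)
		}
		var d DIDDocument
		if err := json.Unmarshal(sd.Doc, &d); err != nil || d.DID != cur {
			return nil, "", fmt.Errorf("malformed signature file for %s", cur)
		}
		set = append(set, sd)
		if _, isTop := l.TopKeys[d.Parent]; isTop {
			return set, d.Parent, nil
		}
		cur = d.Parent
	}
	return nil, "", errors.New("relation chain longer than the number of levels")
}

// VerifyObject is the downward pass: starting from the highest-level key on
// chain, verify each signature file and take the key inside it as the key for
// the next level down. It returns the (i-1)-th level key (the "target public
// key information") and, once the target's own file has been verified with
// that key, the target's own public key.
func VerifyObject(l *Ledger, target string) (signerKey, ownKey ed25519.PublicKey, err error) {
	set, topDID, err := collectChain(l, target)
	if err != nil {
		return nil, nil, err
	}
	key := l.TopKeys[topDID]
	for idx := len(set) - 1; idx >= 0; idx-- { // next-highest level first, target last
		var d DIDDocument
		_ = json.Unmarshal(set[idx].Doc, &d) // parsed successfully in collectChain
		if len(d.PubKey) != ed25519.PublicKeySize { // ed25519.Verify panics on a bad key size
			return nil, nil, fmt.Errorf("%s carries a malformed public key", d.DID)
		}
		digest := sha256.Sum256(set[idx].Doc)
		if !ed25519.Verify(key, digest[:], set[idx].Signature) {
			return nil, nil, fmt.Errorf("signature check failed for %s at level %d", d.DID, len(set)+1-idx)
		}
		signerKey, key = key, ed25519.PublicKey(d.PubKey)
	}
	return signerKey, key, nil
}

// BuildFixture builds a four-level relation chain from fixed seeds
// (constructed test data): root (level 1) -> org -> dept -> user (level 4).
func BuildFixture() *Ledger {
	l := &Ledger{TopKeys: map[string]ed25519.PublicKey{}, Docs: map[string]SignedDIDDocument{}}
	key := func(b byte) ed25519.PrivateKey { return ed25519.NewKeyFromSeed(bytes.Repeat([]byte{b}, ed25519.SeedSize)) }
	root, org, dept, user := key(1), key(2), key(3), key(4)
	l.TopKeys["did:ex:root"] = root.Public().(ed25519.PublicKey)
	Issue(l, "did:ex:root", root, "did:ex:org", org.Public().(ed25519.PublicKey))
	Issue(l, "did:ex:org", org, "did:ex:dept", dept.Public().(ed25519.PublicKey))
	Issue(l, "did:ex:dept", dept, "did:ex:user", user.Public().(ed25519.PublicKey))
	return l
}

func main() {
	l := BuildFixture()
	_, _, err := VerifyObject(l, "did:ex:user")
	fmt.Println("genuine chain:", err)
	// A dept file re-signed by a key outside the chain fails at level 3, and so does everything below it.
	rogue := ed25519.NewKeyFromSeed(bytes.Repeat([]byte{9}, ed25519.SeedSize))
	Issue(l, "did:ex:org", rogue, "did:ex:dept", rogue.Public().(ed25519.PublicKey))
	_, _, err = VerifyObject(l, "did:ex:user")
	fmt.Println("after rogue re-issue:", err)
}
```

Two details matter in practice: the only key taken on trust is the highest-level key read from the chain, exactly as a certificate chain is rooted at a trust anchor, and the upward traversal is bounded by maxLevels so a crafted Parent cycle cannot spin the verifier. The key-length check before ed25519.Verify is there because the standard library panics, rather than returning false, on a key of the wrong size.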
The file acquisition module is specifically used for receiving a file issuing request sent by the target object through a target service node, and acquiring the decentralized identity information of the target object according to the file issuing request; the decentralized identity information of the target object is obtained from a verifiable identity document of the target object; the verifiable identity document of the target object is carried in the file issuing request, or is acquired from the blockchain according to the file issuing request; the verifiable identity document of the target object is issued for the target object by the service node corresponding to the object at the (i-1)-th level;
the file acquisition module is used for acquiring the decentralized identity signature file of the target object from the blockchain through the decentralized identity information of the target object.
The signature verification module is specifically configured to perform signature verification on the decentralized identity signature file of the target object through the target public key information, and to generate a concealable business claim file of the target object when the decentralized identity signature file of the target object is successfully verified;
the signature verification module is specifically used for writing the concealable business claim file into the blockchain.
The file acquisition module is specifically used for receiving an identity authentication request sent by the target object through a target service node, and acquiring a concealable business presentation signature file of the target object according to the identity authentication request; the concealable business presentation signature file is carried in the identity authentication request, or is acquired from the blockchain according to the identity authentication request; the concealable business presentation signature file is submitted to the blockchain after the target service node corresponding to the target object signs the concealable business presentation file; the concealable business presentation file is obtained by the target service node corresponding to the target object performing data processing on the concealable business claim file;
the file acquisition module is specifically used for determining the target object that signed the concealable business presentation signature file, acquiring the decentralized identity information of the target object, and acquiring the decentralized identity signature file of the target object from the blockchain through the decentralized identity information of the target object.
The signature verification module is specifically configured to perform signature verification on the decentralized identity signature file of the target object through the target public key information, and to acquire the public key information of the target object from the decentralized identity signature file of the target object when that file is successfully verified;
the signature verification module is specifically used for performing signature verification on the concealable business presentation signature file through the public key information of the target object, and obtaining the concealable business presentation file when the concealable business presentation signature file is successfully verified;
the signature verification module is specifically used for determining the authentication object that signed the concealable business claim file, acquiring the decentralized identity information of the authentication object, and acquiring the decentralized identity signature file of the authentication object from the blockchain through the decentralized identity information of the authentication object;
the signature verification module is specifically configured to perform signature verification on the decentralized identity signature file of the authentication object, and, when that file is successfully verified, to determine the validity of the concealable business claim file according to the public key information of the authentication object contained in the authentication object's decentralized identity signature file, and to verify the concealable business presentation file through the concealable business claim file whose validity has been established.
Wherein the authentication object is an object located at the j-th level in a second relation chain of the object hierarchy network; j is an integer greater than 1 and less than or equal to n; the decentralized identity signature file of the object at the j-th level in the second relation chain is generated based on the private key information of the object at the (j-1)-th level in the second relation chain; the (j-1)-th level is higher than the j-th level;
The signature verification module is specifically configured to traverse j-1 objects from the authentication object to an upper layer in the second relation chain, and take the authentication object and the traversed j-1 objects as a second verification object set; the hierarchy of objects in the second set of verification objects includes a j-th hierarchy sequentially to a highest hierarchy;
the signature verification module is specifically configured to obtain public key information of an object at a highest level from the blockchain, and obtain public key information of an object at a j-1 th level in the second verification object set as authentication public key information based on the public key information of the object at the highest level and each de-centralized identity signature file associated with the second verification object set;
the signature verification module is specifically used for carrying out signature verification on the decentralised identity signature file of the authentication object through the authentication public key information.
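The claim and presentation part of the identity authentication procedure above (the target object's service node signs a presentation of its claim; the verifier checks the presenter's key, then the key of the authentication object that issued the claim, then that the claim is valid for this presenter), as an added example that is not code from the patent or from Tencent. It also matches the VC/VP terms defined in the Detailed Description. Assumptions not in the page: Ed25519 over a SHA-256 digest, JSON encoding, a KeyResolver callback that stands in for the relation-chain verification of the previous steps (here backed by a constructed in-memory directory of fixed-seed keys for did:ex:issuer, did:ex:holder and did:ex:other), and a verifier-chosen nonce inside the presentation, which the page does not describe and is added for replay resistance.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/sha256"
	"encoding/json"
	"errors"
	"fmt"
)

// Claim is the concealable business claim (the VC): attributes that the
// authentication object (issuer) endorses for the target object (holder).
type Claim struct {
	Issuer string            `json:"issuer"`
	Holder string            `json:"holder"`
	Attrs  map[string]string `json:"attrs"`
}

// Signed is a payload, the DID of its signer and an Ed25519 signature over sha256(payload).
type Signed struct {
	Signer    string `json:"signer"`
	Payload   []byte `json:"payload"`
	Signature []byte `json:"signature"`
}

// Presentation is the concealable business presentation (the VP) before the
// holder signs it; the nonce is an addition for replay resistance.
type Presentation struct {
	VC    Signed `json:"vc"`
	Nonce string `json:"nonce"`
}

// KeyResolver returns the verified public key of a DID. In the full scheme it
// is the output of the relation-chain verification; here it is abstracted.
type KeyResolver func(did string) (ed25519.PublicKey, error)

func sign(priv ed25519.PrivateKey, signer string, payload []byte) Signed {
	d := sha256.Sum256(payload)
	return Signed{Signer: signer, Payload: payload, Signature: ed25519.Sign(priv, d[:])}
}

// open resolves the signer's key, checks the signature and returns the payload.
func open(resolve KeyResolver, s Signed) ([]byte, error) {
	pub, err := resolve(s.Signer)
	if err != nil {
		return nil, fmt.Errorf("%s: %w", s.Signer, err)
	}
	d := sha256.Sum256(s.Payload)
	if len(pub) != ed25519.PublicKeySize || !ed25519.Verify(pub, d[:], s.Signature) {
		return nil, fmt.Errorf("%s: signature invalid", s.Signer)
	}
	return s.Payload, nil
}

// IssueClaim is the issuer's service node signing attributes for the holder (VC).
func IssueClaim(issuer string, issuerPriv ed25519.PrivateKey, holder string, attrs map[string]string) Signed {
	payload, _ := json.Marshal(Claim{Issuer: issuer, Holder: holder, Attrs: attrs})
	return sign(issuerPriv, issuer, payload)
}

// Present is the holder wrapping its VC with the verifier's nonce and signing it (VP).
func Present(holder string, holderPriv ed25519.PrivateKey, vc Signed, nonce string) Signed {
	payload, _ := json.Marshal(Presentation{VC: vc, Nonce: nonce})
	return sign(holderPriv, holder, payload)
}

// VerifyPresentation follows the page's order: target object (presenter)
// first, then the authentication object (issuer), then the claim's validity,
// which here means it names exactly this issuer and this presenter.
func VerifyPresentation(resolve KeyResolver, vp Signed, expectedNonce string) (Claim, error) {
	var pres Presentation
	if payload, err := open(resolve, vp); err != nil {
		return Claim{}, err
	} else if err := json.Unmarshal(payload, &pres); err != nil {
		return Claim{}, err
	}
	if pres.Nonce != expectedNonce {
		return Claim{}, errors.New("nonce mismatch: stale or replayed presentation")
	}
	var c Claim
	if payload, err := open(resolve, pres.VC); err != nil {
		return Claim{}, err
	} else if err := json.Unmarshal(payload, &c); err != nil {
		return Claim{}, err
	}
	if c.Issuer != pres.VC.Signer || c.Holder != vp.Signer {
		return Claim{}, errors.New("claim is not bound to this issuer and presenter")
	}
	return c, nil
}

// Directory is constructed test data: fixed-seed keys for three DIDs and a
// resolver standing in for the verified on-chain keys.
func Directory() (map[string]ed25519.PrivateKey, KeyResolver) {
	privs := map[string]ed25519.PrivateKey{}
	for did, b := range map[string]byte{"did:ex:issuer": 1, "did:ex:holder": 2, "did:ex:other": 3} {
		privs[did] = ed25519.NewKeyFromSeed(bytes.Repeat([]byte{b}, ed25519.SeedSize))
	}
	return privs, func(did string) (ed25519.PublicKey, error) {
		if p, ok := privs[did]; ok {
			return p.Public().(ed25519.PublicKey), nil
		}
		return nil, errors.New("no verified key on the ledger")
	}
}

func main() {
	privs, resolve := Directory()
	vc := IssueClaim("did:ex:issuer", privs["did:ex:issuer"], "did:ex:holder", map[string]string{"role": "auditor"})
	c, err := VerifyPresentation(resolve, Present("did:ex:holder", privs["did:ex:holder"], vc, "nonce-42"), "nonce-42")
	fmt.Println("holder presents own claim:", c.Attrs["role"], err)
	_, err = VerifyPresentation(resolve, Present("did:ex:other", privs["did:ex:other"], vc, "nonce-42"), "nonce-42")
	fmt.Println("other presents holder's claim:", err)
}
```

The binding check at the end is the one most often forgotten: a VC is public data once written to the chain, so a valid presentation signature only proves that whoever holds the presenter's key signed it, and the verifier must still confirm that the claim's holder is that presenter and that its issuer is the key that actually signed it.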
The signature verification module is specifically configured to process the decentralized identity signature file of the target object with the target public key information (i.e., to apply the public key to the signature) so as to obtain the decentralized identity file of the target object and the digest information to be verified that corresponds to that file;
the signature verification module is specifically configured to perform a hash calculation on the decentralized identity file of the target object to obtain the target digest information corresponding to the decentralized identity file of the target object;
the signature verification module is specifically configured to compare the digest information to be verified with the target digest information to obtain a signature verification result;
the signature verification module is specifically configured to, if the digest information to be verified is identical to the target digest information, determine that the signature verification of the decentralized identity signature file of the target object succeeded;
the signature verification module is specifically configured to, if the digest information to be verified differs from the target digest information, determine that the signature verification of the decentralized identity signature file of the target object failed.
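The three steps above (apply the public key to the signature to recover the embedded digest, hash the identity file, compare the two) describe signature verification with digest recovery. The page names no algorithm; the added example below, which is not code from the patent or from Tencent, assumes RSA with PKCS#1 v1.5 padding and SHA-256, where that description is literally what happens. GenerateSignerKey, SignDIDDocument, RecoverDigest and VerifyByDigestCompare are names chosen here, and the identity file in main is constructed.

```go
package main

import (
	"bytes"
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/subtle"
	"errors"
	"fmt"
	"math/big"
)

// DER DigestInfo prefix for SHA-256 (RFC 8017, section 9.2, note 1).
var sha256DigestInfo = []byte{0x30, 0x31, 0x30, 0x0d, 0x06, 0x09, 0x60, 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x02, 0x01, 0x05, 0x00, 0x04, 0x20}

// GenerateSignerKey makes the issuing object's RSA key; 2048 bits is the
// smallest size a practitioner should accept today.
func GenerateSignerKey(bits int) (*rsa.PrivateKey, error) { return rsa.GenerateKey(rand.Reader, bits) }

// SignDIDDocument is the signer's side: hash the identity file, then sign the
// digest with the private key.
func SignDIDDocument(priv *rsa.PrivateKey, doc []byte) ([]byte, error) {
	h := sha256.Sum256(doc)
	return rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, h[:])
}

// RecoverDigest applies the public key to the signature (the "decrypt" step in
// the patent's wording) and strips the PKCS#1 v1.5 encoding to obtain the
// digest the signer embedded. Every structural check is strict: a signature
// with extra bytes after the digest (the classic low-exponent forgery) fails.
func RecoverDigest(pub *rsa.PublicKey, sig []byte) ([]byte, error) {
	k := (pub.N.BitLen() + 7) / 8
	if len(sig) != k {
		return nil, fmt.Errorf("signature is %d bytes, modulus is %d", len(sig), k)
	}
	s := new(big.Int).SetBytes(sig)
	if s.Cmp(pub.N) >= 0 {
		return nil, errors.New("signature not below the modulus")
	}
	em := new(big.Int).Exp(s, big.NewInt(int64(pub.E)), pub.N).FillBytes(make([]byte, k))
	// EM = 0x00 || 0x01 || PS (at least eight 0xff bytes) || 0x00 || DigestInfo || H
	if em[0] != 0x00 || em[1] != 0x01 {
		return nil, errors.New("bad block type")
	}
	i := 2
	for i < k && em[i] == 0xff {
		i++
	}
	if i < 10 || i >= k || em[i] != 0x00 {
		return nil, errors.New("bad padding string")
	}
	t := em[i+1:]
	if len(t) != len(sha256DigestInfo)+sha256.Size || !bytes.HasPrefix(t, sha256DigestInfo) {
		return nil, errors.New("unexpected DigestInfo")
	}
	return t[len(sha256DigestInfo):], nil
}

// VerifyByDigestCompare follows the page's steps: recover the digest to be
// verified from the signature, hash the identity file to get the target
// digest, and compare the two in constant time.
func VerifyByDigestCompare(pub *rsa.PublicKey, doc, sig []byte) bool {
	toVerify, err := RecoverDigest(pub, sig)
	if err != nil {
		return false
	}
	target := sha256.Sum256(doc)
	return subtle.ConstantTimeCompare(toVerify, target[:]) == 1
}

func main() {
	priv, err := GenerateSignerKey(2048)
	if err != nil {
		panic(err)
	}
	doc := []byte(`{"did":"did:ex:user","pubKey":"constructed"}`) // constructed identity file
	sig, _ := SignDIDDocument(priv, doc)
	fmt.Println("genuine file verifies:", VerifyByDigestCompare(&priv.PublicKey, doc, sig))
	tampered := append([]byte{}, doc...)
	tampered[8] ^= 0x01
	fmt.Println("tampered file verifies:", VerifyByDigestCompare(&priv.PublicKey, tampered, sig))
}
```

In production code the whole of RecoverDigest and the comparison is one call, rsa.VerifyPKCS1v15, which performs the same strict checks; the manual version is here to make the recovered-digest-versus-computed-digest comparison visible, and to show why the padding and length checks on the recovered block are not optional.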
Wherein the object hierarchy network comprises M relation chains, M being an integer greater than 1; the M relation chains include the first relation chain; each level in a relation chain includes one object; between the objects of every two adjacent levels in a relation chain there is an issuing function and a signature verification function, where the issuing function means that the higher-level object of the two adjacent levels has the authority to issue to the lower-level object, and the signature verification function means that the higher-level object of the two adjacent levels has the authority to verify the signature of the lower-level object.
Wherein the M relation chains comprise a relation chain S_k, k being a positive integer less than or equal to M; the relation chain S_k comprises a high-level object and a low-level object that are adjacent in level, the level of the high-level object being higher than that of the low-level object; the decentralized identity file of the low-level object is used to instruct the service node corresponding to the high-level object, after that node has verified the identity of the low-level object, to sign the decentralized identity file of the low-level object with the private key information of the high-level object so as to obtain the decentralized identity signature file of the low-level object, which is then written into the blockchain; the decentralized identity file of the low-level object is also used to instruct the service node corresponding to the high-level object to issue a verifiable identity document of the low-level object for the low-level object; the verifiable identity document of the low-level object carries the decentralized identity information of the low-level object; the decentralized identity signature file of the low-level object and the verifiable identity document of the low-level object are together used to instruct the service node corresponding to the high-level object to return an identity registration result to the service node corresponding to the low-level object; the identity registration result includes at least one of the decentralized identity signature file of the low-level object or the verifiable identity document of the low-level object.
In one aspect, an embodiment of the present application provides a computer device, including: a processor and a memory;
the processor is connected to the memory, wherein the memory is configured to store a computer program, and when the computer program is executed by the processor, the computer device is caused to execute the method provided by the embodiment of the application.
In one aspect, the present application provides a computer readable storage medium storing a computer program adapted to be loaded and executed by a processor, so that a computer device having the processor performs the method provided by the embodiment of the present application.
In one aspect, embodiments of the present application provide a computer program product comprising a computer program stored on a computer readable storage medium. The processor of the computer device reads the computer program from the computer-readable storage medium, and the processor executes the computer program, so that the computer device performs the method provided by the embodiment of the present application.
Therefore, the embodiment of the application provides a decentralized identity scheme based on a multi-layer architecture: it determines the first relation chain to which the target object belongs in the object hierarchy network, traverses the objects on the first relation chain upward from the target object until the highest-level object of that chain is reached, acquires the public key information of the highest-level object from the blockchain, and then verifies the decentralized identity signature files of the objects on the first relation chain level by level downward, starting from the public key information of the highest-level object, until the public key information of the object one level above the target object (namely the target public key information) is obtained. Because the decentralized identity signature file of the target object was produced by signing with the target private key information corresponding to the target public key information, that file can be verified with the target public key information, so the signature of the target object's decentralized identity signature file is verified by way of the multi-layer architecture. Issuance is thus spread across the adjacent levels of the hierarchy rather than concentrated in a single trusted authority that would hold every entity object's attribute data, which is the problem noted in the Background.
Drawings
In order to more clearly illustrate the embodiments of the present application or the technical solutions in the related art, the drawings that are required to be used in the embodiments or the related technical descriptions will be briefly described, and it is apparent that the drawings in the following description are only some embodiments of the present application, and other drawings may be obtained according to the drawings without inventive effort for those skilled in the art.
FIG. 1 is a schematic diagram of a blockchain network hierarchy provided by an embodiment of the present application;
FIG. 2 is a schematic diagram of a scenario for data interaction according to an embodiment of the present application;
FIG. 3 is a schematic flow chart of a data processing method according to an embodiment of the present application;
FIG. 4 is a schematic flow chart of a decentralizing issue and decentralizing verification provided by an embodiment of the present application;
FIG. 5 is a schematic flow chart of an embodiment of the present application for applying for decentralizing identity;
FIG. 6 is a schematic flow chart of a data processing method according to an embodiment of the present application;
FIG. 7 is a schematic diagram of a scenario for decentralizing verification provided by an embodiment of the present application;
FIG. 8 is a flow chart of a data processing method according to an embodiment of the present application;
FIG. 9 is a schematic flow chart of a data processing method according to an embodiment of the present application;
FIG. 10 is a schematic diagram of a blockchain network in accordance with an embodiment of the present application;
FIG. 11 is a schematic diagram of a data processing apparatus according to an embodiment of the present application;
FIG. 12 is a schematic structural diagram of a computer device according to an embodiment of the present application.
Detailed Description
The following description of the embodiments of the present application will be made clearly and completely with reference to the accompanying drawings, in which it is apparent that the embodiments described are only some embodiments of the present application, but not all embodiments. All other embodiments, which can be made by those skilled in the art based on the embodiments of the application without making any inventive effort, are intended to be within the scope of the application.
A verifiable claim (Verifiable Claims, VC) is a file formed when an issuer DID (DID: Decentralized Identity) endorses the attributes of a certain DID (i.e., the holder DID); a verifiable presentation (Verifiable Presentation, VP) is a file formed by the holder DID signing the VC it holds in order to present its identity to a verifier DID, so that the verifier DID can verify the correctness of the VP.
Specifically, referring to fig. 1, fig. 1 is a schematic diagram of a blockchain network hierarchy according to an embodiment of the present application. The blockchain network hierarchy as shown in fig. 1 may be applied to a blockchain system that may include a first blockchain system and a second blockchain system to form the blockchain network 2000 shown in fig. 1. Wherein the first and second blockchain systems may each include one or more nodes, the number of nodes in the first and second blockchain systems will not be limited herein. As shown in fig. 1, the first blockchain system may specifically include node 110a, node 110b, nodes 110c, …, and node 110n; the second blockchain system may specifically include node 120a, node 120b, nodes 120c, …, and node 120n.
The blockchain network corresponding to the first blockchain system may be referred to as the service network (i.e., witness network) 100a, and the nodes in the service network 100a may be referred to as service nodes; the service nodes are mainly used for executing transaction services to obtain the transaction data associated with those services. It will be appreciated that a service node need not participate in the accounting consensus, but can obtain block header data, and the block data it is authorized to see, from the core consensus network by means of identity authentication. To ensure information intercommunication within the first blockchain system, an information connection can exist between every two nodes in the first blockchain system, and information can be transmitted between the nodes through that connection.
The blockchain network corresponding to the second blockchain system may be referred to as the core consensus network (i.e., consensus network) 100b, and the nodes in the core consensus network 100b may be referred to as consensus nodes (i.e., accounting nodes), which run a blockchain consensus protocol. To ensure information intercommunication within the second blockchain system, an information connection can exist between every two nodes in the second blockchain system, and information can be transmitted between the nodes through that connection.
It will be appreciated that the connection of information in the first blockchain system and the second blockchain system is not limited to a connection manner, and may be directly or indirectly connected through a wired communication manner, may be directly or indirectly connected through a wireless communication manner, and may also be connected through other connection manners, which is not limited herein.
Optionally, the blockchain network 2000 may further include a routing proxy network for network isolation of the service network 100a and the core consensus network 100b, and the number of proxy nodes in the routing proxy network may be one or more, which is not limited in the present application. The proxy node can perform network layering on a Peer-To-Peer (P2P) network To form a layered structure (i.e., a dual-layer link structure) such as a service network-core consensus network, so that confidentiality and security of data on a blockchain can be improved.
It is understood that, in this embodiment of the present application, the proxy nodes in the routing proxy network, the service nodes in the service network 100a, and the consensus nodes in the core consensus network 100b may be collectively referred to as blockchain nodes in the blockchain network 2000. It is to be appreciated that the blockchain node can be a server that accesses the blockchain network 2000 or a terminal device that accesses the blockchain network 2000, and the particular form of the blockchain node is not limited herein.
The server may be an independent physical server, a server cluster or a distributed system formed by a plurality of physical servers, or a cloud server providing basic cloud computing services such as cloud services, cloud databases, cloud computing, cloud functions, cloud storage, network services, cloud communication, middleware services, domain name services, security services, CDNs (Content Delivery Networks), big data and artificial intelligence platforms, and the like. The terminal device may be a mobile phone, a tablet computer, a notebook computer, a palm computer, a smart speaker, a mobile internet device (MID), a POS (Point Of Sale) device, a wearable device (e.g., a smart watch, a smart bracelet, etc.), etc.
It will be appreciated that some nodes in the blockchain network 2000 shown in fig. 1 store a complete blockchain database, and such nodes containing all transaction data may be referred to as full nodes (e.g., the consensus nodes shown in fig. 1); other nodes store only part of the blockchain database, typically only the block headers and the transaction data associated with their own node rather than the complete transaction data, and verify transactions by way of "Simplified Payment Verification (SPV)"; such nodes may be referred to as lightweight nodes or SPV nodes (e.g., the service nodes shown in fig. 1).
It will be appreciated that the service network 100a and the core consensus network 100b shown in fig. 1 may be in different network environments, and in general, the service network 100a may be in a public network and the core consensus network 100b may be in a private network. Therefore, the service node is deployed in the service network 100a in the public network (i.e. public network), and the consensus node is deployed in the core consensus network 100b in the private network (i.e. private network), and both can directly perform data interaction according to the corresponding communication protocol, or indirectly perform data interaction through the routing proxy network in the case of introducing the routing proxy network.
It is to be appreciated that embodiments of the present application can bind a blockchain node for any role (e.g., physical object of a personal user, enterprise, organization, etc.) accessing blockchain network 2000. The blockchain nodes as shown in fig. 1 may have a one-to-one correspondence with corresponding roles (i.e., entity objects, abbreviated as objects in corresponding service scenarios) in the blockchain network 2000 to be accessed. The service scenarios applicable to the embodiment of the present application may include, but are not limited to, a medical scenario under a decentralised identity authentication system (i.e. DID system), a qualification checking scenario, a government service scenario, etc., and the service scenarios applicable to the embodiment of the present application will not be listed here one by one. At this time, the services in the corresponding service scenario may specifically include a medical record issuing service in the medical scenario, an insurance claim settlement service in the medical scenario, an academic proof issuing service in the qualification checking scenario, an academic checking service in the qualification checking scenario, a real estate certificate issuing service in the government scenario, a property registering service in the government scenario, and the like, where specific services in the corresponding service scenario will not be listed one by one.
Wherein it can be appreciated that the objects in the service scenario of the decentralized identity authentication system can form an object hierarchy network comprising M relationship chains, where M can be an integer greater than 1. Each level in one relationship chain comprises an object; an issuing function and a signature verification function are arranged between every two adjacent levels of objects in one relationship chain, where the issuing function means that the high-level object of the two adjacent levels has the authority to issue to the low-level object, and the signature verification function means that the high-level object of the two adjacent levels has the authority to verify the signature of the low-level object. The total number of levels of the object hierarchy network is n, where n may be an integer greater than 1; the M relationship chains may have the same total number of levels or different total numbers of levels, and the maximum of the total numbers of levels of the M relationship chains is n. Wherein the public key information of the highest-level object and the decentralised identity signature file of each non-highest-level object are stored in the blockchain, in other words, the decentralised identity signature file of the highest-level object is stored in the blockchain.
For example, the object hierarchy network may include a first relationship chain and a second relationship chain, the first relationship chain may include a first object (for ease of understanding, the first object may be referred to as a target object) and a second object and a third object, the second relationship chain may include a fourth object, the first object and the second object are objects of adjacent two levels in the first relationship chain, the second object and the third object are objects of adjacent two levels in the first relationship chain, the third object has a higher level than the second object, the second object has a higher level than the first object, the de-centralized identity signature file of the second object is generated based on private key information of the third object, and the de-centralized identity signature file of the first object is generated based on private key information of the second object. For ease of understanding, the blockchain node corresponding to the first object may be referred to as a first service node (for ease of understanding, the first service node may be referred to as a target service node) in the embodiment of the present application, for example, the first service node may be a node 110a in the service network; in the embodiment of the present application, the blockchain node corresponding to the second object may be referred to as a second service node, for example, the second service node may be the node 110b in the service network; in the embodiment of the present application, the blockchain node corresponding to the third object may be referred to as a third service node, for example, the third service node may be the node 110c in the service network; the embodiment of the present application may refer to the blockchain node corresponding to the fourth object as a fourth service node, for example, the fourth service node may be the node 110d in the service network.
It will be appreciated that the first object may send a service request (e.g., a file issuance request, an identity authentication request, etc.) to the fourth object, so that the fourth object may traverse upwards from the first object in the first relationship chain and take the target object together with all traversed objects (including the second object and the third object) as a verification object set (i.e., a first verification object set); for ease of understanding, the third object is taken as the object at the highest level in the first relationship chain. Therefore, the fourth object can acquire the public key information of the third object from the blockchain, perform signature verification on the decentralized identity signature file of the second object acquired from the blockchain using the public key information of the third object, acquire the public key information of the second object from the decentralized identity signature file of the second object when that verification succeeds, then perform signature verification on the decentralized identity signature file of the first object acquired from the blockchain using the public key information of the second object, and perform the service processing associated with the first object when the verification of the decentralized identity signature file of the first object succeeds.
For example, under the medical record issuing service of the medical scenario, the first object may be a patient visiting a hospital (e.g., patient Y1), the second object may be a trusted authority that performs identity authentication for patient Y1 (e.g., authority B1), the third object may be a trusted authority that performs identity authentication for authority B1 (e.g., authority C1), and the fourth object may be the hospital visited by patient Y1 (e.g., hospital D1). Specifically, the first object (e.g., patient Y1) may send a file issuance request (e.g., a medical record issuance request) to the fourth object (e.g., hospital D1), so that when the decentralized identity signature file of the first object is verified successfully, the fourth service node can generate the electronic medical record corresponding to the medical record issuance request according to the visit records of patient Y1 in the medical system.
For another example, under the insurance claim settlement service of the medical scenario, the first object may be a patient (e.g., patient Y2), the second object may be a trusted authority that performs identity authentication for patient Y2 (e.g., authority B2), the third object may be a trusted authority that performs identity authentication for authority B2 (e.g., authority C2), and the fourth object may be an insurance agency (e.g., agency D2). Specifically, the first object (e.g., patient Y2) may send an identity authentication request (e.g., an insurance claim settlement request) to the fourth object (e.g., agency D2), so that when the decentralized identity signature file of the first object is verified successfully, the fourth service node can generate a claim notice corresponding to the insurance claim settlement request according to the electronic medical record of the first object. After agency D2 passes the verification, patient Y2 may be notified to proceed with the claim.
For another example, under the academic proof issuing service of the qualification verification scenario described above, the first object may be a student applying for a degree certificate (e.g., student Y3), the second object may be a trusted authority that performs identity authentication for student Y3 (e.g., authority B3), the third object may be a trusted authority that performs identity authentication for authority B3 (e.g., authority C3), and the fourth object may be the school that issues the degree to student Y3 (e.g., school D3). Specifically, the first object (e.g., student Y3) may send a file issuance request (e.g., an academic proof issuance request) to the fourth object (e.g., school D3), so that when the decentralized identity signature file of the first object is verified successfully, the fourth service node can generate an electronic academic proof corresponding to the academic proof issuance request according to the course scores and other records of student Y3 in the academic system.
For another example, under the academic verification service of the qualification verification scenario described above, the first object may be a staff member (e.g., staff member Y4), the second object may be a trusted authority that performs identity authentication for staff member Y4 (e.g., authority B4), the third object may be a trusted authority that performs identity authentication for authority B4 (e.g., authority C4), and the fourth object may be the enterprise performing the academic verification for staff member Y4 (e.g., enterprise D4). Specifically, the first object (e.g., staff member Y4) may send an identity authentication request (e.g., an academic verification request) to the fourth object (e.g., enterprise D4), so that when the decentralized identity signature file of the first object is verified successfully, the fourth service node can generate a qualification verification result corresponding to the academic verification according to the electronic academic proof of the first object. After enterprise D4 passes the verification, staff member Y4 may be notified to proceed to work.
For another example, under the real estate certificate issuing service of the government scenario, the first object may be a buyer (e.g., buyer Y5), the second object may be a trusted authority that performs identity authentication for buyer Y5 (e.g., authority B5), the third object may be a trusted authority that performs identity authentication for authority B5 (e.g., authority C5), and the fourth object may be the government agency that issues the electronic real estate certificate (e.g., agency D5). Specifically, the first object (e.g., buyer Y5) may send a file issuance request (e.g., a real estate certificate issuance request) to the fourth object (e.g., agency D5), so that when the decentralized identity signature file of the first object is verified successfully, the fourth service node can generate an electronic real estate certificate corresponding to the real estate certificate issuance request.
For another example, under the title registration service of the government scenario described above, the first object may be a buyer (e.g., buyer Y6), the second object may be a trusted authority that performs identity authentication for buyer Y6 (e.g., authority B6), the third object may be a trusted authority that performs identity authentication for authority B6 (e.g., authority C6), and the fourth object may be a government agency (e.g., agency D6). Specifically, the first object (e.g., buyer Y6) may send a file issuance request (e.g., a title registration request) to the fourth object (e.g., agency D6), so that when the decentralized identity signature file of the first object is verified successfully, the fourth service node can generate a title registration result corresponding to the title registration request according to the electronic real estate certificate of the first object. After agency D6 passes the verification, buyer Y6 may be notified to proceed with the title registration.
For ease of understanding, fig. 2 is a schematic diagram of a scenario for performing data interaction according to an embodiment of the present application, where, as shown in fig. 2, service node 20a, service node 20b, service node 20c, and service node 20d may be any one node in service network 100a according to the embodiment of fig. 1. For ease of understanding, the embodiment of the present application uses the service node 20a as the first service node, the service node 20b as the second service node, the service node 20c as the third service node, and the service node 20d as the fourth service node, to illustrate a specific process of data interaction between the service node 20a, the service node 20b, the service node 20c, and the service node 20d shown in fig. 2. The object corresponding to the service node 20a may be a first object, the object corresponding to the service node 20b may be a second object, the object corresponding to the service node 20c may be a third object, and the object corresponding to the service node 20d may be a fourth object.
As shown in fig. 2, service node 20a may send the decentralized identity file of the first object to service node 20b, so that service node 20b may issue a verifiable identity document for the first object, which is then written to the blockchain by a consensus node in the core consensus network (e.g., core consensus network 100b). At the same time, service node 20b may perform signature processing on the decentralized identity file of the first object to obtain a decentralized identity signature file of the first object, and further write the decentralized identity signature file of the first object to the blockchain through a consensus node in the core consensus network (e.g., core consensus network 100b). Optionally, service node 20b may return the decentralized identity signature file of the first object to service node 20a, or need not return it; likewise, service node 20b may return the verifiable identity document of the first object to service node 20a, or need not return it.
For ease of understanding, the embodiment of the present application is described by taking the second object corresponding to service node 20b and the third object corresponding to service node 20c as objects at adjacent levels. Similarly, service node 20b may send the decentralized identity file of the second object to service node 20c, so that service node 20c may issue a verifiable identity document for the second object and further write the verifiable identity document of the second object into the blockchain through a consensus node in the core consensus network. Meanwhile, service node 20c may perform signature processing on the decentralized identity file of the second object to obtain a decentralized identity signature file of the second object, and further write the decentralized identity signature file of the second object into the blockchain through a consensus node in the core consensus network. Optionally, service node 20c may return the decentralized identity signature file of the second object to service node 20b, or need not return it; likewise, service node 20c may return the verifiable identity document of the second object to service node 20b, or need not return it.
Further, service node 20a may send a service request (e.g., a file issuance request, an identity authentication request, etc.) to service node 20d, and service node 20d may obtain the decentralized identity information of the first object (i.e., the target object) according to the service request, and obtain the decentralized identity signature file of the first object (i.e., decentralized identity signature file 23a) from the blockchain through the decentralized identity information of the first object. Further, service node 20d may determine the second object (i.e., object 21a) that signed the decentralized identity signature file 23a, obtain the decentralized identity information of the second object, and obtain the decentralized identity signature file of the second object (i.e., decentralized identity signature file 23b) from the blockchain through the decentralized identity information of the second object. Further, service node 20d may determine the third object (i.e., object 21b) that signed the decentralized identity signature file 23b, obtain the decentralized identity information of the third object, and obtain the public key information of the third object (i.e., public key information 23c) from the blockchain through the decentralized identity information of the third object.
Among them, it is understood that the first object (i.e., the target object), the second object (i.e., object 21a), and the third object (i.e., object 21b) may together constitute the first verification object set, and the second object and the third object are the objects traversed upwards from the first object. The first object may be the object at the ith level, the second object the object at the (i-1)th level, and the third object the object at the (i-2)th level; here i is equal to 3 for example, so the first object is the object at the 3rd level, the second object the object at the 2nd level, and the third object the object at the 1st level.
As shown in fig. 2, service node 20d may obtain the public key information of the object at the (i-1)th level in the first verification object set (i.e., the public key information of the second object) based on the public key information of the object at the highest level (i.e., public key information 23c) and each decentralized identity signature file associated with the first verification object set (e.g., decentralized identity signature file 23b). Specifically, service node 20d may obtain the public key information 23c of the third object from the blockchain, perform signature verification on the decentralized identity signature file 23b of the second object using the public key information 23c, and obtain the public key information of the second object (i.e., public key information 23d) from the decentralized identity signature file 23b when the signature verification of the decentralized identity signature file 23b succeeds. Here, the public key information 23d is the target public key information.
Further, as shown in fig. 2, the service node 20d may perform signature verification on the decentralized identity signature file 23a of the first object through the public key information 23d, and perform service processing associated with the target object when the signature verification of the decentralized identity signature file 23a of the first object is successful. Wherein the service processing performed by service node 20d is different depending on the service request sent by service node 20 a.
Therefore, the embodiment of the present application can acquire the target public key information of the object that signed the decentralised identity signature file of the target object from the decentralised identity signature files of the objects between the target object and the highest-level object together with the public key information of the highest-level object, and then perform signature verification on the decentralised identity signature file of the target object using the target public key information; in this way signature verification of the decentralised identity signature file of the target object is carried out through a multi-layer architecture. Correspondingly, the embodiment of the present application can realize the issuing of decentralised identity signature files through a multi-layer architecture, thereby ensuring that the attribute data of an entity object (for example, the target object) are not all held by the same object (for example, in the present application the attribute data of the target object are held by the object 21a, and the attribute data of the object 21a are held by the object 21b), and further improving the security of the attribute data in the decentralised identity signature file.
Further, referring to fig. 3, fig. 3 is a flow chart of a data processing method according to an embodiment of the application. The method may be performed by a service node in a blockchain network, which may be a server accessed into the service network or a terminal device accessed into the service network, and the specific form of the service node is not limited herein. The service node may be any of the nodes in the service network 100a shown in fig. 1, e.g., the node 110a. Wherein, the data processing method may comprise the steps of:
Step S101, sending the decentralized identity file of the low-level object to the service node corresponding to the high-level object;
wherein the object hierarchy network may include M relationship chains, where M may be an integer greater than 1; the M relationship chains may include a relationship chain S_k, where k may be a positive integer less than or equal to M. Wherein the relationship chain S_k comprises a high-level object and a low-level object at two adjacent levels, the level of the high-level object being higher than the level of the low-level object; the high-level object and the low-level object may be any two objects in the relationship chain S_k that satisfy this level relationship. In the present application, the smaller the level value, the higher the level, i.e., the level value of a higher-level object is smaller than that of a lower-level object, and the first level represents the highest level; for example, the level of the object at the (i-1)th level is higher than the level of the object at the ith level.
It may be understood that the decentralized identity document of the low-level object is used to instruct the service node corresponding to the high-level object to sign the decentralized identity document of the low-level object through the private key information of the high-level object after the low-level object is authenticated (i.e., the decentralized identity document of the low-level object is signed through the decentralized identity document of the high-level object), so as to obtain the decentralized identity signature document of the low-level object, where the decentralized identity signature document of the low-level object is used to be written into the blockchain, in other words, after the service node corresponding to the high-level object generates the decentralized identity signature document of the low-level object, the decentralized identity signature document of the low-level object may be written into the blockchain. The private key information of each hierarchical object is stored by the corresponding service node.
Optionally, the decentralized identity file of the low-level object is further used to instruct the service node corresponding to the high-level object to issue a verifiable identity document of the low-level object for the low-level object according to the decentralized identity file of the low-level object, and the verifiable identity document of the low-level object is to be written into the blockchain; in other words, after the service node corresponding to the high-level object generates the verifiable identity document of the low-level object, it can write that document into the blockchain, where the verifiable identity document of the low-level object indicates that the decentralized identity signature file of the low-level object can be verified. The verifiable identity document of the low-level object carries the decentralised identity information of the low-level object, and the verifiable identity document is a VC file for proving the identity of the low-level object.
Therefore, the de-centralized identity signature file of the low-level object and the verifiable identity document of the low-level object are used together to instruct the service node corresponding to the high-level object to return an identity registration result to the service node corresponding to the low-level object; the identity registration result includes at least one of a de-centralized identity signature file of the low-level object or a verifiable identity document of the low-level object.
Wherein, it can be understood that the identity registration result can include a de-centralized identity signature file of the low-level object; alternatively, the identity registration result may include a de-centralized identity signature file of the low-level object and a verifiable identity document of the low-level object; alternatively, the identity registration result may include a verifiable identification document of the low-level object.
Step S102, receiving an identity registration result returned by the service node corresponding to the high-level object.
The service node corresponding to the low-level object may send the decentralized identity file of the low-level object to the service node corresponding to the high-level object, and the service node corresponding to the low-level object may receive an identity registration result returned by the service node corresponding to the high-level object (i.e., an identity registration result of the low-level object), where the identity registration result is used to indicate that the low-level object has the capability of issuing the decentralized identity file.
Similarly, if the low-level object is not the lowest-level object of the relationship chain S_k, the low-level object can act as a new high-level object, receive the decentralized identity file of a new low-level object sent by that new low-level object, and then return an identity registration result corresponding to the new low-level object to the service node corresponding to the new low-level object.
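The following Go program is an added example (not code from the patent or its applicant) that puts steps S101 and S102 together with the fourth object's verification from the fig. 2 description: the root authority's public key is the only value trusted a priori, each higher-level object signs the DID document of the level below, and the verifier walks up from the target to the root and then verifies downwards. The in-memory ledger, the DID strings, the JSON document layout and Ed25519 as the signature scheme are assumptions made here; the level-count bound is a check that the text's total level count n suggests but does not spell out.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"encoding/json"
	"errors"
	"fmt"
)

// DIDDocument is the constructed layout of an object's decentralized identity file.
type DIDDocument struct {
	DID       string `json:"did"`
	PublicKey []byte `json:"publicKey"` // public key information bound to the DID
}

// SignedDIDDocument is the decentralized identity signature file written to the chain.
type SignedDIDDocument struct {
	Doc       DIDDocument `json:"doc"`
	SignerDID string      `json:"signerDid"` // DID of the higher-level object that signed
	Signature []byte      `json:"signature"` // signer's signature over the JSON of Doc
}

// Ledger stands in for the blockchain (assumption): only the highest-level object's
// public key is stored as the trust root; every other object is a signed DID document.
type Ledger struct {
	RootDID    string
	RootPubKey ed25519.PublicKey
	Signed     map[string]SignedDIDDocument // keyed by the DID of the signed object
}

// Object is one service node's local state; its private key never leaves the node.
type Object struct {
	DID  string
	priv ed25519.PrivateKey
}

func NewObject(did string) *Object {
	_, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return &Object{DID: did, priv: priv}
}

func (o *Object) Document() DIDDocument {
	return DIDDocument{DID: o.DID, PublicKey: o.priv.Public().(ed25519.PublicKey)}
}

// Issue is steps S101/S102 seen from the high-level object: after the low-level object
// has been authenticated (out of scope here), sign its DID document and write the result.
func (o *Object) Issue(l *Ledger, low DIDDocument) {
	msg, _ := json.Marshal(low) // the exact bytes that are signed and later verified
	l.Signed[low.DID] = SignedDIDDocument{Doc: low, SignerDID: o.DID, Signature: ed25519.Sign(o.priv, msg)}
}

// VerifyChain is the fourth object's check from fig. 2: walk up from the target to the
// trust root to collect the verification object set, then verify downwards, taking each
// verified document's key as the key for the next level. maxLevels is the hierarchy's
// total level count n; it bounds the walk so a looping signer chain cannot stall us.
func VerifyChain(l *Ledger, targetDID string, maxLevels int) (ed25519.PublicKey, error) {
	var chain []SignedDIDDocument
	for did := targetDID; did != l.RootDID; {
		if len(chain) >= maxLevels-1 {
			return nil, errors.New("relationship chain exceeds the maximum level count")
		}
		sd, ok := l.Signed[did]
		if !ok || sd.Doc.DID != did {
			return nil, fmt.Errorf("no valid signature file on chain for %s", did)
		}
		chain = append(chain, sd)
		did = sd.SignerDID
	}
	pub := l.RootPubKey // the only key trusted a priori
	for i := len(chain) - 1; i >= 0; i-- {
		sd := chain[i]
		msg, _ := json.Marshal(sd.Doc)
		if len(pub) != ed25519.PublicKeySize || !ed25519.Verify(pub, msg, sd.Signature) {
			return nil, fmt.Errorf("signature on %s by %s does not verify", sd.Doc.DID, sd.SignerDID)
		}
		pub = ed25519.PublicKey(sd.Doc.PublicKey) // trust flows one level down
	}
	return pub, nil // the page's "target public key information"
}

// BuildExample constructs the page's medical example: root authority C1 issues for
// authority B1, and B1 issues for patient Y1 (all DIDs are made up here).
func BuildExample() (*Ledger, *Object, *Object, *Object) {
	c1, b1, y1 := NewObject("did:example:C1"), NewObject("did:example:B1"), NewObject("did:example:Y1")
	l := &Ledger{RootDID: c1.DID, RootPubKey: c1.Document().PublicKey, Signed: map[string]SignedDIDDocument{}}
	c1.Issue(l, b1.Document())
	b1.Issue(l, y1.Document())
	return l, c1, b1, y1
}

func main() {
	l, _, _, y1 := BuildExample()
	pub, err := VerifyChain(l, y1.DID, 3)
	fmt.Println("Y1 verified:", err == nil && bytes.Equal(pub, y1.Document().PublicKey))
}
```

A document whose signer is not itself anchored to the root, or whose public key was altered after signing, fails the downward pass even though it is present on the ledger.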
For ease of understanding, please refer to fig. 4, fig. 4 is a schematic flow chart of the decentralizing issue and the decentralizing verification according to an embodiment of the present application. The object hierarchy network as shown in fig. 4 may include M relationship chains, here illustrated by way of example with M equal to 3, and the 3 relationship chains may specifically include: a first relationship chain constituted by the object 43a, the object 41a, and the object 41b, a second relationship chain constituted by the object 43a, the object 40a, and the object 40b, and a third relationship chain constituted by the object 43a, the object 42a, and the object 42 b.
Wherein, the object 43a shown in fig. 4 may be the highest-level object in the first relationship chain, the object 43a may be the highest-level object in the second relationship chain, the object 43a may be the highest-level object in the third relationship chain, in other words, the object 43a is the highest-level object in the object hierarchy network, which indicates that the number of the highest-level objects may be one. Alternatively, the M relationship chains may also correspond to different objects of the highest hierarchy, respectively, which means that the number of objects of the highest hierarchy may be at least two. For ease of understanding, the embodiment of the present application will be described by taking the number of objects at the highest hierarchy as one example.
As shown in fig. 4, if the object 43a is a high-level object, the object 40a may be a low-level object; alternatively, if the object 43a is a high-level object, the object 41a may be a low-level object; alternatively, if the object 43a is a high-level object, the object 42a may be a low-level object. Similarly, if the object 40a is a high-level object, the object 40b may be a low-level object; if object 41a is a high-level object, object 41b may be a low-level object; if object 42a is a high-level object, object 42b may be a low-level object.
It is understood that, as shown in fig. 4, the object 40a and the object 40b may be objects of the same type, the object 41a and the object 41b may be objects of the same type, and the object 42a and the object 42b may be objects of the same type. For example, object 40a may be an educational bureau and object 40b may be a university; object 42a may be an industrial and commercial bureau and object 42b may be an enterprise; object 41a may be a trusted authority and object 41b may be a user.
Therefore, in the embodiment of the present application, a trusted third party authority (for example, the object 43a in the embodiment corresponding to fig. 4, which may also be referred to as the total trusted authority) needs to sign the DID documents (i.e., the DID files) of each large top-level DID user (for example, the object 40a, the object 41a, and the object 42a in the embodiment corresponding to fig. 4), i.e., issue their DIDs (in this role the signing object may also be referred to as the DID issuing authority), and indicate the public key information of the DID (for example, the public key information of the signature key and the public key information of the recovery key) in the DID documents, so that the DID Document and the specific public key information are bound to each other; the authenticated DID documents (i.e., the decentralized identity signature files, also called DID signature files) may then be stored on the chain. Each large top-level organization in turn signs the DID documents of its lower-level organizations (e.g., the object 40b, the object 41b, and the object 42b in the embodiment corresponding to fig. 4) respectively (i.e., DID certificates are issued downward, level by level, on the basis of the DID already issued to the signer), stores the authenticated DID documents (i.e., the decentralized identity signature files and DID signature files) on the chain respectively, and in this manner user DID identities are issued from top to bottom and the chain of trust is passed down. Since the public key information of the object at the highest level is trusted, the embodiment of the application can realize privacy protection in the process of data authorization and data transmission.
It should be appreciated that the same object may issue a decentralized identity document for multiple objects, e.g., an educational bureau may issue for multiple universities, an industrial and commercial bureau may issue for multiple enterprises, and a trusted authority may issue for multiple users. Therefore, the same object can be located in multiple relation chains of the object hierarchy network, multiple paths for traversing the object downwards can exist, and the path for traversing the object upwards is unique, namely, the decentralised identity file of one object cannot be issued by multiple objects.
For ease of understanding, the specific process of data interaction between a service node corresponding to a low-level object (for example, the object 41b shown in fig. 4) and a service node corresponding to a high-level object (for example, the object 41a shown in fig. 4) may refer to fig. 5; fig. 5 is a schematic flow chart of applying for a decentralized identity according to an embodiment of the present application. The service node 50a shown in fig. 5 may be the service node corresponding to the low-level object, and the service node 50b shown in fig. 5 may be the service node corresponding to the high-level object.
As shown in fig. 5, the service node 50a may perform step S11, transmitting the decentralized identity file of the low-level object to the service node 50b; the decentralized identity file of the low-level object may include the basic identity information of the low-level object (i.e., the object identity information of the low-level object), the decentralized identity information associated with that basic identity information, and the public key information of the low-level object.
As shown in fig. 5, after receiving the decentralized identity file of the low-level object, the service node 50b may perform step S12, verifying the identity of the low-level object and signing the decentralized identity information of the low-level object. At this time, the service node 50b may sign the decentralized identity file submitted by the low-level object using the private key information of the high-level object, resulting in the decentralized identity signature file of the low-level object. The service node 50b may verify the identity of the low-level object by means of offline identity authentication or online identity authentication.
Offline identity authentication here means that the high-level object notifies the low-level object to carry out an offline identity comparison in order to confirm the reliability of the identity of the low-level object. For example, the service node 50b corresponding to the high-level object may send an offline authentication notification to the low-level object, so that the low-level object performs a manual comparison within a predetermined time according to the content recorded in the offline authentication notification, and the identity of the low-level object is then verified according to the result of the manual comparison. Optionally, in order to improve service processing efficiency, the embodiment of the application may also authenticate the low-level object by means of online identity authentication.
Optionally, the service node 50a may generate, from the decentralized identity file of the low-level object, a file registration request to be submitted to the service node 50b corresponding to the high-level object, and then send the file registration request to the service node 50b; the file registration request carries the decentralized identity file of the low-level object and is used to instruct the service node 50b shown in fig. 5 to execute step S12.
Further, as shown in fig. 5, the service node 50b may perform step S13, sending an on-chain storage request (uplink request) to the consensus node located in the core consensus network shown in fig. 5; the request asks the consensus node shown in fig. 5 to store the decentralized identity file of the low-level object, as signed by the high-level object, in the blockchain. Further, the service node 50b may perform step S14, receiving the blockchain storage result returned by the consensus node for the on-chain storage request. It will be appreciated that the blockchain storage result here may be used to indicate that the consensus nodes in the core consensus network have successfully stored the decentralized identity signature file of the low-level object in the blockchain. At this time, the service node 50b may perform step S15, returning the identity registration result for the above-mentioned file registration request to the service node 50a.
Therefore, in the embodiment of the application, the service node corresponding to the low-level object sends the decentralized identity document of the low-level object to the service node corresponding to the high-level object, so that the service node corresponding to the high-level object can sign the decentralized identity document of the low-level object to obtain the signed decentralized identity document of the low-level object (namely the decentralized identity signature document of the low-level object); meanwhile, the service node corresponding to the high-level object can generate the verifiable identity document of the low-level object and, based on the verifiable identity document and the decentralized identity signature document of the low-level object, return the identity registration result to the service node corresponding to the low-level object. In this way, the embodiment of the application can combine the non-tamperability of the blockchain, store on the chain the DID public key information corresponding to the object (i.e., the public key information in the decentralized identity document), issue the identity of the object (or the DID) by level through the DID total key (i.e., the public key information of the object at the highest level) of the authoritative DID authentication mechanism (e.g., the object 43a in the embodiment corresponding to fig. 4), after which each issuing authority in turn passes the chain of trust downward, thereby implementing decentralized identity issuance and autonomous identity control.
Further, referring to fig. 6, fig. 6 is a flow chart of a data processing method according to an embodiment of the application. The method may be performed by a service node (e.g., a fourth service node) in the blockchain network, which may be a server accessed into the service network or a terminal device accessed into the service network, and the specific form of the service node is not limited herein. The service node may be any of the nodes in the service network 100a shown in fig. 1, e.g., the node 110a. Wherein, the data processing method may comprise the steps of:
step S201, obtaining a decentralised identity signature file of a target object from a blockchain through decentralised identity information of the target object;
The target object refers to the object at the i-th level in the first relationship chain of the object hierarchy network, where i is an integer greater than 1 and less than or equal to n; n is the total number of levels of the object hierarchy network, and the first relationship chain may be any one of the M relationship chains of the object hierarchy network. The decentralized identity signature file of the i-th level object in the first relationship chain is generated based on the private key information of the (i-1)-th level object in the first relationship chain, the (i-1)-th level being higher than the i-th level. Each non-highest-level object has a corresponding decentralized identity signature file, the decentralized identity signature file of each non-highest-level object contains the public key information belonging to that object, and a non-highest level is any level other than the highest level among the n levels. The public key information of the highest-level object and the decentralized identity signature file of each non-highest-level object are stored in the blockchain.
The decentralized identity information may be DID information; the DID information may be a readable string representing a user identity. The decentralized identity information may also be referred to as a DID identifier, which may be used to index a decentralized identity signature file: one DID identifier corresponds to one DID file (DID Document) and to one decentralized identity signature file.
Step S202, traversing i-1 objects from a target object to an upper layer in a first relation chain, and taking the target object and the traversed i-1 objects as a first verification object set;
specifically, an i-1 level object used for signing the decentralised identity signature file of the target object is determined in the first relation chain, and decentralised identity information of the i-1 level object is obtained. Further, if the de-centralized identity information of the i-1 th level object indicates that the i-1 th level is not the highest level, acquiring a de-centralized identity signature file of the i-1 th level object in the blockchain through the de-centralized identity information of the i-1 th level object, adding the target object and the i-1 th level object to the first verification object set, continuing traversing the i-2 objects from the i-1 th level object to the upper layer, and adding the traversed i-2 objects to the first verification object set. Wherein the hierarchy of objects in the first set of verification objects comprises an ith hierarchy in turn to a highest hierarchy. For example, referring back to FIG. 4, if the target object is the object 40b, the object of the i-1 th hierarchy is the object 40a, i.e. the i-1 th hierarchy is the non-highest hierarchy.
Optionally, if the de-centralized identity information of the i-1 th hierarchical object indicates that the i-1 th hierarchical object is the highest hierarchical object, then the target object and the i-1 th hierarchical object are added to the first set of verification objects. Wherein the hierarchy of objects in the first set of verification objects comprises an ith hierarchy in turn to a highest hierarchy. For example, referring back to FIG. 4, if the target object is the object 40a, the object of the i-1 th hierarchy is the object 43a, i.e. the i-1 th hierarchy is the highest hierarchy.
For a specific process of traversing i-2 objects from the object of the i-1 th hierarchy to the upper layer, refer to the description of traversing i-1 objects from the target object, which will not be described herein.
Step S203, obtaining public key information of the object at the highest level from the blockchain, and obtaining public key information of the object at the i-1 level in the first verification object set as target public key information based on the public key information of the object at the highest level and each decentralised identity signature file associated with the first verification object set;
Specifically, the public key information of the highest-level object is obtained from the blockchain, and the next-highest-level object of the first relationship chain is obtained from the first verification object set. The public key information of the highest-level object is obtained from the decentralized identity file of the highest-level object, which is stored directly in the blockchain. The decentralized identity signature file of the next-highest-level object is generated based on the private key information of the highest-level object. The next-highest-level object and the highest-level object are objects of adjacent levels in the first relationship chain, and the level of the highest-level object is higher than the level of the next-highest-level object. Further, if the next-highest-level object is the target object, it is determined that the (i-1)-th level object in the first verification object set is the highest-level object, and the public key information of the highest-level object is taken as the target public key information.
Optionally, if the object at the next highest hierarchy is not the target object, performing signature verification on the decentralized identity signature file of the object at the next highest hierarchy through public key information of the object at the highest hierarchy, and when the signature verification of the decentralized identity signature file of the object at the next highest hierarchy is successful, acquiring public key information of the object at the next highest hierarchy from the decentralized identity signature file of the object at the next highest hierarchy, and continuing to perform signature verification on the decentralized identity signature file of the object at the next highest hierarchy based on the public key information of the object at the next highest hierarchy until the public key information in the decentralized identity signature file of the object at the i-1 hierarchy in the first verification object set is acquired as the target public key information.
The decentralized identity signature file of the next-highest-level object is generated by signing the decentralized identity file of the next-highest-level object with the private key information of the highest-level object. The specific process of obtaining the public key information of the next-highest-level object from its decentralized identity signature file may be described as follows: the decentralized identity file of the next-highest-level object is obtained from the decentralized identity signature file of the next-highest-level object, and the public key information of the next-highest-level object is then obtained from that decentralized identity file. The decentralized identity file of the next-highest-level object is obtained by decrypting the decentralized identity signature file of the next-highest-level object with the public key information of the highest-level object, and may comprise the public key information and the decentralized identity information of the next-highest-level object.
The specific process of performing signature verification on the decentralized identity signature file of the next-level object (i.e., the object whose level is directly below the next-highest-level object in the first relationship chain) based on the public key information of the next-highest-level object may refer to the description of performing signature verification on the decentralized identity signature file of the next-highest-level object based on the public key information of the highest-level object, which will not be repeated here.
Step S204, signature verification is carried out on the decentralised identity signature file of the target object through the target public key information, and business processing associated with the target object is carried out when the decentralised identity signature file of the target object is successfully verified.
Specifically, the decentralized identity signature file of the target object is decrypted with the target public key information, obtaining the decentralized identity file of the target object and the digest information to be verified corresponding to it. Further, a hash calculation is carried out on the decentralized identity file of the target object, obtaining the target digest information corresponding to the decentralized identity file of the target object. Further, the digest information to be verified is compared with the target digest information to obtain the signature verification result. If the digest information to be verified is the same as the target digest information, the signature verification result indicates that the signature verification of the decentralized identity signature file of the target object succeeded (i.e., the identity of the target object is confirmed). Optionally, if the digest information to be verified and the target digest information differ, the signature verification result indicates that the signature verification of the decentralized identity signature file of the target object failed (i.e., the identity of the target object is not confirmed). Further, when the signature verification of the decentralized identity signature file of the target object succeeds, the business processing associated with the target object is performed.
Correspondingly, the service node corresponding to the (i-1)-th level object can sign the decentralized identity file of the target object with the private key information of the (i-1)-th level object as follows: a hash calculation is carried out on the decentralized identity file of the target object to obtain the digest information to be verified corresponding to the decentralized identity file of the target object. Further, the decentralized identity file of the target object and the digest information to be verified corresponding to it are encrypted with the private key information of the (i-1)-th level object, so as to obtain the decentralized identity signature file of the target object.
Optionally, the decentralized identity file of the target object and the encrypted file corresponding to the decentralized identity file of the target object are obtained from the decentralized identity signature file of the target object. In other words, the decentralized identity signature file of the target object may include the decentralized identity file of the target object and an encrypted file corresponding to that decentralized identity file. Further, the encrypted file corresponding to the decentralized identity file of the target object is decrypted with the target public key information, obtaining the digest information to be verified corresponding to the decentralized identity file of the target object. Further, a hash calculation is carried out on the decentralized identity file of the target object, obtaining the target digest information corresponding to the decentralized identity file of the target object. Further, the digest information to be verified is compared with the target digest information to obtain the signature verification result. If the digest information to be verified is the same as the target digest information, the signature verification result indicates that the signature verification of the decentralized identity signature file of the target object succeeded. Optionally, if the digest information to be verified and the target digest information differ, the signature verification result indicates that the signature verification of the decentralized identity signature file of the target object failed. Further, when the signature verification of the decentralized identity signature file of the target object succeeds, the business processing associated with the target object is performed.
Correspondingly, optionally, the service node corresponding to the (i-1)-th level object may sign the decentralized identity file of the target object with the private key information of the (i-1)-th level object as follows: a hash calculation is carried out on the decentralized identity file of the target object to obtain the digest information to be verified corresponding to the decentralized identity file of the target object. Further, the digest information to be verified corresponding to the decentralized identity file of the target object is encrypted with the private key information of the (i-1)-th level object, obtaining the encrypted file corresponding to the decentralized identity file of the target object. Further, the decentralized identity file of the target object together with the encrypted file corresponding to it are taken as the decentralized identity signature file of the target object.
For ease of understanding, please refer to fig. 7, fig. 7 is a schematic diagram of a scenario for decentralized verification according to an embodiment of the present application. The object 70a shown in fig. 7 may be the target object, the object 70b may be the object one level above the target object (i.e., the object of the level higher than the target object in the first relationship chain), the object 70c may be the object one level above the object 70b, and the object 70d may be the object one level above the object 70c. For ease of understanding, embodiments of the present application will be described with reference to object 70d as the highest-level object in the first relationship chain.
As shown in fig. 7, the service node may determine the decentralized identity information of the object 70a (i.e. the decentralized identity information 71a), obtain the decentralized identity signature file of the object 70a (i.e. the decentralized identity signature file 71b) from the blockchain via the decentralized identity information 71a of the object 70a, and further determine the object (i.e. the object 70b) that signed the decentralized identity signature file 71b of the object 70a. Further, the service node may determine the decentralized identity information of the object 70b (i.e. the decentralized identity information 72a), obtain the decentralized identity signature file of the object 70b (i.e. the decentralized identity signature file 72b) from the blockchain via the decentralized identity information 72a of the object 70b, and further determine the object (i.e. the object 70c) that signed the decentralized identity signature file 72b of the object 70b. Further, the service node may determine the decentralized identity information of the object 70c (i.e. the decentralized identity information 73a), obtain the decentralized identity signature file of the object 70c (i.e. the decentralized identity signature file 73b) from the blockchain via the decentralized identity information 73a of the object 70c, and further determine the object (i.e. the object 70d) that signed the decentralized identity signature file 73b of the object 70c.
Further, as shown in FIG. 7, the service node may determine the decentralized identity information (i.e. decentralized identity information 74a) of the object 70d, and since the object 70d is the highest-level object in the first relationship chain, the public key information (i.e. public key information 74b) of the object 70d may be obtained from the blockchain via the decentralized identity information 74a of the object 70d. It will be appreciated that, since the decentralized identity signature file 73b of the object 70c is generated by signature processing based on the private key information of the object 70d, the decentralized identity signature file 73b of the object 70c can be subjected to signature verification (i.e. judging whether the decentralized identity signature file 73b was issued by the object 70d) with the public key information 74b of the object 70d, and when the signature verification of the decentralized identity signature file 73b of the object 70c succeeds, the public key information (i.e. the public key information 73c) of the object 70c can be obtained from the decentralized identity signature file 73b of the object 70c.
Similarly, since the decentralised identity signature file 72b of the object 70b is generated by performing signature processing based on the private key information of the object 70c, the decentralised identity signature file 72b of the object 70b can be subjected to signature verification (i.e. whether the decentralised identity signature file 72b is issued by the object 70c or not is judged) by the public key information 73c of the object 70c, and when the signature verification of the decentralised identity signature file 72b of the object 70b is successful, the public key information (i.e. the public key information 72 c) of the object 70b can be obtained from the decentralised identity signature file 72b of the object 70 b. Similarly, since the decentralised identity signature file 71b of the object 70a is generated by performing signature processing based on the private key information of the object 70b, the decentralised identity signature file 71b of the object 70a can be subjected to signature verification (i.e. whether the decentralised identity signature file 71b is issued by the object 70b or not is judged) by the public key information 72c of the object 70b, and when the signature verification of the decentralised identity signature file 71b of the object 70a is successful, the business processing associated with the target object can be performed.
The verification of the DID identity of the object 70a may proceed from bottom to top along the chain of trust, verifying the correctness of each on-chain DID issuing authority in turn until the top DID identity (the DID total identity, i.e., the decentralized identity information 74a) is reached. The DID issuing authority of the object 70a is first verified to be the object 70b; the DID document of the object 70b is then queried on the blockchain and its issuing authority verified to be the object 70c; the DID document of the object 70c is then queried on the blockchain and its issuing authority verified to be the object 70d; and since the identity of the object 70d is trusted, the identities of all the objects on the chain can be verified to be trusted.
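The issuance of fig. 5 and the chain-of-trust verification of steps S201 to S204 (the scenario of fig. 7), as an added example that is not the patent's own code. Signatures are textbook RSA over small primes found at run time so that only the Python standard library is needed; the DIDs `did:toy:43a`, `did:toy:40a` and `did:toy:40b`, the prime seeds, and the in-memory dict standing in for the blockchain are all constructed assumptions.

```python
"""Added example, not the patent's own code: hierarchical DID issuance
(fig. 5) and chain-of-trust verification (steps S201-S204, fig. 7).
Toy RSA with small primes; DIDs, primes and the ledger dict are constructed."""
import copy
import hashlib
import json

E = 65537  # public exponent shared by all toy keys

def _is_prime(n):
    return n > 1 and all(n % f for f in range(2, int(n ** 0.5) + 1))

def make_keypair(seed):
    """Toy RSA keypair ((n, e), (n, d)) from the two primes found at or above seed."""
    p = seed
    while not _is_prime(p) or (p - 1) % E == 0:  # keep gcd(e, phi) == 1
        p += 1
    q = p + 1
    while not _is_prime(q) or (q - 1) % E == 0:
        q += 1
    n, phi = p * q, (p - 1) * (q - 1)
    return (n, E), (n, pow(E, -1, phi))

def digest_of(did_file):
    """Hash of the canonical DID file: the 'digest to be verified' of step S204."""
    canon = json.dumps(did_file, sort_keys=True, separators=(",", ":")).encode()
    return int.from_bytes(hashlib.sha256(canon).digest(), "big")

def sign(did_file, priv):
    """Issuer 'encrypts' the digest with its private key (step S12)."""
    n, d = priv
    return pow(digest_of(did_file) % n, d, n)

def verify(did_file, sig, pub):
    """'Decrypt' the digest with the issuer's public key, compare with a fresh hash."""
    n, e = pub
    return pow(sig, e, n) == digest_of(did_file) % n

def register_root(ledger, root_did, root_pub):
    """The highest-level object's DID file is stored directly, unsigned."""
    ledger[root_did] = {"file": {"id": root_did, "publicKey": list(root_pub)}}

def issue(ledger, issuer_did, issuer_priv, subject_did, subject_pub):
    """Level i-1 signs the level-i DID file; the signature file is stored on the
    ledger indexed by the subject's DID (steps S12-S14)."""
    did_file = {"id": subject_did, "publicKey": list(subject_pub)}
    ledger[subject_did] = {"file": did_file, "issuer": issuer_did,
                           "sig": sign(did_file, issuer_priv)}

def trust_path(ledger, target_did):
    """Step S202: walk upward from the target, collecting the first verification
    object set (target first, highest level last); None if broken or looping."""
    path, cur = [], target_did
    while cur in ledger and cur not in path:
        path.append(cur)
        cur = ledger[cur].get("issuer")
        if cur is None:  # an entry stored without an issuer is the highest level
            return path
    return None

def target_public_key(ledger, path):
    """Step S203: start from the trusted highest-level key and verify downward,
    handing each verified key to the next level, until the key of the target's
    direct issuer (level i-1) is obtained; None on any failed check."""
    pub = tuple(ledger[path[-1]]["file"]["publicKey"])
    for did in reversed(path[1:-1]):  # intermediate objects, top-down
        rec = ledger[did]
        if not verify(rec["file"], rec["sig"], pub):
            return None
        pub = tuple(rec["file"]["publicKey"])
    return pub

def verify_identity(ledger, target_did):
    """Step S204: check the target's DID signature file with the key recovered
    through the chain of trust. Only objects at level i > 1 are verifiable."""
    path = trust_path(ledger, target_did)
    if path is None or len(path) < 2:
        return False
    pub = target_public_key(ledger, path)
    if pub is None:
        return False
    rec = ledger[target_did]
    return verify(rec["file"], rec["sig"], pub)

def build_example_ledger():
    """Constructed chain 43a -> 40a -> 40b of fig. 4 (total trusted authority ->
    educational bureau -> university); the dict stands in for the blockchain."""
    ledger = {}
    root_pub, root_priv = make_keypair(1_000_000)
    bureau_pub, bureau_priv = make_keypair(2_000_000)
    univ_pub, _ = make_keypair(3_000_000)
    register_root(ledger, "did:toy:43a", root_pub)
    issue(ledger, "did:toy:43a", root_priv, "did:toy:40a", bureau_pub)
    issue(ledger, "did:toy:40a", bureau_priv, "did:toy:40b", univ_pub)
    return ledger

def tampered_copy(ledger, did):
    """Ledger copy in which one stored public key was altered without re-signing,
    which the downward verification must detect."""
    bad = copy.deepcopy(ledger)
    bad[did]["file"]["publicKey"][0] += 1
    return bad
```

Swapping any intermediate key (here `did:toy:40a`) without re-signing breaks the downward walk, so the target `did:toy:40b` no longer verifies even though its own record is untouched.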
It should be understood that, in the off-center avatar authentication system provided by the embodiment of the present application, based on the off-center avatar signature file stored on the blockchain, the object may use the recovery key to modify the attribute values of the signing key of the on-chain identity and the related encryption algorithm, so that the upper layer mechanism is not required to re-authenticate the modified information. For example, when the signing key is lost, the recovery key may be used to sign a transaction to reset the signing key to obtain a new signing key, so that the new signing key is used to replace the original signing key, that is, a key recovery function is implemented, after the signing key is reset, the asset is operated by using the new signing key, and at the same time, the recovery key may be used to modify the relevant attribute in the DID file.
In addition, it should be understood that, in the embodiment of the present application, the public key information and the private key information refer to the public key information and the private key information of the signature key, and not refer to the public key information and the private key information of the recovery key. The signing key and the recovery key may correspond to two addresses, the signing key corresponds to an asset manipulation address, the recovery key corresponds to a key recovery address,
therefore, the embodiment of the application provides a multi-layer architecture-based decentralizing identity identification scheme, which can determine a first relation chain to which a target object belongs in an object hierarchy structure network, traverse the object on the first relation chain from the target object to the upper layer until traversing to the object at the highest layer in the first relation chain, further acquire public key information of the object at the highest layer from a blockchain, and perform signature verification on a decentralizing identity signature file of the object on the first relation chain to the lower layer step by step based on the public key information of the object at the highest layer until acquiring the public key information (namely the target public key information) of the object at the last layer of the target object. It can be understood that, because the decentralised identity signature file of the target object is obtained by performing signature processing based on the target private key information corresponding to the target public key information, the decentralised identity signature file of the target object can be subjected to signature verification through the target public key information, so that the decentralised identity signature file of the target object is subjected to signature verification through a mode of a multi-layer architecture.
When the blockchain is used in business and other scenarios, the information of each participant cannot be directly exposed on the chain for data security reasons. The blockchain-based decentralised identity recognition scheme can not only effectively address the visibility of each participant's data while guaranteeing that data on the blockchain cannot be tampered with, but also selectively authorise the data of each participant (namely, selectively authorise information), thereby further improving the usability of the decentralised identity system while guaranteeing the privacy of user information.
Further, referring to fig. 8, fig. 8 is a flow chart of a data processing method according to an embodiment of the application. The method may be performed by a service node (e.g., a fourth service node) in the blockchain network, which may be a server accessing the service network or a terminal device accessing the service network; the specific form of the service node is not limited herein. The service node may be any of the nodes in the service network 100a shown in fig. 1, e.g., the node 110a. The data processing method may comprise the steps of:
Step S301, receiving a file issuing request sent by a target object through a target service node, and acquiring the decentralised identity information of the target object according to the file issuing request;
The decentralised identity information of the target object is obtained from the verifiable identity document of the target object, and the target service node can send a file issuing request for issuing a hidden service declaration file through the decentralised identity information of the target object. The verifiable identity document of the target object is carried by the file issuing request, or is acquired from the blockchain according to the file issuing request; the verifiable identity document of the target object is issued to the target object by the service node corresponding to the object at the i-1 th level of the first relation chain.
For the specific process by which the service node corresponding to the object at the i-1 th level issues a verifiable identity document for the target object, reference may be made to the description of a service node corresponding to a high-level object issuing a verifiable identity document for a low-level object in the embodiment corresponding to fig. 3, which will not be repeated here.
Step S302, obtaining a decentralised identity signature file of a target object from a blockchain through decentralised identity information of the target object;
Step S303, traversing i-1 objects from the target object to the upper layer in the first relation chain, and taking the target object and the traversed i-1 objects as a first verification object set;
wherein the hierarchy of objects in the first set of verification objects comprises an ith hierarchy in turn to a highest hierarchy. For a specific process of the service node obtaining the first verification object set, refer to the description of step S202 in the embodiment corresponding to fig. 6, which will not be repeated here.
Step S304, obtaining public key information of the object at the highest level from the blockchain, and obtaining public key information of the object at the i-1 level in the first verification object set as target public key information based on the public key information of the object at the highest level and each decentralised identity signature file associated with the first verification object set;
the specific process of determining the target public key information of the object at the i-1 th level by the service node based on the public key information of the object at the highest level and each de-centralized identity signature file associated with the first verification object set can be referred to the description of step S203 in the embodiment corresponding to fig. 6, which will not be described herein.
Step S305, carrying out signature verification on the decentralised identity signature file of the target object through the target public key information, and generating a hidden service statement file of the target object when the decentralised identity signature file of the target object is successfully subjected to signature verification;
the specific process of signature verification on the de-centralized identity signature file of the target object through the target public key information can be referred to the description of step S204 in the embodiment corresponding to fig. 6, which will not be described herein.
It may be understood that, in a qualification checking scenario, the hidden service declaration file may be a proof file for proving the qualification of the target object, such as an electronic academic certificate, an electronic graduation certificate, or an electronic skill certificate; in a medical scenario, the hidden service declaration file may be an electronic medical record, an electronic prescription, or the like; in a government scenario, the hidden service declaration file may be a government document, such as an electronic real estate certificate.
It may be understood that the hidden service declaration file may include the service attribute data of the target object and auxiliary service data associated with the service attribute data, where the auxiliary service data is generated by the service node according to the service attribute data, and the hidden service declaration file may be a verifiable declaration file with attribute hiding capability, obtained by the service node signing the service attribute data and the auxiliary service data through its decentralised identity information. The service attribute data are obtained by splitting the object identity information of the target object into attributes.
It will be appreciated that, in the present application, related data such as the service attribute data (e.g. a gender attribute or an address attribute) in a service declaration file may be hidden; when the above embodiments of the present application are applied to specific products or technologies, the permission or consent of the data subject needs to be obtained, and the collection, use and processing of related data need to comply with the relevant national laws, regulations and national standards of the country where the data subject is located. For example, the target service node may display a prompt message such as "whether the service node is authorised to obtain the object identity information of the target object", and after the target object corresponding to the target service node grants authorisation, the target service node may send the decentralised identity file carrying the object identity information of the target object to the service node, so that the service node generates the hidden service declaration file based on the object identity information of the target object.
Step S306, writing the hidden service declaration file into the blockchain.
The verifiable identity document and the hidden service declaration document in the embodiment of the application are both verifiable declaration documents.
It can be appreciated that the embodiment of the present application may directly return the hidden service declaration file to the target service node. Optionally, the embodiment of the application may also not return the hidden service declaration file to the target service node, but write the transaction corresponding to the hidden service declaration file into the blockchain through the consensus node and, after the transaction has been written into the blockchain, return the transaction uplink result for the hidden service declaration file to the target service node. The node identifier of the target service node is used to indicate that the target object is qualified to acquire the hidden service declaration file from the transaction, and service nodes other than the target service node cannot directly acquire the hidden service declaration file associated with the identity of the target object, so that the target service node can directly acquire the hidden service declaration file of the target object from the blockchain.
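The chain walk of steps S302 to S305 (and equally steps S402 to S405 and S407 to S408 of the fig. 9 embodiment), as an added example that is not code from the patent: it assumes Ed25519 signatures, a constructed `did:example:` naming scheme, a simple `|`-separated payload encoding for the signed file, and an in-memory map standing in for the blockchain.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/hex"
	"fmt"
)

// DIDFile is a constructed stand-in for the decentralised identity signature
// file of a non-highest-level object: it carries the object's own public key
// and is signed with the private key of the object one level above it.
type DIDFile struct {
	DID, IssuerDID string
	PubKey         ed25519.PublicKey
	Sig            []byte // issuer's signature over Payload()
}

// Payload is the byte string the issuer signs (the encoding is an assumption).
func (f DIDFile) Payload() []byte {
	return []byte(f.DID + "|" + f.IssuerDID + "|" + hex.EncodeToString(f.PubKey))
}

// Ledger mocks the on-chain state: public keys of the highest-level objects
// (Roots) and the DID file of every non-highest-level object (Files).
type Ledger struct {
	Roots map[string]ed25519.PublicKey
	Files map[string]DIDFile
}

// Issue registers a new object one level below issuerDID: a fresh key pair is
// generated and its DID file is signed with the issuer's private key.
func (l *Ledger) Issue(issuerDID string, issuerPriv ed25519.PrivateKey, did string) (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	f := DIDFile{DID: did, IssuerDID: issuerDID, PubKey: pub}
	f.Sig = ed25519.Sign(issuerPriv, f.Payload())
	l.Files[did] = f
	return pub, priv
}

// ResolveKey implements steps S302 to S305: walk the relationship chain upward
// from targetDID until a highest-level object is reached, fetch that root's
// public key from the ledger, then verify the DID files downward, each under
// the key established one level above, and return the target's public key.
func (l *Ledger) ResolveKey(targetDID string) (ed25519.PublicKey, error) {
	var set []DIDFile // first verification set: target first, then ancestors
	cur := targetDID
	for {
		if _, isRoot := l.Roots[cur]; isRoot {
			break
		}
		f, ok := l.Files[cur]
		if !ok || len(set) >= len(l.Files) { // unknown DID, or issuer links form a cycle
			return nil, fmt.Errorf("no path from %s to a highest-level object", targetDID)
		}
		set = append(set, f)
		cur = f.IssuerDID
	}
	key := l.Roots[cur] // the only key trusted a priori
	for idx := len(set) - 1; idx >= 0; idx-- {
		f := set[idx]
		if !ed25519.Verify(key, f.Payload(), f.Sig) {
			return nil, fmt.Errorf("DID file of %s does not verify under %s", f.DID, f.IssuerDID)
		}
		key = f.PubKey // now trusted for the next level down
	}
	return key, nil
}

// BuildDemoLedger builds a constructed three-level chain in the style of
// fig. 4: an education department (highest level), a school below it and a
// student below the school. It returns the ledger and the student's real key.
func BuildDemoLedger() (*Ledger, ed25519.PublicKey) {
	rootPub, rootPriv, _ := ed25519.GenerateKey(rand.Reader)
	l := &Ledger{Roots: map[string]ed25519.PublicKey{"did:example:edu-dept": rootPub}, Files: map[string]DIDFile{}}
	_, schoolPriv := l.Issue("did:example:edu-dept", rootPriv, "did:example:school-D3")
	studentPub, _ := l.Issue("did:example:school-D3", schoolPriv, "did:example:student-Y3")
	return l, studentPub
}

func main() {
	l, studentPub := BuildDemoLedger()
	key, err := l.ResolveKey("did:example:student-Y3")
	fmt.Println(key.Equal(studentPub), err) // true <nil>

	// A DID file that names the school as issuer but was signed by someone
	// else is rejected, because only the root key is trusted a priori.
	_, rogue, _ := ed25519.GenerateKey(rand.Reader)
	forged := DIDFile{DID: "did:example:student-Y3", IssuerDID: "did:example:school-D3", PubKey: studentPub}
	forged.Sig = ed25519.Sign(rogue, forged.Payload())
	l.Files[forged.DID] = forged
	_, err = l.ResolveKey("did:example:student-Y3")
	fmt.Println(err) // DID file of did:example:student-Y3 does not verify under did:example:school-D3
}
```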
Referring to fig. 4 again, the embodiment of the present application is illustrated by taking the scenario corresponding to fig. 4 as a qualification checking scenario. For example, the object 40b may be a university (e.g. school D3), the object 41b may be a user (e.g. student Y3 or staff member Y4), the object 42b may be an enterprise (e.g. enterprise D4), the hidden service declaration file may be an electronic academic certificate issued by school D3, and student Y3 may hold the electronic academic certificate. The electronic academic certificate is issued in the form of a hidden service declaration file. In other words, student Y3 can send a file issuing request to school D3, and school D3 can generate a hidden service declaration file for the electronic academic certificate after authenticating the identity of student Y3. School D3 can query in the blockchain, through a resolver, the public key information of the highest-level object and the decentralised identity signature files required for authenticating the identity of student Y3.
Therefore, after the file issuing request sent by the target object through the target service node is obtained, the embodiment of the application can obtain the decentralised identity signature file of the target object, carry out signature verification on it, and, when the signature verification succeeds, generate the hidden service declaration file of the target object. Thus the embodiment of the application provides a multi-layer architecture-based decentralised identity identification scheme in which the reliability of a DID identity is transferred by having an authoritative DID participant issue the decentralised identity in a multi-layer architecture, so that the security of the attribute data in the decentralised identity signature file can be improved.
Further, referring to fig. 9, fig. 9 is a flow chart of a data processing method according to an embodiment of the application. The method may be performed by a service node (e.g., a fourth service node) in the blockchain network, which may be a server accessing the service network or a terminal device accessing the service network; the specific form of the service node is not limited herein. The service node may be any of the nodes in the service network 100a shown in fig. 1, e.g., the node 110a. The data processing method may comprise the steps of:
Step S401, receiving an identity authentication request sent by a target object through a target service node, and acquiring the hidden service expression signature file of the target object according to the identity authentication request;
the hidden service expression signature file is carried by the identity authentication request, or the hidden service expression signature file is acquired from the blockchain according to the identity authentication request; the hidden service expression signature file is submitted to a blockchain after the signature processing is carried out on the hidden service expression file by a target service node corresponding to the target object; the hidden service expression file is obtained by data processing of the hidden service statement file by the target service node corresponding to the target object. Wherein the data processing means that the target service node can selectively reveal or hide the service attribute data in the hidden service announcement file.
It may be understood that the hidden service expression file is generated by the target service node from hidden attribute data, revealed attribute data and the auxiliary service data; the hidden attribute data and the revealed attribute data are determined by the target service node from the service attribute data in the hidden service declaration file, the hidden attribute data being the attribute data in the service attribute data that represents the identity of the target object, and the revealed attribute data being the remaining attribute data. Therefore, in generating the hidden service expression file (i.e. the verifiable expression file with attribute hiding capability) from the hidden service declaration file (i.e. the verifiable declaration file with attribute hiding capability), the target service node can selectively disclose part of the attribute data in the hidden service declaration file and thereby achieve minimal disclosure of attribute data through the generated hidden service expression file, so that the security of certain attribute data of the target object is ensured while, when certain attribute data are selectively disclosed, the privacy of the remaining attribute data is preserved to the greatest extent.
It will be appreciated that the target service node may send the hidden service expression file directly to the service node. Optionally, the target service node may not need to send the hidden service expression file to the service node, write the transaction corresponding to the hidden service expression file into the blockchain through the consensus node, and send an identity authentication request for the hidden service expression file to the service node after writing the transaction corresponding to the hidden service expression file into the blockchain. The transaction carries a node identifier of a service node, the node identifier of the service node is used for representing that an object corresponding to the service node has the qualification of acquiring a hidden service expression file from the transaction, and other service nodes except the service node cannot directly acquire the hidden service expression file associated with the identity of a target object, so that the service node can directly acquire the hidden service expression file from a blockchain.
Step S402, determining a target object for signing the hidden service expression signature file, acquiring the decentralization identity information of the target object, and acquiring the decentralization identity signature file of the target object from the blockchain through the decentralization identity information of the target object;
Step S403, traversing i-1 objects from the target object to the upper layer in the first relation chain, and taking the target object and the traversed i-1 objects as a first verification object set;
wherein the hierarchy of objects in the first set of verification objects comprises an ith hierarchy in turn to a highest hierarchy. For a specific process of the service node obtaining the first verification object set, refer to the description of step S202 in the embodiment corresponding to fig. 6, which will not be repeated here.
Step S404, obtaining public key information of the object at the highest level from the blockchain, and obtaining public key information of the object at the i-1 level in the first verification object set as target public key information based on the public key information of the object at the highest level and each decentralised identity signature file associated with the first verification object set;
the specific process of determining the target public key information of the object at the i-1 th level by the service node based on the public key information of the object at the highest level and each de-centralized identity signature file associated with the first verification object set can be referred to the description of step S203 in the embodiment corresponding to fig. 6, which will not be described herein.
Step S405, signature verification is carried out on the decentralised identity signature file of the target object through the target public key information, and when the decentralised identity signature file of the target object is successfully verified, the public key information of the target object is obtained from the decentralised identity signature file of the target object;
the specific process of signature verification on the de-centralized identity signature file of the target object through the target public key information can be referred to the description of step S204 in the embodiment corresponding to fig. 6, which will not be described herein.
Step S406, signature verification is carried out on the hidden service expression signature file through public key information of the target object, and when the signature verification of the hidden service expression signature file is successful, the hidden service expression file is obtained;
the hidden service expression file in the embodiment of the application is a verifiable expression file. When the signature verification of the hidden service expression signature file is successful, it can be determined that the hidden service expression file is submitted by the target object through the target service node.
The specific process of signature verification on the hidden service expression signature file through the public key information of the target object can be referred to the description of signature verification on the decentralized identity signature file of the target object through the target public key information, which will not be described herein.
Step S407, determining the authentication object that signed the hidden service declaration file, obtaining the decentralised identity information of the authentication object, and obtaining the decentralised identity signature file of the authentication object from the blockchain through the decentralised identity information of the authentication object;
The authentication object refers to an object located at the j-th level in a second relation chain of the object hierarchy network, where j is an integer greater than 1 and less than or equal to n, and the second relation chain may be any one of the M relation chains of the object hierarchy network, the first relation chain and the second relation chain being different. The decentralised identity signature file of the object at the j-th level in the second relation chain is generated based on the private key information of the object at the j-1 th level in the second relation chain; the j-1 th level is higher than the j-th level.
The authentication service node corresponding to the authentication object may be a service node in the embodiment corresponding to fig. 8, where in this case, the object corresponding to the service node in the embodiment of the present application may be an object in a third relationship chain of the object hierarchy network. Referring to fig. 4 again, the target object may be the object 41b shown in fig. 4, the authentication object may be the object 40b shown in fig. 4, and the object corresponding to the service node in the embodiment of the present application may be the object 42b shown in fig. 4.
Step S408, carrying out signature verification on the decentralised identity signature file of the authentication object; when the decentralised identity signature file of the authentication object is successfully verified, determining the validity of the hidden service declaration file according to the public key information of the authentication object in the decentralised identity signature file of the authentication object, and verifying the hidden service expression file through the valid hidden service declaration file.
Specifically, j-1 objects are traversed upward from the authentication object in the second relation chain, and the authentication object and the traversed j-1 objects are taken as a second verification object set, whose levels run from the j-th level up to the highest level. Further, the public key information of the object at the highest level is obtained from the blockchain, and the public key information of the object at the j-1 th level in the second verification object set is obtained as the authentication public key information based on the public key information of the object at the highest level and each decentralised identity signature file associated with the second verification object set. Further, signature verification is carried out on the decentralised identity signature file of the authentication object through the authentication public key information; when the decentralised identity signature file of the authentication object is successfully verified, the validity of the hidden service declaration file is determined according to the public key information of the authentication object in that file, and the hidden service expression file is verified through the valid hidden service declaration file. Upon successful signature verification of the decentralised identity signature file of the authentication object, it may be determined that the hidden service declaration file was issued by the authentication object.
The specific process that the service node traverses j-1 objects from the authentication object to the upper layer to obtain the second verification object set may refer to the above description that traverses i-1 objects from the target object to the upper layer to obtain the first verification object set, which will not be described in detail herein. The specific process of the service node obtaining the authentication public key information based on the public key information of the object at the highest level and each decentralized identity signature file associated with the second verification object set may refer to the description of obtaining the target public key information based on the public key information of the object at the highest level and each decentralized identity signature file associated with the first verification object set, which will not be described herein.
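The issuing of the hidden service declaration file (step S305), the holder's selective-disclosure expression file (step S401 and the explanation above it) and the verifier's checks of steps S406 to S408, as an added example that is not code from the patent: it assumes Ed25519 signatures, that the auxiliary service data is a salted SHA-256 commitment per attribute (the patent does not specify how the auxiliary data is formed), and that the holder's and the issuer's public keys have already been resolved through their relationship chains as in the preceding steps.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"sort"
	"strings"
)

// commit is the auxiliary datum kept for one attribute: a salted hash over the
// opening "salt:value" (an assumed construction, not the patent's format).
func commit(name, opening string) string {
	h := sha256.Sum256([]byte(name + "|" + opening))
	return hex.EncodeToString(h[:])
}

// canon serialises a prefix and a map in sorted key order so signer and verifier hash the same bytes.
func canon(prefix string, m map[string]string) []byte {
	items := make([]string, 0, len(m))
	for k, v := range m {
		items = append(items, k+"="+v)
	}
	sort.Strings(items)
	return []byte(prefix + "|" + strings.Join(items, "|"))
}

// Declaration is the hidden service declaration file: the issuer signs the
// commitments to the holder's attributes, never the attribute values themselves.
type Declaration struct {
	IssuerDID, HolderDID string
	Commit               map[string]string // attribute name -> commitment
	Sig                  []byte            // issuer's signature over Payload()
}
func (d Declaration) Payload() []byte { return canon(d.IssuerDID+"|"+d.HolderDID, d.Commit) }

// IssueDeclaration runs at the issuer (the school): it commits to each attribute,
// signs the declaration and returns the openings, which go to the holder only.
func IssueDeclaration(issuerDID string, issuerPriv ed25519.PrivateKey, holderDID string, attrs map[string]string) (Declaration, map[string]string) {
	d := Declaration{IssuerDID: issuerDID, HolderDID: holderDID, Commit: map[string]string{}}
	open := map[string]string{}
	for n, v := range attrs {
		salt := make([]byte, 16)
		rand.Read(salt)
		open[n] = hex.EncodeToString(salt) + ":" + v
		d.Commit[n] = commit(n, open[n])
	}
	d.Sig = ed25519.Sign(issuerPriv, d.Payload())
	return d, open
}

// Expression is the hidden service expression file: the declaration plus the
// openings of the revealed attributes only, signed by the holder.
type Expression struct {
	Decl     Declaration
	Revealed map[string]string // attribute name -> opening
	Sig      []byte            // holder's signature over Payload()
}
func (e Expression) Payload() []byte { return canon(string(e.Decl.Payload()), e.Revealed) }

// Present runs at the holder's service node: reveal only the named attributes
// (all others stay hidden) and sign the result with the holder's key.
func Present(holderPriv ed25519.PrivateKey, d Declaration, open map[string]string, reveal ...string) Expression {
	e := Expression{Decl: d, Revealed: map[string]string{}}
	for _, n := range reveal {
		e.Revealed[n] = open[n]
	}
	e.Sig = ed25519.Sign(holderPriv, e.Payload())
	return e
}

// VerifyExpression runs at the verifier (the enterprise) once the holder's and
// the issuer's public keys have been resolved through their relationship chains:
// holder signature (S406), issuer signature (S407, S408), then every opening.
func VerifyExpression(holderPub, issuerPub ed25519.PublicKey, e Expression) (map[string]string, error) {
	if !ed25519.Verify(holderPub, e.Payload(), e.Sig) {
		return nil, fmt.Errorf("expression not signed by holder %s", e.Decl.HolderDID)
	}
	if !ed25519.Verify(issuerPub, e.Decl.Payload(), e.Decl.Sig) {
		return nil, fmt.Errorf("declaration not signed by issuer %s", e.Decl.IssuerDID)
	}
	out := map[string]string{}
	for n, o := range e.Revealed {
		if c, ok := e.Decl.Commit[n]; !ok || commit(n, o) != c {
			return nil, fmt.Errorf("revealed attribute %q does not open its commitment", n)
		}
		out[n] = strings.SplitN(o, ":", 2)[1]
	}
	return out, nil
}

func main() {
	issuerPub, issuerPriv, _ := ed25519.GenerateKey(rand.Reader)
	holderPub, holderPriv, _ := ed25519.GenerateKey(rand.Reader)
	attrs := map[string]string{"name": "Y3", "id_number": "constructed-0001", "degree": "BSc"}
	d, open := IssueDeclaration("did:example:school-D3", issuerPriv, "did:example:student-Y3", attrs)
	e := Present(holderPriv, d, open, "degree") // name and id_number stay hidden
	fmt.Println(VerifyExpression(holderPub, issuerPub, e)) // map[degree:BSc] <nil>
}
```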
For ease of understanding, the embodiment of the present application is described taking a school as the authentication object. The school's decentralised identity signature file is issued by a superior trusted authority of the school (e.g. an education department) through that authority's decentralised identity information, and it should be understood that the decentralised identity signature file of the school's superior trusted authority is in turn issued by an even higher trusted authority through its decentralised identity information, and so on, until the highest-level trusted authority is reached.
For ease of understanding, please refer to fig. 10, which is a schematic diagram of a blockchain network according to an embodiment of the present application. As shown in fig. 10, the blockchain network hierarchy of the blockchain-based decentralised identity identification system may include an application layer, a service interface layer and a persistence layer: the application layer may include an Issuer, a Verifier and a Holder, the service interface layer may include a Resolver, and the persistence layer may include a blockchain and decentralised storage, where the decentralised storage may be implemented by the blockchain. The Issuer may also be referred to as a DID Issuer, the Verifier as a DID Verifier, the Holder as a DID Holder, and the Resolver as a DID Resolver.
The DID resolver is a system component that performs the DID resolution function, taking a DID as input and producing the desired DID file as output. The DID resolver assists the application layer in querying DID files: it can resolve DID files according to different DID methods and return the resolution result to the application layer, so that the application layer does not need to be aware of the details of file resolution.
For ease of understanding, please refer to fig. 4 again; the embodiment of the present application uses the scenario corresponding to fig. 4 to illustrate a qualification checking scenario. For example, the object 40b may be a university (e.g. school D3), the object 41b may be a user (e.g. student Y3 or staff member Y4), the object 42b may be an enterprise (e.g. enterprise D4), the hidden service declaration file may be an electronic academic certificate issued by school D3, student Y3 may hold the electronic academic certificate, and enterprise D4 may verify the electronic academic certificate. The electronic academic certificate is issued in the form of a hidden service declaration file. In other words, student Y3 can send an identity authentication request to enterprise D4, and enterprise D4 can, after authenticating the identities of student Y3 and school D3, verify the hidden service expression file generated from the hidden service declaration file of the electronic academic certificate. Enterprise D4 can query in the blockchain, through a resolver, the public key information of the highest-level objects and the decentralised identity signature files required for authenticating the identities of student Y3 and school D3.
Therefore, after the identity authentication request sent by the target object through the target service node is obtained, the embodiment of the application can obtain the decentralised identity signature file of the target object and carry out signature verification on it; when that verification succeeds, it obtains the decentralised identity signature file of the authentication object and carries out signature verification on it; and when that verification succeeds, it determines the validity of the hidden service declaration file. Thus the embodiment of the application provides a multi-layer architecture-based decentralised identity identification scheme in which the reliability of a DID identity is transferred by having an authoritative DID participant issue the decentralised identity in a multi-layer architecture, so that the security of the attribute data in the decentralised identity signature file can be improved.
Further, referring to fig. 11, fig. 11 is a schematic structural diagram of a data processing apparatus according to an embodiment of the present application. The data processing apparatus 1 may be a computer program (comprising program code) running in a computer device, for example, the data processing apparatus 1 is an application software; the data processing device 1 may be adapted to perform the respective steps of the method provided by the embodiments of the application. As shown in fig. 11, the data processing apparatus 1 may be applied to a service node in a blockchain network. The data processing apparatus 1 may include: a file acquisition module 11, an object traversal module 12, a public key acquisition module 13, a signature verification module 14;
The file acquisition module 11 is used for acquiring the decentralised identity signature file of the target object from the blockchain through the decentralised identity information of the target object; the target object refers to an object located at the i-th level in a first relation chain of the object hierarchy network; i is an integer greater than 1 and less than or equal to n; n is the total number of levels of the object hierarchy network; the decentralised identity signature file of the object at the i-th level in the first relation chain is generated based on the private key information of the object at the i-1 th level in the first relation chain; the i-1 th level is higher than the i-th level; each object at a non-highest level has a corresponding decentralised identity signature file, the decentralised identity signature file of each object at a non-highest level contains that object's own public key information, and a non-highest level is any of the n levels other than the highest level; the public key information of the object at the highest level and the decentralised identity signature file of each object at a non-highest level are stored in the blockchain;
The file acquisition module 11 is specifically configured to receive a file issuing request sent by the target object through the target service node, and acquire the decentralised identity information of the target object according to the file issuing request; the decentralised identity information of the target object is obtained from the verifiable identity document of the target object; the verifiable identity document of the target object is carried by the file issuing request, or is acquired from the blockchain according to the file issuing request; the verifiable identity document of the target object is issued to the target object by the service node corresponding to the object at the i-1 th level;
The file acquisition module 11 is then specifically configured to obtain the decentralised identity signature file of the target object from the blockchain through the decentralised identity information of the target object.
The file acquisition module 11 is specifically configured to receive an identity authentication request sent by a target object through a target service node, and acquire a hidden service expression signature file of the target object according to the identity authentication request; the hidden service expression signature file is carried by the identity authentication request, or the hidden service expression signature file is acquired from the blockchain according to the identity authentication request; the hidden service expression signature file is submitted to a blockchain after the signature processing is carried out on the hidden service expression file by a target service node corresponding to the target object; the hidden service expression file is obtained by performing data processing on the hidden service statement file by a target service node corresponding to the target object;
The file obtaining module 11 is specifically configured to determine a target object for signing the hidden service expression signature file, obtain the decentralized identity information of the target object, and obtain the decentralized identity signature file of the target object from the blockchain through the decentralized identity information of the target object.
The object traversing module 12 is configured to traverse i-1 objects from the target object to an upper layer in the first relation chain, and use the target object and the traversed i-1 objects as a first verification object set; the hierarchy of objects in the first set of verification objects includes an ith hierarchy sequentially to a highest hierarchy;
wherein the object traversal module 12 comprises: an information acquisition unit 121, a first traversal unit 122, a second traversal unit 123;
an information acquisition unit 121, for determining the object at the i-1 th level that signed the decentralised identity signature file of the target object in the first relation chain, and acquiring the decentralised identity information of the object at the i-1 th level;
a first traversing unit 122, configured to obtain, in the blockchain, a de-centralized identity signature file of the i-1 th level object through the de-centralized identity information of the i-1 th level object if the de-centralized identity information of the i-1 th level object indicates that the i-1 th level is not the highest level, add the target object and the i-1 th level object to the first verification object set, continue traversing the i-2 objects from the i-1 th level object to the upper layer, and add the traversed i-2 objects to the first verification object set;
The second traversing unit 123 is configured to add the target object and the object of the i-1 th hierarchy to the first verification object set if the de-centralized identity information of the object of the i-1 th hierarchy indicates that the i-1 th hierarchy is the highest hierarchy.
The specific implementation manner of the information obtaining unit 121, the first traversing unit 122 and the second traversing unit 123 may refer to the description of step S202 in the embodiment corresponding to fig. 6, and will not be repeated here.
The public key obtaining module 13 is configured to obtain the public key information of the object at the highest level from the blockchain, and to obtain, based on the public key information of the object at the highest level and each decentralized identity signature file associated with the first verification object set, the public key information of the object at the i-1 th level in the first verification object set as target public key information;
wherein the public key obtaining module 13 comprises: an object obtaining unit 131, a first determining unit 132 and a second determining unit 133;
the object obtaining unit 131 is configured to obtain the public key information of the object at the highest level from the blockchain, and to obtain the object at the next-highest level of the first relation chain from the first verification object set; the decentralized identity signature file of the object at the next-highest level is generated based on the private key information of the object at the highest level;
the first determining unit 132 is configured to, if the object at the next-highest level is the target object, determine that the object at the i-1 th level in the first verification object set is the object at the highest level, and take the public key information of the object at the highest level as the target public key information;
the second determining unit 133 is configured to, if the object at the next-highest level is not the target object, perform signature verification on the decentralized identity signature file of the object at the next-highest level using the public key information of the object at the highest level, obtain the public key information of the object at the next-highest level from its decentralized identity signature file when that signature verification succeeds, and continue to verify the decentralized identity signature file of the object one level lower using the public key information of the object at the next-highest level, and so on, until the public key information in the decentralized identity signature file of the object at the i-1 th level in the first verification object set is obtained as the target public key information.
Wherein the decentralized identity signature file of the object at the next-highest level is generated by signing the decentralized identity file of the object at the next-highest level with the private key information of the object at the highest level;
the second determining unit 133 is specifically configured to obtain the decentralized identity file of the object at the next-highest level from the decentralized identity signature file of the object at the next-highest level;
the second determining unit 133 is specifically configured to obtain the public key information of the object at the next-highest level from the decentralized identity file of the object at the next-highest level.
The specific implementation manner of the object obtaining unit 131, the first determining unit 132, and the second determining unit 133 may refer to the description of step S203 in the embodiment corresponding to fig. 6, which will not be described herein.
The signature verification module 14 is configured to perform signature verification on the decentralized identity signature file of the target object through the target public key information, and to perform service processing associated with the target object when the signature verification of the decentralized identity signature file of the target object succeeds.
The signature verification module 14 is specifically configured to perform signature verification on the decentralized identity signature file of the target object through the target public key information, and to generate a hidden service declaration file of the target object when the signature verification of the decentralized identity signature file of the target object succeeds;
the signature verification module 14 is specifically configured to write the hidden service declaration file into the blockchain.
The signature verification module 14 is specifically configured to perform signature verification on the decentralized identity signature file of the target object through the target public key information, and to acquire the public key information of the target object from the decentralized identity signature file of the target object when the signature verification of the decentralized identity signature file of the target object succeeds;
the signature verification module 14 is specifically configured to perform signature verification on the hidden service expression signature file through the public key information of the target object, and to obtain the hidden service expression file when the signature verification of the hidden service expression signature file succeeds;
the signature verification module 14 is specifically configured to determine the authentication object that signed the hidden service declaration file, obtain the decentralized identity information of the authentication object, and obtain the decentralized identity signature file of the authentication object from the blockchain through the decentralized identity information of the authentication object;
the signature verification module 14 is specifically configured to perform signature verification on the decentralized identity signature file of the authentication object, and, when the decentralized identity signature file of the authentication object is successfully verified, to determine the legitimacy of the hidden service declaration file according to the public key information of the authentication object contained in the decentralized identity signature file of the authentication object, and to verify the hidden service expression file through the hidden service declaration file whose legitimacy has been established.
Wherein the authentication object refers to an object located at the j-th level in a second relation chain of the object hierarchy network; j is an integer greater than 1 and less than or equal to n; the decentralized identity signature file of the object at the j-th level in the second relation chain is generated based on the private key information of the object at the j-1 th level in the second relation chain; the j-1 th level is higher than the j-th level;
the signature verification module 14 is specifically configured to traverse j-1 objects upward from the authentication object in the second relation chain, and to use the authentication object and the traversed j-1 objects as a second verification object set; the levels of the objects in the second verification object set run from the j-th level sequentially up to the highest level;
the signature verification module 14 is specifically configured to obtain the public key information of the object at the highest level from the blockchain, and to obtain, based on the public key information of the object at the highest level and each decentralized identity signature file associated with the second verification object set, the public key information of the object at the j-1 th level in the second verification object set as authentication public key information;
the signature verification module 14 is specifically configured to perform signature verification on the decentralized identity signature file of the authentication object through the authentication public key information.
The signature verification module 14 is specifically configured to decrypt the decentralized identity signature file of the target object through the target public key information, to obtain the decentralized identity file of the target object and the to-be-verified digest information corresponding to the decentralized identity file of the target object;
the signature verification module 14 is specifically configured to perform a hash computation on the decentralized identity file of the target object to obtain the target digest information corresponding to the decentralized identity file of the target object;
the signature verification module 14 is specifically configured to compare the to-be-verified digest information with the target digest information to obtain a signature verification result;
the signature verification module 14 is specifically configured to, if the to-be-verified digest information is the same as the target digest information, indicate that the signature verification of the decentralized identity signature file of the target object succeeds;
the signature verification module 14 is specifically configured to, if the to-be-verified digest information differs from the target digest information, indicate that the signature verification of the decentralized identity signature file of the target object fails.
Wherein the object hierarchy network comprises M relation chains, M being an integer greater than 1; the M relation chains include the first relation chain; each level in a relation chain includes one object; an issuing function and a signature verification function exist between the objects of every two adjacent levels in a relation chain, where the issuing function means that the object at the higher of the two adjacent levels has the authority to issue for the object at the lower level, and the signature verification function means that the object at the higher of the two adjacent levels has the authority to verify the signature of the object at the lower level.
Wherein the M relation chains comprise a relation chain S_k, k being a positive integer less than or equal to M; the relation chain S_k comprises a high-level object and a low-level object, the two being adjacent in level, with the level of the high-level object higher than that of the low-level object; the decentralized identity file of the low-level object is used to instruct the service node corresponding to the high-level object, after it has performed identity verification on the low-level object, to perform signature processing on the decentralized identity file of the low-level object through the private key information of the high-level object, thereby obtaining the decentralized identity signature file of the low-level object, which is to be written into the blockchain; the decentralized identity file of the low-level object is also used to instruct the service node corresponding to the high-level object to issue a verifiable identity document of the low-level object for the low-level object; the verifiable identity document of the low-level object carries the decentralized identity information of the low-level object; the decentralized identity signature file of the low-level object and the verifiable identity document of the low-level object are used together to instruct the service node corresponding to the high-level object to return an identity registration result to the service node corresponding to the low-level object; the identity registration result includes at least one of the decentralized identity signature file of the low-level object or the verifiable identity document of the low-level object.
The specific implementation manners of the file acquisition module 11, the object traversing module 12, the public key obtaining module 13 and the signature verification module 14 may refer to the description of step S101 to step S102 in the embodiment corresponding to fig. 3, step S201 to step S204 in the embodiment corresponding to fig. 6, step S301 to step S306 in the embodiment corresponding to fig. 8, and step S401 to step S408 in the embodiment corresponding to fig. 9, and will not be repeated here. In addition, the description of the beneficial effects of the same method is omitted.
Further, referring to fig. 12, fig. 12 is a schematic structural diagram of a computer device according to an embodiment of the present application. As shown in fig. 12, the computer device 1000 may include: a processor 1001, a network interface 1004 and a memory 1005; in addition, the above-described computer device 1000 may further include: a user interface 1003 and at least one communication bus 1002. The communication bus 1002 is used to enable connected communication between these components. In some embodiments, the user interface 1003 may include a display and a keyboard, and the optional user interface 1003 may further include a standard wired interface and a wireless interface, among others. Alternatively, the network interface 1004 may include a standard wired interface and a wireless interface (e.g., a WI-FI interface). The memory 1005 may be a high-speed RAM memory or a non-volatile memory, such as at least one disk memory. Optionally, the memory 1005 may also be at least one memory device located remotely from the aforementioned processor 1001. As shown in fig. 12, the memory 1005, which is one type of computer-readable storage medium, may include an operating system, a network communication module, a user interface module and a device control application program.
In the computer device 1000 shown in FIG. 12, the network interface 1004 may provide network communication functions; while user interface 1003 is primarily used as an interface for providing input to a user; and the processor 1001 may be used to invoke a device control application stored in the memory 1005 to implement:
acquiring a decentralized identity signature file of the target object from the blockchain through the decentralized identity information of the target object; the target object refers to an object located at the i-th level in a first relation chain of the object hierarchy network; i is an integer greater than 1 and less than or equal to n; n is the total number of levels of the object hierarchy network; the decentralized identity signature file of the object at the i-th level in the first relation chain is generated based on the private key information of the object at the i-1 th level in the first relation chain; the i-1 th level is higher than the i-th level; each object at a non-highest level is provided with a corresponding decentralized identity signature file, the decentralized identity signature file of each object at a non-highest level contains that object's own public key information, and a non-highest level is any level among the n levels other than the highest level; the public key information of the object at the highest level and the decentralized identity signature file of each object at a non-highest level are stored in the blockchain;
Traversing i-1 objects from the target object to the upper layer in the first relation chain, and taking the target object and the traversed i-1 objects as a first verification object set; the hierarchy of objects in the first set of verification objects includes an ith hierarchy sequentially to a highest hierarchy;
acquiring public key information of an object at the highest level from a blockchain, and acquiring public key information of the object at the i-1 level in a first verification object set as target public key information based on the public key information of the object at the highest level and each decentralised identity signature file associated with the first verification object set;
and carrying out signature verification on the decentralised identity signature file of the target object through the target public key information, and carrying out service processing associated with the target object when the decentralised identity signature file of the target object is successfully subjected to signature verification.
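As an added illustration of the method recited above (example code written for this page, not the patent's own implementation): a Python model of the hierarchical chain-of-trust check, with the root key and every lower object's signed DID file held in a simulated blockchain. It uses a toy textbook RSA on small Mersenne primes so that it runs on the standard library alone; the DID identifiers, the blockchain layout and the rogue and tampered cases are all constructed for the example.

```python
import hashlib
import json

# Toy textbook RSA on fixed Mersenne primes so the example runs on the standard library alone.
# Constructed for illustration only; the modulus sizes and the digest reduction below are NOT secure.
E = 65537
MERSENNE = {k: 2 ** k - 1 for k in (13, 17, 19, 31, 61, 89, 107, 127)}

def rsa_keypair(p, q):
    """Return (public=(e, n), private=(d, n)); p, q distinct primes with gcd(E, phi) == 1."""
    n, phi = p * q, (p - 1) * (q - 1)
    return (E, n), (pow(E, -1, phi), n)

def digest_int(data, n):
    """SHA-256 of the file, reduced into the modulus so the small toy keys can sign it."""
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n

def sign_file(doc, priv):
    """DID signature file = the DID document plus its digest signed with the issuer's private key."""
    d, n = priv
    raw = json.dumps(doc, sort_keys=True).encode()
    return {"doc": doc, "sig": pow(digest_int(raw, n), d, n)}

def verify_signature_file(sig_file, pub):
    """The check of claim 10: recover the digest with the public key, hash the document, compare."""
    e, n = pub
    raw = json.dumps(sig_file["doc"], sort_keys=True).encode()
    return pow(sig_file["sig"], e, n) == digest_int(raw, n)

def did_doc(did, level, pub, issuer):
    """Decentralized identity file: carries the object's own public key and the issuer one level up."""
    return {"did": did, "level": level, "pub": list(pub), "issuer": issuer}

# Constructed first relation chain with n = 3 levels: root (level 1) -> org (level 2) -> target (level 3).
ROOT_PUB, ROOT_PRIV = rsa_keypair(MERSENNE[107], MERSENNE[127])
ORG_PUB, ORG_PRIV = rsa_keypair(MERSENNE[61], MERSENNE[89])
TARGET_PUB, TARGET_PRIV = rsa_keypair(MERSENNE[19], MERSENNE[31])
ROGUE_PUB, ROGUE_PRIV = rsa_keypair(MERSENNE[13], MERSENNE[17])

# Simulated blockchain state: the highest-level public key plus each lower object's signature file,
# every file signed with the private key of the object one level up.
CHAIN = {
    "root": {"did": "did:ex:root", "pub": list(ROOT_PUB)},
    "docs": {
        "did:ex:org": sign_file(did_doc("did:ex:org", 2, ORG_PUB, "did:ex:root"), ROOT_PRIV),
        "did:ex:target": sign_file(did_doc("did:ex:target", 3, TARGET_PUB, "did:ex:org"), ORG_PRIV),
    },
}

def collect_verification_set(chain, target_did):
    """Claim 2: climb from the target to the highest level; return the objects ordered top-down."""
    path = [target_did]
    cur = chain["docs"][target_did]["doc"]["issuer"]
    while cur != chain["root"]["did"]:            # DID info says 'not the highest level': keep climbing
        if cur in path or cur not in chain["docs"]:
            raise ValueError(f"malformed relation chain at {cur}")
        path.append(cur)
        cur = chain["docs"][cur]["doc"]["issuer"]
    path.append(cur)
    return path[::-1]

def resolve_target_public_key(chain, vset):
    """Claim 3: start from the root key stored on chain and verify downward to the level i-1 key.
    Returns None as soon as one link fails, so no key from an unverified document is ever trusted."""
    pub = tuple(chain["root"]["pub"])
    for did in vset[1:-1]:                         # objects strictly between the root and the target
        sig_file = chain["docs"][did]
        if not verify_signature_file(sig_file, pub):
            return None
        pub = tuple(sig_file["doc"]["pub"])        # the child's key is read only from a verified document
    return pub

def authenticate(chain, target_did):
    """Claim 1 end to end: True only if every signature from the root down to the target verifies."""
    vset = collect_verification_set(chain, target_did)
    pub = resolve_target_public_key(chain, vset)
    return pub is not None and verify_signature_file(chain["docs"][target_did], pub)

def forged_chain():
    """Constructed negative case: an object names the root as issuer but signed its own DID file."""
    chain = {"root": CHAIN["root"], "docs": dict(CHAIN["docs"])}
    chain["docs"]["did:ex:rogue"] = sign_file(did_doc("did:ex:rogue", 2, ROGUE_PUB, "did:ex:root"), ROGUE_PRIV)
    return chain

def tampered_chain():
    """Constructed negative case: the org's published key is swapped after signing, which breaks
    the chain above the target even though the target's own file is untouched."""
    org = CHAIN["docs"]["did:ex:org"]
    chain = {"root": CHAIN["root"], "docs": dict(CHAIN["docs"])}
    chain["docs"]["did:ex:org"] = {"doc": dict(org["doc"], pub=list(ROGUE_PUB)), "sig": org["sig"]}
    return chain

if __name__ == "__main__":
    print("genuine target:", authenticate(CHAIN, "did:ex:target"))            # True
    print("self-signed   :", authenticate(forged_chain(), "did:ex:rogue"))    # False
    print("tampered key  :", authenticate(tampered_chain(), "did:ex:target")) # False
```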
It should be understood that the computer device 1000 described in the embodiments of the present application may perform the description of the data processing method in the embodiments corresponding to fig. 3, 6, 8 or 9, and may also perform the description of the data processing apparatus 1 in the embodiments corresponding to fig. 11, which are not described herein. In addition, the description of the beneficial effects of the same method is omitted.
Furthermore, it should be noted here that: the embodiment of the present application further provides a computer readable storage medium, in which the computer program executed by the aforementioned data processing apparatus 1 is stored, and when the processor executes the computer program, the description of the data processing method in the embodiment corresponding to fig. 3, 6, 8 or 9 can be executed, and therefore, will not be repeated herein. In addition, the description of the beneficial effects of the same method is omitted. For technical details not disclosed in the embodiments of the computer-readable storage medium according to the present application, please refer to the description of the method embodiments of the present application.
In addition, it should be noted that: embodiments of the present application also provide a computer program product, which may include a computer program, which may be stored in a computer readable storage medium. The processor of the computer device reads the computer program from the computer readable storage medium, and the processor may execute the computer program, so that the computer device performs the description of the data processing method in the embodiment corresponding to fig. 3, 6, 8 or 9, and thus, a detailed description thereof will not be provided herein. In addition, the description of the beneficial effects of the same method is omitted. For technical details not disclosed in the embodiments of the computer program product according to the present application, reference is made to the description of the method embodiments of the present application.
Those skilled in the art will appreciate that implementing all or part of the above-described methods may be accomplished by way of a computer program stored in a computer-readable storage medium, which when executed may comprise the steps of the embodiments of the methods described above. The storage medium may be a magnetic disk, an optical disk, a read-only memory (ROM), a random access memory (RAM), or the like.
The foregoing disclosure is illustrative of the present application and is not to be construed as limiting the scope of the application, which is defined by the appended claims.

Claims (16)

1. A method of data processing, comprising:
acquiring a decentralized identity signature file of a target object from a blockchain through decentralized identity information of the target object; the target object refers to an object located at an i-th level in a first relation chain of an object hierarchy network; i is an integer greater than 1 and less than or equal to n; n is the total number of levels of the object hierarchy network; the decentralized identity signature file of the object at the i-th level in the first relation chain is generated based on private key information of the object at the i-1 th level in the first relation chain; the i-1 th level is higher than the i-th level; each object at a non-highest level is provided with a corresponding decentralized identity signature file, and the decentralized identity signature file of each object at a non-highest level contains that object's own public key information, wherein a non-highest level is any level among the n levels other than the highest level; the public key information of the object at the highest level and the decentralized identity signature file of each object at a non-highest level are stored in the blockchain;
Traversing i-1 objects from the target object to the upper layer in the first relation chain, and taking the target object and the traversed i-1 objects as a first verification object set; the hierarchy of objects in the first set of verification objects includes the ith hierarchy sequentially to the highest hierarchy;
acquiring public key information of the object at the highest level from the blockchain, and acquiring public key information of the object at the i-1 level in the first verification object set as target public key information based on the public key information of the object at the highest level and each decentralised identity signature file associated with the first verification object set;
and carrying out signature verification on the decentralised identity signature file of the target object through the target public key information, and carrying out service processing associated with the target object when the decentralised identity signature file of the target object is successfully subjected to signature verification.
2. The method according to claim 1, wherein traversing i-1 objects from the target object to an upper layer in the first relation chain, taking the target object and the traversed i-1 objects as a first verification object set, comprises:
Determining an i-1 level object for signing the decentralised identity signature file of the target object in the first relation chain, and acquiring decentralised identity information of the i-1 level object;
if the decentralized identity information of the object at the i-1 th level indicates that the i-1 th level is a non-highest level, acquiring the decentralized identity signature file of the object at the i-1 th level from the blockchain through the decentralized identity information of the object at the i-1 th level, adding the target object and the object at the i-1 th level to the first verification object set, continuing to traverse i-2 objects upward from the object at the i-1 th level, and adding the traversed i-2 objects to the first verification object set;
if the de-centralized identity information of the i-1 th level object indicates that the i-1 th level is the highest level, adding the target object and the i-1 th level object to a first verification object set.
3. The method of claim 1, wherein the obtaining public key information of the highest-level object from the blockchain, based on the public key information of the highest-level object and each de-centralized identity signature file associated with the first set of verification objects, obtaining public key information of an object in the i-1 th level in the first set of verification objects as target public key information, comprises:
obtaining the public key information of the object at the highest level from the blockchain, and obtaining the object at the next-highest level of the first relation chain from the first verification object set; the decentralized identity signature file of the object at the next-highest level is generated based on the private key information of the object at the highest level;
if the object at the next highest level is the target object, determining that the object at the i-1 th level in the first verification object set is the object at the highest level, and taking public key information of the object at the highest level as target public key information;
if the object at the next-highest level is not the target object, performing signature verification on the decentralized identity signature file of the object at the next-highest level through the public key information of the object at the highest level, acquiring the public key information of the object at the next-highest level from the decentralized identity signature file of the object at the next-highest level when the signature verification of the decentralized identity signature file of the object at the next-highest level succeeds, and continuing to perform signature verification on the decentralized identity signature file of the object one level lower based on the public key information of the object at the next-highest level, and so on, until the public key information in the decentralized identity signature file of the object at the i-1 th level in the first verification object set is acquired as the target public key information.
4. The method according to claim 3, wherein the decentralized identity signature file of the object at the next-highest level is generated by signing the decentralized identity file of the object at the next-highest level with the private key information of the object at the highest level;
the acquiring the public key information of the object at the next-highest level from the decentralized identity signature file of the object at the next-highest level comprises:
acquiring the decentralized identity file of the object at the next-highest level from the decentralized identity signature file of the object at the next-highest level;
and acquiring the public key information of the object at the next-highest level from the decentralized identity file of the object at the next-highest level.
5. The method of claim 1, wherein the obtaining the de-centralized identity signature file of the target object from the blockchain via the de-centralized identity information of the target object comprises:
receiving a file issuing request sent by the target object through a target service node, and acquiring the decentralized identity information of the target object according to the file issuing request; the decentralized identity information of the target object is obtained from a verifiable identity document of the target object; the verifiable identity document of the target object is carried by the file issuing request, or the verifiable identity document of the target object is acquired from the blockchain according to the file issuing request; the verifiable identity document of the target object is issued for the target object by the service node corresponding to the object at the i-1 th level;
And acquiring the decentralized identity signature file of the target object from the blockchain through the decentralized identity information of the target object.
6. The method of claim 5, wherein said signing the de-centralized identity signature file of the target object with the target public key information, and performing business processes associated with the target object when the de-centralized identity signature file of the target object is successfully signed, comprises:
performing signature verification on the decentralized identity signature file of the target object through the target public key information, and generating a hidden service declaration file of the target object when the signature verification of the decentralized identity signature file of the target object succeeds;
and writing the hidden service declaration file into the blockchain.
7. The method of claim 1, wherein the obtaining the de-centralized identity signature file of the target object from the blockchain via the de-centralized identity information of the target object comprises:
receiving an identity authentication request sent by the target object through a target service node, and acquiring a hidden service expression signature file of the target object according to the identity authentication request; the hidden service expression signature file is carried by the identity authentication request, or the hidden service expression signature file is acquired from the blockchain according to the identity authentication request; the hidden service expression signature file is submitted to the blockchain after the target service node corresponding to the target object performs signature processing on the hidden service expression file; the hidden service expression file is obtained by the target service node corresponding to the target object performing data processing on the hidden service declaration file;
and determining the target object that signed the hidden service expression signature file, acquiring the decentralized identity information of the target object, and acquiring the decentralized identity signature file of the target object from the blockchain through the decentralized identity information of the target object.
8. The method of claim 7, wherein said signing the de-centralized identity signature file of the target object with the target public key information, and performing business processes associated with the target object when the de-centralized identity signature file of the target object is successfully signed, comprises:
performing signature verification on the decentralized identity signature file of the target object through the target public key information, and acquiring the public key information of the target object from the decentralized identity signature file of the target object when the signature verification of the decentralized identity signature file of the target object succeeds;
performing signature verification on the hidden service expression signature file through the public key information of the target object, and obtaining the hidden service expression file when the signature verification of the hidden service expression signature file succeeds;
determining the authentication object that signed the hidden service declaration file, acquiring the decentralized identity information of the authentication object, and acquiring the decentralized identity signature file of the authentication object from the blockchain through the decentralized identity information of the authentication object;
and performing signature verification on the decentralized identity signature file of the authentication object; when the decentralized identity signature file of the authentication object is successfully verified, determining the legitimacy of the hidden service declaration file according to the public key information of the authentication object contained in the decentralized identity signature file of the authentication object, and verifying the hidden service expression file through the hidden service declaration file whose legitimacy has been established.
9. The method of claim 8, wherein the authentication object refers to an object located at a j-th level in a second relation chain of the object hierarchy network; j is an integer greater than 1 and less than or equal to n; the decentralized identity signature file of the object at the j-th level in the second relation chain is generated based on the private key information of the object at the j-1 th level in the second relation chain; the j-1 th level is higher than the j-th level;
The step of performing signature verification on the de-centralized identity signature file of the authentication object comprises the following steps:
traversing j-1 objects from the authentication object to the upper layer in the second relation chain, and taking the authentication object and the traversed j-1 objects as a second verification object set; the hierarchy of objects in the second set of verification objects includes the j-th hierarchy sequentially to the highest hierarchy;
acquiring public key information of the object at the highest level from the blockchain, and acquiring public key information of the object at the j-1 th level in the second verification object set as authentication public key information based on the public key information of the object at the highest level and each decentralised identity signature file associated with the second verification object set;
and carrying out signature verification on the decentralised identity signature file of the authentication object through the authentication public key information.
10. The method of claim 1, wherein performing signature verification on the decentralized identity signature file of the target object through the target public key information comprises:
decrypting the decentralized identity signature file of the target object through the target public key information to obtain the decentralized identity file of the target object and the digest information to be verified corresponding to the decentralized identity file of the target object;
performing a hash calculation on the decentralized identity file of the target object to obtain the target digest information corresponding to the decentralized identity file of the target object;
comparing the digest information to be verified with the target digest information to obtain a signature verification result;
if the digest information to be verified is identical to the target digest information, the signature verification result indicates that signature verification of the decentralized identity signature file of the target object succeeded;
if the digest information to be verified differs from the target digest information, the signature verification result indicates that signature verification of the decentralized identity signature file of the target object failed.
11. The method of claim 1, wherein the object hierarchy network comprises M relationship chains, M being an integer greater than 1; the M relationship chains include the first relationship chain; each level in a relationship chain includes one object; an issuing function and a signature verification function exist between the objects of every two adjacent levels in a relationship chain, where the issuing function means that the object at the higher of the two adjacent levels has the authority to issue to the object at the lower level, and the signature verification function means that the object at the higher of the two adjacent levels has the authority to verify signatures for the object at the lower level.
12. The method of claim 11, wherein the M relationship chains include a relationship chain S_k, k being a positive integer less than or equal to M; the relationship chain S_k includes a high-level object and a low-level object at two adjacent levels, the level of the high-level object being higher than that of the low-level object; the decentralized identity file of the low-level object is used to instruct the service node corresponding to the high-level object, after the service node corresponding to the low-level object has passed authentication, to perform signature processing on the decentralized identity file of the low-level object through the private key information of the high-level object, so as to obtain the decentralized identity signature file of the low-level object, the decentralized identity signature file of the low-level object being written into the blockchain; the decentralized identity file of the low-level object is further used to instruct the service node corresponding to the high-level object to issue a verifiable identity document of the low-level object for the low-level object; the verifiable identity document of the low-level object carries the decentralized identity information of the low-level object; the decentralized identity signature file of the low-level object and the verifiable identity document of the low-level object are used together to instruct the service node corresponding to the high-level object to return an identity registration result to the service node corresponding to the low-level object; the identity registration result includes at least one of the decentralized identity signature file of the low-level object or the verifiable identity document of the low-level object.
13. A data processing apparatus, comprising:
a file acquisition module, configured to acquire the decentralized identity signature file of a target object from the blockchain through the decentralized identity information of the target object; the target object refers to an object located at an i-th level in a first relationship chain of the object hierarchy network; i is an integer greater than 1 and less than or equal to n; n is the total number of levels of the object hierarchy network; the decentralized identity signature file of the object at the i-th level in the first relationship chain is generated based on the private key information of the object at the (i-1)-th level in the first relationship chain; the (i-1)-th level is higher than the i-th level; each object at a non-highest level has a corresponding decentralized identity signature file, and the decentralized identity signature file of each non-highest-level object contains that object's own public key information, where a non-highest level is any of the n levels other than the highest level; the public key information of the object at the highest level and the decentralized identity signature file of each object at a non-highest level are stored in the blockchain;
an object traversal module, configured to traverse i-1 objects upward from the target object in the first relationship chain, and to take the target object and the i-1 traversed objects as a first verification object set; the levels of the objects in the first verification object set run from the i-th level sequentially up to the highest level;
a public key acquisition module, configured to acquire the public key information of the object at the highest level from the blockchain, and to obtain the public key information of the object at the (i-1)-th level in the first verification object set as target public key information based on the public key information of the object at the highest level and each decentralized identity signature file associated with the first verification object set;
and a signature verification module, configured to perform signature verification on the decentralized identity signature file of the target object through the target public key information, and to perform service processing associated with the target object when signature verification of the decentralized identity signature file of the target object succeeds.
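The chain-of-trust walk of claims 1, 9 and 13 (root public key on chain, every lower key taken only from a signature file already verified with the key one level up) together with the digest comparison of claim 10 and the registration layout of claim 12, as an added worked example in Python that is not part of the patent. The ledger layout (a dict holding the highest-level public key and one signature file per lower object), the `parent` field in each DID file, the toy textbook-RSA keys over the fixed primes `P` and `Q`, and the three-level limit are all assumptions of this example.

```python
import hashlib
import json
# Constructed example: textbook RSA over two fixed primes stands in for the real signature scheme
# (toy parameters, not for production); each level gets its own public exponent so the keys differ.
P, Q = 4294967291, 4294967311
PHI = (P - 1) * (Q - 1)
EXPONENTS = [17, 257, 65537]  # all coprime with PHI; one per level, so this toy supports 3 levels

def keygen(e):
    return (e, P * Q), (pow(e, -1, PHI), P * Q)  # (public key, private key)
def digest(did_file):
    # Claim 10: hash the canonical DID file; truncated to 56 bits so it stays below the toy modulus.
    raw = json.dumps(did_file, sort_keys=True).encode()
    return int.from_bytes(hashlib.sha256(raw).digest()[:7], "big")

def sign(did_file, priv):
    d, n = priv
    return {"did_file": did_file, "sig": pow(digest(did_file), d, n)}

def verify(sig_file, pub):
    e, n = pub  # claim 10: "decrypt" the signature with the public key, recompute the digest, compare
    return pow(sig_file["sig"], e, n) == digest(sig_file["did_file"])

def build_ledger(names):
    """Constructed ledger for one relationship chain: names[0] is the highest level (its public key is
    stored directly); each lower object's DID file is signed by the level just above it (claim 12)."""
    keys = {name: keygen(e) for name, e in zip(names, EXPONENTS)}
    ledger = {"root_did": names[0], "root_pub": keys[names[0]][0], "sigfiles": {}}
    for parent, child in zip(names, names[1:]):
        did_file = {"id": child, "parent": parent, "public_key": list(keys[child][0])}
        ledger["sigfiles"][child] = sign(did_file, keys[parent][1])
    return ledger

def verify_target(ledger, target_did):
    """Claims 1/9/13: walk parent links from the target up to the highest level, then verify the
    signature files top-down, taking each level's public key only from its already-verified file."""
    path, seen = [target_did], set()
    while path[-1] != ledger["root_did"]:
        sig_file = ledger["sigfiles"].get(path[-1])
        if sig_file is None or path[-1] in seen:  # unknown object, or a parent cycle
            return False
        seen.add(path[-1])
        path.append(sig_file["did_file"]["parent"])
    pub = ledger["root_pub"]  # only the highest-level key is trusted a priori
    for did in reversed(path[:-1]):  # levels 2 .. i, each checked with the key from one level up
        sig_file = ledger["sigfiles"][did]
        if sig_file["did_file"]["id"] != did or not verify(sig_file, pub):
            return False
        pub = tuple(sig_file["did_file"]["public_key"])
    return True  # target verified with the level i-1 key: service processing may proceed
```

A tampered public key inside any signature file, a missing file, or a parent loop stops the walk before the target is ever trusted, which is the property the claims rely on.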
14. A computer device, comprising: a processor and a memory;
the processor is connected to the memory, wherein the memory is configured to store a computer program, and the processor is configured to invoke the computer program to cause the computer device to perform the method of any of claims 1-12.
15. A computer readable storage medium, characterized in that the computer readable storage medium has stored therein a computer program adapted to be loaded and executed by a processor to cause a computer device having the processor to perform the method of any of claims 1-12.
16. A computer program product, characterized in that the computer program product comprises a computer program stored in a computer readable storage medium and adapted to be read and executed by a processor to cause a computer device with the processor to perform the method of any of claims 1-12.
Application CN202211390160.2A (priority and filing date 2022-11-08), published as CN116980156A on 2023-10-31; legal status pending; family ID 88480278; country CN.

Similar Documents

Publication Publication Date Title
Palma et al. Blockchain and smart contracts for higher education registry in Brazil
US11153096B2 (en) Platform for generating authenticated data objects
Nguyen et al. Towards a blockchain-based certificate authentication system in Vietnam
US11003771B2 (en) Self-help for DID claims
US11683175B2 (en) Methods and systems for tracking and recovering assets stolen on distributed ledger-based networks
CN109716707A (en) Distributed electrical subrecord and transactions history
Ali et al. Blockchain and the future of the internet: A comprehensive review
ul Hassan et al. Blockchain and the future of the internet: a comprehensive review
CN109858911A (en) Qualification verification method, device, system, equipment and readable storage medium storing program for executing
CN110674531B (en) Residential information management method, device, server and medium based on block chain
Li et al. A decentralized and secure blockchain platform for open fair data trading
Al-Aswad et al. BZKP: Blockchain-based zero-knowledge proof model for enhancing healthcare security in Bahrain IoT smart cities and COVID-19 risk mitigation
Kareem et al. Verification Process of Academic Certificates Using Blockchain Technology.
CN113779637B (en) Attribute data processing method, attribute data processing device, attribute data processing equipment and attribute data processing medium
Chase et al. Credential transparency system
Xiong et al. BDIM: A Blockchain-Based Decentralized Identity Management Scheme for Large Scale Internet of Things
CN116980156A (en) Data processing method, device, computer equipment and readable storage medium
Pujari et al. A decentralized consensus application using blockchain ecosystem
CN108141367A (en) Code signing service
Glauser Self-Sovereign Identities in Cardossier
Sadasiuvam A critical review on using blockchain technology in education domain
Sayyad et al. Voting Using Blockchain Technology
US20240005316A1 (en) Method, apparatus, and computer-readable medium for authentication and authorization of networked data transactions
US20230267457A1 (en) Privacy preserving asset transfer between networks
Kjørberg An Overview of Blockchain-Based Identity Management Systems.

Legal Events

Date Code Title Description
PB01 Publication
PB01 Publication