CN117040754A - Method and apparatus for generating, verifying, and decentralizing identity, and storage medium - Google Patents

Method and apparatus for generating, verifying, and decentralizing identity, and storage medium Download PDF

Info

Publication number
CN117040754A
CN117040754A CN202310980105.7A CN202310980105A CN117040754A CN 117040754 A CN117040754 A CN 117040754A CN 202310980105 A CN202310980105 A CN 202310980105A CN 117040754 A CN117040754 A CN 117040754A
Authority
CN
China
Prior art keywords
user
identity
key
document
private key
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN202310980105.7A
Other languages
Chinese (zh)
Inventor
卢毅
梁伟
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
China Telecom Technology Innovation Center
China Telecom Corp Ltd
Original Assignee
China Telecom Technology Innovation Center
China Telecom Corp Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by China Telecom Technology Innovation Center, China Telecom Corp Ltd filed Critical China Telecom Technology Innovation Center
Priority to CN202310980105.7A priority Critical patent/CN117040754A/en
Publication of CN117040754A publication Critical patent/CN117040754A/en
Pending legal-status Critical Current

Links

Classifications

    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/32Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L9/3247Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving digital signatures
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/08Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L9/0816Key establishment, i.e. cryptographic processes or cryptographic protocols whereby a shared secret becomes available to two or more parties, for subsequent use
    • H04L9/0819Key transport or distribution, i.e. key establishment techniques where one party creates or otherwise obtains a secret value, and securely transfers it to the other(s)
    • H04L9/0822Key transport or distribution, i.e. key establishment techniques where one party creates or otherwise obtains a secret value, and securely transfers it to the other(s) using key encryption key
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/08Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L9/0861Generation of secret information including derivation or calculation of cryptographic keys or passwords
    • H04L9/0866Generation of secret information including derivation or calculation of cryptographic keys or passwords involving user or device identifiers, e.g. serial number, physical or biometrical information, DNA, hand-signature or measurable physical characteristics
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/50Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols using hash chains, e.g. blockchains or hash trees
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04WWIRELESS COMMUNICATION NETWORKS
    • H04W12/00Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W12/60Context-dependent security
    • H04W12/69Identity-dependent
    • H04W12/72Subscriber identity

Abstract

The present disclosure provides methods and apparatus for generating, verifying, and decentralizing identities, and storage media. A method for generating a decentralised identity, comprising: generating a decentralised identity DID identifier for the user based on the real identity information of the user; issuing a private key for digital signature to the user; encrypting the private key using a first key and storing the encrypted private key, the first key being divided into a first number of parts and sent to a first number of key holders, respectively; and generating a DID document for the user, the DID document including the DID identifier and a list of the first number of key holders.

Description

Method and apparatus for generating, verifying, and decentralizing identity, and storage medium
Technical Field
The present disclosure relates generally to information technology, and more particularly, to methods and apparatus for generating, verifying, and decentralizing identities, and storage media.
Background
With the advent and popularity of the internet, traditional identities have another form of presentation, namely digital identities. It is generally recognized that the evolution of digital identities has undergone four phases, namely, centralized identity, federated identity, user-centric identity, and self-hosting identity, respectively. The de-centralized identity is an self-rightful identity that is fully controlled by the owner without any centralized third party involvement, meaning that any information about the identity of the owner is fully held in the owner's own hands without the owner's permission and cannot be obtained by anyone.
How to use the decentralized identity more securely is always a focus of attention.
Disclosure of Invention
The following presents a simplified summary of the disclosure in order to provide a basic understanding of some aspects of the disclosure. However, it should be understood that this summary is not an exhaustive overview of the disclosure. It is not intended to identify key or critical elements of the disclosure or to delineate the scope of the disclosure. Its purpose is to present some concepts related to the disclosure in a simplified form as a prelude to the more detailed description that is presented later.
The present disclosure proposes methods and apparatus, and storage media, for generating, verifying a decentralised identity, providing an efficient, secure decentralised identity solution.
According to one aspect of the present disclosure, there is provided a method for generating a decentralised identity, comprising: generating a decentralised identity DID identifier for the user based on the real identity information of the user; issuing a private key for digital signature to the user; encrypting the private key using a first key and storing the encrypted private key, wherein the first key is divided into a first number of parts and sent to a first number of key holders, respectively; and generating a DID document for the user, the DID document including the DID identifier and a list of the first number of key holders.
In an embodiment of the present disclosure, further comprising: obtaining a list of the first number of key holders from the DID document based on the DID identifier of the user in response to receiving a request from the user to recover the private key; recovering the first key from the first number of key holders; decrypting the encrypted private key by using the first key to obtain the private key; and issuing the decrypted private key to the user.
In an embodiment of the disclosure, said recovering the first key from the first number of key holders comprises: receiving a second number of portions of the first key from a second number of the key holders, wherein the second number is less than or equal to the first number; and recovering the first key based on the second number of portions of the first key in response to determining that the second number is greater than a preset value.
In an embodiment of the present disclosure, further comprising: verifying the true identity information of the user; and generating the DID identifier based again on the user's real identity information.
In an embodiment of the disclosure, the issuing a private key for digital signature to the user includes: writing the private key into a user identification device of the user, wherein the DID document further includes an identification code of the user identification device, and wherein the method further includes: and writing the DID identifier into the user identification device.
In an embodiment of the disclosure, the subscriber identity device comprises a subscriber identity module, SIM, card, and the identity of the subscriber identity device comprises an international mobile subscriber identity, imsi, of the SIM card.
In an embodiment of the present disclosure, further comprising: and storing the DID document in a blockchain, wherein the encrypted private key is stored in a server of an issuing authority.
In an embodiment of the present disclosure, the DID identifier includes a hash value of the true identity information of the user.
In an embodiment of the disclosure, the DID document further comprises a public key for performing the digital signature, wherein the public key is generated together with the private key, wherein the method further comprises: and storing the DID document in a blockchain.
According to another aspect of the present disclosure, there is provided a method for verifying a decentralised identity, comprising: receiving a digital signature based on a private key from a user; receiving a decentralised identity, DID, verification request from the user, the request comprising a decentralised identity, DID, identifier of the user, the DID identifier being generated based on the user's real identity information; acquiring a DID document of the user based on the DID identifier in the DID verification request; obtaining a public key of the user in the DID document; verifying the private key-based digital signature using the public key; and verifying the user's de-centralized identity based on the result of verifying the digital signature.
In an embodiment of the disclosure, the DID verification request further includes an identification code of a user identification device of the user, and the method further includes: acquiring an identification code in the DID document of the user; comparing the identification code in the DID verification request with the identification code in the DID document; wherein said verifying the user's off-center avatar based on the result of verifying the digital signature comprises: when the digital signature passes verification and the identification code in the DID verification request is the same as the identification code in the DID document, the user's de-centralized identity passes verification.
In an embodiment of the disclosure, the subscriber identity device is a subscriber identity module, SIM, card, and the identity code is an international mobile subscriber identity, imsi, of the SIM card.
In an embodiment of the present disclosure, the obtaining the DID document of the user includes obtaining the DID document from a blockchain.
According to one aspect of the present disclosure, there is provided a decentralised identity generation apparatus comprising: a memory having instructions stored thereon; and a processor configured to execute instructions stored on the memory to perform the method for generating a decentralised identity described above.
According to one aspect of the present disclosure, there is provided a decentralised authentication device comprising: a memory having instructions stored thereon; and a processor configured to execute instructions stored on the memory to perform the method for verifying a decentralised identity described above.
According to one aspect of the present disclosure, there is provided a computer-readable storage medium having stored thereon computer-executable instructions that, when executed by one or more processors, cause the one or more processors to perform the above-described method for generating a decentralized identity.
According to one aspect of the present disclosure, there is provided a computer-readable storage medium having stored thereon computer-executable instructions that, when executed by one or more processors, cause the one or more processors to perform the above-described method for verifying a decentralized identity.
In accordance with embodiments of the present disclosure, an efficient, secure, decentralized identity solution is provided.
Drawings
The accompanying drawings, which are incorporated in and constitute a part of this specification, illustrate embodiments of the disclosure and together with the description, serve to explain the principles of the disclosure.
The disclosure may be more clearly understood from the following detailed description taken in conjunction with the accompanying drawings in which:
fig. 1 is an exemplary flowchart of a method for generating a decentralised identity according to an embodiment of the present disclosure.
FIG. 2 is a schematic diagram of a system for implementing decentralised identity.
Fig. 3 is an exemplary flowchart of further steps of a method for generating a decentralised identity according to an embodiment of the present disclosure.
Fig. 4 is an exemplary flowchart of sub-steps and other steps of a method for generating a decentralized identity according to an embodiment of the present disclosure.
Fig. 5 is a schematic diagram of generating a DID identifier based on real name information.
Fig. 6 is a SIM card based de-centralized identity DID document structure.
Fig. 7 is a schematic diagram of writing a DID identifier and a user private key to a SIM card.
Fig. 8 is an exemplary flowchart of further steps of a method for generating a decentralised identity according to an embodiment of the present disclosure.
Fig. 9 is an exemplary flowchart of sub-steps of a method for generating a decentralised identity according to an embodiment of the present disclosure.
Fig. 10 is an exemplary flowchart of further steps of a method for generating a decentralised identity according to an embodiment of the present disclosure.
Fig. 11 is a schematic diagram of a threshold-based private key recovery scheme.
Fig. 12 is an exemplary flowchart of a method for verifying a decentralised identity according to an embodiment of the present disclosure.
Fig. 13 is an exemplary flowchart of further steps and sub-steps of a method for verifying a decentralised identity according to an embodiment of the present disclosure.
Fig. 14 is an exemplary flowchart of sub-steps of a method for verifying a decentralised identity according to an embodiment of the present disclosure.
FIG. 15 illustrates an exemplary configuration of a computing device in which embodiments according to the present disclosure may be implemented.
Detailed Description
The following detailed description is made with reference to the accompanying drawings and is provided to assist in a comprehensive understanding of various example embodiments of the disclosure. The following description includes various details to aid in understanding, but these are to be considered merely examples and are not intended to limit the disclosure, which is defined by the appended claims and their equivalents. The words and phrases used in the following description are only intended to provide a clear and consistent understanding of the present disclosure. In addition, descriptions of well-known structures, functions and configurations may be omitted for clarity and conciseness. Those of ordinary skill in the art will recognize that various changes and modifications of the examples described herein can be made without departing from the spirit and scope of the present disclosure.
The traditional centralized user identities are various and have no mutual authentication and intercommunication, and the identity information is mastered in the Internet platform mechanism, so that privacy and safety are lacked. The decentralised identity has important technical value as a credential for a user to access the Web3.0 future Internet and the meta universe. Currently, there is also an integrated, unified need for user identity for different web3.0 applications.
The decentralised identity is controlled by the private key, the private key is mastered, the control right of the identity is provided, and if the private key is lost and stolen once, the identity cannot be recovered.
Example embodiments of the present disclosure provide solutions to improve the security of decentralized identities.
Fig. 1 is an exemplary flowchart of a method for generating a decentralised identity according to an embodiment of the present disclosure. The method for generating a decentralised identity of embodiments of the present disclosure may comprise steps S101-S104.
As shown in fig. 1, in step S101, a decentralised identity DID identifier is generated for the user based on the user' S real identity information. The manner of generating the DID identifier based on the user real identity information will be described later. In step S102, a private key for performing digital signature is issued to the user; in step S103, the private key is encrypted using a first key, and the encrypted private key is stored, the first key being divided into a first number of parts and sent to a first number of key holders, respectively. For example, the first key may be a security key used to encrypt the private key. The secure key is sent to a plurality of key holders in multiple shares, respectively. In step S104, a DID document is generated for the user, the DID document including a DID identifier and a list of a first number of key holders. The DID document structure will be described later. The DID document includes a DID identifier and a list of a plurality of key holders.
FIG. 2 is a schematic diagram of a system for implementing decentralised identity.
As an example, an operator may be used to generate and issue a decentralised identity, with SIM card provisioning and issuing capabilities. Such as, but not limited to, chinese telecommunications as an example of an operator.
The verifier is used for verifying the decentralised identity of the user, and corresponding services can be provided after the user passes the authentication. For example, but not limited to, a WEB3.0 game is an example of a service.
The user removes the center identity holder, and carries out real-name authentication to the operator to obtain the center identity; the identity is presented to the verifier to obtain the corresponding service.
The blockchain is used for trusted storage services to store decentralised avatar information such as DID identifiers and DID documents in a decentralised manner.
In some embodiments, the above method further comprises: step S106, the DID document is stored in the blockchain, and the encrypted private key is stored in a server of the issuing authority. Fig. 3 is an exemplary flowchart of further steps of a method for generating a decentralised identity according to an embodiment of the present disclosure.
In some embodiments, issuing a private key for digital signing to a user comprises: substep S1022, writing the private key into the user identification device of the user, where the DID document further includes an identification code of the user identification device, where the method further includes: step S108, the DID identifier is written into the user identification device. Fig. 4 is an exemplary flowchart of sub-steps and other steps of a method for generating a decentralized identity according to an embodiment of the present disclosure.
In some embodiments, the subscriber identity device comprises a subscriber identity module, SIM, and the identity of the subscriber identity device comprises the international mobile subscriber identity, imsi, of the SIM.
In some embodiments, the DID identifier includes a hash value of the user's real identity information.
In some embodiments, the DID document also includes a public key for digital signing, the public key being generated along with the private key.
The blockchain technique is a novel decentralizing information technique. The data or information stored in the blockchain has the characteristics of 'non-falsifiable', 'whole trace', 'traceable', 'transparent open', 'collective maintenance', and the like. Based on the characteristics, the blockchain technology lays a solid 'trust' foundation, creates a reliable 'cooperation' mechanism and has wide application prospect.
An intelligent contract is a computer protocol that aims to propagate, verify, or execute contracts in an informative manner. Smart contracts allow trusted transactions to be made without third parties, which transactions are traceable and irreversible. The purpose of smart contracts is to provide a security approach that is superior to traditional contracts and to reduce other transaction costs associated with the contracts. A blockchain smart contract is a piece of code written on the blockchain that automatically executes once some event triggers a term in the contract. That is, the condition is satisfied and the manual manipulation is not required.
And the operator performs real-name authentication on the user, generates public and private keys for the user after the authentication is passed, and generates a DID identifier based on the real-name information of the user. Fig. 5 is a schematic diagram of generating a DID identifier based on real name information.
As shown in fig. 5, the user real name information may include: name (Name), identification Number (ID Number), gender (Gender), date of birth (Birthdate), etc.
The DID identifier would be written to the SIM card.
The de-centralized identity DID of the present disclosure refers to the W3C standard, and the DID identifier format is as follows:
did:<did-method>:<method-specific-id>
for example, as specific examples of the DID identifier, the following identifier format can be cited.
did:chinatelecom-did:
0db04cb5add742332d8f143fb3ac98183c6683924500cf5bf188581ae299b7fd
Where < did-method > indicates a scheme name used by the did, for example, the present disclosure uses the child-did, but is not limited thereto.
And, the method-specific-id is calculated based on the user real name information. For example, the amount may be calculated using a hash. The hash algorithm SHA256 is employed, but is not limited thereto. I.e.
< method-specific-id > =sha256 (< personal information > < personal information >) which is real name information of the user, as shown in fig. 5.
According to the W3C standard, the present disclosure designs a decentralised identity DID document structure, as shown in fig. 6. Fig. 6 is a SIM card based de-centralized identity DID document structure. The DID document includes the unique identifier imsi of the SIM card, implementing a one-to-one correspondence of the decentralised identity and the SIM card.
Wherein, did is an identifier of the decentralised identity; imsi is the unique identification of the mobile phone SIM card; idType is a key algorithm, such as secp256k1; pubKey is a public key; the didcretter is a creator of the DID, for example, but not limited to, a business hall; createTime and updateTime are the creation and update times of DID; the guard ianlist is a list of user key holders, i.e. a list of key holders corresponding to the first number mentioned above.
Based on the designed DID document structure, the generation of the decentralised identity is completed: the previous step has completed the generation of the DID identifier and public and private key, and the step completes the generation confirmation of the rest fields in the DID document. The imsi is an identifier of the SIM card of the user mobile phone, and is written into the DID document, so that the binding of the SIM card and the decentralised identity is realized. And saving the DID document information into a blockchain to realize the decentralization storage.
Fig. 7 is a schematic diagram of writing a DID identifier and a user private key to a SIM card.
As shown in fig. 7: the private key is written into the SIM card, the security of the private key is ensured based on hardware storage, and operations such as digital signature and the like can be completed in the SIM card, so that the private key is safely stored and used. On the other hand, the encrypted private key is stored in the operator, and when the SIM card (private key) is lost, the key recovery can be performed.
The DID document structure designed as in the previous step, wherein, for example, guard ianlist is a user key holder list for decentralized management of user security keys. After the user generates the DID identity, the operator writes the private key into the SIM card and saves the private key encrypted using the user security key for recovery of the private key.
In some embodiments, the above method further comprises: step S110, in response to receiving a request for recovering the private key from the user, obtaining a list of a first number of key holders from the DID document based on the DID identifier of the user; step S112, recovering the first key from the first number of key holders; step S114, the encrypted private key is decrypted by using the first secret key to obtain the private key; and step S116, issuing the decrypted private key to the user. Fig. 8 is an exemplary flowchart of further steps of a method for generating a decentralised identity according to an embodiment of the present disclosure.
In some embodiments, recovering the first key from the first number of key holders comprises: substep S1122 of receiving a second number of portions of the first key from a second number of key holders, the second number being less than or equal to the first number; and substep S1124, responsive to determining that the second number is greater than the preset value, recovering the first key based on the second number of portions of the first key. Fig. 9 is an exemplary flowchart of sub-steps of a method for generating a decentralised identity according to an embodiment of the present disclosure.
In some embodiments, the above method further comprises: step S118, verifying the true identity information of the user; and step S120, generating the DID identifier based on the real identity information of the user again. Fig. 10 is an exemplary flowchart of further steps of a method for generating a decentralised identity according to an embodiment of the present disclosure.
As an (n, t) threshold scheme for decentralized management of user security keys, an original user security key is logically divided, and partial keys are saved by n users, and only when t (t is less than or equal to n) of the n users take out the partial keys of the user security key, the original key can be recovered. The guiian list is a user list for storing n partial keys, which can be friends, trusted individuals or organizations of the user, and when the DID identity is generated, the DID document is written into and stored in the blockchain.
N corresponds to the first number and t corresponds to the second number. And when the second number is greater than a preset value, the security key can be restored based on the t partial keys. For example, when t=8, the preset value is set to 6, but is not limited thereto.
Fig. 11 is a schematic diagram of a threshold-based private key recovery scheme.
As shown in fig. 11: when the SIM card (private key) of the user is lost, the operator firstly carries out real-name authentication on the user and verifies the real identity information of the user. By then generating the DID identifier again based on the user's real identity information. And recovering the user security key from the user of the guiian list of the DID document according to the DID identifier, decrypting to obtain the private key of the user, and writing the private key into a new SIM card. And synchronously updates the DID document (imsi field update, etc.).
Fig. 12 is an exemplary flowchart of a method for verifying a decentralised identity according to an embodiment of the present disclosure. The method for verifying a decentralised identity of an embodiment of the present disclosure may comprise steps S701-S706. In step S701, a digital signature based on a private key is received from a user. In step S702, a decentralised identity DID verification request is received from the user, the request containing a decentralised identity DID identifier of the user, the DID identifier being generated based on the real identity information of the user. In step S703, a DID document of the user is acquired based on the DID identifier in the DID verification request. In step S704, the public key of the user in the DID document is acquired. In step S705, a digital signature based on a private key is verified using a public key. In step S706, the user' S de-centralized identity is verified based on the result of verifying the digital signature.
In some embodiments, the DID verification request further includes an identification code of a user identification device of the user, and the method further includes: step S708, acquiring an identification code in the DID document of the user; step S710, comparing the identification code in the DID verification request with the identification code in the DID document; verifying the user's off-center avatar based on the result of verifying the digital signature includes: step S7062, when the digital signature passes the verification and the identification code in the DID verification request is the same as the identification code in the DID document, the user' S decentralised identity passes the verification. Fig. 13 is an exemplary flowchart of further steps and sub-steps of a method for verifying a decentralised identity according to an embodiment of the present disclosure.
In some embodiments, the subscriber identity device is a subscriber identity module, SIM, and the identity is the international mobile subscriber identity, imsi, of said SIM.
In some embodiments, obtaining the DID document for the user includes: sub-step S7032 acquires the DID document from the blockchain. Fig. 14 is an exemplary flowchart of sub-steps of a method for verifying a decentralised identity according to an embodiment of the present disclosure.
When the user performs WEB3.0 activities such as meta universe and the like, the user identity realizes double verification: (1) The verifier verifies the correctness of the DID identity of the user by verifying the digital signature of the user; (2) The user request carries the imsi information of the sender SIM card, and the verifier ensures that the request is really sent out by the user SIM card by verifying whether the imsi is consistent with the DID document, thereby ensuring the identity security under the condition that the private key is lost and stolen.
The process of generating, verifying, retrieving the decentralised identity of the present disclosure is illustrated below using a specific application example.
Identity generation comprises the following processes:
1. user A applies for generating a decentralised identity from an operator;
2. the operator carries out real-name authentication on the user A;
3. the authentication is passed, a public key and a private key are generated for the user A, and a DID identifier of the user A is calculated by adopting a specified hash algorithm based on a specified real-name information structure;
4. based on the designed DID document structure, completing the off-center avatar generation of the user A;
5. storing DID document information of the user A in a blockchain;
6. writing the DID identifier and the private key of the user A into the SIM card of the user A;
7. the operator generates a security key for the user A, encrypts a private key of the user A by using the key and stores the private key in an operator system;
8. logically dividing the security key, and delivering the security key to trusted persons set by N users for storage (the trusted persons information is stored in a guarianList field in the DID document);
9. the decentralization identity generation of the user A is completed.
The identity verification comprises the following steps:
1. the user A performs WEB3.0 activities and needs identity authentication;
2. the user A uses a private key to carry out digital signature in the SIM card, and the digital signature is sent to a verifier;
3. at the same time, the imsi of the SIM being used by the user A is read and contained in the authentication request;
4. the verifier obtains the public key information of the user A from the block chain and verifies the digital signature;
5. the verifier obtains the imsi information of the DID identity of the user A from the blockchain, and compares whether the imsi information is consistent with the imsi information in the step 3;
6. the digital signature passes verification, and imsi is consistent, then the identity verification passes. ( The digital signature can verify that the user really grasps the private key, and the identity authenticity is ensured; the imsi consistency can ensure that the identity authentication request is sent by the user himself, and the private key is prevented from being stolen )
The identity recovery comprises the following steps:
1. the SIM card of the user A is lost, and the centralized identity needs to be retrieved;
2. the user A performs real-name authentication (identity card checking and the like) to an operator;
3. the real name authentication is passed, and an operator acquires a trust list in the DID document of the user A from the blockchain;
4. initiating a request to a trusted party, and recovering a security key;
5. in the set (n, t), t (t is less than or equal to n) of n users take out the part of the secret key of the user, and the security secret key is recovered;
6. decrypting the encrypted private key by using the secure key to obtain a private key of the user A;
7. writing the DID identifier and the private key of the user A into a new SIM card;
and (5) completing the identity recovery.
In the present example comparison technique, user related identity information is stored through blockchain, identity is verified through private key digital signature, and user private key is stored through SIM. The present disclosure provides a decentralizing identity scheme combining with a SIM card, which combines SIM card information into a digital identity, combines with the SIM card to generate the digital identity, and uses a blockchain to store related information of the digital identity, thereby greatly improving the security of the digital identity. On the other hand, a retrieval method of the user private key based on a threshold scheme is designed, so that the security of the decentralised identity is further improved.
Namely, a method for generating an off-center avatar based on a SIM card is provided, the off-center avatar of a user is generated by using the SIM card, a private key is stored, and digital signature of the user is completed in the SIM card. The operator performs real-name authentication on the user, generates a DID identifier based on real-name information, designs a DID document structure containing SIM card information, and designs a method for generating a decentralised identity of the user based on the DID document structure. On the other hand, the invention designs a retrieval method of the user private key based on a threshold scheme, and the private key can be recovered under the condition of losing and being stolen, thereby ensuring the security of the decentralised identity.
Example embodiments of the present disclosure include at least the following advantages:
1. the identity is autonomously controllable: the identity of each user is controlled not by a trusted third party but by an owner thereof, the individual can independently manage the identity of the user, and the ownership of the identity is mastered by the user;
2. privacy protection: when participating in WEB3.0 activities such as meta universe and the like, the digital identity is used, so that privacy can not be leaked; meanwhile, the operator realizes real-name authentication, and the communication between the digital identity and the real identity is ensured.
3. High security: the method combines the SIM card to generate the decentralised identity, the identity information is based on blockchain storage, and the security of the decentralised identity is greatly improved by an identity double-verification mechanism in a software-hardware layer.
Example embodiments of the present disclosure include at least the following advances:
1. the decentralized identity DID document structure designed by the present disclosure is used as a basis for generating the decentralized identity, integrates SIM card information, is realized through a blockchain intelligent contract, and improves the security of the identity;
2. the dual verification mechanism of the design of the present disclosure verifies the correctness of the user identity through the digital signature; through the imsi information carried by the sender SIM card in the request, the verification request is truly sent by the SIM card of the user, and the dual-layer surface of software and hardware ensures the identity security;
3. a private key recovery method based on a threshold scheme is provided, a user sets a trusted person in advance, safe key storage is carried out, and the private key is recovered through decryption based on the threshold scheme, so that digital identity security is guaranteed.
The present disclosure also provides a decentralised identity generation apparatus comprising: a memory having instructions stored thereon; and a processor configured to execute instructions stored on the memory to perform the method for generating a decentralised identity described above.
The present disclosure also provides a decentralised authentication device comprising: a memory having instructions stored thereon; and a processor configured to execute instructions stored on the memory to perform the method for verifying a decentralised identity described above.
FIG. 15 illustrates an exemplary configuration of a computing device in which embodiments according to the present disclosure may be implemented.
Computing device 500 is an example of a hardware device that can employ the above aspects of the present disclosure. Computing device 500 may be any machine configured to perform processing and/or calculations. Computing device 500 may be, but is not limited to, a workstation, a server, a desktop computer, a laptop computer, a tablet computer, a Personal Data Assistant (PDA), a smart phone, an in-vehicle computer, or a combination thereof.
As shown in fig. 15, computing device 500 may include one or more elements that may be connected to or in communication with bus 502 via one or more interfaces. Bus 502 can include, but is not limited to, an industry standard architecture (Industry Standard Architecture, ISA) bus, a micro channel architecture (Micro Channel Architecture, MCA) bus, an Enhanced ISA (EISA) bus, a Video Electronics Standards Association (VESA) local bus, and a Peripheral Component Interconnect (PCI) bus. Computing device 500 may include, for example, one or more processors 504, one or more input devices 506, and one or more output devices 508. The one or more processors 504 may be any kind of processor and may include, but are not limited to, one or more general purpose processors or special purpose processors (such as special purpose processing chips). The processor 502 may be configured to execute instructions stored on the memory to perform the method for generating a decentralised identity described above, or the method for verifying a decentralised identity described above, for example. Input device 506 may be any type of input device capable of inputting information to a computing device and may include, but is not limited to, a mouse, keyboard, touch screen, microphone, and/or remote controller. Output device 508 may be any type of device capable of presenting information and may include, but is not limited to, a display, speakers, video/audio output terminals, vibrators, and/or printers.
Computing device 500 may also include or be connected to a non-transitory storage device 514, which non-transitory storage device 514 may be any storage device that is non-transitory and that may enable data storage, and may include, but is not limited to, disk drives, optical storage devices, solid state memory, floppy diskettes, flexible disks, hard disks, magnetic tape, or any other magnetic medium, compact disk or any other optical medium, cache memory, and/or any other memory chip or module, and/or any other medium from which a computer may read data, instructions, and/or code. Computing device 500 may also include Random Access Memory (RAM) 510 and Read Only Memory (ROM) 512. The ROM 512 may store programs, utilities or processes to be executed in a nonvolatile manner. The RAM510 may provide volatile data storage and stores instructions related to the operation of the computing device 500. Computing device 500 may also include a network/bus interface 516 that is coupled to a data link 518. The network/bus interface 516 can be any kind of device or system capable of enabling communication with external apparatuses and/or networks and can include, but is not limited to, modems, network cards, infrared communication devices, wireless communication devices, and/or chipsets (such as bluetooth (TM) devices, 802.11 devices, wiFi devices, wiMax devices, cellular communication facilities, etc.).
The present disclosure may be implemented as any combination of apparatuses, systems, integrated circuits, and computer programs on a non-transitory computer readable storage medium. One or more processors may be implemented as an Integrated Circuit (IC), application Specific Integrated Circuit (ASIC), or large scale integrated circuit (LSI), system LSI, super LSI, or ultra LSI assembly that performs some or all of the functions described in this disclosure.
The present disclosure includes the use of software, applications, computer programs, or algorithms. The software, application, computer program or algorithm may be stored on a non-transitory computer readable storage medium to cause a computer, such as one or more processors, to perform the steps described above and the steps depicted in the figures. For example, one or more memories may store software or algorithms in executable instructions and one or more processors may associate a set of instructions to execute the software or algorithms to provide various functions in accordance with the embodiments described in this disclosure.
The software and computer programs (which may also be referred to as programs, software applications, components, or code) include machine instructions for a programmable processor, and may be implemented in a high-level procedural, object-oriented, functional, logical, or assembly or machine language. The term "computer-readable storage medium" refers to any computer program product, apparatus or device, such as magnetic disks, optical disks, solid state memory devices, memory, and Programmable Logic Devices (PLDs), for providing machine instructions or data to a programmable data processor, including computer-readable storage media that receive machine instructions as a computer-readable signal.
By way of example, a computer-readable storage medium may comprise Dynamic Random Access Memory (DRAM), random Access Memory (RAM), read Only Memory (ROM), electrically erasable read only memory (EEPROM), compact disc read only memory (CD-ROM) or other optical disk storage, magnetic disk storage or other magnetic storage devices, or any other medium that can be used to carry or store desired computer-readable program code in the form of instructions or data structures and that can be accessed by a general purpose or special purpose computer or general purpose or special purpose processor. Disk or disc, as used in this disclosure, includes Compact Disc (CD), laser disc, optical disc, digital Versatile Disc (DVD), floppy disk and blu-ray disc where disks usually reproduce data magnetically, while discs reproduce data optically with lasers. Combinations of the above are also included within the scope of computer-readable storage media.
The subject matter of the present disclosure is provided as examples of methods, systems, and computer-readable storage media for performing the features described in the present disclosure. However, other features or variations are contemplated in addition to the features described above. It is contemplated that the implementation of the components and functions of the present disclosure may be accomplished with any emerging technology that may replace any of the above-described implementation technologies.
In addition, the foregoing description provides examples without limiting the scope, applicability, or configuration set forth in the claims. Changes may be made in the function and arrangement of elements discussed without departing from the spirit and scope of the disclosure. Various embodiments may omit, replace, or add various procedures or components as appropriate. For example, features described with respect to certain embodiments may be combined in other embodiments.
Similarly, although operations are depicted in the drawings in a particular order, this should not be understood as requiring that such operations be performed in the particular order shown or in sequential order, or that all illustrated operations be performed, to achieve desirable results. In some cases, multitasking and parallel processing may be advantageous.

Claims (17)

1. A method for generating a decentralised identity, comprising:
generating a decentralised identity DID identifier for the user based on the real identity information of the user;
issuing a private key for digital signature to the user;
encrypting the private key using a first key and storing the encrypted private key, wherein the first key is divided into a first number of parts and sent to a first number of key holders, respectively; and
a DID document is generated for the user, the DID document including the DID identifier and a list of the first number of key holders.
2. The method of claim 1, further comprising:
obtaining a list of the first number of key holders from the DID document based on the DID identifier of the user in response to receiving a request from the user to recover the private key;
recovering the first key from the first number of key holders;
decrypting the encrypted private key by using the first key to obtain the private key; and
and issuing the decrypted private key to the user.
3. The method of claim 2, wherein the recovering the first key from the first number of key holders comprises:
receiving a second number of portions of the first key from a second number of the key holders, wherein the second number is less than or equal to the first number; and
in response to determining that the second number is greater than a preset value, the first key is recovered based on the second number of portions of the first key.
4. The method of claim 2, further comprising:
verifying the true identity information of the user; and
the DID identifier is generated again based on the true identity information of the user.
5. The method of claim 1, wherein the issuing a private key for digital signing to a user comprises:
writing the private key into a user identification device of the user,
wherein the DID document further includes an identification code of the user identification device,
wherein the method further comprises: and writing the DID identifier into the user identification device.
6. The method of claim 5, wherein the subscriber identification device comprises a subscriber identity module, SIM, card, the identity of the subscriber identification device comprising an international mobile subscriber identity, imsi, of the SIM card.
7. The method of any of claims 1-6, further comprising:
the DID document is stored in the blockchain,
wherein the encrypted private key is stored to a server of an issuing authority.
8. The method of claim 1, wherein the DID identifier comprises a hash value of the user's real identity information.
9. The method of claim 1, wherein the DID document further comprises a public key for performing the digital signature, wherein the public key is generated along with the private key.
10. A method for verifying a decentralised identity, comprising:
receiving a digital signature based on a private key from a user;
receiving a decentralised identity, DID, verification request from the user, the request comprising a decentralised identity, DID, identifier of the user, the DID identifier being generated based on the user's real identity information;
acquiring a DID document of the user based on the DID identifier in the DID verification request;
obtaining a public key of the user in the DID document;
verifying a digital signature based on the private key using the public key; and
and verifying the decentralised identity of the user according to the result of verifying the digital signature.
11. The method of claim 10, wherein the DID authentication request further comprises an identification code of a user identification device of the user,
the method further comprises the steps of:
acquiring an identification code in the DID document of the user; and
comparing the identification code in the DID verification request with the identification code in the DID document;
wherein said verifying the user's off-center avatar based on the result of verifying the digital signature comprises:
when the digital signature passes verification and the identification code in the DID verification request is the same as the identification code in the DID document, the user's de-centralized identity passes verification.
12. The method of claim 11, wherein,
the subscriber identification means is a subscriber identification module SIM card,
the identification code is the international mobile subscriber identity imsi of the SIM card.
13. The method of claim 10 or 11, the obtaining the DID document of the user comprising obtaining the DID document from a blockchain.
14. A de-centralized identity generation apparatus, comprising:
a memory having instructions stored thereon; and
a processor configured to execute instructions stored on the memory to perform the method for generating a de-centralised identity according to any of claims 1 to 9.
15. A de-centralized authentication device, comprising:
a memory having instructions stored thereon; and
a processor configured to execute instructions stored on the memory to perform the method for verifying a decentralised identity according to any one of claims 10 to 13.
16. A computer-readable storage medium having stored thereon computer-executable instructions that, when executed by one or more processors, cause the one or more processors to perform the method for generating a de-centralized identity of any of claims 1 to 9.
17. A computer-readable storage medium having stored thereon computer-executable instructions that, when executed by one or more processors, cause the one or more processors to perform the method for verifying a de-centralized identity of any of claims 10 to 13.
CN202310980105.7A 2023-08-04 2023-08-04 Method and apparatus for generating, verifying, and decentralizing identity, and storage medium Pending CN117040754A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202310980105.7A CN117040754A (en) 2023-08-04 2023-08-04 Method and apparatus for generating, verifying, and decentralizing identity, and storage medium

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202310980105.7A CN117040754A (en) 2023-08-04 2023-08-04 Method and apparatus for generating, verifying, and decentralizing identity, and storage medium

Publications (1)

Publication Number Publication Date
CN117040754A true CN117040754A (en) 2023-11-10

Family

ID=88631030

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202310980105.7A Pending CN117040754A (en) 2023-08-04 2023-08-04 Method and apparatus for generating, verifying, and decentralizing identity, and storage medium

Country Status (1)

Country Link
CN (1) CN117040754A (en)

Similar Documents

Publication Publication Date Title
US11683187B2 (en) User authentication with self-signed certificate and identity verification and migration
CN110417750B (en) Block chain technology-based file reading and storing method, terminal device and storage medium
US9118662B2 (en) Method and system for distributed off-line logon using one-time passwords
CN111787530B (en) Block chain digital identity management method based on SIM card
US10659226B2 (en) Data encryption method, decryption method, apparatus, and system
US10250613B2 (en) Data access method based on cloud computing platform, and user terminal
US20130159699A1 (en) Password Recovery Service
CN107196901B (en) Identity registration and authentication method and device
JP2016535902A (en) System for accessing data from multiple devices
CN110445840B (en) File storage and reading method based on block chain technology
CA3006893A1 (en) Digital identity network interface system
US20200272759A1 (en) Systems and methods for secure high speed data generation and access
CA3057398C (en) Securely performing cryptographic operations
CN112784311A (en) Deposit certificate system and block chain network
KR101792220B1 (en) Method, mobile terminal, device and program for providing user authentication service of combining biometric authentication
CN103458101B (en) The hardware encryption storage method of a kind of mobile phone privacy contact person and system
JP2020521341A (en) Cryptographic key management based on identification information
CN106778295B (en) File storage method, file display method, file storage device, file display device and terminal
US20230291565A1 (en) Data recovery for a computing device
US11620393B1 (en) System and method for facilitating distributed peer to peer storage of data
CN113055157B (en) Biological characteristic verification method and device, storage medium and electronic equipment
CN117040754A (en) Method and apparatus for generating, verifying, and decentralizing identity, and storage medium
CN106161365B (en) Data processing method and device and terminal
CN113904850A (en) Secure login method, generation method and system based on block chain private key keystore and electronic equipment
WO2020263938A1 (en) Document signing system for mobile devices

Legal Events

Date Code Title Description
PB01 Publication
PB01 Publication
SE01 Entry into force of request for substantive examination
SE01 Entry into force of request for substantive examination