CN117544314A - Distributed digital identity life cycle management system and method based on block chain - Google Patents


Publication number
CN117544314A
Authority
CN
China
Prior art keywords
blockchain
certificate
exp
identity
merkle
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN202311563376.9A
Other languages
Chinese (zh)
Inventor
彭光宇
王英豪
刘轩铭
张佳文
杨小虎
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Zhejiang University ZJU
Original Assignee
Zhejiang University ZJU

Abstract

The invention discloses a blockchain-based distributed digital identity lifecycle management system and method. The system comprises a trusted authority center, a DID issuer, a DID holder, a DID verifier and an alliance blockchain. By combining identity-based digital signatures, additively homomorphic signatures and the blockchain consensus mechanism, the invention gives the DID issuer flexible control over early revocation, extension on expiry and natural expiry of the validity period of the DID holder's distributed digital identity, prevents the identity-impersonation risk caused by repeatedly issuing DID certificates, realizes cross-domain distributed identity authentication between entities, greatly reduces the computation and communication overhead of the trusted authority center and the DID issuer, greatly reduces the storage overhead of the DID verifier, and saves as much of the alliance blockchain's on-chain storage as possible.

Description

Distributed digital identity life cycle management system and method based on block chain
Technical Field
The invention relates to the field of alliance block chain consensus mechanism and identity-based digital signature, in particular to a distributed digital identity life cycle management system and method based on block chains.
Background
In recent years, with the rapid development of fifth-generation mobile communication technology, big data, distributed machine learning, internet of things and other technologies, the development of each industry is increasingly dependent on the comprehensive analysis of multi-source data. Through data sharing, information in different fields can be mutually blended, innovation is accelerated, and complex problems are solved, so that information interaction among entities such as personnel, equipment and the like among organizations with dense data use is increasingly enhanced, collaboration among the organizations is realized, and data sharing requirements are increased. In a collaborative environment, authentication between people and devices is critical. The entities pass through reliable identity authentication, so that information security in the data sharing process is ensured, and risks such as identity impersonation are prevented. An efficient identity authentication system is established between institutions, so that the cooperation efficiency is improved, the privacy of individuals is protected, and the trust and transparency of cross-domain cooperation are promoted.
Traditional centralized identity management suffers from single points of failure and from privacy and security risks. First, once the centralized system is attacked or fails, the whole identity management system crashes, causing a serious interruption of management. Second, large amounts of sensitive information, such as personal identity and financial data, are stored centrally; once intruded upon by criminals, this may lead to massive privacy disclosure, causing serious damage to users and institutions. Finally, users lack direct control over their personal data, so their privacy and security may be compromised by improper use.
The distributed digital identity uses the characteristics of decentralization, non-falsification and the like of the blockchain to store the user identity information on a plurality of nodes in a scattered way, so that the safety is improved. In addition, the distributed digital identity can provide a more convenient and flexible identity verification mode for users, and the digital ecosystem is promoted to be more seamlessly interconnected. However, existing distributed digital authentication schemes have less discussion of how to implement flexible control of digital identity lifecycles. Lifecycle management of distributed digital identities is an essential link to ensure system security and compliance operation. By accurately controlling the creation, verification, updating, renewal and revocation of the identity, the mechanism can realize the real-time supervision of the digital identity information of the managed individuals, remove malicious users in time and prevent the security threat including identity theft. In addition, reasonable life cycle management improves the efficiency of the system, ensures the timeliness and accuracy of the identity information, and provides safer and more flexible digital identity use experience for users.
Disclosure of Invention
The invention aims at overcoming the defects of the prior art and provides a distributed digital identity life cycle management system and method based on a blockchain.
The invention aims at realizing the following technical scheme:
In a first aspect, the present invention provides a blockchain-based distributed digital identity lifecycle management system, comprising:
a trusted authority center, which: initializes the generation parameters of the distributed digital identity (DID); initializes the alliance blockchain; and grants the DID issuer the authority to issue DID certificates by issuing it a digital certificate;
a DID issuer, which: issues a DID certificate containing the DID's natural expiration date to each DID holder it governs, using an additively homomorphic digital signature; when a DID holder's DID certificate must be withdrawn early, publishes a DID early-revocation notice to the alliance blockchain in the form of a transaction, so as to revoke the DID holder's authority ahead of time; and when a DID holder's validity period must be extended, issues a DID renewal license to the DID holder using an additively homomorphic digital signature, directly extending the validity period of the original DID certificate;
a DID holder, which: registers its local DID with the alliance blockchain; sends access requests carrying a digital signature to a DID verifier; achieves distributed identity verification through the DID certificate and the digital signature; and extends the validity period of the original DID certificate according to the DID renewal license;
a DID verifier, typically the data owner, which: synchronizes the DID early-revocation list maintained by the alliance blockchain; checks against the DID early-revocation list to determine the validity of the DID holder's certificate; and verifies the DID holder's digital signature based on the distributed identity to determine the legitimacy of the DID holder's access request;
an alliance blockchain, which: provides a DID registration service to a DID issuer; records the DID early-revocation list in a Merkle dictionary tree structure, wherein the root of the Merkle dictionary tree of the DID early-revocation list is stored on the alliance blockchain and the body of the DID early-revocation list is stored locally at the alliance blockchain nodes; and uses the PBFT consensus mechanism to vote on the consistency of the Merkle dictionary tree root in each new block, thereby ensuring the global consistency of the DID early-revocation list among all nodes of the alliance blockchain.
Further, the method for updating the DID early-revocation list comprises the following steps:
the DID issuer publishes a DID early-revocation transaction on the alliance blockchain;
the alliance blockchain records early-revoked DIDs in a Merkle dictionary tree structure and writes the root of the Merkle dictionary tree into the new block header;
the alliance blockchain incorporates whether the Merkle dictionary tree root is consistent into the first-stage voting process of PBFT consensus;
the DID issuer and the DID verifier synchronize the DID early-revocation list.
Further, the DID issuer publishes the DID early-revocation transaction on the alliance blockchain, specifically:
the DID issuer publishes the DID early-revocation transaction $tx_{qr} = \{DID, AoD, ts, htxQ, \sigma\}$, where $DID$ is the DID identifier of the DID holder (prover) whose validity period is terminated early; $AoD$ is the add/delete identifier, with $AoD = 0$ indicating that the DID holder's DID certificate is revoked early and $AoD = 1$ indicating that the DID holder's DID certificate is restored for use; $ts$ is the timestamp of the transaction; $htxQ = H(DID, AoD, ts)$ is the hash digest of the transaction content and also serves as the identifier of the transaction; and $\sigma = Sig(htxQ)$ is the digital signature of the DID prover on the hash value of the transaction content.
Further, the alliance blockchain records early-revoked DIDs in the Merkle dictionary tree structure, writes the Merkle dictionary tree root into the new block header, and stores the Merkle dictionary tree itself locally at the alliance blockchain nodes, specifically:
the alliance blockchain node uses the Merkle dictionary tree structure to record all DID holders that have been revoked early, dynamically adjusts the existing Merkle dictionary tree according to the DID early-revocation transactions $tx_{qr}$ contained in the new block, and writes the root of the new Merkle dictionary tree into the header of the next block;
the alliance blockchain node verifies the validity of the signature of $tx_{qr}$ and checks the add/delete identifier; when $AoD = 0$ the alliance blockchain node adds the corresponding DID holder to the Merkle dictionary tree, realizing early revocation, and when $AoD = 1$ it removes the corresponding DID holder from the Merkle dictionary tree, realizing restoration of use;
the alliance blockchain node periodically checks the Merkle dictionary tree, and if it finds a DID holder whose DID certificate has reached its natural expiration date, it issues a transaction $tx_{qr}$ with $AoD = 1$ to remove that DID holder from the Merkle dictionary tree, releasing local storage space.
Further, the alliance blockchain incorporates whether the Merkle dictionary tree root is consistent into the first-stage voting process of PBFT consensus, specifically:
the leader node of the alliance blockchain writes the newly generated transactions $tx_{qr}$ into the block body, writes the root of the correspondingly updated Merkle dictionary tree into the block header, packages the new block to be put on chain, and then sends the packaged new block to the other follower nodes for verification;
each follower node of the alliance blockchain updates its local Merkle dictionary tree according to the transactions $tx_{qr}$ in the new block to be put on chain and computes the root of the new Merkle dictionary tree; when the computed root equals the root in the block header, the follower node casts an approving vote in the first stage, and otherwise it does not; the voting rules of the other stages are the same as the PBFT consensus voting rules.
Further, the DID issuer and the DID verifier synchronize the DID early-revocation list, specifically:
the DID issuer synchronizes the DID early-revocation list by participating in and completing PBFT consensus;
the DID verifier confirms and synchronizes the DID early-revocation list by checking the DID early-revocation transactions and the root of the Merkle dictionary tree in each new block of the alliance blockchain.
In a second aspect, the present invention provides a blockchain-based distributed digital identity lifecycle management method implemented using the blockchain-based distributed digital identity lifecycle management system described in the first aspect, the method comprising:
initializing a blockchain-based distributed digital identity lifecycle management system:
the trusted authority center generates the long-term keys of the DID issuer, the DID holder and the DID verifier;
the DID holder obtains a DID certificate from the DID issuer and registers its local DID on the alliance blockchain;
the DID issuer extends or shortens the validity period of the DID certificate of a DID holder it governs, according to actual requirements;
the DID verifier directly verifies the DID holder's access request by checking the validity of the DID holder's DID certificate and the validity of the digital signature.
Further, the initialization of the blockchain-based distributed digital identity lifecycle management system is specifically as follows:
a large prime number $q$ is configured, and the trusted authority center selects a bilinear pairing $e: G_1 \times G_1 \to G_T$, where $G_1$ is an additive cyclic group of order $q$ and $G_T$ is a multiplicative cyclic group of order $q$; the trusted authority center selects a secret value $s$ as the master private key of the trusted authority center and computes $P_{pub} = sP$ as the master public key, where $P$ is a generator of the cyclic group $G_1$ and the integer group from which the secret value is selected has elements ranging from 1 to $q-1$; a hash function is selected:
$H_1: \{0,1\}^* \to \{0,1\}^l$, where $l$ denotes the string length;
the public parameters for initializing the blockchain-based distributed digital identity lifecycle management system are:
$param = (G_1, G_T, e, q, P, P_{pub}, H_0, H_1)$;
the trusted authority center generates the long-term keys of the DID issuer, the DID holder and the DID verifier, specifically:
the DID issuer, the DID holder and the DID verifier are uniformly denoted as end U; end U submits a request with its own identity identifier $ID_U$ to the trusted authority center through a secure channel in order to have the corresponding private key generated; the trusted authority center computes $Q_U = H_0(ID_U)$ and $S_U = sQ_U$ from the identity identifier $ID_U$; the trusted authority center sends the long-term key $S_U$ to end U through a secure channel; end U discloses its own $ID_U$ to other entities and uses $(Q_U, S_U)$ to sign messages and to verify the signatures carried by messages.
Further, the DID-holding party obtains the DID certificate from the DID issuer and registers the local DID in the federation blockchain, specifically:
the DID issuer generates the DID certificate $Cert = (ID_0 \| ID_1 \| exp_0 \| exp_1, \sigma_i)$ for the DID holder from its own identity identifier $ID_i$ and the DID holder's identity identifier $ID_h$, where $ID_0 = DID = ID_i \| ID_h$ is the DID holder's distributed digital identity, $ID_1 = null$ is a reserved empty field for identity-theft protection, $exp_0$ is the validity period of the distributed digital identity, $exp_1 = null$ is a reserved empty field for updating the validity period of the distributed digital identity, and $\sigma_i = Sig(ID_0 \| ID_1 \| exp_0 \| exp_1)$ is the DID issuer's digital signature on the DID certificate, which has the additive homomorphic property; after receiving the DID certificate, the DID holder registers $DID = ID_i \| ID_h$ on the alliance blockchain, whereupon it takes effect;
the DID issuer generates a DID renewal license $Permission = (ID'_0 \| ID'_1 \| exp'_0 \| exp'_1, \sigma_i)$ for the DID holder in response to the DID holder's request to extend the DID validity period, where $ID'_0 = -ID_0$ and $ID'_1 = ID_1$ jointly serve to prevent identity theft, $exp'_0 = -exp_0$ and $exp'_1 = exp_{new}$ jointly serve to update the validity period of the DID holder's distributed digital identity, $exp_{new}$ is the validity period of the DID certificate newly specified by the DID issuer for the DID holder, and $\sigma_i = Sig(ID'_0 \| ID'_1 \| exp'_0 \| exp'_1)$ is the DID issuer's digital signature on the DID renewal license, which has the additive homomorphic property; after receiving the DID renewal license, the DID holder performs a homomorphic addition of $Cert$ and $Permission$ to obtain $Cert_{new} = (ID_0 \| ID_1 \| exp_0 \| exp_1, \sigma_i)$, where $ID_0 = ID_0 - ID'_0 = null$ is the reserved empty identity-theft-protection field required for the next update, $ID_1 = ID_1 + ID'_1 = ID_i \| ID_h$ is the DID holder's distributed digital identity, $exp_0 = null$ is the reserved empty field of the distributed digital identity required for the next update, $exp_1 = exp'_1 = exp_{new}$ is the new validity period of the distributed digital identity after the update, and $\sigma_i = Sig(ID_0 \| ID_1 \| exp_0 \| exp_1)$ is the DID issuer's digital signature, with the additive homomorphic property, on the extended-validity DID certificate $Cert_{new}$; by applying this method repeatedly, the DID issuer and the DID holder can extend the validity period of the original DID certificate multiple times while preventing the DID holder from abusing the DID renewal license.
Further, the DID verifier directly verifies the access request of the DID prover by checking the validity of the DID certificate of the DID prover and the validity of the digital signature, specifically:
the DID verifier first verifies the validity of the signature on the DID holder's DID certificate, and then queries the alliance blockchain to confirm that the DID holder is registered and is not on the DID early-revocation list, so as to determine the validity of the DID holder's DID certificate;
the DID verifier verifies the validity of the DID holder's DID certificate and, according to $DID = ID_i \| ID_h$ in the DID certificate, verifies the validity of the digital signature on the access request.
In a third aspect, the present invention provides a blockchain-based distributed digital identity lifecycle management apparatus, comprising a memory and one or more processors, the memory having executable code stored therein, which when executed by the processors, implements the blockchain-based distributed digital identity lifecycle management method as described in the first aspect.
In a fourth aspect, the present invention provides a computer readable storage medium having stored thereon a program which, when executed by a processor, implements a blockchain-based distributed digital identity lifecycle management method as described in the first aspect.
The beneficial effects of the invention are as follows: the invention provides a distributed digital identity life cycle management system and a distributed digital identity life cycle management method based on a blockchain, which can realize the early revocation, expiration extension and natural invalidation of the validity period of the distributed digital identity; the DID advanced revocation lists of all legal entities can be forced to keep consistent through a block chain consensus mechanism so as to resist malicious man-in-the-middle attacks; the direct identity mutual verification among entities governed by different institutions can be realized through DID-based digital signatures; because the trusted authority center and the proving party do not need to be involved in each verification, the communication cost and the calculation cost of the whole system can be reduced.
Drawings
In order to more clearly illustrate the embodiments of the present invention or the technical solutions in the prior art, the drawings that are needed in the embodiments will be briefly described below, and it is obvious that the drawings in the following description are only some embodiments of the present invention, and other drawings may be obtained according to these drawings without inventive effort for a person skilled in the art.
FIG. 1 is a block diagram of a distributed digital identity lifecycle management system based on blockchain, provided by an embodiment of the present invention;
FIG. 2 is an interactive block diagram of a blockchain-based distributed digital identity lifecycle management system provided by an embodiment of the present invention;
FIG. 3 is a schematic diagram of DID certificate natural revocation, early revocation and expiration extension of a blockchain-based distributed digital identity lifecycle management system provided by an embodiment of the present invention;
FIG. 4 is a block diagram of a blockchain-based distributed digital identity lifecycle management apparatus, provided by an embodiment of the present invention.
Detailed Description
For a better understanding of the technical solutions of the present application, embodiments of the present application are described in detail below with reference to the accompanying drawings.
It should be understood that the described embodiments are merely some, but not all, of the embodiments of the present application. All other embodiments, based on the embodiments herein, which would be apparent to one of ordinary skill in the art without making any inventive effort, are intended to be within the scope of the present application.
The terminology used in the embodiments of the application is for the purpose of describing particular embodiments only and is not intended to be limiting of the application. As used in this application and the appended claims, the singular forms "a," "an," and "the" are intended to include the plural forms as well, unless the context clearly indicates otherwise.
Example 1
The present embodiment provides a blockchain-based distributed digital identity (Decentralized Identity, DID) lifecycle management system, as shown in fig. 1-3, comprising:
a trusted authority center, which: initializes the generation parameters of the distributed digital identity (DID); initializes the alliance blockchain; and grants the DID issuer the authority to issue DID certificates by issuing it a digital certificate;
a DID issuer, which: issues a DID certificate containing the DID's natural expiration date to each DID holder it governs, using an additively homomorphic digital signature; when a DID holder's DID certificate must be withdrawn early, publishes a DID early-revocation notice to the alliance blockchain in the form of a transaction, so as to revoke the DID holder's authority ahead of time; and when a DID holder's validity period must be extended, issues a DID renewal license to the DID holder using an additively homomorphic digital signature, directly extending the validity period of the original DID certificate;
a DID holder, which: registers its local DID with the alliance blockchain; sends access requests carrying a digital signature to a DID verifier; achieves distributed identity verification through the DID certificate and the digital signature; and extends the validity period of the original DID certificate according to the DID renewal license;
a DID verifier, typically the data owner, which: synchronizes the DID early-revocation list maintained by the alliance blockchain; checks against the DID early-revocation list to determine the validity of the DID holder's certificate; and verifies the DID holder's digital signature based on the distributed identity to determine the legitimacy of the DID holder's access request;
an alliance blockchain, which: provides a DID registration service to a DID issuer; records the DID early-revocation list in a Merkle dictionary tree structure, wherein the Merkle dictionary tree root (root) of the DID early-revocation list is stored on the alliance blockchain and the body of the DID early-revocation list is stored locally at the alliance blockchain nodes; and uses the PBFT consensus mechanism to vote on the consistency of the Merkle dictionary tree root (root) in each new block, thereby ensuring the global consistency of the DID early-revocation list among all nodes of the alliance blockchain.
Specifically, the method for updating the DID early-revocation list comprises the following steps:
(1) The DID issuer publishes a DID early-revocation transaction on the alliance blockchain, specifically:
the DID issuer publishes the DID early-revocation transaction $tx_{qr} = \{DID, AoD, ts, htxQ, \sigma\}$, where $DID$ is the DID identifier of the DID holder (prover) whose validity period is terminated early; $AoD$ is the add/delete identifier, with $AoD = 0$ indicating that the DID holder's DID certificate is revoked early and $AoD = 1$ indicating that the DID holder's DID certificate is restored for use; $ts$ is the timestamp of the transaction; $htxQ = H(DID, AoD, ts)$ is the hash digest of the transaction content and also serves as the identifier of the transaction; and $\sigma = Sig(htxQ)$ is the digital signature of the DID prover on the hash value of the transaction content.
(2) The alliance blockchain records early-revoked DIDs in the Merkle dictionary tree structure, writes the root of the Merkle dictionary tree into the new block header, and stores the Merkle dictionary tree itself locally at the alliance blockchain nodes, specifically:
the role of alliance blockchain node is taken by an organization or unit participating in the distributed digital identity lifecycle management system; the alliance blockchain node uses the Merkle dictionary tree structure to record all DID holders that have been revoked early, dynamically adjusts the existing Merkle dictionary tree according to the DID early-revocation transactions $tx_{qr}$ contained in the new block, and writes the root of the new Merkle dictionary tree into the header of the next block;
the alliance blockchain node verifies the validity of the signature of $tx_{qr}$ and checks the add/delete identifier; when $AoD = 0$ the alliance blockchain node adds the corresponding DID holder to the Merkle dictionary tree (realizing early revocation), and when $AoD = 1$ it removes the corresponding DID holder from the Merkle dictionary tree (realizing restoration of use);
the alliance blockchain node periodically checks the Merkle dictionary tree, and if it finds a DID holder whose DID certificate has reached its natural expiration date, it issues a transaction $tx_{qr}$ with $AoD = 1$ to remove that DID holder from the Merkle dictionary tree, so as to shrink the Merkle dictionary tree.
(3) The alliance blockchain incorporates whether the Merkle dictionary tree root is consistent into the first-stage voting process of PBFT consensus, specifically:
the leader node of the alliance blockchain writes the newly generated transactions $tx_{qr}$ into the block body, writes the root of the correspondingly updated Merkle dictionary tree into the block header, packages the new block to be put on chain, and then sends the packaged new block to the other follower nodes for verification;
each follower node of the alliance blockchain updates its local Merkle dictionary tree according to the transactions $tx_{qr}$ in the new block to be put on chain and computes the root of the new Merkle dictionary tree; when the computed root equals the root in the block header, the follower node casts an approving vote in the first stage, and otherwise it does not; the voting rules of the other stages are the same as the PBFT consensus voting rules.
(4) The DID issuer and the DID verifier synchronize the DID early-revocation list, specifically:
the DID issuer is typically an alliance blockchain node, which synchronizes the DID early-revocation list by participating in and completing PBFT consensus;
the DID verifier is typically a device or person administered by an organization or unit; it confirms and synchronizes the DID early-revocation list by checking the DID early-revocation transactions and the root of the Merkle dictionary tree in each new block of the alliance blockchain.
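An added example, not part of the patent text or the applicants' code: the follower's first-stage check from steps (2) and (3), where a block is approved only if replaying its $tx_{qr}$ transactions on the local tree reproduces the root in the block header. SHA-256, the simplified hashed trie (not a full Merkle Patricia encoding), the sample DIDs and all function names are assumptions; verification of the signature σ is assumed to have happened already.

```python
import copy
import hashlib
from dataclasses import dataclass

def tx_digest(did: str, aod: int, ts: int) -> bytes:
    """htxQ = H(DID, AoD, ts); fields are length-prefixed so they cannot run together."""
    m = hashlib.sha256()
    for part in (did.encode(), bytes([aod]), ts.to_bytes(8, "big")):
        m.update(len(part).to_bytes(4, "big") + part)
    return m.digest()

@dataclass(frozen=True)
class RevocationTx:
    did: str      # DID of the holder being revoked or restored
    aod: int      # 0 = revoke early, 1 = restore / remove from the list
    ts: int       # transaction timestamp
    htxq: bytes   # H(DID, AoD, ts), also the transaction identifier

def make_tx(did: str, aod: int, ts: int) -> RevocationTx:
    return RevocationTx(did, aod, ts, tx_digest(did, aod, ts))

class MerkleTrie:
    """Hashed trie keyed by the hex nibbles of each DID (assumed, simplified layout)."""

    def __init__(self):
        self.root = {"end": False, "kids": {}}

    def add(self, did: str) -> None:
        node = self.root
        for nib in did.encode().hex():
            node = node["kids"].setdefault(nib, {"end": False, "kids": {}})
        node["end"] = True

    def remove(self, did: str) -> None:
        key, path = did.encode().hex(), [self.root]
        for nib in key:
            nxt = path[-1]["kids"].get(nib)
            if nxt is None:
                return  # DID is not on the list; nothing to do
            path.append(nxt)
        path[-1]["end"] = False
        # Prune now-empty nodes bottom-up so equal sets always hash to equal roots.
        for depth in range(len(key), 0, -1):
            if path[depth]["end"] or path[depth]["kids"]:
                break
            del path[depth - 1]["kids"][key[depth - 1]]

    def contains(self, did: str) -> bool:
        node = self.root
        for nib in did.encode().hex():
            node = node["kids"].get(nib)
            if node is None:
                return False
        return node["end"]

    def root_hash(self) -> bytes:
        return self._hash(self.root)

    def _hash(self, node) -> bytes:
        body = b"\x01" if node["end"] else b"\x00"
        for nib in sorted(node["kids"]):  # sorted: hash is independent of insertion order
            body += nib.encode() + self._hash(node["kids"][nib])
        return hashlib.sha256(body).digest()

@dataclass
class Block:
    txs: list     # block body: the tx_qr transactions
    root: bytes   # block header: trie root after applying txs

def apply_txs(trie: MerkleTrie, txs) -> None:
    for tx in txs:  # validate everything first so a bad block changes nothing
        if tx.aod not in (0, 1) or tx.htxq != tx_digest(tx.did, tx.aod, tx.ts):
            raise ValueError("malformed tx_qr")
    for tx in txs:
        (trie.add if tx.aod == 0 else trie.remove)(tx.did)

def leader_propose(trie: MerkleTrie, txs) -> Block:
    apply_txs(trie, txs)
    return Block(list(txs), trie.root_hash())

def follower_vote(trie: MerkleTrie, block: Block) -> bool:
    """First-stage vote: replay on a copy, approve only if the roots match."""
    candidate = copy.deepcopy(trie)
    try:
        apply_txs(candidate, block.txs)
    except ValueError:
        return False
    return candidate.root_hash() == block.root

if __name__ == "__main__":
    leader, follower = MerkleTrie(), MerkleTrie()
    blk = leader_propose(leader, [make_tx("orgA||emp17", 0, 1700000000)])  # constructed DID
    print("follower approves:", follower_vote(follower, blk), blk.root.hex()[:16])
```

The vote does not mutate the follower's tree; a follower would call `apply_txs` on its own tree only once the remaining PBFT stages complete.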
Example 2
This embodiment provides a method by which an organization manages the blockchain-based distributed digital identity lifecycle of its employees, and by which an employee, represented by a distributed digital identity, makes cross-domain access requests to the employee's own organization and to other organizations. The method is implemented using the blockchain-based distributed digital identity lifecycle management system disclosed in Example 1 and comprises the following steps:
(1) Initializing a distributed digital identity life cycle management system based on a blockchain, which specifically comprises the following steps:
a large prime number $q$ is configured, and the trusted authority center selects a bilinear pairing $e: G_1 \times G_1 \to G_T$, where $G_1$ is an additive Gap Diffie-Hellman cyclic group of order $q$ and $G_T$ is a multiplicative cyclic group of order $q$; the trusted authority center selects a secret value $s$ as the master private key of the trusted authority center and computes $P_{pub} = sP$ as the master public key, where $P$ is a generator of the cyclic group $G_1$ and the integer group from which the secret value is selected has elements ranging from 1 to $q-1$; a hash function is selected:
$H_1: \{0,1\}^* \to \{0,1\}^l$, where $l$ denotes the string length;
the public parameters for initializing the blockchain-based distributed digital identity lifecycle management system are:
$param = (G_1, G_T, e, q, P, P_{pub}, H_0, H_1)$.
(2) The trusted authority center generates the long-term keys of the DID issuer, the DID holder and the DID verifier, specifically:
without loss of generality, the DID issuer, the DID holder and the DID verifier are collectively referred to as end U. End U submits a request with its own identity identifier $ID_U$ to the trusted authority center through a secure channel in order to have the corresponding private key generated. The trusted authority center computes $Q_U = H_0(ID_U)$ and $S_U = sQ_U$ from the identity identifier $ID_U$. The trusted authority center sends the long-term key $S_U$ to end U through a secure channel; end U discloses its own $ID_U$ to other entities and uses $(Q_U, S_U)$ to sign messages and to verify the signatures carried by messages.
(3) Staff members, acting as DID holders, obtain DID certificates from their local organization, acting as the DID issuer, and register their local DID in the alliance blockchain, specifically:
The DID issuer uses its own identity identifier $ID_i$ and the DID holder's identity identifier $ID_h$ to generate the DID certificate $Cert = (ID_0 \| ID_1 \| exp_0 \| exp_1, \sigma_i)$ for the DID holder, where $ID_0 = DID = ID_i \| ID_h$ is the distributed digital identity of the DID holder, $ID_1 = null$ is an empty field reserved for identity theft protection, $exp_0$ is the validity period of the distributed digital identity, $exp_1 = null$ is an empty field reserved for updating the validity period of the distributed digital identity, and $\sigma_i = Sig(ID_0 \| ID_1 \| exp_0 \| exp_1)$ is the DID issuer's digital signature over the DID certificate, which has the additive homomorphic property. After receiving the DID certificate, the DID holder registers $DID = ID_i \| ID_h$ in the alliance blockchain, whereupon it takes effect;
In response to the DID holder's request to extend the DID validity period, the DID issuer generates a DID renewal license $Permission = (ID'_0 \| ID'_1 \| exp'_0 \| exp'_1, \sigma_i)$ for the DID holder, where $ID'_0 = -ID_0$ and $ID'_1 = ID_1$ are used together to prevent identity theft, $exp'_0 = -exp_0$ and $exp'_1 = exp_{new}$ are used together to update the validity period of the DID holder's distributed digital identity, $exp_{new}$ is the validity period of the DID certificate newly specified by the DID issuer for the DID holder, and $\sigma_i = Sig(ID'_0 \| ID'_1 \| exp'_0 \| exp'_1)$ is the DID issuer's digital signature over the DID renewal license, which has the additive homomorphic property. After receiving the DID renewal license, the DID holder performs a homomorphic addition of $Cert$ and $Permission$ to obtain $Cert_{new} = (ID_0 \| ID_1 \| exp_0 \| exp_1, \sigma_i)$, where $ID_0 = ID_0 - ID'_0 = null$ is the empty field reserved for identity theft protection in the next update, $ID_1 = ID_1 + ID'_1 = ID_i \| ID_h$ is the distributed digital identity of the DID holder, $exp_0 = null$ is the empty field of the distributed digital identity reserved for the next update, $exp_1 = exp'_1 = exp_{new}$ is the new validity period of the distributed digital identity after the update, and $\sigma_i = Sig(ID_0 \| ID_1 \| exp_0 \| exp_1)$ is the DID issuer's digital signature, with the additive homomorphic property, over the DID certificate $Cert_{new}$ with the extended validity period. By applying this method repeatedly, the DID issuer and the DID holder can extend the validity period of the original DID certificate multiple times while preventing the DID holder from abusing the DID renewal license.
(4) The DID issuer extends or shortens the validity period of the DID certificate of a DID holder under its management according to actual requirements, specifically as follows:
When the DID validity period needs to be extended, the DID issuer issues a DID renewal license to the DID holder, extending the validity period of the DID certificate;
When the DID validity period needs to be terminated, the DID issuer terminates it by using the update method of the DID early revocation list.
(5) The accessed organization, acting as the DID verifier, directly verifies the DID holder's access request by checking the validity of the DID holder's DID certificate and the validity of the digital signature, specifically:
The DID verifier first verifies the validity of the signature on the DID holder's DID certificate, and then queries the alliance blockchain to confirm that the DID holder is registered and is not on the DID early revocation list, thereby determining the validity of the DID holder's DID certificate;
After confirming that the DID holder's DID certificate is valid, the DID verifier verifies the validity of the digital signature of the access request based on $DID = ID_i \| ID_h$ in the DID certificate.
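The early revocation list consulted in step (5) can be modelled end to end. The following Python code is an added example, not code from the patent: it validates a $tx_{qr} = \{DID, AoD, ts, htxQ, \sigma\}$ transaction as defined in this document, keeps the revoked DIDs in a trie with a Merkle root, and performs the follower node's first-stage root comparison and the verifier's lookup. Assumptions: a plain character trie replaces the Merkle dictionary tree encoding, an HMAC stands in for the signature σ, and the byte encoding of H(DID, AoD, ts), all function names and the sample DIDs are constructed.

```python
import copy
import hashlib
import hmac

END = ""  # trie key marking that a revoked DID ends at this node
DEMO_KEY = b"constructed-demo-key"  # stand-in for the signer's key (assumption)

def h(*parts):  # SHA-256 over length-prefixed parts, so field boundaries are unambiguous
    return hashlib.sha256(b"".join(len(p).to_bytes(4, "big") + p for p in parts)).digest()

def tx_digest(did, aod, ts):  # htxQ = H(DID, AoD, ts); the byte encoding is an assumption
    return h(did.encode(), bytes([aod]), ts.to_bytes(8, "big"))

def sign(htxq):  # HMAC stand-in for the signature sigma = Sig(htxQ)
    return hmac.new(DEMO_KEY, htxq, hashlib.sha256).digest()

def make_tx(did, aod, ts):
    """Build a constructed tx_qr for the demo."""
    d = tx_digest(did, aod, ts)
    return {"DID": did, "AoD": aod, "ts": ts, "htxQ": d, "sigma": sign(d)}

class RevocationTrie:
    """Character trie of revoked DIDs with a Merkle hash over every node."""
    def __init__(self):
        self.root = {}

    def add(self, did):
        node = self.root
        for ch in did:
            node = node.setdefault(ch, {})
        node[END] = True

    def remove(self, did):
        path = [self.root]
        for ch in did:
            if ch not in path[-1]:
                return  # not on the list, nothing to restore
            path.append(path[-1][ch])
        path[-1].pop(END, None)
        # Prune empty branches so the root depends only on the current set.
        for i in range(len(did) - 1, -1, -1):
            if path[i + 1]:
                break
            del path[i][did[i]]

    def contains(self, did):
        node = self.root
        for ch in did:
            node = node.get(ch) or {}  # a missing branch behaves like an empty node
        return END in node

    def root_hash(self, node=None):
        node = self.root if node is None else node
        parts = [b"\x01" if END in node else b"\x00"]
        for ch in sorted(k for k in node if k != END):
            parts += [ch.encode(), self.root_hash(node[ch])]
        return h(*parts)

def apply_tx(trie, tx):
    """Validate one tx_qr, then apply it: AoD=0 revokes, AoD=1 restores."""
    if tx["AoD"] not in (0, 1):
        raise ValueError("AoD must be 0 or 1")
    if not hmac.compare_digest(tx["htxQ"], tx_digest(tx["DID"], tx["AoD"], tx["ts"])):
        raise ValueError("htxQ does not match the transaction content")
    if not hmac.compare_digest(tx["sigma"], sign(tx["htxQ"])):
        raise ValueError("invalid signature")
    (trie.add if tx["AoD"] == 0 else trie.remove)(tx["DID"])

def follower_vote(local, block):
    """First-stage check: replay the block's tx_qr on a copy, compare roots."""
    candidate = copy.deepcopy(local)
    try:
        for tx in block["txs"]:
            apply_tx(candidate, tx)
    except ValueError:
        return False
    return hmac.compare_digest(candidate.root_hash(), block["root"])

def verifier_accepts(registered, trie, did):
    return did in registered and not trie.contains(did)
```

Binding AoD into htxQ is what stops a replayed revocation from being flipped into a restoration: changing the flag without recomputing the digest and signature makes the follower withhold its first-stage vote.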
Example 3
Corresponding to the foregoing embodiment of the blockchain-based distributed digital identity lifecycle management method, the present invention further provides an embodiment of a blockchain-based distributed digital identity lifecycle management device. Referring to FIG. 4, the blockchain-based distributed digital identity lifecycle management device provided by the embodiment of the present invention includes a memory and one or more processors, where executable code is stored in the memory and the processors, when executing the executable code, implement a blockchain-based distributed digital identity lifecycle management method.
The embodiment of the blockchain-based distributed digital identity lifecycle management device can be applied to any device with data processing capability, which may be a device or apparatus such as a computer. The device embodiment may be implemented in software, or in hardware or a combination of hardware and software. Taking software implementation as an example, the device in a logical sense is formed by the processor of the device with data processing capability on which it resides reading the corresponding computer program instructions from non-volatile memory into memory. In terms of hardware, FIG. 4 shows a hardware structure diagram of the device with data processing capability on which the blockchain-based distributed digital identity lifecycle management device provided by the present invention resides; in addition to the processor, memory, network interface and non-volatile memory shown in FIG. 4, the device with data processing capability on which the device of the embodiment resides generally may include other hardware according to its actual function, which is not described here again.
The implementation process of the functions and roles of each unit in the above-mentioned device is specifically detailed in the implementation process of the corresponding steps in the above-mentioned method, and will not be described herein again.
For the device embodiments, reference is made to the description of the method embodiments for the relevant points, since they essentially correspond to the method embodiments. The above described embodiments of the apparatus are only illustrative, wherein the elements illustrated as separate elements may or may not be physically separate, and the elements shown as elements may or may not be physical elements, may be located in one place, or may be distributed over a plurality of network elements. Some or all of the modules may be selected according to actual needs to achieve the purposes of the present invention. Those of ordinary skill in the art will understand and implement the present invention without undue burden.
The embodiment of the invention also provides a computer readable storage medium, on which a program is stored, which when executed by a processor, implements a distributed digital identity lifecycle management method based on a blockchain in the above embodiment.
The computer-readable storage medium may be an internal storage unit, such as a hard disk or memory, of any device with data processing capability described in any of the previous embodiments. The computer-readable storage medium may also be an external storage device of such a device, such as a plug-in hard disk, a Smart Media Card (SMC), an SD card or a flash memory card (Flash Card) provided on the device. Further, the computer-readable storage medium may include both an internal storage unit and an external storage device of the device with data processing capability. The computer-readable storage medium is used to store the computer program and other programs and data required by the device with data processing capability, and may also be used to temporarily store data that has been output or is to be output.
The above-described embodiments are intended to illustrate the present invention, not to limit it, and any modifications and variations made thereto are within the spirit of the invention and the scope of the appended claims.

Claims (10)

1. A blockchain-based distributed digital identity lifecycle management system, the blockchain-based distributed digital identity lifecycle management system comprising:
a trusted authority center, configured to: initialize the generation parameters of the distributed digital identity (DID); initialize the alliance blockchain; and grant the authority to issue DID certificates to the DID issuer by issuing a digital certificate;
a DID issuer, configured to: issue a DID certificate containing the natural expiration date of the DID to a DID holder under its management by using an additive homomorphic digital signature technique; when the DID certificate of a DID holder needs to be revoked in advance, publish a DID early invalidation notice to the alliance blockchain in the form of a transaction, so as to revoke the DID holder's authority in advance; and when the validity period of a DID holder needs to be extended, issue a DID renewal license to the DID holder by using the additive homomorphic digital signature technique, directly extending the validity period of the original DID certificate;
a DID holder, configured to: register a local DID with the alliance blockchain; initiate an access request carrying a digital signature to the DID verifier; achieve distributed identity verification through the DID certificate and the digital signature; and extend the validity period of the original DID certificate according to the DID renewal license;
a DID verifier, configured to: synchronize the DID early revocation list maintained by the alliance blockchain; check against the DID early revocation list to determine the validity of the DID holder's certificate; and verify the DID holder's digital signature based on the distributed identity to determine the legitimacy of the DID holder's access request;
an alliance blockchain, configured to: provide a DID registration service to the DID issuer; record the DID early revocation list by using a Merkle dictionary tree structure, where the Merkle dictionary tree root of the DID early revocation list is stored in the alliance blockchain and the body of the DID early revocation list is stored locally at the alliance blockchain nodes; and use the PBFT consensus mechanism to hold a consistency vote on the Merkle dictionary tree root in each new block, thereby ensuring global consistency of the DID early revocation list among all nodes of the alliance blockchain.
2. The blockchain-based distributed digital identity lifecycle management system of claim 1, wherein the method for updating the DID early revocation list comprises:
the DID issuer publishes a DID early revocation transaction in the alliance blockchain;
the alliance blockchain uses the Merkle dictionary tree structure to record the early-revoked DIDs and writes the Merkle dictionary tree root into the new block header;
the alliance blockchain incorporates the Merkle dictionary tree root into the first-stage voting process of PBFT consensus;
and the DID issuer and the DID verifier synchronize the DID early revocation list.
3. The blockchain-based distributed digital identity lifecycle management system of claim 2, wherein the DID issuer publishes a DID early revocation transaction in the alliance blockchain, specifically:
the DID issuer publishes a DID early revocation transaction $tx_{qr} = \{DID, AoD, ts, htxQ, \sigma\}$, where $DID$ is the DID identifier of the DID prover whose validity period is invalidated in advance, $AoD$ is the add-delete identifier, $AoD = 0$ indicates that the DID certificate of the DID prover is revoked in advance, $AoD = 1$ indicates that the DID certificate of the DID prover is restored for use, $ts$ is the timestamp of the transaction, $htxQ = H(DID, AoD, ts)$ is the hash digest of the transaction content and also serves as the identifier of the transaction, and $\sigma = Sig(htxQ)$ is the digital signature of the DID prover on the hash value of the transaction content.
4. The blockchain-based distributed digital identity lifecycle management system of claim 3, wherein the alliance blockchain uses the Merkle dictionary tree structure to record the early-revoked DIDs, writes the Merkle dictionary tree root into the new block header, and stores the Merkle dictionary tree itself locally at the alliance blockchain nodes, specifically:
the alliance blockchain node uses the Merkle dictionary tree structure to record all DID holders that have been revoked in advance, dynamically adjusts the original Merkle dictionary tree according to the DID early revocation transactions $tx_{qr}$ contained in the new block, and writes the new Merkle dictionary tree root into the header of the next block;
the alliance blockchain node verifies the validity of the signature of $tx_{qr}$ and checks the add-delete identifier; when $AoD = 0$, the alliance blockchain node adds the corresponding DID holder to the Merkle dictionary tree, achieving early revocation, and when $AoD = 1$, it removes the corresponding DID holder from the Merkle dictionary tree, achieving restoration of use;
the alliance blockchain node periodically checks the Merkle dictionary tree, and if it finds a DID holder whose DID certificate has reached its natural expiration date, it publishes a transaction $tx_{qr}$ with $AoD = 1$, removes that DID holder from the Merkle dictionary tree, and releases the local storage space.
5. The blockchain-based distributed digital identity lifecycle management system of claim 4, wherein the alliance blockchain incorporates the Merkle dictionary tree root into the first-stage voting process of PBFT consensus, specifically:
the leader node of the alliance blockchain writes the newly generated transactions $tx_{qr}$ into the block body, writes the root $root$ of the correspondingly updated Merkle dictionary tree into the block header, packages the new block to be put on chain, and then sends the packaged new block to the other follower nodes for verification;
the follower node of the alliance blockchain updates its local Merkle dictionary tree according to the transactions $tx_{qr}$ in the new block to be put on chain and computes the root $root'$ of the new Merkle dictionary tree; when $root' = root$, the follower node casts an approving vote in the first stage, and otherwise it does not cast an approving vote; the voting rules of the other stages are consistent with the PBFT consensus voting rules.
6. The blockchain-based distributed digital identity lifecycle management system of claim 5, wherein the DID issuer and the DID verifier synchronize the DID early revocation list, specifically:
the DID issuer synchronizes the DID early revocation list by participating in and completing PBFT consensus;
the DID verifier confirms and synchronizes the DID early revocation list by checking the DID early revocation transactions and the Merkle dictionary tree root in each new block of the alliance blockchain.
7. A blockchain-based distributed digital identity lifecycle management method implemented using the blockchain-based distributed digital identity lifecycle management system of any of claims 1-6, the blockchain-based distributed digital identity lifecycle management method comprising:
initializing the blockchain-based distributed digital identity lifecycle management system;
the trusted authority center generates the long-term keys of the DID issuer, the DID holder and the DID verifier;
the DID holder obtains a DID certificate from the DID issuer and registers a local DID in the alliance blockchain;
the DID issuer extends or shortens the validity period of the DID certificate of a DID holder under its management according to actual requirements;
the DID verifier directly verifies the DID holder's access request by checking the validity of the DID holder's DID certificate and the validity of the digital signature.
8. The blockchain-based distributed digital identity lifecycle management method of claim 7, wherein initializing the blockchain-based distributed digital identity lifecycle management system specifically comprises:
a large prime number $q$ is configured, and the trusted authority center selects a bilinear pairing $e: G_1 \times G_1 \to G_T$, where $G_1$ is an additive cyclic group of order $q$ and $G_T$ is a multiplicative cyclic group of order $q$; the trusted authority center selects a secret value $s \in Z_q^*$ as the master private key of the trusted authority center and computes $P_{pub} = sP$ as the master public key, where $P$ is a generator of the cyclic group $G_1$ and $Z_q^*$ is an integer group whose elements range from 1 to $q-1$; the following hash functions are selected:
$H_0: \{0,1\}^* \to Z_q^*$
$H_1: \{0,1\}^* \to \{0,1\}^l$, where $l$ denotes the string length;
the common parameters for initializing the blockchain-based distributed digital identity lifecycle management system are:
$param = (G_1, G_T, e, q, P, P_{pub}, H_0, H_1)$;
the trusted authority center generates the long-term keys of the DID issuer, the DID holder and the DID verifier, specifically as follows:
the DID issuer, the DID holder and the DID verifier are uniformly denoted as terminal U; terminal U submits its own identity identifier $ID_U$ to the trusted authority center through a secure channel, requesting generation of the corresponding private key; based on the identity identifier $ID_U$, the trusted authority center computes $Q_U = H_0(ID_U)$ and $S_U = sQ_U$; the trusted authority center sends the long-term key $S_U$ to terminal U through a secure channel; terminal U discloses its own identity identifier $ID_U$ to other entities and uses $(Q_U, S_U)$ to sign messages and to verify the signatures carried by messages.
9. The blockchain-based distributed digital identity lifecycle management method of claim 8, wherein the DID holder obtains the DID certificate from the DID issuer and registers the local DID in the alliance blockchain, specifically:
the DID issuer uses its own identity identifier $ID_i$ and the DID holder's identity identifier $ID_h$ to generate the DID certificate $Cert = (ID_0 \| ID_1 \| exp_0 \| exp_1, \sigma_i)$ for the DID holder, where $ID_0 = DID = ID_i \| ID_h$ is the distributed digital identity of the DID holder, $ID_1 = null$ is an empty field reserved for identity theft protection, $exp_0$ is the validity period of the distributed digital identity, $exp_1 = null$ is an empty field reserved for updating the validity period of the distributed digital identity, and $\sigma_i = Sig(ID_0 \| ID_1 \| exp_0 \| exp_1)$ is the DID issuer's digital signature over the DID certificate, which has the additive homomorphic property; after receiving the DID certificate, the DID holder registers $DID = ID_i \| ID_h$ in the alliance blockchain, whereupon it takes effect;
in response to the DID holder's request to extend the DID validity period, the DID issuer generates a DID renewal license $Permission = (ID'_0 \| ID'_1 \| exp'_0 \| exp'_1, \sigma_i)$ for the DID holder, where $ID'_0 = -ID_0$ and $ID'_1 = ID_1$ are used together to prevent identity theft, $exp'_0 = -exp_0$ and $exp'_1 = exp_{new}$ are used together to update the validity period of the DID holder's distributed digital identity, $exp_{new}$ is the validity period of the DID certificate newly specified by the DID issuer for the DID holder, and $\sigma_i = Sig(ID'_0 \| ID'_1 \| exp'_0 \| exp'_1)$ is the DID issuer's digital signature over the DID renewal license, which has the additive homomorphic property; after receiving the DID renewal license, the DID holder performs a homomorphic addition of $Cert$ and $Permission$ to obtain $Cert_{new} = (ID_0 \| ID_1 \| exp_0 \| exp_1, \sigma_i)$, where $ID_0 = ID_0 - ID'_0 = null$ is the empty field reserved for identity theft protection in the next update, $ID_1 = ID_1 + ID'_1 = ID_i \| ID_h$ is the distributed digital identity of the DID holder, $exp_0 = null$ is the empty field of the distributed digital identity reserved for the next update, $exp_1 = exp'_1 = exp_{new}$ is the new validity period of the distributed digital identity after the update, and $\sigma_i = Sig(ID_0 \| ID_1 \| exp_0 \| exp_1)$ is the DID issuer's digital signature, with the additive homomorphic property, over the DID certificate $Cert_{new}$ with the extended validity period.
10. The blockchain-based distributed digital identity lifecycle management method of claim 9, wherein the DID verifier directly verifies the DID holder's access request by checking the validity of the DID holder's DID certificate and the validity of the digital signature, specifically:
the DID verifier first verifies the validity of the signature on the DID holder's certificate, and then queries the alliance blockchain to confirm that the DID holder is registered and is not on the DID early revocation list, thereby determining the validity of the DID holder's DID certificate;
after confirming that the DID holder's DID certificate is valid, the DID verifier verifies the validity of the digital signature of the access request based on $DID = ID_i \| ID_h$ in the DID certificate.
Application number: CN202311563376.9A
Priority date: 2023-11-22
Filing date: 2023-11-22
Title: Distributed digital identity life cycle management system and method based on block chain
Status: Pending
Publication: CN117544314A (en), publication date 2024-02-09
Family ID: 89791430
Country: CN

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination