KR102497440B1 - Method and system for providing user information management service based on decentralized identifiers - Google Patents

Abstract

A DID-based user information management service providing method and system are disclosed. A method for providing a DID-based user information management service according to the present invention is a service authentication input from a service server associated with the other service when a user terminal using the DID-based user information management service requests to use another service. The step of verifying the identity of the service server by verifying the information using the DID document of the service server loaded from the DID registry of the blockchain; Authenticating the identity of the user terminal by verifying using the DID document of the user terminal, and when the identity of the user terminal is authenticated, reading the user information of the user terminal from the storage and delivering it to the service server so that the user terminal can use the other service. It includes steps to

Description

Method and system for providing DID-based user information management service

The present invention is related to the provision of a DID-based robust user information management service (InfoDID) that reliably stores, updates, and provides other services for user information.

In general, in order to use a digital-based service, a user provides his/her information to each service and authenticates his or her identity through an individual subscription method of creating a service account. In this method, whenever a user uses a new service, it is inconvenient for the user to register as a member by providing his or her personal information to the service.

In addition, a federated identity authentication method that authenticates identity with an existing service account of Google or Facebook using underlying technologies such as OpenID and OAuth without creating a service account for each service is also widely used. It is difficult for the user to know whether the level of authentication is provided, and if the service of the identity provider is stopped, identity authentication becomes impossible.

Recently, as DID (Decentralized IDentifiers) technology using blockchain technology with characteristics such as integrity, decentralization, and high security has emerged as a next-generation identity authentication technology, various blockchain application services using this DID technology have emerged. developed and used.

As a prior art related to blockchain using DID technology, a Korean registration number that initiates a configuration in which a distributed ID is issued and stored as blockchain data, and when an identity verification request is received, the stored blockchain data is retrieved to perform identity authentication. 10-2139645, Korea Publication No. 10-2021-0020851, which supports blockchain network users to effectively manage, back up, and restore their private keys, and configuration for self-authentication through DID issued from the blockchain network. A technology for managing user information by utilizing a blockchain-based DID has been disclosed, such as Korean Registration No. 10-2201679.

However, by using blockchain-based DID, users' personal information is reliably controlled to provide only the user's information necessary for various other services that users want to use, and support convenient and stable identity authentication for users' use of various services. The technology to do so is still absent.

An embodiment of the present invention provides a robust user information management service (InfoDID) that reliably stores and updates user information through identity authentication using blockchain-based DID technology and reliably provides user information to other services that the user wants to use. By implementing, the purpose is to improve the convenience of the user's use of various services.

Embodiments of the present invention implement the provision of up-to-date user information through continuous provision of user information that is updated after providing user information to other services, thereby solving the inconvenience caused by user information modification and improving the user's convenience in using various services. It aims to further improve.

A method for providing a DID-based user information management service according to the present invention is a service authentication input from a service server associated with the other service when a user terminal using the DID-based user information management service requests to use another service. The step of verifying the identity of the service server by verifying the information using the DID document of the service server loaded from the DID registry of the blockchain; Authenticating the identity of the user terminal by verifying using the DID document of the user terminal, and when the identity of the user terminal is authenticated, reading the user information of the user terminal from the storage and delivering it to the service server so that the user terminal can use the other service. steps may be included.

In addition, in the DID-based user information management service providing system according to an embodiment of the present invention, as a user terminal using the DID-based user information management service generates a request for use of another service, a service server associated with the other service. A server authentication unit that authenticates the identity of the service server by verifying the service authentication information input from the blockchain using the DID document of the service server loaded from the DID registry of the blockchain; A user authentication unit that authenticates the user terminal by verifying the DID document of the user terminal loaded from the DID registry, and when the user terminal is authenticated, by reading the user information of the user terminal from the storage and forwarding it to the service server, It may include a delivery processing unit that allows the user terminal to use the other service.

According to the present invention, user information is reliably managed (stored/updated) through identity authentication using blockchain-based DID technology, while user information is reliably provided to the service server that provides the service the user wants to use. It is possible to implement a user information management service (InfoDID) that supports convenient use of various services and continuously provides up-to-date user information.

According to the present invention, the DID registry developed as a smart contract of the Ethereum blockchain is used for the DID identity authentication service to reliably control the user's personal information, and to provide only the user's information necessary for various other services that the user wants to use. In addition, it is possible to support the use of various services by users based on stable identity authentication without worrying about service suspension of existing identity verification providers.

1 is a block diagram showing the configuration of a DID-based user information management service providing system according to the present invention.
2 is a diagram illustrating a network including a DID-based user information management service providing system according to the present invention.
3 is a diagram illustrating a DID document recorded in an extended DID registry in the DID-based user information management service providing system according to the present invention.
4A and 4B are diagrams illustrating an identity authentication procedure using a DID document of a user terminal in the DID-based user information management service providing system according to the present invention.
5A is a diagram for explaining a process of providing a user information delivery service in the DID-based user information management service providing system according to the present invention.
5B is a diagram for explaining a process for providing up-to-date user information in the DID-based user information management service providing system according to the present invention.
6A and 6B are flowcharts illustrating a sequence of a method for providing a DID-based user information management service according to the present invention.

Hereinafter, embodiments will be described in detail with reference to the accompanying drawings. However, since various changes can be made to the embodiments, the scope of the patent application is not limited or limited by these embodiments. It should be understood that all changes, equivalents or substitutes to the embodiments are included within the scope of rights.

Terms used in the examples are used only for descriptive purposes and should not be construed as limiting. Singular expressions include plural expressions unless the context clearly dictates otherwise. In this specification, terms such as "include" or "have" are intended to designate that there is a feature, number, step, operation, component, part, or combination thereof described in the specification, but one or more other features It should be understood that the presence or addition of numbers, steps, operations, components, parts, or combinations thereof is not precluded.

Unless defined otherwise, all terms used herein, including technical or scientific terms, have the same meaning as commonly understood by a person of ordinary skill in the art to which the embodiment belongs. Terms such as those defined in commonly used dictionaries should be interpreted as having a meaning consistent with the meaning in the context of the related art, and unless explicitly defined in the present application, they should not be interpreted in an ideal or excessively formal meaning. don't

In addition, in the description with reference to the accompanying drawings, the same reference numerals are given to the same components regardless of reference numerals, and overlapping descriptions thereof will be omitted. In describing the embodiment, if it is determined that a detailed description of a related known technology may unnecessarily obscure the gist of the embodiment, the detailed description will be omitted.

The user information management service providing system according to the present invention proposes a robust user information management service (InfoDID) that reliably stores and updates user information using blockchain DID technology and provides it as other services.

Here, DID is a decentralized identifier used for distributed digital identity authentication that independently verifies away from centralized identity providers, registries, certification authorities, etc. You have control over your information. A subject with a DID can always be identified on the blockchain by DID authentication (DID auth) using the DID document stored in the blockchain-based DID registry.

The user information management service providing system according to the present invention executes the user information management service (InfoDID) in the form of a DID-based blockchain application service to manage the storage and update of user information, and uses the DID authentication technique to User information can be easily transferred to other services to be used.

In addition, the user information management service providing system according to the present invention uses an extended DID registry managed by the Ethereum blockchain to store (update) user information, and the DID required for identity authentication of the user terminal. By managing documents, it is possible to prevent user information from being arbitrarily changed and used without user approval.

Here, the Ethereum blockchain is a blockchain platform that provides smart contract functions, which are electronic contracts, and can develop and operate decentralized blockchain applications. In the Ethereum blockchain, not only simple transactions based on smart contracts but also complex contract can be performed. All nodes connected to the Ethereum blockchain network execute all transactions through the Ethereum virtual machine that executes smart contracts, so all nodes perform the same calculations and have the same state. Here, a smart contract is a smart contract function that automatically executes a contract according to specific conditions in a block chain, breaking away from the existing face-to-face contract.

1 is a block diagram showing the configuration of a DID-based user information management service providing system according to the present invention.

Referring to FIG. 2, the DID-based user information management service providing system 100 according to the present invention includes a server authentication unit 110, an extraction unit 120, a user authentication unit 130, and a delivery processing unit 140. can be configured including Depending on the embodiment, the DID-based user information management service providing system 100 according to the present invention may be configured by adding a storage processing unit 150 and a storage 160, respectively.

The server authentication unit 110 receives input from the service server 102 associated with the other service when a request for use of another service is generated in the user terminal 101 using the DID-based user information management service (infoDID). The service authentication information is verified using the DID document of the service server 102 loaded from the DID registry 171 of the blockchain 170 to authenticate the identity of the service server 102.

For example, the user terminal 101 intending to use the other service may input its own user authentication information to the service server 102 that provides the other service. Then, the service server 102 may generate a request for transmission of the user information including its own service authentication information in order to acquire user information about the user terminal 101 having input the user authentication information.

Here, the service authentication information may include a DID of the service server 102 and a signature value obtained by encrypting the user authentication information input by the user terminal 101 with a private key of the service server 102 .

That is, as the user terminal generating the request for use of the other service inputs the user authentication information to the service server 102 of the other service, the user authentication information is transmitted from the service server 102 to the service server ( 102), if the service authentication information including the signature value encrypted with the private key and the DID of the service server 102 is input, the server authentication unit 110 uses the DID of the service server 102 in the service authentication information, The DID document of the service server 102 recorded in the DID registry 171 is loaded, and the public key symmetric to the private key of the service server 102 is generated from the public key ID written in the loaded DID document of the service server 102. It is possible to authenticate the identity of the service server 102 by generating, decrypting the signature value in the service authentication information with the public key, and verifying the validity of the signature value.

When the service server 102 is authenticated, the extraction unit 120 functions to extract user authentication information about the user terminal 101 included in the service authentication information from the service authentication information.

For example, the extractor 120 may extract the user authentication information from the decrypted signature value when the signature value in the service authentication information is decrypted with the public key and validity of the signature value is verified.

The user authentication unit 130 performs a function of authenticating the identity of the user terminal 101 by verifying the extracted user authentication information using the DID document of the user terminal 101 loaded from the DID registry 171 .

For example, the user authentication unit 130 loads the DID document of the user terminal 101 recorded in the DID registry 171 using the DID of the user terminal 101 included in the user authentication information, and The user terminal 101 decrypts the signature value of the user terminal 101 included in the user authentication information with the public key generated from the public key ID written in the DID document of the user terminal 101 to verify the validity of the signature value. can authenticate your identity.

When the user terminal 101 is authenticated, the transfer processing unit 140 reads user information about the user terminal 101 previously stored in the storage 160 from the storage 160 and delivers it to the service server 102, It functions to provide a reliable delivery service of the user information. After transferring the user information to the service server 102, the transfer processing unit 140 may create a transfer record of the user information to the service server 102 in the storage 160.

Prior to implementing the user information delivery service, the DID-based user information management service providing system 100 according to the present invention further includes a storage processing unit 150 for implementing the user information storage (update) service, can be configured.

The storage processing unit 150 provides a reliable storage service of user information by storing user information input from a user terminal generating an information storage request or updating pre-stored usage information before/after a request for use of the other service is generated. function to provide

Specifically, the user authentication unit 130 verifies the first user authentication information input from the user terminal generating the storage request using the DID document of the user terminal 101 loaded from the DID registry 171, When the terminal 101 is authenticated, and the identity of the user terminal 101 is authenticated, the extractor 120 converts user information to be stored in the user terminal 101 included in the first user authentication information to the first user. After extracting from the authentication information, the storage processing unit 150 may encrypt the extracted user information and store it in the storage 160 in association with the first user authentication information.

Here, the storage 160 may be implemented as a lightweight directory access protocol (LDAP)-based database capable of storing a large amount of user information.

That is, the storage processing unit 150 considers that it is difficult to store all large-capacity user information in the blockchain 170 due to the storage capacity limit and cost increase of the blockchain 170, and the user information management service providing system 100 ) User information can be stored and maintained by utilizing the storage 160 implemented inside or outside of.

The user information may be at least one data of the user's identifier, DID, user information management start time, user information last update time, user information expiration date, user's first and last name, profile picture, educational background list, and career history. .

After storing the user information, the storage processing unit 150 may issue a management certificate indicating completion of the storage to the user terminal 101 and store the management certificate issued to the user terminal 101 in the storage 160 .

At this time, the user terminal 101 can confirm that its user information is stored in the storage 160 without being falsified by verifying the signature value of the issued management certificate, and then, the issued management certificate can be stored in the DID registry 171 ) can be stored in the DID document recorded in The user terminal 101 may update the DID document of the user terminal 101 recorded in the DID registry 171 to include the issued management certificate.

That is, whenever the user terminal 101 stores (updates) its own user information, it can repeatedly update the DID document by storing the issued management certificate in the DID document recorded in the DID registry 171. In the present invention, the DID document has an extended form by adding privacy to the conventional document, and the management certificate can be stored in the personal item of the DID document.

Prior to transferring user information about the user terminal 101 to the service server 102, the transfer processing unit 140 has a procedure for checking whether there is an abnormal change in the user information stored in the storage 160 without the approval of the user terminal. As a result, it is possible to prevent incorrect user information from being provided to other services in advance.

Specifically, the delivery processing unit 140 transmits the user information about the user terminal 101 read from the storage 160 to the service server 102, the DID document of the user terminal recorded in the DID registry 171 can be loaded. At this time, the loaded DID document may be an updated DID document including the management certificate most recently issued by the user terminal.

The delivery processing unit 140 may compare whether the management certificate included in the loaded DID document matches the management certificate stored in the storage 160 after the user information is stored in the storage processing unit 150 . At this time, if there are several management certificates stored in the storage 160, the transfer processing unit 140 may compare the most recently issued and stored management certificate with the management certificate in the loaded DID document.

When both management certificates match, the transfer processing unit 140 may transmit the user information stored in the storage 160 to the service server 102 after confirming that there is no change.

If both management certificates do not match, the transfer processing unit 140 confirms that an abnormal change has occurred in the user information stored in the storage 160 without approval of the user terminal, and the service server 102 through the storage processing unit 150. ), user information to be transmitted can be stored (updated) first.

When the user information stored in the storage 160 is transmitted to the service server 102 by the delivery processing unit 140, the service server 102 uses the transmitted user information to allow the user terminal to use other services requested by the user terminal. can make it

At this time, the service server 102 continuously checks whether update conditions are met in the delivered user information even while providing other services to the user terminal using the user information delivered by the delivery processing unit 140, and stores the storage 160 When the user information stored in ) is updated and the renewal condition is satisfied, the latest user information may be obtained by requesting the storage 160 to transfer the updated user information.

Specifically, the service server 102 loads the DID document of the user terminal 101 from the DID registry 171 at the time of receiving the user information about the user terminal 101, and stores the loaded DID document. The included management certificate is stored in the database together with the provided user information, and the management certificate included in the DID document of the user terminal 101 reloaded in the DID registry 171 at regular intervals is different from the management certificate stored in the database. It compares whether or not they match, and if they do not match, it is determined that the update condition is satisfied for the user information stored in the database (updating of the user information stored in the storage 160 occurs), and service authentication for the service server 102 is performed. Including the information, a transfer request of updated user information of the user terminal 101 may be generated.

Accordingly, when the server authentication unit 110 authenticates the identity of the service server 102 that generated the delivery request using the service authentication information, the delivery processing unit 140 delivers the updated user information to the corresponding service server 102 Up-to-date user information can be continuously provided.

When the service server 102 requests a delivery service of the user information according to the establishment of the update condition, the delivery processing unit 140 stores the delivery record for the service server 102 that generated the delivery service request. It is checked whether it is created in 160, and if the delivery record is created, it is possible to read updated user information about the user terminal from the storage 160 and deliver it to the service server 102.

That is, the delivery processing unit 140 authenticates the service by the server authentication unit 110 if the delivery record is left for the service server 102 that generated the request for the delivery service of the user information according to the establishment of the update condition. By omitting the information verification process, the latest user information updated more rapidly can be provided to the service server 102 .

As another example, whenever user information is updated by a user terminal in the storage processing unit 150, the delivery processing unit 140 stores the service server 102 in which the delivery record of the user information is created in the storage 160. By identifying all of them and delivering the updated user information at one time, the updated user information on the user terminal may be continuously delivered without a separate request for the latest user information from the service server 102 .

In this way, the delivery processing unit 140 always provides the latest user information to the service server 102 used by the user terminal, so that the user terminal directly accesses the service server 102 and does not have the hassle of modifying its own information. The other services based on the user information of can be used. Meanwhile, according to an embodiment, provision of the latest user information may be omitted for some service servers 102 in which updated user information is unnecessary.

2 is a diagram illustrating a network including a DID-based user information management service providing system according to the present invention.

A DID-based user information management service (InfoDID) providing system according to the present invention may be implemented by the InfoDID server 210 shown in FIG. 2 .

Referring to FIG. 2 , the network 200 may include an InfoDID server 210, an Ethereum public blockchain 220, a DID registry 230, and a user terminal 240.

The InfoDID server 210 stores and manages user information in an LDAP-based database due to the storage capacity and cost limitations of the Ethereum blockchain 220 itself, and expands the DID registry distributed on the Ethereum blockchain 220 230 and interact with the database to provide a user information management service (infoDID) to the user terminal 240 .

The user information stored in the database is, as shown in [Table 1], the user's distributed identifier (DID), the management start time of the user information (createdTime), the last updated time of the user information (updatedTime), the validity period of the user information ( validTime), user's last name (sn) and first name (cn), gender (gender), date of birth (brith), country of residence (country), address (address), current job (job), Email, phone number (contact), Profile pictures, hobbies, education, career, etc. are stored.

Such user information can be stored or updated through DID-based user requests. The process of storing (updating) user information in the InfoDID server 210 is as follows.

First, the user terminal 240 sends its own information to be stored (updated) in the InfoDID server 210 and user authentication information for proving its own identity (① in FIG. 2).

Here, the user authentication information includes the DID of the user terminal 240, a signature value created by signing user information with a private key that is a symmetric key of a public key stored in the DID document, and a signature value that can decrypt the signature value. The public key ID for the public key of the user DID document is included.

Next, the InfoDID server 210 retrieves the DID document corresponding to the DID in the user authentication information received from the user terminal 240 from the DID registry 230 (② in FIG. 2). This DID document may be prepared in advance by the user terminal 240 including privacy.

Next, the InfoDID server 210 extracts the public key using the public key ID of the user authentication information from the imported DID document of the user terminal 240, and then decrypts the symmetric key encryption to obtain a signature value of the user authentication information. Validate whether it is valid (3 in Fig. 2). Through this process, the InfoDID server 210 performs identity authentication of the user terminal 240 that has requested storage of user information, and confirms whether the user information has been forged or tampered with in the process of being transmitted from the user terminal 240. there is.

If the signature value of the user authentication information is valid, the InfoDID server 210 encrypts the user information received from the user terminal 240 by a selected encryption technique and stores (updates) it in the connected database (④ in FIG. 2). .

Thereafter, the InfoDID server 210 issues a management certificate to the user terminal 240 to ensure that the user information has been stored (updated) without forgery or alteration (⑤ in FIG. 2). In addition, the InfoDID server 210 also stores the management certificate issued to the user terminal 240 in the database, and when forwarding the user information stored in the database to other services later, checks whether the stored user information has been abnormally changed management certificate is available.

Here, the management certificate issued to the user terminal 240 includes the user's DID, the signature value of the user authentication information sent by the user (User signature), the latest processing type of user information (save or update), all currently stored user information ( Information), the DID of the InfoDID server 210, the public key ID of the DID document that can decrypt the signature value of the management certificate issued by the InfoDID server 210, the certificate creation time (Created time), and all items described above It is composed of a signature value signed with the secret key of the InfoDID server 210.

The user terminal 240 retrieves the DID document of the InfoDID server 210 from the DID registry 230 and verifies the validity of the signature value of the management certificate issued (⑥ in FIG. 2). Through this, the user terminal 240 can confirm that the user information in the InfoDID server 210 has been stored (updated) as the original without being arbitrarily changed.

After that, the user terminal 240 encrypts the issued management certificate with the first public key registered in its own DID document, hashes the encrypted value through the hash function Keccak-256, and It is saved and stored in the item (Privacy) (⑦ in Fig. 2). The value of the personal item stored in the DID document of the user terminal 240 can be decrypted only by the user's private key.

In summary, the user authentication information (user DID, signature value for signing user information, public key ID) and user information to be stored/updated are stored in the user terminal 240 to the InfoDID server ( 210), the InfoDID server 210 extracts the public key from the user DID document obtained from the DID registry 230 using the user DID, and then decrypts the signature value of the user authentication information sent by the user with the public key to verify validity. and, through this, if it is confirmed that the user information is not forged/falsified in the course of user identity authentication and transmission, the user information can be stored/updated in the database, and the storage (update) of the user information without forgery/falsification is guaranteed. At the same time as issuing the management certificate to the user terminal 240, the issued management certificate is also stored in the database connected to the InfoDID server 210, and later when the user information stored in the database is transmitted to other services, whether there is an abnormal change Management certificates can be used for verification.

3 is a diagram illustrating a DID document recorded in an extended DID registry in the DID-based user information management service providing system according to the present invention.

Referring to FIG. 3, the user information management service providing system according to the present invention records the DID document 340 created by the user terminal 310 in the extended DID registry 330 managed by the Ethereum blockchain. Then, when the user terminal 310 wants to store (update) user information, the InfoDID server 320 uses the DID document 340 of the user terminal 310 retrieved from the DID registry 330 to access the user terminal 310. ) can perform identity authentication.

Since the user information management service (InfoDID) provided by the InfoDID server 320 operates based on DID (Distributed Identifier), the InfoDID server 320 provides W3C's information to prevent forgery and alteration of user information. A DID registry 330 extending the DID standard is used.

The DID document 340 of the user terminal 310 stored in the expanded DID registry 330 includes a distributed identifier (DID) of the subject of the document, a list of controllers (Controller List) that is a subject having editing rights for the corresponding DID document, and an identity A public key list of asymmetric encryption used for proof (Public Key List), a service list (Service List) that interacts with the corresponding DID document subject, and a personal item (Privacy ) 350, including a temporary value (Nonce).

Here, the personal item 350 is an item added to the conventional DID document and can be used to store the management certificate issued by the user.

In addition, in the DID document 340, the temporary value (Nonce) is a value used when the document subject proceeds with the editing operation of the document through the signature value, and each time the editing operation is completed in the document, the temporary value of the document is sequentially It increases.

In the DID document 340, the user terminal 310, which is the subject of the document, can directly use its own signature value to create/edit items on the document, or transmit its signature value to someone other than the document subject to create a document. You can also proceed to create/edit items for.

4A and 4B are diagrams illustrating an identity authentication (DID authentication) procedure using a DID document of a user terminal in the DID-based user information management service providing system according to the present invention.

According to the DID authentication procedure shown in FIG. 4A, first, in order to receive the infoDID service, a DID user stores his or her DID through a personal mobile terminal or browser in which a private key of an asymmetric encryption method is stored. A user request is sent to the service (step 1 in FIG. 4A).

Upon receiving the user request, the infoDID server retrieves the user public key from the user DID document stored in the DID registry using the user DID (step 2 in FIG. 4a), encrypts the value required for identity authentication, and sends it to the user (DID authentication). : Challenge) (step 3 in Fig. 4a).

The DID user who receives the encrypted value from the infoDID server decrypts the value using his/her private key and sends it back to the service to respond to the identity authentication request (DID authentication: Response) (step 4 in FIG. 4A).

Then, the infoDID server checks whether the decrypted authentication value sent by the user is valid, completes authentication of the user, and provides the service to the user by creating a channel for providing the service (step 5 in FIG. 4A).

In the DID authentication procedure of FIG. 4a described above, the infoDID server encrypts the value required for identity authentication and sends it to the user, and the DID user receives the value decrypted through his or her private key to authenticate the identity. Response While DID authentication is performed by (step 4), in the DID authentication procedure of FIG. 4B described later, these two steps are omitted and simplified DID authentication is performed.

Specifically, in the DID authentication procedure of FIG. 4b, when a DID user sends a user request containing his or her DID to the service (step 1 in FIG. 4b), the infoDID server that receives the user request uses the user DID A user public key is obtained from the user DID document stored in the DID registry (step 2 in FIG. 4a), and a public key that is symmetrical to the private key used when the user terminal generates a signature value is obtained from the public key ID written in the DID document of the user terminal. Extract and directly verify the signature value of the user authentication information sent by the DID user (step 3 in FIG. 4b), and when the identity authentication for the user is completed as the signature value is verified, a channel is created to provide the service to the user. Provides (step 5 in FIG. 4B).

That is, according to the simplified DID authentication procedure of FIG. 4B, the infoDID server signs with the public key extracted from the public key ID of the DID document without the need to send the value taken from the DID document to the user and receive the decrypted value with the user's private key. Since the validity of the value can be directly verified, the processing speed of identity authentication can be improved.

5A and 5B illustrate an example in which the DID-based user information management service providing system according to the present invention is implemented by the infoDID server 510.

5A is a diagram for explaining a process of providing a user information delivery service in the DID-based user information management service providing system according to the present invention.

In FIG. 5A, when a user terminal wants to use other services (eg, 'banking service') in addition to the user information management service (infoDID), the user information required by the service server 520 providing other services is sent to the infoDID server ( In 510), the process of delivery is shown.

Referring to FIG. 5A, when a user terminal sends its own user authentication information to the service server 520 of another service to be used (① in FIG. 5A), the service server 520 sends its own service authentication information to the user. It is generated by including the user authentication information received from the terminal, and sent to the infoDID server 510 to request delivery of user information stored on the user terminal (2 in FIG. 5A).

Here, the user authentication information for the user terminal includes the user DID, the DID of the service server 520 to receive the user information, the user information, the valid time of the user information, a signature value obtained by signing all the items described above with the secret key, and the signature. A public key ID of a user DID document whose value can be decrypted may be included.

In addition, the service authentication information for the service server 520 includes the DID of the service server 520, the user authentication information received from the user terminal, a signature value obtained by signing the above two values with the private key of the service server 520, and a signature. A public key ID of the service server 520 for decrypting a value may be included.

The infoDID server 510, which has received a request for delivery of user information from the service server 520, uses the DID of each subject to store the DID document of the service server 520 and the DID document of the user terminal in the DID registry 530, respectively. Bring (③ in Fig. 5a)

The infoDID server 510 verifies the validity of the signature value of the service server 520 in the service authentication information using the DID document of the service server 520, and uses the DID document of the user terminal in the verified service authentication information. The validity of the signature value in the extracted user authentication information can be verified (④ in FIG. 5A).

[Table 2] is a code example illustrating a procedure for processing service authentication information received from the service server 520 in the infoDID server 510. When the infoDID server 510 receives the service authentication information received from the service server 520, according to lines 1 to 6 in [Table 2], the service server that provides identity authentication and 'bank service' for the user terminal 520), it is possible to check whether the user approves the function of reading user information from the service server 520.

When all verification of the service server 520 and the user terminal is completed by the above process, the infoDID server 510 transfers the user information stored in the database to the user terminal, and records the user information provided to the service server 520 to the database. (⑤ in Fig. 5a).

At this time, the infoDID server 510 compares whether the management certificate stored in the DID document of the user terminal matches the management certificate stored in the database before transferring the user information stored in the database to the user terminal. It can be checked that there are no abnormal changes without approval. For example, the InfoDID server can encrypt the last issued management certificate to the corresponding user with the first public key of the user's DID document and compare whether the value hashed with Keccak-256 is the same as the value of the Privacy item stored in the user's DID document. If it is confirmed that there is no change in the user information through this, the infoDID server 510 may deliver the user information.

When the service server 520 stores the user information transmitted by the infoDID server 510, it retrieves the management certificate stored in the privacy of the user's DID documents recorded in the DID registry, and periodically thereafter. The management certificate retrieved from the user's DID document recorded in the DID registry is compared with the management certificate brought back to confirm whether the user information renewal condition is met (⑥ in FIG. 5A).

If both management certificates do not match, the service server 520 considers that the user information stored in the database managed by the infoDID server 510 has been updated, and requests the infoDID server 510 to update the user information. 5B shows a process for providing up-to-date user information.

5B is a diagram for explaining a process for providing up-to-date user information in the DID-based user information management service providing system according to the present invention.

Referring to FIG. 5B, the service server 520 retrieves the Privacy item value (management certificate) from the user DID document at the current time using the DID of the user terminal, and when user information is transmitted by the infoDID server 510, the user Compare it with the Privacy item value (management certificate) brought from the DID document, and check whether the two management certificates match (① in Fig. 5b).

If the two management certificates match, the service server 520 may determine that the latest user information for the current user is held.

If the two management certificates are different, the service server 520 determines that user information needs to be updated, sends its own service authentication information to the infoDID server 510, and requests delivery of the updated user information (2 in FIG. 5B). ).

The infoDID server 510 retrieves the DID document of the service server 520 from the DID registry and verifies the validity of the signature value in the service authentication information sent from the service server 520 (③ in FIG. 5B), and the DID document of the user terminal. from the DID registry to verify the validity of the signature value in the user authentication information extracted from the service authentication information (④ in FIG. ⑤ in Fig. 5b).

Thereafter, the infoDID server 510 transmits user information updated in the database to the service server 520 and creates a delivery record of the updated user information in the database (⑥ in FIG. 5B).

Through this process, the service server 520 can always provide useful services to the user based on the latest user information, and the user terminal needs to visit the various service servers 520 that it is using and correct the user information. there will be no

6A and 6B are flowcharts illustrating a sequence of a method for providing a DID-based user information management service according to the present invention.

The DID-based user information management service providing method according to the present embodiments may be performed by the user information management service providing system 100 described in FIG. 1, and the above-described user information management service providing system 100, It can be implemented by the infoDID server 510 described in FIGS. 5A and 5B.

FIG. 6A shows a process of reliable storage/update of user information, and FIG. 6B shows a process of delivering other services of stored/updated user information.

First, referring to FIG. 6A , in step 601, the user information management service providing system 100 checks whether an information storage request occurs in a user terminal using the infoDID service.

According to the occurrence of the information storage request, in step 602, the user information management service providing system 100 loads the DID document of the user terminal recorded in the DID registry of the blockchain to verify the user authentication information.

When the identity of the user terminal is authenticated by verifying the user authentication information, in step 603, the user information management service providing system 100 extracts user information to be stored in the user terminal from the verified user authentication information.

In step 604, the user information management service providing system 100 stores/updates the extracted user information in storage (provides user information storage service). Here, the storage in which the user information is maintained may be implemented as an LDAP-based database managed by the infoDID server 510, for example.

After the user information is stored, in step 605, the user information management service providing system 100 issues a management certificate to the user terminal to ensure that the user information sent from the user terminal is stored as it is without forgery or alteration, and issuance A management certificate is kept in storage.

Thereafter, the user information management service providing system 100 ensures that whenever the user information stored in the storage is updated at the request of the user terminal, the user information sent from the user terminal is stored and updated as it is without forgery or falsification. The management certificate may be reissued to the user terminal, and the reissued management certificate may be stored in storage along with updated user information.

In step 606, the user terminal stores the issued management certificate in the privacy of the DID document recorded in the DID registry, so that it is used later when transferring user information to other services.

In step 607, the user information management service providing system 100 stores the user information about the user terminal in the storage, then checks whether an information update request occurs from the user terminal, and when the information update request occurs, the above-mentioned By repeating the process of steps 602 to 606, the user information stored in the storage is updated.

Referring to FIG. 6B , in step 608, the user information management service providing system 100 checks whether a request for use of another service (eg, 'bank service') occurs in the user terminal.

When a request for use of another service occurs in the user terminal, in step 609, the user information management service providing system 100 retrieves the DID document of the service server associated with the other service from the DID registry and verifies the service authentication information, Authenticate the identity of the service server.

When the identity of the service server is authenticated, in steps 610 and 611, the user information management service providing system 100 extracts user authentication information included in the service authentication information, and converts the extracted user authentication information to the DID document of the user terminal. By verifying using , the identity of the user terminal is authenticated.

If the identity of the user terminal is authenticated, in step 612, the user information management service providing system 100 reads the user information from the storage and delivers it to the service server (providing a user information delivery service).

At this time, the service server that received the user information loads the user's DID document from the blockchain's DID registry, and transfers the management certificate (hereinafter referred to as the first management certificate) stored in the personal item of the loaded DID document to the delivered user. It is stored along with information in the database managed by the service server. The first management certificate may be used as a criterion for determining whether an update of user information has occurred in the storage and whether a condition for updating user information is satisfied.

In step 613, each service server to which the user information is delivered periodically reloads the user's DID document in the DID registry of the blockchain, and the management certificate stored in the personal item of the reloaded DID document (hereinafter, the second management certificate) is compared with the first management certificate, and it is confirmed whether a condition for updating user information is met.

That is, if the second management certificate periodically retrieved matches the first management certificate, the service server confirms that the user information currently stored in the database is the latest user information (No in step 613).

On the other hand, if the second management certificate periodically retrieved does not match the first management certificate, the service server determines that the second management certificate has been reissued as the user information is updated in the storage, and the user information currently stored in the database It is confirmed that renewal is necessary (Yes in step 613).

In this way, when the two management certificates are different from each other and the renewal condition of the user information currently stored in the database is met, the service server generates a transmission request for the updated user information, and in response to the transmission request, the user information management service providing system (100 ) transfers the latest user information updated to the storage to the service server (providing the latest user information) (step 614).

As described above, according to the present invention, by executing the user information management service (InfoDID), by performing the steps 601 to 614 described in FIGS. 6A and 6B, it is possible to implement the storage, update, and provision of user information to other services. can

Therefore, in the present invention, it is utilized for the DID identity authentication service through linkage with the DID registry developed as a smart contract of the Ethereum blockchain to reliably manage the user's information and allow the user to transfer his or her information to other services in a convenient form. be able to provide

The method according to the embodiment may be implemented in the form of program instructions that can be executed through various computer means and recorded on a computer readable medium. The computer readable medium may include program instructions, data files, data structures, etc. alone or in combination. Program commands recorded on the medium may be specially designed and configured for the embodiment or may be known and usable to those skilled in computer software. Examples of computer-readable recording media include magnetic media such as hard disks, floppy disks and magnetic tapes, optical media such as CD-ROMs and DVDs, and magnetic media such as floptical disks. - includes hardware devices specially configured to store and execute program instructions, such as magneto-optical media, and ROM, RAM, flash memory, and the like. Examples of program instructions include high-level language codes that can be executed by a computer using an interpreter, as well as machine language codes such as those produced by a compiler. The hardware devices described above may be configured to operate as one or more software modules to perform the operations of the embodiments, and vice versa.

Software may include a computer program, code, instructions, or a combination of one or more of the foregoing, which configures a processing device to operate as desired or processes independently or collectively. The device can be commanded. Software and/or data may be any tangible machine, component, physical device, virtual equipment, computer storage medium or device, intended to be interpreted by or provide instructions or data to a processing device. , or may be permanently or temporarily embodied in a transmitted signal wave. Software may be distributed on networked computer systems and stored or executed in a distributed manner. Software and data may be stored on one or more computer readable media.

As described above, although the embodiments have been described with limited drawings, those skilled in the art can apply various technical modifications and variations based on the above. For example, the described techniques may be performed in an order different from the method described, and/or the components of the described system, structure, device, circuit, etc. may be combined or combined in a different form than the method described, or other components may be used. Or even if it is replaced or substituted by equivalents, appropriate results can be achieved.

Therefore, other implementations, other embodiments, and equivalents of the claims are within the scope of the following claims.

200: User information management service providing system
210: InfoDID server
220: Ethereum public blockchain
230: DID registry
240: user terminal

Claims (16)

As a user terminal using the DID-based user information management service generates a request for use of other services,
verifying the service authentication information input from the service server related to the other service using the DID document of the service server loaded from the DID registry of the blockchain, thereby authenticating the identity of the service server;
if the service server is authenticated, verifying user authentication information about the user terminal using the DID document of the user terminal loaded from the DID registry, thereby authenticating the identity of the user terminal; and
When the user terminal is authenticated, reading user information of the user terminal from storage and transmitting the user information to the service server, so that the user terminal uses the other service.
DID-based user information management service providing method comprising a. According to claim 1,
The service authentication information,
A signature value obtained by encrypting the user authentication information with a private key of the service server and a DID of the service server;
The step of authenticating the identity of the service server,
loading the DID document of the service server recorded in the DID registry using the DID of the service server;
generating a public key symmetrical to the private key of the service server from the public key ID written in the loaded DID document of the service server; and
Decrypting the signature value in the service authentication information with the generated public key of the service server
DID-based user information management service providing method comprising a. According to claim 2,
When the user authentication information is extracted from the decrypted signature value,
The step of authenticating the identity of the user terminal,
loading the DID document of the user terminal recorded in the DID registry by using the DID of the user terminal included in the user authentication information;
generating a public key symmetrical to the private key of the user terminal from the public key ID described in the loaded DID document of the user terminal; and
Decrypting the signature value of the user terminal included in the user authentication information with the generated public key of the user terminal.
DID-based user information management service providing method comprising a. According to claim 1,
As the information storage request occurs in the user terminal,
verifying first user authentication information input from the user terminal using the DID document of the user terminal loaded from the DID registry, thereby authenticating the identity of the user terminal;
extracting user information related to the information storage request from the first user authentication information when the user terminal is authenticated; and
Providing a storage service of the user information by encrypting the extracted user information and storing the extracted user information in the storage in association with the first user authentication information.
DID-based user information management service providing method further comprising a. According to claim 4,
After storing the user information, issuing a management certificate indicating storage completion to the user terminal and storing it in the storage
Including more,
The user terminal,
Updating the DID document of the user terminal recorded in the DID registry to include the issued management certificate
DID-based user information management service provision method. According to claim 5,
According to the update of the DID document of the user terminal,
loading a DID document updated by the user terminal from the DID registry;
comparing whether a management certificate included in the loaded DID document matches a management certificate stored in the storage after storing the user information; and
If they match, confirming the user information stored in the storage as 'no change' and forwarding it to the service server
DID-based user information management service providing method further comprising a. According to claim 5,
According to the update of the DID document of the user terminal,
In the service server, when storing the transmitted user information in a database provided in the service server, the DID document updated by the user terminal is loaded in the DID registry, and the management certificate included in the loaded DID document is stored in the DID registry. storing them together in a database;
comparing, in the service server, whether a management certificate included in the DID document of the user terminal reloaded from the DID registry at regular intervals matches a management certificate stored in the database; and
If they do not match,
In the service server, determining that an update condition is satisfied for the user information stored in the database, and generating a request for a delivery service of user information about the user terminal, including the service authentication information.
DID-based user information management service providing method further comprising a. According to claim 7,
After transferring the user information to the service server, generating a transfer record of the user information to the service server in the storage;
When the service server requests a delivery service of the user information according to the establishment of the update condition,
confirming, with respect to the service server that generated the delivery service request, whether the delivery record is created in the storage; and
If the delivery record is generated, reading updated user information about the user terminal from the storage and delivering the updated user information to the service server.
DID-based user information management service providing method further comprising a. As a user terminal using the DID-based user information management service generates a request for use of other services,
a server authentication unit that authenticates the identity of the service server by verifying the service authentication information input from the service server associated with the other service using the DID document of the service server loaded from the DID registry of the blockchain;
When the service server is authenticated, a user authentication unit verifying the user authentication information on the user terminal using the DID document of the user terminal loaded from the DID registry to authenticate the identity of the user terminal; and
When the user terminal is authenticated, the delivery processing unit reads the user information of the user terminal from the storage and transmits the user information to the service server so that the user terminal uses the other service.
DID-based user information management service providing system comprising a. According to claim 9,
The service authentication information,
A signature value obtained by encrypting the user authentication information with a private key of the service server and a DID of the service server;
The server authentication unit,
Loading the DID document of the service server recorded in the DID registry using the DID of the service server;
generating a public key symmetrical to the private key of the service server from the public key ID described in the loaded DID document of the service server;
Decrypting the signature value in the service authentication information with the generated public key of the service server
DID-based user information management service provision system. According to claim 10,
Extraction unit for extracting the user authentication information from the decrypted signature value
Including more,
The user authentication unit,
Loading the DID document of the user terminal recorded in the DID registry using the DID of the user terminal included in the user authentication information;
generating a public key symmetrical to the private key of the user terminal from the public key ID described in the loaded DID document of the user terminal;
Decrypting the signature value of the user terminal included in the user authentication information with the generated public key of the user terminal
DID-based user information management service provision system. According to claim 9,
A storage processor providing a storage service of the user information when an information storage request is generated from the user terminal.
Including more,
The user authentication unit,
First user authentication information input from the user terminal is verified using the DID document of the user terminal loaded in the DID registry to authenticate the identity of the user terminal,
When the user terminal is authenticated,
The storage processing unit,
Extracting, by an extractor, user information to be stored in the user terminal included in the first user authentication information from the first user authentication information;
Encrypting the extracted user information and storing it in the storage in association with the first user authentication information
DID-based user information management service provision system. According to claim 12,
The storage processing unit,
After storing the user information, a management certificate indicating completion of storage is issued to the user terminal and stored in the storage;
The user terminal,
Updating the DID document of the user terminal recorded in the DID registry to include the issued management certificate
DID-based user information management service provision system. According to claim 13,
According to the update of the DID document of the user terminal,
The transfer processing unit,
loading a DID document updated by the user terminal from the DID registry;
Compare whether the management certificate included in the loaded DID document matches the management certificate stored in the storage after storing the user information;
If they match, confirming the user information stored in the storage as 'no change' and forwarding it to the service server
DID-based user information management service provision system. According to claim 13,
According to the update of the DID document of the user terminal,
The service server,
When the transmitted user information is stored in the database provided in the service server, the DID document updated by the user terminal is loaded in the DID registry, and the management certificate included in the loaded DID document is stored in the database together. ,
Comparing whether the management certificate included in the DID document of the user terminal reloaded from the DID registry at regular intervals matches the management certificate stored in the database;
If they do not match, it is determined that the update condition is met for the user information stored in the database, and a request for a delivery service of user information about the user terminal is generated, including the service authentication information.
DID-based user information management service provision system. According to claim 15,
The transfer processing unit,
After transferring the user information to the service server, creating a transfer record of the user information to the service server in the storage;
When the service server requests a delivery service of the user information according to the establishment of the update condition,
For the service server that generated the delivery service request, check whether the delivery record is created in the storage;
If the delivery record is created, reading the updated user information about the user terminal from the storage and delivering it to the service server
DID-based user information management service provision system.

Images