KR20200133881A - Authentication method in a distributed circumstance - Google Patents

Abstract

Disclosed is an identification method in a distributed environment, which performs identification by a plurality of nodes. According to one embodiment of the present invention for achieving described tasks, a computer program recorded in a computer-readable recording medium includes commands for allowing a processor of an authentication node to execute steps for identification. The steps comprises the following steps: transmitting a cooperation request signal to at least one cooperating node to execute identification on an entity to be identified; when an acceptance signal for the cooperation request signal is received from the at least one cooperating node, transmitting first information to the entity to be identified or the at least one cooperating node to allow the entity to be identified or the at least one cooperating node to execute identification, wherein the first information includes information related to identification of the entity to be identified; and when receiving a completion signal for the identification from the node to be identified or the at least one cooperating node, transmitting identification information of the entity to be identified to at least one node forming a blockchain network to allow a plurality of nodes to record the identification information through a consensus algorithm.

Description

Identity authentication method in a distributed environment {AUTHENTICATION METHOD IN A DISTRIBUTED CIRCUMSTANCE}

The present disclosure is directed to providing an identity authentication method in a distributed environment, and more particularly, to a method of performing identity authentication by a plurality of nodes.

As financial services expand, the demand for KYC (Know Your Customer) is increasing. Although the current identity authentication system centered on a centralized authentication authority has the advantage of high processing speed, there is a problem that KYC is difficult in an environment where there is no central authentication authority that can supply stable trust.

To solve this problem, interest in technology for performing KYC (Know Your Customer) through identity authentication in a distributed environment is rapidly increasing.

US Patent Publication No. 2018-0288022 discloses a method of authenticating a digital ID on a blockchain network, and Korean Patent Publication No. 2017-0172235 discloses a game item purchase method and apparatus using a smart contract.

The present disclosure was devised in response to the above-described background technology, and is to provide a method for performing identity authentication in a distributed environment.

The technical problems of the present disclosure are not limited to the technical problems mentioned above, and other technical problems that are not mentioned will be clearly understood by those skilled in the art from the following description.

A computer program stored in a computer-readable storage medium according to an embodiment of the present disclosure for realizing the above-described problem is disclosed. The computer program includes instructions for causing the processor of the authentication node to perform the following steps, the steps:

Transmitting a cooperation request signal to at least one cooperating node to perform identity authentication for the authenticated entity; When an acceptance signal for the cooperation request signal is received from the at least one cooperating node, the first information is transmitted to the authenticated node or the at least one cooperating node, and the authenticated node and the at least one cooperating node Causing identity authentication to be performed, the first information including information related to the identity of the authenticated entity; And when the completion signal for the identity authentication is received from the authenticated node or the at least one cooperative node, by transmitting the identification information of the authenticated entity to at least one node constituting the blockchain network, a plurality of nodes Causing the identification information to be recorded through a consensus algorithm; It may include.

In addition, the number of the at least one cooperative node may be determined by multiplying the number of nodes included in the blockchain network by a preset ratio.

In addition, the identification information may be compatible with a standard format for a distributed digital ID.

Also, the identification information may be information encrypted with the public key of the authentication entity of the authentication node based on an asymmetric encryption algorithm.

In addition, when the completion signal for the identity authentication is received from the authenticated node or the at least one cooperative node, transmitting the identification information of the authenticated entity to at least one node constituting a blockchain network, Recognizing second information included in the completion signal for the identity authentication; And when the second information matches information previously stored in the memory of the authentication node, transmitting the identification information of the authenticated entity to at least one node constituting a blockchain network. Including, the second information may include a plain text or an encrypted text generated by a preset protocol.

In addition, in order to perform identity authentication for the authenticated entity, transmitting the cooperation request signal to at least one cooperating node includes a first private key and a first public key of a first wallet owned by the authenticated entity. Generating; And transmitting a second public key and the first public key of a second wallet owned by the authentication entity of the authentication node to at least one cooperative node. It may include.

In addition, the first private key and the first public key may be generated based on a hierarchical deterministic wallet protocol.

In addition, when the acceptance signal for the cooperation request signal is received from the at least one cooperating node, transmitting the first information to the authenticated node or the at least one cooperating node includes generating at least one encryption key. step; Generating first data by encrypting the first private key by using the at least one encryption key; Generating second data by encrypting the at least one encryption key; Generating third data by signing the first public key with a second private key of the second wallet to prove that the first private key has been generated by an authentication entity; And transmitting the first information to the authenticated node or the at least one cooperative node, and transmits the first data, the second data, and the third data to the authenticated node or the at least one cooperative node. Transferring to; It may include.

In addition, generating first data obtained by encrypting the first private key using the at least one encryption key may include generating a combination encryption key based on the at least one encryption key; And encrypting the first private key with the combination encryption key. It may include.

In addition, each of the at least one encryption key corresponds to the at least one cooperating node, and the step of generating the second data by encrypting the at least one encryption key includes a public key from each of the at least one cooperating node. Receiving; And encrypting each of the at least one encryption key with a public key of a corresponding cooperative node. It may include.

In addition, when the completion signal for the identity authentication is received from the authenticated node or the at least one cooperative node, transmitting the identification information of the authenticated entity to at least one node constituting a blockchain network, Recognizing the signature generated with the first private key included in the completion signal for the identity authentication; Verifying the signature generated with the first private key with the first public key; And when verification of the signature generated by the first private key is completed, transmitting the identification information of the authenticated entity to at least one node constituting a blockchain network. Including, the signature generated with the first private key may be related to a plain text or a cipher text generated by a preset protocol.

In addition, the steps may include: receiving transaction information including a first digital signature signed with the private key of the entity to be authenticated from the node to be authenticated; Verifying the first digital signature with the public key of the entity to be authenticated corresponding to the private key of the entity to be authenticated; Generating a multiple digital signature by adding a second digital signature generated using the private key of the authentication entity of the authentication node to the first digital signature; And transmitting the multiple digital signatures to the authenticated node. It may further include.

A computer program stored in a computer-readable storage medium according to an embodiment of the present disclosure for realizing the above-described problem is disclosed. The computer program includes instructions for causing the processor of the node to be authenticated to perform the following steps, the steps:

When the first information related to identity authentication is received from the authentication node, the at least one cooperating node performs the identity authentication by transmitting a signal requesting to perform the identity authentication for the authenticated entity to at least one cooperating node. Causing to perform; And when a signal indicating that the identity authentication has been performed is received from the at least one cooperative node, transmitting a completion signal for the identity authentication to the authentication node. It may include.

In addition, when first information related to identity authentication is received from the authentication node, transmitting a signal requesting to perform the identity authentication for the authenticated entity to at least one cooperative node corresponds to the first information. Receiving from the at least one cooperative node a request signal for the proof data to be processed; And transmitting the authentication data obtained from the authenticated entity to the at least one cooperative node. Including, the proof data may include at least one of data related to identification information or data required for zero-knowledge proof.

In addition, when first information related to identity authentication is received from the authentication node, transmitting a signal requesting to perform the identity authentication for the authenticated entity to at least one cooperative node includes at least one encryption key. In the first data encrypted with the first private key of the wallet owned by the authenticated entity, the second data encrypted with the at least one encryption key generated to encrypt the first private key, and the first private key Receiving, from the authentication node, a corresponding first public key with the second private key of a wallet owned by the authentication entity of the authentication node, together with the first information; And transmitting the second data and the third data to the at least one cooperative node. It may include.

In addition, when the signal indicating that the identity authentication has been performed is received from the at least one cooperative node, transmitting the completion signal for the identity authentication to the authentication node, when the at least one cooperative node completes the identity authentication And receiving the at least one encryption key extracted by decrypting the second data; And extracting the first private key from the first data by decrypting the first data using the encryption key when an encryption key is received from a cooperative node equal to or greater than a preset number. It may include.

In addition, when the signal indicating that the identity authentication has been performed is received from the at least one cooperative node, transmitting the completion signal for the identity authentication to the authentication node may include a preset protocol in order to prove that the identity authentication has been completed. Generating second information that is plain text or cipher text generated by; And generating third information by signing the second information with the first private key. It may further include.

A computer program stored in a computer-readable storage medium according to an embodiment of the present disclosure for realizing the above-described problem is disclosed. The computer program includes instructions for causing the processor of the cooperative node to perform the following steps, the steps:

When receiving a cooperation request signal from the authentication node, transmitting a cooperation consent signal for performing identity authentication to the authenticated entity to the authentication node; And performing the identity authentication for the authenticated entity based on at least one of an image comparison scheme and a zero-knowledge authentication scheme when receiving an identity authentication request signal from the authenticated node. Including, the identity authentication request signal may include first information related to the identity of the authenticated entity.

In addition, the cooperative consent signal for performing identity authentication for the authenticated entity includes a public key of the cooperative node. A computer program stored in a computer-readable storage medium.

In addition, the identity authentication request signal includes second data obtained by encrypting at least one encryption key generated to encrypt a first private key of a wallet owned by the authenticated entity and a second data of a wallet owned by the authenticated entity. 1 When the public key further includes third data signed with the second private key of the wallet owned by the authentication entity, and when an identity authentication request signal is received from the node to be authenticated, the image comparison method or zero-knowledge authentication method is used. The performing of the identity authentication for the authenticated entity may include verifying a signature included in the third data with the public key of the authentication entity and the public key of the authenticated entity; Generating fourth data obtained by decrypting one of at least one encryption key included in the second data using the private key of the cooperative node when verification of the signature included in the third data is completed; And transmitting the fourth data to the node to be authenticated. It may include.

Disclosed is a computing device that provides identity authentication in a distributed environment according to an embodiment of the present disclosure for realizing the above-described problem. The computing device is an authentication node,

Processor; Memory; And a communication unit; Including, the processor, in order to perform identity authentication for the authenticated entity, transmits a cooperation request signal to at least one cooperating node, and receives an acceptance signal for the cooperation request signal from the at least one cooperating node In one case, the first information is transmitted to the authenticated node or the at least one cooperating node to cause the identity authentication to be performed in the authenticated node and the at least one cooperating node.- The first information is the Including information related to the identity of the entity-, when the completion signal for the identity authentication is received from the authenticated node or the at least one cooperative node, the identification information of the authenticated entity is at least configured to form a blockchain network. By sending to one node, it is possible to cause a plurality of nodes to record the identification information through a consensus algorithm.

Disclosed is a computing device that provides identity authentication in a distributed environment according to an embodiment of the present disclosure for realizing the above-described problem. The computing device is an authenticated node,

Processor; Memory; And a communication unit; Including, the processor, when receiving the first information related to the identity authentication from the authentication node, by transmitting a signal requesting to perform the identity authentication for the authenticated entity to at least one cooperative node When a cooperative node of is caused to perform the identity authentication and a signal indicating that the identity authentication has been performed is received from the at least one cooperative node, a completion signal for the identity authentication may be transmitted to the authentication node.

Disclosed is a computing device that provides identity authentication in a distributed environment according to an embodiment of the present disclosure for realizing the above-described problem. The computing device is a cooperative node,

Processor; Memory; And a communication unit; Including, the processor, when receiving a cooperation request signal from the authentication node, transmits a cooperation consent signal for performing identity authentication for the authenticated entity to the authentication node, and receives an identity authentication request signal from the authentication node In one case, the identity authentication is performed for the authenticated entity based on at least one of an image comparison scheme or a zero-knowledge authentication scheme, and the identity authentication request signal includes first information related to the identity of the authenticated entity. can do.

The present disclosure is intended to provide a method for performing identity authentication in a distributed environment.

The effects obtainable in the present disclosure are not limited to the effects mentioned above, and other effects not mentioned will be clearly understood by those of ordinary skill in the art from the following description. .

In order that the features of the present disclosure mentioned above may be understood in detail, in a more specific description, with reference to the following embodiments, some of the embodiments are shown in the accompanying drawings. In addition, like reference numbers in the drawings are intended to refer to the same or similar functions over several aspects. However, the accompanying drawings are merely illustrative of specific exemplary embodiments of the present disclosure, and are not considered to limit the scope of the present disclosure, and other embodiments having the same effect may be sufficiently recognized. Be careful.
1 is a diagram illustrating an example of a system for performing identity authentication in a distributed environment according to some embodiments of the present disclosure.
2 is a diagram illustrating an example of an authentication node, an authentication target node, and a cooperative node according to some embodiments of the present disclosure.
3 is a signal flow diagram illustrating an example of performing identity authentication in a distributed environment according to some embodiments of the present disclosure.
4 is a flowchart illustrating an example in which a processor of an authentication node verifies a completion signal received from an authenticated node and determines whether to transmit identification information to a blockchain network.
5 is a signal flow diagram showing an example in which a transaction of an authenticated entity is approved by performing KYC of an authenticated entity using identity information recorded in a blockchain network.
6 is a flowchart illustrating an example in which an authenticated node transmits authentication data necessary for performing identity authentication to a cooperative node.
7 is a signal flow diagram showing an example of a system for generating a private key and a public key of a wallet owned by an authenticated entity, transferring it to an authenticated node, and recording it in a blockchain network.
8 is a flowchart illustrating an example in which a processor of an authentication node encrypts a first private key using a key envelope algorithm to generate first data.
9 is a diagram illustrating an example in which a processor of an authentication node generates second data by encrypting at least one encryption key.
10 shows a simplified and general schematic diagram of an exemplary computing environment in which some embodiments of the present disclosure may be implemented.

Various embodiments will now be described with reference to the drawings, and like reference numbers are used throughout the drawings to indicate like elements. In this specification, various descriptions are presented to provide an understanding of the present disclosure. However, it is clear that these embodiments may be implemented without such detailed description. In other examples, well-known structures and devices are provided in block diagram form to facilitate description of the embodiments.

Hereinafter, the same or similar components are assigned the same reference numerals regardless of the reference numerals, and redundant descriptions thereof will be omitted. In addition, in describing the embodiments disclosed in the present specification, when it is determined that detailed descriptions of related known technologies may obscure the subject matter of the embodiments disclosed in the present specification, detailed descriptions thereof will be omitted. In addition, the accompanying drawings are for easy understanding of the embodiments disclosed in the present specification, and the technical spirit disclosed in the present specification is not limited by the accompanying drawings.

Although the first, second, etc. are used to describe various devices or components, it is a matter of course that these devices or components are not limited by these terms. These terms are only used to distinguish one device or component from another device or component. Therefore, it goes without saying that the first device or component mentioned below may be a second device or component within the technical idea of the present invention.

Unless otherwise defined, all terms (including technical and scientific terms) used in the present specification may be used as meanings that can be commonly understood by those of ordinary skill in the art to which the present invention belongs. In addition, terms defined in a commonly used dictionary are not interpreted ideally or excessively unless explicitly defined specifically.

The terms "component", "module", "system" and the like as used in the present disclosure refer to hardware, firmware, software, a combination of software and hardware, or execution of software. For example, a component may be, but is not limited to, a process executed on a processor, a processor, an object, an execution thread, a program, and/or a computer. For example, both an application running on a computing device and a computing device may be components. One or more components may reside within a processor and/or thread of execution, and a component may be localized within one computer, or may be distributed between two or more computers. In addition, these components can execute from a variety of computer readable media having various data structures stored therein. Components are, for example, signals with one or more data packets (e.g., data from one component interacting with another component in a local system, a distributed system, and/or data via a signal over another system and a network such as the Internet. ) To communicate via local and/or remote processes.

As used herein, “an embodiment,” “example,” “aspect,” “example,” and the like may not be construed as having any aspect or design described as being better or advantageous than other aspects or designs.

In addition, the term “or” is intended to mean an inclusive “or” rather than an exclusive “or”. That is, unless specified otherwise or is not clear from the context, "X employs A or B" is intended to mean one of the natural inclusive substitutions. That is, X uses A; X uses B; Or, when X uses both A and B, “X uses A or B” can be applied to either of these cases. In addition, the term "and/or" as used herein should be understood to refer to and include all possible combinations of one or more of the listed related items.

In addition, the terms "comprising" and/or "comprising" mean that the corresponding feature and/or element is present, but excludes the presence or addition of one or more other features, elements and/or groups thereof. It should be understood as not. In addition, unless otherwise specified or when the context is not clear as indicating a singular form, the singular in the specification and claims should be interpreted as meaning "one or more" in general.

However, the present disclosure is not limited to the embodiments disclosed below, and may be implemented in various different forms. The present embodiments are provided only to make the present disclosure complete, and to completely inform the scope of the disclosure to those of ordinary skill in the art to which the present disclosure belongs, and the present disclosure is only defined by the scope of the claims. . Therefore, the definition should be made based on the contents throughout this specification.

Description of the presented embodiments is provided so that those of ordinary skill in the art of the present disclosure can use or implement the present disclosure. Various modifications to these embodiments will be apparent to those of ordinary skill in the art, and general principles defined herein may be applied to other embodiments without departing from the scope of the present disclosure. Thus, the present disclosure is not limited to the embodiments presented herein, but is to be interpreted in the widest scope consistent with the principles and novel features presented herein.

1 is a diagram illustrating an example of a system for performing identity authentication in a distributed environment according to some embodiments of the present disclosure.

As shown in FIG. 1, the system for performing identity authentication includes an authentication node 100, an authenticated node 200, a cooperative node 300, a blockchain network 400, and a communication network 500. can do. Components illustrated in FIG. 1 are exemplary, and additional components may exist or some of the components illustrated in FIG. 1 may be omitted.

Although not shown in FIG. 1, the authentication node 100, the authentication target node 200, and the cooperative node 300 may include a memory, a communication unit, and a processor. The authentication node 100, the authenticated node 200, and the cooperative node 300 may be nodes included in the blockchain network 400.

For convenience of explanation, it is assumed that the node 200 to be authenticated is a separate subject from the blockchain network 400. However, in the present disclosure, it can be interpreted that all steps performed by a node included in the blockchain network 400 may also be performed by the authenticated node 200.

The authentication node 100, the authentication target node 200, and the cooperative node 300 have a mechanism for communicating with at least one other node included in the blockchain network 400 through the communication network 500, and the identity It may mean any type of node in a system for performing authentication. For example, the authentication node 100, the authenticated node 200, and the cooperating node 300 are a microprocessor, a mainframe computer, a digital processor, a portable device, a personal computer (PC), a laptop computer, a workstation, and/or It may include any electronic device with network connectivity. In addition, the authentication node 100, the authenticated node 200, and the cooperating node 300 may be implemented by at least one of an agent, an application programming interface (API), and a plug-in. It can also include a server. In addition, the authentication node 100, the authentication target node 200, and the cooperative node 300 may include an application source and/or a client application.

The authentication node 100, the authenticated node 200, and the cooperative node 300 include a processor, a memory, and a communication unit, and a computing device included in an arbitrary blockchain network 400 capable of processing and storing arbitrary data. Can be

The authentication node 100 and the cooperating node 300 in FIG. 1 may be related to a trust subject that has already been authenticated by an existing external authentication authority (eg, a trust issuing subject such as a government agency or a bank). . In particular, the authentication node 100 may be related to an authentication entity that first authenticates the identity of the entity to be authenticated related to the node 200 to be authenticated.

The authentication node 100 and the cooperating node 300 may be associated with an authentication entity and a cooperating entity that wants to access the blockchain network 400. The authenticated node 200 receives an identity from the authentication node 100 and the cooperative node 300, and may be associated with an authenticated entity that intends to record identification information related to its own identity on the blockchain network 400. have.

The cooperative node 300 may perform identity authentication for an authenticated entity related to the authenticated node 200 in response to a request from the authentication node 100. The cooperative node 300 may be one or a plurality of nodes.

In some embodiments of the present disclosure, the blockchain network 400 may mean a plurality of nodes operating based on blockchain technology. Here, the blockchain technology is a distributed storage technology that stores data to be managed in a plurality of nodes included in the blockchain network by using a storage structure in which blocks are connected in a chain form.

The blockchain network 400 may store the transaction transmitted from the authentication node 100 in a block form based on a predetermined consensus algorithm. Data stored in a block form may be shared by a plurality of nodes included in the blockchain network 400.

The blockchain network 400 may include a public blockchain network in which arbitrary nodes can perform consensus operations or a private blockchain network in which only predetermined nodes can perform consensus operations, depending on the implementation form. .

Consensus algorithms performed in the blockchain network 400 according to some embodiments of the present disclosure include: PoW (Proof of Work) algorithm, PoS (Proof of Stake) algorithm, DPoS (Delegated Proof of Stage) algorithm, PBFT (Practical Byzantine Fault Tolerance) algorithm, Delegated Byzantine Fault Tolerance (DBFT) algorithm, Redundant Byzantine Fault Tolerance (RBFT) algorithm, Sieve algorithm, Tendermint algorithm, Paxos algorithm, Raft algorithm, PoA (Proof of Authority) algorithm and/or PoET (Proof of Elapsed Time) algorithm may be included.

In some exemplary embodiments of the present disclosure, nodes in the blockchain network 400 may operate by a blockchain core package according to a hierarchical structure. The hierarchical structure is: a data layer that defines the structure of data handled by the blockchain network 400 and manages the data, a fee paid to the miners during the mining process, performing mining to verify the validity of blocks and generating blocks A consensus layer in charge of processing of, an execution layer that processes and executes smart contracts, a common layer that implements and manages P2P network protocols, hash functions, digital signatures, encoding and common storage, and various applications are created, processed and managed. It can include an application layer.

In some embodiments of the present disclosure, the blockchain network 400 may record identification information of entities for which identity authentication has been performed or information for accessing identification information. The identification information will be described in detail later in FIG. 3.

The authentication node 100, the authenticated node 200, and one or more cooperative nodes 300 may be nodes included in the blockchain network 400. In this example, the authentication node 100, the authenticated node 200, and the cooperating node 300 implement at least one of a wallet function, a minor function, and a storage function of full blockchain data. I can.

The authentication node 100, the authenticated node 200, and the cooperating node 300 may issue a query or a transaction to the blockchain network 400. The query in the present disclosure may be used to inquire identification information of a recipient registered on the blockchain network 400. The transaction in the present disclosure may be used to perform an update (modification/change/delete/add) on data recorded on the blockchain network 400.

The authentication node 100, the authentication target node 200, and the cooperative node 300 may transmit and receive an application source written in a programming language. For example, the authentication node 100, the authentication target node 200, and the cooperating node 300 may generate a client application by compiling an application source. For example, the generated client application may be delivered to at least one of the management blockchain networks 400 and then executed.

Communication network 500 according to an embodiment of the present disclosure is a public switched telephone network (PSTN), x Digital Subscriber Line (xDSL), Rate Adaptive DSL (RADSL), Multi Rate DSL (MDSL), VDSL. Various wired communication systems such as (Very High Speed DSL), Universal Asymmetric DSL (UADSL), High Bit Rate DSL (HDSL), and local area network (LAN) can be used.

In addition, the communication network 500 presented in the present disclosure includes Code Division Multi Access (CDMA), Time Division Multi Access (TDMA), Frequency Division Multi Access (FDMA), Orthogonal Frequency Division Multi Access (OFDMA), and SC-FDMA. Various wireless communication systems such as (Single Carrier-FDMA) and other systems can be used. The techniques described in this disclosure may be used not only in the networks mentioned above, but also in any type of other communication networks.

2 is a diagram illustrating an example of an authentication node, an authentication target node, and a cooperative node according to some embodiments of the present disclosure.

As shown in FIG. 2, the authentication node 100, the authenticated node 200, and the cooperative node 300 include processors 110, 210, 310, memories 120, 220, 320, and communication units 130, 230. , 330).

The processors 110, 210, 310 may be composed of one or more cores, and a central processing unit (CPU), a general purpose graphics processing unit (GPGPU), and a tensor processing unit ( It may include an arbitrary type of processor for performing identity authentication by executing instructions stored in memory, such as TPU: tensor processing unit). The processor may perform identity authentication according to some embodiments of the present disclosure by reading a computer program stored in the memory. The processor may control overall operations of components of the authentication node, the node to be authenticated, and the cooperative nodes 100, 200, and 300 in order to perform the identity authentication process.

The authentication node 100, the authentication target node 200, and the cooperative node 300 may include memories 120, 220, and 320. The memory may store a program for the operation of the processors 110, 210, and 310, and may temporarily or permanently store input/output data. Memory is a flash memory type, hard disk type, multimedia card micro type, card type memory (for example, SD or XD memory), RAM (Random Access). Memory, RAM), SRAM (Static Random Access Memory), ROM (Read-Only Memory, ROM), EEPROM (Electrically Erasable Programmable Read-Only Memory), PROM (Programmable Read-Only Memory), magnetic memory, magnetic disk, optical disk At least one type of storage medium may be included. This memory can be operated under control of the processor. Further, in the present disclosure, the memory and the storage unit may be used interchangeably with each other.

The communication units 130, 230, and 330 may include wired/wireless Internet modules for network access. The communication unit (130, 230, 330) communicates with at least one of the authentication node 100, the authenticated node 200, the cooperative node 300, the blockchain network 400, and a node included in another blockchain network. Can be done. As a wireless Internet technology, WLAN (Wireless LAN) (Wi-Fi), Wibro (Wireless broadband) Wimax (World Interoperability for Microwave Access), HSDPA (High Speed Downlink Packet Access), and the like may be used. As a wired Internet technology, XDSL (Digital Subscriber Line), FTTH (Fibers to the Home), PLC (Power Line Communication), etc. may be used.

The above-described components are exemplary, and the scope of the present disclosure is not limited to the above-described components. That is, additional components may be included or some of the above-described components may be omitted according to implementation aspects of the embodiments of the present disclosure.

3 is a signal flow diagram illustrating an example of performing identity authentication in a distributed environment according to some embodiments of the present disclosure.

Referring to FIG. 3, the processor 110 of the authentication node 100 may transmit a cooperation request signal to at least one cooperating node in order to perform identity authentication for an authenticated entity (S100).

In the present disclosure, an entity may include an individual, a corporation (organization, corporate institution, etc.), and objects (cell phone, automobile, IoT device, etc.) in reality. In the present disclosure, the authentication entity is a trusted subject that has already authenticated its identity from an existing external certification authority, and intends to perform identity authentication of the authenticated entity and register the identification information of the authenticated entity on the blockchain network 400. It can be an individual, a corporation, or an object.

In addition, the authenticated entity may be an individual, corporation, or thing that wishes to record its own identification information in the blockchain network 400.

Specifically, in the present disclosure, the authenticated entity may include a minor, an individual whose identity is not registered with an external authentication authority (a government institution or a financial institution such as a bank).

Identity authentication may refer to a process of verifying whether a subject related to the identity information of the authenticated entity matches the authenticated entity.

For example, the identity authentication may be to determine whether the information described in an image such as a resident registration card or license obtained from the authenticated entity matches information stored in a node related to the entity performing identity authentication. As another example, identity authentication may be to determine whether an answer to a question related to information (eg, matters related to family or relatives) that only the authenticated entity can know is correct. Details related to a specific method of performing identity authentication will be described later.

The cooperation request signal may be a signal that requests the cooperating node 300a, 300b, 300 to cooperate with the identity authentication with respect to the authenticated entity that has first performed the identity authentication procedure in the processor 110.

In an identity authentication method based on a distributed environment such as the method presented in this disclosure, there is no centralized authentication subject. Accordingly, in order to secure the reliability of the identity authentication result of a specific authenticated entity, it may be necessary to accumulate the identity authentication results of multiple nodes. That is, the identity of the authenticated entity can obtain sufficient reliability by accumulating the results of identity authentication performed by several nodes, and the identity of the authenticated entity that has obtained such reliability is stored in the blockchain network 400 in the form of identification information. Can be recorded.

Specifically, the cooperation request signal may be made by one or several cooperating nodes. In FIG. 3, only the first cooperative node and the second cooperative node are shown, but the number of nodes for which cooperation requests are made may vary according to a specific implementation environment such as a field to which the method proposed in the present disclosure is applied, an infrastructure level, etc. . Some embodiments related to the number of cooperative nodes are described below.

In the present disclosure, the cooperating node 300 may perform identity authentication of the authenticated entity related to the authenticated node 200 in response to a cooperation request from the authentication node 100. Additional identity authentication by the cooperative node 300 may be required to secure trust in the identity of the authenticated entity in a distributed environment in which a centralized authentication authority does not exist.

According to some embodiments of the present disclosure, the number of cooperative nodes 300 may be determined by multiplying the number of nodes included in the blockchain network 400 by a preset ratio.

However, as described above, the number of cooperative nodes 300 is not limited thereto, and may vary according to a specific implementation environment.

As the processor 310 of the cooperative node (300a, 300b; 300) receives the cooperative request signal from the authentication node in step S100, the cooperative consent signal for performing identity authentication for the authenticated entity is transmitted to the authentication node. Can be transmitted (S200).

The cooperation consent signal may mean a response to the cooperation request signal received from the authentication node 100. The processor 310 may receive input from a user related to the cooperating node 300 whether to consent to cooperation, and accordingly, may determine whether to transmit a cooperation consent signal.

When the processor 110 of the authentication node 100 receives the cooperation agreement signal from the cooperating node 300 in step S200 through the communication unit 130, the first information is transmitted to the authenticated node or at least one cooperating node. Can be (S300). The processor 110 may allow the authentication target node 200 and the cooperative node 300 to perform identity authentication through step S300.

Here, the first information may include information related to the identity of the authenticated entity.

Specifically, the information related to the identity of the entity to be authenticated refers to the social security number, social security number, license number, address, contact information, photo, voice, and serial number that can identify the object if the entity to be authenticated is an object. It may be information such as. Information related to the identity of the authenticated entity is not limited to the above-described example, and may include any information capable of identifying the authenticated entity.

For convenience, in the present disclosure, a description will be made based on the content of the processor 110 transmitting the first information to the node 200 to be authenticated through the communication unit 130. However, the processor 110 may transmit the first information to the cooperating node 300 through the communication unit 130 or may transmit the first information to both the authenticated node 200 and the cooperating node 300.

When the processor 210 of the authenticated node 200 receives the first information from the authentication node 100 through step S300, it cooperates with at least one signal requesting to perform identity authentication for the authenticated entity. It can be transmitted to the node 300 (S400).

When the processor 310 of the cooperative node (300a, 300b; 300) receives a signal requesting to perform identity authentication for the authenticated entity in step (S400), at least one of the image comparison technique or the zero-knowledge proof technique Identity authentication for the authenticated entity may be performed on the basis of (S500).

Here, the identity authentication request signal may include first information related to the identity of the entity to be authenticated.

The image comparison technique may be a method of determining whether an object included in two images is the same subject.

Specifically, the image comparison technique may perform image comparison based on a neural network function including two or more dimensional reduction layers and two or more dimensional expansion layers. Also, the image comparison technique may include an image comparison technique based on U-Net.

However, the image comparison technique is not limited to the above-described example, and may include all image comparison techniques that are easy for a person skilled in the art. The processor 310 may determine the identity of the identity-related image included in the first information and the image included in the authentication data obtained from the authenticated node using an image comparison technique, and thereby perform identity authentication. .

The processor 310 may also perform identity authentication of the authenticated entity based on a zero-knowledge proof.

Zero-knowledge proof can be defined as a system that proves to the verifier that the prover knows the knowledge without revealing the knowledge and information he knows. Here, the prover is a subject proving that he/she knows the corresponding knowledge, and in some embodiments of the present disclosure, it may be an authenticated entity or a related authenticated node 200. The verifier is a subject that verifies the fact that the prover knows the knowledge, and may be the cooperative node 300 in some embodiments of the present disclosure.

In order to perform identity authentication based on zero-knowledge proof, the processor 310 may request and receive proof data from the node 200 to be authenticated through the communication unit 330. By using the zero-knowledge authentication technique, it is possible to perform identity authentication for the authenticated node without direct exposure to the identity information of the authenticated entity. Accordingly, privacy protection of the authenticated entity can be achieved.

The proof data is information of the same kind corresponding to information used for identity authentication among information included in the first information, and means information that is required to be the same as the first information. Details of the proof data will be described later in FIG. 6.

When the processor 210 of the node to be authenticated 200 receives a signal indicating that identity authentication has been performed from the cooperative node 300, it may transmit a completion signal for identity authentication to the authentication node (S600).

The processor 110 of the authentication node 100 configures the blockchain network 400 with identification information of the authenticated entity when receiving a completion signal for identity authentication from the authenticated node 200 or the cooperative node 300 It can be transmitted to at least one node (S700). Through this, it is possible to cause a plurality of nodes constituting the blockchain network 400 to record identification information through a consensus algorithm.

Here, the identification information is information including information (attribute) about the identity of the entity to be authenticated, and may be information generated by the authentication node.

For example, the identification information may be Verifiable Claims. Verifiable details can be stored and transmitted in data units, and can be verified by any entity. The verifiable details may consist of metadata, contents, and signature of the issuer (in this disclosure, an authentication entity).

In some embodiments of the present disclosure, the identification information may be compatible with a standard format for distributed digital ID. The digital ID may mean information that enables personal identification in cyberspace such as various IDs, resident numbers, e-mail addresses, credit card numbers, and addresses. In addition, distributed digital IDs (Distributed Identifiers) may refer to IDs that a user creates, owns, and controls independently of an organization or government. An example of a distributed digital ID may be a globally unique identifier linked to Decentralized Public Key Infrastructure (DPKI) metadata consisting of a JSON document including public key material, authentication descriptor, and service endpoint.

When the identification information according to some embodiments of the present disclosure is configured to be compatible with the standard for digital ID, the identification information according to the present disclosure may be later transplanted to another blockchain network related to the digital ID. Accordingly, identification information authenticated in the present disclosure can be used for various services without an additional authentication procedure.

In some other embodiments of the present disclosure, identification information may be encrypted with a public key associated with a wallet owned by the authentication entity of the authentication node based on an asymmetric encryption algorithm.

The asymmetric encryption algorithm may be an encryption method in which an encryption key used to encrypt information and a decryption key used to restore encrypted information are different from each other.

Here, the public key of the authentication entity may be related to a wallet owned by the authentication entity when the authentication entity is a participant participating in the blockchain network 400.

When the identification information of the authenticated entity is recorded in the blockchain network 400 without a protection means, information related to the identity of the authenticated entity is disclosed to all entities participating in the blockchain network 400. In this case, a problem regarding the privacy of the authenticated entity may occur. Accordingly, as described above, when the identification information is encrypted with the public key of the authentication entity, it can be decrypted only with the private key of the authentication entity, thereby protecting the privacy of the authenticated entity.

When a plurality of nodes constituting the blockchain network 400 receives identification information of an authenticated entity from the authentication node 100, the identification information may be recorded in the blockchain network 400 through a consensus algorithm (S800). ).

As described above through steps S100 to S800, authentication for the identity of a specific entity can be performed through the accumulation of trust of multiple nodes without relying on a centralized certification authority, and the result is transmitted to the blockchain. It can be recorded in the form of identification information. The identity information of the authenticated entity (included in the identification information) recorded in the blockchain is disclosed to all participants of the blockchain network 400, and the information once recorded in the blockchain is difficult to forge and alter. Therefore, according to the present disclosure, KYC (Know Your Customer) can be performed smoothly even if there is no centralized certification authority.

4 is a flowchart illustrating an example in which a processor of an authentication node verifies a completion signal received from an authenticated node and determines whether to transmit identification information to a blockchain network.

Referring to FIG. 4, the processor 110 of the authentication node 100 may recognize second information included in the completion signal for identity authentication (S710).

Here, the second information may mean a plain text or an encrypted text generated by a preset protocol.

For example, when the identity authentication method according to the present disclosure is set to include the sentence "PEN PINEAPPLE APPLE PEN" or "PPAP" which encrypts the sentence when transmitting a completion signal for identity authentication, the second information is " PEN PINEAPPLE APPLE PEN" or "PPAP" may mean.

However, the second information is not limited thereto, and may include any information that allows the authentication node to recognize that identity authentication has been completed.

As described above, when pre-set information is included in the authentication completion signal, it is possible to check whether identity authentication is complete. In addition, when it is encrypted and transmitted, it is possible to prevent forgery and alteration of the authentication signal by a third party.

When the processor 110 recognizes the second information in step S710, the processor 110 determines whether the information previously stored in the memory 120 matches the second information, and if they do match, the identification information of the entity to be authenticated is sent to the blockchain network. It may be transmitted to at least one configuring node (S720).

Specifically, when the second information is plain text, the processor 110 may compare the information previously stored in the memory with the second information. When the second information is an encrypted text, information obtained by decoding the second information may be compared with information previously stored in the memory. In addition, information previously stored in the memory 120 may be encrypted and compared with the encrypted second information.

5 is a signal flow diagram showing an example in which a transaction of an authenticated entity is approved by performing KYC of an authenticated entity using identity information recorded in a blockchain network.

Referring to FIG. 5, the processor 210 of the node to be authenticated 200 may access the private key of the entity to be authenticated (S910).

Although not shown in the drawing, a login using ID/PW, a login using biometric authentication, or the like may be used to access the private key of the entity to be authenticated.

After the processor 210 accesses the private key of the entity to be authenticated in step S910, the processor 210 may generate transaction information including the first digital signature signed with the private key of the entity to be authenticated (S920).

The digital signature may be a type of electronic signature using an asymmetric encryption algorithm (public key cryptography). Through the first digital signature, the entity to be authenticated can prove that it has created transaction information and that the created content has not been forged or altered during the transmission/reception process.

Here, the private key may be a private key used in secret without being disclosed among asymmetric key pairs used in an asymmetric encryption algorithm (public key encryption method). The public key may be a public key among asymmetric key pairs.

The transaction information may include the contents of a contract made by an entity to be authenticated with another subject. For example, when an authenticated entity that is a minor enters into a sales contract for a passenger car with a third party, the sales contract or specific details of the sales contract may be transaction information.

The processor 210 may transmit the generated transaction information to the authentication node 100 through the communication unit 230 (S930).

The processor 110 of the authentication node 100 may verify the first digital signature included in the received transaction information with the public key of the entity to be authenticated (S940). Here, the public key of the entity to be authenticated may correspond to the private key of the entity to be authenticated. Since the details of the verification of the digital signature are self-evident to a person skilled in the art, detailed descriptions will be omitted.

When the processor 110 completes the verification of the first digital signature, a second digital signature generated using the private key of the authentication entity is added to the first digital signature to generate a multiple digital signature. I can.

Specifically, the multi-digital signature may include a method of adding a second digital signature to transaction information including the first digital signature. The method of generating multiple digital signatures is not limited thereto, and may include both methods for verifying the authenticity of transaction information using both the public key of the authenticated entity and the public key of the authentication entity.

By generating the above-described multiple digital signatures, the authentication entity can first verify whether transaction information is created by the entity to be authenticated. The authentication entity may guarantee the validity of transaction information to a plurality of nodes included in the blockchain network 400 by adding its own signature after verifying that the transaction information has not been forged or altered.

The processor 110 may transmit the generated multiple digital signatures to the node to be authenticated through the communication unit 130 (S960).

The processor 210 of the node to be authenticated 200 may transmit the received multiple digital signature to at least one node constituting the blockchain network through the communication unit 230 (S970).

A plurality of nodes constituting the blockchain network 400 may verify multiple digital signatures, and if the verification is successful, may approve the transaction.

Verification of multiple digital signatures may include both verification of the second digital signature of the authenticating entity and verification of the first digital signature of the authenticated entity.

In FIG. 5, when the verification of multiple digital signatures is successful, it is disclosed that the transaction is approved, but whether the transaction is approved and whether the digital signature is verified may occur independently. That is, a plurality of nodes constituting the blockchain network 400 may recognize identification information of the entity to be authenticated corresponding to the digital signature of the entity to be authenticated when the digital signature is successfully verified. Through this, KYC (Know Your Customer) can be performed.

Here, KYC may be to confirm the identity of a customer, whether a person is an actual party, and the purpose of a transaction, so that services of a financial institution are not used for illegal activities such as money laundering.

For example, a plurality of nodes constituting the blockchain network 400 are not used for illegal activities such as money laundering based on the identity included in the identification information of the authenticated entity recorded in the blockchain and the received transaction information. You can check whether or not. However, a specific method of performing KYC on the authenticated entity is not limited to the above-described example.

6 is a flowchart illustrating an example in which an authenticated node transmits authentication data necessary for performing identity authentication to a cooperative node.

Referring to FIG. 6, the processor 210 of the node to be authenticated 200 may receive a request signal for authentication data corresponding to the first information from the at least one cooperative node 300 through the communication unit 230. (S410).

Here, the first information is information related to the identity authentication of the entity to be authenticated described above in FIG. 3 and may include a resident registration number or the like.

The proof data may include at least one of data related to identification information or data required for zero-knowledge proof.

Specifically, when the proof data is data related to identification, for example, if the first information is a resident registration number or a license number, the proof data may be an image of a resident registration card or driver's license.

As another example, when the first information is a picture or voice of the authenticated entity, the proof data may be a picture of the authenticated entity or a voice recorded of the voice of the authenticated entity.

Examples of the proof data are not limited to those described above, and may vary according to the type of first information.

When identity authentication at the cooperative node 300 is performed based on a zero-knowledge proof technique, if the first information is information about a question in zero-knowledge proof, the proof data includes an answer to the question included in the first information. It can be data.

In an embodiment related to zero-knowledge proof, the zero-knowledge proof technique may include a technique based on identity information, a technique using discrete algebra, and a technique using an asymmetric encryption system. Accordingly, questions and answers may not be limited to content based on the identity information.

The processor 210 may transmit the authentication data obtained from the authenticated entity to at least one cooperative node (S420).

In order to obtain proof data from the authenticated entity, the processor 210 allows the authenticated entity to capture an image, record a voice, answer a question, etc. at the terminal associated with the node 200 to be authenticated. 200) can be controlled.

By transmitting the proof data to the cooperative node 300 as described above, identity authentication by at least one of an image comparison technique or a zero-knowledge proof technique may be performed by the cooperative node 300. However, a specific technique for performing identity authentication is not limited to the above-described example.

The system for identity authentication according to some embodiments of the present disclosure may generate a private key and a public key of a cryptocurrency wallet for an entity to be authenticated. The system for identity authentication may deliver the private key and public key of the wallet owned by the authenticated entity in the process of performing identity authentication. In addition, the system for identity authentication may include the private key and public key generated for the authenticated entity for which identity authentication has been completed in the digital ID and record it in the blockchain network 400.

Hereinafter, an identity authentication system for generating a private key and a public key of a wallet owned by an authenticated entity and transmitting it to a node to be authenticated will be described with reference to the drawings.

7 is a signal flow diagram showing an example of a system for generating a private key and a public key of a wallet owned by an authenticated entity, transferring it to an authenticated node, and recording it in a blockchain network.

Referring to FIG. 7, the processor 110 of the authentication node 100 may generate a first private key and a first public key of a first wallet owned by an entity to be authenticated (S110).

A wallet according to some embodiments of the present disclosure may mean a database storing a private key and a public key in the blockchain network 400 or a software managing a private key and a public key.

As another example, the first private key and the first public key may be generated by a deterministic wallet protocol and a non-deterministic wallet protocol.

In some embodiments of the present disclosure, the first private key and the first public key may be generated by a Hierarchical Deterministic Wallet protocol.

When generating the first private key and the first public key based on the hierarchical deterministic wallet protocol, there is an advantage that the authentication entity can track the usage history of the first wallet of the authenticated entity. Accordingly, when the authenticated entity is a subordinate entity of the authentication entity such as a minor or an agency, it may be easier for the authentication entity to manage transactions of the authenticated entity.

The processor 110 may transmit the second public key and the first public key of the second wallet owned by the authentication entity to the at least one cooperative node 300 through the communication unit 130 (S120).

When the cooperative nodes 300a, 300b; 300 receive the second public key and the first public key included in the cooperative request signal from the authentication node 100, a cooperative consent signal for performing identity authentication for the authenticated entity May be transmitted to the authentication node 100 through the communication unit 330 (S210).

The cooperation agreement signal according to some embodiments of the present disclosure may include a public key related to the cooperation node 300 in an embodiment related to a cryptocurrency wallet.

The processor 110 of the authentication node 100 may generate at least one encryption key when receiving a cooperation consent signal from the cooperation node 300 (S310).

In some embodiments according to the present disclosure, the number of at least one encryption key may be the same as the number of cooperative nodes 300. That is, when there are N cooperative nodes 300, the processor 110 may generate N encryption keys.

Further, when the number of cooperative nodes 300 and the number of generated encryption keys are the same, each of the encryption keys and each of the cooperative nodes may correspond on a one-to-one basis. That is, the encryption key KeyA may correspond to the first cooperating node 300a, and the encryption key KeyB may correspond to the second cooperating node 300b.

The processor 110 may generate first data by encrypting the first private key using at least one generated encryption key (S320). A specific method of generating the first data will be described later in FIG. 8.

The first data may be generated so that the node to be authenticated 200 can obtain the first private key after completing identity authentication in the cooperative node 300. This will be described in detail below.

After generating the first data, the processor 110 may generate second data by encrypting at least one generated encryption key (S330).

A specific method of generating the second data will be described later in FIG. 9.

The second data may be data including all of the data obtained by encrypting KeyA and KeyB described above. The second data may be used by the cooperative node 300 to complete the identity authentication, so that the authenticated node 200 extracts the first private key later. This will be described in detail below.

The processor 110 may generate third data by signing the first public key with the second private key of the second wallet in order to prove that the first private key has been generated by the authentication entity (S340).

As the first data, the second data, and the third data are generated, the processor 110 avoids the first data, the second data, and the third data through the communication unit 130 in conjunction with transmitting the first information. It may be transmitted to an authentication node or a cooperative node (S350).

In FIG. 7, the first to third data is shown to be transmitted to the node 200 to be authenticated, but the present disclosure is not limited thereto, and the first to third data may be transmitted to the cooperative node 300, It may be transmitted to both the cooperative node 300 and the authenticated node 200.

By the above-described steps (S310) to (S350), the authenticated node 200 cannot obtain the first private key until it receives the encryption key obtained by decrypting the second data from the cooperative node 300. Accordingly, in addition to identity authentication in a distributed environment by cooperation of a plurality of nodes to be achieved in the present disclosure, transmission of the private key to the wallet of the authenticated entity can be securely performed.

The processor 210 of the node to be authenticated 200 may receive the first data to the third data and the first information generated through the steps S310 to S330 through the communication unit 230 (S430). ).

The processor 210 may transmit the second data and the third data to at least one cooperative node (S440).

When the processor 310 of the cooperative node (300a, 300b; 300) receives an identity authentication request signal from the authenticated node, the signature included in the third data is verified with the public key of the authentication entity and the public key of the authenticated entity. It can be done (S510).

In some embodiments of the present disclosure, the identity authentication request signal is a second data that encrypts at least one encryption key generated to encrypt a first private key of a wallet owned by the authenticated entity and the second data owned by the authenticated entity. The first public key of the wallet may further include third data signed with the second private key of the wallet owned by the authentication entity.

Here, since verification of the signature included in the third data is self-evident to a person skilled in the art, a detailed description will be omitted.

By verifying the signature included in the third data, the processor 310 can recognize that the first private key and the first public key related to the entity to be authenticated have been properly generated by the authentication node 100.

When the verification of the signature included in the third data is completed, the processor 310 of each of the cooperative nodes 300a and 300b decrypts one of the at least one encryption key included in the second data with its own private key. Data can be created.

Specifically, when the first cooperating node corresponds to the above-described encryption key KeyA, the first cooperating node may recognize eKeyA included in the second data. Here, eKeyA may be data encrypted with KeyA.

In some embodiments of the present disclosure, eKeyA may be data obtained by encrypting KeyA with the public key of the first cooperative node. The processor 310 may extract KeyA by decrypting eKeyA with the private key of the first cooperative node. In this case, the fourth data may include KeyA.

In this way, when KeyA is encrypted with the public key of the first cooperating node, decryption of eKeyA is possible only by using the private key of the first cooperating node. Accordingly, when the eKeyA is decrypted, it can be determined that KeyA has been extracted by the first cooperative node, so that trust in the generation of KeyA can be achieved.

As described above, it is possible to generate the fourth data in the second to the Nth cooperative node. However, the generation of the fourth data is not limited to the above-described example.

The processor 310 may transmit the fourth data generated through the communication unit 330 to the authenticated node 200 (S530).

The processor 210 of the node to be authenticated 200 receives the encryption key from the cooperating node 300 when identity authentication is completed in the cooperating node 300, and uses the encryption key received from the cooperating node to provide first data. The first private key may be extracted from the first data by decrypting (S610).

Here, the encryption key received from the cooperative node 300 may be included in the fourth data. The fourth data may include an encryption key extracted by decrypting the second data transmitted to the cooperative node 300 through step S440 in step S520.

For example, when the processor 210 receives encryption keys from all of the cooperative nodes 300, the processor 210 may decrypt the first data using all the received encryption keys. The processor 210 may extract the first private key from the decrypted first data.

As another example, when extracting the first private key from the first data, threshold cryptography may be used.

The threshold encryption technique may be an encryption technique in which N subjects share a portion of an encryption key for a specific ciphertext, and when a predetermined portion of K or more cipher keys are collected, the ciphertext can be decrypted. Accordingly, in the case of using the threshold encryption technique, it is possible to extract the first private key even if the encryption key is not received from all cooperative nodes.

In a distributed environment to which some embodiments of the present disclosure are applied, since all cooperative nodes may not always be able to participate in authentication, if the threshold encryption method is used, private key transmission to the authenticated node is performed only with cooperation of only a part of the cooperative nodes. It can be possible.

The method of extracting the first private key is not limited to the above-described example.

When the processor 210 extracts the first private key in step S610, the processor 210 generates second information, which is a plain text or cipher text generated by a preset protocol to prove that identity authentication has been completed, and sends it to the authentication node 100. Can be transmitted (S620).

As described above with reference to FIG. 4, an example of the second information is when it is set to include the sentence “PEN PINEAPPLE APPLE PEN” or the “PPAP” encrypted with the sentence, the second information is “PEN PINEAPPLE APPLE PEN”. Or it may mean "PPAP".

However, the second information is not limited thereto, and may include any information that allows the authentication node to recognize that identity authentication has been completed.

After generating the second information, the processor 210 may sign the second information with the first private key and transmit it to the authentication node (S620).

As described above, when the second information is signed with the first private key and transmitted to the authentication node, it can be proved that the second information has not been forged or altered. Therefore, it can be guaranteed that the private key delivery process is complete.

The processor 110 of the authentication node 100 may recognize the signature generated with the first private key included in the completion signal for identity authentication (S730).

Here, the signature generated by the first private key may be related to the plaintext or the ciphertext generated by a preset protocol.

The processor 110 may verify the signature generated with the first private key recognized in step S730 with the first public key (S740). Here, the first public key may correspond to the first private key and may be a public key of a wallet owned by the authentication entity.

When the verification of the signature generated by the first private key is completed, the processor 110 may transmit identification information of the authenticated entity to at least one node constituting the blockchain network (S750).

The identification information according to some embodiments of the present disclosure may include a first private key of a wallet owned by the authenticated entity or a second private key of a wallet owned by the authentication entity.

Through this, as described in FIG. 5, when the identification information of the entity to be authenticated is recorded on the blockchain network, the identification information of the entity to be authenticated is determined using the private key or public key information of the entity to be authenticated and the entity to be authenticated. I can access it.

When the blockchain network 400 receives identification information of the authenticated entity from the authentication node 100, it may be recorded in the blockchain based on a consensus algorithm.

As shown in FIG. 7, since the authenticated node 200 cannot extract the first private key until the encryption key obtained by the cooperative node 300 is completed, only the authenticated entity for which identity authentication has been completed is provided. 1 Can issue private keys.

8 is a flowchart illustrating an example in which a processor of an authentication node encrypts a first private key using a key envelope algorithm to generate first data.

The key wrapping algorithm is a kind of symmetric key algorithm, and can be defined as a method of encrypting a specific key with another encryption key.

Referring to FIG. 8, the processor 110 of the authentication node 100 may generate a combination encryption key using at least one encryption key (S321 ).

The processor 110 may encrypt the first private key with the combination encryption key generated in step S321 (S322).

When the above-described steps (S321) and (S322) are performed, the first private key may be encrypted using a key envelope algorithm. The key enveloping algorithm can be mainly used to deliver a specific key through a network that is not reliable. In most cases, each node participating in a distributed environment to which the present disclosure is applied has insufficient reliability compared to an external certification authority. Therefore, when the key envelope algorithm is used, the first private key can be more securely encrypted.

9 is a diagram illustrating an example in which a processor of an authentication node generates second data by encrypting at least one encryption key.

Here, each of the at least one encryption key may correspond to each of the at least one cooperative node 300.

The processor 110 of the authentication node 100 may receive the public key from each of the at least one cooperative node 300 through the communication unit 130 (S331).

The processor 110 may encrypt each of the at least one encryption key with a public key of a corresponding cooperative node (S332).

It may be determined whether authentication has been performed in each of the cooperative nodes through the above-described steps S331 and S332.

10 shows a simplified and general schematic diagram of an exemplary computing environment in which some embodiments of the present disclosure may be implemented.

The computer 1102 illustrated in FIG. 10 may correspond to at least one of an authentication node 100, an authentication target node 200, a cooperative node 300, and a computing device included in the blockchain network 400.

While the present disclosure has generally been described above with respect to computer-executable instructions that may be executed on one or more computers, those skilled in the art will appreciate that the present disclosure may be implemented in combination with other program modules and/or as a combination of hardware and software. I will know.

In general, modules herein include routines, procedures, programs, components, data structures, etc. that perform particular tasks or implement particular abstract data types. Further, to those skilled in the art, the method of the present disclosure is not limited to single-processor or multiprocessor computer systems, minicomputers, mainframe computers, as well as personal computers, handheld computing devices, microprocessor-based or programmable household appliances, and the like (each of which It will be appreciated that it may be implemented with other computer system configurations, including one or more associated devices).

The described embodiments of the present disclosure may also be practiced in a distributed computing environment where certain tasks are performed by remote processing devices that are connected through a communication network. In a distributed computing environment, program modules may be located in both local and remote memory storage devices.

Computers typically include a variety of computer-readable media. A computer-accessible medium includes volatile and non-volatile media, transitory and non-transitory media, and removable and non-removable media. By way of example, and not limitation, computer-readable media may include computer-readable storage media and computer-readable transmission media.

Computer-readable storage media include volatile and nonvolatile media, transitory and non-transitory media, removable and non-removable media implemented in any method or technology for storing information such as computer-readable instructions, data structures, program modules or other data. Includes the medium. Computer-readable storage media include RAM, ROM, EEPROM, flash memory or other memory technology, CD-ROM, digital video disk (DVD) or other optical disk storage, magnetic cassette, magnetic tape, magnetic disk storage, or other magnetic storage. Devices, or any other medium that can be accessed by a computer and used to store desired information.

Computer-readable transmission media typically implement computer-readable instructions, data structures, program modules or other data on a modulated data signal such as a carrier wave or other transport mechanism. Includes all information delivery media. The term modulated data signal refers to a signal in which one or more of the characteristics of the signal is set or changed to encode information in the signal. By way of example, and not limitation, computer-readable transmission media include wired media such as a wired network or direct-wired connection, and wireless media such as acoustic, RF, infrared, and other wireless media. Combinations of any of the above-described media are also intended to be included within the scope of computer-readable transmission media.

An exemplary environment 1100 is shown that implements various aspects of the present disclosure including a computer 1102, which includes a processing device 1104, a system memory 1106, and a system bus 1108. do. System bus 1108 couples system components, including but not limited to, system memory 1106 to processing device 1104. The processing unit 1104 may be any of a variety of commercially available processors. Dual processors and other multiprocessor architectures may also be used as processing unit 1104.

The system bus 1108 may be any of several types of bus structures that may be additionally interconnected to a memory bus, a peripheral bus, and a local bus using any of a variety of commercial bus architectures. System memory 1106 includes read-only memory (ROM) 1110 and random access memory (RAM) 1112. The basic input/output system (BIOS) is stored in non-volatile memory 1110 such as ROM, EPROM, EEPROM, etc. This BIOS is a basic input/output system that helps transfer information between components in the computer 1102, such as during startup. Includes routines. RAM 1112 may also include high speed RAM such as static RAM for caching data.

Computer 1102 also includes internal hard disk drive (HDD) 1114 (e.g., EIDE, SATA)-This internal hard disk drive 1114 can also be configured for external use within a suitable chassis (not shown). Yes--, magnetic floppy disk drive (FDD) 1116 (for example, to read from or write to removable diskette 1118), and optical disk drive 1120 (e.g., CD-ROM For reading the disk 1122 or reading from or writing to other high-capacity optical media such as DVD). The hard disk drive 1114, magnetic disk drive 1116, and optical disk drive 1120 are each connected to the system bus 1108 by a hard disk drive interface 1124, a magnetic disk drive interface 1126, and an optical drive interface 1128. ) Can be connected. The interface 1124 for implementing an external drive includes, for example, at least one or both of USB (Universal Serial Bus) and IEEE 1394 interface technologies.

These drives and their associated computer readable media provide non-volatile storage of data, data structures, computer executable instructions, and the like. In the case of computer 1102, drives and media correspond to storing any data in a suitable digital format. Although the description of the computer-readable storage medium above refers to a removable optical medium such as a HDD, a removable magnetic disk, and a CD or DVD, those skilled in the art may include a zip drive, a magnetic cassette, a flash memory card, a cartridge, It will be appreciated that other types of computer-readable storage media, such as etc., may also be used in the exemplary operating environment and that any such media may contain computer-executable instructions for performing the methods of the present disclosure. .

A number of program modules, including the operating system 1130, one or more application programs 1132, other program modules 1134, and program data 1136, may be stored in the drive and RAM 1112. All or part of the operating system, applications, modules, and/or data may also be cached in RAM 1112. It will be appreciated that the present disclosure may be implemented on a number of commercially available operating systems or combinations of operating systems.

A user may input commands and information to the computer 1102 through one or more wired/wireless input devices, for example, a pointing device such as a keyboard 1138 and a mouse 1140. Other input devices (not shown) may include a microphone, IR remote control, joystick, game pad, stylus pen, touch screen, and the like. These and other input devices are often connected to the processing unit 1104 through the input device interface 1142, which is connected to the system bus 1108, but the parallel port, IEEE 1394 serial port, game port, USB port, IR interface, It can be connected by other interfaces such as etc.

A monitor 1144 or other type of display device is also connected to the system bus 1108 through an interface such as a video adapter 1146. In addition to the monitor 1144, the computer generally includes other peripheral output devices (not shown) such as speakers, printers, etc.

Computer 1102 may operate in a networked environment using logical connections to one or more remote computers, such as remote computer(s) 1148 via wired and/or wireless communication. The remote computer(s) 1148 may be a workstation, server computer, router, personal computer, portable computer, microprocessor-based entertainment device, peer device, or other common network node, and is generally referred to as a computer 1102. It includes many or all of the described components, but for brevity, only memory storage device 1150 is shown. The logical connections shown include wired/wireless connections to a local area network (LAN) 1152 and/or to a larger network, eg, a wide area network (WAN) 1154. Such LAN and WAN networking environments are common in offices and companies, and facilitate an enterprise-wide computer network such as an intranet, all of which can be connected to a worldwide computer network, for example the Internet.

When used in a LAN networking environment, the computer 1102 is connected to the local network 1152 via a wired and/or wireless communication network interface or adapter 1156. Adapter 1156 may facilitate wired or wireless communication to LAN 1152, which also includes a wireless access point installed therein to communicate with wireless adapter 1156. When used in a WAN networking environment, the computer 1102 may include a modem 1158, connected to a communication server on the WAN 1154, or through the Internet, etc. to establish communication through the WAN 1154 Have means. The modem 1158, which may be an internal or external and a wired or wireless device, is connected to the system bus 1108 through a serial port interface 1142. In a networked environment, program modules described for the computer 1102 or portions thereof may be stored in the remote memory/storage device 1150. It will be appreciated that the network connections shown are exemplary and other means of establishing communication links between computers may be used.

Computer 1102 is associated with any wireless device or entity deployed and operated in wireless communication, e.g., a printer, scanner, desktop and/or portable computer, portable data assistant (PDA), communication satellite, wireless detectable tag. It operates to communicate with any device or place and phone. This includes at least Wi-Fi and Bluetooth wireless technologies. Thus, the communication may be a predefined structure as in a conventional network or may simply be ad hoc communication between at least two devices.

Wi-Fi (Wireless Fidelity) allows you to connect to the Internet, etc. without wires. Wi-Fi is a wireless technology such as a cell phone that allows such devices, for example computers, to transmit and receive data indoors and outdoors, ie anywhere within the coverage area of a base station. Wi-Fi networks use a wireless technology called IEEE 802.11 (a,b,g, etc.) to provide a secure, reliable and high-speed wireless connection. Wi-Fi can be used to connect computers to each other, to the Internet, and to a wired network (using IEEE 802.3 or Ethernet). Wi-Fi networks can operate in unlicensed 2.4 and 5 GHz radio bands, for example at 11 Mbps (802.11a) or 54 Mbps (802.11b) data rates, or in products that include both bands (dual band). have.

A person of ordinary skill in the art of the present disclosure includes various exemplary logical blocks, modules, processors, means, circuits and algorithm steps described in connection with the embodiments disclosed herein, electronic hardware, (convenience). For the sake of clarity, it will be appreciated that it may be implemented by various forms of program or design code or a combination of both (referred to herein as "software"). To clearly illustrate this interchangeability of hardware and software, various illustrative components, blocks, modules, circuits and steps have been described above generally in terms of their functionality. Whether such functionality is implemented as hardware or software depends on the particular application and design constraints imposed on the overall system. A person of ordinary skill in the art of the present disclosure may implement the described functions in various ways for each particular application, but such implementation decisions should not be interpreted as causing a departure from the scope of the present disclosure.

The various embodiments presented herein may be implemented as a method, apparatus, or article of manufacture using standard programming and/or engineering techniques. The term “article of manufacture” includes a computer program, carrier, or media accessible from any computer-readable device. For example, computer-readable storage media include magnetic storage devices (e.g., hard disks, floppy disks, magnetic strips, etc.), optical disks (e.g., CD, DVD, etc.), smart cards, and flash Memory devices (eg, EEPROM, cards, sticks, key drives, etc.), but are not limited thereto. The term “machine-readable medium” includes, but is not limited to, wireless channels and various other media capable of storing, holding, and/or transmitting instruction(s) and/or data.

It is to be understood that the specific order or hierarchy of steps in the presented processes is an example of exemplary approaches. Based on the design priorities, it is to be understood that within the scope of the present disclosure a specific order or hierarchy of steps in processes may be rearranged. The appended method claims provide elements of the various steps in a sample order, but are not meant to be limited to the specific order or hierarchy presented.

The description of the presented embodiments is provided to enable any person skilled in the art to make or use the present disclosure. Various modifications to these embodiments will be apparent to those of ordinary skill in the art, and general principles defined herein may be applied to other embodiments without departing from the scope of the present disclosure. Thus, the present disclosure is not limited to the embodiments presented herein, but is to be interpreted in the widest scope consistent with the principles and novel features presented herein.

The scope of the rights to the method in the claims of the present disclosure is generated by the functions and features described in each step, and unless the precedence of the order is specified in each step constituting the method, the claims It is not affected by the order of description of each step in For example, in the claims described in a method including steps A and B, even if step A is described before step B, the scope of rights is not limited to that step A must precede step B.

Claims (23)

A computer program stored on a computer-readable storage medium, the computer program comprising instructions for causing a processor of an authentication node to perform the following steps, the steps:
Transmitting a cooperation request signal to at least one cooperating node to perform identity authentication for the authenticated entity;
When an acceptance signal for the cooperation request signal is received from the at least one cooperating node, the first information is transmitted to the authenticated node or the at least one cooperating node, and the authenticated node and the at least one cooperating node Causing identity authentication to be performed, the first information including information related to the identity of the authenticated entity; And
When the completion signal for the identity authentication is received from the authenticated node or the at least one cooperative node, by transmitting the identification information of the authenticated entity to at least one node constituting the blockchain network, a plurality of nodes Causing to record the identification information through a consensus algorithm;
Containing,
A computer program stored on a computer-readable storage medium.
The method of claim 1,
The number of the at least one cooperative node is,
It is determined by multiplying the number of nodes included in the blockchain network by a preset ratio,
A computer program stored on a computer-readable storage medium.
The method of claim 1,
The identification information,
Compatible with the standard format for distributed digital ID,
A computer program stored on a computer-readable storage medium.
The method of claim 1,
The identification information,
Information encrypted with the public key of the authentication entity of the authentication node based on an asymmetric encryption algorithm,
A computer program stored on a computer-readable storage medium.
The method of claim 1,
When the completion signal for the identity authentication is received from the authenticated node or the at least one cooperative node, transmitting the identification information of the authenticated entity to at least one node constituting a blockchain network,
Recognizing second information included in the completion signal for the identity authentication; And
When the second information matches information previously stored in the memory of the authentication node, transmitting identification information of the authenticated entity to at least one node constituting a blockchain network;
Including,
The second information,
Including plain text or cipher text generated by a preset protocol,
A computer program stored on a computer-readable storage medium.
The method of claim 1,
In order to perform identity authentication for the authenticated entity, transmitting a cooperation request signal to at least one cooperating node,
Generating a first private key and a first public key of a first wallet owned by the authenticated entity; And
Transmitting a second public key and the first public key of a second wallet owned by the authentication entity of the authentication node to at least one cooperative node;
Containing,
A computer program stored on a computer-readable storage medium.
The method of claim 6,
The first private key and the first public key,
Created based on the layered deterministic wallet protocol,
A computer program stored on a computer-readable storage medium.
The method of claim 6,
When receiving an acceptance signal for the cooperation request signal from the at least one cooperating node, transmitting the first information to the authenticated node or the at least one cooperating node,
Generating at least one encryption key;
Generating first data by encrypting the first private key by using the at least one encryption key;
Generating second data by encrypting the at least one encryption key;
Generating third data by signing the first public key with a second private key of the second wallet to prove that the first private key has been generated by an authentication entity; And
In conjunction with transmitting the first information to the authenticated node or the at least one cooperative node, the first data, the second data, and the third data are transferred to the authenticated node or the at least one cooperative node. Transmitting;
Containing,
A computer program stored on a computer-readable storage medium.
The method of claim 8,
Generating the first data by encrypting the first private key using the at least one encryption key,
Generating a combination encryption key based on the at least one encryption key; And
Encrypting the first private key with the combination encryption key;
Containing,
A computer program stored on a computer-readable storage medium.
The method of claim 8,
Each of the at least one encryption key,
Corresponding to the at least one cooperative node,
Generating the second data by encrypting the at least one encryption key,
Receiving a public key from each of the at least one cooperative node; And
Encrypting each of the at least one encryption key with a public key of a corresponding cooperative node;
Containing,
A computer program stored on a computer-readable storage medium.
The method of claim 6,
When the completion signal for the identity authentication is received from the authenticated node or the at least one cooperative node, transmitting the identification information of the authenticated entity to at least one node constituting a blockchain network,
Recognizing a signature generated with the first private key included in the completion signal for the identity authentication;
Verifying the signature generated with the first private key with the first public key; And
When verification of the signature generated by the first private key is completed, transmitting identification information of the authenticated entity to at least one node constituting a blockchain network;
Including
The signature generated with the first private key,
Related to plaintext or ciphertext generated by a preset protocol,
A computer program stored on a computer-readable storage medium.
The method of claim 1,
The above steps are:
Receiving transaction information including a first digital signature signed with the private key of the entity to be authenticated from the node to be authenticated;
Verifying the first digital signature with the public key of the entity to be authenticated corresponding to the private key of the entity to be authenticated;
Generating a multiple digital signature by adding a second digital signature generated using the private key of the authentication entity of the authentication node to the first digital signature; And
Transmitting the multiple digital signatures to the authenticated node;
Further comprising,
A computer program stored on a computer-readable storage medium.
A computer program stored in a computer-readable storage medium, the computer program comprising instructions for causing a processor of a node to be authenticated to perform the following steps, the steps:
When the first information related to identity authentication is received from the authentication node, the at least one cooperating node performs the identity authentication by transmitting a signal requesting to perform the identity authentication for the authenticated entity to at least one cooperating node. Causing to perform; And
When a signal indicating that the identity authentication has been performed is received from the at least one cooperative node, transmitting a completion signal for the identity authentication to an authentication node;
Containing,
A computer program stored on a computer-readable storage medium.
The method of claim 13,
When first information related to identity authentication is received from an authentication node, transmitting a signal requesting to perform the identity authentication for the authenticated entity to at least one cooperative node,
Receiving a request signal for proof data corresponding to the first information from the at least one cooperative node; And
Transmitting the proof data obtained from the authenticated entity to the at least one cooperative node;
Including,
The proof data,
Containing at least one of data related to identification information or data required for proof of zero knowledge,
A computer program stored on a computer-readable storage medium.
The method of claim 13,
When first information related to identity authentication is received from the authentication node, transmitting a signal requesting to perform the identity authentication for the authenticated entity to at least one cooperative node,
First data obtained by encrypting the first private key of the wallet owned by the authenticated entity using at least one encryption key, second data obtained by encrypting the at least one encryption key generated to encrypt the first private key, and Receiving a first public key corresponding to the first private key with a second private key of a wallet owned by the authentication entity of the authentication node from the authentication node along with the first information; And
Transmitting the second data and the third data to the at least one cooperative node;
Containing,
A computer program stored on a computer-readable storage medium.
The method of claim 15,
When a signal indicating that the identity authentication has been performed is received from the at least one cooperative node, transmitting a completion signal for the identity authentication to the authentication node,
Receiving the at least one encryption key extracted by decrypting the second data when identity authentication is completed by the at least one cooperative node; And
Extracting the first private key from the first data by decrypting the first data using the encryption key when an encryption key is received from a cooperative node equal to or greater than a preset number;
Containing,
A computer program stored on a computer-readable storage medium.
The method of claim 16,
When a signal indicating that the identity authentication has been performed is received from the at least one cooperative node, transmitting a completion signal for the identity authentication to the authentication node,
Generating second information, which is a plain text or a cipher text generated by a preset protocol to prove that the identity authentication has been completed; And
Generating third information by signing the second information with the first private key;
Further comprising,
A computer program stored on a computer-readable storage medium.
A computer program stored in a computer-readable storage medium, the computer program comprising instructions for causing a processor of a cooperative node to perform the following steps, the steps:
When receiving a cooperation request signal from the authentication node, transmitting a cooperation consent signal for performing identity authentication to the authenticated entity to the authentication node; And
When receiving an identity authentication request signal from an authenticated node, performing the identity authentication for the authenticated entity based on at least one of an image comparison scheme and a zero-knowledge authentication scheme;
Including,
The identity authentication request signal,
Comprising first information related to the identity of the authenticated entity,
A computer program stored on a computer-readable storage medium.
The method of claim 18,
A cooperative consent signal for performing identity authentication for the authenticated entity,
Including the public key of the cooperative node,
A computer program stored on a computer-readable storage medium.
The method of claim 18,
The identity authentication request signal,
The authentication entity owns the second data encrypted with at least one encryption key generated to encrypt the first private key of the wallet owned by the authenticated entity and the first public key of the wallet owned by the authenticated entity. Further comprising third data signed with the second private key of the wallet,
When receiving an identity authentication request signal from an authenticated node, performing the identity authentication for the authenticated entity based on an image comparison scheme or a zero-knowledge authentication scheme,
Verifying the signature included in the third data with the public key of the authentication entity and the public key of the authenticated entity;
Generating fourth data obtained by decrypting one of at least one encryption key included in the second data using the private key of the cooperative node when verification of the signature included in the third data is completed; And
Transmitting the fourth data to the node to be authenticated;
Containing,
A computer program stored on a computer-readable storage medium.
As an authentication node,
Processor;
Memory; And
Communication department;
Including,
The processor,
In order to perform identity authentication for the authenticated entity, when a cooperation request signal is transmitted to at least one cooperating node and an acceptance signal for the cooperation request signal is received from the at least one cooperating node, the first information is avoided. Transmits to the authentication node or the at least one cooperating node to cause the authentication to be performed at the authenticated node and the at least one cooperating node-The first information includes information related to the identity of the authenticated entity -, when the completion signal for the identity authentication is received from the authenticated node or the at least one cooperative node, by transmitting the identification information of the authenticated entity to at least one node constituting the blockchain network, a plurality of Causing the node of to record the identification information through a consensus algorithm,
A computing device that provides identity authentication in a distributed environment.
As an authenticated node,
Processor;
Memory; And
Communication department;
Including,
The processor,
When the first information related to identity authentication is received from the authentication node, the at least one cooperating node performs the identity authentication by transmitting a signal requesting to perform the identity authentication for the authenticated entity to at least one cooperating node. And when a signal indicating that the identity authentication has been performed is received from the at least one cooperative node, transmitting a completion signal for the identity authentication to an authentication node,
A computing device that provides identity authentication in a distributed environment.
As a cooperative node,
Processor;
Memory; And
Communication department;
Including,
The processor,
When a cooperation request signal is received from the authentication node, a cooperation agreement signal for performing identity authentication for the authenticated entity is transmitted to the authentication node, and when an identity authentication request signal is received from the authenticated node, an image comparison method or zero Performing the identity authentication for the authenticated entity based on at least one of knowledge proof techniques,
The identity authentication request signal,
Comprising first information related to the identity of the authenticated entity,
A computing device that provides identity authentication in a distributed environment.

Images