KR20220160210A - method and apparatus for user registration and authentication using Decentralized Identity - Google Patents

Abstract

A user registration method using a decentralized identification (DID) according to an embodiment of the present invention comprises: a step of receiving a user registration request message including a first DID from a user terminal; a step of transmitting the registration request message to a legacy system; a step of requesting verification information from a first DID domain on the basis of a verification information request from the legacy system; a step of transmitting the verification information of the first DID domain to the legacy system; a step of receiving a validation result for the verification information and a first update request message of a first DID document from the legacy system; and a step of transmitting the first update request message to the user terminal. According to the present invention, user registration and verification services can be provided by matching an issued decentralized identification with an ID and password of a legacy system. In addition, according to the present invention, user registration and verification services can be provided between multiple blockchain domain services on the basis of an issued decentralized identification.

Description

Method and apparatus for user registration and authentication using decentralized identity {method and apparatus for user registration and authentication using Decentralized Identity}

The present invention relates to a technology for registering a user in a system using a decentralized identification (DID) and verifying the user in the system.

In particular, the present invention relates to a technique for registering and verifying a user in a legacy system using an ID and password using a DID.

In particular, the present invention relates to a technology for registering and verifying a user in a multi-blockchain environment using DID.

Recently, decentralized identity (DID) technology is attracting attention as a technology to replace the existing centralized identity certification system. DID is a structure in which individuals manage their own data directly, rather than a central institution, and unlike the existing method, it is not necessary to provide all personal information in the process of using the service.

Microsoft has released a preview version of the Bitcoin blockchain-based decentralized identity project Aion (Identity Overlay Network, ION) as an open source. He suggested that he would innovate in the right direction. DID development projects are also actively underway in Korea.

There are many systems currently being developed for linkage between existing decentralized identity verification systems and block chains, but the DID system between multiple blocks is not linked. In addition, although a service for verifying the user's identity is being used through the DID system, a matching system for ID and password of the conventional legacy system does not currently exist. For this reason, there is an urgent need for a matching system with the conventional legacy system and a DID system between multiple blockchains.

Korean Registered Patent Publication No. 10-2248237 (Title of Invention: DID system using browser-based security PIN authentication and its control method)

The purpose of the present invention is to provide user registration and verification services by matching the issued decentralized ID (DID) with the ID and password of the legacy system.

In addition, an object of the present invention is to provide user registration and verification services between multi-blockchain domain services based on the issued decentralized ID (DID).

A user registration method using a decentralized identification (DID) according to an embodiment of the present invention for achieving the above object includes receiving a user registration request message including a first DID (Decentralized Identity) from a user terminal; Transmitting the registration request message to the legacy system, requesting verification information from a first DID domain based on the legacy system's request for verification information, forwarding verification information of the first DID domain to the legacy system Receiving a validation result of the verification information and a first update request message of a first DID document from the legacy system, and transmitting the first update request message to the user terminal. .

At this time, the method of registering a user using the DID according to the embodiment may be performed by a user verification support device.

At this time, the user registration method using DID according to an embodiment of the present invention includes the steps of transmitting a second update request message of the user terminal to the first DID domain, and sending an update completion message of the first DID domain to the user. The step of delivering to the terminal may be further included.

At this time, the registration request message may further include an ID and password corresponding to the legacy system.

At this time, the first update request message includes a first message authentication code generated using a first hash value for the user's ID and the first DID, and a first signature value for the first message authentication code. can do.

In this case, the second update request message may include the first signature value, the first message authentication code, a second hash value, and a second signature value for the second hash value.

In this case, the first hash value may be generated using the user's password and a first variable.

In this case, the second hash value may be generated using a difference between the first variable and the second integer and the password of the user.

At this time, the update completion message of the first domain includes a second message authentication code generated using a signature verification result of the second signature value, a third hash value for the ID of the user and the first DID, and the first DID. 1 May be delivered if the verification result of the message authentication code is true.

In this case, the third hash value may be generated using the second integer and the second hash value.

At this time, the verification information received from the first DID domain may include a first DID document and metadata for the first DID document.

In this case, the first update request message may be received based on a validation result of the first DID using the metadata.

In addition, a user verification method using a decentralized identification card according to an embodiment of the present invention for achieving the above object includes the steps of receiving a user verification request message including a signature value and a first DID from a user terminal; Transmitting a verification request message to the legacy system, requesting verification information from a first DID domain corresponding to a first DID based on the legacy system's request for verification information, and receiving verification information from the first DID domain. It may include transmitting to the legacy system, and receiving a validation result for the verification information from the legacy system.

At this time, the verification information received from the first DID domain may include a first DID document and metadata for the first DID document.

In this case, a validation result of the validation information may correspond to a validation result of the first DID using the metadata and a validation result of a legacy system ID in the first DID document.

A user registration method using a decentralized ID according to another embodiment of the present invention for achieving the above object includes receiving a user registration request message including a first DID (Decentralized Identity) from a user terminal, the registration request Transmitting a message to a first DID domain corresponding to the first DID, verifying the second DID domain based on a request for verification information for a second DID corresponding to the second DID domain of the first DID domain. Requesting information, transferring verification information of the second DID domain to the first DID domain, and verifying validity of the verification information of the second DID domain from the first DID domain and updating the first DID document. It may include receiving a result.

At this time, the method of registering a user using a decentralized identification card according to an embodiment may be performed in a user verification supporting device.

At this time, the registration request message may further include a second DID, a first signature value corresponding to the first DID, and a second signature value corresponding to the second DID.

At this time, the verification information request for the second DID may be requested based on a result of verifying the signature of the first signature value and verifying the validity of the first DID.

At this time, the verification information received from the second DID domain may include a second DID document and metadata about the second DID document.

In this case, the validity verification of the verification information of the second DID domain may include signature verification of the second signature value and validity verification of the second DID.

In this case, the update result of the first DID document may include whether information of the second DID is updated in the first DID document.

In this case, when the information of the second DID is updated in the first DID document, an update completion message may be delivered to the user terminal.

A user verification method using a decentralized identification card according to another embodiment of the present invention for achieving the above object includes receiving an authentication request message including a first signature value and a first DID from a user terminal, the authentication Transmitting a request message to a service channel capable of user verification through the second DID domain, requesting first verification information from a first DID domain corresponding to a first DID based on a request for verification information of the service channel , transmitting the first verification information received from the first DID domain to the service channel, and receiving a validation result for the second verification information from the service channel.

In this case, the verification information received from the first DID domain may include a first DID document, a second DID, and metadata for the first DID document.

At this time, validation of the second validation information may be performed when a validation result using the first validation information in the service channel is true.

In this case, the second verification information may be transferred from the second DID domain to the service channel based on the verification information request of the service channel.

In this case, the second verification information may include a second DID document and metadata about the second DID document.

In this case, the validation result of the second verification information may correspond to the validation result of the second DID using the metadata of the second DID document.

According to the present invention, a user registration and verification service can be provided by matching the issued decentralized identification card with the ID and password of the legacy system.

In addition, according to the present invention, it is possible to provide user registration and verification services between multiple blockchain domain services based on the issued decentralized ID.

1 is a block diagram showing the configuration of a user verification system using a decentralized identification card according to an embodiment of the present invention.
2 is a flowchart illustrating a user registration method using a decentralized identification card according to an embodiment of the present invention.
3 is a flowchart illustrating a user verification method using a decentralized identification card according to an embodiment of the present invention.
4 is a flowchart illustrating a user registration method using a decentralized identification card according to another embodiment of the present invention.
5 is a flowchart illustrating a user verification method using a decentralized identification card according to another embodiment of the present invention.
6 is a ladder diagram illustrating a process of registering a user in a legacy system using a decentralized ID card.
FIG. 7 is a ladder diagram illustrating a method of verifying a user after registering authentication for a DID in a legacy system through the method of FIG. 6 .
8 is a ladder diagram illustrating a DID registration method for receiving an identity authentication service of another DID domain using an issued DID.
9 is a ladder diagram illustrating a method of verifying a user in another DID domain service after authentication registration for another DID domain through the method of FIG. 8 .
10 is a diagram showing the configuration of a computer system according to an embodiment.

Advantages and features of the present invention, and methods of achieving them, will become clear with reference to the detailed description of the following embodiments taken in conjunction with the accompanying drawings. However, the present invention is not limited to the embodiments disclosed below, but will be implemented in various different forms, only these embodiments make the disclosure of the present invention complete, and common knowledge in the art to which the present invention belongs. It is provided to fully inform the holder of the scope of the invention, and the present invention is only defined by the scope of the claims. Like reference numbers designate like elements throughout the specification.

Although "first" or "second" is used to describe various elements, these elements are not limited by the above terms. Such terms may only be used to distinguish one component from another. Therefore, the first component mentioned below may also be the second component within the technical spirit of the present invention.

Terms used in this specification are for describing embodiments and are not intended to limit the present invention. In this specification, singular forms also include plural forms unless specifically stated otherwise in a phrase. As used herein, "comprises" or "comprising" implies that a stated component or step does not preclude the presence or addition of one or more other components or steps.

Unless otherwise defined, all terms used herein may be interpreted as meanings commonly understood by those of ordinary skill in the art to which the present invention belongs. In addition, terms defined in commonly used dictionaries are not interpreted ideally or excessively unless explicitly specifically defined.

Hereinafter, embodiments of the present invention will be described in detail with reference to the accompanying drawings, and when describing with reference to the drawings, the same or corresponding components are given the same reference numerals, and overlapping descriptions thereof will be omitted. .

An embodiment of the present invention includes a process of proving a user's identity using a single decentralized ID (DID) in multiple blockchains, and a process of updating the DID document when linking the decentralized ID with a legacy system. includes In addition, through the existing certification authority, the user includes the process of holding the DID.

In addition, a user terminal according to an embodiment of the present invention may execute a service application capable of verifying an identity in a user's mobile device. An embodiment of the present invention is a process in which a user proves and receives a user's identity from an identity authentication authority, a process of updating authentication information of a legacy system and authentication information of multiple blockchain services in a user's DID document, and other blockchain services. It can include a mobile application that allows users to manage decentralized identification, such as a process of requesting authentication for use.

In addition, the embodiment of the present invention uses a decentralized ID (DID) to match the user authentication of the legacy system with the web, app, and system service that authenticated the user's identity using an ID and password. DID) and the process of matching the user of the legacy system and the process of processing data updated in the DID document.

Hereinafter, a user registration and verification method using a decentralized identification card according to an embodiment of the present invention will be described in detail with reference to FIGS. 1 to 10 .

1 is a block diagram showing the configuration of a user verification system using a decentralized identification card according to an embodiment of the present invention.

Referring to Figure 1, the user verification system using a decentralized ID (DID) according to an embodiment of the present invention is a user terminal 101 in which the decentralized ID (DID) is stored, digital identity information is distributed Blockchain DID domain (A) (401), DID document (402), a document in which user identity information is stored, service that requires user authentication within another blockchain DID using DID (A) (303), DID document (B) may be included.

In addition, a broker between the legacy system 301 using ID and password, the user terminal 101, the legacy system 301, the blockchain DID domain (A) 401 and the blockchain DID domain (B) 302 It may include an agent 401 that plays a role.

In this specification, a user terminal may correspond to a wallet capable of storing a user's decentralized identification (DID).

For example, the user terminal includes a cellular phone, a personal communication system (PCS), a personal data assistant (PDA), an international mobile telecommunication-2000 (IMT-2000) terminal, and a smart phone. It is meant to include all of a smart phone, a notebook, a personal computer (PC), and a tablet personal computer (tablet PC).

The following embodiment will explain how to connect legacy systems and multi-blockchain DID services through one decentralized ID, but it can be applied to all intra-blockchain services and legacy system services.

2 is a flowchart illustrating a user registration method using a decentralized identification card according to an embodiment of the present invention.

Referring to FIG. 2 , in the user registration method according to an embodiment of the present invention, a user registration request message including a first decentralized identity (DID) is received from a user terminal (S210).

At this time, the registration request message may further include an ID and password corresponding to the legacy system.

Next, the user verification support device transmits the user registration request message including the first DID to the legacy system using the ID and password (S220).

At this time, the legacy system receiving the registration request message can check the ID and password included in the registration request message. After verifying the ID and password, the legacy system may request verification information of the first DID from the user verification support device.

Next, the user verification support device requests verification information from the first DID domain based on the verification information request of the legacy system (S230).

The first DID domain that has received a request for verification information on the first DID domain from the user verification supporting apparatus may collect and transmit the verification information to the user verification supporting apparatus.

Next, the user verification support device may transmit the verification information received from the first DID domain to the legacy system (S240).

Next, the user verification support device may receive a validity verification result for the verification information and a first update request message of the first DID document from the legacy system (S250).

At this time, the verification information received from the 1st DID domain includes a 1st DID document and metadata for the 1st DID document, and the 1st update request message is the validity of the 1st DID using the metadata. It may be received based on the verification result.

Next, the user verification support device may transmit the first update request message to the user terminal based on the validation result (S260).

At this time, although not shown in FIG. 2, the user registration method according to an embodiment of the present invention transmits the second update request message of the user terminal to the first update request message after performing the step (S260) of transmitting the first update request message. It is delivered to the DID domain, and the update completion message of the first DID domain may be delivered to the user terminal again.

At this time, the first update request message includes a first message authentication code generated using a first hash value for the user's ID and the first DID, and a first signature value for the first message authentication code. can do.

In this case, the first hash value may be generated using the user's password and the first variable.

In this case, the first hash value, the first message authentication code, and the first signature value may be generated in the legacy system.

In this case, the second update request message may include the first signature value, the first message authentication code, a second hash value, and a second signature value for the second hash value.

In this case, the second hash value may be generated using a difference between the first variable and the second integer and the password of the user.

At this time, the second hash value and the second signature value may be generated in the user terminal.

At this time, the update completion message of the first DID domain includes the second message authentication code generated using the signature verification result of the second signature value, the user's ID and the third hash value for the first DID, and the first DID. 1 It can be delivered based on the verification result of the message authentication code.

In this case, the third hash value may be generated using the second integer and the second hash value.

In this case, the third hash value and the second message authentication code may be generated in the first DID domain.

3 is a flowchart illustrating a user verification method using a decentralized identification card according to an embodiment of the present invention.

Referring to FIG. 3 , the user verification method performed by the user verification support device may receive a user verification request message including a signature value and a first DID from a user terminal (S310).

Next, the user verification support device may transmit the verification request message to the legacy system (S320).

Next, the user verification support device may request verification information from the first DID domain corresponding to the first DID based on the verification information request of the legacy system (S330).

Next, the user verification support device may transmit the verification information received from the first DID domain to the legacy system (S340).

At this time, the verification information received from the first DID domain includes a first DID document and metadata for the first DID document, and the validation result for the verification information is the first DID document using the metadata. It may correspond to a validation result of the DID and a validation result of the legacy system ID in the first DID document.

At this time, validation of the validation information may be performed in the legacy system. Upon completion of validating the verification information, the legacy system may transmit whether ID authentication has succeeded (failed) to the user verification support device.

The user verification support device may receive a validity verification result for the verification information from the legacy system (S350).

Although not shown in FIG. 3 , the user verification support device may deliver the validation result received from the legacy system to the user terminal.

In addition, the user verification method using the decentralized ID (DID) of FIG. 3 may be registered by the user registration method of FIG. 2 and then performed based on the registration result.

4 is a flowchart illustrating a user registration method using a decentralized ID (DID) according to another embodiment of the present invention.

Referring to FIG. 4 , in a user registration method according to another embodiment of the present invention, a user registration request message including a first decentralized identity (DID) is received from a user terminal (S410).

At this time, the user registration request message may further include a second DID, a first signature value corresponding to the first DID, and a second signature value corresponding to the second DID.

Next, the user verification support device may transmit the registration request message to the first DID domain corresponding to the first DID (S420).

At this time, the first DID domain may perform signature verification on the first signature value and validity verification on the first DID. When the signature verification for the first signature value and the validity verification for the first DID are completed, verification information for the second DID may be requested from the user verification support device.

Next, the device for supporting user verification may request verification information from the second DID domain based on the request for verification information for the second DID corresponding to the second DID domain of the first DID domain (S430).

In this case, the request for verification information for the second DID may be requested based on a result of verifying the signature of the first signature value and verifying the validity of the first DID.

Next, the device for supporting user verification may transmit verification information of the second DID domain to the first DID domain (S440).

At this time, the verification information received from the second DID domain includes a second DID document and metadata for the second DID document, and the validity verification for the verification information of the second DID domain includes the second DID document. It may include verifying the signature of the signature value and verifying the validity of the second DID.

At this time, validation of the verification information of the second DID domain may be performed in the first DID domain. The first DID domain may update the first DID document and transmit the update result when the validation result of the verification information of the second DID domain is true.

Next, the device for supporting user verification may receive a result of validating the verification information of the second DID domain and updating the first DID document from the first DID domain (S450).

In this case, the update result of the first DID document may include whether or not the second DID information is updated in the first DID document.

In this case, although not shown in FIG. 4 , when the information of the second DID is updated in the first DID document, the user verification support device may transmit an update completion message to the user terminal.

5 is a flowchart illustrating a user verification method using a decentralized ID (DID) according to another embodiment of the present invention.

Referring to FIG. 5 , the apparatus for supporting user verification may receive an authentication request message including a first signature value and a first DID from the user terminal (S510).

Next, the user verification support device may transmit the authentication request message to a service channel capable of user verification through the second DID domain (S520).

Next, the device for supporting user verification may request first verification information from the first DID domain corresponding to the first DID based on the request for verification information of the service channel (S530).

Upon receiving the first verification information request message, the first DID domain may collect and transmit the verification information to the user verification support device.

Next, the user verification supporting device may transmit the first verification information received from the first DID domain to the service channel (S540).

In this case, the verification information received from the first DID domain may include a first DID document, a second DID, and metadata for the first DID document.

At this time, the service channel receiving the verification information received from the first DID domain may perform validity verification and signature verification for the first DID. In addition, in order to verify the validity of the second DID, the second verification information may be requested from the second DID domain.

Upon receiving the second verification information request message, the second DID domain may collect second verification information and deliver the second verification information to the service channel.

The service channel may perform validity verification on the second DID based on the second verification information transmitted from the second DID domain.

Next, the user verification support device may receive a validity verification result for the second verification information from the service channel (S550).

At this time, validation of the second validation information may be performed when a validation result using the first validation information in the service channel is true.

Also, the second verification information may be transferred from the second DID domain to the service channel based on a request for verification information of the service channel.

In this case, the second verification information may include a second DID document and metadata for the second DID document, and the validation result for the second verification information may be obtained using the metadata for the second DID document. It may correspond to the validation result of the second DID.

In addition, the user verification method using the decentralized ID (DID) of FIG. 5 may be performed based on the registration result after being registered by the user registration method of FIG. 4 .

6 is a ladder diagram illustrating a process of registering a user in a legacy system using a decentralized ID (DID).

In this case, the legacy system 301 may correspond to a legacy system that verifies a user using an ID and a password.

At this time, the legacy system 301 may correspond to a system that receives and stores a separate decentralized identification (DID) or uses an X.509 certificate.

The user terminal 101 transfers the ID, password, and DID(A) to the agent in order to register the DID(A) in the legacy system 301 (S602).

In this case, the agent 201 may correspond to a user verification supporting device that supports a legacy system using an ID and password to verify a user using a decentralized identification card.

The agent 201 receiving the user's ID, password, and DID (A) transfers them to the legacy system 301 (S604).

The legacy system 301 confirms the usage information by checking the ID and password of the received message (S606).

After verifying user information, the legacy system 301 requests DID (A) verification information from the DID domain (A) 401 using an agent (S608 and S610).

At this time, the verification information request of the legacy system 301 may correspond to the verification information request for DID(A).

The DID domain (A) 401 requested for the verification information collects the information of the DID(A) and delivers the verification information (DID Doc(A), Metadata) for the DID(A) to the agent 201 ( S612).

The legacy system 301 receives verification information for DID(A) through the agent 201 (S614), and confirms the validity of DID(A) through metadata in the received DID(A) verification information (S616). ).

If the validity of DID(A) is verified, the legacy system 301 generates a hash-based message authentication code (HMAC) and a signature value (S618).

More specifically, the legacy system 301 converts the user's password into a hash function to generate a hash value (HV), and uses the HV to generate a DID (A) and a message authentication code value for the ID (hash-based message authentication code, HMAC) to create an MV. The legacy system 301 generates a signature value (SV) by signing the MV (S618).

While transmitting the SV and MV generated by the legacy system 301 to the user terminal 101, an update request is made to DID Doc(A) (S620 and S622).

At this time, the transmission and update request of the SV and MV generated by the legacy system 301 may be performed through the agent 201 (S620 and S622).

When receiving an update request for DID Doc(A) from the legacy system 301, the user terminal 101 may generate a hash value and a signature value (S624).

In more detail, the user terminal 101 may generate the hash value HV' using an integer (n - α) obtained by subtracting α from the variable n used when generating the hash value HV using the user's password (S624 ).

In addition, the user terminal 101 generates a signature value SV' using the DID private key for HV' (S624).

The user terminal 101 requests an update for DID Doc(A) to the DID domain (A) 401 (S626).

At this time, an update request for the DID domain (A) 401 of the user terminal 101 may be performed through the agent 201 .

At this time, the user terminal 101 may transmit {ID, DID(A)}, {SV, MV}, {α, HV', SV'} values to the DID domain (A) 401 .

The DID domain (A) 401 may perform DID document inquiry and signature verification on the signature value based on the received message (S628).

In more detail, the DID domain (A) 401 searches DID Doc (A) for the DID based on the received message, and verifies the SV' signature using the public key of the searched Doc (A). Proceed (S628).

When the DID document search and verification of the signature value SV' are completed, the DID domain (A) 401 searches the legacy DID Doc (Public Key) or certificate to verify the information related to the legacy system within the information sent by the user. Verification of the SV signature (Secret Key) is performed (S630).

In addition, the DID domain (A) 401 may generate a message authentication code value MV for verification and check whether it matches the MV (S632).

More specifically, the DID domain (A) 401 generates an HV″ value using the received α value and HV′ value, and uses the HV″ (Secret Key) for final verification to generate the DID (A) value. , HMAC value MV'' using ID can be derived (S632). Next, whether the HMAC value and MV'' match is verified.

If the above verification result is true, the DID domain (A) 401 may update the DID DOC (S634) and notify the update result (S636).

At this time, notification of the update result to the user terminal 101 may be performed through the agent 201 (S636).

FIG. 7 is a ladder diagram illustrating a method of verifying a user after registering authentication for a DID in a legacy system through the method of FIG. 6 .

The user terminal 101 transfers the signature value and DID(A) to the agent 201 for user authentication request (S702).

Upon receiving the authentication request message, the agent 201 transfers the received authentication request message (signature value, DID(A)) to the legacy system 301 (S704).

In order to verify the DID information in the received message, the legacy system 301 transmits a request message requesting delivery of the DID (A) verification information to the agent 201 (S706).

The agent 201 receives the corresponding message and forwards it to the DID domain (A) (708).

Upon receiving the verification information request message, the DID domain (A) 401 collects the DID Doc (A) 402 and delivers the DID (A) verification information (DID Doc (ID), Metadata) to the agent 201. (S710).

The agent 201 receiving the verification information delivers the verification information to the legacy system 301 (S712).

Upon receiving the verification information message, the legacy system 301 performs validity verification on DID (A) (S714), and transmits the resultant value for determining the success (failure) of authentication for ID in DID Doc (A) ( S716, S718).

8 is a ladder diagram illustrating a DID registration method for receiving an identity authentication service of another DID domain using an issued DID.

In this embodiment, one DID is taken as an example, but it can be equally applied to a plurality of other domains.

Referring to FIG. 8 , a method for utilizing authentication services in another domain (B) 302 by using a DID (A) issued by a DID domain (A) 301 for which a user terminal 101 has been prepaid can be seen. can

The user terminal 101 uses the agent 201 to store the identity verification information in the DID domain (B) 302 in the DID (A) document. Information of the signature value (B) may be transmitted to the agent 201 (S802).

The agent 201 forwards the received message to the DID domain (A) 401 (S804), and the DID domain (A) 401 receiving the message signs (A) using the information of the DID Doc (A). ) and verify the validity of the DID (A) (S806).

After completing the signature verification and validity verification of DID(A), the DID domain (A) 401 requests verification information of DID(B) from the agent 201 (S808).

Agent 201 requests verification information of DID (B) from DID domain (B) 302 based on the request for verification information of DID (A) (S810).

The DID domain (B) 302 collects the DID Doc (B) and transmits the response value (DID Doc (B), Metadata) to the verification information request to the agent 201 (S812).

The agent 201 transfers the DID (B) verification information received from the DID domain (B) 302 to the DID domain (A) 401 (S814), and the DID domain (A) 401 receiving the message ) verifies the signature (B) verification and the validity of the DID (B) (S816).

Although not shown in FIG. 8 , the DID domain (A) 401 updates DID (B) information in DID Doc (A) when the above signature verification and validity verification are successfully completed.

When the update is completed, the user terminal 101 is notified that the DID Doc(A) has been updated (S818).

At this time, the step of notifying the user terminal 101 of the update completion of DID Doc(A) may be performed through the agent 201.

9 is a ladder diagram illustrating a method of verifying a user in another DID domain service after authentication registration for another DID domain through the method of FIG. 8 .

The user terminal 101 transfers the signature value and VC (DID (A)) to the blockchain DID domain (B) service 303 through the agent (S902).

Upon receiving the DID information, the agent 201 forwards the authentication request message to the DID domain (B) service system 303 (S904).

The service system 303 requests identity authentication information for DID(A) from the agent 201 to check DID(A) information (S904).

The agent 201 forwards the received authentication information request to the blockchain DID domain (A) 401 (S906), collects DID (A) document information, and delivers it to the DID domain (B) service 303 (S906). S908).

The DID domain (B) service 303 performs signature verification transmitted by the user through the received message and verifies the validity of the DID (A) (S912).

DID Domain (B) service collects DID Doc (B) in DID Domain (B) 302 to verify the validity of DID (B) in DID Doc (A) when verification of DID (A) is completed. (S914, S916).

The validity of the DID (B) is verified within the DID domain (B) service 303 (S918), and authentication success (failure) is transmitted to the user terminal 101 according to the result (S920).

At this time, the step of conveying the authentication success or failure to the user terminal 101 (S920) may be performed through the agent 201.

10 is a diagram showing the configuration of a computer system according to an embodiment.

A user registration and verification device using a decentralized ID (DID) according to an embodiment may be implemented in the computer system 1000 such as a computer-readable recording medium.

Computer system 1000 may include one or more processors 1010, memory 1030, user interface input devices 1040, user interface output devices 1050, and storage 1060 that communicate with each other via a bus 1020. can In addition, computer system 1000 may further include a network interface 1070 coupled to network 1080 . The processor 1010 may be a central processing unit or a semiconductor device that executes programs or processing instructions stored in the memory 1030 or the storage 1060 . The memory 1030 and the storage 1060 may be storage media including at least one of volatile media, nonvolatile media, removable media, non-removable media, communication media, and information delivery media. For example, memory 1030 may include ROM 1031 or RAM 1032 .

The specific implementations described herein are examples and do not limit the scope of the invention in any way. For brevity of the specification, description of conventional electronic components, control systems, software, and other functional aspects of the systems may be omitted. In addition, the connection of lines or connecting members between the components shown in the drawings represent functional connections and / or physical or circuit connections by way of example, and in actual devices, various functional connections that are replaceable or additional, physical connection, or circuit connections. In addition, if there is no specific reference such as “essential” or “important”, it may not be a component necessarily required for the application of the present invention.

Therefore, the spirit of the present invention should not be limited to the above-described embodiments and should not be determined, and all scopes equivalent to or equivalently changed from the claims as well as the claims to be described later are within the scope of the spirit of the present invention. will be said to belong to

101: user terminal
201: User Verification Support Device (Agent)
301: legacy system
401: DID domain (A)

Claims (18)

A method for registering a user using a decentralized ID (DID) in a legacy system using an ID and password performed in a user verification device,
Receiving a user registration request message including a first decentralized identity (DID) from a user terminal;
transmitting the registration request message to the legacy system;
requesting verification information from a first DID domain based on a request for verification information from the legacy system;
transmitting verification information of the first DID domain to the legacy system;
Receiving a validity verification result of the verification information and a first update request message of a first DID document from the legacy system; and
Transmitting the first update request message to the user terminal;
A user registration method using a decentralized identification (DID) comprising a. The method of claim 1,
transmitting a second update request message of the user terminal to the first DID domain; and
transmitting an update completion message of the first DID domain to the user terminal;
A user registration method using a decentralized identification (DID), characterized in that it further comprises. The method of claim 2,
The registration request message further includes an ID and password corresponding to the legacy system,
The first update request message includes a first message authentication code generated using a first hash value for the user's ID and the first DID, and a first signature value for the first message authentication code,
The second update request message includes the ID of the user, the first signature value, the first message authentication code, a second hash value, and a second signature value for the second hash value. User registration method using centralized identification (DID). The method of claim 3,
The first hash value is
It is generated using the user's password and a first variable,
The second hash value is generated using a difference between the first variable and the second integer and the password of the user. The method of claim 4,
The update completion message of the first DID domain
When the signature verification result of the second signature value and the verification result of the second message authentication code generated using the third hash value for the user's ID and the first DID and the first message authentication code are true, , including whether the user's ID information is updated,
The third hash value is a user registration method using a decentralized identification (DID), characterized in that generated using the second integer and the second hash value. The method of claim 1,
The verification information received from the first DID domain includes a first DID document and metadata for the first DID document,
The first update request message is received based on a validation result of the first DID using the metadata. In the method of verifying the user after registering the user by the method of claim 1,
Receiving a user verification request message including a signature value and a first DID from a user terminal;
transmitting the verification request message to the legacy system;
requesting verification information from a first DID domain corresponding to a first DID based on a request for verification information from the legacy system;
forwarding verification information received from the first DID domain to the legacy system; and
Receiving a validation result for the validation information from the legacy system;
A user verification method using a decentralized identification (DID) comprising a. The method of claim 7,
The verification information received from the first DID domain includes a first DID document and metadata for the first DID document,
The validation result of the validation information includes a validation result of the first DID using the metadata and a validation result of the legacy system ID in the first DID document. User verification method used. A method for registering a user using a decentralized ID (DID) in a second DID domain performed in a user verification device,
Receiving a user registration request message including a first decentralized identity (DID) from a user terminal;
forwarding the registration request message to a first DID domain corresponding to the first DID;
requesting verification information from the second DID domain based on a request for verification information for a second DID corresponding to the second DID domain of the first DID domain;
transmitting verification information of the second DID domain to the first DID domain; and
receiving a result of validating the verification information of the second DID domain and updating the first DID document from the first DID domain;
A user registration method using a decentralized identification (DID) comprising a. The method of claim 9,
The registration request message further includes a second DID, a first signature value corresponding to the first DID, and a second signature value corresponding to the second DID,
The user registration method using a decentralized identification (DID), characterized in that the request for verification information for the second DID is requested based on a result of verifying the signature for the first signature value and verifying the validity of the first DID. The method of claim 10,
The verification information received from the second DID domain includes a second DID document and metadata about the second DID document,
The user registration method using a decentralized identification (DID), characterized in that the validity verification of the verification information of the second DID domain includes signature verification for the second signature value and validity verification of the second DID. The method of claim 11,
The user registration method using a decentralized identification (DID), characterized in that the update result of the first DID document includes whether information of the second DID is updated in the first DID document. The method of claim 12,
When the information of the second DID is updated in the first DID document, a user registration method using a decentralized identification (DID), characterized in that for transmitting an update completion message to the user terminal. In the method of verifying the user after registering the user by the method of claim 9,
Receiving an authentication request message including a first signature value and a first DID from a user terminal;
transmitting the authentication request message to a service channel capable of verifying a user through the second DID domain;
requesting first verification information from a first DID domain corresponding to a first DID based on a request for verification information of the service channel;
transmitting first verification information received from the first DID domain to the service channel; and
Receiving a validity verification result for second verification information from the service channel;
A user verification method using a decentralized identification (DID) comprising a. The method of claim 14,
The verification information received from the first DID domain includes a first DID document, a second DID, and metadata for the first DID document,
Validation of the second verification information is performed when a validity verification result using the first verification information in the service channel is true,
The second verification information is transmitted from the second DID domain to the service channel based on the verification information request of the service channel. The method of claim 15
The second verification information includes a second DID document and metadata about the second DID document,
The user verification method using a decentralized identification (DID), characterized in that the validation result of the second verification information corresponds to the validation result of the second DID using the metadata for the second DID document. a memory in which at least one program is recorded; and
Processor running the program
Including,
said program
Receiving a user registration request message including a first DID from a user terminal;
Transmitting the registration request message to a legacy system using ID and password;
requesting verification information from a first DID domain based on a request for verification information from the legacy system;
transmitting verification information of the first DID domain to the legacy system;
Receiving a validity verification result of the verification information and a first update request message of a first DID document from the legacy system; and
Transmitting the first update request message to the user terminal;
A user verification device using a decentralized identification (DID), characterized in that it includes instructions for the execution of. a memory in which at least one program is recorded; and
Processor running the program
Including,
said program
Receiving a user registration request message including a first decentralized identity (DID) from a user terminal;
forwarding the registration request message to a first DID domain corresponding to the first DID;
requesting verification information from a second DID domain corresponding to the second DID based on the verification information request for the second DID of the first DID domain;
transmitting verification information of the second DID domain to the first DID domain; and
receiving a result of validating the verification information of the second DID domain and updating the first DID document from the first DID domain;
A user verification device using a decentralized identification (DID), characterized in that it includes instructions for the execution of.

Images