TWI661331B - System and method for identity verification and privacy protection in public blockchain - Google Patents


Publication number
TWI661331B
Authority
TW
Taiwan
Prior art keywords
blockchain
certificate
identity
smart contract
registration information
Prior art date
Application number
TW106123596A
Other languages
Chinese (zh)
Other versions
TW201909013A (en)
Inventor
張明哲
張明信
江彬榮
徐克華
Original Assignee
中華電信股份有限公司
Priority date
Filing date
Publication date
Application filed by 中華電信股份有限公司
Priority to TW106123596A
Publication of TW201909013A
Application granted
Publication of TWI661331B

Landscapes

  • Storage Device Security (AREA)

Abstract

The invention provides a system and method, based on a certificate trust architecture, for verifying blockchain identity and protecting privacy. A client device sends registration information. The registration information includes a certificate and a blockchain address, and the certificate records identity information and a public key. An identity registration server verifies the registration information and checks with a public key certificate authority whether the status of the certificate is normal. If it is, the identity registration server registers the registration information with a blockchain smart contract so that it is published to the public blockchain. The blockchain smart contract can then verify identity based on the certificate and the blockchain address, which preserves the public and anonymous character of blockchain transaction information while allowing a user's real identity to be associated when necessary, so as to prevent financial-regulation problems like those arising from Bitcoin payments.

Description

System and method for verifying identity and protecting privacy in a public anonymous environment

The present invention relates to identity verification technology, and in particular to a system and method for verifying identity and protecting privacy in a public anonymous environment.

Conventional identity verification and privacy protection techniques for blockchain systems mostly rely on permission control in the network architecture: a private or consortium blockchain is set up, and only nodes with specific permissions are allowed to connect, transact, validate or mine. A closed chain architecture can protect the private information of system users and can also trace user identities to satisfy certain regulatory requirements, so financial institutions in many countries currently favour private or consortium chains. However, a network architecture that restricts access not only sacrifices the openness and transparency of the blockchain and makes it hard for the system to extend its range of applications; it also cannot prevent users' private and confidential information from being leaked by participants inside the chain. It is therefore not a complete solution.

US Patent Publication No. US9298806 B1, "System and method for analyzing transactions in a distributed ledger", addresses the identity verification problem in public blockchains. It applies data mining: big-data analysis of user identity is performed over all transaction records of the public blockchain, group categories are built from the correlations among user addresses across transactions, and the likely identity of a user is inferred from them to achieve verification. However, besides consuming a large amount of computing resources to analyse the transaction behaviour of each address, the identity verification this method achieves is a probabilistic inference, and it is difficult to confirm a user's real identity.

US Patent Publication No. US9436923 B1, "Tracking unitization occurring in a supply chain", uses the key pair of an asymmetric encryption algorithm to authenticate blockchain users and extends digital signatures and data encryption to supply-chain resource management, so as to protect private information and authenticate identity in a distributed network environment. However, that patent is difficult to link to a user's real identity, and it still does not fully solve identity verification in the anonymous environment of a public blockchain.

The conventional techniques above thus still have many shortcomings, are not well-designed solutions, and are in need of improvement.

In view of this, the present invention provides a system and method for verifying identity and protecting privacy in a public anonymous environment, which maintain the public and anonymous character of the blockchain while also verifying the user's real identity.

To achieve the above object, the present invention provides a method for verifying identity and protecting privacy in a public anonymous environment, applicable to a public blockchain environment. The method includes the following steps. Registration information is obtained and verified. The registration information includes a certificate and a blockchain address, and the certificate records identity information and a public key. Whether the status of the certificate is normal is confirmed. If the status of the certificate is normal, the registration information is registered with a blockchain smart contract so that it is published to the public blockchain.

In another aspect, the present invention provides a system for verifying identity and protecting privacy in a public anonymous environment, applicable to verifying identity in a public blockchain environment. The system includes a client device, a public key certificate authority, a blockchain smart contract and an identity registration server. The client device sends registration information. The registration information includes a certificate and a blockchain address, and the certificate records identity information and a public key. The public key certificate authority provides certificate status information. The identity registration server verifies the registration information and checks with the public key certificate authority whether the status of the certificate is normal. If the status of the certificate is normal, the identity registration server registers the registration information with the blockchain smart contract so that it is published to the public blockchain.

Thus, in the application phase, an application system can confirm a user's real identity through the query and verification service that the embodiments of the invention provide on the public blockchain. The embodiments can therefore fully handle identity verification in the anonymous environment of a public blockchain.

To make the above features and advantages of the present invention easier to understand, embodiments are described in detail below with reference to the accompanying drawings.

FIG. 1 is a schematic diagram of the architecture of a system for verifying identity and protecting privacy in a public anonymous environment according to an embodiment of the present invention. The identity verification system 1 includes one or more client devices 100, a public key certificate authority 200, an identity registration server 300, a blockchain application system 400 and a blockchain smart contract 503.

The client device 100 may be any type of network-capable electronic device, such as a desktop computer, notebook computer, smartphone or tablet. The client device 100 holds the identity registration client module 104 program, the certificate 501, the shared key and other related files or information.

The public key certificate authority 200 is the organization that issues and validates certificates. The certificate status check module 322 checks certificate status using the Online Certificate Status Protocol (OCSP) or the certificate revocation list (CRL) provided by the public key infrastructure (PKI). In the certificate 501 issued and published by the public key certificate authority 200, the public key is bound to personal identity information (that is, the certificate 501 records identity information and a public key).

The identity registration server 300 may be a server, workstation, desktop computer, notebook computer or any other type of network-capable electronic device. It holds programs such as the identity registration server module 321, the certificate status check module 322, the blockchain interface module 323 and the scheduled status update module 324, together with related files or information such as certificate registration data, the shared key and blockchain account information. The operation of each module is described in detail in the embodiments below.

The blockchain application system 400 is a system that uses a distributed blockchain network, and the public blockchain 502 is one in which every participant terminal can access all data and issue transactions. Through the blockchain smart contract 503, the embodiments of the invention provide identity registration, status update and identity verification functions on the public blockchain 502.

To make the operating flow of the embodiments easier to understand, several embodiments are described below to explain in detail how identity is verified in the environment of the public blockchain 502. FIG. 2 is a flowchart of the registration phase according to an embodiment of the present invention. Referring to FIG. 2, the method of this embodiment applies to the devices of the identity verification system 1 in FIG. 1. The method is described below with reference to the components and modules of the client device 100 and the identity registration server 300. The individual steps of the method may be adjusted to suit the implementation and are not limited to what is described here.

The identity registration client module 104 of the client device 100 first assembles the information required for a registration request from the blockchain address to be registered, and then sends the registration request to the identity registration server 300 over the Internet 504 (step S201). The identity registration client module 104 must include a trusted network component, for example a properly signed Java applet or ActiveX component. During registration, the identity registration server module 321 and the identity registration client module 104 carry out a challenge-response protocol. After the identity registration server module 321 receives the registration request (step S202), it generates a random number (code) R and computes the server response code (step S203), then replies to the registration request (the reply includes the server response code) (step S204). The server response code SR is computed as SR = Hash(Address, Key): the identity registration server module 321 hashes the received blockchain address Address together with the shared key Key, where Key is the shared key built into the identity registration server module 321 and client module 104.

After receiving the reply, the identity registration client module 104 must verify the reply information (step S205): it checks whether the server response code SR equals Hash(Address, Key). Once the server response code is verified, the user selects the certificate 501 to register (for example, one conforming to the X.509 standard) and enables its private key (step S206); the client then assembles the registration information for the certificate 501 and digitally signs it (step S207). The registration information for the certificate 501 includes at least, but is not limited to: the blockchain address, the certificate 501, the client response code and the digital signature. The client response code CR is computed as CR = Hash(R, Key), that is, by hashing the received random number R together with the shared key. The client device 100 then sends the registration information for the certificate 501 to the identity registration server 300. After the identity registration server module 321 receives it, it must verify the client response code and the digital signature in the registration information (step S209): for example, the client response code CR must equal Hash(R, Key), and the digital signature is verified with the public key in the certificate 501. Only when both checks pass does the flow proceed to the certificate status check (step S210); otherwise an error message is returned to the client device 100 and the registration procedure ends (step S213). The certificate status check module 322 connects to the public key certificate authority 200 to confirm whether the status of the certificate 501 is normal.

If the digital signature passes verification and the status of the certificate 501 is normal, the identity registration server module 321 records the registration information of the certificate 501 (including the certificate hash message authentication code, the certificate issuer, the certificate expiry date, the certificate status and the corresponding user address) and, through the blockchain interface module 323, calls the smart contract 503 to register the registration information on the public blockchain 502. The identity registration server module 321 first parses the certificate 501 and records the relevant registration information in a database, then passes registration information such as the message authentication code of the certificate 501, the certificate issuer, the certificate expiry date, the certificate status and the corresponding user address as input parameters to the registration function of the blockchain smart contract 503, which it calls through the blockchain interface module 323. The certificate hash message authentication code is there to further protect user privacy: a keyed-hash message authentication code (HMAC) is used so that the registration information of the certificate 501 cannot be used, through the query function of the blockchain smart contract 503, to brute-force search for the related certificate. When the registration function of the blockchain smart contract 503 receives this registration information, it publishes the hash message authentication code of the certificate 501, the certificate issuer, the certificate expiry date, the certificate status, the user address and so on to the public blockchain 502 as the registration information. The blockchain smart contract 503 must also establish a mapping (for example, an index key) from the user's blockchain address to the certificate information, and an index key from the certificate hash message authentication code to the user's blockchain address. If the status check of the certificate 501 (step S210) fails, or the operation of registering to the public blockchain 502 through the blockchain smart contract 503 (step S211) fails, an error message is returned and the registration procedure ends (step S213). The identity registration server 300 waits until the registration transaction of the blockchain smart contract 503 has been confirmed by mining on the public blockchain 502, and then returns a registration-success message (step S212) to the client device 100. The client device 100 can display the registration result on a display unit (for example, an LCD or LED screen) and end the registration procedure (step S214).

If the signature in the registration information fails verification, or the certificate 501 is unusable because its status is revoked, expired or similar, the identity registration server module 321 returns a registration-failure message to the client device 100 and the registration procedure ends (step S213).
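The challenge-response part of the registration phase (steps S201 to S209), as an added example that is not code from the patent: it models both sides, checks SR and CR with constant-time comparison, and consumes R on first use so a captured CR cannot be replayed. Hash(x, Key) is realised as HMAC-SHA256, which is an assumption because the description does not name a hash function; the class and function names are hypothetical, and the digital signature and certificate status checks are left out.

```python
import hashlib
import hmac
import secrets


def keyed_hash(value: bytes, key: bytes) -> bytes:
    """Hash(value, Key) from the description, realised as HMAC-SHA256 (assumption)."""
    return hmac.new(key, value, hashlib.sha256).digest()


class RegistrationServer:
    """Server side of steps S202 to S204 and the CR check of step S209."""

    def __init__(self, shared_key: bytes):
        self._key = shared_key
        self._pending = {}  # address -> outstanding random number R

    def begin(self, address: str):
        """Issue a fresh R and compute SR = Hash(Address, Key)."""
        r = secrets.token_bytes(32)
        self._pending[address] = r
        # As defined in the description, SR depends on Address and Key, not on R.
        return r, keyed_hash(address.encode(), self._key)

    def finish(self, address: str, cr: bytes) -> bool:
        """Accept only CR == Hash(R, Key); R is consumed whether or not it matches."""
        r = self._pending.pop(address, None)
        if r is None:
            return False  # no outstanding challenge, or it was already used
        return hmac.compare_digest(cr, keyed_hash(r, self._key))


class RegistrationClient:
    """Client side of step S205 and the CR computation."""

    def __init__(self, shared_key: bytes, address: str):
        self._key = shared_key
        self.address = address

    def respond(self, r: bytes, sr: bytes):
        """Verify SR first; return CR = Hash(R, Key), or None if SR is wrong."""
        expected = keyed_hash(self.address.encode(), self._key)
        if not hmac.compare_digest(sr, expected):
            return None
        return keyed_hash(r, self._key)


def run_handshake(server_key: bytes, client_key: bytes, address: str) -> str:
    """Run one exchange, then replay the same CR to show that R is single-use."""
    server = RegistrationServer(server_key)
    client = RegistrationClient(client_key, address)
    r, sr = server.begin(address)
    cr = client.respond(r, sr)
    if cr is None:
        return "client rejected server"
    if not server.finish(address, cr):
        return "server rejected client"
    if server.finish(address, cr):
        return "replay accepted"
    return "ok"


if __name__ == "__main__":
    key = b"constructed-demo-shared-key"   # constructed sample value
    print(run_handshake(key, key, "0xabc"))                 # matching keys
    print(run_handshake(key, b"some-other-key", "0xabc"))   # mismatched keys
```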

Separately, the scheduled status update module 324 of the identity registration server 300 periodically runs a certificate status update procedure: at the time configured in the system it connects to the public key certificate authority 200 to query the latest status of each registered certificate 501. This query and confirmation of the status of the certificate 501 is done with the Online Certificate Status Protocol (OCSP) or the certificate revocation list (CRL) provided by the public key infrastructure. When a change in the status of a registered certificate 501 is detected, the certificate status check module 322, through the blockchain interface module 323, uses the blockchain smart contract 503 to update the status information of the certificate 501 on the public blockchain 502.

Once the registration procedure completes successfully, the blockchain address is associated with the certificate, so that in later applications the parties to a transaction can verify each other's real identity. For example, the identity verification function of the blockchain smart contract 503 responds to a query request that takes a blockchain address as its parameter (from applications such as transactions or voting) by verifying the certificate 501 registered for that blockchain address.

For example, FIG. 3 is a flowchart of an application example of verifying identity and protecting privacy in a public anonymous environment according to an embodiment of the present invention. Suppose the scenario is an electronic voting system on the public blockchain 502 (that is, the blockchain application system 400). A voter, through the client device 100 and the blockchain application system 400, calls the blockchain smart contract 503 that processes ballots in order to vote. The voting blockchain smart contract 503 accepts the voting request (step S301) and then calls the identity blockchain smart contract 503 with the voter's blockchain address 103. The identity blockchain smart contract 503 uses this blockchain address 103 to look up the information for the registered certificate 501 and returns the query result (step S303). After receiving the result, the voting blockchain smart contract 503 checks the registration information of the certificate 501 (step S304): the blockchain application system 400 verifies that the issuer, expiry date, status and other information of the certificate 501 meet the voting system's identity verification requirements (for example, whether the issuer is correct, whether the expiry date of the certificate 501 has passed, and whether the status of the certificate 501 is normal and usable). Once the registration information passes verification, the voter's certificate hash message authentication code is checked to determine whether this certificate 501 has already voted (step S305), which prevents ballot stuffing from multiple addresses. The voting blockchain smart contract 503 then records the keyed-hash message authentication code (HMAC) value of the certificate 501 (step S306), registers the vote (step S307) and returns a success message, which completes the voting operation. Conversely, if the registration information fails verification or the certificate 501 has already voted, an error message is returned and the voting procedure ends (step S308).

As another example, when the blockchain application system 400 carries out financial transactions on the public blockchain 502, it can use the query service of the blockchain smart contract 503 to verify that both parties to the transaction have the real identity represented by the certificate 501, thereby meeting the financial industry's Know Your Customer (KYC) requirement to confirm customer identity. The embodiments of the invention can also provide a verification service after the two parties have exchanged certificates 501 through another channel: the hash value of the certificate 501 is supplied as input and the blockchain smart contract 503 finds the corresponding user blockchain address, so that the blockchain application system 400 can combine cryptographic techniques such as digital signatures and digital envelopes on the public blockchain 502 for more secure online transactions.

Note that the certificate 501 and the blockchain address 103 registered in the embodiments of the invention have a many-to-many relationship: one certificate can register multiple blockchain addresses, and one blockchain address can register multiple certificates from different issuing systems. The identity verification system 1 must set an upper limit on the number of addresses or certificates that can be registered against each other, and check and enforce it in the step that records the certificate registration information (step S211).

As for the design of the blockchain smart contract 503, its permission management mechanism must ensure that the functions for registering and for updating certificate status can be executed only by the contract's manager, while the query function need not be restricted. At registration, the blockchain smart contract 503 establishes the mapping between the registration information of the certificate 501 and the user's blockchain address, and the mapping between the certificate hash message authentication code and the user's blockchain address. The function of the blockchain smart contract 503 that looks up a user's blockchain address by certificate hash value, on receiving a certificate hash value as its input parameter, first computes the certificate's keyed-hash message authentication code (HMAC) from that hash value, using the same HMAC calculation as the identity registration server, and then finds the corresponding blockchain address through the index key established at registration. To keep this lookup-by-certificate-hash function from being abused to brute-force search the addresses corresponding to all certificates, which could harm the privacy of blockchain users, restrictions should be added to it, for example: the querier's address must already have passed the certificate registration procedure, and only a certain number of queries is allowed within a given period.
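The contract behaviour described above and the one-vote-per-certificate check of the voting example (steps S303 to S307), as an added example that is not code from the patent: an off-chain Python model of the two indexes, manager-only writes, the restricted reverse lookup and the per-certificate address limit. All names, the quota values and the sample data are constructed assumptions, HMAC-SHA256 stands in for the unspecified HMAC, and the model is simplified to one certificate per address.

```python
import hashlib
import hmac
from dataclasses import dataclass


@dataclass
class CertRecord:
    cert_hmac: bytes  # HMAC of the certificate hash; the certificate is not stored
    issuer: str
    expires: int      # Unix time
    status: str       # "good" or "revoked"


class IdentityRegistry:
    """Model of the identity contract's state and access rules."""

    def __init__(self, admin, hmac_key, max_addrs_per_cert=3, max_queries=2):
        self.admin, self._key = admin, hmac_key
        self.max_addrs_per_cert, self.max_queries = max_addrs_per_cert, max_queries
        self.by_address = {}    # address -> CertRecord
        self.by_hmac = {}       # certificate HMAC -> list of addresses
        self.queries_used = {}  # caller -> reverse lookups spent in this window

    def _tag(self, cert_hash):
        return hmac.new(self._key, cert_hash, hashlib.sha256).digest()

    def _require_admin(self, caller):
        if caller != self.admin:
            raise PermissionError("only the contract manager may write")

    def register(self, caller, address, cert_hash, issuer, expires):
        self._require_admin(caller)
        tag = self._tag(cert_hash)
        old = self.by_address.get(address)
        if old is not None and old.cert_hmac != tag:
            raise ValueError("address already bound to another certificate")
        addrs = self.by_hmac.setdefault(tag, [])
        if address not in addrs:
            if len(addrs) >= self.max_addrs_per_cert:
                raise ValueError("address limit for this certificate reached")
            addrs.append(address)
        self.by_address[address] = CertRecord(tag, issuer, expires, "good")

    def update_status(self, caller, cert_hash, status):
        self._require_admin(caller)
        for address in self.by_hmac.get(self._tag(cert_hash), []):
            self.by_address[address].status = status

    def lookup(self, address):
        """Unrestricted query: address -> registered certificate information."""
        return self.by_address.get(address)

    def addresses_for(self, caller, cert_hash):
        """Restricted query: certificate hash -> addresses, registered callers only."""
        if caller not in self.by_address:
            raise PermissionError("caller has no registered certificate")
        used = self.queries_used.get(caller, 0)
        if used >= self.max_queries:
            raise PermissionError("query quota exhausted")
        self.queries_used[caller] = used + 1
        return list(self.by_hmac.get(self._tag(cert_hash), []))


class Ballot:
    """Model of the voting contract: one vote per certificate, not per address."""

    def __init__(self, registry, trusted_issuer):
        self.registry, self.issuer = registry, trusted_issuer
        self.voted, self.tally = set(), {}

    def vote(self, address, choice, now):
        rec = self.registry.lookup(address)
        if (rec is None or rec.issuer != self.issuer
                or rec.expires <= now or rec.status != "good"):
            return "rejected: identity check failed"
        if rec.cert_hmac in self.voted:
            return "rejected: certificate already voted"
        self.voted.add(rec.cert_hmac)
        self.tally[choice] = self.tally.get(choice, 0) + 1
        return "ok"


def demo():
    """Constructed scenario: Alice holds two addresses, Carol's certificate is revoked."""
    reg = IdentityRegistry("0xADMIN", b"constructed-demo-key")
    certs = {n: hashlib.sha256(n.encode()).digest() for n in ("alice", "bob", "carol")}
    for addr, name in (("0xA1", "alice"), ("0xA2", "alice"),
                       ("0xB1", "bob"), ("0xC1", "carol")):
        reg.register("0xADMIN", addr, certs[name], "Demo CA", 2_000_000_000)
    reg.update_status("0xADMIN", certs["carol"], "revoked")
    ballot = Ballot(reg, "Demo CA")
    order = (("0xA1", "yes"), ("0xA2", "yes"), ("0xB1", "no"),
             ("0xC1", "no"), ("0xZZ", "no"))
    return [ballot.vote(a, c, 1_700_000_000) for a, c in order], ballot.tally
```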

Features and effects

Compared with other conventional techniques, the system and method for verifying identity and protecting privacy in a public anonymous environment provided by the embodiments of the invention have the following advantages:

Conventional techniques often apply permission control in the network architecture to build a private or consortium blockchain. This sacrifices the openness, transparency and anonymity of the blockchain, makes it harder for the system to extend its range of applications, and cannot prevent users' private and confidential information from being leaked by participants inside the chain. The embodiments of the invention, by contrast, verify real identity and protect confidentiality while maintaining the public and anonymous character of the blockchain.

Compared with techniques that use big-data analysis to infer a user's likely identity, the embodiments of the invention do not need to spend large amounts of computing resources on transaction analysis, and they can confirm the user's real identity.

The embodiments of the invention use the certificate trust architecture of public key infrastructure to verify the user's real identity, so that application systems can combine cryptographic techniques such as digital signatures and digital envelopes on the public blockchain for more secure online transactions.

Although the present invention has been disclosed above by way of embodiments, they are not intended to limit it. Anyone with ordinary knowledge in the technical field may make minor changes and refinements without departing from the spirit and scope of the invention, so the scope of protection of the invention is as defined by the appended claims.

1‧‧‧Identity verification system

100‧‧‧Client device

104‧‧‧Identity registration client module

200‧‧‧Public key certificate authority

300‧‧‧Identity registration server

321‧‧‧Identity registration server module

322‧‧‧Certificate status check module

323‧‧‧Blockchain interface module

324‧‧‧Scheduled status update module

400‧‧‧Blockchain application system

501‧‧‧Certificate

502‧‧‧Public blockchain

503‧‧‧Blockchain smart contract

504‧‧‧Internet

S201~S214, S301~S308‧‧‧Steps

FIG. 1 is a schematic diagram of the architecture of a system for verifying identity and protecting privacy in a public anonymous environment according to an embodiment of the present invention; FIG. 2 is a flowchart of a registration phase according to an embodiment of the present invention; FIG. 3 is a flowchart of an application example of verifying identity and protecting privacy in a public anonymous environment according to an embodiment of the present invention.

Claims (10)

1. A method for verifying identity and protecting privacy in a public anonymous environment using a certificate trust architecture based on public key infrastructure, applicable to a public blockchain environment, the method comprising: obtaining registration information and verifying the registration information, wherein the registration information comprises a certificate and a blockchain address, and the certificate records identity information and a public key; confirming with a public key certificate authority whether the status of the certificate is normal; and if the status of the certificate is normal, registering the registration information with a blockchain smart contract so that it is published to a public blockchain.

2. The method of claim 1, wherein after the step of registering the registration information with the blockchain smart contract so that it is published to the public blockchain, the method further comprises: when a change in the status of the certificate is detected, using the blockchain smart contract to update the status of the certificate on the public blockchain.

3. The method of claim 1, wherein after the step of registering the registration information with the blockchain smart contract so that it is published to the public blockchain, the method further comprises: the blockchain smart contract establishing a correspondence between the registration information and the blockchain address; and in response to a query request made with the blockchain address, verifying the certificate registered for the blockchain address.

4. The method of claim 1, wherein after the step of registering the registration information with the blockchain smart contract so that it is published to the public blockchain, the method further comprises: the blockchain smart contract establishing a correspondence between the keyed-hash message authentication code of the registered certificate and the blockchain address; and in response to a query request made with the hash value of the certificate, verifying the blockchain address registered for the certificate.

5. The method of claim 1, wherein after the step of registering the registration information with the blockchain smart contract so that it is published to the public blockchain, the method further comprises: checking whether the certificate-related information registered for the blockchain address meets an identity verification requirement, the requirement concerning the issuer, the expiry date and the certificate status of the certificate; if the requirement is met, continuing the transaction or service flow; and if the requirement is not met, returning an error message.

6. A system for verifying identity and protecting privacy in a public anonymous environment using a certificate trust architecture based on public key infrastructure, applicable to verifying identity in a public blockchain environment, the system comprising: a client device that sends registration information, wherein the registration information comprises a certificate and a blockchain address, and the certificate records identity information and a public key; a public key certificate authority used to check the certificate; a blockchain smart contract; and an identity registration server that verifies the registration information and verifies, through status information provided by the public key certificate authority, whether the status of the certificate is normal, and if the status of the certificate is normal, registers the registration information with the blockchain smart contract so that it is published to a public blockchain.

7. The system of claim 6, wherein the identity registration server periodically checks, through a scheduled status update module, the status information provided by the public key certificate authority, and when a change in the status of the registered certificate is detected, uses the blockchain smart contract to update the status of the certificate on the public blockchain.

8. The system of claim 6, wherein the blockchain smart contract establishes a correspondence between the registration information and the blockchain address, and in response to a query request made with the blockchain address, verifies the certificate registered for the blockchain address.

9. The system of claim 6, wherein the blockchain smart contract establishes a correspondence between the keyed-hash message authentication code of the registered certificate and the blockchain address, and in response to a query request made with the hash value of the certificate, verifies the blockchain address registered for the certificate.

10. The system of claim 6, further comprising: a blockchain application system that checks whether the certificate-related information registered for the blockchain address meets an identity verification requirement, the requirement concerning the issuer, the expiry date and the certificate status of the certificate; if the requirement is met, the transaction or service flow continues; if the requirement is not met, an error message is returned.
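The registration, status update, lookups and application-side check recited in the claims above can be modelled as follows. This is an added sketch, not code from the patent: `RegistryModel` is a hypothetical in-memory stand-in for the smart contract, the certificate authority's answer is passed in as `ca_status`, and HMAC-SHA256 with a caller-supplied key is an assumed choice for the keyed-hash tag.

```python
import hashlib
import hmac
from dataclasses import dataclass
from datetime import date

@dataclass
class Registration:
    address: str     # blockchain address
    issuer: str      # certificate issuer
    not_after: date  # certificate expiry date
    status: str      # certificate status as last reported by the CA
    tag: str         # keyed-hash MAC of the certificate

def cert_tag(cert_der: bytes, key: bytes) -> str:
    return hmac.new(key, cert_der, hashlib.sha256).hexdigest()  # assumed MAC choice

class RegistryModel:  # hypothetical in-memory stand-in for the smart contract
    def __init__(self):
        self.by_address, self.by_tag = {}, {}
    def register(self, reg: Registration) -> None:
        self.by_address[reg.address] = reg
        self.by_tag[reg.tag] = reg.address
    def update_status(self, address: str, status: str) -> None:
        self.by_address[address].status = status

def enroll(registry, cert_der, address, issuer, not_after, ca_status, key):
    """Registration server: publish only when the CA reports 'normal'."""
    if ca_status != "normal":
        return False
    tag = cert_tag(cert_der, key)
    registry.register(Registration(address, issuer, not_after, ca_status, tag))
    return True

def check_address(registry, address, trusted_issuers, today):
    """Application-side check of issuer, expiry date and status."""
    reg = registry.by_address.get(address)
    if reg is None:
        return "error: address not registered"
    if reg.issuer not in trusted_issuers:
        return "error: untrusted issuer"
    if today > reg.not_after:
        return "error: certificate expired"
    if reg.status != "normal":
        return "error: certificate status is " + reg.status
    return "ok"

def address_for_cert(registry, cert_der, key):
    """Lookup by certificate: recompute the tag and map it to an address."""
    return registry.by_tag.get(cert_tag(cert_der, key))
```

Because the application reads `status` from the registry at check time, a revocation pushed through `update_status` takes effect on the next check without re-registering the address.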

Priority Applications (1)

Application Number Priority Date Filing Date Title
TW106123596A TWI661331B (en) 2017-07-14 2017-07-14 System and method for identity verification and privacy protection in public blockchain

Publications (2)

Publication Number Publication Date
TW201909013A TW201909013A (en) 2019-03-01
TWI661331B true TWI661331B (en) 2019-06-01

Family

ID=66590047

Country Status (1)

Country Link
TW (1) TWI661331B (en)
