WO2021114872A1 - Verifiable claim-based service processing method, apparatus, and device - Google Patents

Verifiable claim-based service processing method, apparatus, and device Download PDF

Info

Publication number
WO2021114872A1
WO2021114872A1 PCT/CN2020/121874 CN2020121874W WO2021114872A1 WO 2021114872 A1 WO2021114872 A1 WO 2021114872A1 CN 2020121874 W CN2020121874 W CN 2020121874W WO 2021114872 A1 WO2021114872 A1 WO 2021114872A1
Authority
WO
WIPO (PCT)
Prior art keywords
statement
business
verifiable
verifiable statement
field
Prior art date
Application number
PCT/CN2020/121874
Other languages
French (fr)
Chinese (zh)
Inventor
杨仁慧
刘佳伟
孙善禄
Original Assignee
支付宝(杭州)信息技术有限公司
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by 支付宝(杭州)信息技术有限公司 filed Critical 支付宝(杭州)信息技术有限公司
Publication of WO2021114872A1 publication Critical patent/WO2021114872A1/en

Links

Images

Classifications

    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60Protecting data
    • G06F21/602Providing cryptographic facilities or services
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60Protecting data
    • G06F21/62Protecting access to data via a platform, e.g. using keys or access control rules
    • G06F21/6218Protecting access to data via a platform, e.g. using keys or access control rules to a system of files or objects, e.g. local or distributed file system or database
    • G06F21/6227Protecting access to data via a platform, e.g. using keys or access control rules to a system of files or objects, e.g. local or distributed file system or database where protection concerns the structure of data, e.g. records, types, queries
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60Protecting data
    • G06F21/62Protecting access to data via a platform, e.g. using keys or access control rules
    • G06F21/6218Protecting access to data via a platform, e.g. using keys or access control rules to a system of files or objects, e.g. local or distributed file system or database
    • G06F21/6245Protecting personal data, e.g. for financial or medical purposes
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60Protecting data
    • G06F21/64Protecting data integrity, e.g. using checksums, certificates or signatures

Definitions

  • This specification relates to the field of computer technology, and in particular to a business processing method, device and equipment based on verifiable claims.
  • the unique identity verification method of digital identity can be used, but under this identity verification method, it can only be carried out in the same scene or specified scene, and consensus and mutual recognition are often not possible in different scenes. This is the application and management of identity verification. All have brought great inconvenience. Therefore, it is necessary to provide a technical solution that can effectively ensure that user information is stored safely, users can manage their user information, and can controllably present user information to relevant third parties.
  • the purpose of the embodiments of this specification is to provide a business processing method, device, and equipment based on verifiable claims, so as to provide a method that can effectively guarantee that user information is stored safely, that users can manage their user information, and that user information can be controlled.
  • the embodiment of this specification provides a business processing method based on a verifiable statement, the method includes: receiving a business processing request of a target business, wherein the target business is processed based on the verifiable statement, and the business processing request includes The verifiable statement processed by the first data processing rule; in the verifiable statement processed by the first data processing rule, the field value of the statement field required by the target business is plain text, and at least one of the remaining statement fields The field value of the declared field is the ciphertext encrypted based on the specified hash algorithm. The validity of the verifiable statement is verified. If the verification result is valid, the business processing corresponding to the target business is executed based on the field value of the statement field required by the target business in the verifiable statement.
  • the embodiment of this specification provides a business processing method based on a verifiable statement, the method includes: determining the target statement field required by the target business according to the target business to be processed of the user holding the verifiable statement;
  • the target statement field is at least one statement field in the verifiable statement.
  • the first data processing rule includes: keeping the field value of the target statement field as plain text, and removing the target statement from the verifiable statement
  • the field value of at least one of the declaration fields other than the field is encrypted, and the encryption processing is an encryption processing based on a specified hash algorithm. Based on the verifiable statement after data processing, the business processing corresponding to the target business is performed.
  • the embodiment of this specification provides a service processing device based on a verifiable statement.
  • the device includes a request receiving module that receives a service processing request of a target service.
  • the target service is processed based on the verifiable claim.
  • the processing request includes the verifiable statement processed by the first data processing rule; in the verifiable statement processed by the first data processing rule, the value of the statement field required by the target business is plain text, and the remaining statement fields
  • the field value of at least one declaration field in the ciphertext is encrypted based on a specified hash algorithm.
  • the verification module verifies the validity of the verifiable statement.
  • the business processing module if the verification result is valid, execute the business processing corresponding to the target business based on the field value of the statement field required by the target business in the verifiable statement.
  • the embodiment of this specification provides a business processing device based on a verifiable statement
  • the device includes: a field determination module, which determines the target required by the target business according to the target business to be processed of the user holding the verifiable statement Statement field; the target statement field is at least one statement field in the verifiable statement.
  • the data processing module performs data processing on the verifiable statement based on the first data processing rule; the first data processing rule includes: keeping the field value of the target statement field as plain text, and excluding the verifiable statement
  • the field value of at least one of the declaration fields other than the target declaration field is encrypted, and the encryption processing is an encryption processing based on a specified hash algorithm.
  • the business processing module performs business processing corresponding to the target business based on the verifiable statement after data processing.
  • An embodiment of this specification provides a business processing device based on a verifiable statement.
  • the business processing device based on a verifiable statement includes: a processor; and a memory arranged to store computer-executable instructions, where the executable instructions are When executed, the processor is caused to receive a service processing request of a target service, wherein the target service is processed based on a verifiable statement, and the service processing request includes the verifiable statement processed by the first data processing rule;
  • the field value of the statement field required by the target business is plain text, and the field value of at least one of the remaining statement fields is encrypted based on a specified hash algorithm The processed ciphertext.
  • the validity of the verifiable statement is verified. If the verification result is valid, the business processing corresponding to the target business is executed based on the field value of the statement field required by the target business in the verifiable statement.
  • An embodiment of this specification provides a business processing device based on a verifiable statement.
  • the business processing device based on a verifiable statement includes: a processor; and a memory arranged to store computer-executable instructions, where the executable instructions are When executed, the processor is caused to: determine the target statement field required by the target business according to the target business to be processed of the user holding the verifiable statement; the target statement field is at least one of the verifiable claims A declaration field.
  • the first data processing rule includes: keeping the field value of the target statement field as plain text, and removing the target statement from the verifiable statement
  • the field value of at least one of the declaration fields other than the field is encrypted, and the encryption processing is an encryption processing based on a specified hash algorithm.
  • the business processing corresponding to the target business is performed.
  • Figure 1 is an embodiment of a business processing method based on verifiable claims in this specification
  • Figure 2 is another embodiment of the business processing method based on verifiable claims in this specification
  • Figure 3 is another embodiment of a business processing method based on verifiable claims in this specification.
  • Figure 4 is an embodiment of a business processing device based on verifiable claims in this specification
  • Figure 5 is another embodiment of a business processing device based on verifiable claims in this specification.
  • Figure 6 is an embodiment of a business processing device based on verifiable claims in this specification.
  • Figure 7 is another embodiment of a business processing device based on verifiable claims in this specification.
  • the embodiments of this specification provide a business processing method, device and equipment based on verifiable claims.
  • the embodiment of this specification provides a business processing method based on verifiable claims.
  • the execution subject of the method can be a server, where the server can be an independent server or can be composed of multiple servers. Server clusters, etc.
  • the server may be a server on the side of the claiming user or a server of an agent that performs encryption processing for the claim of the claiming user.
  • the method may specifically include steps S102 to S106.
  • step S102 according to the target business to be processed of the user holding the verifiable claim, a target statement field required by the target business is determined, where the target statement field is at least one statement field in the verifiable statement.
  • a verifiable statement can be a kind of normative information used to describe certain attributes of entities such as individuals, organizations, etc.
  • a verifiable statement can realize evidence-based trust, and a verifiable statement can prove to other entities that the current Information about certain attributes of the entity is credible.
  • the target business needs can be the business needs of the target business, etc.
  • the business needs can be the requirements needed to perform a certain business.
  • the business needs can be a bachelor's degree or above, or an age of 18 or older. Different businesses can have different business requirements, which can be set according to actual conditions.
  • the target declaration field can be one or more declaration fields contained in the verifiable declaration.
  • the verifiable declaration contains declaration fields such as name, ID number, date of birth, and academic information.
  • the target declaration field can be any of the above declaration fields.
  • a declaration field such as the declaration field of the date of birth, etc.
  • the target declaration field may also be multiple declaration fields of the above declaration fields, such as two declaration fields of the date of birth and education information.
  • the unique identity verification method of digital identity can be used, but under this identity verification method, it can only be carried out in the same scene or specified scene, and consensus and mutual recognition are often not possible in different scenes. This is the application and management of identity verification. All have brought great inconvenience. Therefore, it is necessary to provide a technical solution that can effectively ensure that user information is stored safely, users can manage their user information, and can controllably present user information to relevant third parties.
  • the embodiment of this specification provides a feasible technical solution, which may specifically include the following content:
  • the verifiable statement may include Information related to the properties of the.
  • the business processor or business provider
  • the business processor can set the processing mechanism of the aforementioned business according to the actual needs of the one or more businesses, that is, the business processor can set a verifiable basis
  • a statement performs business processing.
  • the business processing requester (which can be a user requesting a certain business service) can send a business processing request to the business processing party.
  • the business processing requester can include multiple types, such as a user who holds a verifiable statement. , It can also be a claim holder or an agent that encrypts the verifiable claim of the claim holder, etc.
  • the business processing requester is an example of a user.
  • the user who can verify the claim can start the corresponding application through the terminal device.
  • the relevant information of different services can be set.
  • the terminal device can obtain the relevant information of the service (such as the identification of the service, etc.) and send it to the server.
  • the server can according to the relevant information of the service.
  • the information determines the target business and the business requirements of the target business, etc.
  • Different services can have different business requirements, and different business requirements may correspond to different attribute information (that is, corresponding to different declaration fields), and different services (or business requirements) and declaration fields can be preset in the server
  • the server can search for the declaration field corresponding to the target business from the above correspondence, and can determine the found declaration field as the target declaration field required to execute the target business.
  • the relevant information about the target business performed by the user can be input into a predetermined model (such as a classification model, etc.) for analysis to output the corresponding result (ie target statement field).
  • the target business that the user needs to perform needs to meet If you have a bachelor’s degree or above, you can determine that the target declaration field corresponding to the above target business is an academic information field based on a predetermined classification model.
  • the business requirements that the user needs to perform the target business need to meet include a bachelor’s degree or above , And the age is over 18 years old, based on the predetermined classification model, it is determined that the target declaration fields required by the above target business are two declaration fields such as academic information and date of birth.
  • step S104 data processing is performed on the verifiable statement based on the first data processing rule.
  • the first rule includes: keeping the field value of the target statement field as plain text, and checking the statement fields other than the target statement field in the verifiable statement.
  • Encryption processing is performed on the field value of at least one of the declared fields, and the encryption processing is an encryption processing based on a specified hash algorithm.
  • the verifiable statement can include the statement field and the corresponding field value.
  • the statement field can be information indicating the common characteristics of the corresponding field value, such as name, date of birth, education information, etc., and the field value can be corresponding to the statement field
  • the specified hash algorithm can be any hash algorithm, such as SHA-1 algorithm, SHA-224 algorithm, SHA-256 algorithm, etc.
  • the specific hash algorithm to be used as the specified hash algorithm can be set according to the actual situation The embodiments of this specification do not limit this.
  • different business requirements may correspond to different declaration fields.
  • other declaration fields except the target declaration field corresponding to the business requirement are not necessary in the business processing process corresponding to the business requirement.
  • the verifiable statement contains all the statement fields and their field values, which will cause the field values of some statement fields to be leaked.
  • the verifiable statement Processing rules that is, the first data processing rules
  • the specified field values in the verifiable statement can be encrypted, and some field values can be kept in plaintext, etc., specifically, according to user needs
  • the target business executed determines the target declaration field required to execute the target business
  • the field value of the target declaration field needs to be used in the business processing corresponding to the target business
  • the field value of the target declaration field in the verifiable declaration can be maintained
  • the plain text does not change, and at the same time, other declaration fields except the target declaration field in the verifiable declaration can be obtained, and the field value of at least one of the other declaration fields can be encrypted through a specified hash algorithm.
  • the verifiable statement processed based on the first data processing rule may be stored in the server for subsequent execution of the business processing of the target business.
  • the specified hash algorithm used for the field values of multiple different declaration fields should be the same A kind of hashing algorithm, for example, use the SHA-256 algorithm to encrypt the field value of each of the above declaration fields or use MD5 (Message-Digest Algorithm 5, the fifth message digest algorithm) to perform the field value of each of the above declaration fields Encryption processing, etc.
  • MD5 Message-Digest Algorithm 5, the fifth message digest algorithm
  • step S106 the business processing corresponding to the target business is performed based on the verifiable statement after the data processing.
  • a verifiable statement based on data processing can be implemented in a variety of ways to perform business processing corresponding to the target business.
  • the server on the side of the statement holding the user directly sends the target business to the server of the business processor
  • the service processing request which triggers the service processing party’s server to perform business processing on the target service according to the service processing request, or (declaring that it holds the user’s side) the server receives the request from the user to the service processing party’s server
  • the notification message or prompt information can be sent to the user whose statement can be verified, and the user can send the service processing request of the target service to the server of the service processor through the terminal device.
  • the corresponding verifiable statement after data processing and the service processing request can be sent to the server of the service processor to trigger the server of the service processor to perform service processing on the target service according to the service processing request.
  • the specific method by which the business processing corresponding to the target business needs to be performed can be set according to the actual situation, which is not limited in the embodiment of this specification.
  • the embodiment of this specification provides a business processing method based on a verifiable statement.
  • data processing is performed on the verifiable statement, that is, the field of the statement field required by the target business
  • the value is plain text
  • the field value of at least one of the remaining claim fields is the cipher text that has been encrypted based on the specified hash algorithm, and then the validity of the verifiable claim is verified, and when the verification result is valid, based on the target
  • the field value of the statement field required by the business executes the business processing corresponding to the target business, so that by verifying the validity of the verifiable statement, and then using the field value in the verifiable statement, the safe storage of user information is effectively guaranteed.
  • the embodiment of this specification provides a business processing method based on verifiable claims.
  • the execution subject of the method can be a server, where the server can be an independent server or can be composed of multiple servers. Server clusters, etc.
  • the server may be a server of a party that processes one or more services based on a verifiable statement.
  • the method may specifically include steps S202 to S206.
  • step S202 a business processing request of the target business is received, wherein the target business is processed based on a verifiable statement, and the business processing request includes the verifiable statement processed by the first data processing rule; the business processing request processed by the first data processing rule In the verifiable statement, the field value of the statement field required by the target business is plain text, and the field value of at least one statement field in the remaining statement fields is cipher text that has been encrypted based on a specified hash algorithm.
  • the service processing request may be a message requesting the execution of a certain service processing.
  • the service processing request may also include the identifier of the service (such as the service name or code, etc.) and the identifier of the service processing requester (such as the account of the service processing requester). , Name or IMSI code, IP address, MAC address, communication number, etc. of the terminal equipment used by the requesting party for service processing.
  • the business can be any business, and the specific business can be set according to the actual situation.
  • the target business may be the target business required to be performed by the holder user that can be verified and declared in the first embodiment. As described in the first embodiment above, in the process of encrypting the field values of multiple statement fields in the remaining statement fields through a specified hash algorithm, the specified hash algorithm used for the field values of multiple different statement fields should be It is the same hash algorithm.
  • the service processing requester can start the corresponding application program through the terminal device.
  • the application program can be set up with different service processing trigger mechanisms.
  • the terminal device can obtain information such as business Identification, business processing requester identification and other relevant information, and obtain the verifiable statement required to perform the business processing corresponding to the target business, where the obtained verifiable statement may be the verifiable statement that has been processed by the first data processing rule , That is, the field value of the statement field required by the target business in the verifiable statement is plain text, and the field value of at least one of the other statement fields is cipher text that has been encrypted based on the specified hash algorithm.
  • the service processing request can be generated from the acquired information, and the terminal device can send the service processing request to the server, so that the server can receive the service processing request.
  • the requirements in the process of business processing may be different.
  • the required declaration fields and field values will also be different.
  • the insurance business a certain insurance is only for the specified work
  • the user’s "work location" declaration field is required; for another example, in the information recommendation business, a piece of information to be recommended It is necessary to recommend to users with a bachelor’s degree and a bachelor’s degree or above.
  • the user’s "Educational Information" statement field value is required.
  • the field values of the aforementioned declaration fields can be encrypted, and the field values of the aforementioned declaration fields required by the target business need to be kept in plain text for subsequent business processing.
  • step S204 the validity of the verifiable statement is verified.
  • the server after the server receives a business processing request based on a verifiable statement, it can first verify the verifiable statement to determine whether the verifiable statement is valid, and if it is determined that the verifiable statement is valid, then based on the verifiable statement Perform business processing to further ensure the security of business processing. Specifically, after the server receives the business processing request, it can extract the verifiable statement processed by the first data processing rule contained therein from the business processing request, and then can perform the verification of the verifiable statement processed by the first data processing rule. authenticating. Among them, the verification of the verifiable statement can include multiple methods.
  • the encryption method used for the ciphertext in the verifiable statement or the related information of the specified hash algorithm can be obtained, and then the obtained encryption method or specified hash can be obtained.
  • the field value of the plaintext included in the verifiable statement is encrypted, so that the field value of the statement field included in the verifiable statement can be made ciphertext.
  • the calculation is performed through a predetermined algorithm to obtain the final calculation result.
  • the verifiable statement also includes the benchmark value of the above calculation results. The calculated result can be compared with the benchmark value in the verifiable statement. If the two are the same, the verification is passed and the statement is valid. If the two are not the same , The verification fails and the verification statement is invalid.
  • the verifiable statement may include the verification value of the verifiable statement processed by the first data, and the server obtains the verifiable statement processed by the first data processing rule. After verifying the statement, the verification value of the verifiable statement can be determined by a predetermined verification algorithm, and then the calculated verification value can be compared with the verification value in the verifiable statement. If the two are the same, the verification is passed , You can verify that the statement is valid, if the two are not the same, the verification fails, you can verify that the statement is invalid, etc.
  • the method of verifying the validity of the verifiable statement not only includes the above two methods, but also includes other multiple achievable methods, which can be specifically set according to the actual situation. The embodiment of this specification does not include this. Make a limit.
  • step S206 if the verification result is valid, the business processing corresponding to the business processing request is executed based on the field value of the statement field corresponding to the business requirement in the verifiable statement.
  • the business processing process corresponding to the target business only the target business location in the verifiable statement needs to be used.
  • the field value of the required statement field, and the field value is plain text, therefore, the business processing corresponding to the above business processing request can be performed directly based on the field value of the statement field required by the target business in the verifiable statement.
  • the business requirement corresponding to the information to be recommended is to recommend to users with a bachelor’s degree or above. You can verify that the declared field required for the information recommendation business in the statement is academic information. If the corresponding field value is For undergraduates, based on the field value, it can be determined that the service processing corresponding to the above information recommendation service can be performed. At this time, the server can send the information to be recommended to the user, etc.
  • the embodiment of this specification provides a business processing method based on a verifiable statement.
  • the target business to be processed by the user determines the required target statement field, keeps the field value of the target statement field as plain text, and removes the target statement from the verifiable statement.
  • the field value of at least one of the declared fields other than the field is encrypted, so that in the user’s verifiable information, the declaration field that is not required to be used in the target business is encrypted to prevent the declaration field outside the target declaration field from being encrypted.
  • the field value is leaked, which can effectively ensure that user information is stored safely, and users can manage their user information (that is, information that can be encrypted), and can control and show user information to relevant third parties without worrying Some data leaks.
  • the embodiment of this specification provides a business processing method based on verifiable claims.
  • the execution subject of the method can be a first server and a second server, where the first server can be a claim holder or a
  • the first server may be an independent server, or a server cluster composed of multiple servers.
  • the second server may also be an independent server, or a server cluster composed of multiple servers.
  • the method may specifically include steps S302 to S314.
  • step S302 the first server determines the target statement field required by the target business according to the target business to be processed of the user holding the verifiable statement, and the target statement field is at least one statement field in the verifiable statement.
  • the verifiable statement of the user can be as follows before data processing:
  • the declaration fields can be the above-mentioned "name”, “ID number”, “gender”, “date of birth”, “telephone number”, “educational background”, etc.
  • the target declaration field required by the target business can be the above declaration field One or more of.
  • step S304 the first server performs data processing on the verifiable statement based on the first data processing rule;
  • the first data processing rule includes: keeping the field value of the target statement field as plain text, and for the verifiable statement except for the target statement field
  • the field value of at least one of the other declaration fields of is subjected to encryption processing, and the encryption processing is an encryption processing based on a specified hash algorithm.
  • the verifiable statement obtained after data processing of the verifiable statement based on the first data processing rule may be as follows:
  • the target statement fields required by the target business are located in the "Education Information” item, which includes the statement fields of "Education”, “Graduation College” and “Professional”, among which "Item1"
  • the field value corresponding to the declaration field of "Item2” and “Item3” corresponds to the field value of the ciphertext (that is, the hash value), and the field value corresponding to the declaration field in "Item2” and “Item3” is also the ciphertext (that is, the hash value), where “Item1" is the above step
  • the "Basic Information” item in the example of S3022 is the corresponding items such as “Education”, “Graduation College”, “Major”, and “Date of Graduation” in the example of step S302 above, and “Item3” is the above
  • the verifiable statement of the user or the verifiable statement processed by the first data processing rule can be stored in the blockchain to ensure the accuracy of the verifiable statement.
  • the specified hash algorithm is the same as the algorithm used in the hash processing in the specified block chain, and the specified block chain stores the hash value of the verifiable claim.
  • the algorithm used in the hash processing in the specified blockchain should be the same as the specified hash algorithm.
  • the column algorithm is the same.
  • the business processor can perform corresponding business processing based on the verifiable statement of the user, which can be specifically See the processing of step S306 to step S314 below.
  • step S306 the first server sends a service processing request of the target service to the second server (that is, the server of the service processor of the target service), and the service processing request includes a verifiable statement after data processing; so that the second server Perform business processing on the target business based on the verifiable statement after data processing.
  • the second server that is, the server of the service processor of the target service
  • the corresponding user can be notified to prepare a verifiable statement.
  • the user can send the target service that the user needs to perform to the first server through the terminal device.
  • the server may execute the processing of step S302 and step S304 above to process the verifiable statement to obtain a verifiable statement processed based on the first data processing rule.
  • the processed verifiable claims may be different for different business requirements.
  • the first server may store verifiable claims of the same original content of the same user after being processed by different data processing rules.
  • the first server can obtain the verifiable statement and other information after the data processing to generate the business processing request of the target business , And send the service processing request to the second server, and the second server can receive the service processing request of the target service based on the verifiable statement.
  • the service processing request of the target service can be triggered in a variety of ways. In addition to the above-mentioned methods, it can also be implemented in the following ways, which can specifically include the following content: the first server receives the indication information of the service processor; the indication information It is used to instruct the holder of the verifiable claim to send the service processing request of the target service to the service processor.
  • the first server may receive the instruction information of the service processor (second server) to instruct the holder of the verifiable claim to send the service processing request of the target service to the service processor (second server).
  • the user can obtain the above verifiable statement from the first server through the terminal device, and can generate the service processing request of the target service based on the terminal device.
  • the terminal device sends the service processing request of the target service to the second server, or the first server sends the The instruction information and the above verifiable statement are sent to the user's terminal device, and the user's terminal device can generate a service processing request for the target service, and send the service processing request to the second server.
  • the second server may first verify the validity of the verifiable statement in the service processing request to ensure the security of the service processing. For details, refer to the processing of the following steps S308 to S312.
  • step S308 the second server encrypts the field value of the plaintext contained in the verifiable statement based on the specified hash algorithm.
  • the verifiable statement contains plaintext and ciphertext
  • the ciphertext is encrypted by a specified hash algorithm
  • the verifiable statement can be verified in the manner of, specifically, the ciphertext in the verifiable statement can be kept unchanged, and the plain text in the verifiable statement can be processed, that is, the display of each statement field in the verifiable statement can be displayed as plain text
  • the field value of is encrypted.
  • the encryption processing and the above-mentioned encryption algorithm used in the process of processing the verifiable statement based on the first data processing rule should be Same, that is, the encryption algorithm is a designated hash algorithm.
  • the second server can encrypt the field values of the plaintext contained in the verifiable statement based on the specified hash algorithm, so that all the field values in the verifiable statement have been adjusted to ciphertext.
  • the specific processing of the above step S308 can be various. In addition to the above processing methods, it can also include other methods.
  • the following provides an optional processing method, that is, in practical applications, the statement can be verified It is impossible to determine whether the field value in is plaintext or ciphertext. In this case, the following steps A2 to A6 can be included.
  • Step A2 The second server obtains the field value of the statement field contained in the verifiable statement.
  • the second server can analyze the content of the verifiable statement to determine the statement fields contained in the verifiable statement, where the determined statement field can be all the statement fields contained in the verifiable statement, or it can be a verifiable statement.
  • Some specified declaration fields in the verification statement such as the declaration fields related to user information in the verification statement (such as name, date of birth, ID card number, and other declaration fields), etc.
  • all the statement fields in the verifiable statement can be taken as an example for description.
  • Step A4 If the above field value includes a field value that meets a predetermined composition rule, the second server obtains the statement index information corresponding to the verifiable statement, and the statement index information records that the field value is plain text or the field value is cipher text.
  • the predetermined composition rule may be a ciphertext composition rule obtained by encrypting the original field value based on a specified hash algorithm, etc.
  • the predetermined composition rule may be determined according to actual conditions, which is not limited in the embodiment of this specification.
  • the declared index information can be information used to record the value of a certain field in plaintext or ciphertext.
  • the declared index information can have multiple presentation forms. For example, the declared index information can be presented in the form of a Claim index field, and it can pass "0" or The "1" mode records whether each field value is plaintext or ciphertext, or the field value of the ciphertext can also be recorded by marking "hash" (as the example in step S304 above), and the remaining field values are plaintext.
  • the verifiable statement it may not be able to accurately distinguish which field value is plain text and which field value is cipher text.
  • a user’s ID number is a string of numbers, and the user’s ID number is encrypted. After it is still a string of numbers, it may not be possible to determine whether the ID number is ciphertext or plaintext. For this reason, the first server can generate the statement index information corresponding to the verifiable statement while generating the verifiable statement.
  • the second server After the second server obtains the field value of the statement field contained in the verifiable statement, it can analyze each field value to determine whether each field value meets the predetermined composition rule, and if one or more of the field values meet the predetermined In order to determine which fields are in plaintext and which fields are in ciphertext, so that the corresponding field values can be processed later, the verifiable statement can be obtained from the first server. Verify the statement index information corresponding to the statement. The information recorded in the statement index information can determine which fields in the verifiable statement are in plaintext and which fields are in ciphertext.
  • Step A6 The second server encrypts the field value of the plain text contained in the verifiable statement based on the specified hash algorithm according to the statement index information.
  • the field values of the plain text can be found from the verifiable declaration, and
  • the field value of the plaintext contained in the verifiable statement is encrypted based on the specified hash algorithm to obtain the ciphertext of the field value.
  • the specified hash algorithm can be the MD5 algorithm, and the MD5 algorithm can be used to calculate the field value of each plaintext separately to obtain the MD5 value corresponding to each field value.
  • the column algorithm ie, the MD5 algorithm
  • the field value of the ciphertext contained in the verifiable statement is also the corresponding MD5 value. In this way, the field value of the statement field contained in the verifiable statement is all the MD5 value.
  • step S310 the second server determines the Merkel root corresponding to the ciphertext in the verifiable statement based on the ciphertext in the verifiable statement.
  • the Kerr tree method verifies the validity of the verifiable statement.
  • the Merkle tree ie Merkle tree
  • the construction of a complete Merkle tree requires recursively The node pairs are hashed, and the newly generated hash node is inserted into the Merkle tree until there is only one node left (this node is the root node of the Merkle tree).
  • the value corresponding to the root node of the Merkle tree is calculated, and the value corresponding to the root node can be regarded as the Merkle root.
  • the field values of the statement fields included in the statement are all MD5 values
  • the corresponding Merkel tree can be constructed from the above MD5 values to obtain a Merkel tree composed of MD5 values.
  • the Merkel tree will contain a root node, and the MD5 value of the root node can be calculated based on the above MD5 value, and the obtained MD5 value of the root node can be used as the Merkel root corresponding to the ciphertext in the verifiable statement.
  • step S310 can be various. In addition to the above methods, it can also be implemented in other ways.
  • the following provides an optional processing method, but it does not specifically include the following steps B2 to B6. .
  • step B2 the second server constructs a binary tree based on the cipher text corresponding to the declared fields contained in the verifiable statement according to the order of the declared fields in the verifiable statement.
  • the binary tree may have a tree structure in which each node has at most two subtrees.
  • the second server can determine the order in which the various statement fields in the verifiable statement appear in the verifiable statement. For example, the verifiable statement records from front to back: "Name”: “Zhang San”, “Gender”: “Male”, “Date of birth”: "19880102", the order in which the statement fields in the verifiable statement appear in the verifiable statement is: name-gender-date of birth, or it can be the statement in the verifiable statement. The order of the fields from back to front, etc., in practical applications, may also be in other order, which is not limited in the embodiment of this specification.
  • the second server can obtain the order of the declared fields in the verifiable statement.
  • the second server can construct a binary tree based on the ciphertext corresponding to the declared fields contained in the verifiable statement according to the order of the declared fields in the verifiable statement. .
  • a node can be constructed based on the ciphertext corresponding to the name, and a node can be constructed based on the ciphertext corresponding to the gender, and then a new node can be generated through the above two nodes.
  • a node can be constructed based on the ciphertext corresponding to the date of birth, and then a second new node can be generated by constructing a node based on the ciphertext corresponding to the date of birth and the new node generated to form a complete binary tree.
  • Step B4 The second server determines the check value of the root node in the above binary tree according to the Merkel algorithm.
  • a binary tree can be constructed by the method in step B2 above.
  • the binary tree includes multiple nodes (including leaf nodes and root nodes, etc.).
  • the nodes in the binary tree can be calculated step by step according to the Merkel algorithm to obtain each
  • the check value of each node is used to obtain the check value of the root node in the binary tree.
  • the ciphertext corresponding to the name and the ciphertext corresponding to the gender can be combined into a piece of information, and the hash value of the piece of information can be calculated by a specified hash algorithm, and then the calculated hash value corresponding to the date of birth
  • the ciphertext is combined into a piece of information, and the hash value of the piece of information is calculated through the specified hash algorithm again, and the finally calculated hash value can be used as the check value of the root node in the binary tree.
  • Step B6 The second server determines the check value of the root node in the above binary tree as the Merkel root corresponding to the ciphertext in the verifiable statement.
  • step S312 the second server verifies the validity of the verifiable statement based on the verification information in the above-mentioned Merkel root and verifiable statement.
  • the verification information in the verifiable statement can include the Merkel root corresponding to the cipher text in the verifiable statement.
  • the calculated Merkel root can be combined with the verification information in the verifiable statement. Merkel root makes a comparison. If the two are the same, it indicates that the verifiable claim is valid. If the two are different, it indicates that the verifiable claim is invalid. At this time, the same notification message can be sent to the business processing requester.
  • step S312 can be processed in a variety of ways. In addition to the above-mentioned methods, it can also be implemented in many other ways.
  • the following provides an optional processing method, which can specifically include the following steps C2 to C6 Processing.
  • Step C2 The second server obtains the verification information in the verifiable statement and the key corresponding to the verifiable statement.
  • the verification information in the verifiable statement may be the signature information obtained after signing the Merkel root corresponding to the ciphertext in the verifiable statement, where the Merkel root corresponding to the ciphertext in the verifiable statement
  • the signature processing can be a process of using a key to encrypt the Merkel root corresponding to the ciphertext in the verifiable statement.
  • the Merkel root corresponding to the ciphertext in the verifiable statement is signed and processed. It may be processed in other ways, which is not limited in the embodiment of this specification.
  • the process of encrypting the Merkel root corresponding to the ciphertext in the verifiable statement using a key is taken as an example for description.
  • the key can be the public key of the provider of the verifiable claim, etc.
  • the second server can find the verification information from the verifiable statement, and can extract the verifiable information therefrom.
  • the key (such as a public key, etc.) of the verifiable claim can also be obtained from the provider of the verifiable claim.
  • the signature information can be obtained by the provider of the verifiable claim through the private key of the encryption process, and the Merkel root corresponding to the signature information can be obtained through the public key of the provider of the verifiable claim.
  • Step C4 The second server verifies the verification information in the verifiable statement based on the key to obtain the reference Merkel root corresponding to the verification information in the verifiable statement.
  • the key corresponding to the verifiable statement (such as the public key of the provider of the verifiable statement) can be used to verify the verification information in the verifiable statement (that is, the process of verifying the signature information), if the verification is successful , You can get the benchmark Merkel root corresponding to the verification information in the verifiable statement. If the verification fails, it indicates that the verifiable statement may be at risk.
  • Step C6 The second server determines that the verifiable statement is valid if the aforementioned Merkel root matches the reference Merkel root.
  • An optional processing method is provided below, which may specifically include the following content: the verification of the verifiable statement based on the above specified hash algorithm
  • the field value of the plaintext contained in is encrypted, where the specified hash algorithm is the same as the algorithm used in the hash processing in the specified blockchain, and the specified blockchain stores the hash value of the verifiable claim.
  • the hash value of the verifiable statement corresponding to the statement identifier can be obtained from the specified blockchain above, and then, based on the specified block
  • the hash value corresponding to the field value of each field contained in the verification statement can be obtained by matching the hash value corresponding to the field value of each field with the hash value or ciphertext of the above plaintext. If each field of both parties If the hash values corresponding to the field values of all match, the claim can be verified as valid, otherwise, the claim can be verified as invalid.
  • step S314 if the verification result is valid, the second server executes the business processing corresponding to the business processing request based on the field value of the statement field corresponding to the business requirement in the verifiable statement.
  • the second server is based on the verifiable statement corresponding to the above business requirements
  • the business processing For example, in the information recommendation business, a piece of information to be recommended needs to be recommended to users with a bachelor’s degree or above. In the business process, it is necessary to determine whether the user has a bachelor’s degree or a bachelor’s degree or above. For this, the user’s The field value of the "Education Information" declaration field.
  • the first server can keep the field value of the user's "Education Information" declaration field in plaintext, and the field values of other declaration fields are encrypted, and then the second server is executing
  • the processed verifiable statement can be validated based on the above processing process.
  • the second server can use the field value of the "educational information" statement field to determine whether the user is The requirements for information recommendation are met. If they are met, the corresponding information can be pushed to the user. If they are not met, the next user can be acquired to continue the above processing process to push the corresponding information to the corresponding user.
  • the embodiment of this specification provides a business processing method based on a verifiable statement. Based on the target business to be processed, the required target statement field is determined, and the field value of the target statement field is kept in plain text.
  • the field value of at least one of the declared fields other than the field is encrypted, so that in the user’s verifiable information, the declaration field that is not required to be used in the target business is encrypted to prevent the declaration field outside the target declaration field from being encrypted.
  • the field value is leaked, which can effectively ensure that user information is stored safely, and users can manage their user information (that is, information that can be encrypted), and can control and show user information to relevant third parties without worrying Some data leaks.
  • data processing is performed on the verifiable statement, that is, the field value of the statement field required by the target business is plain text, and the value of at least one of the other statement fields is
  • the field value is the ciphertext encrypted based on the specified hash algorithm, and then the validity of the verifiable statement is verified, and when the verification result is valid, based on the field value of the statement field required by the target business, execute the target business correspondence
  • the safe storage of user information is further ensured.
  • the above embodiment of this specification provides a business processing method based on a verifiable statement. Based on the same idea, the embodiment of this specification also provides a service processing device based on a verifiable statement, as shown in FIG. 4.
  • the service processing device based on a verifiable statement includes: a request receiving module 401, a verification module 402, and a service processing module 403.
  • the request receiving module 401 receives a service processing request for a target service, wherein the target service is based on a verifiable claim Processing, the business processing request includes the verifiable statement processed by the first data processing rule; in the verifiable statement processed by the first data processing rule, the field value of the statement field required by the target business It is plain text, and the field value of at least one of the remaining statement fields is the cipher text that has been encrypted based on the specified hash algorithm; the verification module 402 verifies the validity of the verifiable statement; the business processing module 403, if If the verification result is valid, the business processing corresponding to the target business is executed based on the field value of the statement field required by the target business in the verifiable statement.
  • the verification module 402 includes: an encryption unit that encrypts the field value of the plaintext contained in the verifiable statement based on the specified hash algorithm; the Merkel root determination unit is based on the specified hash algorithm; The ciphertext in the verifiable statement determines the Merkel root corresponding to the ciphertext in the verifiable statement; the verification unit, based on the Merkel root and the verification information in the verifiable statement, The validity of the verification statement can be verified.
  • the encryption unit obtains the field value of the statement field contained in the verifiable statement; if the field value includes a field value that satisfies a predetermined composition rule, obtains the corresponding verifiable statement
  • the statement index information it is recorded that the field value is plaintext or the field value is ciphertext; according to the statement index information, based on the specified hash algorithm, the verifiable statement contains The field value of the plaintext is encrypted.
  • the Merkel root determination unit constructs a binary tree based on the ciphertext corresponding to the declared fields contained in the verifiable statement according to the order of the declared fields in the verifiable statement; according to the Merkel algorithm , Determine the check value of the root node in the binary tree; determine the check value of the root node in the binary tree as the Merkel root corresponding to the ciphertext in the verifiable statement.
  • the verification information in the verifiable statement is signature information
  • the verification unit obtains the verification information in the verifiable statement and the key corresponding to the verifiable statement; based on the key Perform signature verification processing on the verification information in the verifiable statement to obtain the reference Merkel root corresponding to the verification information in the verifiable statement; if the Merkel root matches the reference Merkel root , It is determined that the verifiable statement is valid.
  • the embodiment of this specification provides a business processing device based on a verifiable statement.
  • data processing is performed on the verifiable statement, that is, the field of the statement field required by the target business
  • the value is plain text
  • the field value of at least one of the remaining claim fields is the cipher text that has been encrypted based on the specified hash algorithm, and then the validity of the verifiable claim is verified, and when the verification result is valid, based on the target
  • the field value of the statement field required by the business executes the business processing corresponding to the target business, so that by verifying the validity of the verifiable statement, and then using the field value in the verifiable statement, the safe storage of user information can be effectively guaranteed.
  • the embodiment of this specification also provides a service processing device based on a verifiable statement, as shown in FIG. 5.
  • the business processing device based on the verifiable statement includes: a field determination module 501, a data processing module 502, and a business processing module 503.
  • the field determination module 501 determines the target business to be processed according to the verifiable statement holding the user’s target business.
  • the first data processing rule includes: keeping the field value of the target statement field as plain text, and encrypting the field value of at least one of the statement fields other than the target statement field in the verifiable statement Processing, the encryption processing is encryption processing based on a specified hash algorithm; the business processing module 503 performs business processing corresponding to the target business based on the verifiable statement after data processing.
  • the service processing module 503 sends a service processing request of the target service to the service processor of the target service, and the service processing request includes the verifiable statement after the data processing;
  • the business processor is enabled to perform business processing on the target business based on the verifiable statement after the data processing.
  • the specified hash algorithm is the same as the algorithm used in the hash processing in the specified blockchain; the specified blockchain stores the hash value of the verifiable statement.
  • it further includes: an instruction information receiving module to receive instruction information of the service processor; the instruction information is used to instruct the user holding the verifiable claim to send the target service to the service processor Business processing request.
  • the embodiment of this specification provides a business processing device based on a verifiable statement.
  • the target business to be processed by the user determines the required target statement field, keeps the field value of the target statement field in plain text, and removes the target statement from the verifiable statement.
  • the field value of at least one of the declared fields other than the field is encrypted, so that in the user’s verifiable information, the declaration field that is not required to be used in the target business is encrypted to prevent the declaration field outside the target declaration field from being encrypted. The field value is leaked, which can effectively ensure that user information is stored safely.
  • the service processing device based on verifiable claims provided in the above embodiments of this specification, based on the same idea, the embodiments of this specification also provide a service processing device based on verifiable claims, as shown in FIG. 6.
  • the service processing device based on the verifiable statement may be the second server provided in the foregoing embodiment, and the second server may be a server of the party that processes one or more services based on the verifiable statement.
  • Business processing equipment based on verifiable claims may have relatively large differences due to different configurations or performances, and may include one or more processors 601 and a memory 602, and the memory 602 may store one or more storage applications or data .
  • the memory 602 may be short-term storage or persistent storage.
  • the application program stored in the memory 602 may include one or more modules (not shown in the figure), and each module may include a series of computer-executable instructions for a business processing device based on a verifiable statement.
  • the processor 601 may be configured to communicate with the memory 602, and execute a series of computer-executable instructions in the memory 602 on a service processing device based on a verifiable statement.
  • the service processing equipment based on the verifiable statement may also include one or more power sources 603, one or more wired or wireless network interfaces 604, one or more input and output interfaces 605, and one or more keyboards 606.
  • the business processing device based on verifiable claims includes a memory and one or more programs.
  • One or more programs are stored in the memory, and one or more programs may include one or more programs.
  • Modules, and each module may include a series of computer-executable instructions in a business processing device based on verifiable claims, and is configured to be executed by one or more processors.
  • the one or more programs include a computer for performing the following Executable instruction: receiving a business processing request of a target business, wherein the target business is processed based on a verifiable statement, and the business processing request includes the verifiable statement processed by the first data processing rule;
  • the field value of the statement field required by the target business is plaintext, and the field value of at least one statement field in the remaining statement fields is ciphertext encrypted based on a specified hash algorithm;
  • the validity of the verifiable statement is verified; if the verification result is valid, the business processing corresponding to the target business is executed based on the field value of the statement field required by the target business in the verifiable statement.
  • the verification of the validity of the verifiable statement includes: encrypting the field value of the plain text contained in the verifiable statement based on the specified hash algorithm; and based on the verifiable statement; Verify the ciphertext in the statement to determine the Merkel root corresponding to the ciphertext in the verifiable statement; based on the Merkel root and the verification information in the verifiable statement, the validity of the verifiable statement Verification.
  • the encrypting the field value of the plain text contained in the verifiable statement based on the specified hash algorithm includes: obtaining the field value of the statement field contained in the verifiable statement; if If the field value includes a field value that satisfies a predetermined composition rule, the statement index information corresponding to the verifiable statement is obtained, and the statement index information records that the field value is plain text or the field value is cipher text According to the statement index information, the field value of the plaintext contained in the verifiable statement is encrypted based on the specified hash algorithm.
  • the determining the Merkel root corresponding to the ciphertext in the verifiable statement based on the ciphertext in the verifiable statement includes: in accordance with the order of the statement fields in the verifiable statement, Construct a binary tree based on the ciphertext corresponding to the statement field contained in the verifiable statement; determine the check value of the root node in the binary tree according to the Merkel algorithm; determine the check value of the root node in the binary tree as the verifiable statement
  • the ciphertext in the verification statement corresponds to the Merkel root.
  • the verification information in the verifiable statement is signature information, and the validity of the verifiable statement is verified based on the Merkel root and the verification information in the verifiable statement , Including: obtaining the verification information in the verifiable statement and the key corresponding to the verifiable statement; performing verification processing on the verification information in the verifiable statement based on the key to obtain the verifiable statement The verification information in the corresponding reference Merkel root; if the Merkel root matches the reference Merkel root, it is determined that the verifiable statement is valid.
  • the embodiment of this specification provides a business processing device based on a verifiable statement.
  • data processing is performed on the verifiable statement, that is, the field of the statement field required by the target business
  • the value is plain text
  • the field value of at least one of the remaining claim fields is the cipher text that has been encrypted based on the specified hash algorithm, and then the validity of the verifiable claim is verified, and when the verification result is valid, based on the target
  • the field value of the statement field required by the business executes the business processing corresponding to the target business, so that by verifying the validity of the verifiable statement, and then using the field value in the verifiable statement, the safe storage of user information can be effectively guaranteed.
  • the embodiment of this specification also provides a service processing device based on a verifiable statement, as shown in FIG. 7.
  • the service processing device based on the verifiable statement may be the first server provided in the above-mentioned embodiment, and the first server may be a server on the side of the statement holding user or a server of the agent that performs encryption processing for the statement holding the user’s statement .
  • Business processing equipment based on verifiable claims may have relatively large differences due to different configurations or performances, and may include one or more processors 701 and a memory 702, and the memory 702 may store one or more storage applications or data .
  • the memory 702 may be short-term storage or persistent storage.
  • the application program stored in the memory 702 may include one or more modules (not shown in the figure), and each module may include a series of computer-executable instructions for a business processing device based on verifiable claims.
  • the processor 701 may be configured to communicate with the memory 702, and execute a series of computer-executable instructions in the memory 702 on a service processing device based on a verifiable statement.
  • the service processing device based on the verifiable statement may also include one or more power supplies 703, one or more wired or wireless network interfaces 704, one or more input and output interfaces 705, and one or more keyboards 706.
  • the business processing device based on verifiable claims includes a memory and one or more programs.
  • One or more programs are stored in the memory, and one or more programs may include one or more programs.
  • Modules, and each module may include a series of computer-executable instructions in a business processing device based on verifiable claims, and is configured to be executed by one or more processors.
  • the one or more programs include a computer for performing the following Executable instruction: according to the target business to be processed of the user holding the verifiable claim, determine the target statement field required by the target business; the target statement field is at least one statement field in the verifiable statement; based on The first data processing rule performs data processing on the verifiable statement; the first data processing rule includes: keeping the field value of the target statement field as plain text, and removing the target statement field from the verifiable statement The field value of at least one of the other statement fields is encrypted, and the encryption is based on a specified hash algorithm; based on the verifiable statement after data processing, the business processing corresponding to the target business is performed .
  • the performing the business processing corresponding to the target business based on the verifiable statement after data processing includes: sending the business processing request of the target business to the business processing party of the target business, the The business processing request includes the verifiable statement after the data processing; so that the business processor performs business processing on the target business based on the verifiable statement after the data processing.
  • the specified hash algorithm is the same as the algorithm used in the hash processing in the specified blockchain; the specified blockchain stores the hash value of the verifiable statement.
  • the verifiable statement based on the data processing, before performing the business processing corresponding to the target business further includes: receiving instruction information from the business processor; the instruction information is used to indicate the verifiable The declared holder user sends a service processing request of the target service to the service processing party.
  • the embodiment of this specification provides a business processing device based on a verifiable statement.
  • the target business to be processed by the user determines the required target statement field, and keeps the field value of the target statement field as plain text. Except the target statement in the verifiable statement
  • the field value of at least one of the declared fields other than the field is encrypted, so that in the user’s verifiable information, the declaration field that is not required to be used in the target business is encrypted to prevent the declaration field outside the target declaration field from being encrypted.
  • the field value is leaked, which can effectively ensure that user information is stored safely, and users can manage their user information (that is, information that can be encrypted), and can control and present user information to relevant third parties without worrying Some data leaks.
  • the improvement of a technology can be clearly distinguished between hardware improvements (for example, improvements in circuit structures such as diodes, transistors, switches, etc.) or software improvements (improvements in method flow).
  • hardware improvements for example, improvements in circuit structures such as diodes, transistors, switches, etc.
  • software improvements improvements in method flow.
  • the improvement of many methods and processes of today can be regarded as a direct improvement of the hardware circuit structure.
  • Designers almost always get the corresponding hardware circuit structure by programming the improved method flow into the hardware circuit. Therefore, it cannot be said that the improvement of a method flow cannot be realized by the hardware entity module.
  • a programmable logic device Programmable Logic Device, PLD
  • PLD Programmable Logic Device
  • FPGA Field Programmable Gate Array
  • HDL Hardware Description Language
  • ABEL Advanced Boolean Expression Language
  • AHDL Altera Hardware Description Language
  • HDCal JHDL
  • Lava Lava
  • Lola MyHDL
  • PALASM RHDL
  • VHDL Very-High-Speed Integrated Circuit Hardware Description Language
  • Verilog Verilog
  • the controller can be implemented in any suitable manner.
  • the controller can take the form of, for example, a microprocessor or a processor and a computer-readable medium storing computer-readable program codes (such as software or firmware) executable by the (micro)processor. , Logic gates, switches, application specific integrated circuits (ASICs), programmable logic controllers and embedded microcontrollers. Examples of controllers include but are not limited to the following microcontrollers: ARC625D, Atmel AT91SAM, Microchip PIC18F26K20 and Silicon Labs C8051F320, the memory controller can also be implemented as part of the memory control logic.
  • controller in addition to implementing the controller in a purely computer-readable program code manner, it is entirely possible to program the method steps to make the controller use logic gates, switches, application specific integrated circuits, programmable logic controllers and embedded
  • the same function can be realized in the form of a microcontroller, etc. Therefore, such a controller can be regarded as a hardware component, and the devices included in it for realizing various functions can also be regarded as a structure within the hardware component. Or even, the device for realizing various functions can be regarded as both a software module for realizing the method and a structure within a hardware component.
  • a typical implementation device is a computer.
  • the computer can be, for example, a personal computer, a laptop computer, a cell phone, a camera phone, a smart phone, a personal digital assistant, a media player, a navigation device, an email device, a game console, a tablet computer, a wearable device, or Any combination of these devices.
  • embodiments of this specification can be provided as a method, a system, or a computer program product. Therefore, one or more embodiments of this specification may adopt the form of a complete hardware embodiment, a complete software embodiment, or an embodiment combining software and hardware. Moreover, one or more embodiments of this specification may adopt computer programs implemented on one or more computer-usable storage media (including but not limited to disk storage, CD-ROM, optical storage, etc.) containing computer-usable program codes. The form of the product.
  • computer-usable storage media including but not limited to disk storage, CD-ROM, optical storage, etc.
  • These computer program instructions can be provided to general-purpose computers, special-purpose computers, embedded processors, or other processors that can program business processing equipment based on verifiable claims to generate a machine, so that a computer or other programmable business based on verifiable claims
  • the instructions executed by the processor of the processing device generate means for implementing the functions specified in one or more processes in the flowchart and/or one or more blocks in the block diagram.
  • These computer program instructions can also be stored in a computer-readable memory that can guide a computer or other programmable business processing equipment based on verifiable claims to work in a specific manner, so that the instructions stored in the computer-readable memory generate instructions that include the instruction device.
  • the instruction device realizes the functions specified in one or more processes in the flowchart and/or one or more blocks in the block diagram.
  • These computer program instructions can also be loaded on a computer or other programmable business processing equipment based on verifiable claims, so that a series of operation steps are executed on the computer or other programmable equipment to produce computer-implemented processing, so that the computer or other
  • the instructions executed on the programming device provide steps for implementing functions specified in one or more processes in the flowchart and/or one block or more in the block diagram.
  • the computing device includes one or more processors (CPUs), input/output interfaces, network interfaces, and memory.
  • processors CPUs
  • input/output interfaces network interfaces
  • memory volatile and non-volatile memory
  • the memory may include non-permanent memory in computer readable media, random access memory (RAM) and/or non-volatile memory, such as read-only memory (ROM) or flash memory (flash RAM). Memory is an example of computer readable media.
  • RAM random access memory
  • ROM read-only memory
  • flash RAM flash memory
  • Computer-readable media include permanent and non-permanent, removable and non-removable media, and information storage can be realized by any method or technology.
  • the information can be computer-readable instructions, data structures, program modules, or other data.
  • Examples of computer storage media include, but are not limited to, phase change memory (PRAM), static random access memory (SRAM), dynamic random access memory (DRAM), other types of random access memory (RAM), read-only memory (ROM), electrically erasable programmable read-only memory (EEPROM), flash memory or other memory technology, CD-ROM, digital versatile disc (DVD) or other optical storage, Magnetic cassettes, magnetic tape magnetic disk storage or other magnetic storage devices or any other non-transmission media can be used to store information that can be accessed by computing devices. According to the definition in this article, computer-readable media does not include transitory media, such as modulated data signals and carrier waves.
  • one or more embodiments of this specification can be provided as a method, a system or a computer program product. Therefore, one or more embodiments of this specification may adopt the form of a complete hardware embodiment, a complete software embodiment, or an embodiment combining software and hardware. Moreover, one or more embodiments of this specification may adopt computer programs implemented on one or more computer-usable storage media (including but not limited to disk storage, CD-ROM, optical storage, etc.) containing computer-usable program codes. The form of the product.
  • computer-usable storage media including but not limited to disk storage, CD-ROM, optical storage, etc.
  • One or more embodiments of this specification may be described in the general context of computer-executable instructions executed by a computer, such as program modules.
  • program modules include routines, programs, objects, components, data structures, etc. that perform specific tasks or implement specific abstract data types.
  • One or more embodiments of this specification can also be practiced in distributed computing environments. In these distributed computing environments, tasks are performed by remote processing devices connected through a communication network. In a distributed computing environment, program modules can be located in local and remote computer storage media including storage devices.

Abstract

Disclosed are a verifiable claim-based service processing method, apparatus, and device. The method comprises: receiving a service processing request of a target service, wherein the target service is processed on the basis of a verifiable claim, the service processing request comprises the verifiable claim processed by a first data processing rule, in the verifiable claim processed by the first data processing rule, the field value of a claim field required by the target service is plain text, and the field value of at least one of the remaining claim fields is ciphertext that is encrypted on the basis of a specified hash algorithm; next, verifying the validity of the verifiable claim; and if the verification result is valid, performing a service processing corresponding to the target service on the basis of the field value of the claim field required by the target service in the verifiable claim.

Description

一种基于可验证声明的业务处理方法、装置及设备Business processing method, device and equipment based on verifiable statement 技术领域Technical field
本说明书涉及计算机技术领域,尤其涉及一种基于可验证声明的业务处理方法、装置及设备。This specification relates to the field of computer technology, and in particular to a business processing method, device and equipment based on verifiable claims.
背景技术Background technique
随着数字化的发展,个人、组织或实体在网络环境中如何定义其身份,以及如何有效地保护其隐私数据,成为人们面对的一个重要问题。通常,使用互联网服务产生的用户数据几乎不由用户个人掌控,用户身份信息泄露或被售卖的情况时有发生。为此,需要在进行数据交互的过程中进行身份验证。With the development of digitization, how individuals, organizations or entities define their identities in the network environment and how to effectively protect their private data has become an important issue facing people. Generally, user data generated by using Internet services is almost not controlled by the user, and user identity information is leaked or sold from time to time. For this reason, it is necessary to perform identity verification in the process of data exchange.
通常,可以采用数字身份唯一性的身份验证方式,但是该身份验证方式下,只能在相同场景或指定的场景中进行,而在不同场景中往往无法共识互认,为身份验证的应用和管理都带来了很大的不便,为此,需要提供一种能够有效保障用户信息被安全存储、用户可以管理其用户信息,并可以将用户信息可控的出示给相关第三方的技术方案。Usually, the unique identity verification method of digital identity can be used, but under this identity verification method, it can only be carried out in the same scene or specified scene, and consensus and mutual recognition are often not possible in different scenes. This is the application and management of identity verification. All have brought great inconvenience. Therefore, it is necessary to provide a technical solution that can effectively ensure that user information is stored safely, users can manage their user information, and can controllably present user information to relevant third parties.
发明内容Summary of the invention
本说明书实施例的目的是提供一种基于可验证声明的业务处理方法、装置及设备,以提供一种能够有效保障用户信息被安全存储、用户可以管理其用户信息,并可以将用户信息可控的出示给相关第三方的技术方案。The purpose of the embodiments of this specification is to provide a business processing method, device, and equipment based on verifiable claims, so as to provide a method that can effectively guarantee that user information is stored safely, that users can manage their user information, and that user information can be controlled. The technical solution presented to the relevant third party.
为了实现上述技术方案,本说明书实施例是这样实现的。In order to implement the above technical solutions, the embodiments of this specification are implemented in this way.
本说明书实施例提供的一种基于可验证声明的业务处理方法,所述方法包括:接收目标业务的业务处理请求,其中,所述目标业务基于可验证声明进行处理,所述业务处理请求包括经第一数据处理规则处理的所述可验证声明;经第一数据处理规则处理的所述可验证声明中,所述目标业务所需的声明字段的字段值为明文,其余声明字段中的至少一个声明字段的字段值为经过基于指定散列算法加密处理的密文。对所述可验证声明的有效性进行验证。若验证结果为有效,则基于所述可验证声明中所述目标业务所需的声明字段的字段值,执行所述目标业务对应的业务处理。The embodiment of this specification provides a business processing method based on a verifiable statement, the method includes: receiving a business processing request of a target business, wherein the target business is processed based on the verifiable statement, and the business processing request includes The verifiable statement processed by the first data processing rule; in the verifiable statement processed by the first data processing rule, the field value of the statement field required by the target business is plain text, and at least one of the remaining statement fields The field value of the declared field is the ciphertext encrypted based on the specified hash algorithm. The validity of the verifiable statement is verified. If the verification result is valid, the business processing corresponding to the target business is executed based on the field value of the statement field required by the target business in the verifiable statement.
本说明书实施例提供的一种基于可验证声明的业务处理方法,所述方法包括:根 据可验证声明的持有用户的待处理的目标业务,确定所述目标业务所需的目标声明字段;所述目标声明字段为所述可验证声明中的至少一个声明字段。基于第一数据处理规则对所述可验证声明进行数据处理;所述第一数据处理规则包括:将所述目标声明字段的字段值保持为明文,对所述可验证声明中除所述目标声明字段外的其他声明字段中的至少一个声明字段的字段值进行加密处理,所述加密处理为基于指定散列算法的加密处理。基于数据处理后的可验证声明,进行所述目标业务对应的业务处理。The embodiment of this specification provides a business processing method based on a verifiable statement, the method includes: determining the target statement field required by the target business according to the target business to be processed of the user holding the verifiable statement; The target statement field is at least one statement field in the verifiable statement. Perform data processing on the verifiable statement based on the first data processing rule; the first data processing rule includes: keeping the field value of the target statement field as plain text, and removing the target statement from the verifiable statement The field value of at least one of the declaration fields other than the field is encrypted, and the encryption processing is an encryption processing based on a specified hash algorithm. Based on the verifiable statement after data processing, the business processing corresponding to the target business is performed.
本说明书实施例提供的一种基于可验证声明的业务处理装置,所述装置包括:请求接收模块,接收目标业务的业务处理请求,其中,所述目标业务基于可验证声明进行处理,所述业务处理请求包括经第一数据处理规则处理的所述可验证声明;经第一数据处理规则处理的所述可验证声明中,所述目标业务所需的声明字段的字段值为明文,其余声明字段中的至少一个声明字段的字段值为经过基于指定散列算法加密处理的密文。验证模块,对所述可验证声明的有效性进行验证。业务处理模块,若验证结果为有效,则基于所述可验证声明中所述目标业务所需的声明字段的字段值,执行所述目标业务对应的业务处理。The embodiment of this specification provides a service processing device based on a verifiable statement. The device includes a request receiving module that receives a service processing request of a target service. The target service is processed based on the verifiable claim. The processing request includes the verifiable statement processed by the first data processing rule; in the verifiable statement processed by the first data processing rule, the value of the statement field required by the target business is plain text, and the remaining statement fields The field value of at least one declaration field in the ciphertext is encrypted based on a specified hash algorithm. The verification module verifies the validity of the verifiable statement. The business processing module, if the verification result is valid, execute the business processing corresponding to the target business based on the field value of the statement field required by the target business in the verifiable statement.
本说明书实施例提供的一种基于可验证声明的业务处理装置,所述装置包括:字段确定模块,根据可验证声明的持有用户的待处理的目标业务,确定所述目标业务所需的目标声明字段;所述目标声明字段为所述可验证声明中的至少一个声明字段。数据处理模块,基于第一数据处理规则对所述可验证声明进行数据处理;所述第一数据处理规则包括:将所述目标声明字段的字段值保持为明文,对所述可验证声明中除所述目标声明字段外的其他声明字段中的至少一个声明字段的字段值进行加密处理,所述加密处理为基于指定散列算法的加密处理。业务处理模块,基于数据处理后的可验证声明,进行所述目标业务对应的业务处理。The embodiment of this specification provides a business processing device based on a verifiable statement, the device includes: a field determination module, which determines the target required by the target business according to the target business to be processed of the user holding the verifiable statement Statement field; the target statement field is at least one statement field in the verifiable statement. The data processing module performs data processing on the verifiable statement based on the first data processing rule; the first data processing rule includes: keeping the field value of the target statement field as plain text, and excluding the verifiable statement The field value of at least one of the declaration fields other than the target declaration field is encrypted, and the encryption processing is an encryption processing based on a specified hash algorithm. The business processing module performs business processing corresponding to the target business based on the verifiable statement after data processing.
本说明书实施例提供的一种基于可验证声明的业务处理设备,所述基于可验证声明的业务处理设备包括:处理器;以及被安排成存储计算机可执行指令的存储器,所述可执行指令在被执行时使所述处理器:接收目标业务的业务处理请求,其中,所述目标业务基于可验证声明进行处理,所述业务处理请求包括经第一数据处理规则处理的所述可验证声明;经第一数据处理规则处理的所述可验证声明中,所述目标业务所需的声明字段的字段值为明文,其余声明字段中的至少一个声明字段的字段值为经过基于指定散列算法加密处理的密文。对所述可验证声明的有效性进行验证。若验证结果为有效,则基于所述可验证声明中所述目标业务所需的声明字段的字段值,执行所述目标业务对应 的业务处理。An embodiment of this specification provides a business processing device based on a verifiable statement. The business processing device based on a verifiable statement includes: a processor; and a memory arranged to store computer-executable instructions, where the executable instructions are When executed, the processor is caused to receive a service processing request of a target service, wherein the target service is processed based on a verifiable statement, and the service processing request includes the verifiable statement processed by the first data processing rule; In the verifiable statement processed by the first data processing rule, the field value of the statement field required by the target business is plain text, and the field value of at least one of the remaining statement fields is encrypted based on a specified hash algorithm The processed ciphertext. The validity of the verifiable statement is verified. If the verification result is valid, the business processing corresponding to the target business is executed based on the field value of the statement field required by the target business in the verifiable statement.
本说明书实施例提供的一种基于可验证声明的业务处理设备,所述基于可验证声明的业务处理设备包括:处理器;以及被安排成存储计算机可执行指令的存储器,所述可执行指令在被执行时使所述处理器:根据可验证声明的持有用户的待处理的目标业务,确定所述目标业务所需的目标声明字段;所述目标声明字段为所述可验证声明中的至少一个声明字段。基于第一数据处理规则对所述可验证声明进行数据处理;所述第一数据处理规则包括:将所述目标声明字段的字段值保持为明文,对所述可验证声明中除所述目标声明字段外的其他声明字段中的至少一个声明字段的字段值进行加密处理,所述加密处理为基于指定散列算法的加密处理。基于数据处理后的可验证声明,进行所述目标业务对应的业务处理。An embodiment of this specification provides a business processing device based on a verifiable statement. The business processing device based on a verifiable statement includes: a processor; and a memory arranged to store computer-executable instructions, where the executable instructions are When executed, the processor is caused to: determine the target statement field required by the target business according to the target business to be processed of the user holding the verifiable statement; the target statement field is at least one of the verifiable claims A declaration field. Perform data processing on the verifiable statement based on the first data processing rule; the first data processing rule includes: keeping the field value of the target statement field as plain text, and removing the target statement from the verifiable statement The field value of at least one of the declaration fields other than the field is encrypted, and the encryption processing is an encryption processing based on a specified hash algorithm. Based on the verifiable statement after data processing, the business processing corresponding to the target business is performed.
附图说明Description of the drawings
为了更清楚地说明本说明书实施例中的技术方案,下面将对实施例描述中所需要使用的附图作简单地介绍,显而易见地,下面描述中的附图仅仅是本说明书中记载的一些实施例,对于本领域普通技术人员来讲,在不付出创造性劳动的前提下,还可以根据这些附图获得其他的附图。In order to more clearly describe the technical solutions in the embodiments of this specification, the following will briefly introduce the drawings needed in the description of the embodiments. Obviously, the drawings in the following description are only some of the implementations recorded in this specification. For example, for those of ordinary skill in the art, without creative work, other drawings can be obtained from these drawings.
图1为本说明书一种基于可验证声明的业务处理方法实施例;Figure 1 is an embodiment of a business processing method based on verifiable claims in this specification;
图2为本说明书另一种基于可验证声明的业务处理方法实施例;Figure 2 is another embodiment of the business processing method based on verifiable claims in this specification;
图3为本说明书又一种基于可验证声明的业务处理方法实施例;Figure 3 is another embodiment of a business processing method based on verifiable claims in this specification;
图4为本说明书一种基于可验证声明的业务处理装置实施例;Figure 4 is an embodiment of a business processing device based on verifiable claims in this specification;
图5为本说明书另一种基于可验证声明的业务处理装置实施例;Figure 5 is another embodiment of a business processing device based on verifiable claims in this specification;
图6为本说明书一种基于可验证声明的业务处理设备实施例;Figure 6 is an embodiment of a business processing device based on verifiable claims in this specification;
图7为本说明书另一种基于可验证声明的业务处理设备实施例。Figure 7 is another embodiment of a business processing device based on verifiable claims in this specification.
具体实施方式Detailed ways
本说明书实施例提供一种基于可验证声明的业务处理方法、装置及设备。The embodiments of this specification provide a business processing method, device and equipment based on verifiable claims.
为了使本技术领域的人员更好地理解本说明书中的技术方案,下面将结合本说明书实施例中的附图,对本说明书实施例中的技术方案进行清楚、完整地描述,显然,所 描述的实施例仅仅是本说明书一部分实施例,而不是全部的实施例。基于本说明书中的实施例,本领域普通技术人员在没有作出创造性劳动前提下所获得的所有其他实施例,都应当属于本说明书保护的范围。In order to enable those skilled in the art to better understand the technical solutions in this specification, the following will clearly and completely describe the technical solutions in the embodiments of this specification in conjunction with the drawings in the embodiments of this specification. Obviously, the described The embodiments are only a part of the embodiments in this specification, rather than all the embodiments. Based on the embodiments in this specification, all other embodiments obtained by a person of ordinary skill in the art without creative work shall fall within the protection scope of this specification.
实施例一Example one
如图1所示,本说明书实施例提供一种基于可验证声明的业务处理方法,该方法的执行主体可以为服务器,其中,该服务器可以是一个独立的服务器,还可以是由多个服务器构成的服务器集群等。该服务器可以是声明持有用户一侧的服务器或者为声明持有用户的声明进行加密处理的代理方的服务器等。该方法具体可以包括步骤S102~S106。As shown in Figure 1, the embodiment of this specification provides a business processing method based on verifiable claims. The execution subject of the method can be a server, where the server can be an independent server or can be composed of multiple servers. Server clusters, etc. The server may be a server on the side of the claiming user or a server of an agent that performs encryption processing for the claim of the claiming user. The method may specifically include steps S102 to S106.
在步骤S102中,根据可验证声明的持有用户的待处理的目标业务,确定该目标业务所需的目标声明字段,目标声明字段为可验证声明中的至少一个声明字段。In step S102, according to the target business to be processed of the user holding the verifiable claim, a target statement field required by the target business is determined, where the target statement field is at least one statement field in the verifiable statement.
其中,可验证声明可以是用于描述个人、组织等实体所具有的某些属性的一种规范性的信息,可验证声明可以实现基于证据的信任,可以通过可验证声明,向其他实体证明当前实体的某些属性的信息是可信的。目标业务所需可以是目标业务的业务需求等,业务需求可以是执行某项业务所需要具备的要求,业务需求可以如学历为本科或本科以上,或者,年龄在18周岁以上等。不同的业务,可以具有不同的业务需求,具体可以根据实际情况设定。目标声明字段可以是可验证声明中包含的一个或多个声明字段,如可验证声明中包含姓名、身份证号码、出生日期和学历信息等声明字段,目标声明字段可以是上述声明字段中的任一声明字段,具体如出生日期的声明字段等,目标声明字段也可以是上述声明字段中的多个声明字段,具体如出生日期和学历信息两个声明字段等。Among them, a verifiable statement can be a kind of normative information used to describe certain attributes of entities such as individuals, organizations, etc., a verifiable statement can realize evidence-based trust, and a verifiable statement can prove to other entities that the current Information about certain attributes of the entity is credible. The target business needs can be the business needs of the target business, etc. The business needs can be the requirements needed to perform a certain business. The business needs can be a bachelor's degree or above, or an age of 18 or older. Different businesses can have different business requirements, which can be set according to actual conditions. The target declaration field can be one or more declaration fields contained in the verifiable declaration. For example, the verifiable declaration contains declaration fields such as name, ID number, date of birth, and academic information. The target declaration field can be any of the above declaration fields. A declaration field, such as the declaration field of the date of birth, etc. The target declaration field may also be multiple declaration fields of the above declaration fields, such as two declaration fields of the date of birth and education information.
在实施中,随着数字化的发展,个人、组织或实体在网络环境中如何定义其身份,以及如何有效地保护其隐私数据,成为人们面对的一个重要问题。通常,使用互联网服务产生的用户数据几乎不由用户个人掌控,用户身份信息泄露或被售卖的情况时有发生。为此,需要在进行数据交互的过程中进行身份验证。In the implementation, with the development of digitization, how to define the identity of individuals, organizations or entities in the network environment and how to effectively protect their private data has become an important issue facing people. Generally, user data generated by using Internet services is almost not controlled by the user, and user identity information is leaked or sold from time to time. For this reason, it is necessary to perform identity verification in the process of data exchange.
通常,可以采用数字身份唯一性的身份验证方式,但是该身份验证方式下,只能在相同场景或指定的场景中进行,而在不同场景中往往无法共识互认,为身份验证的应用和管理都带来了很大的不便,为此,需要提供一种能够有效保障用户信息被安全存储、用户可以管理其用户信息,并可以将用户信息可控的出示给相关第三方的技术方案。本说明书实施例提供一种可行的技术方案,具体可以包括以下内容:Usually, the unique identity verification method of digital identity can be used, but under this identity verification method, it can only be carried out in the same scene or specified scene, and consensus and mutual recognition are often not possible in different scenes. This is the application and management of identity verification. All have brought great inconvenience. Therefore, it is necessary to provide a technical solution that can effectively ensure that user information is stored safely, users can manage their user information, and can controllably present user information to relevant third parties. The embodiment of this specification provides a feasible technical solution, which may specifically include the following content:
在日常生活中,很多场景都需要验证用户的属性,审核用户提供的信息是否符合 相应的业务的预定标准,本说明书实施例中可以通过签发可验证声明来实现,可验证声明中可以包括与用户的属性相关的信息。具体地,对于某一项或多项业务,业务处理方(或业务提供方)可以根据该一项或多项业务的实际需求设置上述业务的处理机制,即业务处理方可以设定基于可验证声明执行业务处理,业务处理请求方(可以是请求某业务服务的用户)可以向业务处理方发送业务处理请求,其中,业务处理请求方可以包括多种,如可以是可验证声明的持有用户,也可以是声明持有用户或者为声明持有用户的可验证声明进行加密处理的代理方等。本实施例中以业务处理请求方为用户为例进行说明,在业务处理请求方需要进行某项业务处理之前,可验证声明的持有用户可以通过终端设备启动相应的应用程序,该应用程序中可以设置有不同业务的相关信息,当用户选择某业务(即目标业务)后,终端设备可以获取该业务的相关信息(如该业务的标识等),发送给服务器,服务器可以根据该业务的相关信息确定目标业务及目标业务的业务需求等。In daily life, many scenarios need to verify the attributes of the user, and check whether the information provided by the user meets the predetermined standards of the corresponding business. In the embodiments of this specification, this can be achieved by issuing a verifiable statement. The verifiable statement may include Information related to the properties of the. Specifically, for a certain one or more businesses, the business processor (or business provider) can set the processing mechanism of the aforementioned business according to the actual needs of the one or more businesses, that is, the business processor can set a verifiable basis A statement performs business processing. The business processing requester (which can be a user requesting a certain business service) can send a business processing request to the business processing party. The business processing requester can include multiple types, such as a user who holds a verifiable statement. , It can also be a claim holder or an agent that encrypts the verifiable claim of the claim holder, etc. In this embodiment, the business processing requester is an example of a user. Before the business processing requester needs to perform a certain business processing, the user who can verify the claim can start the corresponding application through the terminal device. In the application The relevant information of different services can be set. When the user selects a certain service (that is, the target service), the terminal device can obtain the relevant information of the service (such as the identification of the service, etc.) and send it to the server. The server can according to the relevant information of the service. The information determines the target business and the business requirements of the target business, etc.
针对不同的业务,可以具有不同的业务需求,而不同的业务需求可能会对应不同的属性的信息(即对应不同的声明字段),服务器中可以预先设置有不同业务(或业务需求)与声明字段的对应关系,服务器可以基于用户所需执行的目标业务,从上述对应关系中查找该目标业务对应的声明字段,并可以将查找到的声明字段确定为执行该目标业务所需的目标声明字段,或者,也可以将用户执行的目标业务的相关信息输入到预定模型(如分类模型等)中进行分析,以输出相应的结果(即目标声明字段),例如,用户所需执行的目标业务需要满足学历为本科或本科以上,则可以基于预定的分类模型确定上述目标业务对应的目标声明字段为学历信息字段,再例如,用户所需执行的目标业务需要满足的业务需求包括学历为本科或本科以上,以及年龄在18周岁以上,则基于预定的分类模型确定上述目标业务所需的目标声明字段为学历信息和出生日期等两个声明字段。Different services can have different business requirements, and different business requirements may correspond to different attribute information (that is, corresponding to different declaration fields), and different services (or business requirements) and declaration fields can be preset in the server Based on the target business that the user needs to perform, the server can search for the declaration field corresponding to the target business from the above correspondence, and can determine the found declaration field as the target declaration field required to execute the target business. Alternatively, the relevant information about the target business performed by the user can be input into a predetermined model (such as a classification model, etc.) for analysis to output the corresponding result (ie target statement field). For example, the target business that the user needs to perform needs to meet If you have a bachelor’s degree or above, you can determine that the target declaration field corresponding to the above target business is an academic information field based on a predetermined classification model. For another example, the business requirements that the user needs to perform the target business need to meet include a bachelor’s degree or above , And the age is over 18 years old, based on the predetermined classification model, it is determined that the target declaration fields required by the above target business are two declaration fields such as academic information and date of birth.
在步骤S104中,基于第一数据处理规则对可验证声明进行数据处理,第一规则包括:将目标声明字段的字段值保持为明文,对可验证声明中除目标声明字段外的其他声明字段中的至少一个声明字段的字段值进行加密处理,该加密处理为基于指定散列算法的加密处理。In step S104, data processing is performed on the verifiable statement based on the first data processing rule. The first rule includes: keeping the field value of the target statement field as plain text, and checking the statement fields other than the target statement field in the verifiable statement. Encryption processing is performed on the field value of at least one of the declared fields, and the encryption processing is an encryption processing based on a specified hash algorithm.
其中,可验证声明中可以包括声明字段和相应的字段值,声明字段可以是表示相应的字段值具有的共同特性的信息,如姓名、出生日期、学历信息等,字段值可以是声明字段对应的具体内容,如声明字段为姓名,字段值可以为张三等。指定散列算法可以 是任意的一种散列算法,例如SHA-1算法、SHA-224算法、SHA-256算法等,具体选用哪种散列算法作为指定散列算法,可以根据实际情况设定,本说明书实施例对此不做限定。Among them, the verifiable statement can include the statement field and the corresponding field value. The statement field can be information indicating the common characteristics of the corresponding field value, such as name, date of birth, education information, etc., and the field value can be corresponding to the statement field Specific content, such as the declaration field is name, the field value can be Zhang San etc. The specified hash algorithm can be any hash algorithm, such as SHA-1 algorithm, SHA-224 algorithm, SHA-256 algorithm, etc. The specific hash algorithm to be used as the specified hash algorithm can be set according to the actual situation The embodiments of this specification do not limit this.
在实施中,不同的业务需求可能会对应不同的声明字段,在实际应用中,除了业务需求对应的目标声明字段之外的其它声明字段,在该业务需求对应的业务处理过程中并不是必需的,而通常可验证声明中会包含有全部声明字段及其字段值,这样就会使得某些声明字段的字段值被泄露,为此,本说明书实施例中,可以预先设定对可验证声明的处理规则(即第一数据处理规则),基于该第一数据处理规则可以将可验证声明中的指定字段值进行加密处理,并使得某些字段值保持明文等,具体地,在根据用户所需执行的目标业务确定执行该目标业务所需的目标声明字段后,由于目标声明字段的字段值需要在目标业务对应的业务处理中使用,因此,可以保持可验证声明中目标声明字段的字段值为明文而不做变化,同时可以获取可验证声明中除目标声明字段外的其它声明字段,并可以对其它声明字段中的至少一个声明字段的字段值通过指定散列算法进行加密处理。基于第一数据处理规则处理后的可验证声明可以存储在服务器中,以便后续执行目标业务的业务处理。In implementation, different business requirements may correspond to different declaration fields. In actual applications, other declaration fields except the target declaration field corresponding to the business requirement are not necessary in the business processing process corresponding to the business requirement. , And usually the verifiable statement contains all the statement fields and their field values, which will cause the field values of some statement fields to be leaked. For this reason, in the embodiment of this specification, you can pre-set the verifiable statement Processing rules (that is, the first data processing rules), based on the first data processing rules, the specified field values in the verifiable statement can be encrypted, and some field values can be kept in plaintext, etc., specifically, according to user needs After the target business executed determines the target declaration field required to execute the target business, since the field value of the target declaration field needs to be used in the business processing corresponding to the target business, the field value of the target declaration field in the verifiable declaration can be maintained The plain text does not change, and at the same time, other declaration fields except the target declaration field in the verifiable declaration can be obtained, and the field value of at least one of the other declaration fields can be encrypted through a specified hash algorithm. The verifiable statement processed based on the first data processing rule may be stored in the server for subsequent execution of the business processing of the target business.
需要说明的是,对其它声明字段中的多个声明字段的字段值通过指定散列算法进行加密处理的过程中,对多个不同的声明字段的字段值所使用的指定散列算法应为同一种散列算法,例如,使用SHA-256算法对上述每个声明字段的字段值进行加密处理或使用MD5(Message-Digest Algorithm 5,第5信息摘要算法)对上述每个声明字段的字段值进行加密处理等。It should be noted that in the process of encrypting the field values of multiple declaration fields in other declaration fields through the specified hash algorithm, the specified hash algorithm used for the field values of multiple different declaration fields should be the same A kind of hashing algorithm, for example, use the SHA-256 algorithm to encrypt the field value of each of the above declaration fields or use MD5 (Message-Digest Algorithm 5, the fifth message digest algorithm) to perform the field value of each of the above declaration fields Encryption processing, etc.
在步骤S106中,基于数据处理后的可验证声明,进行目标业务对应的业务处理。In step S106, the business processing corresponding to the target business is performed based on the verifiable statement after the data processing.
在实施中,可以通过多种方式实现基于数据处理后的可验证声明,进行目标业务对应的业务处理,例如由(声明持有用户一侧的)该服务器直接向业务处理方的服务器发送目标业务的业务处理请求,从而触发业务处理方的服务器根据该业务处理请求,对目标业务进行业务处理,或者,(声明持有用户一侧的)该服务器在接收到由用户向业务处理方的服务器发送目标业务的业务处理请求的通知消息或提示信息后,可以将该通知消息或提示信息发送给可验证声明的用户,则用户可以通过终端设备向业务处理方的服务器发送目标业务的业务处理请求,从而触发业务处理方的服务器根据该业务处理请求,对目标业务进行业务处理,或者,还可以由用户主动发起目标业务的业务处理请求,(声明持有用户一侧的)该服务器接收到该业务处理请求后,可以将相应的数据处理后 的可验证声明和该业务处理请求发送给业务处理方的服务器,以触发业务处理方的服务器根据该业务处理请求,对目标业务进行业务处理等。具体需要通过何种方式进行目标业务对应的业务处理可以根据实际情况设定,本说明书实施例对此不做限定。In implementation, a verifiable statement based on data processing can be implemented in a variety of ways to perform business processing corresponding to the target business. For example, the server (on the side of the statement holding the user) directly sends the target business to the server of the business processor The service processing request, which triggers the service processing party’s server to perform business processing on the target service according to the service processing request, or (declaring that it holds the user’s side) the server receives the request from the user to the service processing party’s server After the notification message or prompt information of the service processing request of the target service, the notification message or prompt information can be sent to the user whose statement can be verified, and the user can send the service processing request of the target service to the server of the service processor through the terminal device. This triggers the service processor’s server to process the target service according to the service processing request, or the user can actively initiate the service processing request for the target service, and the server (declaring that it holds the user’s side) receives the service After processing the request, the corresponding verifiable statement after data processing and the service processing request can be sent to the server of the service processor to trigger the server of the service processor to perform service processing on the target service according to the service processing request. The specific method by which the business processing corresponding to the target business needs to be performed can be set according to the actual situation, which is not limited in the embodiment of this specification.
本说明书实施例提供一种基于可验证声明的业务处理方法,在执行基于可验证声明的目标业务的业务处理的过程中,对可验证声明进行数据处理,即目标业务所需的声明字段的字段值为明文,其余声明字段中的至少一个声明字段的字段值为经过基于指定散列算法加密处理的密文,然后对可验证声明的有效性进行验证,并在验证结果为有效时,基于目标业务所需的声明字段的字段值,执行目标业务对应的业务处理,这样通过对可验证声明进行有效性验证,然后再使用可验证声明中的字段值,有效保证用户信息的安全存储。The embodiment of this specification provides a business processing method based on a verifiable statement. In the process of executing the business processing of the target business based on the verifiable statement, data processing is performed on the verifiable statement, that is, the field of the statement field required by the target business The value is plain text, and the field value of at least one of the remaining claim fields is the cipher text that has been encrypted based on the specified hash algorithm, and then the validity of the verifiable claim is verified, and when the verification result is valid, based on the target The field value of the statement field required by the business executes the business processing corresponding to the target business, so that by verifying the validity of the verifiable statement, and then using the field value in the verifiable statement, the safe storage of user information is effectively guaranteed.
实施例二Example two
如图2所示,本说明书实施例提供一种基于可验证声明的业务处理方法,该方法的执行主体可以为服务器,其中,该服务器可以是一个独立的服务器,还可以是由多个服务器构成的服务器集群等。该服务器可以是基于可验证声明,对某一项或多项业务进行处理的一方的服务器等。该方法具体可以包括步骤S202~S206。As shown in Figure 2, the embodiment of this specification provides a business processing method based on verifiable claims. The execution subject of the method can be a server, where the server can be an independent server or can be composed of multiple servers. Server clusters, etc. The server may be a server of a party that processes one or more services based on a verifiable statement. The method may specifically include steps S202 to S206.
在步骤S202中,接收目标业务的业务处理请求,其中,目标业务基于可验证声明进行处理,该业务处理请求包括经第一数据处理规则处理的该可验证声明;经第一数据处理规则处理的该可验证声明中,目标业务所需的声明字段的字段值为明文,其余声明字段中的至少一个声明字段的字段值为经过基于指定散列算法加密处理的密文。In step S202, a business processing request of the target business is received, wherein the target business is processed based on a verifiable statement, and the business processing request includes the verifiable statement processed by the first data processing rule; the business processing request processed by the first data processing rule In the verifiable statement, the field value of the statement field required by the target business is plain text, and the field value of at least one statement field in the remaining statement fields is cipher text that has been encrypted based on a specified hash algorithm.
其中,业务处理请求可以是请求执行某项业务处理的消息,业务处理请求中还可以包括如业务的标识(如业务名称或编码等)、业务处理请求方的标识(如业务处理请求方的账号、名称或业务处理请求方所使用的终端设备的IMSI码、IP地址、MAC地址、通讯号码等)等。其中的业务可以是任意业务,具体可以根据实际情况设定。目标业务可以是上述实施例一中可验证声明的持有用户所需执行的目标业务。如上述实施例一所述,对其余声明字段中的多个声明字段的字段值经过指定散列算法加密处理的过程中,对多个不同的声明字段的字段值所使用的指定散列算法应为同一种散列算法。Among them, the service processing request may be a message requesting the execution of a certain service processing. The service processing request may also include the identifier of the service (such as the service name or code, etc.) and the identifier of the service processing requester (such as the account of the service processing requester). , Name or IMSI code, IP address, MAC address, communication number, etc. of the terminal equipment used by the requesting party for service processing. The business can be any business, and the specific business can be set according to the actual situation. The target business may be the target business required to be performed by the holder user that can be verified and declared in the first embodiment. As described in the first embodiment above, in the process of encrypting the field values of multiple statement fields in the remaining statement fields through a specified hash algorithm, the specified hash algorithm used for the field values of multiple different statement fields should be It is the same hash algorithm.
在实施中,业务处理请求方可以通过终端设备启动相应的应用程序,该应用程序中可以设置有不同业务处理的触发机制,当业务处理请求方触发某业务处理后,终端设备可以获取如业务的标识、业务处理请求方的标识等相关信息,并获取执行目标业务对 应的业务处理所需的可验证声明,其中,获取的可验证声明可以是已经经过第一数据处理规则处理后的可验证声明,即该可验证声明中目标业务所需的声明字段的字段值为明文,其余声明字段中的至少一个声明字段的字段值为经过基于指定散列算法加密处理的密文。可以通过获取的上述信息生成业务处理请求,终端设备可以向服务器发送该业务处理请求,从而服务器可以接收该业务处理请求。In implementation, the service processing requester can start the corresponding application program through the terminal device. The application program can be set up with different service processing trigger mechanisms. When the service processing requester triggers a certain service processing, the terminal device can obtain information such as business Identification, business processing requester identification and other relevant information, and obtain the verifiable statement required to perform the business processing corresponding to the target business, where the obtained verifiable statement may be the verifiable statement that has been processed by the first data processing rule , That is, the field value of the statement field required by the target business in the verifiable statement is plain text, and the field value of at least one of the other statement fields is cipher text that has been encrypted based on the specified hash algorithm. The service processing request can be generated from the acquired information, and the terminal device can send the service processing request to the server, so that the server can receive the service processing request.
需要说明的是,针对不同的业务,在业务处理的过程中的需求可能不同,相应的,所需的声明字段和字段值也会不同,例如,保险业务中,某项保险只针对工作于指定城市中的用户办理,则在该业务处理中需要确定用户是否工作于指定城市中,为此需要用户的“工作所在地”声明字段的字段值;再例如,信息推荐业务中,某待推荐的信息需要推荐给本科学历及本科学历以上学历的用户,则在该业务处理中需要确定用户是否是本科学历或本科学历以上的学历,为此需要用户的“学历信息”声明字段的字段值。为了避免某些声明字段的字段值被泄露,可以对上述声明字段的字段值进行加密处理,而上述目标业务所需的声明字段的字段值则需要保持明文,以便后续业务处理的过程中使用。It should be noted that for different businesses, the requirements in the process of business processing may be different. Correspondingly, the required declaration fields and field values will also be different. For example, in the insurance business, a certain insurance is only for the specified work For a user in a city, it is necessary to determine whether the user is working in a designated city in the business process, and for this, the user’s "work location" declaration field is required; for another example, in the information recommendation business, a piece of information to be recommended It is necessary to recommend to users with a bachelor’s degree and a bachelor’s degree or above. In the business process, it is necessary to determine whether the user has a bachelor’s degree or a bachelor’s degree or above. For this, the user’s "Educational Information" statement field value is required. In order to avoid the disclosure of the field values of certain declared fields, the field values of the aforementioned declaration fields can be encrypted, and the field values of the aforementioned declaration fields required by the target business need to be kept in plain text for subsequent business processing.
在步骤S204中,对可验证声明的有效性进行验证。In step S204, the validity of the verifiable statement is verified.
在实施中,服务器接收到基于可验证声明的业务处理请求后,可以先对可验证声明进行验证,以判断该可验证声明是否有效,在确定可验证声明有效的情况下,再基于可验证声明进行业务处理,从而进一步保证业务处理的安全性。具体地,服务器接收到业务处理请求后,可以从业务处理请求中提取其中包含的经第一数据处理规则处理后的可验证声明,然后,可以对经第一数据处理规则处理后的可验证声明进行验证。其中,对可验证声明进行验证可以包括多种方式,例如,可以获取对可验证声明中密文所采用的加密方式或指定散列算法的相关信息,之后可以通过获取的加密方式或指定散列算法的相关信息,对可验证声明中包括的明文的字段值进行加密处理,从而可以使得可验证声明中包含的声明字段的字段值成为密文。基于可验证声明中包含的声明字段对应的密文,通过预定的算法进行计算,得到最终的计算结果。可验证声明中还包括上述计算结果的基准值,可以将得到的计算结果与可验证声明中的基准值进行比较,如果两者相同,则验证通过,即可验证声明有效,如果两者不相同,则验证失败,即可验证声明无效。In implementation, after the server receives a business processing request based on a verifiable statement, it can first verify the verifiable statement to determine whether the verifiable statement is valid, and if it is determined that the verifiable statement is valid, then based on the verifiable statement Perform business processing to further ensure the security of business processing. Specifically, after the server receives the business processing request, it can extract the verifiable statement processed by the first data processing rule contained therein from the business processing request, and then can perform the verification of the verifiable statement processed by the first data processing rule. authenticating. Among them, the verification of the verifiable statement can include multiple methods. For example, the encryption method used for the ciphertext in the verifiable statement or the related information of the specified hash algorithm can be obtained, and then the obtained encryption method or specified hash can be obtained. For the information related to the algorithm, the field value of the plaintext included in the verifiable statement is encrypted, so that the field value of the statement field included in the verifiable statement can be made ciphertext. Based on the ciphertext corresponding to the statement field contained in the verifiable statement, the calculation is performed through a predetermined algorithm to obtain the final calculation result. The verifiable statement also includes the benchmark value of the above calculation results. The calculated result can be compared with the benchmark value in the verifiable statement. If the two are the same, the verification is passed and the statement is valid. If the two are not the same , The verification fails and the verification statement is invalid.
除了上述方式外,还可以包括多种方式,再例如,可验证声明中可以包括该经第一数据处理后的可验证声明的校验值,服务器获取到经第一数据处理规则处理后的可验证声明后,可以通过预定的校验算法确定该可验证声明的校验值,然后,可以将计算的 校验值与可验证声明中的校验值进行比较,如果两者相同,则验证通过,即可验证声明有效,如果两者不相同,则验证失败,即可验证声明无效等。在实际应用中,对可验证声明的有效性进行验证的方式不仅仅只包含上述两种方式,还可以包括其它多种可实现方式,具体可以根据实际情况设定,本说明书实施例对此不做限定。In addition to the above methods, multiple methods may also be included. For another example, the verifiable statement may include the verification value of the verifiable statement processed by the first data, and the server obtains the verifiable statement processed by the first data processing rule. After verifying the statement, the verification value of the verifiable statement can be determined by a predetermined verification algorithm, and then the calculated verification value can be compared with the verification value in the verifiable statement. If the two are the same, the verification is passed , You can verify that the statement is valid, if the two are not the same, the verification fails, you can verify that the statement is invalid, etc. In practical applications, the method of verifying the validity of the verifiable statement not only includes the above two methods, but also includes other multiple achievable methods, which can be specifically set according to the actual situation. The embodiment of this specification does not include this. Make a limit.
在步骤S206中,若验证结果为有效,则基于可验证声明中与上述业务需求相对应的声明字段的字段值,执行上述业务处理请求相对应的业务处理。In step S206, if the verification result is valid, the business processing corresponding to the business processing request is executed based on the field value of the statement field corresponding to the business requirement in the verifiable statement.
在实施中,如果对可验证声明的有效性进行验证的验证结果为有效,则表明该可验证声明准确,由于目标业务对应的业务处理的过程中,只需要使用到可验证声明中目标业务所需的声明字段的字段值,且该字段值为明文,因此,可以直接基于可验证声明中目标业务所需的声明字段的字段值,执行上述业务处理请求对应的业务处理。例如,信息推荐业务中,某待推荐的信息对应的业务需求为推荐给本科学历及本科学历以上学历的用户,可验证声明中信息推荐业务所需的声明字段为学历信息,若相应的字段值为本科,则基于该字段值,可以确定能够执行上述信息推荐业务对应的业务处理,此时,服务器可以将待推荐的信息发送给该用户等。In the implementation, if the verification result of verifying the validity of the verifiable statement is valid, it indicates that the verifiable statement is accurate. Because the business processing process corresponding to the target business, only the target business location in the verifiable statement needs to be used. The field value of the required statement field, and the field value is plain text, therefore, the business processing corresponding to the above business processing request can be performed directly based on the field value of the statement field required by the target business in the verifiable statement. For example, in the information recommendation business, the business requirement corresponding to the information to be recommended is to recommend to users with a bachelor’s degree or above. You can verify that the declared field required for the information recommendation business in the statement is academic information. If the corresponding field value is For undergraduates, based on the field value, it can be determined that the service processing corresponding to the above information recommendation service can be performed. At this time, the server can send the information to be recommended to the user, etc.
本说明书实施例提供一种基于可验证声明的业务处理方法,用户待处理的目标业务,确定所需的目标声明字段,将目标声明字段的字段值保持为明文,对可验证声明中除目标声明字段外的其他声明字段中的至少一个声明字段的字段值进行加密处理,使得用户的可验证信息中,在目标业务中不需要使用的声明字段进行加密处理,防止目标声明字段外的声明字段的字段值被泄露,从而可以有效保障用户信息被安全存储,而且,用户可以管理其用户信息(即可以被加密的信息),并可以将用户信息可控的出示给相关第三方,而不需要担心某些数据泄露。The embodiment of this specification provides a business processing method based on a verifiable statement. The target business to be processed by the user determines the required target statement field, keeps the field value of the target statement field as plain text, and removes the target statement from the verifiable statement. The field value of at least one of the declared fields other than the field is encrypted, so that in the user’s verifiable information, the declaration field that is not required to be used in the target business is encrypted to prevent the declaration field outside the target declaration field from being encrypted. The field value is leaked, which can effectively ensure that user information is stored safely, and users can manage their user information (that is, information that can be encrypted), and can control and show user information to relevant third parties without worrying Some data leaks.
实施例三Example three
如图3所示,本说明书实施例提供一种基于可验证声明的业务处理方法,该方法的执行主体可以为第一服务器和第二服务器,其中,第一服务器可以是声明持有用户或者为声明持有用户的声明进行加密处理的代理方的服务器,第二服务器可以是基于可验证声明,对某一项或多项业务进行处理的一方的服务器。第一服务器可以是一个独立的服务器,还可以是由多个服务器构成的服务器集群等。第二服务器也可以是一个独立的服务器,还可以是由多个服务器构成的服务器集群等。该方法具体可以包括步骤S302~S314。As shown in Figure 3, the embodiment of this specification provides a business processing method based on verifiable claims. The execution subject of the method can be a first server and a second server, where the first server can be a claim holder or a The server of the agent that declares that the user's statement is encrypted, and the second server may be the server of the party that processes one or more services based on the verifiable statement. The first server may be an independent server, or a server cluster composed of multiple servers. The second server may also be an independent server, or a server cluster composed of multiple servers. The method may specifically include steps S302 to S314.
在步骤S302中,第一服务器根据可验证声明的持有用户的待处理的目标业务,确定目标业务所需的目标声明字段,目标声明字段为可验证声明中的至少一个声明字段。In step S302, the first server determines the target statement field required by the target business according to the target business to be processed of the user holding the verifiable statement, and the target statement field is at least one statement field in the verifiable statement.
在实施中,用户的可验证声明在数据处理之前可以如下:In implementation, the verifiable statement of the user can be as follows before data processing:
Figure PCTCN2020121874-appb-000001
Figure PCTCN2020121874-appb-000001
Figure PCTCN2020121874-appb-000002
Figure PCTCN2020121874-appb-000002
Figure PCTCN2020121874-appb-000003
Figure PCTCN2020121874-appb-000003
其中的声明字段可以如上述的“姓名”、“身份证号”、“性别”、“出生日期”、“电话号码”、“学历”等,目标业务所需的目标声明字段可以是上述声明字段中的一个或多个。The declaration fields can be the above-mentioned "name", "ID number", "gender", "date of birth", "telephone number", "educational background", etc. The target declaration field required by the target business can be the above declaration field One or more of.
在步骤S304中,第一服务器基于第一数据处理规则对可验证声明进行数据处理;第一数据处理规则包括:将目标声明字段的字段值保持为明文,对可验证声明中除目标声明字段外的其他声明字段中的至少一个声明字段的字段值进行加密处理,该加密处理为基于指定散列算法的加密处理。In step S304, the first server performs data processing on the verifiable statement based on the first data processing rule; the first data processing rule includes: keeping the field value of the target statement field as plain text, and for the verifiable statement except for the target statement field The field value of at least one of the other declaration fields of is subjected to encryption processing, and the encryption processing is an encryption processing based on a specified hash algorithm.
在实施中,基于第一数据处理规则对可验证声明进行数据处理后得到的可验证声明可以如下:In implementation, the verifiable statement obtained after data processing of the verifiable statement based on the first data processing rule may be as follows:
Figure PCTCN2020121874-appb-000004
Figure PCTCN2020121874-appb-000004
Figure PCTCN2020121874-appb-000005
Figure PCTCN2020121874-appb-000005
Figure PCTCN2020121874-appb-000006
Figure PCTCN2020121874-appb-000006
基于上述数据处理后的可验证声明,目标业务所需的目标声明字段位于“学历信息”项目中,其中包括“学历”、“毕业院校”和“专业”的声明字段,其中“Item1”内的声明字段对应的字段值为密文(即hash值),“Item2”和“Item3”内的声明字段对应的字段值也分别为密文(即hash值),其中,“Item1”为上述步骤S302的示例中的“基本信息”项目,“Item2”为上述步骤S302的示例中的“学历”、“毕业院校”、“专业”和“毕业日期”等对应的项目,“Item3”为上述步骤S302的示例中的“紧急联系人”项目等。Based on the verifiable statement after the above data processing, the target statement fields required by the target business are located in the "Education Information" item, which includes the statement fields of "Education", "Graduation College" and "Professional", among which "Item1" The field value corresponding to the declaration field of "Item2" and "Item3" corresponds to the field value of the ciphertext (that is, the hash value), and the field value corresponding to the declaration field in "Item2" and "Item3" is also the ciphertext (that is, the hash value), where "Item1" is the above step The "Basic Information" item in the example of S302, "Item2" is the corresponding items such as "Education", "Graduation College", "Major", and "Date of Graduation" in the example of step S302 above, and "Item3" is the above The "Emergency Contact" item in the example of step S302, etc.
需要说明的是,用户的可验证声明或上述经第一数据处理规则处理后的可验证声明可以存储于区块链中,从而保证可验证声明的准确性。其中,指定散列算法与指定区块链中哈希处理中采用的算法相同,该指定区块链上存储有可验证声明的哈希值。为了方便区块链中的各个区块链节点能够对存储的可验证声明进行验证,并且考虑到散列算法是不可逆的,因此,指定区块链中哈希处理中采用的算法应该与指定散列算法相同。It should be noted that the verifiable statement of the user or the verifiable statement processed by the first data processing rule can be stored in the blockchain to ensure the accuracy of the verifiable statement. Among them, the specified hash algorithm is the same as the algorithm used in the hash processing in the specified block chain, and the specified block chain stores the hash value of the verifiable claim. In order to facilitate the verification of the stored verifiable statement by each blockchain node in the blockchain, and considering that the hash algorithm is irreversible, the algorithm used in the hash processing in the specified blockchain should be the same as the specified hash algorithm. The column algorithm is the same.
在实际应用中,第一服务器基于上述步骤S302和步骤S304的处理,对用户的可验证声明进行第一数据处理后,业务处理方可以基于该用户的可验证声明进行相应的业务处理,具体可以参见下述步骤S306~步骤S314的处理。In practical applications, after the first server performs the first data processing on the verifiable statement of the user based on the processing of steps S302 and S304 above, the business processor can perform corresponding business processing based on the verifiable statement of the user, which can be specifically See the processing of step S306 to step S314 below.
在步骤S306中,第一服务器向第二服务器(即目标业务的业务处理方的服务器)发送目标业务的业务处理请求,该业务处理请求中包括数据处理后的可验证声明;以使第二服务器基于数据处理后的可验证声明对目标业务进行业务处理。In step S306, the first server sends a service processing request of the target service to the second server (that is, the server of the service processor of the target service), and the service processing request includes a verifiable statement after data processing; so that the second server Perform business processing on the target business based on the verifiable statement after data processing.
在实施中,当业务处理请求方需要进行某项业务处理之前,可以通知相应的用户准备可验证声明,此时,用户可以通过终端设备向第一服务器发送用户所需执行的目标业务,第一服务器可以执行上述步骤S302和步骤S304的处理,以对可验证声明进行处理得到基于第一数据处理规则处理后的可验证声明。需要说明的是,不同的业务需求,处理后的可验证声明可能不同,第一服务器中可以存储有同一用户的相同原始内容的可验证声明经过不同数据处理规则处理后的可验证声明。In implementation, before the service processing requester needs to perform a certain service processing, the corresponding user can be notified to prepare a verifiable statement. At this time, the user can send the target service that the user needs to perform to the first server through the terminal device. The server may execute the processing of step S302 and step S304 above to process the verifiable statement to obtain a verifiable statement processed based on the first data processing rule. It should be noted that the processed verifiable claims may be different for different business requirements. The first server may store verifiable claims of the same original content of the same user after being processed by different data processing rules.
当业务处理方需要执行目标业务的业务处理时,由于进行该业务处理,需要使用 用户的可验证声明,因此,第一服务器可以获取数据处理后的可验证声明等信息生成目标业务的业务处理请求,并向第二服务器发送该业务处理请求,第二服务器可以接收基于可验证声明的目标业务的业务处理请求。When the business processor needs to perform the business processing of the target business, because the business processing needs to use the verifiable statement of the user, the first server can obtain the verifiable statement and other information after the data processing to generate the business processing request of the target business , And send the service processing request to the second server, and the second server can receive the service processing request of the target service based on the verifiable statement.
目标业务的业务处理请求的触发方式可以多种多样,除了可以通过上述方式触发外,还可以通过下述方式实现,具体可以包括以下内容:第一服务器接收业务处理方的指示信息;该指示信息用于指示可验证声明的持有用户向业务处理方发送目标业务的业务处理请求。The service processing request of the target service can be triggered in a variety of ways. In addition to the above-mentioned methods, it can also be implemented in the following ways, which can specifically include the following content: the first server receives the indication information of the service processor; the indication information It is used to instruct the holder of the verifiable claim to send the service processing request of the target service to the service processor.
在实施中,第一服务器可以接收业务处理方(第二服务器)的指示信息,以指示可验证声明的持有用户向业务处理方(第二服务器)发送目标业务的业务处理请求,此时,用户可以通过终端设备从第一服务器中获取向上述可验证声明,并可以以此生成目标业务的业务处理请求,终端设备向第二服务器发送目标业务的业务处理请求,或者,第一服务器将该指示信息和上述可验证声明发送给用户的终端设备,用户的终端设备可以生成目标业务的业务处理请求,并向第二服务器发送该业务处理请求。In implementation, the first server may receive the instruction information of the service processor (second server) to instruct the holder of the verifiable claim to send the service processing request of the target service to the service processor (second server). At this time, The user can obtain the above verifiable statement from the first server through the terminal device, and can generate the service processing request of the target service based on the terminal device. The terminal device sends the service processing request of the target service to the second server, or the first server sends the The instruction information and the above verifiable statement are sent to the user's terminal device, and the user's terminal device can generate a service processing request for the target service, and send the service processing request to the second server.
第二服务器接收到业务处理请求后,可以先对该业务处理请求中的可验证声明的有效性进行验证,以保证业务处理的安全性,具体可以参见下述步骤S308~步骤S312的处理。After receiving the service processing request, the second server may first verify the validity of the verifiable statement in the service processing request to ensure the security of the service processing. For details, refer to the processing of the following steps S308 to S312.
在步骤S308中,第二服务器基于指定散列算法对可验证声明中包含的明文的字段值进行加密处理。In step S308, the second server encrypts the field value of the plaintext contained in the verifiable statement based on the specified hash algorithm.
在实施中,由于可验证声明中包含明文和密文,而且密文是经过指定散列算法进行加密,通常很难得到该密文对应的可验证声明中的实际内容,因此,可以通过密文的方式对可验证声明进行验证,具体地,可以对可验证声明中的密文保持不变,对可验证声明中的明文进行处理,即可以对可验证声明中每个声明字段的显示为明文的字段值进行加密处理,由于进行上述加密处理的目的是验证可验证声明的有效性,因此,该加密处理与上述基于第一数据处理规则对可验证声明进行处理的过程中使用的加密算法应该相同,即该加密算法为指定散列算法。基于上述内容,第二服务器可以基于指定散列算法对可验证声明中包含的明文的字段值进行加密处理,这样,可验证声明中的全部字段值都已调整成为密文。In implementation, since the verifiable statement contains plaintext and ciphertext, and the ciphertext is encrypted by a specified hash algorithm, it is usually difficult to obtain the actual content of the verifiable statement corresponding to the ciphertext. Therefore, the ciphertext can be passed The verifiable statement can be verified in the manner of, specifically, the ciphertext in the verifiable statement can be kept unchanged, and the plain text in the verifiable statement can be processed, that is, the display of each statement field in the verifiable statement can be displayed as plain text The field value of is encrypted. Since the purpose of the above-mentioned encryption processing is to verify the validity of the verifiable statement, the encryption processing and the above-mentioned encryption algorithm used in the process of processing the verifiable statement based on the first data processing rule should be Same, that is, the encryption algorithm is a designated hash algorithm. Based on the above content, the second server can encrypt the field values of the plaintext contained in the verifiable statement based on the specified hash algorithm, so that all the field values in the verifiable statement have been adjusted to ciphertext.
在实际应用中,上述步骤S308的具体处理可以多种多样,除了上述处理方式外,还可以包括其它多种方式,以下再提供一种可选的处理方式,即在实际应用中,可验证 声明中的字段值无法确定是明文还是密文,此时,可以包括以下步骤A2~步骤A6的处理。In practical applications, the specific processing of the above step S308 can be various. In addition to the above processing methods, it can also include other methods. The following provides an optional processing method, that is, in practical applications, the statement can be verified It is impossible to determine whether the field value in is plaintext or ciphertext. In this case, the following steps A2 to A6 can be included.
步骤A2,第二服务器获取可验证声明中包含的声明字段的字段值。Step A2: The second server obtains the field value of the statement field contained in the verifiable statement.
在实施中,第二服务器可以对可验证声明中的内容进行分析,确定可验证声明中包含的声明字段,其中确定的声明字段可以是可验证声明中包含的全部的声明字段,也可以是可验证声明中某些指定的声明字段,如可验证声明中用户信息相关的声明字段(如姓名、出生日期、身份证号等声明字段)等。本说明书实施例中可以以可验证声明中的全部声明字段为例进行说明。In the implementation, the second server can analyze the content of the verifiable statement to determine the statement fields contained in the verifiable statement, where the determined statement field can be all the statement fields contained in the verifiable statement, or it can be a verifiable statement. Some specified declaration fields in the verification statement, such as the declaration fields related to user information in the verification statement (such as name, date of birth, ID card number, and other declaration fields), etc. In the embodiments of this specification, all the statement fields in the verifiable statement can be taken as an example for description.
步骤A4,如果上述字段值中包括满足预定的构成规则的字段值,则第二服务器获取可验证声明对应的声明索引信息,该声明索引信息中记录有字段值为明文或字段值为密文。Step A4: If the above field value includes a field value that meets a predetermined composition rule, the second server obtains the statement index information corresponding to the verifiable statement, and the statement index information records that the field value is plain text or the field value is cipher text.
其中,预定的构成规则可以是基于指定散列算法对原字段值进行加密后得到的密文的构成规则等,预定的构成规则可以根据实际情况确定,本说明书实施例对此不做限定。声明索引信息可以是用于记录某字段值为明文还是密文的信息,声明索引信息可以有多种展现形式,例如声明索引信息可以以Claim index字段的形式呈现,并且其中可以通过“0”或“1”的方式记录各个字段值为明文还是密文,或者,也可以通过标记“hash”的方式(如上述步骤S304中的示例)记录密文的字段值,剩余的字段值为明文等。The predetermined composition rule may be a ciphertext composition rule obtained by encrypting the original field value based on a specified hash algorithm, etc. The predetermined composition rule may be determined according to actual conditions, which is not limited in the embodiment of this specification. The declared index information can be information used to record the value of a certain field in plaintext or ciphertext. The declared index information can have multiple presentation forms. For example, the declared index information can be presented in the form of a Claim index field, and it can pass "0" or The "1" mode records whether each field value is plaintext or ciphertext, or the field value of the ciphertext can also be recorded by marking "hash" (as the example in step S304 above), and the remaining field values are plaintext.
在实施中,在可验证声明中,可能无法准确区分出哪个字段值为明文,哪个字段值为密文,例如,某用户的身份证号为一串数字,而用户的身份证号经过加密处理后还是一串数字,这样可能无法确定该身份证号是密文还是明文,为此,第一服务器可以在生成上述可验证声明的同时,生成该可验证声明对应的声明索引信息。第二服务器得到可验证声明中包含的声明字段的字段值后,可以对每个字段值进行分析,判断每个字段值是否满足预定的构成规则,如果其中的某一个或多个字段值满足预定的构成规则,则可以确定可验证声明中包含明文和密文,为了确定哪些字段值为明文,哪些字段值为密文,以便后续对相应的字段值进行处理,可以从第一服务器中获取可验证声明对应的声明索引信息,通过声明索引信息中记录的信息可以确定可验证声明中哪些字段值为明文,哪些字段值为密文。In implementation, in the verifiable statement, it may not be able to accurately distinguish which field value is plain text and which field value is cipher text. For example, a user’s ID number is a string of numbers, and the user’s ID number is encrypted. After it is still a string of numbers, it may not be possible to determine whether the ID number is ciphertext or plaintext. For this reason, the first server can generate the statement index information corresponding to the verifiable statement while generating the verifiable statement. After the second server obtains the field value of the statement field contained in the verifiable statement, it can analyze each field value to determine whether each field value meets the predetermined composition rule, and if one or more of the field values meet the predetermined In order to determine which fields are in plaintext and which fields are in ciphertext, so that the corresponding field values can be processed later, the verifiable statement can be obtained from the first server. Verify the statement index information corresponding to the statement. The information recorded in the statement index information can determine which fields in the verifiable statement are in plaintext and which fields are in ciphertext.
步骤A6,第二服务器根据声明索引信息,基于指定散列算法对可验证声明中包含的明文的字段值进行加密处理。Step A6: The second server encrypts the field value of the plain text contained in the verifiable statement based on the specified hash algorithm according to the statement index information.
在实施中,由于声明索引信息中记录有哪些字段值为明文,哪些字段值为密文,因此,可以基于声明索引信息中记录的内容,从可验证声明中查找到明文的字段值,并可以基于指定散列算法对可验证声明中包含的明文的字段值进行加密处理,得到该字段值的密文。例如,指定散列算法可以MD5算法,可以使用MD5算法分别计算每个明文的字段值,得到每个字段值对应的MD5值,由于可验证声明中包含的密文的字段值也是经过该指定散列算法(即MD5算法)得到,因此,可验证声明中包含的密文的字段值也为相应的MD5值,这样,可验证声明中包含的声明字段的字段值均为MD5值。In the implementation, since which field values are recorded in the declaration index information as plain text and which fields are in cipher text, based on the content recorded in the declaration index information, the field values of the plain text can be found from the verifiable declaration, and The field value of the plaintext contained in the verifiable statement is encrypted based on the specified hash algorithm to obtain the ciphertext of the field value. For example, the specified hash algorithm can be the MD5 algorithm, and the MD5 algorithm can be used to calculate the field value of each plaintext separately to obtain the MD5 value corresponding to each field value. Because the field value of the ciphertext contained in the verifiable statement is also passed through the specified hash The column algorithm (ie, the MD5 algorithm) is obtained. Therefore, the field value of the ciphertext contained in the verifiable statement is also the corresponding MD5 value. In this way, the field value of the statement field contained in the verifiable statement is all the MD5 value.
在步骤S310中,第二服务器基于可验证声明中的密文,确定可验证声明中的密文对应的默克尔根。In step S310, the second server determines the Merkel root corresponding to the ciphertext in the verifiable statement based on the ciphertext in the verifiable statement.
在实施中,由于可验证声明中包含的声明字段通常较多,如果逐一验证每个声明字段的字段值,则会消耗较多时间,为了简单快速的验证可验证声明的有效性,可以采用默克尔树的方式对可验证声明的有效性进行验证,具体地,可以基于可验证声明中的密文构建默克尔树(即Merkle树),构建一棵完整的Merkle树需要递归的对各节点对进行哈希,并将新生成的哈希节点插入到Merkle树中,直到只剩一个节点(该节点就是Merkle树的根节点)为止。基于构建的Merkle树,计算该Merkle树的根节点对应的值,该根节点对应的值即可以为默克尔根。例如,基于上述步骤A6中的示例,可验证声明中包含的声明字段的字段值均为MD5值,可以通过上述MD5值构建相应的默克尔树,得到有MD5值构成的默克尔树,该默克尔树中会包含有一个根节点,可以基于上述MD5值计算根节点的MD5值,得到的根节点的MD5值可以作为可验证声明中的密文对应的默克尔根。In implementation, since there are usually many declaration fields contained in verifiable declarations, it will take a lot of time to verify the field value of each declaration field one by one. In order to verify the validity of the verifiable declaration simply and quickly, you can use the default The Kerr tree method verifies the validity of the verifiable statement. Specifically, the Merkle tree (ie Merkle tree) can be constructed based on the ciphertext in the verifiable statement. The construction of a complete Merkle tree requires recursively The node pairs are hashed, and the newly generated hash node is inserted into the Merkle tree until there is only one node left (this node is the root node of the Merkle tree). Based on the constructed Merkle tree, the value corresponding to the root node of the Merkle tree is calculated, and the value corresponding to the root node can be regarded as the Merkle root. For example, based on the example in step A6 above, it can be verified that the field values of the statement fields included in the statement are all MD5 values, and the corresponding Merkel tree can be constructed from the above MD5 values to obtain a Merkel tree composed of MD5 values. The Merkel tree will contain a root node, and the MD5 value of the root node can be calculated based on the above MD5 value, and the obtained MD5 value of the root node can be used as the Merkel root corresponding to the ciphertext in the verifiable statement.
上述步骤S310的具体处理方式可以多种多样,除了可以通过上述方式实现外,还可以通过其它多种方式实现,以下提供一种可选的处理方式没具体可以包括以下步骤B2~步骤B6的处理。The specific processing methods of the above step S310 can be various. In addition to the above methods, it can also be implemented in other ways. The following provides an optional processing method, but it does not specifically include the following steps B2 to B6. .
步骤B2,第二服务器按照可验证声明中声明字段的顺序,基于可验证声明中包含的声明字段对应的密文构建二叉树。In step B2, the second server constructs a binary tree based on the cipher text corresponding to the declared fields contained in the verifiable statement according to the order of the declared fields in the verifiable statement.
其中,二叉树可以具备每个节点最多有两个子树的树结构。Among them, the binary tree may have a tree structure in which each node has at most two subtrees.
在实施中,第二服务器可以确定可验证声明中各个声明字段出现在可验证声明中前后顺序,例如,可验证声明中从前到后记录有:“姓名”:“张三”,“性别”:“男”,“出生日期”:“19880102”,则可验证声明中各声明字段出现在可验证声明中的前后 顺序为:姓名-性别-出生日期,或者,也可以是可验证声明中各声明字段由后向前的顺序等,在实际应用中,还可以是其它顺序,本说明书实施例对此不做限定。通过上述方式,第二服务器可以获取到可验证声明中声明字段的顺序,然后,第二服务器可以按照可验证声明中声明字段的顺序,基于可验证声明中包含的声明字段对应的密文构建二叉树。例如,可以按照可验证声明中各声明字段出现在可验证声明中的前后顺序姓名-性别-出生日期,基于姓名对应的密文、性别对应的密文和出生日期对应的密文构建二叉树,具体地,可以基于姓名对应的密文构建一个节点,并可以基于性别对应的密文构建一个节点,之后通过上述两个节点生成一个新的节点。可以基于出生日期对应的密文构建一个节点,再通过生成的新的节点与基于出生日期对应的密文构建一个节点生成第二个新的节点,从而构成一个完整的二叉树。In implementation, the second server can determine the order in which the various statement fields in the verifiable statement appear in the verifiable statement. For example, the verifiable statement records from front to back: "Name": "Zhang San", "Gender": "Male", "Date of Birth": "19880102", the order in which the statement fields in the verifiable statement appear in the verifiable statement is: name-gender-date of birth, or it can be the statement in the verifiable statement The order of the fields from back to front, etc., in practical applications, may also be in other order, which is not limited in the embodiment of this specification. Through the above method, the second server can obtain the order of the declared fields in the verifiable statement. Then, the second server can construct a binary tree based on the ciphertext corresponding to the declared fields contained in the verifiable statement according to the order of the declared fields in the verifiable statement. . For example, you can construct a binary tree based on the cipher text corresponding to the name, the cipher text corresponding to the gender, and the cipher text corresponding to the date of birth according to the order name-gender-date of birth in which each statement field in the verifiable statement appears in the verifiable statement. Ground, a node can be constructed based on the ciphertext corresponding to the name, and a node can be constructed based on the ciphertext corresponding to the gender, and then a new node can be generated through the above two nodes. A node can be constructed based on the ciphertext corresponding to the date of birth, and then a second new node can be generated by constructing a node based on the ciphertext corresponding to the date of birth and the new node generated to form a complete binary tree.
步骤B4,第二服务器根据默克尔算法,确定上述二叉树中根节点的校验值。Step B4: The second server determines the check value of the root node in the above binary tree according to the Merkel algorithm.
在实施中,通过上述步骤B2中的方式可以构建一个二叉树,该二叉树中包括多个节点(包括叶子节点和根节点等),可以根据默克尔算法对二叉树中的节点逐步进行计算,得到每个节点的校验值,从而得到二叉树中根节点的校验值。具体地,可以使用姓名对应的密文和性别对应的密文组合成一条信息,通过指定散列算法计算该条信息的散列值,之后,再由计算的该散列值与出生日期对应的密文组合成一条信息,再次通过指定散列算法计算该条信息的散列值,可以将最终计算的散列值作为二叉树中根节点的校验值。In implementation, a binary tree can be constructed by the method in step B2 above. The binary tree includes multiple nodes (including leaf nodes and root nodes, etc.). The nodes in the binary tree can be calculated step by step according to the Merkel algorithm to obtain each The check value of each node is used to obtain the check value of the root node in the binary tree. Specifically, the ciphertext corresponding to the name and the ciphertext corresponding to the gender can be combined into a piece of information, and the hash value of the piece of information can be calculated by a specified hash algorithm, and then the calculated hash value corresponding to the date of birth The ciphertext is combined into a piece of information, and the hash value of the piece of information is calculated through the specified hash algorithm again, and the finally calculated hash value can be used as the check value of the root node in the binary tree.
步骤B6,第二服务器将上述二叉树中根节点的校验值确定为可验证声明中的密文对应的默克尔根。Step B6: The second server determines the check value of the root node in the above binary tree as the Merkel root corresponding to the ciphertext in the verifiable statement.
在步骤S312中,第二服务器基于上述默克尔根和可验证声明中的验证信息,对可验证声明的有效性进行验证。In step S312, the second server verifies the validity of the verifiable statement based on the verification information in the above-mentioned Merkel root and verifiable statement.
在实施中,可验证声明中的验证信息中可以包括可验证声明中的密文对应的默克尔根,此时,可以将计算得到的默克尔根与可验证声明中的验证信息中的默克尔根进行比较,如果两者相同,则表明该可验证声明有效,如果两者不同,则表明该可验证声明无效,此时,可以向业务处理请求方发送相同的通知消息。In implementation, the verification information in the verifiable statement can include the Merkel root corresponding to the cipher text in the verifiable statement. At this time, the calculated Merkel root can be combined with the verification information in the verifiable statement. Merkel root makes a comparison. If the two are the same, it indicates that the verifiable claim is valid. If the two are different, it indicates that the verifiable claim is invalid. At this time, the same notification message can be sent to the business processing requester.
在实际应用中,上述步骤S312的处理可以多种多样,除了可以通过上述方式处理外,还可以通过其它多种方式实现,以下提供一种可选的处理方式,具体可以包括以下步骤C2~C6的处理。In practical applications, the above-mentioned step S312 can be processed in a variety of ways. In addition to the above-mentioned methods, it can also be implemented in many other ways. The following provides an optional processing method, which can specifically include the following steps C2 to C6 Processing.
步骤C2,第二服务器获取可验证声明中的验证信息和可验证声明对应的密钥。Step C2: The second server obtains the verification information in the verifiable statement and the key corresponding to the verifiable statement.
其中,可验证声明中的验证信息可以是对可验证声明中的密文对应的默克尔根进行签名处理后得到的签名信息,其中的对可验证声明中的密文对应的默克尔根进行签名处理可以是使用密钥对可验证声明中的密文对应的默克尔根进行加密的处理,在实际应用中,对可验证声明中的密文对应的默克尔根进行签名处理还可以是其它方式的处理,本说明书实施例对此不做限定。本实施例中以使用密钥对可验证声明中的密文对应的默克尔根进行加密的处理为例进行说明。密钥可以是可验证声明的提供者的公钥等。Among them, the verification information in the verifiable statement may be the signature information obtained after signing the Merkel root corresponding to the ciphertext in the verifiable statement, where the Merkel root corresponding to the ciphertext in the verifiable statement The signature processing can be a process of using a key to encrypt the Merkel root corresponding to the ciphertext in the verifiable statement. In actual applications, the Merkel root corresponding to the ciphertext in the verifiable statement is signed and processed. It may be processed in other ways, which is not limited in the embodiment of this specification. In this embodiment, the process of encrypting the Merkel root corresponding to the ciphertext in the verifiable statement using a key is taken as an example for description. The key can be the public key of the provider of the verifiable claim, etc.
在实施中,第二服务器可以从可验证声明中查找到验证信息,并可以从中提取该可验证信息。此外,还可以从可验证声明的提供者出获取该可验证声明的密钥(如公钥等)。其中,签名信息可以由可验证声明的提供者通过其私钥进行加密处理得到,则可以通过可验证声明的提供者的公钥来获取签名信息对应的默克尔根。In implementation, the second server can find the verification information from the verifiable statement, and can extract the verifiable information therefrom. In addition, the key (such as a public key, etc.) of the verifiable claim can also be obtained from the provider of the verifiable claim. Among them, the signature information can be obtained by the provider of the verifiable claim through the private key of the encryption process, and the Merkel root corresponding to the signature information can be obtained through the public key of the provider of the verifiable claim.
步骤C4,第二服务器基于该密钥对可验证声明中的验证信息进行验签处理,得到可验证声明中的验证信息对应的基准默克尔根。Step C4: The second server verifies the verification information in the verifiable statement based on the key to obtain the reference Merkel root corresponding to the verification information in the verifiable statement.
在实施中,可以使用可验证声明对应的密钥(如可验证声明的提供者的公钥)对可验证声明中的验证信息进行验签处理(即验证签名信息的处理),如果验签成功,则可以得到可验证声明中的验证信息对应的基准默克尔根,如果验签失败,则表明可验证声明可能存在风险。In implementation, the key corresponding to the verifiable statement (such as the public key of the provider of the verifiable statement) can be used to verify the verification information in the verifiable statement (that is, the process of verifying the signature information), if the verification is successful , You can get the benchmark Merkel root corresponding to the verification information in the verifiable statement. If the verification fails, it indicates that the verifiable statement may be at risk.
步骤C6,第二服务器如果上述默克尔根与基准默克尔根相匹配,则确定可验证声明有效。Step C6: The second server determines that the verifiable statement is valid if the aforementioned Merkel root matches the reference Merkel root.
需要说明的是,对可验证声明的有效性进行验证的方式还可以包括多种,以下再提供一种可选的处理方式,具体可以包括以下内容:基于上述指定散列算法对上述可验证声明中包含的明文的字段值进行加密处理,其中,该指定散列算法与指定区块链中哈希处理中采用的算法相同,该指定区块链上存储有可验证声明的哈希值。可以基于可验证声明的声明标识(如该可验证声明的名称或编码等),从上述指定区块链中获取该声明标识对应的可验证声明的哈希值,然后,可以基于从指定区块链中获取的哈希值,以及上述明文的字段值进行加密处理的结果和上述可验证声明中包含的密文,确定可验证声明是否有效,具体如,上述指定区块链中存储有上述可验证声明中包含的各字段的字段值对应的哈希值,可以将获取的每个字段的字段值对应的哈希值与上述明文的哈希值或密文进行匹配,如果双方的每个字段的字段值对应的哈希值均匹配,则可验证声明有 效,否则,可验证声明无效。It should be noted that there may be multiple ways to verify the validity of a verifiable statement. An optional processing method is provided below, which may specifically include the following content: the verification of the verifiable statement based on the above specified hash algorithm The field value of the plaintext contained in is encrypted, where the specified hash algorithm is the same as the algorithm used in the hash processing in the specified blockchain, and the specified blockchain stores the hash value of the verifiable claim. Based on the statement identifier of the verifiable statement (such as the name or code of the verifiable statement, etc.), the hash value of the verifiable statement corresponding to the statement identifier can be obtained from the specified blockchain above, and then, based on the specified block The hash value obtained in the chain, as well as the result of the encryption processing of the field value of the above plaintext and the ciphertext contained in the above verifiable statement, determine whether the verifiable statement is valid, for example, the above specified blockchain stores the above The hash value corresponding to the field value of each field contained in the verification statement can be obtained by matching the hash value corresponding to the field value of each field with the hash value or ciphertext of the above plaintext. If each field of both parties If the hash values corresponding to the field values of all match, the claim can be verified as valid, otherwise, the claim can be verified as invalid.
在步骤S314中,若验证结果为有效,则第二服务器基于可验证声明中与上述业务需求相对应的声明字段的字段值,执行上述业务处理请求相对应的业务处理。In step S314, if the verification result is valid, the second server executes the business processing corresponding to the business processing request based on the field value of the statement field corresponding to the business requirement in the verifiable statement.
在实施中,如果基于上述默克尔根和可验证声明中的验证信息确定可验证声明有效,则可以确定验证结果为有效,此时,第二服务器基于可验证声明中与上述业务需求相对应的声明字段的字段值,执行上述业务处理请求相对应的业务处理。例如,信息推荐业务中,某待推荐的信息需要推荐给本科学历及本科学历以上学历的用户,则在该业务处理中需要确定用户是否是本科学历或本科学历以上的学历,为此需要用户的“学历信息”声明字段的字段值,基于上述内容,第一服务器可以将用户的“学历信息”声明字段的字段值保持明文,其它声明字段的字段值进行加密处理,然后,第二服务器在执行上述信息推荐业务的处理中,可以基于上述处理过程对处理后的可验证声明进行有效性验证,在验证结果为有效时,第二服务器可以使用“学历信息”声明字段的字段值确定该用户是否满足信息推荐的要求,如果满足,则可以向该用户推送相应的信息,如果不满足,则可以获取下一个用户继续执行上述处理过程,以向相应的用户推送相应的信息。In the implementation, if it is determined that the verifiable statement is valid based on the verification information in the above Merkel root and verifiable statement, then the verification result can be determined to be valid. At this time, the second server is based on the verifiable statement corresponding to the above business requirements For the field value of the declared field, execute the business processing corresponding to the above business processing request. For example, in the information recommendation business, a piece of information to be recommended needs to be recommended to users with a bachelor’s degree or above. In the business process, it is necessary to determine whether the user has a bachelor’s degree or a bachelor’s degree or above. For this, the user’s The field value of the "Education Information" declaration field. Based on the above content, the first server can keep the field value of the user's "Education Information" declaration field in plaintext, and the field values of other declaration fields are encrypted, and then the second server is executing In the processing of the above information recommendation service, the processed verifiable statement can be validated based on the above processing process. When the verification result is valid, the second server can use the field value of the "educational information" statement field to determine whether the user is The requirements for information recommendation are met. If they are met, the corresponding information can be pushed to the user. If they are not met, the next user can be acquired to continue the above processing process to push the corresponding information to the corresponding user.
本说明书实施例提供一种基于可验证声明的业务处理方法,基于待处理的目标业务,确定所需的目标声明字段,将目标声明字段的字段值保持为明文,对可验证声明中除目标声明字段外的其他声明字段中的至少一个声明字段的字段值进行加密处理,使得用户的可验证信息中,在目标业务中不需要使用的声明字段进行加密处理,防止目标声明字段外的声明字段的字段值被泄露,从而可以有效保障用户信息被安全存储,而且,用户可以管理其用户信息(即可以被加密的信息),并可以将用户信息可控的出示给相关第三方,而不需要担心某些数据泄露。而且,在执行基于可验证声明的目标业务的业务处理的过程中,对可验证声明进行数据处理,即目标业务所需的声明字段的字段值为明文,其余声明字段中的至少一个声明字段的字段值为经过基于指定散列算法加密处理的密文,然后对可验证声明的有效性进行验证,并在验证结果为有效时,基于目标业务所需的声明字段的字段值,执行目标业务对应的业务处理,这样通过对可验证声明进行有效性验证,然后再使用可验证声明中的字段值,从而进一步保证用户信息的安全存储。The embodiment of this specification provides a business processing method based on a verifiable statement. Based on the target business to be processed, the required target statement field is determined, and the field value of the target statement field is kept in plain text. The field value of at least one of the declared fields other than the field is encrypted, so that in the user’s verifiable information, the declaration field that is not required to be used in the target business is encrypted to prevent the declaration field outside the target declaration field from being encrypted. The field value is leaked, which can effectively ensure that user information is stored safely, and users can manage their user information (that is, information that can be encrypted), and can control and show user information to relevant third parties without worrying Some data leaks. Moreover, in the process of executing the business processing of the target business based on the verifiable statement, data processing is performed on the verifiable statement, that is, the field value of the statement field required by the target business is plain text, and the value of at least one of the other statement fields is The field value is the ciphertext encrypted based on the specified hash algorithm, and then the validity of the verifiable statement is verified, and when the verification result is valid, based on the field value of the statement field required by the target business, execute the target business correspondence In this way, by verifying the validity of the verifiable statement, and then using the field value in the verifiable statement, the safe storage of user information is further ensured.
实施例四Example four
以上为本说明书实施例提供的基于可验证声明的业务处理方法,基于同样的思路,本说明书实施例还提供一种基于可验证声明的业务处理装置,如图4所示。The above embodiment of this specification provides a business processing method based on a verifiable statement. Based on the same idea, the embodiment of this specification also provides a service processing device based on a verifiable statement, as shown in FIG. 4.
该基于可验证声明的业务处理装置包括:请求接收模块401、验证模块402和业务处理模块403,其中:请求接收模块401,接收目标业务的业务处理请求,其中,所述目标业务基于可验证声明进行处理,所述业务处理请求包括经第一数据处理规则处理的所述可验证声明;经第一数据处理规则处理的所述可验证声明中,所述目标业务所需的声明字段的字段值为明文,其余声明字段中的至少一个声明字段的字段值为经过基于指定散列算法加密处理的密文;验证模块402,对所述可验证声明的有效性进行验证;业务处理模块403,若验证结果为有效,则基于所述可验证声明中所述目标业务所需的声明字段的字段值,执行所述目标业务对应的业务处理。The service processing device based on a verifiable statement includes: a request receiving module 401, a verification module 402, and a service processing module 403. The request receiving module 401 receives a service processing request for a target service, wherein the target service is based on a verifiable claim Processing, the business processing request includes the verifiable statement processed by the first data processing rule; in the verifiable statement processed by the first data processing rule, the field value of the statement field required by the target business It is plain text, and the field value of at least one of the remaining statement fields is the cipher text that has been encrypted based on the specified hash algorithm; the verification module 402 verifies the validity of the verifiable statement; the business processing module 403, if If the verification result is valid, the business processing corresponding to the target business is executed based on the field value of the statement field required by the target business in the verifiable statement.
本说明书实施例中,所述验证模块402,包括:加密单元,基于所述指定散列算法对所述可验证声明中包含的明文的字段值进行加密处理;默克尔根确定单元,基于所述可验证声明中的密文,确定所述可验证声明中的密文对应的默克尔根;验证单元,基于所述默克尔根和所述可验证声明中的验证信息,对所述可验证声明的有效性进行验证。In the embodiment of this specification, the verification module 402 includes: an encryption unit that encrypts the field value of the plaintext contained in the verifiable statement based on the specified hash algorithm; the Merkel root determination unit is based on the specified hash algorithm; The ciphertext in the verifiable statement determines the Merkel root corresponding to the ciphertext in the verifiable statement; the verification unit, based on the Merkel root and the verification information in the verifiable statement, The validity of the verification statement can be verified.
本说明书实施例中,所述加密单元,获取所述可验证声明中包含的声明字段的字段值;如果所述字段值中包括满足预定的构成规则的字段值,则获取所述可验证声明对应的声明索引信息,所述声明索引信息中记录有所述字段值为明文或所述字段值为密文;根据所述声明索引信息,基于所述指定散列算法对所述可验证声明中包含的明文的字段值进行加密处理。In the embodiment of this specification, the encryption unit obtains the field value of the statement field contained in the verifiable statement; if the field value includes a field value that satisfies a predetermined composition rule, obtains the corresponding verifiable statement In the statement index information, it is recorded that the field value is plaintext or the field value is ciphertext; according to the statement index information, based on the specified hash algorithm, the verifiable statement contains The field value of the plaintext is encrypted.
本说明书实施例中,所述默克尔根确定单元,按照所述可验证声明中声明字段的顺序,基于所述可验证声明中包含的声明字段对应的密文构建二叉树;根据默克尔算法,确定所述二叉树中根节点的校验值;将所述二叉树中根节点的校验值确定为所述可验证声明中的密文对应的默克尔根。In the embodiment of this specification, the Merkel root determination unit constructs a binary tree based on the ciphertext corresponding to the declared fields contained in the verifiable statement according to the order of the declared fields in the verifiable statement; according to the Merkel algorithm , Determine the check value of the root node in the binary tree; determine the check value of the root node in the binary tree as the Merkel root corresponding to the ciphertext in the verifiable statement.
本说明书实施例中,所述可验证声明中的验证信息为签名信息,所述验证单元,获取所述可验证声明中的验证信息和所述可验证声明对应的密钥;基于所述密钥对所述可验证声明中的验证信息进行验签处理,得到所述可验证声明中的验证信息对应的基准默克尔根;如果所述默克尔根与所述基准默克尔根相匹配,则确定所述可验证声明有效。In the embodiment of this specification, the verification information in the verifiable statement is signature information, and the verification unit obtains the verification information in the verifiable statement and the key corresponding to the verifiable statement; based on the key Perform signature verification processing on the verification information in the verifiable statement to obtain the reference Merkel root corresponding to the verification information in the verifiable statement; if the Merkel root matches the reference Merkel root , It is determined that the verifiable statement is valid.
本说明书实施例提供一种基于可验证声明的业务处理装置,在执行基于可验证声明的目标业务的业务处理的过程中,对可验证声明进行数据处理,即目标业务所需的声明字段的字段值为明文,其余声明字段中的至少一个声明字段的字段值为经过基于指定散列算法加密处理的密文,然后对可验证声明的有效性进行验证,并在验证结果为有效时,基于目标业务所需的声明字段的字段值,执行目标业务对应的业务处理,这样通过 对可验证声明进行有效性验证,然后再使用可验证声明中的字段值,从而可以有效保证用户信息的安全存储。The embodiment of this specification provides a business processing device based on a verifiable statement. In the process of executing the business processing of the target business based on the verifiable statement, data processing is performed on the verifiable statement, that is, the field of the statement field required by the target business The value is plain text, and the field value of at least one of the remaining claim fields is the cipher text that has been encrypted based on the specified hash algorithm, and then the validity of the verifiable claim is verified, and when the verification result is valid, based on the target The field value of the statement field required by the business executes the business processing corresponding to the target business, so that by verifying the validity of the verifiable statement, and then using the field value in the verifiable statement, the safe storage of user information can be effectively guaranteed.
实施例五Example five
基于同样的思路,本说明书实施例还提供一种基于可验证声明的业务处理装置,如图5所示。Based on the same idea, the embodiment of this specification also provides a service processing device based on a verifiable statement, as shown in FIG. 5.
该基于可验证声明的业务处理装置包括:字段确定模块501、数据处理模块502和业务处理模块503,其中:字段确定模块501,根据可验证声明的持有用户的待处理的目标业务,确定所述目标业务所需的目标声明字段;所述目标声明字段为所述可验证声明中的至少一个声明字段;数据处理模块502,基于第一数据处理规则对所述可验证声明进行数据处理;所述第一数据处理规则包括:将所述目标声明字段的字段值保持为明文,对所述可验证声明中除所述目标声明字段外的其他声明字段中的至少一个声明字段的字段值进行加密处理,所述加密处理为基于指定散列算法的加密处理;业务处理模块503,基于数据处理后的可验证声明,进行所述目标业务对应的业务处理。The business processing device based on the verifiable statement includes: a field determination module 501, a data processing module 502, and a business processing module 503. The field determination module 501 determines the target business to be processed according to the verifiable statement holding the user’s target business. The target statement field required by the target business; the target statement field is at least one statement field in the verifiable statement; the data processing module 502 performs data processing on the verifiable statement based on the first data processing rule; The first data processing rule includes: keeping the field value of the target statement field as plain text, and encrypting the field value of at least one of the statement fields other than the target statement field in the verifiable statement Processing, the encryption processing is encryption processing based on a specified hash algorithm; the business processing module 503 performs business processing corresponding to the target business based on the verifiable statement after data processing.
本说明书实施例中,所述业务处理模块503,向所述目标业务的业务处理方发送所述目标业务的业务处理请求,所述业务处理请求中包括所述数据处理后的可验证声明;以使所述业务处理方基于所述数据处理后的可验证声明对所述目标业务进行业务处理。In the embodiment of this specification, the service processing module 503 sends a service processing request of the target service to the service processor of the target service, and the service processing request includes the verifiable statement after the data processing; The business processor is enabled to perform business processing on the target business based on the verifiable statement after the data processing.
本说明书实施例中,所述指定散列算法与指定区块链中哈希处理中采用的算法相同;所述指定区块链上存储有所述可验证声明的哈希值。In the embodiment of this specification, the specified hash algorithm is the same as the algorithm used in the hash processing in the specified blockchain; the specified blockchain stores the hash value of the verifiable statement.
本说明书实施例中,还包括:指示信息接收模块,接收业务处理方的指示信息;所述指示信息用于指示所述可验证声明的持有用户向所述业务处理方发送所述目标业务的业务处理请求。In the embodiment of this specification, it further includes: an instruction information receiving module to receive instruction information of the service processor; the instruction information is used to instruct the user holding the verifiable claim to send the target service to the service processor Business processing request.
本说明书实施例提供一种基于可验证声明的业务处理装置,用户待处理的目标业务,确定所需的目标声明字段,将目标声明字段的字段值保持为明文,对可验证声明中除目标声明字段外的其他声明字段中的至少一个声明字段的字段值进行加密处理,使得用户的可验证信息中,在目标业务中不需要使用的声明字段进行加密处理,防止目标声明字段外的声明字段的字段值被泄露,从而可以有效保障用户信息被安全存储。The embodiment of this specification provides a business processing device based on a verifiable statement. The target business to be processed by the user determines the required target statement field, keeps the field value of the target statement field in plain text, and removes the target statement from the verifiable statement. The field value of at least one of the declared fields other than the field is encrypted, so that in the user’s verifiable information, the declaration field that is not required to be used in the target business is encrypted to prevent the declaration field outside the target declaration field from being encrypted. The field value is leaked, which can effectively ensure that user information is stored safely.
实施例六Example Six
以上为本说明书实施例提供的基于可验证声明的业务处理装置,基于同样的思路,本说明书实施例还提供一种基于可验证声明的业务处理设备,如图6所示。The service processing device based on verifiable claims provided in the above embodiments of this specification, based on the same idea, the embodiments of this specification also provide a service processing device based on verifiable claims, as shown in FIG. 6.
所述基于可验证声明的业务处理设备可以为上述实施例提供的第二服务器,第二服务器可以是基于可验证声明,对某一项或多项业务进行处理的一方的服务器。The service processing device based on the verifiable statement may be the second server provided in the foregoing embodiment, and the second server may be a server of the party that processes one or more services based on the verifiable statement.
基于可验证声明的业务处理设备可因配置或性能不同而产生比较大的差异,可以包括一个或一个以上的处理器601和存储器602,存储器602中可以存储有一个或一个以上存储应用程序或数据。其中,存储器602可以是短暂存储或持久存储。存储在存储器602的应用程序可以包括一个或一个以上模块(图示未示出),每个模块可以包括对基于可验证声明的业务处理设备中的一系列计算机可执行指令。更进一步地,处理器601可以设置为与存储器602通信,在基于可验证声明的业务处理设备上执行存储器602中的一系列计算机可执行指令。基于可验证声明的业务处理设备还可以包括一个或一个以上电源603,一个或一个以上有线或无线网络接口604,一个或一个以上输入输出接口605,一个或一个以上键盘606。Business processing equipment based on verifiable claims may have relatively large differences due to different configurations or performances, and may include one or more processors 601 and a memory 602, and the memory 602 may store one or more storage applications or data . Among them, the memory 602 may be short-term storage or persistent storage. The application program stored in the memory 602 may include one or more modules (not shown in the figure), and each module may include a series of computer-executable instructions for a business processing device based on a verifiable statement. Further, the processor 601 may be configured to communicate with the memory 602, and execute a series of computer-executable instructions in the memory 602 on a service processing device based on a verifiable statement. The service processing equipment based on the verifiable statement may also include one or more power sources 603, one or more wired or wireless network interfaces 604, one or more input and output interfaces 605, and one or more keyboards 606.
具体在本实施例中,基于可验证声明的业务处理设备包括有存储器,以及一个或一个以上的程序,其中一个或者一个以上程序存储于存储器中,且一个或者一个以上程序可以包括一个或一个以上模块,且每个模块可以包括对基于可验证声明的业务处理设备中的一系列计算机可执行指令,且经配置以由一个或者一个以上处理器执行该一个或者一个以上程序包含用于进行以下计算机可执行指令:接收目标业务的业务处理请求,其中,所述目标业务基于可验证声明进行处理,所述业务处理请求包括经第一数据处理规则处理的所述可验证声明;经第一数据处理规则处理的所述可验证声明中,所述目标业务所需的声明字段的字段值为明文,其余声明字段中的至少一个声明字段的字段值为经过基于指定散列算法加密处理的密文;对所述可验证声明的有效性进行验证;若验证结果为有效,则基于所述可验证声明中所述目标业务所需的声明字段的字段值,执行所述目标业务对应的业务处理。Specifically, in this embodiment, the business processing device based on verifiable claims includes a memory and one or more programs. One or more programs are stored in the memory, and one or more programs may include one or more programs. Modules, and each module may include a series of computer-executable instructions in a business processing device based on verifiable claims, and is configured to be executed by one or more processors. The one or more programs include a computer for performing the following Executable instruction: receiving a business processing request of a target business, wherein the target business is processed based on a verifiable statement, and the business processing request includes the verifiable statement processed by the first data processing rule; In the verifiable statement processed by the rule, the field value of the statement field required by the target business is plaintext, and the field value of at least one statement field in the remaining statement fields is ciphertext encrypted based on a specified hash algorithm; The validity of the verifiable statement is verified; if the verification result is valid, the business processing corresponding to the target business is executed based on the field value of the statement field required by the target business in the verifiable statement.
本说明书实施例中,所述对所述可验证声明的有效性进行验证,包括:基于所述指定散列算法对所述可验证声明中包含的明文的字段值进行加密处理;基于所述可验证声明中的密文,确定所述可验证声明中的密文对应的默克尔根;基于所述默克尔根和所述可验证声明中的验证信息,对所述可验证声明的有效性进行验证。In the embodiment of this specification, the verification of the validity of the verifiable statement includes: encrypting the field value of the plain text contained in the verifiable statement based on the specified hash algorithm; and based on the verifiable statement; Verify the ciphertext in the statement to determine the Merkel root corresponding to the ciphertext in the verifiable statement; based on the Merkel root and the verification information in the verifiable statement, the validity of the verifiable statement Verification.
本说明书实施例中,所述基于所述指定散列算法对所述可验证声明中包含的明文的字段值进行加密处理,包括:获取所述可验证声明中包含的声明字段的字段值;如果所述字段值中包括满足预定的构成规则的字段值,则获取所述可验证声明对应的声明索引信息,所述声明索引信息中记录有所述字段值为明文或所述字段值为密文;根据所述 声明索引信息,基于所述指定散列算法对所述可验证声明中包含的明文的字段值进行加密处理。In the embodiment of the present specification, the encrypting the field value of the plain text contained in the verifiable statement based on the specified hash algorithm includes: obtaining the field value of the statement field contained in the verifiable statement; if If the field value includes a field value that satisfies a predetermined composition rule, the statement index information corresponding to the verifiable statement is obtained, and the statement index information records that the field value is plain text or the field value is cipher text According to the statement index information, the field value of the plaintext contained in the verifiable statement is encrypted based on the specified hash algorithm.
本说明书实施例中,所述基于所述可验证声明中的密文,确定所述可验证声明中的密文对应的默克尔根,包括:按照所述可验证声明中声明字段的顺序,基于所述可验证声明中包含的声明字段对应的密文构建二叉树;根据默克尔算法,确定所述二叉树中根节点的校验值;将所述二叉树中根节点的校验值确定为所述可验证声明中的密文对应的默克尔根。In the embodiment of this specification, the determining the Merkel root corresponding to the ciphertext in the verifiable statement based on the ciphertext in the verifiable statement includes: in accordance with the order of the statement fields in the verifiable statement, Construct a binary tree based on the ciphertext corresponding to the statement field contained in the verifiable statement; determine the check value of the root node in the binary tree according to the Merkel algorithm; determine the check value of the root node in the binary tree as the verifiable statement The ciphertext in the verification statement corresponds to the Merkel root.
本说明书实施例中,所述可验证声明中的验证信息为签名信息,所述基于所述默克尔根和所述可验证声明中的验证信息,对所述可验证声明的有效性进行验证,包括:获取所述可验证声明中的验证信息和所述可验证声明对应的密钥;基于所述密钥对所述可验证声明中的验证信息进行验签处理,得到所述可验证声明中的验证信息对应的基准默克尔根;如果所述默克尔根与所述基准默克尔根相匹配,则确定所述可验证声明有效。In the embodiment of this specification, the verification information in the verifiable statement is signature information, and the validity of the verifiable statement is verified based on the Merkel root and the verification information in the verifiable statement , Including: obtaining the verification information in the verifiable statement and the key corresponding to the verifiable statement; performing verification processing on the verification information in the verifiable statement based on the key to obtain the verifiable statement The verification information in the corresponding reference Merkel root; if the Merkel root matches the reference Merkel root, it is determined that the verifiable statement is valid.
本说明书实施例提供一种基于可验证声明的业务处理设备,在执行基于可验证声明的目标业务的业务处理的过程中,对可验证声明进行数据处理,即目标业务所需的声明字段的字段值为明文,其余声明字段中的至少一个声明字段的字段值为经过基于指定散列算法加密处理的密文,然后对可验证声明的有效性进行验证,并在验证结果为有效时,基于目标业务所需的声明字段的字段值,执行目标业务对应的业务处理,这样通过对可验证声明进行有效性验证,然后再使用可验证声明中的字段值,从而可以有效保证用户信息的安全存储。The embodiment of this specification provides a business processing device based on a verifiable statement. In the process of executing the business processing of the target business based on the verifiable statement, data processing is performed on the verifiable statement, that is, the field of the statement field required by the target business The value is plain text, and the field value of at least one of the remaining claim fields is the cipher text that has been encrypted based on the specified hash algorithm, and then the validity of the verifiable claim is verified, and when the verification result is valid, based on the target The field value of the statement field required by the business executes the business processing corresponding to the target business, so that by verifying the validity of the verifiable statement, and then using the field value in the verifiable statement, the safe storage of user information can be effectively guaranteed.
实施例七Example Seven
基于同样的思路,本说明书实施例还提供一种基于可验证声明的业务处理设备,如图7所示。Based on the same idea, the embodiment of this specification also provides a service processing device based on a verifiable statement, as shown in FIG. 7.
所述基于可验证声明的业务处理设备可以为上述实施例提供的第一服务器,第一服务器可以是声明持有用户一侧的服务器或者为声明持有用户的声明进行加密处理的代理方的服务器。The service processing device based on the verifiable statement may be the first server provided in the above-mentioned embodiment, and the first server may be a server on the side of the statement holding user or a server of the agent that performs encryption processing for the statement holding the user’s statement .
基于可验证声明的业务处理设备可因配置或性能不同而产生比较大的差异,可以包括一个或一个以上的处理器701和存储器702,存储器702中可以存储有一个或一个以上存储应用程序或数据。其中,存储器702可以是短暂存储或持久存储。存储在存储器702的应用程序可以包括一个或一个以上模块(图示未示出),每个模块可以包括对 基于可验证声明的业务处理设备中的一系列计算机可执行指令。更进一步地,处理器701可以设置为与存储器702通信,在基于可验证声明的业务处理设备上执行存储器702中的一系列计算机可执行指令。基于可验证声明的业务处理设备还可以包括一个或一个以上电源703,一个或一个以上有线或无线网络接口704,一个或一个以上输入输出接口705,一个或一个以上键盘706。Business processing equipment based on verifiable claims may have relatively large differences due to different configurations or performances, and may include one or more processors 701 and a memory 702, and the memory 702 may store one or more storage applications or data . Among them, the memory 702 may be short-term storage or persistent storage. The application program stored in the memory 702 may include one or more modules (not shown in the figure), and each module may include a series of computer-executable instructions for a business processing device based on verifiable claims. Further, the processor 701 may be configured to communicate with the memory 702, and execute a series of computer-executable instructions in the memory 702 on a service processing device based on a verifiable statement. The service processing device based on the verifiable statement may also include one or more power supplies 703, one or more wired or wireless network interfaces 704, one or more input and output interfaces 705, and one or more keyboards 706.
具体在本实施例中,基于可验证声明的业务处理设备包括有存储器,以及一个或一个以上的程序,其中一个或者一个以上程序存储于存储器中,且一个或者一个以上程序可以包括一个或一个以上模块,且每个模块可以包括对基于可验证声明的业务处理设备中的一系列计算机可执行指令,且经配置以由一个或者一个以上处理器执行该一个或者一个以上程序包含用于进行以下计算机可执行指令:根据可验证声明的持有用户的待处理的目标业务,确定所述目标业务所需的目标声明字段;所述目标声明字段为所述可验证声明中的至少一个声明字段;基于第一数据处理规则对所述可验证声明进行数据处理;所述第一数据处理规则包括:将所述目标声明字段的字段值保持为明文,对所述可验证声明中除所述目标声明字段外的其他声明字段中的至少一个声明字段的字段值进行加密处理,所述加密处理为基于指定散列算法的加密处理;基于数据处理后的可验证声明,进行所述目标业务对应的业务处理。Specifically, in this embodiment, the business processing device based on verifiable claims includes a memory and one or more programs. One or more programs are stored in the memory, and one or more programs may include one or more programs. Modules, and each module may include a series of computer-executable instructions in a business processing device based on verifiable claims, and is configured to be executed by one or more processors. The one or more programs include a computer for performing the following Executable instruction: according to the target business to be processed of the user holding the verifiable claim, determine the target statement field required by the target business; the target statement field is at least one statement field in the verifiable statement; based on The first data processing rule performs data processing on the verifiable statement; the first data processing rule includes: keeping the field value of the target statement field as plain text, and removing the target statement field from the verifiable statement The field value of at least one of the other statement fields is encrypted, and the encryption is based on a specified hash algorithm; based on the verifiable statement after data processing, the business processing corresponding to the target business is performed .
本说明书实施例中,所述基于数据处理后的可验证声明,进行所述目标业务对应的业务处理,包括:向所述目标业务的业务处理方发送所述目标业务的业务处理请求,所述业务处理请求中包括所述数据处理后的可验证声明;以使所述业务处理方基于所述数据处理后的可验证声明对所述目标业务进行业务处理。In the embodiment of this specification, the performing the business processing corresponding to the target business based on the verifiable statement after data processing includes: sending the business processing request of the target business to the business processing party of the target business, the The business processing request includes the verifiable statement after the data processing; so that the business processor performs business processing on the target business based on the verifiable statement after the data processing.
本说明书实施例中,所述指定散列算法与指定区块链中哈希处理中采用的算法相同;所述指定区块链上存储有所述可验证声明的哈希值。In the embodiment of this specification, the specified hash algorithm is the same as the algorithm used in the hash processing in the specified blockchain; the specified blockchain stores the hash value of the verifiable statement.
本说明书实施例中,所述基于数据处理后的可验证声明,进行所述目标业务对应的业务处理之前,还包括:接收业务处理方的指示信息;所述指示信息用于指示所述可验证声明的持有用户向所述业务处理方发送所述目标业务的业务处理请求。In the embodiment of this specification, the verifiable statement based on the data processing, before performing the business processing corresponding to the target business, further includes: receiving instruction information from the business processor; the instruction information is used to indicate the verifiable The declared holder user sends a service processing request of the target service to the service processing party.
本说明书实施例提供一种基于可验证声明的业务处理设备,用户待处理的目标业务,确定所需的目标声明字段,将目标声明字段的字段值保持为明文,对可验证声明中除目标声明字段外的其他声明字段中的至少一个声明字段的字段值进行加密处理,使得用户的可验证信息中,在目标业务中不需要使用的声明字段进行加密处理,防止目标声明字段外的声明字段的字段值被泄露,从而可以有效保障用户信息被安全存储,而且, 用户可以管理其用户信息(即可以被加密的信息),并可以将用户信息可控的出示给相关第三方,而不需要担心某些数据泄露。The embodiment of this specification provides a business processing device based on a verifiable statement. The target business to be processed by the user determines the required target statement field, and keeps the field value of the target statement field as plain text. Except the target statement in the verifiable statement The field value of at least one of the declared fields other than the field is encrypted, so that in the user’s verifiable information, the declaration field that is not required to be used in the target business is encrypted to prevent the declaration field outside the target declaration field from being encrypted. The field value is leaked, which can effectively ensure that user information is stored safely, and users can manage their user information (that is, information that can be encrypted), and can control and present user information to relevant third parties without worrying Some data leaks.
上述对本说明书特定实施例进行了描述。其它实施例在所附权利要求书的范围内。在一些情况下,在权利要求书中记载的动作或步骤可以按照不同于实施例中的顺序来执行并且仍然可以实现期望的结果。另外,在附图中描绘的过程不一定要求示出的特定顺序或者连续顺序才能实现期望的结果。在某些实施方式中,多任务处理和并行处理也是可以的或者可能是有利的。The foregoing describes specific embodiments of this specification. Other embodiments are within the scope of the appended claims. In some cases, the actions or steps described in the claims can be performed in a different order than in the embodiments and still achieve desired results. In addition, the processes depicted in the drawings do not necessarily require the specific order or sequential order shown in order to achieve the desired results. In some embodiments, multitasking and parallel processing are also possible or may be advantageous.
在20世纪90年代,对于一个技术的改进可以很明显地区分是硬件上的改进(例如,对二极管、晶体管、开关等电路结构的改进)还是软件上的改进(对于方法流程的改进)。然而,随着技术的发展,当今的很多方法流程的改进已经可以视为硬件电路结构的直接改进。设计人员几乎都通过将改进的方法流程编程到硬件电路中来得到相应的硬件电路结构。因此,不能说一个方法流程的改进就不能用硬件实体模块来实现。例如,可编程逻辑器件(Programmable Logic Device,PLD)(例如现场可编程门阵列(Field Programmable Gate Array,FPGA))就是这样一种集成电路,其逻辑功能由用户对器件编程来确定。由设计人员自行编程来把一个数字系统“集成”在一片PLD上,而不需要请芯片制造厂商来设计和制作专用的集成电路芯片。而且,如今,取代手工地制作集成电路芯片,这种编程也多半改用“逻辑编译器(logic compiler)”软件来实现,它与程序开发撰写时所用的软件编译器相类似,而要编译之前的原始代码也得用特定的编程语言来撰写,此称之为硬件描述语言(Hardware Description Language,HDL),而HDL也并非仅有一种,而是有许多种,如ABEL(Advanced Boolean Expression Language)、AHDL(Altera Hardware Description Language)、Confluence、CUPL(Cornell University Programming Language)、HDCal、JHDL(Java Hardware Description Language)、Lava、Lola、MyHDL、PALASM、RHDL(Ruby Hardware Description Language)等,目前最普遍使用的是VHDL(Very-High-Speed Integrated Circuit Hardware Description Language)与Verilog。本领域技术人员也应该清楚,只需要将方法流程用上述几种硬件描述语言稍作逻辑编程并编程到集成电路中,就可以很容易得到实现该逻辑方法流程的硬件电路。In the 1990s, the improvement of a technology can be clearly distinguished between hardware improvements (for example, improvements in circuit structures such as diodes, transistors, switches, etc.) or software improvements (improvements in method flow). However, with the development of technology, the improvement of many methods and processes of today can be regarded as a direct improvement of the hardware circuit structure. Designers almost always get the corresponding hardware circuit structure by programming the improved method flow into the hardware circuit. Therefore, it cannot be said that the improvement of a method flow cannot be realized by the hardware entity module. For example, a programmable logic device (Programmable Logic Device, PLD) (such as a Field Programmable Gate Array (Field Programmable Gate Array, FPGA)) is such an integrated circuit whose logic function is determined by the user's programming of the device. It is programmed by the designer to "integrate" a digital system on a piece of PLD, without requiring chip manufacturers to design and manufacture dedicated integrated circuit chips. Moreover, nowadays, instead of manually making integrated circuit chips, this kind of programming is mostly realized with "logic compiler" software, which is similar to the software compiler used in program development and writing, but before compilation The original code must also be written in a specific programming language, which is called Hardware Description Language (HDL), and there is not only one type of HDL, but many types, such as ABEL (Advanced Boolean Expression Language) , AHDL (Altera Hardware Description Language), Confluence, CUPL (Cornell University Programming Language), HDCal, JHDL (Java Hardware Description Language), Lava, Lola, MyHDL, PALASM, RHDL (Ruby Hardware Description), etc., currently most commonly used It is VHDL (Very-High-Speed Integrated Circuit Hardware Description Language) and Verilog. It should also be clear to those skilled in the art that just a little bit of logic programming of the method flow in the above-mentioned hardware description languages and programming into an integrated circuit can easily obtain the hardware circuit that implements the logic method flow.
控制器可以按任何适当的方式实现,例如,控制器可以采取例如微处理器或处理器以及存储可由该(微)处理器执行的计算机可读程序代码(例如软件或固件)的计算机可读介质、逻辑门、开关、专用集成电路(Application Specific Integrated Circuit,ASIC)、可编程逻辑控制器和嵌入微控制器的形式,控制器的例子包括但不限于以下微控制器: ARC 625D、Atmel AT91SAM、Microchip PIC18F26K20以及Silicone Labs C8051F320,存储器控制器还可以被实现为存储器的控制逻辑的一部分。本领域技术人员也知道,除了以纯计算机可读程序代码方式实现控制器以外,完全可以通过将方法步骤进行逻辑编程来使得控制器以逻辑门、开关、专用集成电路、可编程逻辑控制器和嵌入微控制器等的形式来实现相同功能。因此这种控制器可以被认为是一种硬件部件,而对其内包括的用于实现各种功能的装置也可以视为硬件部件内的结构。或者甚至,可以将用于实现各种功能的装置视为既可以是实现方法的软件模块又可以是硬件部件内的结构。The controller can be implemented in any suitable manner. For example, the controller can take the form of, for example, a microprocessor or a processor and a computer-readable medium storing computer-readable program codes (such as software or firmware) executable by the (micro)processor. , Logic gates, switches, application specific integrated circuits (ASICs), programmable logic controllers and embedded microcontrollers. Examples of controllers include but are not limited to the following microcontrollers: ARC625D, Atmel AT91SAM, Microchip PIC18F26K20 and Silicon Labs C8051F320, the memory controller can also be implemented as part of the memory control logic. Those skilled in the art also know that, in addition to implementing the controller in a purely computer-readable program code manner, it is entirely possible to program the method steps to make the controller use logic gates, switches, application specific integrated circuits, programmable logic controllers and embedded The same function can be realized in the form of a microcontroller, etc. Therefore, such a controller can be regarded as a hardware component, and the devices included in it for realizing various functions can also be regarded as a structure within the hardware component. Or even, the device for realizing various functions can be regarded as both a software module for realizing the method and a structure within a hardware component.
上述实施例阐明的系统、装置、模块或单元,具体可以由计算机芯片或实体实现,或者由具有某种功能的产品来实现。一种典型的实现设备为计算机。具体的,计算机例如可以为个人计算机、膝上型计算机、蜂窝电话、相机电话、智能电话、个人数字助理、媒体播放器、导航设备、电子邮件设备、游戏控制台、平板计算机、可穿戴设备或者这些设备中的任何设备的组合。The systems, devices, modules, or units illustrated in the above embodiments may be specifically implemented by computer chips or entities, or implemented by products with certain functions. A typical implementation device is a computer. Specifically, the computer can be, for example, a personal computer, a laptop computer, a cell phone, a camera phone, a smart phone, a personal digital assistant, a media player, a navigation device, an email device, a game console, a tablet computer, a wearable device, or Any combination of these devices.
为了描述的方便,描述以上装置时以功能分为各种单元分别描述。当然,在实施本说明书一个或多个实施例时可以把各单元的功能在同一个或多个软件和/或硬件中实现。For the convenience of description, when describing the above device, the functions are divided into various units and described separately. Of course, when implementing one or more embodiments of this specification, the functions of each unit may be implemented in the same one or more software and/or hardware.
本领域内的技术人员应明白,本说明书的实施例可提供为方法、系统、或计算机程序产品。因此,本说明书一个或多个实施例可采用完全硬件实施例、完全软件实施例、或结合软件和硬件方面的实施例的形式。而且,本说明书一个或多个实施例可采用在一个或多个其中包含有计算机可用程序代码的计算机可用存储介质(包括但不限于磁盘存储器、CD-ROM、光学存储器等)上实施的计算机程序产品的形式。Those skilled in the art should understand that the embodiments of this specification can be provided as a method, a system, or a computer program product. Therefore, one or more embodiments of this specification may adopt the form of a complete hardware embodiment, a complete software embodiment, or an embodiment combining software and hardware. Moreover, one or more embodiments of this specification may adopt computer programs implemented on one or more computer-usable storage media (including but not limited to disk storage, CD-ROM, optical storage, etc.) containing computer-usable program codes. The form of the product.
本说明书的实施例是参照根据本说明书实施例的方法、设备(系统)、和计算机程序产品的流程图和/或方框图来描述的。应理解可由计算机程序指令实现流程图和/或方框图中的每一流程和/或方框、以及流程图和/或方框图中的流程和/或方框的结合。可提供这些计算机程序指令到通用计算机、专用计算机、嵌入式处理机或其他可编程基于可验证声明的业务处理设备的处理器以产生一个机器,使得通过计算机或其他可编程基于可验证声明的业务处理设备的处理器执行的指令产生用于实现在流程图一个流程或多个流程和/或方框图一个方框或多个方框中指定的功能的装置。The embodiments of this specification are described with reference to flowcharts and/or block diagrams of methods, devices (systems), and computer program products according to the embodiments of this specification. It should be understood that each process and/or block in the flowchart and/or block diagram, and the combination of processes and/or blocks in the flowchart and/or block diagram can be realized by computer program instructions. These computer program instructions can be provided to general-purpose computers, special-purpose computers, embedded processors, or other processors that can program business processing equipment based on verifiable claims to generate a machine, so that a computer or other programmable business based on verifiable claims The instructions executed by the processor of the processing device generate means for implementing the functions specified in one or more processes in the flowchart and/or one or more blocks in the block diagram.
这些计算机程序指令也可存储在能引导计算机或其他可编程基于可验证声明的业务处理设备以特定方式工作的计算机可读存储器中,使得存储在该计算机可读存储器中的指令产生包括指令装置的制造品,该指令装置实现在流程图一个流程或多个流程和/ 或方框图一个方框或多个方框中指定的功能。These computer program instructions can also be stored in a computer-readable memory that can guide a computer or other programmable business processing equipment based on verifiable claims to work in a specific manner, so that the instructions stored in the computer-readable memory generate instructions that include the instruction device. For manufactured products, the instruction device realizes the functions specified in one or more processes in the flowchart and/or one or more blocks in the block diagram.
这些计算机程序指令也可装载到计算机或其他可编程基于可验证声明的业务处理设备上,使得在计算机或其他可编程设备上执行一系列操作步骤以产生计算机实现的处理,从而在计算机或其他可编程设备上执行的指令提供用于实现在流程图一个流程或多个流程和/或方框图一个方框或多个方框中指定的功能的步骤。These computer program instructions can also be loaded on a computer or other programmable business processing equipment based on verifiable claims, so that a series of operation steps are executed on the computer or other programmable equipment to produce computer-implemented processing, so that the computer or other The instructions executed on the programming device provide steps for implementing functions specified in one or more processes in the flowchart and/or one block or more in the block diagram.
在一个典型的配置中,计算设备包括一个或多个处理器(CPU)、输入/输出接口、网络接口和内存。In a typical configuration, the computing device includes one or more processors (CPUs), input/output interfaces, network interfaces, and memory.
内存可能包括计算机可读介质中的非永久性存储器,随机存取存储器(RAM)和/或非易失性内存等形式,如只读存储器(ROM)或闪存(flash RAM)。内存是计算机可读介质的示例。The memory may include non-permanent memory in computer readable media, random access memory (RAM) and/or non-volatile memory, such as read-only memory (ROM) or flash memory (flash RAM). Memory is an example of computer readable media.
计算机可读介质包括永久性和非永久性、可移动和非可移动媒体可以由任何方法或技术来实现信息存储。信息可以是计算机可读指令、数据结构、程序的模块或其他数据。计算机的存储介质的例子包括,但不限于相变内存(PRAM)、静态随机存取存储器(SRAM)、动态随机存取存储器(DRAM)、其他类型的随机存取存储器(RAM)、只读存储器(ROM)、电可擦除可编程只读存储器(EEPROM)、快闪记忆体或其他内存技术、只读光盘只读存储器(CD-ROM)、数字多功能光盘(DVD)或其他光学存储、磁盒式磁带,磁带磁磁盘存储或其他磁性存储设备或任何其他非传输介质,可用于存储可以被计算设备访问的信息。按照本文中的界定,计算机可读介质不包括暂存电脑可读媒体(transitory media),如调制的数据信号和载波。Computer-readable media include permanent and non-permanent, removable and non-removable media, and information storage can be realized by any method or technology. The information can be computer-readable instructions, data structures, program modules, or other data. Examples of computer storage media include, but are not limited to, phase change memory (PRAM), static random access memory (SRAM), dynamic random access memory (DRAM), other types of random access memory (RAM), read-only memory (ROM), electrically erasable programmable read-only memory (EEPROM), flash memory or other memory technology, CD-ROM, digital versatile disc (DVD) or other optical storage, Magnetic cassettes, magnetic tape magnetic disk storage or other magnetic storage devices or any other non-transmission media can be used to store information that can be accessed by computing devices. According to the definition in this article, computer-readable media does not include transitory media, such as modulated data signals and carrier waves.
还需要说明的是,术语“包括”、“包含”或者其任何其他变体意在涵盖非排他性的包含,从而使得包括一系列要素的过程、方法、商品或者设备不仅包括那些要素,而且还包括没有明确列出的其他要素,或者是还包括为这种过程、方法、商品或者设备所固有的要素。在没有更多限制的情况下,由语句“包括一个……”限定的要素,并不排除在包括所述要素的过程、方法、商品或者设备中还存在另外的相同要素。It should also be noted that the terms "include", "include" or any other variants thereof are intended to cover non-exclusive inclusion, so that a process, method, commodity or equipment including a series of elements not only includes those elements, but also includes Other elements that are not explicitly listed, or also include elements inherent to such processes, methods, commodities, or equipment. If there are no more restrictions, the element defined by the sentence "including a..." does not exclude the existence of other identical elements in the process, method, commodity, or equipment that includes the element.
本领域技术人员应明白,本说明书的实施例可提供为方法、系统或计算机程序产品。因此,本说明书一个或多个实施例可采用完全硬件实施例、完全软件实施例或结合软件和硬件方面的实施例的形式。而且,本说明书一个或多个实施例可采用在一个或多个其中包含有计算机可用程序代码的计算机可用存储介质(包括但不限于磁盘存储器、CD-ROM、光学存储器等)上实施的计算机程序产品的形式。Those skilled in the art should understand that the embodiments of this specification can be provided as a method, a system or a computer program product. Therefore, one or more embodiments of this specification may adopt the form of a complete hardware embodiment, a complete software embodiment, or an embodiment combining software and hardware. Moreover, one or more embodiments of this specification may adopt computer programs implemented on one or more computer-usable storage media (including but not limited to disk storage, CD-ROM, optical storage, etc.) containing computer-usable program codes. The form of the product.
本说明书一个或多个实施例可以在由计算机执行的计算机可执行指令的一般上下文中描述,例如程序模块。一般地,程序模块包括执行特定任务或实现特定抽象数据类型的例程、程序、对象、组件、数据结构等等。也可以在分布式计算环境中实践本说明书一个或多个实施例,在这些分布式计算环境中,由通过通信网络而被连接的远程处理设备来执行任务。在分布式计算环境中,程序模块可以位于包括存储设备在内的本地和远程计算机存储介质中。One or more embodiments of this specification may be described in the general context of computer-executable instructions executed by a computer, such as program modules. Generally, program modules include routines, programs, objects, components, data structures, etc. that perform specific tasks or implement specific abstract data types. One or more embodiments of this specification can also be practiced in distributed computing environments. In these distributed computing environments, tasks are performed by remote processing devices connected through a communication network. In a distributed computing environment, program modules can be located in local and remote computer storage media including storage devices.
本说明书中的各个实施例均采用递进的方式描述,各个实施例之间相同相似的部分互相参见即可,每个实施例重点说明的都是与其他实施例的不同之处。尤其,对于系统实施例而言,由于其基本相似于方法实施例,所以描述的比较简单,相关之处参见方法实施例的部分说明即可。The various embodiments in this specification are described in a progressive manner, and the same or similar parts between the various embodiments can be referred to each other, and each embodiment focuses on the differences from other embodiments. In particular, as for the system embodiment, since it is basically similar to the method embodiment, the description is relatively simple, and for related parts, please refer to the part of the description of the method embodiment.
以上所述仅为本说明书的实施例而已,并不用于限制本说明书。对于本领域技术人员来说,本说明书可以有各种更改和变化。凡在本说明书的精神和原理之内所作的任何修改、等同替换、改进等,均应包含在本说明书的权利要求范围之内。The above descriptions are only examples of this specification, and are not intended to limit this specification. For those skilled in the art, this specification can have various modifications and changes. Any modification, equivalent replacement, improvement, etc. made within the spirit and principle of this specification shall be included in the scope of the claims of this specification.

Claims (14)

  1. 一种基于可验证声明的业务处理方法,所述方法包括:A business processing method based on verifiable claims, the method comprising:
    接收目标业务的业务处理请求,其中,所述目标业务基于可验证声明进行处理,所述业务处理请求包括经第一数据处理规则处理的所述可验证声明;经第一数据处理规则处理的所述可验证声明中,所述目标业务所需的声明字段的字段值为明文,其余声明字段中的至少一个声明字段的字段值为经过基于指定散列算法加密处理的密文;Receive a business processing request for a target business, where the target business is processed based on a verifiable statement, the business processing request includes the verifiable statement processed by the first data processing rule; all the target business processed by the first data processing rule In the verifiable statement, the field value of the statement field required by the target business is plaintext, and the field value of at least one statement field in the remaining statement fields is ciphertext encrypted based on a specified hash algorithm;
    对所述可验证声明的有效性进行验证;Verify the validity of the verifiable statement;
    若验证结果为有效,则基于所述可验证声明中所述目标业务所需的声明字段的字段值,执行所述目标业务对应的业务处理。If the verification result is valid, the business processing corresponding to the target business is executed based on the field value of the statement field required by the target business in the verifiable statement.
  2. 根据权利要求1所述的方法,所述对所述可验证声明的有效性进行验证,包括:The method according to claim 1, wherein the verifying the validity of the verifiable statement comprises:
    基于所述指定散列算法对所述可验证声明中包含的明文的字段值进行加密处理;Encrypting the field value of the plaintext contained in the verifiable statement based on the specified hash algorithm;
    基于所述可验证声明中的密文,确定所述可验证声明中的密文对应的默克尔根;Determine the Merkel root corresponding to the ciphertext in the verifiable statement based on the ciphertext in the verifiable statement;
    基于所述默克尔根和所述可验证声明中的验证信息,对所述可验证声明的有效性进行验证。Based on the Merkel root and the verification information in the verifiable statement, the validity of the verifiable statement is verified.
  3. 根据权利要求2所述的方法,所述基于所述指定散列算法对所述可验证声明中包含的明文的字段值进行加密处理,包括:The method according to claim 2, wherein the encrypting the field value of the plaintext contained in the verifiable statement based on the specified hash algorithm comprises:
    获取所述可验证声明中包含的声明字段的字段值;Obtaining the field value of the statement field included in the verifiable statement;
    如果所述字段值中包括满足预定的构成规则的字段值,则获取所述可验证声明对应的声明索引信息,所述声明索引信息中记录有所述字段值为明文或所述字段值为密文;If the field value includes a field value that satisfies a predetermined composition rule, the statement index information corresponding to the verifiable statement is obtained, and the statement index information records that the field value is plain text or the field value is secret Text
    根据所述声明索引信息,基于所述指定散列算法对所述可验证声明中包含的明文的字段值进行加密处理。According to the statement index information, the field value of the plaintext contained in the verifiable statement is encrypted based on the specified hash algorithm.
  4. 根据权利要求2所述的方法,所述基于所述可验证声明中的密文,确定所述可验证声明中的密文对应的默克尔根,包括:The method according to claim 2, wherein the determining the Merkel root corresponding to the ciphertext in the verifiable statement based on the ciphertext in the verifiable statement comprises:
    按照所述可验证声明中声明字段的顺序,基于所述可验证声明中包含的声明字段对应的密文构建二叉树;Construct a binary tree based on the cipher text corresponding to the declared fields contained in the verifiable statement according to the order of the declared fields in the verifiable statement;
    根据默克尔算法,确定所述二叉树中根节点的校验值;Determining the check value of the root node in the binary tree according to the Merkel algorithm;
    将所述二叉树中根节点的校验值确定为所述可验证声明中的密文对应的默克尔根。The check value of the root node in the binary tree is determined as the Merkel root corresponding to the ciphertext in the verifiable statement.
  5. 根据权利要求2所述的方法,所述可验证声明中的验证信息为签名信息,所述基于所述默克尔根和所述可验证声明中的验证信息,对所述可验证声明的有效性进行验证,包括:The method according to claim 2, wherein the verification information in the verifiable statement is signature information, and the verification information based on the Merkel root and the verifiable statement is valid for the verifiable statement Verification, including:
    获取所述可验证声明中的验证信息和所述可验证声明对应的密钥;Obtaining the verification information in the verifiable statement and the key corresponding to the verifiable statement;
    基于所述密钥对所述可验证声明中的验证信息进行验签处理,得到所述可验证声明中的验证信息对应的基准默克尔根;Performing signature verification processing on the verification information in the verifiable statement based on the key to obtain the benchmark Merkel root corresponding to the verification information in the verifiable statement;
    如果所述默克尔根与所述基准默克尔根相匹配,则确定所述可验证声明有效。If the Merkel root matches the benchmark Merkel root, it is determined that the verifiable statement is valid.
  6. 一种基于可验证声明的业务处理方法,所述方法包括:A business processing method based on verifiable claims, the method comprising:
    根据可验证声明的持有用户的待处理的目标业务,确定所述目标业务所需的目标声明字段;所述目标声明字段为所述可验证声明中的至少一个声明字段;Determine the target statement field required by the target business according to the target business to be processed of the user holding the verifiable statement; the target statement field is at least one statement field in the verifiable statement;
    基于第一数据处理规则对所述可验证声明进行数据处理;所述第一数据处理规则包括:将所述目标声明字段的字段值保持为明文,对所述可验证声明中除所述目标声明字段外的其他声明字段中的至少一个声明字段的字段值进行加密处理,所述加密处理为基于指定散列算法的加密处理;Perform data processing on the verifiable statement based on the first data processing rule; the first data processing rule includes: keeping the field value of the target statement field as plain text, and removing the target statement from the verifiable statement The field value of at least one of the declaration fields other than the field is encrypted, and the encryption processing is an encryption processing based on a specified hash algorithm;
    基于数据处理后的可验证声明,进行所述目标业务对应的业务处理。Based on the verifiable statement after data processing, the business processing corresponding to the target business is performed.
  7. 根据权利要求6所述的方法,所述基于数据处理后的可验证声明,进行所述目标业务对应的业务处理,包括:The method according to claim 6, wherein the performing business processing corresponding to the target business based on the verifiable statement after data processing includes:
    向所述目标业务的业务处理方发送所述目标业务的业务处理请求,所述业务处理请求中包括所述数据处理后的可验证声明;以使所述业务处理方基于所述数据处理后的可验证声明对所述目标业务进行业务处理。Send the business processing request of the target business to the business processor of the target business, the business processing request includes the verifiable statement after the data processing; so that the business processor is based on the data processed The verifiable statement performs business processing on the target business.
  8. 根据权利要求6所述的方法,所述指定散列算法与指定区块链中哈希处理中采用的算法相同;所述指定区块链上存储有所述可验证声明的哈希值。The method according to claim 6, wherein the specified hash algorithm is the same as the algorithm used in the hash processing in the specified blockchain; the specified blockchain stores the hash value of the verifiable statement.
  9. 根据权利要求6所述的方法,所述基于数据处理后的可验证声明,进行所述目标业务对应的业务处理之前,还包括:The method according to claim 6, wherein, before performing the business processing corresponding to the target business based on the verifiable statement after data processing, the method further comprises:
    接收业务处理方的指示信息;所述指示信息用于指示所述可验证声明的持有用户向所述业务处理方发送所述目标业务的业务处理请求。Receiving instruction information of the service processor; the instruction information is used to instruct the user holding the verifiable claim to send the service processing request of the target service to the service processor.
  10. 一种基于可验证声明的业务处理装置,所述装置包括:A business processing device based on a verifiable statement, the device comprising:
    请求接收模块,接收目标业务的业务处理请求,其中,所述目标业务基于可验证声明进行处理,所述业务处理请求包括经第一数据处理规则处理的所述可验证声明;经第一数据处理规则处理的所述可验证声明中,所述目标业务所需的声明字段的字段值为明文,其余声明字段中的至少一个声明字段的字段值为经过基于指定散列算法加密处理的密文;The request receiving module receives a business processing request of a target business, wherein the target business is processed based on a verifiable statement, and the business processing request includes the verifiable statement processed by the first data processing rule; In the verifiable statement processed by the rule, the field value of the statement field required by the target business is plaintext, and the field value of at least one statement field in the remaining statement fields is ciphertext encrypted based on a specified hash algorithm;
    验证模块,对所述可验证声明的有效性进行验证;The verification module verifies the validity of the verifiable statement;
    业务处理模块,若验证结果为有效,则基于所述可验证声明中所述目标业务所需的声明字段的字段值,执行所述目标业务对应的业务处理。The business processing module, if the verification result is valid, execute the business processing corresponding to the target business based on the field value of the statement field required by the target business in the verifiable statement.
  11. 一种基于可验证声明的业务处理装置,所述装置包括:A business processing device based on a verifiable statement, the device comprising:
    字段确定模块,根据可验证声明的持有用户的待处理的目标业务,确定所述目标业务所需的目标声明字段;所述目标声明字段为所述可验证声明中的至少一个声明字段;The field determination module determines the target statement field required by the target business according to the target business to be processed of the user holding the verifiable statement; the target statement field is at least one statement field in the verifiable statement;
    数据处理模块,基于第一数据处理规则对所述可验证声明进行数据处理;所述第一数据处理规则包括:将所述目标声明字段的字段值保持为明文,对所述可验证声明中除所述目标声明字段外的其他声明字段中的至少一个声明字段的字段值进行加密处理,所述加密处理为基于指定散列算法的加密处理;The data processing module performs data processing on the verifiable statement based on the first data processing rule; the first data processing rule includes: keeping the field value of the target statement field as plain text, and excluding the verifiable statement Performing encryption processing on the field value of at least one of the declaration fields other than the target declaration field, and the encryption processing is an encryption processing based on a specified hash algorithm;
    业务处理模块,基于数据处理后的可验证声明,进行所述目标业务对应的业务处理。The business processing module performs business processing corresponding to the target business based on the verifiable statement after data processing.
  12. 根据权利要求11所述的装置,所述指定散列算法与指定区块链中哈希处理中采用的算法相同;所述指定区块链上存储有所述可验证声明的哈希值。The device according to claim 11, wherein the specified hash algorithm is the same as the algorithm used in the hash processing in the specified blockchain; the specified blockchain stores the hash value of the verifiable statement.
  13. 一种基于可验证声明的业务处理设备,所述基于可验证声明的业务处理设备包括:A business processing device based on a verifiable statement. The business processing device based on a verifiable statement includes:
    处理器;以及Processor; and
    被安排成存储计算机可执行指令的存储器,所述可执行指令在被执行时使所述处理器:A memory arranged to store computer-executable instructions which, when executed, cause the processor to:
    接收目标业务的业务处理请求,其中,所述目标业务基于可验证声明进行处理,所述业务处理请求包括经第一数据处理规则处理的所述可验证声明;经第一数据处理规则处理的所述可验证声明中,所述目标业务所需的声明字段的字段值为明文,其余声明字段中的至少一个声明字段的字段值为经过基于指定散列算法加密处理的密文;Receive a business processing request for a target business, where the target business is processed based on a verifiable statement, the business processing request includes the verifiable statement processed by the first data processing rule; all the target business processed by the first data processing rule In the verifiable statement, the field value of the statement field required by the target business is plaintext, and the field value of at least one statement field in the remaining statement fields is ciphertext encrypted based on a specified hash algorithm;
    对所述可验证声明的有效性进行验证;Verify the validity of the verifiable statement;
    若验证结果为有效,则基于所述可验证声明中所述目标业务所需的声明字段的字段值,执行所述目标业务对应的业务处理。If the verification result is valid, the business processing corresponding to the target business is executed based on the field value of the statement field required by the target business in the verifiable statement.
  14. 一种基于可验证声明的业务处理设备,所述基于可验证声明的业务处理设备包括:A business processing device based on a verifiable statement. The business processing device based on a verifiable statement includes:
    处理器;以及Processor; and
    被安排成存储计算机可执行指令的存储器,所述可执行指令在被执行时使所述处理器:A memory arranged to store computer-executable instructions which, when executed, cause the processor to:
    根据可验证声明的持有用户的待处理的目标业务,确定所述目标业务所需的目标声明字段;所述目标声明字段为所述可验证声明中的至少一个声明字段;Determine the target statement field required by the target business according to the target business to be processed of the user holding the verifiable statement; the target statement field is at least one statement field in the verifiable statement;
    基于第一数据处理规则对所述可验证声明进行数据处理;所述第一数据处理规则包括:将所述目标声明字段的字段值保持为明文,对所述可验证声明中除所述目标声明字 段外的其他声明字段中的至少一个声明字段的字段值进行加密处理,所述加密处理为基于指定散列算法的加密处理;Perform data processing on the verifiable statement based on the first data processing rule; the first data processing rule includes: keeping the field value of the target statement field as plain text, and removing the target statement from the verifiable statement The field value of at least one of the declaration fields other than the field is encrypted, and the encryption processing is an encryption processing based on a specified hash algorithm;
    基于数据处理后的可验证声明,进行所述目标业务对应的业务处理。Based on the verifiable statement after data processing, the business processing corresponding to the target business is performed.
PCT/CN2020/121874 2019-12-11 2020-10-19 Verifiable claim-based service processing method, apparatus, and device WO2021114872A1 (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN201911277737.7A CN111125731A (en) 2019-12-11 2019-12-11 Business processing method, device and equipment based on verifiable statement
CN201911277737.7 2019-12-11

Publications (1)

Publication Number Publication Date
WO2021114872A1 true WO2021114872A1 (en) 2021-06-17

Family

ID=70498529

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2020/121874 WO2021114872A1 (en) 2019-12-11 2020-10-19 Verifiable claim-based service processing method, apparatus, and device

Country Status (3)

Country Link
CN (1) CN111125731A (en)
TW (1) TW202123040A (en)
WO (1) WO2021114872A1 (en)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN116896440A (en) * 2023-09-11 2023-10-17 中国信息通信研究院 Block chain-based declaration data verification method and device, equipment and medium

Families Citing this family (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN111125731A (en) * 2019-12-11 2020-05-08 支付宝(杭州)信息技术有限公司 Business processing method, device and equipment based on verifiable statement
CN111726230B (en) * 2020-05-22 2023-04-18 支付宝(杭州)信息技术有限公司 Data storage method, data recovery method, device and equipment
CN113127516B (en) * 2020-07-31 2023-12-12 支付宝(杭州)信息技术有限公司 Method, device and equipment for processing blockchain data
CN112052244A (en) * 2020-09-08 2020-12-08 浙江省交通规划设计研究院有限公司 Method and device for establishing model attribute, electronic equipment and storage medium
CN112200585B (en) * 2020-11-10 2021-08-20 支付宝(杭州)信息技术有限公司 Service processing method, device, equipment and system
CN112579321A (en) * 2020-12-23 2021-03-30 京东数字科技控股股份有限公司 Method, device and equipment for downloading service data
CN114944937B (en) * 2022-04-19 2024-04-09 网易(杭州)网络有限公司 Distributed digital identity verification method, system, electronic equipment and storage medium

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20190222424A1 (en) * 2018-01-12 2019-07-18 Nok Nok Labs, Inc. System and method for binding verifiable claims
CN110224837A (en) * 2019-06-06 2019-09-10 西安纸贵互联网科技有限公司 Zero-knowledge proof method and terminal based on distributed identity
CN111125731A (en) * 2019-12-11 2020-05-08 支付宝(杭州)信息技术有限公司 Business processing method, device and equipment based on verifiable statement

Family Cites Families (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN110493007B (en) * 2019-09-06 2021-07-13 腾讯科技(深圳)有限公司 Block chain based information verification method, device, equipment and storage medium

Patent Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20190222424A1 (en) * 2018-01-12 2019-07-18 Nok Nok Labs, Inc. System and method for binding verifiable claims
CN110224837A (en) * 2019-06-06 2019-09-10 西安纸贵互联网科技有限公司 Zero-knowledge proof method and terminal based on distributed identity
CN111125731A (en) * 2019-12-11 2020-05-08 支付宝(杭州)信息技术有限公司 Business processing method, device and equipment based on verifiable statement

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
WILLEKE DE ROOIJ: "Verifiable Claims for Digital identity", VX COMPANY, 10 August 2018 (2018-08-10), pages 1 - 8, XP055822490, Retrieved from the Internet <URL:https://vxcompany.com/insight/verifiable-claims-for-digital-identity/> [retrieved on 20210708] *

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN116896440A (en) * 2023-09-11 2023-10-17 中国信息通信研究院 Block chain-based declaration data verification method and device, equipment and medium
CN116896440B (en) * 2023-09-11 2023-11-10 中国信息通信研究院 Block chain-based declaration data verification method and device, equipment and medium

Also Published As

Publication number Publication date
CN111125731A (en) 2020-05-08
TW202123040A (en) 2021-06-16

Similar Documents

Publication Publication Date Title
WO2021114872A1 (en) Verifiable claim-based service processing method, apparatus, and device
WO2021068636A1 (en) Block chain-based creation method, apparatus, device and system for verifiable claim
WO2021209041A1 (en) Authorization processing based on verifiable credential
RU2728524C1 (en) Method and device for consensus verification
CN109951489B (en) Digital identity authentication method, equipment, device, system and storage medium
US11288371B2 (en) Blockchain-based data processing method, apparatus, and device
CN108540459B (en) Data storage method, device, system, electronic equipment and computer readable medium
US10116645B1 (en) Controlling use of encryption keys
ES2935164T3 (en) Method for registering and sharing a digital identity of a user using distributed ledger
CN110263544B (en) Receipt storage method and node combining transaction type and judgment condition
CN110245942B (en) Receipt storage method and node combining user type and judgment condition
CN110245947B (en) Receipt storage method and node combining conditional restrictions of transaction and user types
WO2020233637A1 (en) Receipt storage method combining code labelling with user type, and node
US10003467B1 (en) Controlling digital certificate use
WO2020233614A1 (en) Conditional receipt storage method and node combining code labeling with event type
EP4128692B1 (en) Service-to-service strong authentication
CN110474775B (en) User creating method, device and equipment in block chain type account book
TWI782502B (en) Information verification method, device and equipment
CN109977684A (en) A kind of data transmission method, device and terminal device
TW202036339A (en) Securely performing cryptographic operations
US11349658B2 (en) Blockchain data processing method, apparatus, and device
CN113922962A (en) Method and device for selectively disclosing digital identity attribute
CN114826736A (en) Information sharing method, device, equipment and storage medium
CN113901424A (en) Method and device for selectively disclosing digital identity attribute
US20200213100A1 (en) Multi-chain information management method, storage medium and blockchain identity parser

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 20898424

Country of ref document: EP

Kind code of ref document: A1

NENP Non-entry into the national phase

Ref country code: DE

122 Ep: pct application non-entry in european phase

Ref document number: 20898424

Country of ref document: EP

Kind code of ref document: A1