WO2022177199A1 - Did-based user authentication system that remedies blockchain oracle problem - Google Patents

Did-based user authentication system that remedies blockchain oracle problem Download PDF

Info

Publication number
WO2022177199A1
WO2022177199A1 PCT/KR2022/001384 KR2022001384W WO2022177199A1 WO 2022177199 A1 WO2022177199 A1 WO 2022177199A1 KR 2022001384 W KR2022001384 W KR 2022001384W WO 2022177199 A1 WO2022177199 A1 WO 2022177199A1
Authority
WO
WIPO (PCT)
Prior art keywords
node
authentication
trust anchor
transaction
certificate
Prior art date
Application number
PCT/KR2022/001384
Other languages
French (fr)
Korean (ko)
Inventor
이정륜
한황제
윤태연
Original Assignee
주식회사 블록체인기술연구소
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by 주식회사 블록체인기술연구소 filed Critical 주식회사 블록체인기술연구소
Publication of WO2022177199A1 publication Critical patent/WO2022177199A1/en

Links

Images

Classifications

    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/08Network architectures or network communication protocols for network security for authentication of entities
    • H04L63/0815Network architectures or network communication protocols for network security for authentication of entities providing single-sign-on or federations
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/08Network architectures or network communication protocols for network security for authentication of entities
    • H04L63/0823Network architectures or network communication protocols for network security for authentication of entities using certificates
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L65/00Network arrangements, protocols or services for supporting real-time applications in data packet communication
    • H04L65/40Support for services or applications
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L67/00Network arrangements or protocols for supporting network services or applications
    • H04L67/01Protocols
    • H04L67/10Protocols in which an application is distributed across nodes in the network
    • H04L67/1097Protocols in which an application is distributed across nodes in the network for distributed storage of data in networks, e.g. transport arrangements for network file system [NFS], storage area networks [SAN] or network attached storage [NAS]
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/32Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/32Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L9/321Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving a third party or a trusted authority
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/32Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L9/3263Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving certificates, e.g. public key certificate [PKC] or attribute certificate [AC]; Public key infrastructure [PKI] arrangements
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/40Network security protocols
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/50Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols using hash chains, e.g. blockchains or hash trees

Definitions

  • the present invention relates to a DID-based user authentication system that supplements the oracle problem of the block chain. of the user authentication system.
  • Blockchain refers to a data distribution processing technology that distributes and stores all data that is managed by all users participating in the network. It is also called 'Distributed Ledger Technology (DLT)' or 'Public Transaction Ledger' in that the ledger containing transaction information is not owned by the transaction subject or a specific institution, but is a technology shared by all network participants.
  • Blockchain is a name given to the fact that blocks containing transaction contents are linked like a chain. This block chain is a technology to prevent hacking such as forgery and forgery of transaction contents, and it uses a method to prevent data forgery by sending transaction details to all users participating in the transaction and collating them for each transaction.
  • Blockchain is a core concept of decentralization, which aims for P2P (Peer to Peer) transactions, away from the existing financial system that secures and manages all transactions in financial institutions.
  • P2P refers to a communication network that connects personal computers without a server or client, and each connected computer acts as a server and client and shares information. Through the method of sharing and verifying the same data by multiple nodes, a trust relationship is formed in the digital world. This environment makes it possible to realize smart contracts that can conveniently conclude and modify contracts with P2P without intermediaries.
  • an oracle refers to bringing data outside the blockchain into the blockchain.
  • the data outside the block chain is called off-chain
  • the data that enters the block chain is called on-chain.
  • Blockchain is a distributed storage technology that makes it almost impossible to forge or falsify data, but it can only be managed with the block chain when the data enters the block chain. If data does not enter the blockchain, or if forgery occurs in the process of entering the blockchain, it is difficult to trust even if the data is managed by the blockchain.
  • Blockchain oracle issues such as how to decide through voting by cryptocurrency owners, how to choose a median of various data, or how to have a middleware that provides reliable data between the real world and the blockchain
  • Various methods have been proposed to solve the problem.
  • the technical problem to be solved by the present invention is that the user node and the trust anchor node are the issuing authority through the process of the trust anchor node periodically or aperiodically or aperiodically proving that the issuing authority node that it guarantees is authenticated using the data recorded in the transaction. It is to provide a DID-based user authentication system that can perform transparent certificate issuance while trusting the node.
  • a DID-based user authentication system for solving the above problems is a DID-based user authentication system including an issuer node, a trust anchor node, a user node, and a transaction statistics system, the user identity Issuer node that records the history of issuance of certificates for authentication or public certification as a transaction in the block of the block chain, a transaction statistics system that receives and stores transaction statistics from the transactions recorded in the block, and the transaction statistics system
  • a trust anchor node that statistically calculates information on public keys used for certificate issuance in the issuing authority node using transaction statistics information, and a certificate issuance request for user identity authentication or public certification to the issuing authority node and a user node, wherein the trust anchor node requests authentication of the public keys used for issuing a certificate from the issuing authority node.
  • each corresponding certificate type is recorded for each public key used for issuing the certificate, and is used for each corresponding certificate type It can include both information about the public key used and the public key used previously.
  • the trust anchor node may request authentication for all public keys used for issuing certificates from the issuing authority node or may request authentication by setting a threshold value.
  • a DID-based user authentication system for solving the above problems is a DID-based user authentication system including an issuer node, a first trust anchor node, a second trust anchor node, a user node, and a transaction statistics system
  • a user authentication system of An issuer node that records issuance history as a transaction in a block of a block chain a first trust anchor node that issues the identity authentication VC after verifying the DID in response to a request for issuing the identity authentication VC from the issuing institution node, the A transaction statistics system that receives and stores transaction statistics from a transaction recorded in a block, a user node that requests issuance of a certificate for user identity authentication or public proof to the issuing authority node, and transaction statistics received from the transaction statistics system
  • a second trust anchor node that statistically calculates information on public keys used for certificate issuance in the issuing authority node using the information, and requests authentication of the public keys used for certificate issuance to the issuing authority node includes
  • the first trust anchor node and the second trust anchor node may be separate nodes.
  • the trust anchor node can prove that the issuing authority node it guarantees is authenticated periodically or aperiodically by using the data recorded in the transaction, and by disclosing the authentication information about this, the user node can communicate with The DID document of the issuing authority node can be trusted.
  • transparent certificate issuance can be made while providing reliability to a user node and a trust anchor node through periodic or aperiodic identity authentication of the issuing authority node.
  • the trust anchor node, the issuer node, and the user node in providing a DID-based service, can trust the DID document registered in the block chain and improve the oracle problem.
  • FIG. 1 is a diagram illustrating a distributed processing system using a block chain to which the technical idea according to the present invention can be applied.
  • FIGS 2 and 3 are block diagrams showing the connection of blocks used in the block chain system.
  • FIG. 4 is a block diagram illustrating a DID-based user authentication system according to an embodiment of the present invention.
  • FIG. 5 is a flowchart illustrating a DID-based user authentication method according to an embodiment of the present invention.
  • FIG. 6 is a block diagram illustrating a DID-based user authentication system according to another embodiment of the present invention.
  • FIG. 7 is a block diagram of a computing device of a node according to an embodiment of the present invention.
  • Data outside the block chain is expressed as off-chain data, and the data recorded within the block chain is expressed as on-chain data, and the node that performs that role is referred to as a trust anchor node. If forgery occurs in the process of off-chain data being recorded in the block chain, it is difficult to trust such data, no matter how block chain it is.
  • Trust Anchor node is used to solve the oracle problem, but it is dangerous to trust the DID document based on the fact that the trust anchor node is registered. And, when a third party claims that it is a subject with an incorrect DID document, confusion is caused to the user. In other words, since an authentication problem occurs, the Oracle problem in DID-based services must be improved. To this end, a management process that can check whether the data guaranteed by the trust anchor node is valid is required, and the present invention intends to propose a method for improving the oracle problem.
  • the trust anchor node plays the role of an intermediary that records the first off-chain data (DID document) as on-chain data, and in this process, the trust anchor node performs authentication for the DID owner.
  • the subject who registered the DID proves that their DID is "did:lit:thisisAschool” through the identity authentication VC (Verifiable Credential) issued by the trust anchor node.
  • registering a DID document in the blockchain can be performed from any node, such as a trust anchor node or a user node. Accordingly, there is a fundamental Oracle problem. If a third party claims to be a school A using a completely different DID, the user cannot trust the school A guaranteed by the trust anchor node. Therefore, the trust anchor node needs to prove that the DID of school A that it guarantees is a valid DID. To solve this, the trust anchor node needs to authenticate the issuing authority node that it endorsed.
  • the present invention proposes a method of supplementing the Oracle problem according to this necessity.
  • FIG. 1 is a diagram illustrating a distributed processing system using a block chain to which the technical idea according to the present invention can be applied.
  • a distributed processing system 100 using a block chain is a distributed network system consisting of a plurality of nodes 110-170.
  • the nodes 110 to 170 constituting the distributed network 100 may be electronic devices having computing power, such as computers, mobile terminals, and dedicated electronic devices.
  • the decentralized network 100 can store and refer to information commonly known to all participating nodes in a connected bundle of blocks called blockchain.
  • the nodes 110-170 can communicate with each other and can be divided into a full node that stores, manages, and propagates the block chain and a light node that can simply participate in transactions. .
  • a node without a separate description in this specification, it often refers to a full node that participates in a distributed network and performs an operation to create, store, or verify a block chain, but is not limited thereto.
  • Each block connected to the block chain includes transaction details within a certain period, ie, transactions.
  • the nodes can manage transactions by creating, storing, or verifying the blockchain according to their respective roles.
  • the transaction may represent various types of transactions.
  • the transaction may correspond to a financial transaction for indicating the ownership status of virtual currency and its change.
  • the transaction may correspond to a physical transaction for indicating the ownership status of the object and its change.
  • the transaction may correspond to an information sharing process to represent the recording, storage and transfer of information. Nodes performing a transaction in the distributed network 100 may have a private key and a public key pair each cryptographically related.
  • FIGS 2 and 3 are block diagrams showing the connection of blocks used in the block chain system.
  • the block chain 200 is a kind of distributed database of one or more sequentially connected blocks 210 , 220 , 230 .
  • the block chain 200 is used to store and manage user's transaction details in the block chain system, and each node participating in the network of the block chain system creates a block and connects it to the block chain 200 .
  • a limited number of blocks 210, 220, and 230 are shown in FIG. 2, the number of blocks that can be included in the block chain is not limited thereto.
  • Each block included in the block chain 200 may be configured to include a block header 211 and a block body 213 .
  • the block header 211 may include a hash value of the previous block 220 to indicate a connection relationship between blocks. In the process of verifying whether the block chain 200 is valid, the connection relationship in the block header 211 is used.
  • the block body 213 may include data stored and managed in the block 210 , for example, a transaction list or a transaction chain.
  • the block header 211 may include a hash 2112 of a previous block, a hash 2113 of a current block, and a nonce 2114 . Also, the block header 211 may include a root 2115 indicating a header of a transaction list in a block.
  • the blockchain 200 may include one or more connected blocks.
  • the one or more blocks are connected based on a hash value in the block header 211 .
  • the hash value 2112 of the previous block included in the block header 211 is the same as the current hash 2213 included in the previous block 220 as a hash value of the previous block 220 .
  • the one or more blocks are chained by the hash value of the previous block in each block header. Nodes participating in the distributed network verify the validity of a block based on the hash value of the previous block included in the one or more blocks, so it is impossible for a single malicious node to forge or falsify the contents of an already created block do.
  • the block body 213 may include a transaction list 2131 .
  • the transaction list 2131 is a list of blockchain-based transactions.
  • the transaction list 2131 may include a record of financial transactions made in the blockchain-based financial system.
  • the transaction list 2131 may be expressed in the form of a tree, for example, the amount of money transmitted by user A to user B is recorded in the form of a list, and the storage length in the block is the value of the transaction included in the current block. It can be increased or decreased based on the number.
  • the block 210 may include other information 2116 other than the information included in the block header 211 and the block body 213 .
  • Nodes participating in a decentralized network have the same blockchain, and the same transactions are stored in blocks.
  • a block containing a list of transactions is shared on the network, so all participants can verify it.
  • FIG. 4 is a block diagram illustrating a DID-based user authentication system according to an embodiment of the present invention.
  • the DID-based user authentication system 300 includes an issuer node 400 , a trust anchor node 500 , a user node 600 , and a transaction statistics system 700 . ) is configured to include
  • the DID document is stored in the block chain through the issuing agency node 400 or the trust anchor node 500 It is assumed that you have registered in advance.
  • the operation algorithm of the DID-based user authentication system 300 in the present invention is first, the issuing agency node 400 completes the self-authentication procedure performed in the trust anchor node 500, and after performing the self-authentication procedure, the issuing agency node ( 400) It transmits its DID to the trust anchor node 500 .
  • the self-authentication procedure performed in the trust anchor node 500 is a step of confirming the identity of the issuing authority node 400, and may be performed by various authentication procedures such as mobile phone self-authentication and digital signature.
  • the trust anchor node 500 checks the DID transmitted from the issuing authority node 400, and when the DID transmitted from the issuing authority node 400 is verified, the trust anchor node 500 is the corresponding issuing authority node 400 ) to issue an identity authentication VC (Verifiable Credential).
  • identity authentication VC Verifiable Credential
  • Verifiable Credential In relation to Verifiable Credential (VC), Claim is a description of one subject and is expressed as a subject-property-information relationship.
  • a credential is a certificate issued by an issuer, and is a set of one or more claims made for one subject.
  • VC Verifiable Credential
  • VC is a set of data that is issued as data including the issuer's digital signature in the credential, and includes metadata such as information on whether the credential has been changed, issuer information, and a digital signature.
  • the identity authentication VC issued by the trust anchor node 500 to the issuing authority node 400 means that the DID provided by the issuing authority node 400 has been verified, and the issuing authority node 400 is in the DID document. It means that identity and ownership have been verified.
  • the trust anchor node 500 checks the public key information used for issuing a certificate for user authentication in the issuing agency node 400 and requests authentication to the issuing agency node 400 and publishes the authentication result by receiving the confirmation of the issuing authority node 400, and users can trust the DID document registered in the block chain through the authentication result. Accordingly, the trust anchor node 500 , the issuing authority node 400 , and the user node 600 can perform a transparent certificate issuance process while providing trust to each other.
  • the issuing authority node 400 is a node that issues a certificate for user identity authentication, and issues a certificate for user identity authentication in response to a certificate issuance request from the user node 600 and transmits it to the user node 600 , the certificate
  • the issuance history is recorded as a transaction in the block of the blockchain.
  • the first issuing authority node 400 adds a plurality of public keys to be used for issuing a certificate to the DID document, transmits the DID document to the trust anchor node 500, and requests registration in the block chain. That is, the issuing authority node 400 generates public keys to be registered in the DID document, transmits the public keys to the trust anchor node 500 by including the public keys in the DID document, and requests registration in the block chain.
  • the first issuing authority node 400 adds a plurality of public keys to be used for issuing a certificate to the DID document and directly registers the DID document in the block chain.
  • the issuing authority node 400 records the certificate issuance history as a transaction in the block of the block chain, and the following is an example of the recorded transaction.
  • each corresponding certificate type is recorded for each public key used for issuing the certificate in the issuing authority node 400, and the type of the public key used for issuing the certificate is different for each corresponding certificate type.
  • the public key P means a key used before the public key A in issuing transcripts, and all these histories are recorded in the transaction.
  • the transaction statistics system 700 receives and stores transaction statistics from transactions recorded in blocks of the block chain.
  • the public key used for issuing the certificate in the issuing authority node 400 is matched for each certificate and statistically stored.
  • the trust anchor node 500 receives transaction statistics information from the transaction statistics system 700, and acquires and issues accumulated data of transactions used in the certificate issuance history in the issuing authority node 400 through the transaction statistics information
  • the authority node 400 statistically calculates information on public keys used for certificate issuance.
  • the trust anchor node 500 provides the public key statistically through the accumulated data of the transaction to the specific issuing institution node 400 in order to guarantee the issuing institution node 400 (eg, school A) that it guarantees. Requests for authentication periodically or aperiodically. That is, to prove that the public key used by the specific issuing agency node 400 (eg, school A) is a value included in the DID document registered in the block chain, it is authenticated with the specific issuing agency node 400 . to request
  • the following shows an example of a query statement in which the trust anchor node 500 requests authentication of a specific issuing authority node 400 .
  • the trust anchor node 500 may request authentication for all public keys from a specific issuing authority node 400, or may request authentication by setting a threshold value.
  • the specific issuing authority node 400 may periodically or aperiodically replace the key used for issuing the certificate for security. , the information of keys used before replacement) is calculated statistically.
  • the trust anchor node 500 may request authentication for all keys used for certificate issuance from the specific issuing authority node 400, or set a threshold value to request authentication for the number of keys corresponding to the threshold value. have.
  • N keys are registered in the DID document
  • N authentication results are requested by requesting authentication for all N keys
  • the trust anchor node 500 guarantees the reliability of the specific issuing authority node 400 by publishing the authentication result for the specific issuing authority node 400 .
  • the user nodes 600 may have the reliability of the DID document registered in the block chain through the authentication result for the specific issuer node 400 of the trust anchor node 500 .
  • DID-based services there is no central authority that manages identity, so the authentication method is very important. Therefore, there is a limit for the user to completely trust the DID issued by the trust anchor node 500 .
  • the trust anchor node 500 can use the accumulated data recorded in the transaction to periodically or aperiodically prove that the issuing authority node 400 that it guarantees is authenticated, and by disclosing this, the user can communicate You can trust the DID document of the publisher node 400 you want to use.
  • the issuing authority node 400 also provides trust to the user node 600 and the trust anchor node 500 through periodic or aperiodic identity authentication, and transparent certificate issuance is made.
  • the issuer node 400, trust anchor node 500, and user node 600 can trust the DID document registered in the block chain and improve oracle problems that may occur in DID-based services. have.
  • FIG. 5 is a flowchart illustrating a DID-based user authentication method according to an embodiment of the present invention.
  • a DID-based user authentication method is performed between an issuer node 400 , a trust anchor node 500 , a user node 600 , and a transaction statistics system 700 .
  • the first issuing authority node 400 adds a plurality of public keys to be used for certificate issuance to the DID document, and transmits the DID document to the trust anchor node 500 to request registration in the block chain or , the first issuing agency node 400 directly registers in the block chain (S100). That is, the issuing authority node 400 registers the DID document including the public keys to be used for issuing the certificate in the block chain in some way.
  • the issuing authority node 400 records the certificate issuance history as a transaction in the block of the block chain (S110).
  • the transaction statistics system 700 receives and stores the transaction statistics from the transactions recorded in the block of the block chain (S120).
  • the transaction statistics the public key used for issuing the certificate in the issuing authority node 400 is matched for each certificate and statistically stored.
  • the trust anchor node 500 receives transaction statistics information from the transaction statistics system 700, and acquires accumulated data of transactions used in the certificate issuance history in the issuing authority node 400 through the transaction statistics information, , statistically calculates information on public keys used for certificate issuance in the issuing authority node 400 .
  • the trust anchor node 500 periodically or aperiodically authenticates the public key statistically obtained through the accumulated data of the transaction to the specific issuer node 400 in order to guarantee the issuing authority node 400 that it guarantees. request (S130).
  • the trust anchor node 500 guarantees the reliability of the specific issuer node 400 by publishing the authentication result for the specific issuer node 400 ( S140 ).
  • FIG. 6 is a block diagram illustrating a DID-based user authentication system according to another embodiment of the present invention.
  • the DID-based user authentication system 310 includes an issuer node 400 , a first trust anchor node 510 , a second trust anchor node 520 , and a user node 600 , a transaction statistics system 700 .
  • the issuing authority node 400 is a node that issues a certificate for user identity authentication, and issues a certificate for user identity authentication in response to a certificate issuance request from the user node 600 to the user node 600 . and records the certificate issuance history as a transaction in the block of the blockchain.
  • the first issuing agency node 400 adds a plurality of public keys to be used for issuing a certificate to the DID document, transmits the DID document to the first trust anchor node 510 with public trust, and requests registration on the block chain do. That is, the issuing authority node 400 generates public keys to be registered in the DID document, transmits the public keys to the first trust anchor node 510 by including the public keys in the DID document, and requests registration in the block chain.
  • the first issuing authority node 400 adds a plurality of public keys to be used for issuing a certificate to the DID document and directly registers the DID document in the block chain.
  • the issuing authority node 400 records the certificate issuance history as a transaction in the block of the block chain.
  • each corresponding certificate type is recorded for each public key used for issuing the certificate in the issuing authority node 400, and the type of the public key used for issuing the certificate is different for each corresponding certificate type.
  • a history of the change details of the public key used for issuing the certificate is all recorded.
  • the transaction statistics system 700 receives and stores transaction statistics from transactions recorded in blocks of the block chain.
  • the public key used for issuing the certificate in the issuing authority node 400 is matched for each certificate and statistically stored.
  • the second trust anchor node 520 receives transaction statistics information from the transaction statistics system 700, and acquires accumulated data of transactions used in the certificate issuance history in the issuing authority node 400 through the transaction statistics information, , statistically calculates information on public keys used for certificate issuance in the issuing authority node 400 .
  • the second trust anchor node 520 periodically or non-certifies the public key statistically through the accumulated data of the transaction to the specific issuer node 400 in order to guarantee the issuing authority node 400 that it guarantees. request periodically. That is, in order to prove that the public key used by the specific issuing agency node 400 for issuing the certificate is a value included in the DID document registered in the block chain, authentication is requested from the specific issuing agency node 400 .
  • the second trust anchor node 520 may request authentication for all public keys from the specific issuing authority node 400 or may request authentication by setting a threshold value.
  • the specific issuing authority node 400 may periodically or aperiodically replace the key used for issuing the certificate for security. , the information of keys used before replacement) is calculated statistically.
  • the second trust anchor node 520 may request authentication for all keys used for certificate issuance from the specific issuing authority node 400 or may request by setting a threshold value.
  • the second trust anchor node 520 guarantees the reliability of the specific issuer node 400 by periodically or non-periodically publishing the authentication result for the specific issuer node 400 .
  • the user nodes 600 may have the reliability of the DID document registered in the block chain through the authentication result for the specific issuer node 400 of the second trust anchor node 520 .
  • the second trust anchor node 520 for example, whenever BP nodes (Block Producers, block generating nodes) of the block chain that provide DID-based services generate blocks, the transaction statistics system 700 provides It periodically or aperiodically requests the specific issuing authority node 400 to authenticate the public key statistically based on the accumulated data.
  • BP nodes Block Producers, block generating nodes
  • the first trust anchor node 510 may be a node whose public trust is recognized by receiving the DID document from the issuing authority node 400 and requesting registration in the block chain
  • the second trust anchor node 520 provides transaction statistics It may be a node that receives the accumulated data of the transaction from the system 700 and periodically or aperiodically performs validation of the DID document and the public key for the specific issuer node 400 .
  • the first trust anchor node 510 and the second trust anchor node 520 may be physically separated from each other or may be the same node.
  • FIG. 7 is a block diagram of a computing device of a node according to an embodiment of the present invention.
  • the computing device 1000 of a node includes a processor 1100 and a memory 1200 , and the processor 1100 includes one or more cores and a graphic processing unit and/or Alternatively, it may include a connection path (eg, a bus, etc.) for transmitting and receiving signals with other components.
  • a connection path eg, a bus, etc.
  • the processor 1100 executes the operation of the DID-based user authentication system described with reference to FIGS. 4 to 6 by executing one or more instructions stored in the memory 1200 .
  • the processor 1100 collects information about data upload/download that occurs in one or more nodes by executing one or more instructions stored in the memory, writes the collected information to a block, and writes the collected information to the block. Based on the information, related information is provided for at least one node.
  • the processor 1100 may further include a random access memory (RAM) and a read-only memory (ROM) for temporarily and/or permanently storing signals (or data) processed therein.
  • the processor 1100 may be implemented in the form of a system on chip (SoC) including at least one of a graphic processing unit, a RAM, and a ROM.
  • SoC system on chip
  • the memory 1200 may store programs (one or more instructions) for processing and controlling the processor 1100 .
  • Programs stored in the memory 1200 may be divided into a plurality of modules according to functions.
  • a software module may include random access memory (RAM), read only memory (ROM), erasable programmable ROM (EPROM), electrically erasable programmable ROM (EEPROM), flash memory, hard disk, removable disk, CD-ROM, or It may reside in any type of computer-readable recording medium well known in the art to which the present invention pertains.
  • RAM random access memory
  • ROM read only memory
  • EPROM erasable programmable ROM
  • EEPROM electrically erasable programmable ROM
  • flash memory hard disk, removable disk, CD-ROM, or It may reside in any type of computer-readable recording medium well known in the art to which the present invention pertains.
  • the components of the present invention may be implemented as a program (or application) to be executed in combination with a computer, which is hardware, and stored in a medium.
  • Components of the present invention may be implemented as software programming or software components, and similarly, embodiments may include various algorithms implemented as data structures, processes, routines, or combinations of other programming constructs, including C, C++ , Java, assembler, etc. may be implemented in a programming or scripting language. Functional aspects may be implemented in an algorithm running on one or more processors.

Abstract

A DID-based user authentication system that remedies the blockchain oracle problem is provided. The DID-based user authentication system is a DID-based user authentication system comprising an issuer node, a trust anchor node, a user node, and a transaction statistics system, wherein the DID-based user authentication system comprises: the issuer node which records the history of issuing a certificate for user identity authentication or public authentication as a transaction in a block of a block chain; the transaction statistics system which receives and stores transaction statistics from the transaction recorded in the block; a trust anchor node which statistically calculates information on public keys used for issuing the certificate at the issuer node by using the transaction statistics information received from the transaction statistics system; and the user node which performs a certificate issuance request for user identity authentication or public authentication with respect to the issuer node, wherein the trust anchor node requests the issuer node to authenticate the public keys used for issuing the certificate.

Description

블록체인의 오라클 문제를 보완한 DID 기반의 사용자 인증 시스템DID-based user authentication system that supplements the oracle problem of blockchain
본 발명은 블록체인의 오라클 문제를 보완한 DID 기반의 사용자 인증 시스템에 관한 것으로서, 더욱 상세하게는, 트러스트앵커 노드의 인증 절차를 통해 DID 기반 서비스에서 발생가능한 블록체인의 오라클 문제를 보완한 DID 기반의 사용자 인증 시스템에 관한 것이다.The present invention relates to a DID-based user authentication system that supplements the oracle problem of the block chain. of the user authentication system.
블록체인(blockchain)은 네트워크에 참여하는 모든 사용자가 관리 대상이 되는 모든 데이터를 분산하여 저장하는 데이터 분산처리기술을 의미한다. 거래 정보가 담긴 원장을 거래 주체나 특정 기관에서 보유하는 것이 아니라 네트워크 참여자 모두가 나누어 가지는 기술이라는 점에서 '분산원장기술(DLT:Distributed Ledger Technology)' 또는 '공공거래장부'라고도 한다. 블록체인은 거래 내용이 담긴 블록(block)을 사슬처럼 연결(chain)한 것이라 하여 붙여진 명칭이다. 이러한 블록체인은 거래 내용의 위변조와 같은 해킹을 막기 위한 기술이며, 거래에 참여하는 모든 사용자에게 거래 내역을 보내 주며 거래 때마다 이를 대조해 데이터 위조를 막는 방식을 사용한다. Blockchain refers to a data distribution processing technology that distributes and stores all data that is managed by all users participating in the network. It is also called 'Distributed Ledger Technology (DLT)' or 'Public Transaction Ledger' in that the ledger containing transaction information is not owned by the transaction subject or a specific institution, but is a technology shared by all network participants. Blockchain is a name given to the fact that blocks containing transaction contents are linked like a chain. This block chain is a technology to prevent hacking such as forgery and forgery of transaction contents, and it uses a method to prevent data forgery by sending transaction details to all users participating in the transaction and collating them for each transaction.
블록체인은 금융기관에서 모든 거래를 담보하고 관리하는 기존의 금융 시스템에서 벗어나 P2P(Peer to Peer;개인 대 개인) 거래를 지향하는, 탈중앙화를 핵심 개념으로 한다. P2P란 서버나 클라이언트 없이 개인 컴퓨터 사이를 연결하는 통신망을 말하며, 연결된 각각의 컴퓨터가 서버이자 클라이언트 역할을 하며 정보를 공유하는 방식이다. 다수의 노드가 같은 데이터를 공유하고 검증하는 방식을 통해 디지털 상에 신뢰관계를 형성하게 된다. 이러한 환경은 중개자 없이 P2P로 편리하게 계약을 체결하고 수정할 수 있는 스마트 컨트랙트를 실현 가능하게 한다.Blockchain is a core concept of decentralization, which aims for P2P (Peer to Peer) transactions, away from the existing financial system that secures and manages all transactions in financial institutions. P2P refers to a communication network that connects personal computers without a server or client, and each connected computer acts as a server and client and shares information. Through the method of sharing and verifying the same data by multiple nodes, a trust relationship is formed in the digital world. This environment makes it possible to realize smart contracts that can conveniently conclude and modify contracts with P2P without intermediaries.
기존 금융 시스템에서는 금융회사들이 중앙 서버에 거래 기록을 보관해 온 반면, P2P 방식을 기반으로 하는 블록체인에서는 거래 정보를 블록에 담아 차례대로 연결하고 이를 모든 참여자가 공유한다.In the existing financial system, financial companies have kept transaction records in a central server, whereas in a blockchain based on the P2P method, transaction information is stored in blocks, connected in turn, and shared by all participants.
또한, 블록체인 분야에서 오라클(oracle)이란 블록체인 밖에 있는 데이터를 블록체인 안으로 가져오는 것을 말한다. 이때 블록체인 밖에 있는 데이터를 오프체인(off-chain)이라고 하고, 그 데이터가 블록체인 안으로 들어온 것을 온체인(on-chain)이라고 한다. 블록체인은 데이터의 위변조가 거의 불가능한 분산 저장 기술이지만, 데이터가 블록체인 안으로 들어와야 블록체인으로 관리할 수 있다. 데이터가 블록체인 안으로 들어오지 않거나, 혹은 블록체인 안으로 들어오는 과정에서 위변조가 발생한다면, 설령 그 데이터가 블록체인으로 관리된다고 할지라도 신뢰하기 어렵다.Also, in the blockchain field, an oracle refers to bringing data outside the blockchain into the blockchain. At this time, the data outside the block chain is called off-chain, and the data that enters the block chain is called on-chain. Blockchain is a distributed storage technology that makes it almost impossible to forge or falsify data, but it can only be managed with the block chain when the data enters the block chain. If data does not enter the blockchain, or if forgery occurs in the process of entering the blockchain, it is difficult to trust even if the data is managed by the blockchain.
현실 세계에 있는 데이터가 블록체인 안으로 들어오는 과정은 생각만큼 쉽지 않다. 오프체인 데이터가 온체인 데이터로 바뀌기 위해서는, 현실 세계와 블록체인의 중간에서 데이터를 블록체인 안에 넣어주는 사람이나 장치가 필요하다. 오라클 문제는 이러한 중간자 역할을 하는 사람이나 장치를 어떻게 신뢰할 수 있을 것인가 하는 문제이다. 블록체인은 탈중앙 분산화를 추구하므로 권위를 가진 중앙이 존재하지 않는다. 따라서 블록체인에 데이터를 입력하는 중간자를 신뢰할 수 있는 특별한 방법이 필요하다.The process of getting data in the real world into the blockchain is not as easy as you might think. In order for off-chain data to be turned into on-chain data, a person or device that puts data into the blockchain is needed between the real world and the blockchain. The oracle problem is how to trust the person or device acting as this middleman. Blockchain pursues decentralization, so there is no central authority with authority. Therefore, there is a need for a special way to trust the man in the middle of entering data into the blockchain.
블록체인에서 오라클 문제를 해결하기 위해 다양한 방법이 도입되고 있으나 확실한 해결책은 존재하지 않는다. 암호화폐 소유자들의 투표(voting)를 통해 결정하거나, 다양한 데이터의 중앙값(median)을 선택하거나, 현실 세계와 블록체인 사이에서 신뢰할 수 있는 데이터를 제공해 주는 중간자(middleware)를 두는 방법 등 블록체인 오라클 문제를 해결하기 위한 다양한 방안이 제시되고 있다.Various methods are being introduced to solve the oracle problem in the blockchain, but there is no definitive solution. Blockchain oracle issues, such as how to decide through voting by cryptocurrency owners, how to choose a median of various data, or how to have a middleware that provides reliable data between the real world and the blockchain Various methods have been proposed to solve the problem.
본 발명이 해결하고자 하는 기술적 과제는, 트러스트앵커 노드가 트랜잭션에 기록된 데이터를 이용해 주기적 또는 비주기적으로 자신이 보증한 발행기관 노드가 인증되었음을 증명하는 과정을 통해 사용자 노드 및 트러스트앵커 노드가 발행기관 노드를 신뢰하면서 투명한 증명서 발급이 수행될 수 있는 DID 기반의 사용자 인증 시스템을 제공하는 것이다. The technical problem to be solved by the present invention is that the user node and the trust anchor node are the issuing authority through the process of the trust anchor node periodically or aperiodically or aperiodically proving that the issuing authority node that it guarantees is authenticated using the data recorded in the transaction. It is to provide a DID-based user authentication system that can perform transparent certificate issuance while trusting the node.
다만, 본 발명이 해결하고자 하는 기술적 과제들은 상기 과제들로 한정되는 것이 아니며, 본 발명의 기술적 사상 및 영역으로부터 벗어나지 않는 범위에서 다양하게 확장될 수 있다.However, the technical problems to be solved by the present invention are not limited to the above problems, and may be variously expanded without departing from the technical spirit and scope of the present invention.
상기 과제를 해결하기 위한 본 발명의 일 실시예에 따른 DID 기반의 사용자 인증 시스템은, 발행기관 노드, 트러스트앵커 노드, 사용자 노드, 및 트랜잭션 통계 시스템을 포함하는 DID 기반의 사용자 인증 시스템으로서, 사용자 신원 인증 또는 공적 증명을 위한 증명서 발급에 관한 이력을 블록체인의 블록 내에 트랜잭션으로 기록하는 발행기관 노드, 상기 블록에 기록된 트랜잭션으로부터 트랜잭션 통계를 전달받아 저장하는 트랜잭션 통계 시스템, 상기 트랜잭션 통계 시스템으로부터 전달받은 트랜잭션 통계 정보를 이용하여 상기 발행기관 노드에서의 증명서 발급에 이용된 공개키들의 정보를 통계적으로 연산하는 트러스트앵커 노드, 및 상기 발행기관 노드에 대해 사용자 신원 인증 또는 공적 증명을 위한 증명서 발급 요청을 수행하는 사용자 노드를 포함하고, 상기 트러스트앵커 노드는 상기 발행기관 노드에 대해 증명서 발급에 이용된 상기 공개키들에 대한 인증을 요청한다. A DID-based user authentication system according to an embodiment of the present invention for solving the above problems is a DID-based user authentication system including an issuer node, a trust anchor node, a user node, and a transaction statistics system, the user identity Issuer node that records the history of issuance of certificates for authentication or public certification as a transaction in the block of the block chain, a transaction statistics system that receives and stores transaction statistics from the transactions recorded in the block, and the transaction statistics system A trust anchor node that statistically calculates information on public keys used for certificate issuance in the issuing authority node using transaction statistics information, and a certificate issuance request for user identity authentication or public certification to the issuing authority node and a user node, wherein the trust anchor node requests authentication of the public keys used for issuing a certificate from the issuing authority node.
본 발명에 따른 몇몇 실시예에서, 상기 발행기관 노드가 상기 블록에 트랜잭션으로 기록한 증명서 발급 이력은, 증명서 발급에 이용된 공개키별로 각 대응하는 증명서 종류가 기록되고, 각 대응하는 증명서의 종류별로 사용된 공개키 및 이전에 사용된 공개키에 대한 정보를 모두 포함할 수 있다. In some embodiments according to the present invention, in the certificate issuance history recorded by the issuing authority node as a transaction in the block, each corresponding certificate type is recorded for each public key used for issuing the certificate, and is used for each corresponding certificate type It can include both information about the public key used and the public key used previously.
본 발명에 따른 몇몇 실시예에서, 상기 트러스트앵커 노드는, 상기 발행기관 노드에 대해 증명서 발급에 이용된 모든 공개키에 대한 인증을 요청하거나 임계치 값을 설정하여 인증을 요청할 수 있다. In some embodiments according to the present invention, the trust anchor node may request authentication for all public keys used for issuing certificates from the issuing authority node or may request authentication by setting a threshold value.
상기 과제를 해결하기 위한 본 발명의 다른 실시예에 따른 DID 기반의 사용자 인증 시스템은, 발행기관 노드, 제1 트러스트앵커 노드, 제2 트러스트앵커 노드, 사용자 노드, 및 트랜잭션 통계 시스템을 포함하는 DID 기반의 사용자 인증 시스템으로서, 상기 트러스트앵커 노드에서 수행되는 본인인증 절차 완료 후 자신의 DID를 상기 트러스트앵커 노드로 전달하여 신원인증 VC(Verifiable Credential) 발급을 요청하고, 사용자 신원 인증 또는 공적 증명을 위한 증명서 발급에 관한 이력을 블록체인의 블록 내에 트랜잭션으로 기록하는 발행기관 노드, 상기 발행기관 노드로부터의 상기 신원인증 VC 발급 요청에 대해 상기 DID 검증 후 상기 신원인증 VC를 발급하는 제1 트러스트앵커 노드, 상기 블록에 기록된 트랜잭션으로부터 트랜잭션 통계를 전달받아 저장하는 트랜잭션 통계 시스템, 상기 발행기관 노드에 대해 사용자 신원 인증 또는 공적 증명을 위한 증명서 발급 요청을 수행하는 사용자 노드, 및 상기 트랜잭션 통계 시스템으로부터 전달받은 트랜잭션 통계 정보를 이용하여 상기 발행기관 노드에서의 증명서 발급에 이용된 공개키들의 정보를 통계적으로 연산하고, 상기 발행기관 노드에 대해 증명서 발급에 이용된 상기 공개키들에 대한 인증을 요청하는 제2 트러스트앵커 노드를 포함한다. A DID-based user authentication system according to another embodiment of the present invention for solving the above problems is a DID-based user authentication system including an issuer node, a first trust anchor node, a second trust anchor node, a user node, and a transaction statistics system As a user authentication system of An issuer node that records issuance history as a transaction in a block of a block chain, a first trust anchor node that issues the identity authentication VC after verifying the DID in response to a request for issuing the identity authentication VC from the issuing institution node, the A transaction statistics system that receives and stores transaction statistics from a transaction recorded in a block, a user node that requests issuance of a certificate for user identity authentication or public proof to the issuing authority node, and transaction statistics received from the transaction statistics system A second trust anchor node that statistically calculates information on public keys used for certificate issuance in the issuing authority node using the information, and requests authentication of the public keys used for certificate issuance to the issuing authority node includes
본 발명에 따른 몇몇 실시예에서, 상기 제1 트러스트앵커 노드와 상기 제2 트러스트앵커 노드는 서로 다른 별개의 노드일 수 있다. In some embodiments according to the present invention, the first trust anchor node and the second trust anchor node may be separate nodes.
본 발명의 기타 구체적인 사항들은 상세한 설명 및 도면들에 포함되어 있다.Other specific details of the invention are included in the detailed description and drawings.
본 발명에 따르면, DID 기반 서비스에서 발생하는 근본적인 오라클 문제를 개선할 수 있다. According to the present invention, it is possible to improve a fundamental oracle problem occurring in a DID-based service.
또한, 본 발명에 따르면, 트러스트앵커 노드는 트랜잭션에 기록된 데이터를 이용해 주기적 또는 비주기적으로 자신이 보증한 발행기관 노드가 인증되었음을 증명할 수 있으며, 이에 관한 인증 정보를 공개함으로써 사용자 노드는 통신하고자 하는 발행기관 노드의 DID 문서를 신뢰할 수 있다. In addition, according to the present invention, the trust anchor node can prove that the issuing authority node it guarantees is authenticated periodically or aperiodically by using the data recorded in the transaction, and by disclosing the authentication information about this, the user node can communicate with The DID document of the issuing authority node can be trusted.
또한, 본 발명에 따르면, DID 기반 서비스를 제공함에 있어서 발행기관 노드의 주기적 또는 비주기적인 신원 인증을 통해 사용자 노드, 트러스트앵커 노드에게 신뢰성을 제공하면서 투명한 증명서 발급이 이루어질 수 있다. In addition, according to the present invention, in providing a DID-based service, transparent certificate issuance can be made while providing reliability to a user node and a trust anchor node through periodic or aperiodic identity authentication of the issuing authority node.
또한, 본 발명에 따르면, DID 기반 서비스를 제공함에 있어서 트러스트앵커 노드, 발행기관 노드, 사용자 노드는 블록체인에 등록된 DID 문서를 신뢰할 수 있게 되면서 오라클 문제를 개선할 수 있다. In addition, according to the present invention, in providing a DID-based service, the trust anchor node, the issuer node, and the user node can trust the DID document registered in the block chain and improve the oracle problem.
다만, 본 발명의 효과는 상기 효과들로 한정되는 것이 아니며, 본 발명의 기술적 사상 및 영역으로부터 벗어나지 않는 범위에서 다양하게 확장될 수 있다.However, the effects of the present invention are not limited to the above effects, and may be variously expanded without departing from the spirit and scope of the present invention.
도 1은 본 발명에 따른 기술적 사상이 적용될 수 있는 블록체인을 이용한 분산처리 시스템을 도시한 도면이다.1 is a diagram illustrating a distributed processing system using a block chain to which the technical idea according to the present invention can be applied.
도 2 및 도 3은 블록체인 시스템에서 이용되는 블록의 연결을 도시한 블록도이다.2 and 3 are block diagrams showing the connection of blocks used in the block chain system.
도 4는 본 발명의 일 실시예에 따른 DID 기반의 사용자 인증 시스템을 도시한 블록도이다. 4 is a block diagram illustrating a DID-based user authentication system according to an embodiment of the present invention.
도 5는 본 발명의 일 실시예에 따른 DID 기반의 사용자 인증 방법을 도시한 순서도이다. 5 is a flowchart illustrating a DID-based user authentication method according to an embodiment of the present invention.
도 6은 본 발명의 다른 실시예에 따른 DID 기반의 사용자 인증 시스템을 도시한 블록도이다. 6 is a block diagram illustrating a DID-based user authentication system according to another embodiment of the present invention.
도 7은 본 발명의 실시예에 따른 노드의 컴퓨팅 장치의 구성도이다.7 is a block diagram of a computing device of a node according to an embodiment of the present invention.
본 발명의 이점 및 특징, 그리고 그것들을 달성하는 방법은 첨부되는 도면과 함께 상세하게 후술되어 있는 실시예들을 참조하면 명확해질 것이다. 그러나, 본 발명은 이하에서 개시되는 실시예들에 한정되는 것이 아니라 서로 다른 다양한 형태로 구현될 것이며, 단지 본 실시예들은 본 발명의 개시가 완전하도록 하며, 본 발명이 속하는 기술분야에서 통상의 지식을 가진 자에게 발명의 범주를 완전하게 알려주기 위해 제공되는 것이며, 본 발명은 청구항의 범주에 의해 정의될 뿐이다. Advantages and features of the present invention and methods of achieving them will become apparent with reference to the embodiments described below in detail in conjunction with the accompanying drawings. However, the present invention is not limited to the embodiments disclosed below, but will be embodied in various different forms, and only these embodiments allow the disclosure of the present invention to be complete, and common knowledge in the art to which the present invention pertains It is provided to fully inform those who have the scope of the invention, and the present invention is only defined by the scope of the claims.
본 명세서에서 사용된 용어는 실시예들을 설명하기 위한 것이며, 본 발명을 제한하고자 하는 것은 아니다. 본 명세서에서, 단수형은 문구에서 특별히 언급하지 않는 한 복수형도 포함한다. 명세서에서 사용되는 "포함한다(comprises)" 및/또는 "포함하는(comprising)"은 언급된 구성요소, 단계, 동작 및/또는 소자는 하나 이상의 다른 구성요소, 단계, 동작 및/또는 소자의 존재 또는 추가를 배제하지 않는다.The terminology used herein is for the purpose of describing the embodiments, and is not intended to limit the present invention. In this specification, the singular also includes the plural, unless specifically stated otherwise in the phrase. As used herein, “comprises” and/or “comprising” refers to the presence of one or more other components, steps, operations and/or elements mentioned. or addition is not excluded.
다른 정의가 없다면, 본 명세서에서 사용되는 모든 용어(기술 및 과학적 용어를 포함)는 본 발명이 속하는 기술분야에서 통상의 지식을 가진 자에게 공통적으로 이해될 수 있는 의미로 사용될 수 있을 것이다. 또한, 일반적으로 사용되는 사전에 정의되어 있는 용어들은 명백하게 특별히 정의되어 있지 않는 한 이상적으로 또는 과도하게 해석되지 않는다.Unless otherwise defined, all terms (including technical and scientific terms) used herein may be used with the meaning commonly understood by those of ordinary skill in the art to which the present invention belongs. In addition, terms defined in a commonly used dictionary are not to be interpreted ideally or excessively unless clearly specifically defined.
이하, 첨부한 도면들을 참조하여, 본 발명의 바람직한 실시예들을 보다 상세하게 설명하고자 한다. 도면 상의 동일한 구성요소에 대해서는 동일한 참조 부호를 사용하고 동일한 구성요소에 대해서 중복된 설명은 생략한다.Hereinafter, preferred embodiments of the present invention will be described in more detail with reference to the accompanying drawings. The same reference numerals are used for the same components in the drawings, and repeated descriptions of the same components are omitted.
블록체인 기반의 모든 서비스는 오라클 문제(oracle problem)가 존재한다. 그렇기 때문에 블록체인에 등록하는 데이터의 신뢰성이 보장되어야 한다. 블록체인에 기록되는 데이터에 대해 사용자는 신뢰할 수 있어야 하는데 블록체인 외부의 데이터를 블록체인 내로 가져올 때 데이터가 위변조될 수 있으며, 특히 블록체인에 기록된 DID 문서 역시도 신뢰할 수 있어야 한다.All blockchain-based services have an oracle problem. Therefore, the reliability of data registered in the blockchain must be guaranteed. Users must trust the data recorded in the block chain, and when data outside the block chain is brought into the block chain, the data can be forged. In particular, the DID document recorded in the block chain must also be trusted.
블록체인 외부에 있는 데이터를 오프체인 데이터, 그 데이터가 블록체인 내에 기록된 것을 온체인 데이터라고 표현하며, 그 역할을 수행하는 노드를 트러스트앵커(Trust Anchor) 노드라고 표현한다. 오프체인 데이터가 블록체인 내에 기록되는 과정에서 위변조가 발생한다면, 아무리 블록체인이라 하더라도 이러한 데이터는 신뢰하기 어렵다. Data outside the block chain is expressed as off-chain data, and the data recorded within the block chain is expressed as on-chain data, and the node that performs that role is referred to as a trust anchor node. If forgery occurs in the process of off-chain data being recorded in the block chain, it is difficult to trust such data, no matter how block chain it is.
오라클 문제를 해소하기 위해 트러스트앵커(Trust Anchor) 노드를 이용하지만 트러스트앵커 노드가 등록한 사실 만으로 DID 문서를 신뢰하는 것은 위험하다. 그리고, 제3자가 잘못된 DID 문서로 어떤 주체임을 주장할 경우 사용자에게는 혼란이 야기된다. 즉, 인증 문제가 발생하므로 DID 기반 서비스에서 오라클 문제는 반드시 개선되어야 한다. 그러기 위해서는 트러스트앵커 노드가 보증하는 데이터가 유효한지 검사할 수 있는 관리 프로세스가 필요하며 본 발명에서는 이러한 오라클 문제를 개선할 수 있는 방안을 제안하고자 한다.Trust Anchor node is used to solve the oracle problem, but it is dangerous to trust the DID document based on the fact that the trust anchor node is registered. And, when a third party claims that it is a subject with an incorrect DID document, confusion is caused to the user. In other words, since an authentication problem occurs, the Oracle problem in DID-based services must be improved. To this end, a management process that can check whether the data guaranteed by the trust anchor node is valid is required, and the present invention intends to propose a method for improving the oracle problem.
구체적으로, DID 기반 서비스에서의 오라클 문제를 설명하면, DID 프레임워크에서 트러스트앵커 노드가 최초의 오프체인 데이터(DID 문서)를 온체인 데이터로 기록하는 중간자 역할을 수행하며, 이 과정에서 트러스트앵커 노드는 DID 소유주에 대한 인증을 수행한다. DID를 등록한 주체는 자신의 DID가 "did:lit:thisisAschool"임을 트러스트앵커 노드가 발행한 신원인증 VC(Verifiable Credential)를 통해 증명한다.Specifically, when explaining the oracle problem in DID-based services, in the DID framework, the trust anchor node plays the role of an intermediary that records the first off-chain data (DID document) as on-chain data, and in this process, the trust anchor node performs authentication for the DID owner. The subject who registered the DID proves that their DID is "did:lit:thisisAschool" through the identity authentication VC (Verifiable Credential) issued by the trust anchor node.
하지만, 블록체인에 DID 문서를 등록하는 것은 트러스트앵커 노드 또는 사용자 노드 등 어느 노드에서든 수행할 수 있다. 이에 따라, 근본적인 오라클 문제가 존재한다. 만약에, 제3자가 전혀 다른 DID를 이용해 자신이 A학교라고 주장한다면 사용자는 트러스트앵커 노드가 보증한 A학교를 신뢰할 수 없게 된다. 그러므로, 트러스트앵커 노드는 자신이 보증하는 A학교의 DID가 유효한 DID임을 증명해야할 필요가 있다. 이를 해결하기 위해 트러스트앵커 노드는 자신이 보증한 발행기관 노드를 인증할 필요가 있다. 본 발명에서는 이러한 필요성에 따른 오라클 문제 보완 방안을 제시한다. However, registering a DID document in the blockchain can be performed from any node, such as a trust anchor node or a user node. Accordingly, there is a fundamental Oracle problem. If a third party claims to be a school A using a completely different DID, the user cannot trust the school A guaranteed by the trust anchor node. Therefore, the trust anchor node needs to prove that the DID of school A that it guarantees is a valid DID. To solve this, the trust anchor node needs to authenticate the issuing authority node that it endorsed. The present invention proposes a method of supplementing the Oracle problem according to this necessity.
이하에서는 우선, 본 발명의 개념이 적용될 수 있는 블록체인을 이용한 분산처리 시스템에 관해 설명하기로 한다. Hereinafter, first, a distributed processing system using a block chain to which the concept of the present invention can be applied will be described.
도 1은 본 발명에 따른 기술적 사상이 적용될 수 있는 블록체인을 이용한 분산처리 시스템을 도시한 도면이다.1 is a diagram illustrating a distributed processing system using a block chain to which the technical idea according to the present invention can be applied.
도 1을 참조하면 블록체인을 이용한 분산처리 시스템(100)은 복수의 노드들(110-170)로 이루어진 분산형 네트워크(distributed network) 시스템이다. 상기 분산형 네트워크(100)를 구성하는 노드들(110-170)은 컴퓨터, 이동 단말기, 전용 전자 장치 등 연산 능력이 있는 전자 장치일 수 있다.Referring to FIG. 1 , a distributed processing system 100 using a block chain is a distributed network system consisting of a plurality of nodes 110-170. The nodes 110 to 170 constituting the distributed network 100 may be electronic devices having computing power, such as computers, mobile terminals, and dedicated electronic devices.
일반적으로 분산형 네트워크(100)는 블록체인이라 불리는 블록(block)의 연결 묶음 내에 모든 참여 노드에 공통으로 알려진 정보를 저장하고 참조할 수 있다. 상기 노드들(110-170)은 상호간 통신이 가능하며 블록체인을 저장, 관리 및 전파를 담당하는 완전 노드(full node)와 단순하게 트랜잭션에만 참여할 수 있는 간이 노드(light node)로 구분될 수 있다. 본 명세서에서 별다른 설명 없이 노드에 대하여 언급되는 경우, 이는 분산형 네트워크에 참여하며 블록체인을 생성, 저장 또는 검증하는 동작을 수행하는 완전 노드를 지칭하는 경우가 많으나, 이에 한정되는 것은 아니다. In general, the decentralized network 100 can store and refer to information commonly known to all participating nodes in a connected bundle of blocks called blockchain. The nodes 110-170 can communicate with each other and can be divided into a full node that stores, manages, and propagates the block chain and a light node that can simply participate in transactions. . When referring to a node without a separate description in this specification, it often refers to a full node that participates in a distributed network and performs an operation to create, store, or verify a block chain, but is not limited thereto.
상기 블록체인에 연결되어 있는 각 블록들은 일정 기간 내의 거래 내역, 즉 트랜잭션(transaction)들을 포함한다. 상기 노드들은 각각 역할에 따라 블록체인을 생성, 저장 또는 검증함으로써 트랜잭션들을 관리할 수 있다.Each block connected to the block chain includes transaction details within a certain period, ie, transactions. The nodes can manage transactions by creating, storing, or verifying the blockchain according to their respective roles.
실시 형태에 따라 상기 트랜잭션은 다양한 형태의 거래를 나타낼 수 있다. 일 실시예에서 상기 트랜잭션은 가상화폐의 소유 상태 및 그 변동을 나타내기 위한 금융 거래에 해당할 수 있다. 다른 실시예에서 상기 트랜잭션은 물건의 소유 상태 및 그 변동을 나타내기 위한 실물 거래에 해당할 수 있다. 또 다른 실시예에서 상기 트랜잭션은 정보의 기록, 저장 및 이송을 나타내기 위한 정보 공유 과정에 해당할 수 있다. 상기 분산형 네트워크(100)에서 거래를 수행하는 노드들은 각각의 암호학적 연관관계가 있는 개인키(private key) 및 공개키(public key) 쌍을 가질 수 있다.According to an embodiment, the transaction may represent various types of transactions. In one embodiment, the transaction may correspond to a financial transaction for indicating the ownership status of virtual currency and its change. In another embodiment, the transaction may correspond to a physical transaction for indicating the ownership status of the object and its change. In another embodiment, the transaction may correspond to an information sharing process to represent the recording, storage and transfer of information. Nodes performing a transaction in the distributed network 100 may have a private key and a public key pair each cryptographically related.
도 2 및 도 3은 블록체인 시스템에서 이용되는 블록의 연결을 도시한 블록도이다.2 and 3 are block diagrams showing the connection of blocks used in the block chain system.
도 2를 참조하면 블록체인(200)은 순차적으로 연결된 하나 이상의 블록들(210, 220, 230)의 분산 데이터베이스의 일종이다. 상기 블록체인(200)은 블록체인 시스템 내 사용자의 거래 내역을 저장하고 관리하기 위해 사용되며, 상기 블록체인 시스템의 네트워크에 참여하는 각 노드가 블록을 생성하여 상기 블록체인(200)에 연결한다. 도 2에는 제한된 수의 블록들(210, 220, 230)이 도시되어 있으나 블록체인에 포함될 수 있는 블록의 수는 이에 제한되지 아니한다.Referring to FIG. 2 , the block chain 200 is a kind of distributed database of one or more sequentially connected blocks 210 , 220 , 230 . The block chain 200 is used to store and manage user's transaction details in the block chain system, and each node participating in the network of the block chain system creates a block and connects it to the block chain 200 . Although a limited number of blocks 210, 220, and 230 are shown in FIG. 2, the number of blocks that can be included in the block chain is not limited thereto.
상기 블록체인(200)에 포함된 각 블록은 블록 헤더(211)와 블록 바디(213)를 포함하도록 구성될 수 있다. 상기 블록 헤더(211)는 각 블록들간의 연결 관계를 나타내기 위하여 이전 블록(220)의 해시 값을 포함할 수 있다. 상기 블록체인(200)이 유효한지 검증하는 과정에서 상기 블록 헤더(211) 내의 연결 관계가 사용된다. 상기 블록 바디(213)는 상기 블록(210)에 저장되고 관리되는 데이터, 예를 들어 트랜잭션 리스트 또는 트랜잭션 체인을 포함할 수 있다.Each block included in the block chain 200 may be configured to include a block header 211 and a block body 213 . The block header 211 may include a hash value of the previous block 220 to indicate a connection relationship between blocks. In the process of verifying whether the block chain 200 is valid, the connection relationship in the block header 211 is used. The block body 213 may include data stored and managed in the block 210 , for example, a transaction list or a transaction chain.
도 3을 참조하면, 상기 블록 헤더(211)는 이전 블록의 해시(2112), 현재 블록의 해시(2113), 넌스(Nonce)(2114)를 포함할 수 있다. 또한, 상기 블록 헤더(211)는 블록 내의 트랜잭션 리스트의 헤더를 나타내는 루트(2115)를 포함할 수 있다.Referring to FIG. 3 , the block header 211 may include a hash 2112 of a previous block, a hash 2113 of a current block, and a nonce 2114 . Also, the block header 211 may include a root 2115 indicating a header of a transaction list in a block.
전술된 바와 같이, 상기 블록체인(200)은 연결된 하나 이상의 블록들을 포함할 수 있다. 상기 하나 이상의 블록들은 상기 블록 헤더(211) 내의 해시 값에 기초하여 연결된다. 상기 블록 헤더(211)에 포함된 이전 블록의 해시 값(2112)은 직전 블록(220)에 대한 해시 값으로서 직전 블록(220)에 포함된 현재 해시(2213)와 동일한 값이다. 상기 하나 이상의 블록들은 각 블록 헤더 내의 이전 블록의 해시 값에 의하여 연쇄적으로 연결된다. 상기 분산형 네트워크에 참여하는 노드들은 상기 하나 이상의 블록들에 포함된 이전 블록의 해시 값에 기반하여 블록의 유효성을 검증하므로 악의적인 단일 노드가 이미 생성된 블록의 내용을 위조 또는 변조하는 행위가 불가능하다.As described above, the blockchain 200 may include one or more connected blocks. The one or more blocks are connected based on a hash value in the block header 211 . The hash value 2112 of the previous block included in the block header 211 is the same as the current hash 2213 included in the previous block 220 as a hash value of the previous block 220 . The one or more blocks are chained by the hash value of the previous block in each block header. Nodes participating in the distributed network verify the validity of a block based on the hash value of the previous block included in the one or more blocks, so it is impossible for a single malicious node to forge or falsify the contents of an already created block do.
상기 블록 바디(213)는 트랜잭션 리스트(2131)를 포함할 수 있다. 상기 트랜잭션 리스트(2131)는 블록체인 기반의 거래의 목록이다. 예를 들면, 상기 트랜잭션 리스트(2131)는 상기 블록체인 기반의 금융 시스템에서 이루어진 금융 거래에 대한 기록을 포함할 수 있다. 상기 트랜잭션 리스트(2131)는 트리(tree) 형태로 표현될 수 있으며, 예를 들어, 사용자 A가 사용자 B에게 전송한 금액을 목록 형태로 기록하며, 블록 내의 저장 길이는 현재 블록에 포함된 트랜잭션의 수에 기초하여 증감될 수 있다.The block body 213 may include a transaction list 2131 . The transaction list 2131 is a list of blockchain-based transactions. For example, the transaction list 2131 may include a record of financial transactions made in the blockchain-based financial system. The transaction list 2131 may be expressed in the form of a tree, for example, the amount of money transmitted by user A to user B is recorded in the form of a list, and the storage length in the block is the value of the transaction included in the current block. It can be increased or decreased based on the number.
그리고, 블록(210)은 블록 헤더(211)와 블록 바디(213)에 포함된 정보 이외의 기타 정보(2116)를 포함할 수 있다. In addition, the block 210 may include other information 2116 other than the information included in the block header 211 and the block body 213 .
분산형 네트워크에 참여하는 노드들은 동일한 블록체인을 가지며, 블록에는 동일한 트랜잭션이 저장된다. 트랜잭션 목록이 포함된 블록이 네트워크에 공유되므로 모든 참여자가 검증할 수 있다.Nodes participating in a decentralized network have the same blockchain, and the same transactions are stored in blocks. A block containing a list of transactions is shared on the network, so all participants can verify it.
도 4는 본 발명의 일 실시예에 따른 DID 기반의 사용자 인증 시스템을 도시한 블록도이다. 4 is a block diagram illustrating a DID-based user authentication system according to an embodiment of the present invention.
도 4를 참조하면, 본 발명의 일 실시예에 따른 DID 기반의 사용자 인증 시스템(300)은, 발행기관 노드(400), 트러스트앵커 노드(500), 사용자 노드(600), 트랜잭션 통계 시스템(700)을 포함하도록 구성된다. Referring to FIG. 4 , the DID-based user authentication system 300 according to an embodiment of the present invention includes an issuer node 400 , a trust anchor node 500 , a user node 600 , and a transaction statistics system 700 . ) is configured to include
본 발명에서는 발행기관 노드(400)가 사용자 인증을 위한 증명서 발급에 사용될 복수 개의 공개키를 DID 문서에 기록한 후 발행기관 노드(400) 또는 트러스트앵커 노드(500)를 통하여 상기 DID 문서를 블록체인에 미리 등록하였음을 가정한다. In the present invention, after the issuing agency node 400 records a plurality of public keys to be used for issuing a certificate for user authentication in the DID document, the DID document is stored in the block chain through the issuing agency node 400 or the trust anchor node 500 It is assumed that you have registered in advance.
본 발명에서의 DID 기반 사용자 인증 시스템(300)의 동작 알고리즘은 우선, 발행기관 노드(400)는 트러스트앵커 노드(500)에서 수행되는 본인인증 절차를 완료하고, 본인인증 절차 수행 후 발행기관 노드(400) 자신의 DID를 트러스트앵커 노드(500)로 전달한다. The operation algorithm of the DID-based user authentication system 300 in the present invention is first, the issuing agency node 400 completes the self-authentication procedure performed in the trust anchor node 500, and after performing the self-authentication procedure, the issuing agency node ( 400) It transmits its DID to the trust anchor node 500 .
트러스트앵커 노드(500)에서 수행되는 본인인증 절차는 발행기관 노드(400)의 신원을 확인하는 단계로서, 휴대폰 본인인증, 전자서명 등 다양한 방식의 인증 절차로 수행될 수 있다. The self-authentication procedure performed in the trust anchor node 500 is a step of confirming the identity of the issuing authority node 400, and may be performed by various authentication procedures such as mobile phone self-authentication and digital signature.
그리고, 트러스트앵커 노드(500)는 발행기관 노드(400)로부터 전달된 DID를 확인하고, 발행기관 노드(400)로부터 전달된 DID가 검증되면, 트러스트앵커 노드(500)는 해당 발행기관 노드(400)에 대해 신원인증 VC(Verifiable Credential)를 발행한다. Then, the trust anchor node 500 checks the DID transmitted from the issuing authority node 400, and when the DID transmitted from the issuing authority node 400 is verified, the trust anchor node 500 is the corresponding issuing authority node 400 ) to issue an identity authentication VC (Verifiable Credential).
검증가능한 자격증명(VC; Verifiable Credential)과 관련하여, Claim은 하나의 주체에 대한 설명으로서 주체-특성-정보의 관계로 표현된다. Credential은 발행인이 발급하는 증명서로서 하나의 주체에 대해 만들어진 하나 이상의 Claim의 집합이다. VC(Verifiable Credential)는 Credential에 발행인의 전자서명이 포함된 데이터로 발급한, Credential이 변경되었는지에 관한 정보, 발행인 정보, 전자서명 등의 메타 데이터가 포함된 데이터의 집합이다.In relation to Verifiable Credential (VC), Claim is a description of one subject and is expressed as a subject-property-information relationship. A credential is a certificate issued by an issuer, and is a set of one or more claims made for one subject. VC (Verifiable Credential) is a set of data that is issued as data including the issuer's digital signature in the credential, and includes metadata such as information on whether the credential has been changed, issuer information, and a digital signature.
트러스트앵커 노드(500)가 발행기관 노드(400)에 대해 발행한 신원인증 VC는 해당 발행기관 노드(400)가 제공한 DID가 검증되었다는 의미를 갖고, 해당 발행기관 노드(400)는 DID 문서에 대해 신원 인증 및 소유권 인증이 된 것을 의미한다. The identity authentication VC issued by the trust anchor node 500 to the issuing authority node 400 means that the DID provided by the issuing authority node 400 has been verified, and the issuing authority node 400 is in the DID document. It means that identity and ownership have been verified.
후속적으로 블록체인의 트랜잭션 통계 분석을 통해, 트러스트앵커 노드(500)는 발행기관 노드(400)에서 사용자 인증을 위한 증명서 발급에 사용된 공개키 정보를 확인하여 발행기관 노드(400)로 인증 요청을 하고, 발행기관 노드(400)의 확인을 받아 인증 결과를 공개하고, 사용자들은 상기 인증 결과를 통해 블록체인에 등록된 DID 문서를 신뢰할 수 있다. 따라서, 트러스트앵커 노드(500), 발행기관 노드(400), 사용자 노드(600)는 서로에게 신뢰를 제공하면서 투명한 증명서 발급 과정이 수행될 수 있다. Subsequently, through the transaction statistical analysis of the block chain, the trust anchor node 500 checks the public key information used for issuing a certificate for user authentication in the issuing agency node 400 and requests authentication to the issuing agency node 400 and publishes the authentication result by receiving the confirmation of the issuing authority node 400, and users can trust the DID document registered in the block chain through the authentication result. Accordingly, the trust anchor node 500 , the issuing authority node 400 , and the user node 600 can perform a transparent certificate issuance process while providing trust to each other.
이하에서는 각 구성요소의 역할 및 동작과정에 대해 설명한다. Hereinafter, the role and operation process of each component will be described.
발행기관 노드(400)는 사용자 신원 인증을 위한 증명서를 발급하는 노드로서, 사용자 노드(600)에서의 증명서 발급 요청에 대해 사용자 신원 인증을 위한 증명서를 발급하여 사용자 노드(600)로 전달하고, 증명서 발급 이력을 블록체인의 블록 내에 트랜잭션으로 기록한다. The issuing authority node 400 is a node that issues a certificate for user identity authentication, and issues a certificate for user identity authentication in response to a certificate issuance request from the user node 600 and transmits it to the user node 600 , the certificate The issuance history is recorded as a transaction in the block of the blockchain.
이에 앞서, 최초의 발행기관 노드(400)는 증명서 발급에 사용될 복수 개의 공개키를 DID 문서에 추가하여 상기 DID 문서를 트러스트앵커 노드(500)로 전달하고, 블록체인에 등록 요청한다. 즉, 발행기관 노드(400)는 DID 문서에 등록할 공개키들을 생성하고, 상기 공개키들을 DID 문서에 포함하여 트러스트앵커 노드(500)로 전달하고, 블록체인에 등록 요청한다. Prior to this, the first issuing authority node 400 adds a plurality of public keys to be used for issuing a certificate to the DID document, transmits the DID document to the trust anchor node 500, and requests registration in the block chain. That is, the issuing authority node 400 generates public keys to be registered in the DID document, transmits the public keys to the trust anchor node 500 by including the public keys in the DID document, and requests registration in the block chain.
또는, 최초의 발행기관 노드(400)는 증명서 발급에 사용될 복수 개의 공개키를 DID 문서에 추가하여 상기 DID 문서를 직접 블록체인에 등록한다. Alternatively, the first issuing authority node 400 adds a plurality of public keys to be used for issuing a certificate to the DID document and directly registers the DID document in the block chain.
아래는 DID 문서의 예시를 나타낸 것이다.Below is an example of a DID document.
(DID Document)(DID Document)
authentication - 공개키X, 공개키Y, 공개키Z, … authentication - public key X, public key Y, public key Z, …
assertionMethod - 공개키A, 공개키B, 공개키C, …assertionMethod - public key A, public key B, public key C, …
capabilityInvocation - … , capabilityDelegation - … , keyAgreement - … capabilityInvocation - … , capabilityDelegation - … , keyAgreement - …
발행기관 노드(400)는 증명서 발급 이력을 블록체인의 블록 내에 트랜잭션으로 기록하며, 아래는 기록되는 트랜잭션의 예시를 나타낸 것이다. The issuing authority node 400 records the certificate issuance history as a transaction in the block of the block chain, and the following is an example of the recorded transaction.
(Transaction)(Transaction)
("did:lit:thisisAschool", 성적증명서, 공개키A, 20201201), ("did:lit:thisisAschool", 성적증명서, 공개키A, 20201130), ("did:lit:thisisAschool", transcript, public key A, 20201201), ("did:lit:thisisAschool", transcript, public key A, 20201130),
("did:lit:thisisAschool", 성적증명서, 공개키P , 20201130), …("did:lit:thisisAschool", transcript, public key P , 20201130), …
("did:lit:thisisAschool", 졸업증명서, 공개키B, 20201203), ("did:lit:thisisAschool", 졸업증명서, 공개키B, 20201201), …("did:lit:thisisAschool", graduation certificate, public key B, 20201203), ("did:lit:thisisAschool", graduation certificate, public key B, 20201201), …
("did:lit:thisisAschool", 학적부, 공개키C, 20201202), ("did:lit:thisisAschool", 학적부, 공개키C, 20201206), …("did:lit:thisisAschool", academic record, public key C, 20201202), ("did:lit:thisisAschool", academic record, public key C, 20201206), …
상기 트랜잭션에는 발행기관 노드(400)에서 증명서 발급에 이용된 공개키별로 각 대응하는 증명서 종류가 기록되어 있으며, 각 대응하는 증명서 종류별로 증명서 발급에 이용되는 공개키의 종류가 달라진다. 상기 예시에서 공개키P는 성적증명서 발급에 있어서 공개키A 이전에 사용되었던 키를 의미하며, 트랜잭션에는 이러한 히스토리가 모두 기록된다. In the transaction, each corresponding certificate type is recorded for each public key used for issuing the certificate in the issuing authority node 400, and the type of the public key used for issuing the certificate is different for each corresponding certificate type. In the above example, the public key P means a key used before the public key A in issuing transcripts, and all these histories are recorded in the transaction.
트랜잭션 통계 시스템(700)은 블록체인의 블록 내에 기록된 트랜잭션으로부터 트랜잭션 통계를 전달받아 저장한다. 트랜잭션 통계에는 발행기관 노드(400)에서 증명서 발급에 이용한 공개키가 각 증명서별로 매칭되어 통계적으로 저장되어 있다. The transaction statistics system 700 receives and stores transaction statistics from transactions recorded in blocks of the block chain. In the transaction statistics, the public key used for issuing the certificate in the issuing authority node 400 is matched for each certificate and statistically stored.
트러스트앵커 노드(500)는 트랜잭션 통계 시스템(700)으로부터 트랜잭션 통계 정보를 전달받으며, 상기 트랜잭션 통계 정보를 통해 발행기관 노드(400)에서의 증명서 발급 이력에 이용된 트랜잭션의 누적 데이터를 획득하고, 발행기관 노드(400)에서 증명서 발급에 이용된 공개키들의 정보를 통계적으로 연산한다. 아래는 발행기관 노드(400)에서의 증명서 발급 이력에 이용된 트랜잭션의 누적 데이터를 개략적으로 나타낸 것이다.The trust anchor node 500 receives transaction statistics information from the transaction statistics system 700, and acquires and issues accumulated data of transactions used in the certificate issuance history in the issuing authority node 400 through the transaction statistics information The authority node 400 statistically calculates information on public keys used for certificate issuance. The following schematically shows the accumulated data of transactions used in the certificate issuance history in the issuing authority node 400 .
A학교 : 성적 증명서 : [ 공개키A, 공개키P ]School A: Transcript: [Public Key A, Public Key P]
A학교 : 졸업 증명서 : [ 공개키B ]School A: Graduation certificate: [Public key B]
A학교 : 학적부 : [ 공개키C ]School A: Academic record: [Public key C]
그리고, 트러스트앵커 노드(500)는 자신이 보증하는 발행기관 노드(400)(예를 들어, A학교)를 보증하기 위해 특정 발행기관 노드(400)에게 트랜잭션의 누적 데이터를 통해 통계낸 공개키에 대한 인증을 주기적 또는 비주기적으로 요청한다. 즉, 특정 발행기관 노드(400)(예를 들어, A학교)가 증명서 발급에 이용한 공개키가 블록체인에 등록된 DID 문서에 포함되어 있는 값임을 증명하기 위해 특정 발행기관 노드(400)로 인증을 요청한다. In addition, the trust anchor node 500 provides the public key statistically through the accumulated data of the transaction to the specific issuing institution node 400 in order to guarantee the issuing institution node 400 (eg, school A) that it guarantees. Requests for authentication periodically or aperiodically. That is, to prove that the public key used by the specific issuing agency node 400 (eg, school A) is a value included in the DID document registered in the block chain, it is authenticated with the specific issuing agency node 400 . to request
아래는 트러스트앵커 노드(500)가 특정 발행기관 노드(400)르 인증 요청한 쿼리문의 예시를 나타낸 것이다. The following shows an example of a query statement in which the trust anchor node 500 requests authentication of a specific issuing authority node 400 .
requestAuthentication(공개키A, 공개키B, 공개키C, 공개키P) requestAuthentication(Public Key A, Public Key B, Public Key C, Public Key P)
트러스트앵커 노드(500)는 특정 발행기관 노드(400)에게 모든 공개키에 대한 인증을 요청하거나, 임계치 값을 설정하여 인증을 요청할 수 있다. The trust anchor node 500 may request authentication for all public keys from a specific issuing authority node 400, or may request authentication by setting a threshold value.
즉, 특정 발행기관 노드(400)는 보안성을 위해 증명서 발급에 사용되는 키를 주기적 또는 비주기적으로 교체할 수 있는데, 트랜잭션 통계 시스템(700)은 증명서 발급에 사용된 여러 키(현재 사용되는 키, 교체 전 사용된 키)들의 정보를 통계적으로 연산한다. 이런 경우에 트러스트앵커 노드(500)는 특정 발행기관 노드(400)에게 증명서 발급에 사용된 모든 키에 대해 인증을 요청하거나 임계치 값을 설정하여 그 임계치에 해당하는 개수의 키에 대해 인증을 요청할 수 있다.That is, the specific issuing authority node 400 may periodically or aperiodically replace the key used for issuing the certificate for security. , the information of keys used before replacement) is calculated statistically. In this case, the trust anchor node 500 may request authentication for all keys used for certificate issuance from the specific issuing authority node 400, or set a threshold value to request authentication for the number of keys corresponding to the threshold value. have.
구체적으로 예를 들어, DID 문서에 키가 N개 등록되어있다고 가정하면, 모든 N개의 키에 대한 인증을 요구하여 N개의 인증 결과를 받았을 때 발행기관 노드(400)는 키를 모두 소유하고 있다고 판단할 수 있다. 하지만 키의 개수가 많아질 경우 모든 키에 대한 인증 요청을 하고 검증하기에 부하가 발생할 수 있으므로, 이 경우에 임계치 값 M(M ≤ N)을 설정하여 M개 이상의 인증 결과를 받을 경우 발행기관 노드(400)는 모든 키를 소유하고 있다고 판단할 수도 있다. Specifically, for example, assuming that N keys are registered in the DID document, when N authentication results are requested by requesting authentication for all N keys, it is determined that the issuing authority node 400 owns all the keys. can do. However, if the number of keys increases, it may cause a load to request and verify authentication for all keys. (400) may determine that all keys are owned.
트러스트앵커 노드(500)는 특정 발행기관 노드(400)에 대한 인증 결과를 공개하여 특정 발행기관 노드(400)의 신뢰성을 보증한다. 사용자 노드(600)들은 트러스트앵커 노드(500)의 특정 발행기관 노드(400)에 대한 인증 결과를 통해 블록체인에 등록된 DID 문서의 신뢰성을 가질 수 있다. The trust anchor node 500 guarantees the reliability of the specific issuing authority node 400 by publishing the authentication result for the specific issuing authority node 400 . The user nodes 600 may have the reliability of the DID document registered in the block chain through the authentication result for the specific issuer node 400 of the trust anchor node 500 .
본 발명에 따르면, DID 기반 서비스에서 발생하는 근본적인 오라클 문제를 개선할 수 있다. DID 기반 서비스는 신원을 관리해주는 중앙 기관이 없으므로 인증 방안이 매우 중요하다. 그러므로 트러스트앵커 노드(500)가 발급한 DID를 사용자가 전적으로 신뢰하기에는 한계가 존재한다. According to the present invention, it is possible to improve a fundamental oracle problem occurring in a DID-based service. In DID-based services, there is no central authority that manages identity, so the authentication method is very important. Therefore, there is a limit for the user to completely trust the DID issued by the trust anchor node 500 .
본 발명에서 제안한 방법을 통해 트러스트앵커 노드(500)는 트랜잭션에 기록된 누적 데이터를 이용해 주기적 또는 비주기적으로 자신이 보증한 발행기관 노드(400)가 인증되었음을 증명할 수 있으며, 이를 공개함으로써 사용자는 통신하고자 하는 발행기관 노드(400)의 DID 문서를 신뢰할 수 있다. 발행기관 노드(400) 또한 주기적 또는 비주기적인 신원 인증을 통해서 사용자 노드(600), 트러스트앵커 노드(500)에게 신뢰를 제공하면서 투명한 증명서 발급이 이루어지게 된다. Through the method proposed in the present invention, the trust anchor node 500 can use the accumulated data recorded in the transaction to periodically or aperiodically prove that the issuing authority node 400 that it guarantees is authenticated, and by disclosing this, the user can communicate You can trust the DID document of the publisher node 400 you want to use. The issuing authority node 400 also provides trust to the user node 600 and the trust anchor node 500 through periodic or aperiodic identity authentication, and transparent certificate issuance is made.
본 발명에서 제안한 방법을 통해 발행기관 노드(400), 트러스트앵커 노드(500), 사용자 노드(600)는 블록체인에 등록된 DID 문서를 신뢰할 수 있으면서 DID 기반 서비스에서 발생가능한 오라클 문제를 개선할 수 있다.Through the method proposed in the present invention, the issuer node 400, trust anchor node 500, and user node 600 can trust the DID document registered in the block chain and improve oracle problems that may occur in DID-based services. have.
도 5는 본 발명의 일 실시예에 따른 DID 기반의 사용자 인증 방법을 도시한 순서도이다. 5 is a flowchart illustrating a DID-based user authentication method according to an embodiment of the present invention.
도 5를 참조하면, 본 발명의 일 실시예에 따른 DID 기반의 사용자 인증 방법은 발행기관 노드(400), 트러스트앵커 노드(500), 사용자 노드(600), 트랜잭션 통계 시스템(700) 사이에서의 동작을 포함하며, 우선, 최초의 발행기관 노드(400)는 증명서 발급에 사용될 복수 개의 공개키를 DID 문서에 추가하고, 상기 DID 문서를 트러스트앵커 노드(500)로 전달하여 블록체인에 등록 요청하거나, 최초의 발행기관 노드(400)가 직접 블록체인에 등록한다(S100). 즉, 발행기관 노드(400)가 증명서 발급에 사용할 공개키들이 포함된 DID 문서를 어떤 방식으로든 블록체인에 등록해 둔다. Referring to FIG. 5 , a DID-based user authentication method according to an embodiment of the present invention is performed between an issuer node 400 , a trust anchor node 500 , a user node 600 , and a transaction statistics system 700 . operation, and first, the first issuing authority node 400 adds a plurality of public keys to be used for certificate issuance to the DID document, and transmits the DID document to the trust anchor node 500 to request registration in the block chain or , the first issuing agency node 400 directly registers in the block chain (S100). That is, the issuing authority node 400 registers the DID document including the public keys to be used for issuing the certificate in the block chain in some way.
이어서, 발행기관 노드(400)는 증명서 발급 이력을 블록체인의 블록 내에 트랜잭션으로 기록한다(S110).Next, the issuing authority node 400 records the certificate issuance history as a transaction in the block of the block chain (S110).
이어서, 트랜잭션 통계 시스템(700)은 블록체인의 블록 내에 기록된 트랜잭션으로부터 트랜잭션 통계를 전달받아 저장한다(S120). 트랜잭션 통계에는 발행기관 노드(400)에서 증명서 발급에 이용한 공개키가 각 증명서별로 매칭되어 통계적으로 저장되어 있다.Then, the transaction statistics system 700 receives and stores the transaction statistics from the transactions recorded in the block of the block chain (S120). In the transaction statistics, the public key used for issuing the certificate in the issuing authority node 400 is matched for each certificate and statistically stored.
이어서, 트러스트앵커 노드(500)는 트랜잭션 통계 시스템(700)으로부터 트랜잭션 통계 정보를 전달받으며, 상기 트랜잭션 통계 정보를 통해 발행기관 노드(400)에서의 증명서 발급 이력에 이용된 트랜잭션의 누적 데이터를 획득하고, 발행기관 노드(400)에서 증명서 발급에 이용된 공개키들의 정보를 통계적으로 연산한다. 그리고, 트러스트앵커 노드(500)는 자신이 보증하는 발행기관 노드(400)를 보증하기 위해 특정 발행기관 노드(400)에게 트랜잭션의 누적 데이터를 통해 통계낸 공개키에 대한 인증을 주기적 또는 비주기적으로 요청한다(S130).Then, the trust anchor node 500 receives transaction statistics information from the transaction statistics system 700, and acquires accumulated data of transactions used in the certificate issuance history in the issuing authority node 400 through the transaction statistics information, , statistically calculates information on public keys used for certificate issuance in the issuing authority node 400 . In addition, the trust anchor node 500 periodically or aperiodically authenticates the public key statistically obtained through the accumulated data of the transaction to the specific issuer node 400 in order to guarantee the issuing authority node 400 that it guarantees. request (S130).
이어서, 트러스트앵커 노드(500)는 특정 발행기관 노드(400)에 대한 인증 결과를 공개하여(S140) 특정 발행기관 노드(400)의 신뢰성을 보증한다.Next, the trust anchor node 500 guarantees the reliability of the specific issuer node 400 by publishing the authentication result for the specific issuer node 400 ( S140 ).
도 6은 본 발명의 다른 실시예에 따른 DID 기반의 사용자 인증 시스템을 도시한 블록도이다. 6 is a block diagram illustrating a DID-based user authentication system according to another embodiment of the present invention.
도 6을 참조하면, 본 발명의 다른 실시예에 따른 DID 기반의 사용자 인증 시스템(310)은, 발행기관 노드(400), 제1 트러스트앵커 노드(510), 제2 트러스트앵커 노드(520), 사용자 노드(600), 트랜잭션 통계 시스템(700)을 포함하도록 구성된다. Referring to FIG. 6 , the DID-based user authentication system 310 according to another embodiment of the present invention includes an issuer node 400 , a first trust anchor node 510 , a second trust anchor node 520 , and a user node 600 , a transaction statistics system 700 .
발행기관 노드(400)는 상술한 바와 같이, 사용자 신원 인증을 위한 증명서를 발급하는 노드로서, 사용자 노드(600)에서의 증명서 발급 요청에 대해 사용자 신원 인증을 위한 증명서를 발급하여 사용자 노드(600)로 전달하고, 증명서 발급 이력을 블록체인의 블록 내에 트랜잭션으로 기록한다. As described above, the issuing authority node 400 is a node that issues a certificate for user identity authentication, and issues a certificate for user identity authentication in response to a certificate issuance request from the user node 600 to the user node 600 . and records the certificate issuance history as a transaction in the block of the blockchain.
이에 앞서, 최초의 발행기관 노드(400)는 증명서 발급에 사용될 복수 개의 공개키를 DID 문서에 추가하여 상기 DID 문서를 공신력이 있는 제1 트러스트앵커 노드(510)로 전달하고, 블록체인에 등록 요청한다. 즉, 발행기관 노드(400)는 DID 문서에 등록할 공개키들을 생성하고, 상기 공개키들을 DID 문서에 포함하여 제1 트러스트앵커 노드(510)로 전달하고, 블록체인에 등록 요청한다.Prior to this, the first issuing agency node 400 adds a plurality of public keys to be used for issuing a certificate to the DID document, transmits the DID document to the first trust anchor node 510 with public trust, and requests registration on the block chain do. That is, the issuing authority node 400 generates public keys to be registered in the DID document, transmits the public keys to the first trust anchor node 510 by including the public keys in the DID document, and requests registration in the block chain.
또는, 최초의 발행기관 노드(400)는 증명서 발급에 사용될 복수 개의 공개키를 DID 문서에 추가하여 상기 DID 문서를 직접 블록체인에 등록한다. Alternatively, the first issuing authority node 400 adds a plurality of public keys to be used for issuing a certificate to the DID document and directly registers the DID document in the block chain.
발행기관 노드(400)는 증명서 발급 이력을 블록체인의 블록 내에 트랜잭션으로 기록한다. 상기 트랜잭션에는 발행기관 노드(400)에서 증명서 발급에 이용된 공개키별로 각 대응하는 증명서 종류가 기록되어 있으며, 각 대응하는 증명서 종류별로 증명서 발급에 이용되는 공개키의 종류가 달라진다. 특히, 상기 트랜잭션에는 증명서 발급에 이용되었던 공개키의 변경 내역에 관한 히스토리가 모두 기록된다. The issuing authority node 400 records the certificate issuance history as a transaction in the block of the block chain. In the transaction, each corresponding certificate type is recorded for each public key used for issuing the certificate in the issuing authority node 400, and the type of the public key used for issuing the certificate is different for each corresponding certificate type. In particular, in the transaction, a history of the change details of the public key used for issuing the certificate is all recorded.
트랜잭션 통계 시스템(700)은 블록체인의 블록 내에 기록된 트랜잭션으로부터 트랜잭션 통계를 전달받아 저장한다. 트랜잭션 통계에는 발행기관 노드(400)에서 증명서 발급에 이용한 공개키가 각 증명서별로 매칭되어 통계적으로 저장되어 있다. The transaction statistics system 700 receives and stores transaction statistics from transactions recorded in blocks of the block chain. In the transaction statistics, the public key used for issuing the certificate in the issuing authority node 400 is matched for each certificate and statistically stored.
제2 트러스트앵커 노드(520)는 트랜잭션 통계 시스템(700)으로부터 트랜잭션 통계 정보를 전달받으며, 상기 트랜잭션 통계 정보를 통해 발행기관 노드(400)에서의 증명서 발급 이력에 이용된 트랜잭션의 누적 데이터를 획득하고, 발행기관 노드(400)에서 증명서 발급에 이용된 공개키들의 정보를 통계적으로 연산한다. The second trust anchor node 520 receives transaction statistics information from the transaction statistics system 700, and acquires accumulated data of transactions used in the certificate issuance history in the issuing authority node 400 through the transaction statistics information, , statistically calculates information on public keys used for certificate issuance in the issuing authority node 400 .
그리고, 제2 트러스트앵커 노드(520)는 자신이 보증하는 발행기관 노드(400)를 보증하기 위해 특정 발행기관 노드(400)에게 트랜잭션의 누적 데이터를 통해 통계낸 공개키에 대한 인증을 주기적 또는 비주기적으로 요청한다. 즉, 특정 발행기관 노드(400)가 증명서 발급에 이용한 공개키가 블록체인에 등록된 DID 문서에 포함되어 있는 값임을 증명하기 위해 특정 발행기관 노드(400)로 인증을 요청한다. In addition, the second trust anchor node 520 periodically or non-certifies the public key statistically through the accumulated data of the transaction to the specific issuer node 400 in order to guarantee the issuing authority node 400 that it guarantees. request periodically. That is, in order to prove that the public key used by the specific issuing agency node 400 for issuing the certificate is a value included in the DID document registered in the block chain, authentication is requested from the specific issuing agency node 400 .
제2 트러스트앵커 노드(520)는 특정 발행기관 노드(400)에게 모든 공개키에 대한 인증을 요청하거나, 임계치 값을 설정하여 인증을 요청할 수 있다. The second trust anchor node 520 may request authentication for all public keys from the specific issuing authority node 400 or may request authentication by setting a threshold value.
즉, 특정 발행기관 노드(400)는 보안성을 위해 증명서 발급에 사용되는 키를 주기적 또는 비주기적으로 교체할 수 있는데, 트랜잭션 통계 시스템(700)은 증명서 발급에 사용된 여러 키(현재 사용되는 키, 교체 전 사용된 키)들의 정보를 통계적으로 연산한다. 이런 경우에 제2 트러스트앵커 노드(520)는 특정 발행기관 노드(400)에게 증명서 발급에 사용된 모든 키에 대해 인증을 요청하거나 임계치 값을 설정하여 요청할 수 있다.That is, the specific issuing authority node 400 may periodically or aperiodically replace the key used for issuing the certificate for security. , the information of keys used before replacement) is calculated statistically. In this case, the second trust anchor node 520 may request authentication for all keys used for certificate issuance from the specific issuing authority node 400 or may request by setting a threshold value.
제2 트러스트앵커 노드(520)는 특정 발행기관 노드(400)에 대한 인증 결과를 주기적 또는 비주기적으로 공개하여 특정 발행기관 노드(400)의 신뢰성을 보증한다. 사용자 노드(600)들은 제2 트러스트앵커 노드(520)의 특정 발행기관 노드(400)에 대한 인증 결과를 통해 블록체인에 등록된 DID 문서의 신뢰성을 가질 수 있다. The second trust anchor node 520 guarantees the reliability of the specific issuer node 400 by periodically or non-periodically publishing the authentication result for the specific issuer node 400 . The user nodes 600 may have the reliability of the DID document registered in the block chain through the authentication result for the specific issuer node 400 of the second trust anchor node 520 .
제2 트러스트앵커 노드(520)는 예를 들어, DID 기반 서비스를 제공하는 블록체인의 BP 노드(Block Producer, 블록 생성 노드)들이 블록을 생성할 때 마다 트랜잭션 통계 시스템(700)으로부터 제공받은 트랜잭션의 누적 데이터를 통해 통계낸 공개키에 대한 인증을 특정 발행기관 노드(400)에게 주기적 또는 비주기적으로 요청한다. The second trust anchor node 520, for example, whenever BP nodes (Block Producers, block generating nodes) of the block chain that provide DID-based services generate blocks, the transaction statistics system 700 provides It periodically or aperiodically requests the specific issuing authority node 400 to authenticate the public key statistically based on the accumulated data.
여기에서, 제1 트러스트앵커 노드(510)는 발행기관 노드(400)로부터 DID 문서를 전달받아 블록체인에 등록 요청하는 공신력이 인정되는 노드일 수 있고, 제2 트러스트앵커 노드(520)는 트랜잭션 통계 시스템(700)으로부터 트랜잭션의 누적 데이터를 제공받아 특정 발행기관 노드(400)에 대해 DID 문서 및 공개키에 대한 유효성 인증을 주기적 또는 비주기적으로 수행하는 노드일 수 있다. 제1 트러스트앵커 노드(510)와 제2 트러스트앵커 노드(520)는 물리적으로 서로 분리된 노드이거나 동일한 노드일 수도 있다. Here, the first trust anchor node 510 may be a node whose public trust is recognized by receiving the DID document from the issuing authority node 400 and requesting registration in the block chain, and the second trust anchor node 520 provides transaction statistics It may be a node that receives the accumulated data of the transaction from the system 700 and periodically or aperiodically performs validation of the DID document and the public key for the specific issuer node 400 . The first trust anchor node 510 and the second trust anchor node 520 may be physically separated from each other or may be the same node.
도 7은 본 발명의 실시예에 따른 노드의 컴퓨팅 장치의 구성도이다.7 is a block diagram of a computing device of a node according to an embodiment of the present invention.
도 7을 참조하면, 본 발명의 실시예에 따른 노드의 컴퓨팅 장치(1000)는 프로세서(1100)와 메모리(1200)를 포함하고, 프로세서(1100)는 하나 이상의 코어(core) 및 그래픽 처리부 및/또는 다른 구성요소와 신호를 송수신하는 연결 통로(예를 들어, 버스(bus) 등)를 포함할 수 있다.Referring to FIG. 7 , the computing device 1000 of a node according to an embodiment of the present invention includes a processor 1100 and a memory 1200 , and the processor 1100 includes one or more cores and a graphic processing unit and/or Alternatively, it may include a connection path (eg, a bus, etc.) for transmitting and receiving signals with other components.
일 실시예에 따른 프로세서(1100)는 메모리(1200)에 저장된 하나 이상의 인스트럭션을 실행함으로써, 도 4 내지 도 6과 관련하여 설명된 DID 기반의 사용자 인증 시스템의 동작을 실행한다. The processor 1100 according to an embodiment executes the operation of the DID-based user authentication system described with reference to FIGS. 4 to 6 by executing one or more instructions stored in the memory 1200 .
예를 들어, 프로세서(1100)는 메모리에 저장된 하나 이상의 인스트럭션을 실행함으로써 하나 이상의 노드에서 발생되는 데이터 업로드/다운로드에 관한 정보들을 수집하고, 상기 수집된 정보들을 블록에 기록하고, 상기 블록에 기록된 정보에 기초하여, 적어도 하나의 노드에 대해 관련 정보를 제공한다. For example, the processor 1100 collects information about data upload/download that occurs in one or more nodes by executing one or more instructions stored in the memory, writes the collected information to a block, and writes the collected information to the block. Based on the information, related information is provided for at least one node.
한편, 프로세서(1100)는 내부에서 처리되는 신호(또는, 데이터)를 일시적 및/또는 영구적으로 저장하는 램(RAM: Random Access Memory) 및 롬(ROM: Read-Only Memory)을 더 포함할 수 있다. 또한, 프로세서(1100)는 그래픽 처리부, 램 및 롬 중 적어도 하나를 포함하는 시스템온칩(SoC: system on chip) 형태로 구현될 수 있다. Meanwhile, the processor 1100 may further include a random access memory (RAM) and a read-only memory (ROM) for temporarily and/or permanently storing signals (or data) processed therein. . In addition, the processor 1100 may be implemented in the form of a system on chip (SoC) including at least one of a graphic processing unit, a RAM, and a ROM.
메모리(1200)에는 프로세서(1100)의 처리 및 제어를 위한 프로그램들(하나 이상의 인스트럭션들)을 저장할 수 있다. 메모리(1200)에 저장된 프로그램들은 기능에 따라 복수 개의 모듈들로 구분될 수 있다.The memory 1200 may store programs (one or more instructions) for processing and controlling the processor 1100 . Programs stored in the memory 1200 may be divided into a plurality of modules according to functions.
본 발명의 실시예와 관련하여 설명된 시스템의 동작들은 하드웨어로 직접 구현되거나, 하드웨어에 의해 실행되는 소프트웨어 모듈로 구현되거나, 또는 이들의 결합에 의해 구현될 수 있다. 소프트웨어 모듈은 RAM(Random Access Memory), ROM(Read Only Memory), EPROM(Erasable Programmable ROM), EEPROM(Electrically Erasable Programmable ROM), 플래시 메모리(Flash Memory), 하드 디스크, 착탈형 디스크, CD-ROM, 또는 본 발명이 속하는 기술 분야에서 잘 알려진 임의의 형태의 컴퓨터 판독가능 기록매체에 상주할 수도 있다.The operations of the system described in relation to the embodiments of the present invention may be implemented directly in hardware, as a software module executed by hardware, or by a combination thereof. A software module may include random access memory (RAM), read only memory (ROM), erasable programmable ROM (EPROM), electrically erasable programmable ROM (EEPROM), flash memory, hard disk, removable disk, CD-ROM, or It may reside in any type of computer-readable recording medium well known in the art to which the present invention pertains.
본 발명의 구성 요소들은 하드웨어인 컴퓨터와 결합되어 실행되기 위해 프로그램(또는 어플리케이션)으로 구현되어 매체에 저장될 수 있다. 본 발명의 구성 요소들은 소프트웨어 프로그래밍 또는 소프트웨어 요소들로 실행될 수 있으며, 이와 유사하게, 실시 예는 데이터 구조, 프로세스들, 루틴들 또는 다른 프로그래밍 구성들의 조합으로 구현되는 다양한 알고리즘을 포함하여, C, C++, 자바(Java), 어셈블러(assembler) 등과 같은 프로그래밍 또는 스크립트 언어로 구현될 수 있다. 기능적인 측면들은 하나 이상의 프로세서들에서 실행되는 알고리즘으로 구현될 수 있다.The components of the present invention may be implemented as a program (or application) to be executed in combination with a computer, which is hardware, and stored in a medium. Components of the present invention may be implemented as software programming or software components, and similarly, embodiments may include various algorithms implemented as data structures, processes, routines, or combinations of other programming constructs, including C, C++ , Java, assembler, etc. may be implemented in a programming or scripting language. Functional aspects may be implemented in an algorithm running on one or more processors.
전술된 실시예들은 모든 면에서 예시적인 것이며 한정적인 것이 아닌 것으로 이해되어야 하며, 본 발명의 범위는 전술된 상세한 설명보다는 후술될 청구범위에 의해 나타내어질 것이다. 그리고 이 청구범위의 의미 및 범위는 물론, 그 등가개념으로부터 도출되는 모든 변경 및 변형 가능한 형태가 본 발명의 범위에 포함되는 것으로 해석되어야 한다.It is to be understood that the above-described embodiments are illustrative in all respects and not restrictive, the scope of the present invention being indicated by the following claims rather than by the foregoing detailed description. And it should be construed that all changes and modifications derived from the meaning and scope of the claims as well as equivalent concepts are included in the scope of the present invention.

Claims (5)

  1. 발행기관 노드, 트러스트앵커 노드, 사용자 노드, 및 트랜잭션 통계 시스템을 포함하는 DID 기반의 사용자 인증 시스템으로서,A DID-based user authentication system comprising an issuer node, a trust anchor node, a user node, and a transaction statistics system,
    사용자 신원 인증 또는 공적 증명을 위한 증명서 발급에 관한 이력을 블록체인의 블록 내에 트랜잭션으로 기록하는 발행기관 노드;an issuer node that records the history of issuing a certificate for user identity authentication or public authentication as a transaction in a block of the block chain;
    상기 블록에 기록된 트랜잭션으로부터 트랜잭션 통계를 전달받아 저장하는 트랜잭션 통계 시스템;a transaction statistics system for receiving and storing transaction statistics from the transactions recorded in the block;
    상기 트랜잭션 통계 시스템으로부터 전달받은 트랜잭션 통계 정보를 이용하여 상기 발행기관 노드에서의 증명서 발급에 이용된 공개키들의 정보를 통계적으로 연산하는 트러스트앵커 노드; 및a trust anchor node for statistically calculating information on public keys used for certificate issuance in the issuing authority node using the transaction statistics information received from the transaction statistics system; and
    상기 발행기관 노드에 대해 사용자 신원 인증 또는 공적 증명을 위한 증명서 발급 요청을 수행하는 사용자 노드;를 포함하고, A user node that performs a certificate issuance request for user identity authentication or public authentication to the issuing authority node;
    상기 트러스트앵커 노드는 상기 발행기관 노드에 대해 증명서 발급에 이용된 상기 공개키들에 대한 인증을 요청하는, DID 기반의 사용자 인증 시스템.The trust anchor node requests the issuing authority node to authenticate the public keys used to issue the certificate, a DID-based user authentication system.
  2. 제 1항에 있어서, The method of claim 1,
    상기 발행기관 노드가 상기 블록에 트랜잭션으로 기록한 증명서 발급 이력은, The certificate issuance history recorded by the issuing authority node as a transaction in the block is,
    증명서 발급에 이용된 공개키별로 각 대응하는 증명서 종류가 기록되고, 각 대응하는 증명서의 종류별로 사용된 공개키 및 이전에 사용된 공개키에 대한 정보를 모두 포함하는, DID 기반의 사용자 인증 시스템.A DID-based user authentication system in which each corresponding certificate type is recorded for each public key used for issuing a certificate, and information on the public key used for each corresponding certificate type and the previously used public key are all included.
  3. 제 1항에 있어서, The method of claim 1,
    상기 트러스트앵커 노드는, 상기 발행기관 노드에 대해 증명서 발급에 이용된 모든 공개키에 대한 인증을 요청하거나 임계치 값을 설정하여 인증을 요청하는, DID 기반의 사용자 인증 시스템.The trust anchor node, a DID-based user authentication system for requesting authentication for all public keys used for issuing certificates from the issuing authority node or by setting a threshold value to request authentication.
  4. 발행기관 노드, 제1 트러스트앵커 노드, 제2 트러스트앵커 노드, 사용자 노드, 및 트랜잭션 통계 시스템을 포함하는 DID 기반의 사용자 인증 시스템으로서,A DID-based user authentication system comprising an issuer node, a first trust anchor node, a second trust anchor node, a user node, and a transaction statistics system,
    상기 트러스트앵커 노드에서 수행되는 본인인증 절차 완료 후 자신의 DID를 상기 트러스트앵커 노드로 전달하여 신원인증 VC(Verifiable Credential) 발급을 요청하고, 사용자 신원 인증 또는 공적 증명을 위한 증명서 발급에 관한 이력을 블록체인의 블록 내에 트랜잭션으로 기록하는 발행기관 노드;After completing the identity authentication procedure performed in the trust anchor node, the user transfers his/her DID to the trust anchor node to request the issuance of an identity authentication VC (Verifiable Credential), and blocks the history of user identity authentication or certificate issuance for public authentication issuer nodes that record transactions in blocks of the chain;
    상기 발행기관 노드로부터의 상기 신원인증 VC 발급 요청에 대해 상기 DID 검증 후 상기 신원인증 VC를 발급하는 제1 트러스트앵커 노드;a first trust anchor node for issuing the identity authentication VC after verifying the DID for the identity authentication VC issuance request from the issuing authority node;
    상기 블록에 기록된 트랜잭션으로부터 트랜잭션 통계를 전달받아 저장하는 트랜잭션 통계 시스템; a transaction statistics system for receiving and storing transaction statistics from the transactions recorded in the block;
    상기 발행기관 노드에 대해 사용자 신원 인증 또는 공적 증명을 위한 증명서 발급 요청을 수행하는 사용자 노드; 및a user node for performing a certificate issuance request for user identity authentication or public authentication to the issuing authority node; and
    상기 트랜잭션 통계 시스템으로부터 전달받은 트랜잭션 통계 정보를 이용하여 상기 발행기관 노드에서의 증명서 발급에 이용된 공개키들의 정보를 통계적으로 연산하고, 상기 발행기관 노드에 대해 증명서 발급에 이용된 상기 공개키들에 대한 인증을 요청하는 제2 트러스트앵커 노드;를 포함하는, DID 기반의 사용자 인증 시스템.By using the transaction statistics information received from the transaction statistics system, information on public keys used for certificate issuance in the issuing authority node is statistically calculated, and for the public keys used for certificate issuance to the issuing authority node A DID-based user authentication system, including; a second trust anchor node that requests authentication.
  5. 제 4항에 있어서, 5. The method of claim 4,
    상기 제1 트러스트앵커 노드와 상기 제2 트러스트앵커 노드는 서로 다른 별개의 노드인, DID 기반의 사용자 인증 시스템.The DID-based user authentication system, wherein the first trust anchor node and the second trust anchor node are different and separate nodes.
PCT/KR2022/001384 2021-02-22 2022-01-26 Did-based user authentication system that remedies blockchain oracle problem WO2022177199A1 (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
KR10-2021-0023711 2021-02-22
KR1020210023711A KR102465466B1 (en) 2021-02-22 2021-02-22 The DID-based user authentication system that complements the blockchain's oracle problem

Publications (1)

Publication Number Publication Date
WO2022177199A1 true WO2022177199A1 (en) 2022-08-25

Family

ID=82930911

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/KR2022/001384 WO2022177199A1 (en) 2021-02-22 2022-01-26 Did-based user authentication system that remedies blockchain oracle problem

Country Status (2)

Country Link
KR (1) KR102465466B1 (en)
WO (1) WO2022177199A1 (en)

Citations (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20170317997A1 (en) * 2016-04-30 2017-11-02 Civic Technologies, Inc. Methods and systems of providing verification of the identity of a digital entity using a centralized or distributed ledger
WO2019217937A1 (en) * 2018-05-11 2019-11-14 Civic Technologies, Inc. Rewards and penalties of the reward function for the attestation game
US20200204345A1 (en) * 2018-12-21 2020-06-25 International Business Machines Corporation Blockchain trust anchor
KR20200094406A (en) * 2019-01-30 2020-08-07 주식회사 하나은행 System for employment information sharing and method for service providing using the same
KR20200096790A (en) * 2017-12-15 2020-08-13 엔체인 홀딩스 리미티드 System and method for authenticating off-chain data based on proof verification
KR102197218B1 (en) * 2019-07-31 2021-01-04 주식회사 티이이웨어 System and method for providing distributed id and fido based block chain identification

Family Cites Families (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
KR101936758B1 (en) 2018-06-08 2019-01-11 주식회사 미탭스플러스 Encryption apparatus and method for integrity of information inquiry history

Patent Citations (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20170317997A1 (en) * 2016-04-30 2017-11-02 Civic Technologies, Inc. Methods and systems of providing verification of the identity of a digital entity using a centralized or distributed ledger
KR20200096790A (en) * 2017-12-15 2020-08-13 엔체인 홀딩스 리미티드 System and method for authenticating off-chain data based on proof verification
WO2019217937A1 (en) * 2018-05-11 2019-11-14 Civic Technologies, Inc. Rewards and penalties of the reward function for the attestation game
US20200204345A1 (en) * 2018-12-21 2020-06-25 International Business Machines Corporation Blockchain trust anchor
KR20200094406A (en) * 2019-01-30 2020-08-07 주식회사 하나은행 System for employment information sharing and method for service providing using the same
KR102197218B1 (en) * 2019-07-31 2021-01-04 주식회사 티이이웨어 System and method for providing distributed id and fido based block chain identification

Also Published As

Publication number Publication date
KR20220120058A (en) 2022-08-30
KR102465466B1 (en) 2022-11-09

Similar Documents

Publication Publication Date Title
US20230070963A1 (en) Blockchain-implemented method for control and distribution of digital content
US11669811B2 (en) Blockchain-based digital token utilization
CN111727594B (en) System and method for privacy management using digital ledgers
WO2018124857A1 (en) Blockchain database-based method and terminal for authenticating user non-face-to-face by utilizing mobile id, and server utilizing method and terminal
WO2018070848A1 (en) Method for providing smart contract-based certificate service, and server employing same
WO2018030707A1 (en) Authentication system and method, and user equipment, authentication server, and service server for performing same method
WO2018080207A1 (en) Method for issuing currency and making payment by managing balance database for each block in blockchain and server using same
WO2018155822A1 (en) Method for providing simplified account registration service and user authentication service, and authentication server using same
WO2016204461A1 (en) System and method for block-chain-based financial institution certificate verification
CN110892674A (en) Transaction generation method and block verification method of block chain
CN108924107B (en) Verifiable method for block chain remote medical data calling
KR102383099B1 (en) The non-face-to-face large document access blockchain system that combines blockchain-based DID service and IPFS-based data sharing technology and private key distributed storage technology
US20200259663A1 (en) One-Time Data Signature System and Method with Untrusted Server Assistance
CN113256297B (en) Data processing method, device and equipment based on block chain and readable storage medium
WO2018088475A1 (en) Electronic authentication method and program
WO2019125041A1 (en) Authentication system using separation, then distributed storage of personal information using blockchain
WO2020117020A1 (en) Method for generating pki key based on biometric information and device for generating key by using same method
CN111600844A (en) Identity distribution and authentication method based on zero-knowledge proof
CN112839046A (en) Traceable anonymous crowdsourcing method and system based on block chain
WO2022177204A1 (en) Did-based decentralized system for storing and sharing user data
WO2019125069A1 (en) Authentication system using separation, then combination of personal information using blockchain
WO2020158973A1 (en) Hypothesis acceptance protocol-2 mode blockchain consensus system and method
CN114944937A (en) Distributed digital identity verification method, system, electronic device and storage medium
WO2022177199A1 (en) Did-based user authentication system that remedies blockchain oracle problem
WO2023095967A1 (en) Remote-interaction large document access system in which blockchain-based did service, ipfs-based data sharing technology and private key distributed storage technology are combined

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 22756402

Country of ref document: EP

Kind code of ref document: A1

NENP Non-entry into the national phase

Ref country code: DE

122 Ep: pct application non-entry in european phase

Ref document number: 22756402

Country of ref document: EP

Kind code of ref document: A1