WO2022177204A1 - DID-based decentralized system for storing and sharing user data - Google Patents

DID-based decentralized system for storing and sharing user data

Info

Publication number
WO2022177204A1
Authority
WO
WIPO (PCT)
Prior art keywords
data
user terminal
user
sharing
information
Prior art date
Application number
PCT/KR2022/001539
Other languages
English (en)
Korean (ko)
Inventor
이정륜
한황제
윤태연
Original Assignee
주식회사 블록체인기술연구소
Priority date
Filing date
Publication date
Application filed by 주식회사 블록체인기술연구소
Publication of WO2022177204A1

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/08 Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L9/0861 Generation of secret information including derivation or calculation of cryptographic keys or passwords
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60 Protecting data
    • G06F21/62 Protecting access to data via a platform, e.g. using keys or access control rules
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L65/00 Network arrangements, protocols or services for supporting real-time applications in data packet communication
    • H04L65/40 Support for services or applications
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L67/00 Network arrangements or protocols for supporting network services or applications
    • H04L67/01 Protocols
    • H04L67/10 Protocols in which an application is distributed across nodes in the network
    • H04L67/1097 Protocols in which an application is distributed across nodes in the network for distributed storage of data in networks, e.g. transport arrangements for network file system [NFS], storage area networks [SAN] or network attached storage [NAS]
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L67/00 Network arrangements or protocols for supporting network services or applications
    • H04L67/50 Network services
    • H04L67/56 Provisioning of proxy services
    • H04L67/562 Brokering proxy services
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/08 Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/08 Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L9/0894 Escrow, recovery or storing of secret information, e.g. secret key escrow or cryptographic key storage
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/30 Public key, i.e. encryption algorithm being computationally infeasible to invert or user's encryption keys not requiring secrecy
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/32 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/40 Network security protocols
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/50 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols using hash chains, e.g. blockchains or hash trees

Definitions

  • The present invention relates to a DID-based decentralized user data storage and sharing system. More specifically, it relates to a user data storage and sharing system that can enhance security through a decentralized private key recovery service, ease the backup and management of the vast number of key pairs required in a DID environment, and share users' sensitive data.
  • Blockchain refers to a data distribution processing technology that distributes and stores all data that is managed by all users participating in the network. It is also called 'Distributed Ledger Technology (DLT)' or 'Public Transaction Ledger' in that the ledger containing transaction information is not owned by the transaction subject or a specific institution, but is a technology shared by all network participants.
  • The name blockchain comes from the fact that blocks containing transaction contents are linked like a chain. The block chain is a technology for preventing hacking such as forgery and falsification of transaction contents: it prevents data forgery by sending the transaction details to all users participating in the transaction and collating them for each transaction.
  • Blockchain is a core concept of decentralization, which aims for P2P (Peer to Peer) transactions, away from the existing financial system that secures and manages all transactions in financial institutions.
  • P2P refers to a communication network that connects personal computers without a server or client, and each connected computer acts as a server and client and shares information.
  • a trust relationship is formed digitally through a method in which multiple nodes share and verify the same data. This environment makes it possible to realize smart contracts that can conveniently conclude and modify contracts with P2P without intermediaries.
  • the technical problem to be solved by the present invention is to provide a user data storage and sharing system that can improve the problem of managing a vast amount of private and symmetric keys for data sharing in a blockchain network.
  • A user data storage and sharing system for solving the above problems includes a data sharing mediation server, a first user terminal, and a storage device, and interworks with a blockchain network. It comprises: the data sharing mediation server, which is registered in the blockchain network and inquires about DID information registered in the blockchain network; the first user terminal, which registers or deletes DID information for setting access rights to user data in the DID document of the data sharing mediation server registered in the blockchain network, and transmits encrypted user data, key index information, and initial vector information to the data sharing mediation server; and the storage device, which receives the encrypted user data, the key index information, and the initial vector information from the data sharing mediation server and stores them. When a second user terminal different from the first user terminal requests user data of the first user terminal from the data sharing mediation server, the first user terminal registers the DID information of the second user terminal in the DID document of the data sharing mediation server registered in the blockchain network, and grants the second user terminal access to the user data of the first user terminal.
  • The DID document of the data sharing mediation server registered in the blockchain network includes a first attribute value and a second attribute value. The first attribute value is DID information of the data owner terminal, and the second attribute value may include DID information of the user terminals that can access the shared data.
  • When the second user terminal requests the user data of the first user terminal from the data sharing mediation server, the first user terminal may decrypt the user data, generate a shared symmetric key to be shared with the second user terminal and a random initial vector, encrypt the decrypted user data using the shared symmetric key, and transmit the generated random initial vector and the encrypted user data to the second user terminal.
  • The data sharing mediation server checks whether the DID information of the second user terminal is registered in the second attribute value of the DID document of the data sharing mediation server associated with the first user terminal registered in the blockchain network, and allows access by the second user terminal when the DID information of the second user terminal is registered in the second attribute value.
  • The second user terminal may generate a shared symmetric key by inquiring the DID documents of the first user terminal and the second user terminal, and may decrypt the encrypted user data using the generated shared symmetric key.
  • the sender and receiver can safely transmit and receive sensitive data while improving the problem of managing a vast amount of symmetric keys for sensitive data including user personal information in a blockchain network.
  • the sender and the receiver can transmit and receive sensitive data by sharing a secure symmetric key within the blockchain network.
  • The sender and the receiver need only record the index information of the key used for data sharing, and can generate the key pair at any time for easy data sharing.
  • FIG. 1 is a diagram illustrating a distributed processing system using a block chain to which the technical idea according to the present invention can be applied.
  • FIGS. 2 and 3 are block diagrams showing the connection of blocks used in the block chain system.
  • FIG. 4 is a block diagram schematically illustrating a DID-based decentralized user data storage and sharing system according to the present invention.
  • FIG. 5 is a block diagram illustrating an operation of storing user data in a system for storing and sharing user data according to an embodiment of the present invention.
  • FIG. 6 is a block diagram illustrating an operation of generating and backing up a child key in a key management system included in a user data storage and sharing system according to an embodiment of the present invention.
  • FIG. 7 is a diagram exemplarily illustrating a DID generation process of a data sharing intermediary server in a user data storage and sharing system according to an embodiment of the present invention.
  • FIG. 8 is a diagram exemplarily illustrating a DID document of a first user terminal in a system for storing and sharing user data according to an embodiment of the present invention.
  • FIG. 9 is a diagram exemplarily illustrating a DID document of a data sharing mediation server in a user data storage and sharing system according to an embodiment of the present invention.
  • FIG. 10 is a block diagram illustrating an operation of sharing user data in a system for storing and sharing user data according to an embodiment of the present invention.
  • FIG. 11 is a diagram exemplarily illustrating a DID document of a second user terminal in a system for storing and sharing user data according to an embodiment of the present invention.
  • FIG. 12 is a diagram exemplarily illustrating a DID document of a data sharing mediation server in a user data storage and sharing system according to an embodiment of the present invention.
  • FIG. 13 is a diagram exemplarily illustrating a DID document of a first user terminal in a system for storing and sharing user data according to an embodiment of the present invention.
  • FIG. 14 is a diagram exemplarily illustrating a DID document of a second user terminal in a system for storing and sharing user data according to an embodiment of the present invention.
  • FIG. 15 is a block diagram of a computing device of a node according to an embodiment of the present invention.
  • the existing personal information and authentication information management method is centralized, and there are risks in terms of protection of personal privacy and inconvenience in the management and authentication process for the managed personal information and authentication information.
  • An alternative is needed. Therefore, research on self-sovereign identity service (SSI), which combines block chain and identity authentication, is being conducted at home and abroad, but the existing self-authentication method is done through an accredited certificate issued by a third party.
  • the DID service is being developed with a focus on registering personal information that can be disclosed on the block chain and specifying the personal use or scope of use when necessary.
  • these services focus only on proof of ownership and prevention of forgery, and it is necessary to store and share sensitive data for individuals based on DID.
  • DID means a unique identifier that can prove who you are by CRUD (Create, Read, Update, Delete) of information that can identify an individual centered on the user without a central authority.
  • DID acts as a pointer to the DID document of a blockchain transaction as a single key value.
  • the DID is an identifier generated based on the user's public key.
  • the DID document refers to a set necessary for an individual to authenticate himself or herself and prove association with the DID.
  • the object of DID CRUD execution is a DID document, which means information necessary for verification when using the DID service.
  • The relationship between a DID and its DID document is that the DID is looked up in the block chain and the DID document is created from the transaction contents; the method of reading the DID document from the DID may differ for each block chain.
  • a symmetric key is shared between the sender and the receiver in advance, or the data is encrypted with the symmetric key and the symmetric key is encrypted with the public key of the receiver and delivered.
  • users have the burden of managing a vast amount of private and symmetric keys. Therefore, in the present invention, the problem of managing a vast amount of keys required for sharing user data is to be improved.
  • FIG. 1 is a diagram illustrating a distributed processing system using a block chain to which the technical idea according to the present invention can be applied.
  • a distributed processing system 100 using a block chain is a distributed network system consisting of a plurality of nodes 110-170.
  • the nodes 110 to 170 constituting the distributed network 100 may be electronic devices having computing power, such as computers, mobile terminals, and dedicated electronic devices.
  • the decentralized network 100 can store and refer to information commonly known to all participating nodes in a connected bundle of blocks called blockchain.
  • The nodes 110-170 can communicate with each other and can be divided into full nodes, which store, manage, and propagate the block chain, and light nodes, which simply participate in transactions.
  • In this specification, a node mentioned without further description usually refers to a full node that participates in a distributed network and performs an operation to create, store, or verify a block chain, but is not limited thereto.
  • Each block connected to the block chain includes transaction details within a certain period, i.e., transactions.
  • the nodes can manage transactions by creating, storing, or verifying the blockchain according to their respective roles.
  • the transaction may represent various types of transactions.
  • the transaction may correspond to a financial transaction for indicating the ownership status of cryptocurrency and its change.
  • the transaction may correspond to a physical transaction for indicating the ownership status of the object and its change.
  • the transaction may correspond to an information sharing process to represent the recording, storage and transfer of information. Nodes performing a transaction in the distributed network 100 may have a private key and a public key pair each cryptographically related.
  • FIGS. 2 and 3 are block diagrams showing the connection of blocks used in the block chain system.
  • The block chain 200 is a kind of distributed database of one or more sequentially connected blocks 210, 220, 230.
  • The block chain 200 is used to store and manage users' transaction details in the block chain system, and each node participating in the network of the block chain system creates a block and connects it to the block chain 200.
  • FIG. 3 shows a limited number of blocks 210, 220, 230, but the number of blocks that can be included in the block chain is not limited thereto.
  • Each block included in the block chain 200 may be configured to include a block header 211 and a block body 213.
  • The block header 211 may include a hash value of the previous block 220 to indicate a connection relationship between blocks. In the process of verifying whether the block chain 200 is valid, the connection relationship in the block header 211 is used.
  • The block body 213 may include data stored and managed in the block 210, for example, a transaction list or a transaction chain.
  • The block header 211 may include a hash 2112 of a previous block, a hash 2113 of a current block, and a nonce 2114. Also, the block header 211 may include a root 2115 indicating a header of a transaction list in a block.
  • The blockchain 200 may include one or more connected blocks.
  • The one or more blocks are connected based on a hash value in the block header 211.
  • The hash value 2112 of the previous block included in the block header 211 is the same as the current hash 2213 included in the previous block 220 as a hash value of the previous block 220.
  • The one or more blocks are chained by the hash value of the previous block in each block header. Nodes participating in the distributed network verify the validity of a block based on the hash value of the previous block included in the one or more blocks, so it is impossible for a single malicious node to forge or falsify the contents of an already created block.
  • the block body 213 may include a transaction list 2131 .
  • the transaction list 2131 is a list of blockchain-based transactions.
  • the transaction list 2131 may include a record of financial transactions made in the blockchain-based financial system.
  • The transaction list 2131 may be expressed in the form of a tree. For example, the amount of money transmitted by user A to user B is recorded in the form of a list, and the storage length in the block can increase or decrease based on the number of transactions included in the current block.
  • The block 210 may include other information 2116 other than the information included in the block header 211 and the block body 213.
  • Nodes participating in a decentralized network have the same blockchain, and the same transactions are stored in blocks.
  • a block containing a list of transactions is shared on the network, so all participants can verify it.
  • the user data storage and sharing method described in the present invention is an algorithm executed in a computing device.
  • FIG. 4 is a block diagram schematically illustrating a DID-based decentralized user data storage and sharing system according to the present invention.
  • FIG. 5 is a block diagram illustrating an operation of storing user data in a system for storing and sharing user data according to an embodiment of the present invention.
  • FIG. 6 is a block diagram illustrating an operation of generating and backing up a child key in a key management system included in a user data storage and sharing system according to an embodiment of the present invention.
  • FIG. 7 is a diagram exemplarily illustrating a DID generation process of a data sharing intermediary server in a user data storage and sharing system according to an embodiment of the present invention.
  • FIG. 8 is a diagram exemplarily illustrating a DID document of a first user terminal in a system for storing and sharing user data according to an embodiment of the present invention.
  • FIG. 9 is a diagram exemplarily illustrating a DID document of a data sharing mediation server in a user data storage and sharing system according to an embodiment of the present invention.
  • The user data storage and sharing system 300 includes a data sharing mediation server 310, a first user terminal 321, and a storage device 330.
  • The data sharing mediation server 310, the first user terminal 321, and the storage device 330 are connected to each other through a network, and the network refers to a connection structure in which information can be exchanged between nodes such as a plurality of terminals and servers. Examples of such networks include RF, 3rd Generation Partnership Project (3GPP) network, Long Term Evolution (LTE) network, 5th Generation Partnership Project (5GPP) network, World Interoperability for Microwave Access (WIMAX) network, Internet, LAN (Local Area Network), Wireless LAN (Wireless Local Area Network), WAN (Wide Area Network), PAN (Personal Area Network), Bluetooth network, NFC network, satellite broadcasting network, analog broadcasting network, DMB (Digital Multimedia Broadcasting) network and the like, but the present invention is not limited thereto.
  • the first user terminal 321 may be implemented as, for example, a computer that can access a remote server or terminal through a network.
  • the computer may include, for example, navigation, a laptop equipped with a web browser, a desktop, and a laptop.
  • the first user terminal 321 may be implemented as a terminal capable of accessing a remote server or terminal through a network.
  • The terminal may be, for example, a wireless communication device that guarantees portability and mobility, and may include all kinds of handheld-based wireless communication devices such as navigation, Personal Communication System (PCS), Global System for Mobile communications (GSM), Personal Digital Cellular (PDC), Personal Handyphone System (PHS), Personal Digital Assistant (PDA), IMT (International Mobile Telecommunication)-2000, CDMA (Code Division Multiple Access)-2000, W-CDMA (W-Code Division Multiple Access), and Wibro (Wireless Broadband Internet) terminals, smartphones, smartpads, and tablet PCs.
  • The first user terminal 321 is a device that encrypts the user data data_A and stores it in the storage device 330. The user data data_A may be data requiring privacy protection, such as sensitive personal information. Alternatively, the user data data_A may be verifiable credential (VC) data.
  • The first user terminal 321 may share user data (data_A) with other user terminals through the instance service provided by the data sharing mediation server 310, and each user terminal may have ownership of the instance service provided by the data sharing mediation server 310. Each instance service has a DID document, which is registered in the blockchain system.
  • In the process in which the first user terminal 321 encrypts the user data data_A and stores it in the storage device 330, first, with the DID and the DID document of the first user terminal 321 registered in the block chain system, a DID and a DID document of the data sharing mediation server 310 are created.
  • the attribute value capabilityInvocation means the DID set of the person who has the authority to utilize data
  • the property value capabilityDelegation means the DID set of the person who has the right to utilize the data and the set of the person authorized to register/delete users in capabilityInvocation.
  • the capabilityDelegation item must be the DID of the data owner, that is, the first user terminal 321, and in the above example, key information related to sharing of user data (data_A) (index is x-th key) is registered in the capabilityDelegation item.
  • the first user terminal 321 generates a child key using the key management system, and performs an operation algorithm of encrypting the user data (data_A).
  • the key management system includes a key management server 410 and the first to third database devices 420, 430, and 440.
  • An algorithm by which the key management system recovers a private key and public key pair will be described.
  • the key management server 410 generates a 128-bit random S1 code necessary for generating the master key, and transmits it to the first user terminal 321 . Then, the key management server 410 transfers the S1 code to the first database device 420 and stores it.
  • The first to third database devices 420, 430, and 440 are included in the key backup system and are capable of storing information for key restoration. In addition, the first to third database devices 420, 430, and 440 are physically separated from each other and each store different data.
  • the first user terminal 321 generates a 256-bit random S2 code required to generate mnemonic code words, and transmits it to the second database device 430 through the key management server 410.
  • the S2 code is stored in the second database device 430 .
  • The first user terminal 321 generates a 128-bit random S3 code as a value for setting the path necessary for generating a child key, and transmits it to the third database device 440 through the key management server 410 so that the S3 code is stored in the third database device 440.
  • the first user terminal 321 generates a mnemonic code word using the S2 code, and generates a 512-bit master seed using the generated mnemonic code word and the S1 code.
  • the first user terminal 321 generates a master key using the master seed, and then generates an HD wallet using the master key. That is, the first user terminal 321 generates a master private key and a master public key by using the master seed.
  • the first user terminal 321 sets an index to extract a child key from the master key.
  • The index used by the first user terminal 321 for extracting the child key has a numeric value of 4 bytes (0 to 2^31 - 1).
  • the first user terminal 321 sets a path for extracting the child key, and the path means a path for deriving the child key from the master key.
  • the path is set as follows by dividing the 128-bit (16-byte) S3 code into four 32-bit signed integers.
  • The first user terminal 321 extracts a child key from the HD wallet using a CKD (Child Key Derivation) function according to the set path. As a result of the child key extraction by the first user terminal 321, a private key and public key pair is generated.
  • The first user terminal 321 transmits its own S1 code, S2 code, and S3 code values to the first to third database devices 420, 430, and 440 through the key management server 410 and stores them. Thereafter, the child key may be extracted using the S1 code, the S2 code, and the S3 code stored in the first to third database devices 420, 430, and 440, and a private key and public key pair may be generated.
  • The first user terminal 321 may use an application for encrypting user data (data_A), and generates the n-th child key, which is the key information of KeyAgreement of the DID document, through the child key extraction algorithm described above with reference to FIG. 6.
  • The n-th child key includes a private key a and a public key a·G.
  • The first user terminal 321 requests the data sharing mediation server 310 to store the encrypted user data (E_data_A). The data sharing mediation server 310 checks whether the DID of the first user terminal 321 is registered, and if the DID of the first user terminal 321 is registered, the data sharing mediation server 310 transmits the encrypted data (E_data_A) to the storage device 330 and stores it in the following structure.
  • the type of the storage device 330 is not limited in the present invention, and various types of storage devices such as cloud, local storage, and IPFS may be used.
  • FIG. 10 is a block diagram illustrating an operation of sharing user data in a system for storing and sharing user data according to an embodiment of the present invention.
  • FIG. 11 is a diagram exemplarily illustrating a DID document of a second user terminal in a system for storing and sharing user data according to an embodiment of the present invention.
  • FIG. 12 is a diagram exemplarily illustrating a DID document of a data sharing mediation server in a user data storage and sharing system according to an embodiment of the present invention.
  • FIG. 13 is a diagram exemplarily illustrating a DID document of a first user terminal in a system for storing and sharing user data according to an embodiment of the present invention.
  • FIG. 14 is a diagram exemplarily illustrating a DID document of a second user terminal in a system for storing and sharing user data according to an embodiment of the present invention.
  • The user data storage and sharing system 300 includes a data sharing mediation server 310, a first user terminal 321, a second user terminal 322, and a storage device 330.
  • the second user terminal 322 provides its DID and the key index (y) to be used together to the first user terminal 321 , and requests sharing of the user data data_A of the first user.
  • the following is an example of the key index y provided by the second user terminal 322 .
  • the first user terminal 321 registers the DID of the second user terminal 322 in the DID document of the data sharing mediation server 310 of the block chain system after user authentication of the second user terminal 322. At this time, the DID is registered in the capabilityInvocation attribute value, which determines whether the second user terminal 322 may use the user data data_A of the first user terminal 321.
  • the first user terminal 321 recovers the symmetric key S_a to decrypt the encrypted user data E_data_A. To this end, the first user terminal 321 extracts the n-th child key (a, a·G). That is, the first user terminal 321 may use an application for decrypting the encrypted user data E_data_A, and generates the nth child key, which is the key information of KeyAgreement of the DID document, through the child key extraction algorithm described above with reference to FIG. 5.
  • the first user terminal 321 decrypts the encrypted user data E_data_A downloaded from the storage device 330 .
  • the first user terminal 321 inquires the nth public key of the second user terminal 322 .
  • the first user terminal 321 searches the did resolver for did:lit:USERB to inquire the DID document of the second user terminal 322 .
  • the first user terminal 321 inquires the value of the nth public key among the public keys of the second user terminal 322 (b·G).
  • the first user terminal 321 generates a symmetric key to be shared with the second user terminal 322 .
  • the DID documents of the first user terminal 321 and the second user terminal 322 are inquired to utilize key information of keyAgreement.
  • the shared symmetric key (S_ab) of the first user terminal 321 and the second user terminal 322 is generated by using the n-th private key of the first user terminal 321 and the n-th public key of the second user terminal 322 (a·bG).
  • the first user terminal 321 generates a 16-byte random initial vector required for encryption (iv_ab).
  • the first user terminal 321 encrypts the user data data_A using the shared symmetric key S_ab.
  • the first user terminal 321 transmits the initial vector iv_ab and the encrypted user data E_data_A to the second user terminal 322 (Ciphertext_ab, iv_ab).
  • the data sharing mediation server 310 checks whether the DID of the second user terminal 322 is registered in the DID document of the data sharing mediation server 310 associated with the first user terminal 321 of the block chain system, and allows the second user terminal 322 to access. Specifically, the data sharing mediation server 310 checks whether the DID of the second user terminal 322 is registered in the capabilityInvocation attribute value of the DID document of the data sharing mediation server 310 associated with the first user terminal 321.
  • the data sharing mediation server 310 allows the second user terminal 322 to access the data sharing mediation server 310 when the DID of the second user terminal 322 is registered in the capabilityInvocation attribute value of the DID document of the data sharing mediation server 310 associated with the first user terminal 321.
  • the second user terminal 322 also generates a shared symmetric key.
  • the DID documents of the first user terminal 321 and the second user terminal 322 are inquired to utilize key information of keyAgreement.
  • the shared symmetric key (S_ab) of the second user terminal 322 and the first user terminal 321 is generated by using the nth private key of the second user terminal 322 and the nth public key of the first user terminal 321 (b·a·G).
  • the second user terminal 322 shares the user data data_A of the first user terminal 321 by decrypting the encrypted user data E_data_A.
  • FIG. 15 is a block diagram of a computing device of a node according to an embodiment of the present invention.
  • a computing device 1000 of a node includes a processor 1100 and a memory 1200, and the processor 1100 may include one or more cores, a graphic processing unit, and/or a connection path (e.g., a bus) for transmitting and receiving signals with other components.
  • the processor 1100 executes one or more instructions stored in the memory 1200, thereby executing the operation of the user data storage and sharing algorithm with reference to FIGS. 5 to 14 .
  • the processor 1100 collects information about user identification authentication and private key generation generated in one or more nodes by executing one or more instructions stored in the memory, generates a transaction based on the collected information, and provides related information for at least one node.
  • the processor 1100 may further include a random access memory (RAM) and a read-only memory (ROM) for temporarily and/or permanently storing signals (or data) processed therein.
  • the processor 1100 may be implemented in the form of a system on chip (SoC) including at least one of a graphic processing unit, a RAM, and a ROM.
  • the memory 1200 may store programs (one or more instructions) for processing and controlling the processor 1100 .
  • Programs stored in the memory 1200 may be divided into a plurality of modules according to functions.
  • a software module may reside in random access memory (RAM), read only memory (ROM), erasable programmable ROM (EPROM), electrically erasable programmable ROM (EEPROM), flash memory, a hard disk, a removable disk, a CD-ROM, or any type of computer-readable recording medium well known in the art to which the present invention pertains.
  • the components of the present invention may be implemented as a program (or application) to be executed in combination with a computer, which is hardware, and stored in a medium.
  • Components of the present invention may be implemented as software programming or software components; similarly, embodiments may be implemented in a programming or scripting language such as C, C++, Java, or assembler, with various algorithms implemented as data structures, processes, routines, or combinations of other programming constructs. Functional aspects may be implemented in an algorithm running on one or more processors.
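
The sharing exchange between the first user terminal 321 and the second user terminal 322 described above, sketched for Node.js as an added example that is not code from the patent: each side derives S_ab from its own private key and the other side's public key, and the mediation server gates access on capabilityInvocation. The curve (secp256k1), SHA-256 as the key-derivation step, AES-256-CBC as the cipher, the random key pairs standing in for the nth child keys, and every DID other than did:lit:USERB are assumptions.

```javascript
const crypto = require('crypto');

// Constructed stand-in for an nth child key pair (a, a·G); the patent derives
// it with its child key extraction algorithm. The curve is an assumption.
function newKeyAgreementKey() {
  const ecdh = crypto.createECDH('secp256k1');
  ecdh.generateKeys();
  return ecdh;
}

// S_ab from a·(bG) on one side and b·(aG) on the other. Hashing the ECDH
// output with SHA-256 to obtain a 32-byte key is an assumption.
function sharedKey(ownKey, peerPublicKey) {
  const point = ownKey.computeSecret(peerPublicKey);
  return crypto.createHash('sha256').update(point).digest();
}

// Encrypt data_A under S_ab with a fresh 16-byte random iv_ab.
function encryptFor(sAb, plaintext) {
  const iv = crypto.randomBytes(16);
  const cipher = crypto.createCipheriv('aes-256-cbc', sAb, iv); // cipher assumed
  return { iv, ciphertext: Buffer.concat([cipher.update(plaintext), cipher.final()]) };
}

function decryptWith(sAb, { iv, ciphertext }) {
  const decipher = crypto.createDecipheriv('aes-256-cbc', sAb, iv);
  return Buffer.concat([decipher.update(ciphertext), decipher.final()]);
}

// Mediation server gate: the requester's DID must be listed in the
// capabilityInvocation attribute of the server's DID document for this owner.
function mayAccess(serverDidDocument, requesterDid) {
  const entries = serverDidDocument.capabilityInvocation;
  return Array.isArray(entries) && entries.includes(requesterDid);
}

// End-to-end run with constructed sample data.
function demo() {
  const userA = newKeyAgreementKey(); // first user terminal
  const userB = newKeyAgreementKey(); // second user terminal
  const serverDoc = { id: 'did:lit:SERVER', capabilityInvocation: ['did:lit:USERB'] };
  const message = encryptFor(sharedKey(userA, userB.getPublicKey()), Buffer.from('data_A'));
  const allowed = mayAccess(serverDoc, 'did:lit:USERB');
  const denied = mayAccess(serverDoc, 'did:lit:USERC'); // unregistered DID
  const recovered = allowed
    ? decryptWith(sharedKey(userB, userA.getPublicKey()), message).toString()
    : null;
  return { allowed, denied, recovered, ivLength: message.iv.length };
}
```

CBC provides confidentiality only; a deployment would pair it with a MAC or use an AEAD mode so that a modified ciphertext is rejected before decryption.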

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Theoretical Computer Science (AREA)
  • Computer Hardware Design (AREA)
  • General Engineering & Computer Science (AREA)
  • Computing Systems (AREA)
  • Physics & Mathematics (AREA)
  • General Health & Medical Sciences (AREA)
  • Bioethics (AREA)
  • Software Systems (AREA)
  • Health & Medical Sciences (AREA)
  • General Physics & Mathematics (AREA)
  • Multimedia (AREA)
  • Storage Device Security (AREA)
  • Databases & Information Systems (AREA)
  • Power Engineering (AREA)
  • Information Retrieval, Db Structures And Fs Structures Therefor (AREA)

Abstract

A decentralized system based on an encrypted decentralized identifier (DID) for storing and sharing user data is disclosed. The system for storing and sharing user data comprises: a data sharing mediation server; a first user terminal; and a storage device, wherein the data sharing mediation server links with a blockchain network and requests DID information registered in the blockchain network, the first user terminal registers or deletes DID information for establishing an access right to user data in a DID document of the data sharing mediation server that is registered in the blockchain network, and transmits encrypted user data, key index information, and initial vector information to the data sharing mediation server, and the storage device receives, from the data sharing mediation server, and stores the encrypted user data, the key index information, and the initial vector information.
PCT/KR2022/001539 2021-02-22 2022-01-28 DID-based decentralized system for storing and sharing user data WO2022177204A1 (fr)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
KR1020210023716A KR102465467B1 (ko) 2021-02-22 2021-02-22 DID-based decentralized user data storage and sharing system
KR10-2021-0023716 2021-02-22

Publications (1)

Publication Number Publication Date
WO2022177204A1 true WO2022177204A1 (fr) 2022-08-25

Family

ID=82930918

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/KR2022/001539 WO2022177204A1 (fr) 2021-02-22 2022-01-28 DID-based decentralized system for storing and sharing user data

Country Status (2)

Country Link
KR (2) KR102465467B1 (fr)
WO (1) WO2022177204A1 (fr)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN115801815A (zh) * 2023-02-03 2023-03-14 安徽中科晶格技术有限公司 Blockchain-based method, device and storage medium for sharing plant growth status

Families Citing this family (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
KR102662021B1 (ko) 2022-11-18 2024-04-29 동명대학교산학협력단 DID-based transaction system ensuring the reliability of used-car data, and method therefor
KR102515367B1 (ko) * 2023-01-20 2023-03-30 주식회사 그래파이 Blockchain-based data sharing method

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
KR20070051314A (ko) * 2004-08-09 2007-05-17 컴캐스트 케이블 홀딩스, 엘엘씨 System and method for key management with a simplified structure
US20200242221A1 (en) * 2019-07-02 2020-07-30 Alibaba Group Holding Limited System and method for mapping decentralized identifiers to real-world entities
KR102179497B1 (ko) * 2020-04-13 2020-11-17 주식회사 한국정보보호경영연구소 Multi-cloud-based data storage and management system and operating method thereof
KR102189301B1 (ko) * 2020-04-22 2020-12-11 주식회사 한국정보보호경영연구소 System and method for providing a blockchain-based cloud service with enhanced security
KR20210007844A (ko) * 2019-07-11 2021-01-20 주식회사 코인플러그 Method for providing a relational decentralized identifier service and blockchain node using the same

Family Cites Families (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
KR101857223B1 (ko) 2017-11-13 2018-05-11 주식회사 온더 Blockchain token-based user identification method and system

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
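CN115801815A (zh) * 2023-02-03 2023-03-14 安徽中科晶格技术有限公司 Blockchain-based method, device and storage medium for sharing plant growth status
CN115801815B (zh) * 2023-02-03 2023-05-05 安徽中科晶格技术有限公司 Blockchain-based method, device and storage medium for sharing plant growth status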

Also Published As

Publication number Publication date
KR20220120062A (ko) 2022-08-30
KR20220143625A (ko) 2022-10-25
KR102465467B1 (ko) 2022-11-09
KR102483369B1 (ko) 2022-12-29

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 22756407

Country of ref document: EP

Kind code of ref document: A1

NENP Non-entry into the national phase

Ref country code: DE

122 Ep: pct application non-entry in european phase

Ref document number: 22756407

Country of ref document: EP

Kind code of ref document: A1