WO2022196850A1 - Method and system for issuing and certifying digital vaccination certificate - Google Patents

Method and system for issuing and certifying digital vaccination certificate Download PDF

Info

Publication number
WO2022196850A1
WO2022196850A1 PCT/KR2021/003519 KR2021003519W WO2022196850A1 WO 2022196850 A1 WO2022196850 A1 WO 2022196850A1 KR 2021003519 W KR2021003519 W KR 2021003519W WO 2022196850 A1 WO2022196850 A1 WO 2022196850A1
Authority
WO
WIPO (PCT)
Prior art keywords
certificate
institution
electronic device
vaccination
inoculation
Prior art date
Application number
PCT/KR2021/003519
Other languages
French (fr)
Korean (ko)
Inventor
최철원
Original Assignee
블록체인랩스 주식회사
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by 블록체인랩스 주식회사 filed Critical 블록체인랩스 주식회사
Publication of WO2022196850A1 publication Critical patent/WO2022196850A1/en

Links

Images

Classifications

    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/30Authentication, i.e. establishing the identity or authorisation of security principals
    • G06F21/31User authentication
    • G06F21/33User authentication using certificates
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60Protecting data
    • G06F21/64Protecting data integrity, e.g. using checksums, certificates or signatures
    • GPHYSICS
    • G16INFORMATION AND COMMUNICATION TECHNOLOGY [ICT] SPECIALLY ADAPTED FOR SPECIFIC APPLICATION FIELDS
    • G16HHEALTHCARE INFORMATICS, i.e. INFORMATION AND COMMUNICATION TECHNOLOGY [ICT] SPECIALLY ADAPTED FOR THE HANDLING OR PROCESSING OF MEDICAL OR HEALTHCARE DATA
    • G16H40/00ICT specially adapted for the management or administration of healthcare resources or facilities; ICT specially adapted for the management or operation of medical equipment or devices
    • G16H40/20ICT specially adapted for the management or administration of healthcare resources or facilities; ICT specially adapted for the management or operation of medical equipment or devices for the management or administration of healthcare resources or facilities, e.g. managing hospital staff or surgery rooms
    • GPHYSICS
    • G16INFORMATION AND COMMUNICATION TECHNOLOGY [ICT] SPECIALLY ADAPTED FOR SPECIFIC APPLICATION FIELDS
    • G16HHEALTHCARE INFORMATICS, i.e. INFORMATION AND COMMUNICATION TECHNOLOGY [ICT] SPECIALLY ADAPTED FOR THE HANDLING OR PROCESSING OF MEDICAL OR HEALTHCARE DATA
    • G16H50/00ICT specially adapted for medical diagnosis, medical simulation or medical data mining; ICT specially adapted for detecting, monitoring or modelling epidemics or pandemics
    • G16H50/80ICT specially adapted for medical diagnosis, medical simulation or medical data mining; ICT specially adapted for detecting, monitoring or modelling epidemics or pandemics for detecting, monitoring or modelling epidemics or pandemics, e.g. flu
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/32Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/32Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L9/321Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving a third party or a trusted authority
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/32Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L9/3247Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving digital signatures
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/50Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols using hash chains, e.g. blockchains or hash trees
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L2209/00Additional information or applications relating to cryptographic mechanisms or cryptographic arrangements for secret or secure communication H04L9/00
    • H04L2209/88Medical equipments

Definitions

  • Embodiments disclosed in this document relate to technology for issuing and distributing digital certificates.
  • a vaccine is developed to address the pandemic, and vaccination begins once the vaccine is complete. At this time, the vaccinated person and the non-vaccinated person are divided, and in order to distinguish between the vaccinated person and the non-vaccinated person, an authentication means capable of authenticating the vaccination person is required.
  • vaccinated and non-vaccinated becomes essential, especially for highly contagious diseases. Due to its strong contagious nature, immunization may be required, for example, in order to have access to places where a large number of people may come into contact.
  • a certificate may be issued to certify that you are the vaccinated person.
  • the certificate may contain information about the name of the recipient, vaccine information, medical institution, and the like. If the certificate is a paper certificate, it is difficult to verify the authenticity of the certificate itself, and the risk of personal information leakage is high.
  • the electronic certificate issuance procedure includes an identity authentication procedure and a payment procedure, which is not convenient for the user because the issuance procedure is difficult. Even if the issuance is completed through a complicated issuance procedure, it is difficult to reuse because it is distributed in the form of printed paper (submitted to an institution, etc.)
  • Various embodiments disclosed in this document are intended to provide a method and system that simplifies the issuance and distribution of certificates, and allows users to conveniently authenticate whether or not they have been vaccinated.
  • As a one-time certificate issuance we want to make it possible to certify all over the world.
  • a method includes a blockchain network including a public distributed ledger, a first electronic device associated with a first user, and a second electronic device associated with a second user, the blockchain network stores a first user identifier associated with the first user, a first organization identifier corresponding to at least one trusted authority, and the first electronic device is issued by the at least one trusted authority, and a first inoculation certificate comprising a first authority digital signature, the first user identifier, and information associated with the vaccination of the first user.
  • the method may include generating, by the first electronic device, a second inoculation certificate, wherein the second inoculation certificate includes information related to vaccination, whether vaccination is performed, the digital signature of the first institution, and the first inoculation certificate.
  • the method may include obtaining, by the electronic device, information on whether or not the vaccination has been performed.
  • authentication of whether to vaccinate with minimal exposure of personal information can be made.
  • high-reliability authentication can be achieved between individuals without using a national agency or a trusted agency as an intermediary.
  • various effects directly or indirectly identified through this document may be provided.
  • 1 is a schematic diagram of a system for issuing a vaccination digital certificate and verifying whether or not vaccination is performed according to an embodiment.
  • FIG. 2 is a block diagram of an identity authentication server and a vaccination management server according to an embodiment.
  • FIG. 3 is a block diagram of a medical institution electronic device and a personal electronic device according to an exemplary embodiment.
  • FIG. 4 is a signal flow diagram illustrating a method for an identity authentication server to issue an identity certificate to a personal electronic device according to an embodiment.
  • FIG. 5 is a signal flow diagram illustrating a method for a vaccination management server to issue a vaccination institution certificate to an electronic device of a medical institution according to an embodiment.
  • FIG. 6 is a signal flow diagram for a method of registering a practitioner of vaccination in the vaccination management server according to an embodiment.
  • FIG. 7 is a signal flow diagram for a method of issuing an inoculation certificate according to an embodiment.
  • FIG. 8 is a signal flow diagram for a method of authenticating whether vaccination is performed according to an embodiment.
  • system 10 for issuing a vaccination digital certificate and verifying whether or not inoculation is performed according to an embodiment.
  • system 10 for issuing a vaccination digital certificate and verifying whether or not inoculation is performed according to an embodiment.
  • the issuance and certification process of the vaccination digital certificate performed on the system 10 will be described as follows.
  • a vaccination certificate (hereinafter, inoculation certificate) that certifies whether or not a vaccine is available may be issued in the form of a digital certificate.
  • Vaccination Certificate The digital certificate may be a data set including data related to vaccination. The data may include personal sensitive information related to vaccination.
  • the vaccination management institution may be an institution or organization that manages matters related to vaccination of vaccines.
  • Vaccination management institutions can monitor the sequence of importing, distributing, and inoculating vaccines, and store and manage records thereof.
  • Vaccination management agency can be understood as a trust agency as an agency operated by the state.
  • the identity authentication institution may be an institution or an organization that manages identity information about individuals and medical institutions.
  • An identity certification authority may manage identity information about an individual that can identify a specific individual.
  • the identity certification authority may issue a certificate (hereinafter, an identity certificate) for at least one item of identity information.
  • the identity authentication institution may manage basic information (identity information) about a medical institution that can identify a specific medical institution.
  • the identity authentication institution may issue a certificate (hereinafter, referred to as a medical institution certificate) for at least one item of basic information of a medical institution.
  • the identity authentication institution may perform authentication of medical institutions necessary for vaccination and identity authentication of inoculators.
  • An identity certification authority is an organization operated by the state and can be understood as a trusted authority.
  • Vaccination may be performed by a medical institution that is accredited to administer the vaccine.
  • the vaccination management institution may select a medical institution that can perform vaccination among medical institutions or manage a list of pre-selected medical institutions.
  • the vaccination management institution may check basic identity information about the vaccination institution and issue a certificate of the vaccination institution.
  • an identity authentication institution For the issuance of an inoculation certificate, an identity authentication institution, a vaccination management institution, and a medical institution may cooperate with each other.
  • Vaccination digital certificate (hereinafter, inoculation certificate) may be issued by a vaccination management institution.
  • the identity authentication institution may provide identity authentication to the vaccination management institution with basic information of a medical institution for issuing an inoculation certificate.
  • the identity authentication authority and the vaccination management authority may be integrated.
  • a vaccination management institution can directly store basic identity information about an individual or a medical institution and issue an identity certificate.
  • the system 10 includes an identity authentication server 100 , a vaccination management server 200 , a medical institution electronic device 300 , a personal electronic device 400 , and a third-party electronic device 500 . can do.
  • the identity authentication server 100 and the vaccination management server 200 may include a plurality of authentication servers, but the system 10 configured with one authentication server is disclosed below.
  • the identity authentication server 100 is a server device operated by an identity authentication authority.
  • the vaccination management server 200 is a server device operated by a vaccination management institution.
  • the medical institution electronic device 300 is an electronic device (eg, PC, tablet, server device) possessed by a medical institution performing vaccination.
  • the personal electronic device 400 is a personal electronic device (eg, a smartphone, tablet, personal PC) to be vaccinated.
  • the third-party electronic device 500 is an electronic device (eg, a PC, a tablet, a server device) owned by another person or a company that checks whether a specific individual is vaccinated. The structure and operation of the server device and the electronic device will be described later with reference to FIGS. 2 and 3 .
  • the identity authentication server 100 may issue an identity certificate for an individual and transmit the generated identity certificate to the personal electronic device 400 .
  • the identity authentication server 100 may issue a medical institution certificate for a medical institution, and transmit the issued certificate to the medical institution electronic device 300 .
  • the personal electronic device 400 may store the received identity certificate.
  • the medical institution electronic device 300 may store the received medical institution certificate.
  • the medical institution certificate may be understood as a confirmation certificate that enables identification of a specific medical institution.
  • the medical institution certificate may be a verification certificate for the medical institution itself or an identity certificate for a medical institution representative.
  • the vaccination management server 200 may issue a certificate of a white vaccination institution for a specific medical institution, and may transmit the issued certificate to the electronic device 300 of the medical institution.
  • the medical institution electronic device 300 may store the received vaccination institution certificate.
  • the vaccination management server 200 may receive the medical institution certificate from the identity authentication server 100 or the medical institution electronic device 300 .
  • the vaccination management server 200 may issue the vaccination institution certificate after identifying whether it is a specific medical institution authorized to inoculate based on the medical institution certificate.
  • the medical institution electronic device 300 may identify vaccine information.
  • the vaccine information may include information about a vaccine to be administered to the inoculator.
  • Vaccine information may include, for example, the name of the vaccine, manufacturer, clinical information, identification information, and distribution information.
  • the electronic device 300 of a medical institution may receive the vaccine information by recognizing a code (eg, barcode, QR code) attached to the vaccine.
  • the medical institution electronic device 300 may receive a direct input for vaccine information from a medical person.
  • the medical institution electronic device 300 may identify an individual who is an inoculator. For example, the medical institution electronic device 300 may receive an identity certificate stored in the personal electronic device 300 and identify an individual who is the owner of the personal electronic device 300 based on the received identity certificate. After the vaccination is completed, the electronic device 300 of the medical institution may transmit the identified vaccine information, the identified personal information, and the inoculation information to the vaccination management server 200 .
  • the inoculation information may include information necessary to report the fact of inoculation, such as inoculation time, inoculation location, and inoculation status.
  • the vaccination management server 200 may issue an inoculation certificate based on the received vaccine information, personal information, and inoculation information.
  • the vaccination management server 200 may transmit the issued vaccination certificate to the personal electronic device 400 .
  • the personal electronic device 300 may store an inoculation certificate.
  • the personal electronic device 300 may transmit all or part of at least some information included in the inoculation certificate to an electronic device of an individual who is the owner of another subject requesting vaccination authentication or to an electronic device 500 of a third party.
  • the certificate disclosed herein may be digitally signed by an issuer.
  • a digital signature is a method that can serve as a means of proving the identity of the issuer.
  • the issuer can digitally sign the certificate using an identifier for the corresponding to its digital identity.
  • the certificate recipient can verify the identity of who is the issuer of the certificate through the digital signature.
  • Each subject included in the system 10 identity authentication server 100, vaccination management server 200, medical institution electronic device 300, personal electronic device 400
  • An identifier can be used to issue a digitally signed certificate.
  • the digital signature may consist of various algorithms.
  • a key generation algorithm, A signing algorithm, and A signature verifying algorithm may be used.
  • the RSA algorithm may be utilized.
  • the identity authentication server 100 may digitally sign an identity certificate and a medical institution certificate with its own identifier.
  • the vaccination management server 200 may digitally sign the vaccination certificate with its identifier. Recipients who have received the identity certificate or inoculation certificate can verify the issuer through a digital signature and trust the contents of the certificate.
  • the identity authentication server 100 or the vaccination management server 200 may sign the certificate with its own private key.
  • the certificate recipient may decrypt the inoculation certificate with the public key owned by the identity authentication server 100 or the vaccination management server 200 .
  • the certificate disclosed in this document may be designed to be verifiable by a third party. That is, the certificate issued and distributed on the system 10 may be verified by all, not by a specific trusted organization (eg, an identity authentication institution, a vaccination management institution).
  • a specific trusted organization eg, an identity authentication institution, a vaccination management institution.
  • the public key is not stored in a specific centralized authority, but in a centralized P2P network such as a federated identity management system of multiple trusted authorities or a distributed ledger. have.
  • the certificate can be verified by using the value of the public key stored in a place where anyone can access it.
  • the recipient who receives the inoculation certificate digitally signed by the vaccination management server 200 does not authenticate the inoculation certificate through the vaccination management organization, but through the digital signature of the public vaccination management organization, the inoculation It can be directly confirmed that the certificate was issued by the vaccination management agency, and the contents of the vaccination certificate can be trusted.
  • the personal electronic device 400 may generate a certificate by processing a part of the contents of the inoculation certificate.
  • the personal electronic device 400 may transmit the processed certificate to the third-party electronic device 500 .
  • the purpose of processing is to protect privacy by not transmitting all the contents included in the inoculation certificate to a third party, and only include essential contents. For example, if only the fact of the inoculation needs to be proved, the certificate containing only the 'vaccination status' excludes information such as 'what vaccine was received' and 'what medical institution received the vaccine from' may be transmitted to the electronic device 500 .
  • the system 10 may be operated based on the blockchain network 600 .
  • the blockchain network 600 of the system 10 may include at least one blockchain network among known public blockchains.
  • a key value for the digital signature of each of the subjects 100 , 200 , 300 , 400 may be stored in the blockchain network 600 .
  • the identifier of each of the subjects 100 , 200 , 300 , 400 may be an account or an address value of the blockchain network 600 .
  • the system 10 can function as a global system. Since the certificate issuance and verification can be made based on the blockchain network 600, which is a global platform, the inoculation certificate can be issued and verified without being restricted by the trust institutions of each country or other authentication systems for each country.
  • the system 10 based on the blockchain network 600 will be described as an example. However, the present invention is not limited thereto, and other open and reliable networks may be employed.
  • the identity authentication server 100, the vaccination management server 200, the medical institution electronic device 300, and the personal electronic device 400 communicate with the block chain network 600, and the block chain network ( 600), at least one application that allows access to an account on the above may be stored.
  • the at least one application may include a wallet application of the blockchain network 600 .
  • the certificate issued and distributed by the system 10 may have a specification of a verifiable credential (VC) designed according to the W3C standard protocol.
  • VC verifiable credential
  • Each of the entities 100 , 200 , 300 , and 400 of the system 100 may be an issuer of a VC.
  • the processed certificate may have a specification of a verifiable presentation (VP) designed according to the W3C standard protocol.
  • the VP may be composed of some claims among claims included in one VC, and may be composed of a plurality of VCs.
  • the VP may include VCs signed by different issuers. Entities 100 , 200 , 300 , 400 of system 10 may create or issue a VP containing only the necessary information from one or more VCs.
  • Digital signatures or digital identifiers used under the blockchain network 600 may be understood as decentralized identifiers (DID) according to the W3C standard protocol. .
  • the VC may include an identifier of an issuer and a destructor of the issuer.
  • the VC when the VC for the owner of the personal electronic device 400 is issued by the identity authentication server 100 , the VC is the identifier information (the first identifier) of the identity authentication server 100 and the personal electronic device 400 . of identifier information (second identifier). This may include a meaning that the VC was issued by the first identifier and was issued to the second identifier.
  • the personal electronic device 400 may generate a VP by signing the VC with its second identifier.
  • the VP may include information that the owner of the second identifier currently owns the VC issued to the second identifier by the first identifier.
  • a third party that has received the VP including some information of the VC can confirm that it has received the authentication information from the rightful owner of the VC, and can trust the authentication information.
  • a third party receiving the VP can confirm that the VP created by the rightful owner of the VC has been transmitted by checking whether the second identifier of the person who created the VP matches the second identifier included in the VC, The information stored in the VP can be trusted.
  • the blockchain network 600 may store ID registries 610 and 620 .
  • Identifiers eg, DIDs
  • Public keys of VC issuers may be stored in .
  • the ID registries 610 and 620 may store DIDs of the identity authentication server 100 , the vaccination management server 200 , the medical institution electronic device 300 , and the personal electronic device 400 .
  • Each of the subjects 100, 200, 300, and 400 of the system 10 accesses the DID registry 610, 620 of the blockchain network 600 for mutual verification of certificates, and stores the IDs stored in the registry. You may have permission to read.
  • the blockchain network 600 may include a first ID registry 610 and a second ID registry 620 .
  • the first ID registry 610 may be understood as a storage space managed by the identity authentication server 100 and the vaccination management server 200 .
  • Data stored in the first ID registry 610 may be input, modified, or deleted by the trusted organizations 100 and 200 . Accordingly, the medical institution electronic device 300 and the personal electronic device 400 can view data stored in the first ID registry 610 , but cannot modify or delete data stored in the first ID registry 610 , New data cannot be added to the ID registry 610 .
  • data stored in the second ID registry 620 may be input, modified, or deleted by the respective subjects 100 , 200 , 300 , and 400 . Therefore, the information provided by the trusted institutions 100 and 200 can be stored in the block chain network 600, and the subject who reads it can trust the information.
  • FIG. 2 is a block diagram of the identity authentication server 100 and the vaccination management server 200 according to an embodiment.
  • the identity authentication server 100 and the vaccination management server 200 may be integrated.
  • the identity authentication server 100 and the vaccination management server 200 are illustrated as one server device, for example, they may be composed of a plurality of server devices.
  • the identity authentication server 100 may include a processor 110 , a memory 120 , and a communication circuit 130 .
  • the processor 110 may control the overall operation of the identity authentication server 100 .
  • the identity authentication server 100 may transmit/receive data to and from other subjects 200 , 300 , and 400 of the system 10 through the communication circuit 130 .
  • the memory 120 may include a personal identity DB 122 including identity information on individuals to whom an identity certificate is to be issued.
  • the personal identity DB 122 may include the types of data shown in Table 1. An identity certificate for an individual may be issued based on the personal identity DB 122 .
  • One Digital identity identifiers (such as DIDs) 2 name 3 date of birth 4 Phone number 5 Personal identification number (e.g. social security number) 6 nationality 7 push token
  • the memory 120 may include a medical institution DB 124 for medical institutions to which a medical institution certificate is to be issued.
  • the medical institution DB 124 may include the types of data shown in Table 2.
  • a medical institution certificate for a medical institution may be issued based on the medical institution DB 124 .
  • One Medical institution identification number e.g. institution registration number
  • ID 2 Medical institution name
  • Medical institution address 3 Medical institution address 4
  • Representative Name 5 Representative phone number 6
  • Medical institution digital identity identifier e.g. DID
  • the processor 110 may include an identity certificate issuing module issuing module 112 and a medical institution certificate issuing module issuing module 114 .
  • the processor 110 may execute the instructions stored in the memory 120 to drive the identity certificate issuing module issuing module 112 and the medical institution certificate issuing module issuing module 114 .
  • Operations performed by the identity certificate issuing module issuing module 112 and the medical institution certificate issuing module issuing module 114 may be understood as operations performed by the processor 110 .
  • Other operations described as being performed by the identity authentication server 100 may be understood as operations performed by the processor 110 .
  • the identity certificate issuing module issuing module 112 is a personal identity DB stored in the memory 120 . (122) can be used to issue an identity certificate.
  • an identity certificate including at least a portion of data included in the personal identity DB 122 may be generated.
  • the generated identity certificate may be digitally signed with the digital identity identifier of the identity authentication server 100 .
  • the identity certificate may include an identifier of an individual to whom the identity certificate is issued.
  • the medical institution certificate issuing module issuing module 114 may issue a medical institution certificate using the medical institution DB 124 stored in the memory 120 .
  • a medical institution certificate including at least a portion of data included in the medical institution DB 124 may be generated. It is possible to digitally sign the generated medical institution certificate with the digital identity identifier of the identity authentication server 100 .
  • the medical institution certificate may include an identifier of a medical institution to which the certificate is issued.
  • the identity authentication server 100 may include a wallet for the identity authentication server 100 to communicate with the blockchain network 600 .
  • the wallet may include an account of the identity authentication server 100 on the blockchain network 600 .
  • the identity authentication server 100 may store the private key in the memory 120 . When the identity authentication server 100 issues a certificate, it may be signed with its own private key.
  • the wallet may include a DID agent.
  • the DID agent may be issued a DID on the blockchain network 600, inquire the DID, and change the DID.
  • the identity certificate issuing module 112 may store the DID of the individual who issued the certificate and the fact of issuing the certificate in the first registry 610 .
  • the medical institution certificate issuance module 114 may store the DID of the subject who issued the certificate and the fact that the certificate is issued in the first registry 610 .
  • the vaccination management server 200 may include a processor 210 , a memory 220 , and a communication circuit 230 .
  • the processor 210 may control the overall operation of the vaccination management server 200 .
  • the vaccination management server 200 may transmit/receive data to and from other subjects 100 , 300 , 400 of the system 10 through the communication circuit 230 .
  • the memory 220 may include a vaccine DB 222 including information on vaccines.
  • Vaccine DB 222 may include the types of data shown in Table 3. Information on vaccines to be described later may include at least one data included in Table 3.
  • An inoculation certificate may be issued based on the vaccine DB 222 .
  • the vaccine DB 222 may be periodically updated according to new information. As the vaccine DB 222 is updated, an action necessary for the medical institution electronic device 300 or the personal electronic device 400 storing the inoculation certificate may be performed. The action may include, for example, a notification operation and an inoculation certificate renewal operation.
  • Vaccine type 4 Method of administration, number of inoculations 5 Clinical information (allergy, side effects) 6 Post-observation information 7 Distribution information (serial number, date of import, distribution method, delivery date to medical institutions)
  • the memory 220 may include a vaccination institution DB 2124 including information on a vaccination institution having the authority to perform vaccination.
  • the vaccination institution DB 2124 is shown in Table 4 It may include the type of data shown in . There may be multiple vaccination practitioners for a single medical institution. Based on the vaccination agency DB 224, the vaccination management server 200 may determine whether to issue an inoculation certificate.
  • One Medical institution ID identification number e.g. institution registration number
  • Vaccination practitioner name 3
  • Vaccination practitioner phone number 4
  • Vaccination practitioner identifier digital identity e.g. DID
  • permission status 6
  • Healthcare IdentifierDigital Identity e.g. DID
  • the memory 220 may include a vaccination history DB 2126 including information on the performed vaccination.
  • the vaccination history DB 2126 may include the types of data shown in Table 5.
  • One Identifier ID of the inoculant 2 Vaccine type 3 Vaccine serial number 4 Vaccination Medical Institution ID 5 Digital identifier of the individual who performed the vaccination. Information on vaccination such as time, place, and number of vaccinations. 6 Inoculation information such as inoculation time, place, frequency, etc.
  • the processor 210 may include an inoculation certificate issuing module issuing module 212 and a vaccination post management module 214 .
  • the processor 210 may execute the instructions stored in the memory 220 to drive the vaccination certificate issuing module issuing module 212 and the vaccination post management module 214 .
  • Operations performed by the vaccination certificate issuing module issuing module 212 and the vaccination post management module 214 may be understood as operations performed by the processor 2110 .
  • Other operations described as being performed by the vaccination management server 2100 may be understood as operations performed by the processor 210 .
  • the vaccination certificate issuing module issuing module 212 is a vaccine DB stored in the memory 220 .
  • the vaccination institution DB 2224 , and the inoculation history DB 226 may be used to issue an inoculation certificate.
  • an inoculation certificate including at least a portion of the data included in the vaccine DB 222 , the vaccination institution DB 2224 , and the inoculation history DB 226 may be generated.
  • the generated inoculation certificate may be digitally signed with the digital identity identifier of the vaccination management server 200 .
  • the vaccination follow-up management module 214 is a medical institution electronic device 300 and/or personal electronic device based on the vaccine DB 222 , the vaccination institution DB 2224 , and the inoculation history DB 226 stored in the memory 220 .
  • follow-up care may be provided for the device 400 .
  • the vaccination follow-up management module 214 may transmit the additional information to the medical institution electronic device 300 and/or the personal electronic device 400 . .
  • the vaccination management server 200 may include a wallet for communication between the vaccination management server 200 and the blockchain network 600 .
  • the wallet may include an account of the vaccination management server 200 on the blockchain network 600 .
  • the vaccination management server 200 may store the private key in the memory 220 . When the vaccination management server 200 issues a certificate, it can be signed with its own private key.
  • the wallet may include a DID agent.
  • the DID agent may be issued a DID on the blockchain network 600, inquire the DID, and change the DID.
  • the inoculation certificate issuance module 212 may store the individual DID, the medical institution's DID, and the certificate issuance fact included in the inoculation certificate in the first registry 610 .
  • FIG. 3 is a block diagram of a medical institution electronic device 300 and a personal electronic device 400 according to an exemplary embodiment.
  • the medical institution electronic device 300 may include a processor 310 , a memory 320 , a communication circuit 330 , a camera 340 , and a display 350 .
  • the processor 310 may control overall operations of the electronic device 300 of a medical institution.
  • the medical institution electronic device 300 may transmit/receive data to and from other subjects 100 , 200 , and 400 of the system 10 through the communication circuit 330 .
  • the memory 320 may store the first application 322 .
  • the medical institution electronic device 300 may execute the first application 322 and output an execution screen of the first application 322 through the display 350 .
  • the first application 322 may be understood as an application for receiving an authentication service provided on the system 10 .
  • the first application 322 may include functions necessary to use the authentication service, such as a function for requesting issuance of a medical institution certificate and an inoculation certificate, a function for recognizing information on vaccines, and a function for recognizing an inoculator.
  • the first application 322 may store an identifier (eg, DID) of a medical institution. It may be understood as an application for driving an identity authentication function and a vaccination report function of a medical institution that are performed.
  • the memory 320 may store the medical institution certificate 324 , the vaccination institution certificate 326 , and the vaccination practitioner list 328 .
  • the medical institution certificate 324 may be issued by the identity authentication server 100 .
  • the vaccination agency certificate 326 may be issued by the vaccination management server 300 .
  • the vaccination practitioner list 328 may be understood as a list of practitioners who may perform vaccination among medical personnel working in a medical institution.
  • the memory 322 of the electronic device 300 of the medical institution may include a secure element SE (not shown).
  • the medical institution certificate 324 and the vaccination institution certificate 326 may be stored in the secure element.
  • the secure element may be restricted in direct communication with the external devices 100 , 200 , and 400 .
  • the first application 322 may relay data transmission/reception between the secure element and the external devices 100 , 200 , and 400 .
  • the external devices 100 , 200 , and 400 may communicate with the secure element through short-range wireless communication through the communication circuit 330 .
  • the identifier of the medical institution electronic device 300 may be stored in the secure element.
  • the electronic device 300 of a medical institution may photograph a vaccine to be inoculated through the camera 340 or may photograph a person inoculated.
  • the electronic device 300 of a medical institution may identify an individual vaccine and/or inoculation recipient through the camera 340 .
  • the personal electronic device 400 may include a processor 410 , a memory 420 , a communication circuit 430 , a camera 440 , and a display 450 .
  • the processor 410 may control overall operations of the personal electronic device 400 .
  • the personal electronic device 400 may transmit/receive data to and from other subjects 100 , 200 , and 300 of the system 10 through the communication circuit 430 .
  • the memory 420 may store the second application 422 .
  • the personal electronic device 400 may execute the second application 422 and output an execution screen of the second application 422 through the display 450 .
  • the second application 422 may be understood as an application for driving an identity authentication function and a vaccination authentication function provided to an individual on the system 10 .
  • the memory 420 may store the identity certificate 424 and the inoculation certificate 426 .
  • the identity certificate 424 may be issued by the identity authentication server 100 .
  • the vaccination certificate 426 may be issued by the vaccination management server 300 .
  • the identity certificate 424 and the inoculation certificate 426 are stored in the personal electronic device 400 , and are not stored in the identity authentication server 100 , the vaccination management server 200 , and the medical institution electronic device 300 .
  • the owner of the personal electronic device 400 can directly prove his/her identity or vaccination status by using the certificate stored in his/her electronic device 400 directly without communication with other trusted organizations. have.
  • the personal electronic device 400 may generate a certificate including only necessary information and share it with a third party. In this way, individual sovereignty over data can be strengthened.
  • the memory 422 of the electronic device 400 of the medical institution may include a secure element SE (not shown).
  • the identity certificate 424 and the inoculation certificate 426 may be stored in the secure element.
  • the secure element may be restricted in direct communication with the external devices 100 , 200 , and 300 .
  • the second application 422 may relay data transmission/reception between the secure element and the external devices 100 , 200 , and 300 .
  • the external devices 100 , 200 , and 300 may communicate with the secure element through short-range wireless communication through the communication circuit 430 .
  • the personal electronic device 300 may share a stored certificate or a processed certificate with a third party through the communication circuit 330 .
  • the memory 420 may store the second application 422 .
  • the personal electronic device 400 may execute the second application 422 and output an execution screen of the second application 422 through the display 450 .
  • the second application 422 may be understood as an application for receiving an authentication service provided on the system 10 .
  • the second application 422 may include functions necessary to use the authentication service, such as a function to request issuance of an identity certificate and an inoculation certificate, and a function to share a certificate stored in the personal electronic device 400 .
  • the second application 422 may store an individual identifier (eg, DID).
  • the first application 322 and the second application 422 may include a wallet for communicating with the blockchain network 600 .
  • the wallet may include accounts on the blockchain network 600 .
  • the medical institution electronic device 300 and the personal electronic device 400 may store respective private keys in the memories 320 and 420 .
  • signing may be performed with their own private key.
  • the first application 322 and the second application 422 may include a DID agent.
  • the first application 322 and the second application 422 may receive a DID on the block chain network 600, inquire the DID, and change the DID.
  • VC verifiable credential
  • VP verifiable presentation
  • FIG. 4 is a signal flow diagram illustrating a method for the identity authentication server 100 to issue an identity certificate to the personal electronic device 400 according to an embodiment.
  • the personal electronic device 400 may request the identity authentication server 100 to issue an identity authentication VC (the above-mentioned identity certificate) ( 4010 ).
  • the personal electronic device 400 may drive the second application 422 and transmit the request to the identity authentication server 100 through the second application 422 .
  • the personal electronic device 300 may transmit its own DID (hereinafter, personal DID).
  • the identity authentication server 100 may confirm the received DID through the personal identity DB 122 block chain network 600 .
  • the identity authentication server 100 may transmit an identity verification request to the personal electronic device 300 ( 4020 ). Before issuing the identity authentication VC, the identity confirmation request may be performed to identify whether the owner of the personal electronic device 300 is a specific individual to whom the identity authentication VC is issued.
  • the identity authentication server 100 may acquire personal information ( 4030 ).
  • the identity authentication server 100 may acquire the personal information of the owner of the personal electronic device 300 from a third service that provides the identity authentication service.
  • the personal information may include name, gender, date of birth, mobile phone number, nationality, and personal identification number (eg, data in Table 1).
  • the identity authentication server 100 may compare the acquired personal information with data stored in the personal identity DB 122 and check whether the two match. Through this, the identity authentication server 100 can check whether the identity authentication VC issuance request is made by a legitimate user. It can be stored.
  • the identity authentication server 100 may issue an identity authentication VC (4040).
  • Identity Authentication VC The identity authentication server 100 may include the personal DID and personal information received from the personal electronic device 400. One VC may be issued.
  • the identity authentication VC may be digitally signed as an identifier for a digital identity as an identifier of the identity authentication server 100 .
  • the identifier may be, for example, a secret key (DID) of an account of the blockchain network 600 of the identity authentication server 100 .
  • DID secret key
  • the identity authentication server 100 and the personal electronic device 400 may form a communication channel for mutual data transmission ( 4050 ).
  • the identity authentication server 100 may transmit the identity authentication VC to the personal electronic device 400 through the communication channel.
  • the personal electronic device 400 may store the received identity authentication VC in the memory 420 .
  • the identity authentication VC may be referred to as the identity certificate 424 of FIG. 3 .
  • the communication channel may be an inter-DID encrypted secret communication channel.
  • the communication channel may be a DIDComm communication channel.
  • a communication channel formed to distribute VCs may be understood as an encrypted secret communication channel between DIDs.
  • the identity authentication VC may be delivered to the second application 422 of the personal electronic device 400 possessing the DID, which is the issuance target of the VC, through the DIDComm communication channel.
  • the identity authentication server 100 may use a web socket connected to the second application 422 .
  • the identity authentication server 100 may use the message queue after sending a push notification to the second application 422 when the websocket does not exist.
  • the identity authentication server 100 may update the personal identity DB 122 for the user who has issued the identity authentication VC to the personal identity DB 122 and store personal information (4070). For example, the identity authentication server 100 may store the DID obtained in step 4010 and the personal information obtained in step 4030 in the personal identity DB 122 in the personal identity DB 122 . Accordingly, the DID and the personal information may be mapped to each other and stored. In addition, it is possible to record whether the identity authentication VC is issued in the personal identity DB 122 .
  • the identity authentication server 100 may receive and store the push notification token from the second application 422 of the personal electronic device 400 ( 4080 ). The identity authentication server 100 may send a push notification to the personal electronic device 400 through the push notification token and the second application 422 .
  • the push notification token stored in the personal electronic device 400 may update the identity authentication server 100 with updates whenever the second application 422 is driven ( 4090 ).
  • the identity authentication server 100 may record the identity authentication VC issuance fact for the user DID in the first registry 610 of the blockchain network 600 . Therefore, the fact that the identity authentication VC issued by the identity authentication authority for the corresponding DID can be verified.
  • the method of issuing an identity certificate of FIG. 4 may be similarly applied to a method of issuing a medical institution certificate to the medical institution electronic device 300 .
  • the medical institution electronic device 300 may request a medical institution authentication VC (the aforementioned medical institution certificate) issuance request (eg, operation 4010 ).
  • the medical institution electronic device 300 may drive the first application 322 and transmit the request to the identity authentication server 100 through the first application 322 .
  • the medical institution electronic device 300 may transmit basic information about the medical institution and the DID of the medical institution stored in the first application 322 to the identity authentication server 100 .
  • the identity authentication server 100 may compare information stored in the medical institution DB 124 based on the received basic information. Through this, the identity authentication server 100 can check whether the medical institution authentication VC issuance request is made by a legitimate user. When the information stored in the medical institution DB 124 and the received basic information match, the identity authentication server 100 may issue a medical institution authentication VC including the identifier DID of the medical institution and the identifier of the identity authentication institution.
  • the identity authentication server 100 and the medical institution electronic device 300 may form a communication channel for mutual data transmission (eg, operation 4050).
  • the identity authentication server 100 may transmit the medical institution authentication VC to the medical institution electronic device 300 through the communication channel.
  • the medical institution electronic device 200 may store the received medical institution authentication VC in the memory 320 .
  • the medical institution authentication VC may be referred to as the medical institution certificate 324 of FIG. 3 .
  • the identity authentication server 100 may map and store basic information about the medical institution that issued the medical institution authentication VC and the medical institution DID to the medical institution DB 124 (eg, operation 4070). You can record whether or not it is issued.
  • the identity authentication server 100 may record the fact that the medical institution authentication VC is issued for the medical institution DID in the first registry 610 of the blockchain network 600 . Therefore, the fact that the medical institution authentication VC issued the DID by the identity authentication institution can be verified.
  • Operations 4080 to 4090 of FIG. 4 may be equally performed through the identity authentication server 100 and the first application 322 of the electronic device 300 of the medical institution.
  • the identity authentication server 100 may transmit a push notification to the medical institution electronic device 300 through the first application 322 .
  • a vaccination institution may be understood as a medical institution licensed to perform vaccination.
  • the list of vaccination institutions may be designated in advance and stored in the vaccination institution (DB) 224 of the vaccination management server 200 .
  • the vaccination institution can prove that it is a medical institution that can vaccinate with the certificate of the vaccination institution.
  • the medical institution electronic device 300 may transmit a vaccination institution authentication VC issuance request including the medical institution authentication VC (eg, the medical institution certificate 324 of FIG. 3 ) to the vaccination management server 200 ( 5010 ).
  • the request may include a medical institution authentication VC (eg, the medical institution certificate 324 of FIG. 3 ).
  • the medical institution electronic device 300 may sign the medical institution authentication VC with the medical institution DID and transmit the digitally signed medical institution authentication VC to the vaccination management server 200 .
  • the vaccination management server 200 may check whether the medical institution authentication VC is transmitted from a person having a legitimate authority to own the VC by checking whether the digital signature matches the medical institution DID stored in the medical institution authentication VC.
  • the server 200 may reject the VC issuance request.
  • the medical institution electronic device 300 may receive a medical institution authentication VC by the method described above with reference to FIG. 4 before applying for the vaccination institution authentication VC.
  • the medical institution electronic device 300 may perform identity authentication by submitting the medical institution authentication VC to the vaccination management server 200 .
  • a representative (individual) of a medical institution may download the first application 322 to the electronic device 300 of the medical institution and then generate the medical institution's own DID.
  • the DID generated locally by the representative through the first application 322 of the electronic device 300 of the medical institution may be stored and registered in the second registry 620 of the blockchain network 600 .
  • the medical institution DID may be replaced with a DID of an individual representative of the medical institution.
  • the medical institution electronic device 300 transmits the generated DID to the identity authentication server 100, and the identity authentication VC for the individual representative may be treated as a medical institution authentication VC.
  • the vaccination management server 200 may verify the received medical institution authentication VC (5020).
  • the vaccination management server 200 may verify the digital signature of the identity authentication server 100 of the medical institution authentication VC.
  • the vaccination management server 200 may check whether the DID that signed the medical institution authentication VC is the DID of the trusted institution registered in the first registry 610 of the blockchain network 600 . It is possible to check the DID owner initiated through the blockchain network 600 through the blockchain network 600 .
  • the vaccination management server 200 may compare the information of the vaccination institution DB 224 with the information of the medical institution authentication VC (5020). When the vaccination management server 200 has information matching the medical institution authentication VC in the vaccination institution DB 224 , it can confirm that the medical institution that has applied for the VC is a medical institution that has been previously authenticated as a vaccination institution.
  • the vaccination management server 200 may issue a vaccination institution VC (5030).
  • Vaccination institution VC may include an identifier of a vaccination management institution and an identifier of a medical institution.
  • the vaccination management server 200 and the medical institution electronic device 300 may form a communication channel for mutual data transmission (5040).
  • the vaccination management server 200 may transmit the vaccination institution VC to the electronic device 300 of the medical institution through the communication channel.
  • the medical institution electronic device 300 may store the received vaccination institution VC in the memory 320 .
  • the vaccination institution VC may be referred to as the vaccination institution certificate 326 of FIG. 3 .
  • the communication channel of operation 5040 may be an encrypted communication channel.
  • the communication channel may be a DIDComm communication channel.
  • the vaccination institution VC may be transmitted to the first application 322 of the medical institution electronic device 300 possessing the DID, which is the issuance target of the VC, through the DIDComm communication channel.
  • the vaccination management server 200 may use a web socket connected to the first application 322 .
  • the vaccination management server 200 may use the message queue after sending a push notification to the first application 322 when the websocket does not exist.
  • the vaccination management server 200 may store the VC issuance history in the vaccination institution DB (5060). In various embodiments, the vaccination management server 200 may record the fact that the vaccination institution authentication VC is issued for the medical institution DID in the first registry 610 of the blockchain network 600 . Therefore, it can be verified that the DID was issued by the vaccination agency certification VC by the vaccination management agency.
  • the vaccination management server 200 may receive and store the push notification token from the first application 322 of the electronic device 300 of the medical institution ( 5070 ).
  • the vaccination management server 200 may send a push notification to the medical institution electronic device 300 through the push notification token and the first application 322 .
  • the push notification token stored in the electronic device 300 of the medical institution may update the update information to the vaccination institution server 200 whenever the first application 322 is driven ( 4090 ).
  • the medical institution authentication VC may be replaced with the identity authentication VC of the individual representative of the medical institution.
  • Information on the individual representative may be stored in the vaccination agency DB 224 of the vaccination management server 200 (eg, Table 2). Individual representatives can submit the identity authentication VC issued by their DID and receive a vaccination agency VC.
  • the medical institution electronic device 300 may manage a list of practitioners to be vaccinated among medical personnel of the corresponding medical institution.
  • the medical institution electronic device 300 may store information about the practitioners in the vaccination practitioner list 328 .
  • the medical institution electronic device 300 may immediately update the changed information in the vaccination practitioner list 328 .
  • the medical institution electronic device 300 may transmit the vaccination practitioner list to the vaccination management server 200 (6010).
  • the vaccination management server 200 may update the vaccination institution DB 224 .
  • the list of vaccination practitioners may be stored in a mapping with a medical institution.
  • a medical practitioner who is a vaccination practitioner may download the first application 322 to an electronic device 300-1 (hereinafter, referred to as medical practitioner electronic device 300-1) possessed by the person and may generate a DID.
  • the medical personnel electronic device 300 - 1 may register the locally generated DID in the blockchain network 600 .
  • the medical personnel electronic device 300 - 1 may receive an identity authentication VC for the medical personnel from the identity authentication server 100 .
  • a first application 322 may be installed in the medical personnel electronic device 300 - 1 .
  • the medical personnel electronic device 300 - 1 may have the same block diagram as the medical institution electronic device 300 of FIG. 3 .
  • the medical personnel electronic device 300 - 1 may transmit the identity authentication VC to the vaccination management server 200 ( 6030 ).
  • the vaccination management server 200 may verify the digital signature of the identity authentication server 100 of the identity authentication VC.
  • the vaccination management server 200 may compare the information of the practitioner in the vaccination institution DB 224 and the information of the identity authentication VC. When there is information matching the identity authentication VC in the vaccination institution DB 224, the vaccination management server 200 may confirm that the medical person who applied for the VC is a medical person who has been previously authenticated as a vaccination practitioner (6040).
  • the vaccination management server 200 may issue a vaccination institution VC to a specific medical person (6050).
  • the vaccination institution VC may include the DID of the medical institution and the DID of the medical personnel.
  • the vaccination management server 200 and the medical personnel electronic device 300-1 may form a communication channel for data communication with each other (6060).
  • the vaccination management server 200 may transmit the vaccination institution VC to the healthcare provider electronic device 300-1 through the communication channel.
  • the healthcare provider electronic device 300 - 1 may store the received vaccination institution VC in a memory (eg, the memory 320 of FIG. 3 ).
  • the vaccination institution VC may be referred to as the vaccination institution certificate 326 of FIG. 3 .
  • the vaccination management server 200 may store the VC issuance history in the vaccination institution DB 224 (6080). In various embodiments, the vaccination management server 200 may record the fact that the vaccination institution VC is issued for the healthcare provider DID in the first registry 610 of the blockchain network 600 . Therefore, the fact that the Vaccination Agency VC issued the DID by the Vaccination Management Agency can be verified.
  • the electronic device 300 of the medical institution may transmit a vaccination practitioner deletion update request to the vaccination management server 200 .
  • the vaccination management server 200 may delete the practitioner from the vaccination institution DB 224 and cause the deleted practitioner's DID to be deleted from the first registry 610 of the block chain network 600 (6080) .
  • Vaccination agency VC issued for the deleted practitioner's DID will be unavailable. Therefore, it becomes impossible to issue an inoculation certificate through the electronic device 300-1 for medical personnel.
  • FIG. 7 is a signal flow diagram for a method of issuing an inoculation certificate according to an embodiment.
  • the medical institution electronic device 300 and the medical personnel electronic device 300 - 1 may be subjects that can request issuance of an inoculation certificate after vaccination. Although an example in which the medical institution electronic device 300 performs a request for issuing an inoculation certificate is illustrated through FIG. 7 , the same procedure may be applied to the medical care provider electronic device 300-1.
  • the medical institution electronic device 300 may identify a vaccine to be used ( 7010 ).
  • the electronic device 300 of a medical institution may drive the first application 322 and identify a vaccine to be inoculated.
  • the vaccine to be identified may be a vaccine to be directly vaccinated to the vaccinated person.
  • the medical institution electronic device 300 may acquire information about a vaccine to be used, for example, information such as a vaccine type, a serial number, and distribution information of the corresponding vaccine (eg, data in Table 3).
  • the identification procedure may be performed by manual input or by barcode/QR code recognition.
  • the medical institution electronic device 300 may receive the identity authentication VC from the personal electronic device 400 possessed by the inoculator ( 7020 ).
  • the identity authentication VC may include a digital signature of the individual's DID.
  • the medical institution electronic device 300 may identify the inoculator through the digital signature and identity authentication VC.
  • the medical institution electronic device 300 may transmit the inoculation information, the identity authentication VC of the inoculator, and the vaccination institution authentication VC of the medical institution to the vaccination management server 200, and may request issuance of the inoculation authentication VC (7030). ).
  • the vaccine identification information, the identity authentication VC, and the vaccination institution authentication VC may be digitally signed with the user DID of the medical institution electronic device 300 .
  • the electronic device 300 of the medical institution may collect and transmit information on a vaccine inoculated to a vaccination management institution and information on an individual inoculation.
  • the inoculation information may include medical information that needs to be recorded in relation to inoculation, such as identified vaccine information, inoculation time, and inoculation location.
  • the vaccination management server 200 may verify the received information.
  • the vaccination management server 200 may verify the received digital signatures of the received vaccination institution VC and the electronic device 300 of the medical institution ( 7040 ). That is, whether it is a digital signature by the vaccination institution can be verified.
  • the vaccination management server 200 may compare the received vaccine information with the vaccine DB 222 to confirm whether the correct vaccine information distributed to the corresponding medical institution is input. The vaccination management server 200 may check whether the received identity authentication VC is valid. When it is determined that the corresponding information needs to be supplemented, the vaccination management server 200 may transmit a supplementation request to the electronic device 300 of the medical institution.
  • the vaccination management server 200 may issue an inoculation authentication VC (7050).
  • the vaccination management server 200 may transmit the issued vaccination authentication VC to the personal electronic device 400 .
  • the personal electronic device 400 may store the inoculation authentication VC.
  • the inoculation certification VC may be referred to as an inoculation certificate 426 .
  • the user of the personal electronic device 400 may check detailed information about the inoculated vaccine through the second application 422 .
  • the inoculation certificate 426 may include a vaccine type, an inoculation date, an inoculation time, information on a medical institution that performed the vaccination, and information on a medical person who performed the vaccination.
  • the vaccination management server 200 may store the vaccination history in the vaccination history DB 226 .
  • FIG. 8 is a signal flow diagram for a method of authenticating whether vaccination is performed according to an embodiment.
  • An individual who has completed the inoculation holds the inoculation certificate 426 in the personal electronic device 400 .
  • the second application 422 of the personal electronic device 400 it is possible to authenticate whether a subject has been vaccinated or not with respect to a subject that requests authentication of whether or not to vaccinate.
  • FIG. 8 an example of authenticating whether or not vaccination is performed between individual A and individual B is illustrated.
  • certification of whether or not vaccination is performed can be performed by any third party, such as a company or service. Any subject possessing the electronic device 400 in which the second application 422 providing the inoculation authentication function is installed may perform the authentication.
  • a request for authentication of whether to vaccinate or not may occur between the electronic device A 400a and the electronic device B 400b ( 8010 ).
  • the electronic device A 400a and the electronic device B 400b may execute the second application 422 and output a screen requesting authentication.
  • the electronic device A 400a and the electronic device B 400b may generate an authentication request by scanning each other's screens.
  • an authentication request may occur.
  • the electronic device A 400a and the electronic device B 400b may establish an encrypted communication channel ( 8020 ).
  • the electronic device A 400a may issue a processed inoculation certificate including only some information included in the inoculation certificate 426 .
  • the processed inoculation certificate may be referred to as VP as described above.
  • the electronic device A 400a may issue a VP including only information on whether or not vaccination has been performed ( 8030 ).
  • the electronic device A 400a may transmit the VP for whether or not to vaccinate to the electronic device B 400b. Since the VP is digitally signed by the vaccination management agency, Person B can trust it. As described above, exposure of personal information can be minimized by using a zero-knowledge proof that only authenticates information on whether or not vaccination is performed.
  • the electronic device A 400a may issue a VP including only whether or not vaccination is performed among the identity authentication VC and the inoculation authentication VC.
  • the electronic device A 400a may transmit a corresponding VP to a subject requesting both identity information and whether to vaccinate.
  • the system 10 based on the blockchain network 600 is an open system, anyone using the same DID agent can use the authentication service provided by the system 10 .
  • certification can be freely performed in the private sector without a national agency or a specific trusted agency as an intermediary.
  • the electronic device may be a device of various types.
  • the electronic device may include, for example, a portable communication device (eg, a smartphone), a computer device, a portable multimedia device, a portable medical device, a camera, a wearable device, or a home appliance device.
  • a portable communication device eg, a smartphone
  • a computer device e.g., a laptop, a desktop, a tablet, or a smart bracelet
  • a portable multimedia device e.g., a portable medical device
  • a camera e.g., a camera
  • a wearable device e.g., a portable medical device
  • a home appliance device e.g., a portable medical device, a portable medical device, a camera, a wearable device, or a home appliance device.
  • the electronic device according to the embodiment of the present document is not limited to the above-described devices.
  • first, second, or first or second may simply be used to distinguish an element from other elements in question, and may refer elements to other aspects (e.g., importance or order) is not limited. It is said that one (eg, first) component is “coupled” or “connected” to another (eg, second) component, with or without the terms “functionally” or “communicatively”. When referenced, it means that one component can be connected to the other component directly (eg by wire), wirelessly, or through a third component.
  • module may include a unit implemented in hardware, software, or firmware, and may be used interchangeably with terms such as, for example, logic, logic block, component, or circuit.
  • a module may be an integrally formed part or a minimum unit or a part of the part that performs one or more functions.
  • the module may be implemented in the form of an application-specific integrated circuit (ASIC).
  • ASIC application-specific integrated circuit
  • a storage medium eg, internal memory (#36) or external memory (#38)
  • a machine eg, electronic device #01
  • It may be implemented as software (eg, program #40) including one or more instructions.
  • a processor eg, processor #20
  • a device eg, electronic device #01
  • the one or more instructions may include code generated by a compiler or code executable by an interpreter.
  • the device-readable storage medium may be provided in the form of a non-transitory storage medium.
  • 'non-transitory' only means that the storage medium is a tangible device and does not contain a signal (eg, electromagnetic wave), and this term is used in cases where data is semi-permanently stored in the storage medium and It does not distinguish between temporary storage cases.
  • a signal eg, electromagnetic wave
  • the method according to various embodiments disclosed in this document may be provided as included in a computer program product.
  • Computer program products may be traded between sellers and buyers as commodities.
  • the computer program product is distributed in the form of a machine-readable storage medium (eg compact disc read only memory (CD-ROM)), or via an application store (eg Play Store TM ) or on two user devices ( It can be distributed (eg downloaded or uploaded) directly, online between smartphones (eg: smartphones).
  • a portion of the computer program product may be temporarily stored or temporarily generated in a machine-readable storage medium such as a memory of a server of a manufacturer, a server of an application store, or a memory of a relay server.
  • each component eg, a module or a program of the above-described components may include a singular or a plurality of entities.
  • one or more components or operations among the above-described corresponding components may be omitted, or one or more other components or operations may be added.
  • a plurality of components eg, a module or a program
  • the integrated component may perform one or more functions of each component of the plurality of components identically or similarly to those performed by the corresponding component among the plurality of components prior to the integration. .
  • operations performed by a module, program, or other component are executed sequentially, in parallel, repeatedly, or heuristically, or one or more of the operations are executed in a different order, or omitted. , or one or more other operations may be added.

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Health & Medical Sciences (AREA)
  • Public Health (AREA)
  • Medical Informatics (AREA)
  • Theoretical Computer Science (AREA)
  • General Health & Medical Sciences (AREA)
  • Signal Processing (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • General Business, Economics & Management (AREA)
  • Primary Health Care (AREA)
  • Business, Economics & Management (AREA)
  • Epidemiology (AREA)
  • Biomedical Technology (AREA)
  • General Engineering & Computer Science (AREA)
  • Physics & Mathematics (AREA)
  • General Physics & Mathematics (AREA)
  • Software Systems (AREA)
  • Computer Hardware Design (AREA)
  • Data Mining & Analysis (AREA)
  • Databases & Information Systems (AREA)
  • Pathology (AREA)
  • Bioethics (AREA)
  • Management, Administration, Business Operations System, And Electronic Commerce (AREA)

Abstract

In an authentication method comprising a blockchain network including a public distributed ledger, a first electronic device associated with a first user, and a second electronic device associated with a second user, the blockchain network may store a first user identifier associated with the first user and a first institution identifier corresponding to at least one trusted institution, and the first electronic device may include a first vaccination certificate issued by the at least one trusted institution and including a first digital institution signature of the trusted institution, the first user identifier, and information associated with vaccination of the first user. Various other embodiments understood through the specification are also possible.

Description

백신 접종 디지털 인증서를 발급하고 증명하는 방법 및 그 시스템Method and system for issuing and certifying vaccination digital certificate
본 문서에서 개시되는 실시 예들은, 디지털 인증서의 발행 및 유통 기술과 관련된다. Embodiments disclosed in this document relate to technology for issuing and distributing digital certificates.
전세계에 바이러스가 유행하게 되면, 이 바이러스로 인한 전염병은 글로벌 팬데믹(pandemic) 현상으로 이어지게 된다. 팬데믹 현상을 해결하기 위해 백신이 개발되고, 백신이 완성되면 백신 접종이 시작된다. 이 때 백신 접종자와 백신 비접종자가 나누어지게 되고, 백신 접종자와 백신 비접종자를 구분하기 위하여, 백신 접종자를 인증할 수 있는 인증 수단이 요구된다.When a virus spreads around the world, an epidemic caused by this virus will lead to a global pandemic. A vaccine is developed to address the pandemic, and vaccination begins once the vaccine is complete. At this time, the vaccinated person and the non-vaccinated person are divided, and in order to distinguish between the vaccinated person and the non-vaccinated person, an authentication means capable of authenticating the vaccination person is required.
백신 접종자와 백신 비 접종자의 구분은 특히 전염성이 강한 질병에 대해서 필수적이게 된다. 강한 전염성으로 인해, 예를 들어, 많은 사람들이 접촉할 수 있는 장소에 입장 권한을 가지기 위해서 백신 접종자 인증이 요구될 수 있다. 일반적으로, 백신 접종자 임을 인증하기 위하여 인증서가 발급될 수 있다. 인증서에는 접종자의 이름, 백신 정보, 의료 기관 등에 대한 정보가 포함될 수 있다. 만약, 인증서가 종이 인증서인 경우, 인증서 자체에 대한 진위 여부 확인이 어렵고, 개인 정보 유출의 위험이 높다.The distinction between vaccinated and non-vaccinated becomes essential, especially for highly contagious diseases. Due to its strong contagious nature, immunization may be required, for example, in order to have access to places where a large number of people may come into contact. In general, a certificate may be issued to certify that you are the vaccinated person. The certificate may contain information about the name of the recipient, vaccine information, medical institution, and the like. If the certificate is a paper certificate, it is difficult to verify the authenticity of the certificate itself, and the risk of personal information leakage is high.
또한 현재의 전자 인증서는, 특정 신뢰 기관에 의해서만 발급이 이루어진다.지고, 전자 인증서 발급 절차에는 본인 인증 절차, 결제 절차가 포함되어 있어 발급 절차가 까다롭기 때문에 사용자에게 편리하지 않다. 복잡한 발급 절차를 통해 발급에 완료를 하더라도, 인쇄된 종이의 형태로 유통(기관에 제출 등)되므로 재사용이 어렵고, 다시 발급 및 인쇄 절차를 반복해야하는 불편함이 따른다.In addition, the current electronic certificate is issued only by a specific trusted authority. The electronic certificate issuance procedure includes an identity authentication procedure and a payment procedure, which is not convenient for the user because the issuance procedure is difficult. Even if the issuance is completed through a complicated issuance procedure, it is difficult to reuse because it is distributed in the form of printed paper (submitted to an institution, etc.)
본 문서에서 개시되는 다양한 실시 예들은 인증서의 발급과 유통 절차를 간소화하고, 사용자가 편리하게 백신 접종 여부를 인증할 수 있는 방법 및 시스템을 제공하고자 한다. 또한 인증 과정에서 개인 정보 유출의 위험이 없도록 하며, 개인과 개인간에도 쉽게 인증이 수행될 수 있도록 하고자 한다. 일회의 인증서 발급으로써서 전세계에서 인증이 가능하도록 하고자 한다.Various embodiments disclosed in this document are intended to provide a method and system that simplifies the issuance and distribution of certificates, and allows users to conveniently authenticate whether or not they have been vaccinated. In addition, we want to ensure that there is no risk of personal information leakage during the authentication process, and that authentication can be easily performed between individuals. As a one-time certificate issuance, we want to make it possible to certify all over the world.
본 문서에 개시되는 일 실시 예에 따른 방법은, 퍼블릭 분산 원장을 포함하는 블록체인 네트워크, 제1 사용자와 연관된 제1 전자장치 및 제2 사용자와 연관된 제2 전자장치를 포함하고, 상기 블록체인 네트워크는, 상기 제1 사용자와 연관된 제1 사용자 식별자, 적어도 하나의 신뢰기관에 대응되는 제1 기관 식별자를 저장하고, 및 상기 제1 전자장치는 상기 적어도 하나의 신뢰기관으로부터 발급되고, 신뢰기관의 제1 기관 디지털 서명, 상기 제1 사용자 식별자, 및 제1 사용자의 백신 접종과 연관된 정보를 포함하는 제1 접종 인증서를 포한다. 상기 방법은, 상기 제1 전자장치가 제2 접종 인증서를 생성하는 단계를 포함하되, 상기 제2 접종 인증서는 상기 백신 접종과 연관된 정보 중 백신 접종 여부, 상기 제1 기관 디지털 서명, 및 상기 제1 전자장치에 저장되고, 상기 제1 사용자와 연관된 제1 식별자를 기초로 생성된 제1 디지털 서명을 포함하고, 상기 제1 전자장치가 상기 제2 전자장치로 상기 제2 접종 인증서를 전송하는 단계, 상기 제2 전자장치가 상기 제2 접종 인증서에 포함된 제1 기관 디지털 서명을 상기 블록체인 네트워크에 저장된 제1 기관 식별자를 기초로 검증하는 단계, 상기 제2 전자장치가 상기 제2 접종 인증서에 포함된 제1 디지털 서명을 상기 블록체인 네트워크에 저장된 제1 사용자 식별자를 기초로 검증하는 단계, 및 상기 제1 기관 디지털 서명에 대한 검증 결과 및 상기 제1 디지털 서명에 대한 검증 결과를 기초로, 상기 제2 전자장치가 상기 백신 접종 여부에 대한 정보를 획득하는 단계를 포함할 수 있다.A method according to an embodiment disclosed in this document includes a blockchain network including a public distributed ledger, a first electronic device associated with a first user, and a second electronic device associated with a second user, the blockchain network stores a first user identifier associated with the first user, a first organization identifier corresponding to at least one trusted authority, and the first electronic device is issued by the at least one trusted authority, and a first inoculation certificate comprising a first authority digital signature, the first user identifier, and information associated with the vaccination of the first user. The method may include generating, by the first electronic device, a second inoculation certificate, wherein the second inoculation certificate includes information related to vaccination, whether vaccination is performed, the digital signature of the first institution, and the first inoculation certificate. Transmitting, by the first electronic device, the second inoculation certificate to the second electronic device, which is stored in the electronic device and includes a first digital signature generated based on the first identifier associated with the first user; verifying, by the second electronic device, the first institution digital signature included in the second inoculation certificate based on the first institution identifier stored in the blockchain network, the second electronic device being included in the second inoculation certificate verifying the first digital signature based on a first user identifier stored in the blockchain network, and based on the verification result for the first institution digital signature and the verification result for the first digital signature, 2 The method may include obtaining, by the electronic device, information on whether or not the vaccination has been performed.
본 문서에 개시되는 실시 예들에 따르면, 개인 정보의 노출을 최소화한 백신 접종 여부에 대한 인증이 이루어질 수 있다. 또한 국가 기관이나 신뢰 기관을 중개자로 하지 않고 개인과 개인 사이에서 신뢰도 높은 인증이 이루어질 수 있다. 이 외에, 본 문서를 통해 직접적 또는 간접적으로 파악되는 다양한 효과들이 제공될 수 있다.According to the embodiments disclosed in this document, authentication of whether to vaccinate with minimal exposure of personal information can be made. In addition, high-reliability authentication can be achieved between individuals without using a national agency or a trusted agency as an intermediary. In addition, various effects directly or indirectly identified through this document may be provided.
도 1은 일 실시 예에 따른 백신접종 디지털인증서를 발급하고 접종 여부를 증명하는 시스템에 대한 개략도이다.1 is a schematic diagram of a system for issuing a vaccination digital certificate and verifying whether or not vaccination is performed according to an embodiment.
도 2는 일 실시 예에 따른 신원인증서버 및 백신접종관리서버의 블록도이다.2 is a block diagram of an identity authentication server and a vaccination management server according to an embodiment.
도 3은 일 실시 예에 따른 의료기관 전자장치 및 개인 전자장치의 블록도이다. 3 is a block diagram of a medical institution electronic device and a personal electronic device according to an exemplary embodiment.
도 4는 일 실시 예에 따른 신원인증서버가 개인 전자장치에 신원 인증서를 발급하는 방법에 대한 신호 흐름도이다.4 is a signal flow diagram illustrating a method for an identity authentication server to issue an identity certificate to a personal electronic device according to an embodiment.
도 5는 일 실시 예에 따른 백신접종관리서버가 의료기관 전자장치에 백신접종기관 인증서를 발급하는 방법에 대한 신호 흐름도이다.5 is a signal flow diagram illustrating a method for a vaccination management server to issue a vaccination institution certificate to an electronic device of a medical institution according to an embodiment.
도 6은 일 실시 예에 따른 백신접종관리서버에 백신 접종의 실무자를 등록하는 방법에 대한 신호 흐름도이다6 is a signal flow diagram for a method of registering a practitioner of vaccination in the vaccination management server according to an embodiment.
도 7은 일 실시 예에 따른 접종 인증서를 발급하는 방법에 대한 신호 흐름도이다.7 is a signal flow diagram for a method of issuing an inoculation certificate according to an embodiment.
도 8은 일 실시 예에 따른 백신 접종 여부를 인증하는 방법에 대한 신호 흐름도이다.8 is a signal flow diagram for a method of authenticating whether vaccination is performed according to an embodiment.
도면의 설명과 관련하여, 동일 또는 유사한 구성요소에 대해서는 동일 또는 유사한 참조 부호가 사용될 수 있다.In connection with the description of the drawings, the same or similar reference numerals may be used for the same or similar components.
이하, 본 발명의 다양한 실시 예가 첨부된 도면을 참조하여 기재된다. 그러나, 이는 본 발명을 특정한 실시 형태에 대해 한정하려는 것이 아니며, 본 발명의 실시 예의 다양한 변경(modification), 균등물(equivalent), 및/또는 대체물(alternative)을 포함하는 것으로 이해되어야 한다. Hereinafter, various embodiments of the present invention will be described with reference to the accompanying drawings. However, this is not intended to limit the present invention to specific embodiments, and it should be understood that various modifications, equivalents, and/or alternatives of the embodiments of the present invention are included.
도 1은 일 실시 예에 따른 백신접종 디지털인증서를 발급하고 접종 여부를 증명하는 시스템(10)(이하, 시스템(10))에 대한 개략도이다. 시스템(10)상에서 이루어지는 백신접종 디지털인증서의 발급 및 증명 과정을 설명하면 다음과 같다. 1 is a schematic diagram of a system 10 (hereinafter referred to as system 10) for issuing a vaccination digital certificate and verifying whether or not inoculation is performed according to an embodiment. The issuance and certification process of the vaccination digital certificate performed on the system 10 will be described as follows.
백신 여부를 인증해주는 백신 접종 인증서(이하, 접종 인증서)는 디지털 인증서의 형태로 발급될 수 있다. 접종 인증서디지털 인증서는 백신 접종과 연관된 데이터를 포함하는 데이터 셋일 수 있다. 상기 데이터는 접종과 관련된 개인의 민감 정보를 포함할 수 있다. A vaccination certificate (hereinafter, inoculation certificate) that certifies whether or not a vaccine is available may be issued in the form of a digital certificate. Vaccination Certificate The digital certificate may be a data set including data related to vaccination. The data may include personal sensitive information related to vaccination.
백신접종관리기관은 백신의 접종과 연관된 사항을 관리하는 기관이나 단체일 수 있다. 백신접종관리기관은 백신을 수입하고, 유통하고, 접종하는 일련의 과정을 모니터링하고 그에 대한 기록을 저장, 관리할 수 있다. 백신접종관리기관은 국가에 의하여 운영되는 기관으로서 신뢰기관으로 이해될 수 있다.The vaccination management institution may be an institution or organization that manages matters related to vaccination of vaccines. Vaccination management institutions can monitor the sequence of importing, distributing, and inoculating vaccines, and store and manage records thereof. Vaccination management agency can be understood as a trust agency as an agency operated by the state.
신원인증기관은 개인과 의료기관에 대한 신원 정보를 관리하는 기관이나 단체일 수 있다. 신원인증기관은 특정 개인을 식별할 수 있도록 하는 개인에 대한 신원 정보를 관리할 수 있다. 신원인증기관은 신원 정보의 적어도 하나의 항목에 대해 인증서(이하, 신원 인증서)를 발행할 수 있다. 신원인증기관은 특정 의료기관을 식별할 수 있도록 하는 의료기관에 대한 기본 정보(신원 정보)를 관리할 수 있다. 신원인증기관은 의료기관의 기본 정보의 적어도 하나의 항목에 대해 인증서(이하, 의료기관 인증서)를 발행할 수 있다. 신원인증기관은 백신 접종을 위해 필요한 의료 기관의 인증, 접종자의 신원 인증을 수행할 수 있다. 신원인증기관은 국가에 의하여 운영되는 기관으로서 신뢰기관으로 이해될 수 있다.The identity authentication institution may be an institution or an organization that manages identity information about individuals and medical institutions. An identity certification authority may manage identity information about an individual that can identify a specific individual. The identity certification authority may issue a certificate (hereinafter, an identity certificate) for at least one item of identity information. The identity authentication institution may manage basic information (identity information) about a medical institution that can identify a specific medical institution. The identity authentication institution may issue a certificate (hereinafter, referred to as a medical institution certificate) for at least one item of basic information of a medical institution. The identity authentication institution may perform authentication of medical institutions necessary for vaccination and identity authentication of inoculators. An identity certification authority is an organization operated by the state and can be understood as a trusted authority.
백신접종은 백신을 접종할 수 있도록 공인된 의료기관에 의해 수행될 수 있다. 백신접종관리기관은 의료기관들 중 백신 접종을 수행할 수 있는 의료기관을 선정하거나, 기 선정된 의료 기관의 목록을 관리할 수 있다. 백신접종관리기관은 백신접종기관에 대한 기본신원 정보를 확인하고, 백신접종기관 인증서를 발행할 수 있다.Vaccination may be performed by a medical institution that is accredited to administer the vaccine. The vaccination management institution may select a medical institution that can perform vaccination among medical institutions or manage a list of pre-selected medical institutions. The vaccination management institution may check basic identity information about the vaccination institution and issue a certificate of the vaccination institution.
접종 인증서의 발급을 위하여, 신원인증기관, 백신접종관리기관, 의료기관은 상호협력할 수 있다. 백신접종 디지털인증서(이하, 접종 인증서)는 백신접종관리기관에 의하여 발급될 수 있다. 신원인증기관은 접종 인증서를 발급하기 위한 의료기관의 기본 정보를 백신접종관리기관에신원 인증을 제공할 수 있다. For the issuance of an inoculation certificate, an identity authentication institution, a vaccination management institution, and a medical institution may cooperate with each other. Vaccination digital certificate (hereinafter, inoculation certificate) may be issued by a vaccination management institution. The identity authentication institution may provide identity authentication to the vaccination management institution with basic information of a medical institution for issuing an inoculation certificate.
다양한 실시 예에서 신원인증기관과 백신접종관리기관은 통합될 수 있다. 예를 들어, 백신접종관리기관은 단독으로 직접 개인이나 의료기관에 대한 기본신원 정보를 보관하고, 신원 인증서를 발급할 수 있다. In various embodiments, the identity authentication authority and the vaccination management authority may be integrated. For example, a vaccination management institution can directly store basic identity information about an individual or a medical institution and issue an identity certificate.
도 1을 참조하면, 시스템(10)은 신원인증서버(100), 백신접종관리서버(200), 의료기관 전자장치(300), 개인 전자장치(400), 제3 자 전자장치(500)를 포함할 수 있다. 신원인증서버(100) 및 백신접종관리서버(200)는 복수 개의 인증서버들을 포함할 수 있으나, 이하 하나의 인증 서버로 구성된 시스템(10)이 개시된다.Referring to FIG. 1 , the system 10 includes an identity authentication server 100 , a vaccination management server 200 , a medical institution electronic device 300 , a personal electronic device 400 , and a third-party electronic device 500 . can do. The identity authentication server 100 and the vaccination management server 200 may include a plurality of authentication servers, but the system 10 configured with one authentication server is disclosed below.
신원인증서버(100)란 신원인증기관에 의하여 운영되는 서버 장치이다. 백신접종관리서버(200)란 백신접종관리기관에 의하여 운영되는 서버 장치이다. 의료기관 전자장치(300)는 백신 접종을 수행하는 의료기관이 소지한 전자장치(예: PC, 태블릿, 서버 장치)이다. 개인 전자장치(400)는 백신 접종 대상인 개인의 전자장치(예: 스마트폰, 태블릿, 개인 PC)이다. 제3자 전자장치(500)는 특정 개인의 백신 접종 여부를 확인하는 타인, 회사 등이 소유한 전자장치(예: PC, 태블릿, 서버 장치)이다. 서버 장치 및 전자장치의 구조 및 동작은 도 2 및 도 3을 통하여 후술된다.The identity authentication server 100 is a server device operated by an identity authentication authority. The vaccination management server 200 is a server device operated by a vaccination management institution. The medical institution electronic device 300 is an electronic device (eg, PC, tablet, server device) possessed by a medical institution performing vaccination. The personal electronic device 400 is a personal electronic device (eg, a smartphone, tablet, personal PC) to be vaccinated. The third-party electronic device 500 is an electronic device (eg, a PC, a tablet, a server device) owned by another person or a company that checks whether a specific individual is vaccinated. The structure and operation of the server device and the electronic device will be described later with reference to FIGS. 2 and 3 .
신원인증서버(100)는 개인에 대한 신원 인증서를 발행할 수 있고, 발생한 신원 인증서를 개인 전자장치(400)로 전송할 수 있다. 신원인증서버(100)는 의료 기관에 대한 의료기관 인증서를 발행할 수 있고, 발행한 인증서는 의료기관 전자장치(300)로 전송할 수 있다. 개인 전자장치(400)는 수신된 신원 인증서를 저장할 수 있다. 의료기관 전자장치(300)는 수신된 의료기관 인증서를 저장할 수 있다.The identity authentication server 100 may issue an identity certificate for an individual and transmit the generated identity certificate to the personal electronic device 400 . The identity authentication server 100 may issue a medical institution certificate for a medical institution, and transmit the issued certificate to the medical institution electronic device 300 . The personal electronic device 400 may store the received identity certificate. The medical institution electronic device 300 may store the received medical institution certificate.
다양한 실시 예에서, 의료기관 인증서는 특정 의료기관임을 식별할 수 있게 하는 확인증으로 이해될 수 있다. 의료기관 인증서는 의료기관 자체에 대한 확인증이거나, 의료기관 대표자에 대한 신원 인증서일 수 있다. In various embodiments, the medical institution certificate may be understood as a confirmation certificate that enables identification of a specific medical institution. The medical institution certificate may be a verification certificate for the medical institution itself or an identity certificate for a medical institution representative.
백신접종관리서버(200)는 특정 의료기관에 대한 백신접종백기관 인증서를 발행할 수 있고, 발행한 인증서를 의료기관 전자장치(300)로 전송할 수 있다. 의료기관 전자장치(300)는 수신된 백신접종기관 인증서를 저장할 수 있다.The vaccination management server 200 may issue a certificate of a white vaccination institution for a specific medical institution, and may transmit the issued certificate to the electronic device 300 of the medical institution. The medical institution electronic device 300 may store the received vaccination institution certificate.
백신접종관리서버(200)이 백신접종기관 인증서를 발행할 때, 백신접종관리서버(200)는 신원인증서버(100) 또는 의료기관 전자장치(300)로부터 의료기관 인증서를 수신할 수 있다. 백신접종관리서버(200)는 의료기관 인증서를 기초로 접종 권한이 있는 특정 의료기관 인지 여부를 식별한 후에, 상기 백신접종기관 인증서를 발행할 수 있다.When the vaccination management server 200 issues the vaccination institution certificate, the vaccination management server 200 may receive the medical institution certificate from the identity authentication server 100 or the medical institution electronic device 300 . The vaccination management server 200 may issue the vaccination institution certificate after identifying whether it is a specific medical institution authorized to inoculate based on the medical institution certificate.
의료기관 전자장치(300)는 백신 정보를 식별할 수 있다. 백신 정보는 접종자에게 투여될 백신에 대한 정보를 포함할 수 있다. 백신 정보는 예를 들어, 백신의 이름, 제조사, 임상 정보, 식별 정보, 유통 정보를 포함할 수 있다. 예를 들어, 의료기관 전자장치(300)는 백신에 부착된 코드(예: 바코드, QR 코드)를 인식함으로써 상기 백신 정보를 수신할 수 있다. 또는 의료기관 전자장치(300)는 의료인으로부터 백신 정보에 대한 직접 입력을 수신할 수 있다.The medical institution electronic device 300 may identify vaccine information. The vaccine information may include information about a vaccine to be administered to the inoculator. Vaccine information may include, for example, the name of the vaccine, manufacturer, clinical information, identification information, and distribution information. For example, the electronic device 300 of a medical institution may receive the vaccine information by recognizing a code (eg, barcode, QR code) attached to the vaccine. Alternatively, the medical institution electronic device 300 may receive a direct input for vaccine information from a medical person.
의료기관 전자장치(300)는 접종자인 개인을 식별할 수 있다. 예를 들어, 의료기관 전자장치(300)는 개인 전자장치(300)에 저장된 신원 인증서를 수신하고, 수신된 신원 인증서를 기초로 통해, 개인 전자장치(300)의 소유자인 개인을 식별할 수 있다. 백신 접종이 완료된 후, 의료기관 전자장치(300)는 식별된 백신 정보, 식별된 개인 정보, 및 접종 정보를 백신접종관리서버(200)로 전송할 수 있다. 접종 정보란, 접종 시간, 접종 위치, 접종자 상태 등 접종 사실을 보고하는데 필요한 정보를 포함할 수 있다.The medical institution electronic device 300 may identify an individual who is an inoculator. For example, the medical institution electronic device 300 may receive an identity certificate stored in the personal electronic device 300 and identify an individual who is the owner of the personal electronic device 300 based on the received identity certificate. After the vaccination is completed, the electronic device 300 of the medical institution may transmit the identified vaccine information, the identified personal information, and the inoculation information to the vaccination management server 200 . The inoculation information may include information necessary to report the fact of inoculation, such as inoculation time, inoculation location, and inoculation status.
백신접종관리서버(200)는 수신된 백신 정보, 개인 정보, 및 접종 정보를 기초로 접종 인증서를 발행할 수 있다. 백신접종관리서버(200)는 발행한 접종 인증서를 개인 전자장치(400)로 전송할 수 있다.The vaccination management server 200 may issue an inoculation certificate based on the received vaccine information, personal information, and inoculation information. The vaccination management server 200 may transmit the issued vaccination certificate to the personal electronic device 400 .
개인 전자장치(300)는 접종 인증서를 저장할 수 있다. 개인 전자장치(300)는 백신 접종 인증을 요구하는 다른 주체의 소유인개인의 전자장치 또는 제3자의 전자장치(500)에 접종 인증서에 포함된 적어도 일부의 정보를의 전부 또는 일부를 전송할 수 있다.The personal electronic device 300 may store an inoculation certificate. The personal electronic device 300 may transmit all or part of at least some information included in the inoculation certificate to an electronic device of an individual who is the owner of another subject requesting vaccination authentication or to an electronic device 500 of a third party.
본 문서에서 개시되는 인증서는 발행자에 의하여 디지털 서명될 수 있다. 디지털 서명이란 발행자의 신원을 증명하는 수단이 될 수 있방법이다. 예를 들어, 발행자는 자신의 디지털 신원에 대응되는 을 위한 식별자(Identifier)를 이용하여 인증서에 디지털 서명을 할 수 있다. 인증서 수신자는 상기 디지털 서명을 통해 인증서의 발행자가 누구인지 여부를 확인할 수 있다의 신원을 증명할 수 있게 된다. 시스템(10)에 포함되는 각 주체들(신원인증서버(100), 백신접종관리서버(200), 의료기관 전자장치(300), 개인 전자장치(400))은 각자의 식별자를 가질 수 있고, 상기 식별자를 이용하여 디지털 서명된 인증서를 발행할 수 있다.The certificate disclosed herein may be digitally signed by an issuer. A digital signature is a method that can serve as a means of proving the identity of the issuer. For example, the issuer can digitally sign the certificate using an identifier for the corresponding to its digital identity. The certificate recipient can verify the identity of who is the issuer of the certificate through the digital signature. Each subject included in the system 10 (identity authentication server 100, vaccination management server 200, medical institution electronic device 300, personal electronic device 400) may have a respective identifier, and An identifier can be used to issue a digitally signed certificate.
다양한 실시 예에서, 디지털 서명은 다양한 알고리즘으로 구성될 수 있다. 키 생성 알고리즘(A key generation algorithm), 서명 알고리즘(A signing algorithm), 서명 검증 알고리즘(A signature verifying algorithm)이 활용될 수 있다. 일 예에서, RSA 알고리즘이 활용될 수 있다. In various embodiments, the digital signature may consist of various algorithms. A key generation algorithm, A signing algorithm, and A signature verifying algorithm may be used. In one example, the RSA algorithm may be utilized.
신원증명서버(100)는 신원 증명서 및 의료기관 증명서에 자신 식별자로의 디지털 서명을 할 수 있다. 백신접종관리서버(200)는 접종 증명서에 자신의 식별자로 디지털 서명을 할 수 있다. 신원 증명서 또는 접종 증명서를 수신한 수신자는 디지털 서명을 통해 발행자를 확인할 수 있고, 증명서의 내용을 신뢰할 수 있다.The identity authentication server 100 may digitally sign an identity certificate and a medical institution certificate with its own identifier. The vaccination management server 200 may digitally sign the vaccination certificate with its identifier. Recipients who have received the identity certificate or inoculation certificate can verify the issuer through a digital signature and trust the contents of the certificate.
예를 들어 키 생성 알고리즘의 경우, 신원증명서버(100) 또는 백신접종관리서버(200)는 자신의 비밀키로 인증서에 서명을 할 수 있다. 인증서 수신자는 신원증명서버(100) 또는 백신접종관리서버(200) 소유의 공개키로 접종 인증서를 해독할 수 있다.For example, in the case of a key generation algorithm, the identity authentication server 100 or the vaccination management server 200 may sign the certificate with its own private key. The certificate recipient may decrypt the inoculation certificate with the public key owned by the identity authentication server 100 or the vaccination management server 200 .
본 문서에서 개시되는 인증서는 제3 자에 의하여 검증 가능하도록(verifiable) 설계될 수 있다. 즉, 시스템(10) 상에서 발급되고 유통되는 증명서는 특정 신뢰 기관(예: 신원인증기관, 백신접종관리기관)이 아닌 모두에 의하여 검증될 수 있다. The certificate disclosed in this document may be designed to be verifiable by a third party. That is, the certificate issued and distributed on the system 10 may be verified by all, not by a specific trusted organization (eg, an identity authentication institution, a vaccination management institution).
예를 들어 키 생성 알고리즘의 경우, 공개 키는 중앙화 된 특정 중앙 기관에 보관되지않고, 복수 개의 신뢰 기관들의 연합된 ID 관리 시스템 또는 분산원장(distributed ledger)과 같은 탈 중앙화된 P2P 네트워크에 보관될 수 있다. 이로서 누구나 접근 가능한 장소에 보관된 공개키를 값을 활용하여 인증서를 검증할 수 있다.For example, in the case of a key generation algorithm, the public key is not stored in a specific centralized authority, but in a centralized P2P network such as a federated identity management system of multiple trusted authorities or a distributed ledger. have. In this way, the certificate can be verified by using the value of the public key stored in a place where anyone can access it.
예를 들어, 백신접종관리서버(200)에 의하여 디지털 서명된 접종 증명서를 수신한 수신자는 백신접종관리기관을 통해 상기 접종 증명서를 인증하지 않더라도, 공개된 백신접종관리기관의 디지털 서명을 통해 상기 접종 증명서가 백신접종관리기관에 의하여 발행되었음을 직접 확인할 수 있고, 접종 증명서의 내용을 신뢰할 수 있다.For example, the recipient who receives the inoculation certificate digitally signed by the vaccination management server 200 does not authenticate the inoculation certificate through the vaccination management organization, but through the digital signature of the public vaccination management organization, the inoculation It can be directly confirmed that the certificate was issued by the vaccination management agency, and the contents of the vaccination certificate can be trusted.
다양한 실시 예에서, 개인 전자장치(400)는 접종 증명서의 내용의 일부를 가공한 증명서를 생성할 수 있다. 개인 전자장치(400)는 가공된 증명서를 제3 자 전자장치(500)로 전송할 수 있다. 가공의 목적은 접종 증명서에 포함된 모든 내용을 제3 자에게 전송하지 않고, 필수적인 내용만 포함되도록 함으로써 프라이버시를 보호하기 위함이다. 예를 들어 접종 유무의 사실만 증명을 하면 되는 경우, '어떤 백신을 맞았는지', '어떤 의료기관으로부터 백신접종 맞았는지'와 같은 정보는 제외하고 '백신 접종 유무'만을 포함하는 인증서가 제3 자 전자장치(500)에 전송될 수 있다.In various embodiments, the personal electronic device 400 may generate a certificate by processing a part of the contents of the inoculation certificate. The personal electronic device 400 may transmit the processed certificate to the third-party electronic device 500 . The purpose of processing is to protect privacy by not transmitting all the contents included in the inoculation certificate to a third party, and only include essential contents. For example, if only the fact of the inoculation needs to be proved, the certificate containing only the 'vaccination status' excludes information such as 'what vaccine was received' and 'what medical institution received the vaccine from' may be transmitted to the electronic device 500 .
일 실시 예에서, 시스템(10)은 블록체인 네트워크(600) 기반으로 운영될 수 있다. 시스템(10)의 블록체인 네트워크(600)는 공지의 퍼블릭 블록체인 중 적어도 하나의 블록체인 네트워크를 포함할 수 있다. 각 주체들(100, 200, 300, 400)의 디지털 서명을 위한 키 값은 블록체인 네트워크(600)에 보관될 수 있다. 예를 들어, 각 주체들(100, 200, 300, 400)의 식별자는 블록체인 네트워크(600)의 계정(account)나 주소 값이 될 수 있다.In one embodiment, the system 10 may be operated based on the blockchain network 600 . The blockchain network 600 of the system 10 may include at least one blockchain network among known public blockchains. A key value for the digital signature of each of the subjects 100 , 200 , 300 , 400 may be stored in the blockchain network 600 . For example, the identifier of each of the subjects 100 , 200 , 300 , 400 may be an account or an address value of the blockchain network 600 .
블록체인 네트워크(600)를 활용함으로써, 시스템(10)은 글로벌 시스템으로 기능할 수 있다. 글로벌 플랫폼인 블록체인 네트워크(600) 기반으로 인증서 발행과 검증이 이루어질 수 있으므로, 각국의 신뢰기관이나 각국마다 다른 인증 시스템의에 제약을 받지 않고, 접종 인증서 발행 및 검증이 이루어질 수 있다. 이하 블록체인 네트워크(600) 기반의 시스템(10)을 예를 들어 설명한다. 다만 이에 한정되는 것은 아니고 공개된 신뢰가능한 다른 네트워크가 채용될 수 있다. By utilizing the blockchain network 600, the system 10 can function as a global system. Since the certificate issuance and verification can be made based on the blockchain network 600, which is a global platform, the inoculation certificate can be issued and verified without being restricted by the trust institutions of each country or other authentication systems for each country. Hereinafter, the system 10 based on the blockchain network 600 will be described as an example. However, the present invention is not limited thereto, and other open and reliable networks may be employed.
일 실시 예에서, 신원인증서버(100), 백신접종관리서버(200), 의료기관 전자장치(300) 및 개인 전자장치(400)는 블록체인 네트워크(600)와 통신을 수행하고, 블록체인 네트워크(600) 상의 계정에 접속근할 수 있도록 하는 적어도 하나의 어플리케이션이 저장될 수 있다. 상기 적어도 하나의 어플리케이션은 블록체인 네트워크(600)의 지갑(wallet) 어플리케이션을 포함할 수 있다.In an embodiment, the identity authentication server 100, the vaccination management server 200, the medical institution electronic device 300, and the personal electronic device 400 communicate with the block chain network 600, and the block chain network ( 600), at least one application that allows access to an account on the above may be stored. The at least one application may include a wallet application of the blockchain network 600 .
일 실시 예에서, 시스템(10)에서 발급 및 유통되는 인증서는 W3C 표준 규약에 따라 설계된 검증가능한 크레덴셜(verifiable credential, VC)의 스펙을 가질 수 있다. 시스템(100)의 각 주체들(100, 200, 300, 400)은 VC의 발행자(Issuer)가 될 수 있다.In an embodiment, the certificate issued and distributed by the system 10 may have a specification of a verifiable credential (VC) designed according to the W3C standard protocol. Each of the entities 100 , 200 , 300 , and 400 of the system 100 may be an issuer of a VC.
예를 들어, 가공된 인증서는 W3C 표준 규약에 따라 설계된 검증가능한 프레젠테이션(Verifiable Presentation, VP)의 스펙을 가질 수 있다. VP는 하나의 VC에 포함된 클레임들(Claims) 중 일부 클레임으로 구성될 수 있고, 복수의 VC들로 구성될 수 있다. 또한 VP는 서로 다른 발행자에 의하여 서명된 VC들을 포함할 수 있다.로 구성될 수 있다. 시스템(10)의 주체들(100, 200, 300, 400)은 하나 이상의 VC들로부터 필요한 정보만을 포함한 VP를 발행할 생성 또는 발행할 수 있다.For example, the processed certificate may have a specification of a verifiable presentation (VP) designed according to the W3C standard protocol. The VP may be composed of some claims among claims included in one VC, and may be composed of a plurality of VCs. Also, the VP may include VCs signed by different issuers. Entities 100 , 200 , 300 , 400 of system 10 may create or issue a VP containing only the necessary information from one or more VCs.
블록체인 네트워크(600) 하에서 사용되는 디지털 서명 또는 디지털 식별자는 W3C 표준 규약에 따른 탈 중앙화된 식별자(Decentralized Identifiers, DID)로 이해될 수 있다. . Digital signatures or digital identifiers used under the blockchain network 600 may be understood as decentralized identifiers (DID) according to the W3C standard protocol. .
다양한 실시 예에서, VC는 발행자의 식멸자 및 발행 대상의 식별자를 포함할 수 있다. 예를 들어 개인 전자장치(400)의 소유자에 대한 VC가 신원인증서버(100)에 의하여 발행된 경우, VC는 신원인증서버(100)의 식별자 정보(제1 식별자)와 개인 전자장치(400)의 식별자 정보(제2 식별자)를 포함할 수 있다. 이는 VC가 제1 식별자에 의해 발행되었고, 제2 식별자에게 발행되었다는 의미를 포함할 수 있다. In various embodiments, the VC may include an identifier of an issuer and a destructor of the issuer. For example, when the VC for the owner of the personal electronic device 400 is issued by the identity authentication server 100 , the VC is the identifier information (the first identifier) of the identity authentication server 100 and the personal electronic device 400 . of identifier information (second identifier). This may include a meaning that the VC was issued by the first identifier and was issued to the second identifier.
또한, 개인 전자장치(400)는 상기 VC에 대해 자신의 제2 식별자로 서명함으로써 VP를 생성할 수 있다. 이로써, VP는 제1 식별자에 의하여 제2 식별자에게 발행된 VC를 현재 제2 식별자의 주인이 소유하고 있다는 정보를 포함할 수 있다. 따라서 VC의 일부 정보를 포함하는 VP를 수신한 제3자는, VC의 정당한 소유자로부터 인증 정보를 수신한 것을 확인할 수 있고, 상기 인증 정보를 신뢰할 수 있다. 예를 들어, VP를 수신한 제3 자는 VP를 생성한 자의 제2 식별자와 VC에 포함된 제2 식별자의 일치 여부를 확인함으로써, VC의 정당한 소유자가 생성한 VP를 전송 받았음을 확인할 수 있고, VP내에 저장된 정보를 신뢰할 수 있다.Also, the personal electronic device 400 may generate a VP by signing the VC with its second identifier. Accordingly, the VP may include information that the owner of the second identifier currently owns the VC issued to the second identifier by the first identifier. Accordingly, a third party that has received the VP including some information of the VC can confirm that it has received the authentication information from the rightful owner of the VC, and can trust the authentication information. For example, a third party receiving the VP can confirm that the VP created by the rightful owner of the VC has been transmitted by checking whether the second identifier of the person who created the VP matches the second identifier included in the VC, The information stored in the VP can be trusted.
이하 블록체인 네트워크(600) 기반의 시스템(10)을 예를 들어 설명한다. 다만 이에 한정되는 것은 아니고 공개된 신뢰가능한 다른 네트워크가 채용될 수 있다. 블록체인 네트워크(600)를 통한 검증을 위하여 일 실시 예에서, 블록체인 네트워크(600)는 ID 레지스트리(610, 620)를 저장할 수 있다. ID 레지스트리(610, 620)에는 시스템(10)의 주체들의 식별자(예: DID)가 저장될 수 있다. 에는 VC발행자들의 공개 키가 저장될 수 있다. 예를 들어, ID레지스트리(610, 620)에는 신원인증서버(100), 백신접종관리서버(200), 의료기관 전자장치(300) 및 개인 전자장치(400)의 DID가 저장될 수 있다. Hereinafter, the system 10 based on the blockchain network 600 will be described as an example. However, the present invention is not limited thereto, and other open and reliable networks may be employed. For verification through the blockchain network 600 , in one embodiment, the blockchain network 600 may store ID registries 610 and 620 . Identifiers (eg, DIDs) of subjects of the system 10 may be stored in the ID registries 610 and 620 . Public keys of VC issuers may be stored in . For example, the ID registries 610 and 620 may store DIDs of the identity authentication server 100 , the vaccination management server 200 , the medical institution electronic device 300 , and the personal electronic device 400 .
시스템(10)의 각 주체들(100, 200, 300, 400)은 상호간의 인증서의 검증을 위하여 블록체인 네트워크(600)의 DID 레지스트리(610, 620)에 대한 접근하고, 상기 레지스트리에 저장된 ID들을 열람할 권한을 가질 수 있다.Each of the subjects 100, 200, 300, and 400 of the system 10 accesses the DID registry 610, 620 of the blockchain network 600 for mutual verification of certificates, and stores the IDs stored in the registry. You may have permission to read.
일 실시 예에서, 블록체인 네트워크(600)는 제1 ID레지스트리(610) 및 제2 ID레지스트리(620)를 포함할 수 있다. 제1 ID레지스트리(610)는 신원인증서버(100) 및 백신접종관리서버(200)에 의해 관리되는 저장 공간으로 이해될 수 있다. 제1 ID레지스트리(610)에 저장되는 데이터는 신뢰기관(100, 200)들에 의해 입력, 수정, 삭제될 수 있다. 따라서 의료기관 전자장치(300) 및 개인 전자장치(400)는 제1 ID 레지스트리(610)에 저장된 데이터를 열람할 수 있지만, 제1 ID 레지스트리(610)에 저장된 데이터를 수정하거나 삭제할 수 없고, 제1 ID 레지스트리(610)에 신규 데이터를 추가할 수 없다. 반면에 제2 ID레지스트리(620)에 저장되는 데이터는 각 주체들(100, 200, 300, 400)에 의하여 입력, 수정, 삭제될 수 있다. 따라서 신뢰기관(100, 200)에 의해 제공되는 정보가 블록체인 네트워크(600)에 저장될 수 있고, 이를 열람하는 주체는 상기 정보를 신뢰할 수 있다.In an embodiment, the blockchain network 600 may include a first ID registry 610 and a second ID registry 620 . The first ID registry 610 may be understood as a storage space managed by the identity authentication server 100 and the vaccination management server 200 . Data stored in the first ID registry 610 may be input, modified, or deleted by the trusted organizations 100 and 200 . Accordingly, the medical institution electronic device 300 and the personal electronic device 400 can view data stored in the first ID registry 610 , but cannot modify or delete data stored in the first ID registry 610 , New data cannot be added to the ID registry 610 . On the other hand, data stored in the second ID registry 620 may be input, modified, or deleted by the respective subjects 100 , 200 , 300 , and 400 . Therefore, the information provided by the trusted institutions 100 and 200 can be stored in the block chain network 600, and the subject who reads it can trust the information.
도 2는 일 실시 예에 따른 신원인증서버(100) 및 백신접종관리서버(200)의 블록도이다. 다양한 실시 예에서 신원인증서버(100) 및 백신접종관리서버(200)는 통합될 수 있다. 신원인증서버(100) 및 백신접종관리서버(200)는 하나의 서버 장치로 예를 들어 도시 되었으나, 복수의 서버 장치로 구성될 수 있다.2 is a block diagram of the identity authentication server 100 and the vaccination management server 200 according to an embodiment. In various embodiments, the identity authentication server 100 and the vaccination management server 200 may be integrated. Although the identity authentication server 100 and the vaccination management server 200 are illustrated as one server device, for example, they may be composed of a plurality of server devices.
일 실시 예에서, 신원인증서버(100)는 프로세서(110), 메모리(120), 통신회로(130)를 포함할 수 있다. 프로세서(110)는 신원인증서버(100)의 동작 전반을 제어할 수 있다. 신원인증서버(100)는 통신회로(130)를 통하여 시스템(10)의 다른 주제들(200, 300, 400)과 데이터를 송수신할 수 있다.In an embodiment, the identity authentication server 100 may include a processor 110 , a memory 120 , and a communication circuit 130 . The processor 110 may control the overall operation of the identity authentication server 100 . The identity authentication server 100 may transmit/receive data to and from other subjects 200 , 300 , and 400 of the system 10 through the communication circuit 130 .
일 실시 예에서, 메모리(120)는 신원 인증서를 발행할 대상인 개인들에 대한 신원 정보를 포함하는 개인신원DB(122)를 포함할 수 있다. 개인신원DB(122)는 표 1에 도시된 종류의 데이터를 포함할 수 있다. 개인신원DB(122)에 기초하여 개인에 대한 신원 인증서가 발행될 수 있다.In an embodiment, the memory 120 may include a personal identity DB 122 including identity information on individuals to whom an identity certificate is to be issued. The personal identity DB 122 may include the types of data shown in Table 1. An identity certificate for an individual may be issued based on the personal identity DB 122 .
1One 디지털 신원 식별자(예: DID)Digital identity identifiers (such as DIDs)
22 이름name
33 생년월일date of birth
44 전화번호Phone number
55 개인식별번호 (예: 주민번호)Personal identification number (e.g. social security number)
66 국적nationality
77 푸시토큰push token
메모리(120)는 의료기관 인증서를 발행할 대상인 의료기관들에 대한 의료기관DB(124)를 포함할 수 있다. 의료기관DB(124)는 표2에 도시된 종류의 데이터를 포함 할 수 있다. 의료기관DB(124)에 기초하여 의료기관에 대한 의료기관 인증서가 발행될 수 있다.The memory 120 may include a medical institution DB 124 for medical institutions to which a medical institution certificate is to be issued. The medical institution DB 124 may include the types of data shown in Table 2. A medical institution certificate for a medical institution may be issued based on the medical institution DB 124 .
1One 의료기관 식별번호(예: 기관 등록번호)IDMedical institution identification number (eg, institution registration number) ID
22 의료기관 명Medical institution name
33 의료기관 주소Medical institution address
44 대표자 이름Representative Name
55 대표자 전화번호Representative phone number
66 의료기관 디지털 신원 식별자(예: DID)Medical institution digital identity identifier (e.g. DID)
일 실시 예에서, 프로세서(110)는 신원 인증서 발급모듈발행모듈(112)과 의료기관 인증서 발급모듈발행모듈(114)을 포함할 수 있다. 프로세서(110)는 메모리(120)에 저장된 명령어들을 실행하여 신원 인증서 발급모듈발행모듈(112)과 의료기관 인증서 발급모듈발행모듈(114)을 구동시킬 수 있다. 신원 인증서 발급모듈발행모듈(112)과 의료기관 인증서 발급모듈발행모듈(114)에 의하여 수행되는 동작은 프로세서(110)에 의하여 수행되는 동작으로 이해될 수 있다. 기타 신원인증서버(100)에 의하여 수행되는 것으로 기술된 동작들은 프로세서(110)에 의하여 수행되는 동작으로 이해될 수 있다.신원 인증서 발급모듈발행모듈(112)은 메모리(120)에 저장된 개인신원DB(122)를 이용하여 신원 인증서를 발행급할 수 있다. 예를 들어, 개인신원DB(122)에 포함된 데이터의 적어도 일부를 포함하는 신원 인증서를 생성할 수 있다. 생성된 신원 인증서에 신원인증서버(100)의 디지털 신원 식별자로 디지털 서명을 할 수 있다. 상기 신원 인증서는 신원 인증서 발행 대상인 개인의 식별자를 포함할 수 있다.In an embodiment, the processor 110 may include an identity certificate issuing module issuing module 112 and a medical institution certificate issuing module issuing module 114 . The processor 110 may execute the instructions stored in the memory 120 to drive the identity certificate issuing module issuing module 112 and the medical institution certificate issuing module issuing module 114 . Operations performed by the identity certificate issuing module issuing module 112 and the medical institution certificate issuing module issuing module 114 may be understood as operations performed by the processor 110 . Other operations described as being performed by the identity authentication server 100 may be understood as operations performed by the processor 110 . The identity certificate issuing module issuing module 112 is a personal identity DB stored in the memory 120 . (122) can be used to issue an identity certificate. For example, an identity certificate including at least a portion of data included in the personal identity DB 122 may be generated. The generated identity certificate may be digitally signed with the digital identity identifier of the identity authentication server 100 . The identity certificate may include an identifier of an individual to whom the identity certificate is issued.
의료기관 인증서 발급모듈발행모듈(114)는 메모리(120)에 저장된 의료기관DB(124)를 이용하여 의료기관 인증서를 발급할 수 있다. 예를 들어, 의료기관DB(124)에 포함된 데이터의 적어도 일부를 포함하는 의료기관 인증서를 생성할 수 있다. 생성된 의료기관 인증서에 신원인증서버(100)의 디지털 신원 식별자로 디지털 서명을 할 수 있다. 상기 의료기관 인증서는 인증서 발행 대상인 의료기관의 식별자를 포함할 수 있다. The medical institution certificate issuing module issuing module 114 may issue a medical institution certificate using the medical institution DB 124 stored in the memory 120 . For example, a medical institution certificate including at least a portion of data included in the medical institution DB 124 may be generated. It is possible to digitally sign the generated medical institution certificate with the digital identity identifier of the identity authentication server 100 . The medical institution certificate may include an identifier of a medical institution to which the certificate is issued.
일 실시 예에서, 신원인증서버(100)는 신원인증서버(100)가 블록체인 네트워크(600)와 통신하기 위한 지갑(wallet)을 포함할 수 있다. 지갑은 블록체인 네트워크(600)상의 신원인증서버(100)의 계정을 포함할 수 있다. 예를 들어, 신원인증서버(100)는 개인 키를 메모리(120)에 저장할 수 있다. 신원인증서버(100)가 인증서를 발행할 때 자신의 개인키로 서명을 수행할 수 있다.In an embodiment, the identity authentication server 100 may include a wallet for the identity authentication server 100 to communicate with the blockchain network 600 . The wallet may include an account of the identity authentication server 100 on the blockchain network 600 . For example, the identity authentication server 100 may store the private key in the memory 120 . When the identity authentication server 100 issues a certificate, it may be signed with its own private key.
다양한 실시 예에서, 상기 지갑은 DID 에이전트(DID agent)를 포함할 수 있다. DID 에이젼트는 블록체인 네트워크(600)상의 DID를 발급 받고, DID를 조회하고, DID를 변경할 수 있다. 신원 인증서 발행모듈(112)은 인증서를 발행한 개인의 DID, 인증서 발행 사실을 제1 레지스트리(610)에 저장할 수 있다. 의료기관 인증서 발행모듈(114)은 인증서를 발행한 대상의 DID, 인증서 발행 사실을 제1 레지스트리(610)에 저장할 수 있다.In various embodiments, the wallet may include a DID agent. The DID agent may be issued a DID on the blockchain network 600, inquire the DID, and change the DID. The identity certificate issuing module 112 may store the DID of the individual who issued the certificate and the fact of issuing the certificate in the first registry 610 . The medical institution certificate issuance module 114 may store the DID of the subject who issued the certificate and the fact that the certificate is issued in the first registry 610 .
일 실시 예에서, 백신접종관리서버(200)는 프로세서(210), 메모리(220), 통신회로(230)를 포함할 수 있다. 프로세서(210)는 백신접종관리서버(200)의 동작 전반을 제어할 수 있다. 백신접종관리서버(200)는 통신회로(230)를 통하여 시스템(10)의 다른 주제들(100, 300, 400)과 데이터를 송수신할 수 있다.In an embodiment, the vaccination management server 200 may include a processor 210 , a memory 220 , and a communication circuit 230 . The processor 210 may control the overall operation of the vaccination management server 200 . The vaccination management server 200 may transmit/receive data to and from other subjects 100 , 300 , 400 of the system 10 through the communication circuit 230 .
일 실시 예에서, 메모리(220)는 백신에 대한 정보를 포함하는 백신DB(222)를 포함할 수 있다. 백신DB(222)는 표 3에 도시된 종류의 데이터를 포함할 수 있다. 이후 서술될 백신에 대한 정보는 표 3에 포함된 적어도 하나의 데이터를 포함할 수 있다. 백신DB(222)에 기초하여 접종 인증서가 발행될 수 있다. 또한 백신DB(222)는 신규 정보에 따라 주기적으로 갱신될 수 있다. 백신DB(222)의 갱신됨에 따라 의료기관 전자장치(300) 또는 접종 인증서를 저장하고 있는 개인 전자장치(400)에 필요한 액션이 수행될 수 있다. 상기 액션은 예를 들어, 알림 동작, 접종 인증서 갱신 동작을 포함할 수 있다.In an embodiment, the memory 220 may include a vaccine DB 222 including information on vaccines. Vaccine DB 222 may include the types of data shown in Table 3. Information on vaccines to be described later may include at least one data included in Table 3. An inoculation certificate may be issued based on the vaccine DB 222 . Also, the vaccine DB 222 may be periodically updated according to new information. As the vaccine DB 222 is updated, an action necessary for the medical institution electronic device 300 or the personal electronic device 400 storing the inoculation certificate may be performed. The action may include, for example, a notification operation and an inoculation certificate renewal operation.
1One 백신 이름vaccine name
22 제조사manufacturing company
33 백신 유형Vaccine type
44 투여 방법, 접종 횟수Method of administration, number of inoculations
55 임상 정보(알러지, 부작용)Clinical information (allergy, side effects)
66 사후 관찰 정보Post-observation information
77 유통 정보(시리얼 번호, 수입일, 유통 방법, 의료기관 배송일)Distribution information (serial number, date of import, distribution method, delivery date to medical institutions)
일 실시 예에서, 메모리(220)는 백신 접종을 수행할 권한을 가지는 백신접종기관에 대한 정보를 포함하는 백신접종기관DB(2124)를 포함할 수 있다.백신접종기관DB(2124)는 표 4에 도시된 종류의 데이터를 포함할 수 있다. 하나의 의료기관에 대해 복수의 백신접종 실무자가 존재할 수 있다. 백신접종기관DB(224)에 기초하여 백신접종관리서버(200)는 접종 인증서의 발행 여부를 결정할 수 있다.In an embodiment, the memory 220 may include a vaccination institution DB 2124 including information on a vaccination institution having the authority to perform vaccination. The vaccination institution DB 2124 is shown in Table 4 It may include the type of data shown in . There may be multiple vaccination practitioners for a single medical institution. Based on the vaccination agency DB 224, the vaccination management server 200 may determine whether to issue an inoculation certificate.
1One 의료기관 ID 식별번호(예: 기관 등록번호) Medical institution ID identification number (e.g. institution registration number)
22 백신접종 실무자 이름Vaccination practitioner name
33 백신접종 실무자 전화번호Vaccination practitioner phone number
44 백신접종 실무자 식별자디지털 신원(예: DID)Vaccination practitioner identifier digital identity (e.g. DID)
55 허가 상태permission status
66 의료기관 식별자디지털 신원(예: DID)Healthcare IdentifierDigital Identity (e.g. DID)
일 실시 예에서, 메모리(220)는 수행된 백신 접종에 대한 정보를 포함하는 백신접종이력DB(2126)를 포함할 수 있다. 백신접종이력DB(2126)은 표 5에 도시된 종류의 데이터를 포함할 수 있다.In an embodiment, the memory 220 may include a vaccination history DB 2126 including information on the performed vaccination. The vaccination history DB 2126 may include the types of data shown in Table 5.
1One 접종자의 식별자 IDIdentifier ID of the inoculant
22 백신 종류Vaccine type
33 백신 시리얼 번호 Vaccine serial number
44 백신접종 의료기관 IDVaccination Medical Institution ID
55 백신접종 수행자인 개인의 디지털 식별자 ID접종 시간, 장소, 횟수 등 접종 정보Digital identifier of the individual who performed the vaccination. Information on vaccination such as time, place, and number of vaccinations.
66 접종 시간, 장소, 횟수 등 접종 정보Inoculation information such as inoculation time, place, frequency, etc.
일 실시 예에서, 프로세서(210)는 접종 인증서 발급모듈발행모듈(212)과 백신접종 사후관리모듈(214)을 포함할 수 있다. 프로세서(210)는 메모리(220)에 저장된 명령어들을 실행하여 접종 인증서 발급모듈발행모듈(212)과 백신접종 사후관리모듈(214)을 구동시킬 수 있다. 접종 인증서 발급모듈발행모듈(212)과 백신접종 사후관리모듈(214)에 의하여 수행되는 동작은 프로세서(2110)에 의하여 수행되는 동작으로 이해될 수 있다. 기타 백신접종관리서버(2100)에 의하여 수행되는 것으로 기술된 동작들은 프로세서(210)에 의하여 수행되는 동작으로 이해될 수 있다.접종 인증서 발급모듈발행모듈(212)은 메모리(220)에 저장된 백신DB(222), 백신접종기관DB(2224), 및 접종이력DB(226)를 이용하여 접종 인증서를 발행급할 수 있다. 예를 들어, 백신DB(222), 백신접종기관DB(2224), 및 접종이력DB(226)에 포함된 데이터의 적어도 일부를 포함하는 접종 인증서를 생성할 수 있다. 생성된 접종 인증서에 백신접종관리서버(200)의 디지털 신원 식별자로 디지털 서명을 할 수 있다. In an embodiment, the processor 210 may include an inoculation certificate issuing module issuing module 212 and a vaccination post management module 214 . The processor 210 may execute the instructions stored in the memory 220 to drive the vaccination certificate issuing module issuing module 212 and the vaccination post management module 214 . Operations performed by the vaccination certificate issuing module issuing module 212 and the vaccination post management module 214 may be understood as operations performed by the processor 2110 . Other operations described as being performed by the vaccination management server 2100 may be understood as operations performed by the processor 210 . The vaccination certificate issuing module issuing module 212 is a vaccine DB stored in the memory 220 . 222 , the vaccination institution DB 2224 , and the inoculation history DB 226 may be used to issue an inoculation certificate. For example, an inoculation certificate including at least a portion of the data included in the vaccine DB 222 , the vaccination institution DB 2224 , and the inoculation history DB 226 may be generated. The generated inoculation certificate may be digitally signed with the digital identity identifier of the vaccination management server 200 .
백신접종 사후관리모듈(214)는 메모리(220)에 저장된 백신DB(222), 백신접종기관DB(2224), 및 접종이력DB(226)를 기초로 의료기관 전자장치(300) 및/또는 개인 전자장치(400)에 대해 사후 관리를 제공할 수 있다. 예를 들어, 백신DB(222)에 새로운 임상 정보가 추가된 경우, 백신접종 사후관리모듈(214)은 상기 추가 정보를 의료기관 전자장치(300) 및/또는 개인 전자장치(400)로 전송할 수 있다.The vaccination follow-up management module 214 is a medical institution electronic device 300 and/or personal electronic device based on the vaccine DB 222 , the vaccination institution DB 2224 , and the inoculation history DB 226 stored in the memory 220 . Follow-up care may be provided for the device 400 . For example, when new clinical information is added to the vaccine DB 222 , the vaccination follow-up management module 214 may transmit the additional information to the medical institution electronic device 300 and/or the personal electronic device 400 . .
일 실시 예에서, 백신접종관리서버(200)는 백신접종관리서버(200)와 블록체인 네트워크(600)가 통신하기 위한 지갑을 포함할 수 있다. 지갑은 블록체인 네트워크(600)상의 백신접종관리서버(200)의 계정을 포함할 수 있다. 예를 들어, 백신접종관리서버(200)는 개인 키를 메모리(220)에 저장할 수 있다. 백신접종관리서버(200)가 인증서를 발행할 때 자신의 개인키로 서명을 수행할 수 있다.In an embodiment, the vaccination management server 200 may include a wallet for communication between the vaccination management server 200 and the blockchain network 600 . The wallet may include an account of the vaccination management server 200 on the blockchain network 600 . For example, the vaccination management server 200 may store the private key in the memory 220 . When the vaccination management server 200 issues a certificate, it can be signed with its own private key.
다양한 실시 예에서, 상기 지갑은 DID 에이전트(DID agent)를 포함할 수 있다. DID 에이젼트는 블록체인 네트워크(600)상의 DID를 발급 받고, DID를 조회하고, DID를 변경할 수 있다. 접종 인증서 발행모듈(212)은 접종 인증서에 포함된 개인의 DID, 의료기관의 DID, 인증서 발행 사실을 제1 레지스트리(610)에 저장할 수 있다. In various embodiments, the wallet may include a DID agent. The DID agent may be issued a DID on the blockchain network 600, inquire the DID, and change the DID. The inoculation certificate issuance module 212 may store the individual DID, the medical institution's DID, and the certificate issuance fact included in the inoculation certificate in the first registry 610 .
도 3은 일 실시 예에 따른 의료기관 전자장치(300) 및 개인 전자장치(400)의 블록도이다. 3 is a block diagram of a medical institution electronic device 300 and a personal electronic device 400 according to an exemplary embodiment.
일 실시 예에서, 의료기관 전자장치(300)는 프로세서(310), 메모리(320), 통신회로(330), 카메라(340), 디스플레이(350)를 포함할 수 있다. 프로세서(310)는 의료기관 전자장치(300)의 동작 전반을 제어할 수 있다. 의료기관 전자장치(300)는 통신회로(330)를 통하여 시스템(10)의 다른 주제들(100, 200, 400)과 데이터를 송수신할 수 있다.In an embodiment, the medical institution electronic device 300 may include a processor 310 , a memory 320 , a communication circuit 330 , a camera 340 , and a display 350 . The processor 310 may control overall operations of the electronic device 300 of a medical institution. The medical institution electronic device 300 may transmit/receive data to and from other subjects 100 , 200 , and 400 of the system 10 through the communication circuit 330 .
일 실시 예에서, 메모리(320)는 제1 어플리케이션(322)을 저장할 수 있다. 의료기관 전자장치(300)는 제1 어플리케이션(322)을 실행시키고, 제1 어플리케이션(322)의 실행 화면을 디스플레이(350)를 통하여 출력할 수 있다. In an embodiment, the memory 320 may store the first application 322 . The medical institution electronic device 300 may execute the first application 322 and output an execution screen of the first application 322 through the display 350 .
제1 어플리케이션(322)은 시스템(10) 상에서 제공되는 인증 서비스를 제공받기 위한 어플리케이션으로 이해될 수 있다. 제1 어플리케이션(322)은 의료기관 인증서 및 접종 인증서의 발행 요청 기능, 백신에 대한 정보 인식 기능, 접종자 인식 기능 등 인증 서비스를 사용하기 위하여 필요한 기능들을 포함할 수 있다. 제1 어플리케이션(322)은 의료기관의 식별자(예: DID)를 저장할 수 있다.수행되는 의료 기관의 신원 인증 기능 및 백신 접종 보고 기능 등을 구동하기 위한 어플리케이션으로 이해될 수 있다.The first application 322 may be understood as an application for receiving an authentication service provided on the system 10 . The first application 322 may include functions necessary to use the authentication service, such as a function for requesting issuance of a medical institution certificate and an inoculation certificate, a function for recognizing information on vaccines, and a function for recognizing an inoculator. The first application 322 may store an identifier (eg, DID) of a medical institution. It may be understood as an application for driving an identity authentication function and a vaccination report function of a medical institution that are performed.
일 실시 예에서 메모리(320)는 의료기관 인증서(324), 백신접종기관 인증서(326), 및 백신접종 실무자 목록(328)을 저장할 수 있다. 의료기관 인증서(324)는 신원인증서버(100)에 의하여 발행된 것일 수 있다. 백신접종기관 인증서(326)는 백신접종관리서버(300)에 의하여 발행된 것일 수 있다. 백신접종 실무자 목록(328)은 의료 기관 내에 종사하는 의료인들 중에서 백신 접종을 수행할 수 있는 실무자에 대한 목록으로 이해될 수 있다.In an embodiment, the memory 320 may store the medical institution certificate 324 , the vaccination institution certificate 326 , and the vaccination practitioner list 328 . The medical institution certificate 324 may be issued by the identity authentication server 100 . The vaccination agency certificate 326 may be issued by the vaccination management server 300 . The vaccination practitioner list 328 may be understood as a list of practitioners who may perform vaccination among medical personnel working in a medical institution.
다양한 실시 예에서, 의료기관 전자장치(300)의 메모리(322)는 보안 요소(secure element)(SE)(미도시)를 포함할 수 있다. 의료기관 인증서(324) 및 백신접종기관 인증서(326)는 보안 요소에 저장될 수 있다. 예를 들어, 보안 요소는 외부 장치(100,200,400)과 직접 통신이 제한될 수 있다. 제1 어플리케이션(322)은 보안 요소와 외부 장치(100, 200, 400) 사이의 데이터 송수신을 중계할 수 있다. 다른 예에서, 외부 장치(100, 200, 400)는 통신 회로(330)를 통한 근거리 무선 통신을 통하여 보안 요소와 통신을 수행할 수 있다. 의료기관 전자장치(300)의 식별자는 상기 보안 요소에 저장될 수 있다.In various embodiments, the memory 322 of the electronic device 300 of the medical institution may include a secure element SE (not shown). The medical institution certificate 324 and the vaccination institution certificate 326 may be stored in the secure element. For example, the secure element may be restricted in direct communication with the external devices 100 , 200 , and 400 . The first application 322 may relay data transmission/reception between the secure element and the external devices 100 , 200 , and 400 . In another example, the external devices 100 , 200 , and 400 may communicate with the secure element through short-range wireless communication through the communication circuit 330 . The identifier of the medical institution electronic device 300 may be stored in the secure element.
다양한 실시 예에서, 의료기관 전자장치(300)는 카메라(340)를 통해 접종할 백신을 촬영하거나, 접종자를 촬영할 수 있다. 예를 들어, 의료기관 전자장치(300)는 카메라(340)를 통해 백신 및/또는 접종자 개인을 식별할 수 있다.In various embodiments, the electronic device 300 of a medical institution may photograph a vaccine to be inoculated through the camera 340 or may photograph a person inoculated. For example, the electronic device 300 of a medical institution may identify an individual vaccine and/or inoculation recipient through the camera 340 .
일 실시 예에서, 개인 전자장치(400)는 프로세서(410), 메모리(420), 통신회로(430), 카메라(440), 디스플레이(450)를 포함할 수 있다. 프로세서(410)는 개인 전자장치(400)의 동작 전반을 제어할 수 있다. 개인 전자장치(400)는 통신회로(430)를 통하여 시스템(10)의 다른 주제들(100, 200, 300)과 데이터를 송수신할 수 있다.In an embodiment, the personal electronic device 400 may include a processor 410 , a memory 420 , a communication circuit 430 , a camera 440 , and a display 450 . The processor 410 may control overall operations of the personal electronic device 400 . The personal electronic device 400 may transmit/receive data to and from other subjects 100 , 200 , and 300 of the system 10 through the communication circuit 430 .
일 실시 예에서, 메모리(420)는 제2 어플리케이션(422)을 저장할 수 있다. 개인 전자장치(400)는 제2 어플리케이션(422)을 실행시키고, 제2 어플리케이션(422)의 실행 화면을 디스플레이(450)를 통하여 출력할 수 있다.In an embodiment, the memory 420 may store the second application 422 . The personal electronic device 400 may execute the second application 422 and output an execution screen of the second application 422 through the display 450 .
제2 어플리케이션(422)은 시스템(10) 상에서 개인에게 제공되는 신원 인증 기능 및 백신 접종 인증 기능 구동하기 위한 어플리케이션으로 이해될 수 있다.The second application 422 may be understood as an application for driving an identity authentication function and a vaccination authentication function provided to an individual on the system 10 .
일 실시 예에서 메모리(420)는 신원 인증서(424) 및 접종 인증서(426)를 저장할 수 있다. 신원 인증서(424)는 신원인증서버(100)에 의하여 발행된 것일 수 있다. 접종 인증서(426)는 백신접종관리서버(300)에 의하여 발행된 것일 수 있다.In one embodiment, the memory 420 may store the identity certificate 424 and the inoculation certificate 426 . The identity certificate 424 may be issued by the identity authentication server 100 . The vaccination certificate 426 may be issued by the vaccination management server 300 .
신원 인증서(424) 및 접종 인증서(426)는 개인 전자장치(400)내에 저장되고, 신원인증서버(100), 백신접종관리서버(200), 및 의료기관 전자장치(300)에 저장되지 않는다. 개인 전자장치(400)의 소유자는 일단 인증서를 발급 받은 후에는, 다른 신뢰기관과의 통신 없이 직접 자신의 전자장치(400)에 저장된 인증서를 활용하여 주체적으로 자신의 신원이나 백신 접종 여부를 증명할 수 있다. 또한 개인 전자장치(400)는 가공된 인증서를 발행함으로써, 필요한 정보만 포함한 인증서를 생성하고 제3자에게 공유할 수 있다. 이로서 데이터에 대한 개인의 주권이 강화될 수 있다. The identity certificate 424 and the inoculation certificate 426 are stored in the personal electronic device 400 , and are not stored in the identity authentication server 100 , the vaccination management server 200 , and the medical institution electronic device 300 . Once the certificate is issued, the owner of the personal electronic device 400 can directly prove his/her identity or vaccination status by using the certificate stored in his/her electronic device 400 directly without communication with other trusted organizations. have. Also, by issuing the processed certificate, the personal electronic device 400 may generate a certificate including only necessary information and share it with a third party. In this way, individual sovereignty over data can be strengthened.
다양한 실시 예에서, 의료기관 전자장치(400)의 메모리(422)는 보안 요소(secure element)(SE)(미도시)를 포함할 수 있다. 신원 인증서(424) 및 접종 인증서(426)는 보안 요소에 저장될 수 있다. 예를 들어, 보안 요소는 외부 장치(100, 200, 300)와 직접 통신이 제한될 수 있다. 제2 어플리케이션(422)은 보안 요소와 외부 장치(100, 200, 300) 사이의 데이터 송수신을 중계할 수 있다. 다른 예에서, 외부 장치(100, 200, 300)는 통신 회로(430)를 통한 근거리 무선 통신을 통하여 보안 요소와 통신을 수행할 수 있다.In various embodiments, the memory 422 of the electronic device 400 of the medical institution may include a secure element SE (not shown). The identity certificate 424 and the inoculation certificate 426 may be stored in the secure element. For example, the secure element may be restricted in direct communication with the external devices 100 , 200 , and 300 . The second application 422 may relay data transmission/reception between the secure element and the external devices 100 , 200 , and 300 . In another example, the external devices 100 , 200 , and 300 may communicate with the secure element through short-range wireless communication through the communication circuit 430 .
일 실시 예에서, 개인 전자장치(300)는 통신 회로(330)를 통하여 저장된 인증서 또는 가공된 인증서를 제3 자에게 공유할 수 있다. In an embodiment, the personal electronic device 300 may share a stored certificate or a processed certificate with a third party through the communication circuit 330 .
일 실시 예에서, 메모리(420)는 제2 어플리케이션(422)을 저장할 수 있다. 개인 전자장치(400)는 제2 어플리케이션(422)을 실행시키고, 제2 어플리케이션(422)의 실행 화면을 디스플레이(450)를 통하여 출력할 수 있다.In an embodiment, the memory 420 may store the second application 422 . The personal electronic device 400 may execute the second application 422 and output an execution screen of the second application 422 through the display 450 .
제2 어플리케이션(422)은 시스템(10) 상에서 제공되는 인증 서비스를 제공받기 위한 어플리케이션으로 이해될 수 있다. 제2 어플리케이션(422)은 신원 인증서 및 접종 인증서의 발행 요청 기능, 개인 전자장치(400)에 저장된 인증서 공유 기능 등 인증 서비스를 사용하기 위하여 필요한 기능들을 포함할 수 있다. 제2 어플리케이션(422)은 개인의 식별자(예: DID)를 저장할 수 있다.The second application 422 may be understood as an application for receiving an authentication service provided on the system 10 . The second application 422 may include functions necessary to use the authentication service, such as a function to request issuance of an identity certificate and an inoculation certificate, and a function to share a certificate stored in the personal electronic device 400 . The second application 422 may store an individual identifier (eg, DID).
일 실시 예에서, 제1 어플리케이션(322) 및 제2 어플리케이션(422)는 블록체인 네트워크(600)와 통신하기 위한 지갑(wallet)을 포함할 수 있다. 지갑은 블록체인 네트워크(600)상의 계정을 포함할 수 있다. 예를 들어, 의료기관 전자장치(300)와 개인 전자장치(400)는 각각의 개인 키를 메모리(320, 420)에 저장할 수 있다. 의료기관 전자장치(300)와 개인 전자장치(400)가 인증서를 발행할 때 자신의 개인키로 서명을 수행할 수 있다.In an embodiment, the first application 322 and the second application 422 may include a wallet for communicating with the blockchain network 600 . The wallet may include accounts on the blockchain network 600 . For example, the medical institution electronic device 300 and the personal electronic device 400 may store respective private keys in the memories 320 and 420 . When the medical institution electronic device 300 and the personal electronic device 400 issue a certificate, signing may be performed with their own private key.
다양한 실시 예에서, 제1 어플리케이션(322) 및 제2 어플리케이션(422)은 DID 에이전트(DID agent)를 포함할 수 있다. 제1 어플리케이션(322) 및 제2 어플리케이션(422)은 블록체인 네트워크(600)상의 DID를 발급 받고, DID를 조회하고, DID를 변경할 수 있다. In various embodiments, the first application 322 and the second application 422 may include a DID agent. The first application 322 and the second application 422 may receive a DID on the block chain network 600, inquire the DID, and change the DID.
이하, 시스템(10)상에서 발행되는 인증서가 W3C 표준 규약에 따른 검증가능한 크레덴셜(이하, VC)인 경우를 예를 들어 설명한다. 또한 VC로부터 가공되어 생성된 인증서를 W3C 표준 규약에 따라 설계된 검증가능한 프레젠테이션(이하, VP)인 경우를 예를 들어 설명한다. Hereinafter, a case in which the certificate issued on the system 10 is a verifiable credential (hereinafter, VC) according to the W3C standard will be described as an example. In addition, the case of a verifiable presentation (hereinafter referred to as VP) designed according to the W3C standard protocol will be described as an example of the certificate generated by processing from the VC.
도 4는 일 실시 예에 따른 신원인증서버(100)가 개인 전자장치(400)에 신원 인증서를 발급하는 방법에 대한 신호 흐름도이다. 4 is a signal flow diagram illustrating a method for the identity authentication server 100 to issue an identity certificate to the personal electronic device 400 according to an embodiment.
개인 전자장치(400)는 신원인증서버(100)에 신원인증VC(상술한, 신원 인증서) 발행을 요청할 수 있다(4010). 개인 전자장치(400)는 제2 어플리케이션(422)를 구동시키고, 제2 어플리케이션(422)을 통해 상기 요청을 신원인증서버(100)로 전송할 수 있다. 동작 4010에서 개인 전자장치(300)는 자신의 DID(이하, 개인 DID)를 전송할 수 있다. 신원인증서버(100)는 수신된 DID를 개인신원DB(122) 블록체인 네트워크(600)를 통해 확인할 수 있다. 신원인증서버(100)는 개인 전자장치(300)로 본인 확인 요청을 전송할 수 있다(4020). 상기 본인 확인 요청은 신원 인증 VC를 발행하기 이전에, 개인 전자장치(300)의 소유자가 신원 인증 VC를 발급할 특정 개인인지 여부를 식별하기 위하여 수행될 수 있다.The personal electronic device 400 may request the identity authentication server 100 to issue an identity authentication VC (the above-mentioned identity certificate) ( 4010 ). The personal electronic device 400 may drive the second application 422 and transmit the request to the identity authentication server 100 through the second application 422 . In operation 4010, the personal electronic device 300 may transmit its own DID (hereinafter, personal DID). The identity authentication server 100 may confirm the received DID through the personal identity DB 122 block chain network 600 . The identity authentication server 100 may transmit an identity verification request to the personal electronic device 300 ( 4020 ). Before issuing the identity authentication VC, the identity confirmation request may be performed to identify whether the owner of the personal electronic device 300 is a specific individual to whom the identity authentication VC is issued.
신원인증서버(100)는 개인 정보를 획득할 수 있다(4030). 예를 들어 신원인증서버(100)는 본인 인증 서비스를 제공하는 제3의 서비스로부터 개인 전자장치(300)의 소유자의 개인 정보를 획득할 수 있다. 상기 개인 정보는 이름, 성별, 생년월일, 휴대폰번호, 국적, 개인식별번호를 포함할 수 있다(예: 표 1의 데이터). 신원인증서버(100)는 획득한 개인 정보를 개인신원DB(122)에 저장된 데이터와 비교하고, 양자가 일치하는지 여부를 확인할 수 있다. 이를 통해 신원인증서버(100)는 신원인증VC 발행 요청이 정당한 사용자에 의한 것인지 여부를 확인할 수 있다.저장할 수 있다.The identity authentication server 100 may acquire personal information ( 4030 ). For example, the identity authentication server 100 may acquire the personal information of the owner of the personal electronic device 300 from a third service that provides the identity authentication service. The personal information may include name, gender, date of birth, mobile phone number, nationality, and personal identification number (eg, data in Table 1). The identity authentication server 100 may compare the acquired personal information with data stored in the personal identity DB 122 and check whether the two match. Through this, the identity authentication server 100 can check whether the identity authentication VC issuance request is made by a legitimate user. It can be stored.
신원인증서버(100)는 신원인증VC를 발행할 수 있다(4040). 신원인증VC신원인증서버(100)는 개인 전자장치(400)로부터 수신한 개인 DID와 개인 정보를 포함할 수 있다.한 VC를 발행할 수 있다. 신원인증VC는 신원인증서버(100)의 식별자로 디지털 신원을 위한 식별자(Identifier)로 디지털 서명될 수 있다. 상기 식별자는 예를 들어, 신원인증서버(100)의 블록체인 네트워크(600)의 계정의 비밀 키(DID)일 수 있다.The identity authentication server 100 may issue an identity authentication VC (4040). Identity Authentication VC The identity authentication server 100 may include the personal DID and personal information received from the personal electronic device 400. One VC may be issued. The identity authentication VC may be digitally signed as an identifier for a digital identity as an identifier of the identity authentication server 100 . The identifier may be, for example, a secret key (DID) of an account of the blockchain network 600 of the identity authentication server 100 .
신원인증서버(100)와 개인 전자장치(400)는 상호 데이터 전송을 위한 통신 채널을 형성할 수 있다(4050). 신원인증서버(100)는 상기 통신 채널을 통해 신원인증VC를 개인 전자장치(400)에 전송할 수 있다. 개인 전자장치(400)는 수신한 신원인증VC를 메모리(420)에 저장할 수 있다. 신원인증VC는 도 3의 신원 인증서(424)로 참조될 수 있다.The identity authentication server 100 and the personal electronic device 400 may form a communication channel for mutual data transmission ( 4050 ). The identity authentication server 100 may transmit the identity authentication VC to the personal electronic device 400 through the communication channel. The personal electronic device 400 may store the received identity authentication VC in the memory 420 . The identity authentication VC may be referred to as the identity certificate 424 of FIG. 3 .
일 예에서, 상기 통신 채널은 DID 간 암호화 비밀 통신 채널일 수 있다. 예를 들어, 상기 통신 채널은 DIDComm 통신 채널일 수 있다. 이하, VC가 유통되기 위하여 형성되는 통신 채널은 DID 간 암호화 비밀 통신 채널로 이해될 수 있다. 신원인증VC는 DIDComm 통신 채널을 통해 VC의 발급 대상인 DID를 소유한 개인 전자장치(400)의 제2 어플리케이션(422)으로 전달될 수 있다. 예를 들어, 신원인증서버(100)는 제2 어플리케이션(422)과 연결된 웹 소켓을 이용할 수 있다. 또는 신원인증서버(100)는 상기 웹소켓이 없는 경우, 제2 어플리케이션(422)에 푸시 알림(push notification)를 보낸 후에 메시지 큐를 이용할 수 있다In one example, the communication channel may be an inter-DID encrypted secret communication channel. For example, the communication channel may be a DIDComm communication channel. Hereinafter, a communication channel formed to distribute VCs may be understood as an encrypted secret communication channel between DIDs. The identity authentication VC may be delivered to the second application 422 of the personal electronic device 400 possessing the DID, which is the issuance target of the VC, through the DIDComm communication channel. For example, the identity authentication server 100 may use a web socket connected to the second application 422 . Alternatively, the identity authentication server 100 may use the message queue after sending a push notification to the second application 422 when the websocket does not exist.
신원인증서버(100)는 개인신원DB(122)에 신원인증 VC를 발급한 사용자에 대한 개인신원DB(122)를 갱신개인 정보를 저장할 수 있다(4070). 예를 들어, 신원인증서버(100)는 개인신원DB(122)에 4010 단계에서 획득한 DID, 4030단계에서 획득한 개인 정보를 개인신원DB(122)에 저장할 수 있다. 따라서 상기 DID와 상기 개인 정보가 서로 맵핑되어 저장될 수 있다. 또한 개인신원DB(122)에 신원인증VC의 발급 여부를 기록할 수 있다.The identity authentication server 100 may update the personal identity DB 122 for the user who has issued the identity authentication VC to the personal identity DB 122 and store personal information (4070). For example, the identity authentication server 100 may store the DID obtained in step 4010 and the personal information obtained in step 4030 in the personal identity DB 122 in the personal identity DB 122 . Accordingly, the DID and the personal information may be mapped to each other and stored. In addition, it is possible to record whether the identity authentication VC is issued in the personal identity DB 122 .
신원인증서버(100)는 개인 전자장치(400)의 제2 어플리케이션(422)으로부터 푸시알림 토큰을 수신 받아 저장할 수 있다(4080). 신원인증서버(100)는 푸시알림 토큰 및 제2 어플리케이션(422)을 통해 개인 전자장치(400)에 푸시알림을 보낼 수 있다.The identity authentication server 100 may receive and store the push notification token from the second application 422 of the personal electronic device 400 ( 4080 ). The identity authentication server 100 may send a push notification to the personal electronic device 400 through the push notification token and the second application 422 .
개인 전자장치(400)에 저장된 푸시알림토큰은 제2 어플리케이션(422)이 구동될 때마다 갱신 사항을 신원인증서버(100)에 업데이트할 수 있다(4090).The push notification token stored in the personal electronic device 400 may update the identity authentication server 100 with updates whenever the second application 422 is driven ( 4090 ).
다양한 실시 예에서, 신원인증서버(100)는 블록체인 네트워크(600)의 제1 레지스트리(610)에 사용자 DID에 대한 신원인증VC 발급 사실을 기록할 수 있다. 따라서 해당 DID에 대하여 신원인증기관에 의하여 신원인증VC가 발급했다는 사실이 검증될 수 있다.In various embodiments, the identity authentication server 100 may record the identity authentication VC issuance fact for the user DID in the first registry 610 of the blockchain network 600 . Therefore, the fact that the identity authentication VC issued by the identity authentication authority for the corresponding DID can be verified.
도 4의 신원 인증서 발급 방법은 의료기관 전자장치(300)에 의료기관 인증서를 발급 방법에 유사하게 적용될 수 있다. The method of issuing an identity certificate of FIG. 4 may be similarly applied to a method of issuing a medical institution certificate to the medical institution electronic device 300 .
의료기관 전자장치(300)는 의료기관인증VC(상술한 의료기관 인증서) 발행 요청을 요청할 수 있다(예: 동작(4010)). 의료기관 전자장치(300)는 제1 어플리케이션(322)를 구동시키고, 제1 어플리케이션(322)을 통해 상기 요청을 신원인증서버(100)로 전송할 수 있다. 이때, 의료기관 전자장치(300)는 의료기관에 대한 기본 정보 및 제1 어플리케이션(322)에 저장된 의료기관의 DID를 신원인증서버(100)로 전송할 수 있다.The medical institution electronic device 300 may request a medical institution authentication VC (the aforementioned medical institution certificate) issuance request (eg, operation 4010 ). The medical institution electronic device 300 may drive the first application 322 and transmit the request to the identity authentication server 100 through the first application 322 . In this case, the medical institution electronic device 300 may transmit basic information about the medical institution and the DID of the medical institution stored in the first application 322 to the identity authentication server 100 .
신원인증서버(100)는 수신된 기본 정보를 기초로 의료기관DB(124)에 저장된 정보를 비교할 수 있다. 이를 통해 신원인증서버(100)는 의료기관인증VC 발행 요청이 정당한 사용자에 의한 것인지 여부를 확인할 수 있다. 신원인증서버(100)는 의료기관DB(124)에 저장된 정보와 수신된 기본 정보가 일치하는 경우 상기 의료기관의 식별자DID 및 신원인증기관의 식별자를 포함한 의료기관인증VC를 발급할 수 있다.The identity authentication server 100 may compare information stored in the medical institution DB 124 based on the received basic information. Through this, the identity authentication server 100 can check whether the medical institution authentication VC issuance request is made by a legitimate user. When the information stored in the medical institution DB 124 and the received basic information match, the identity authentication server 100 may issue a medical institution authentication VC including the identifier DID of the medical institution and the identifier of the identity authentication institution.
신원인증서버(100)와 의료기관 전자장치(300)는 상호 데이터 전송을 위한 통신 채널을 형성할 수 있다(예: 동작 4050). 신원인증서버(100)는 상기 통신 채널을 통해 의료기관인증VC를 의료기관 전자장치(300)에 전송할 수 있다. 의료기관 전자장치(200)는 수신한 의료기관인증VC를 메모리(320)에 저장할 수 있다. 의료기관 인증VC는 도 3의 의료기관 인증서(324)로 참조될 수 있다. 신원인증서버(100)는 의료기관DB(124)에 의료기관인증VC를 발급한 의료기관에 대한 기본 정보 및 의료기관 DID를 맵핑하여 저장할 수 있다(예: 동작 4070) 또한 의료기관DB(124)에 의료기관인증VC의 발급 여부를 기록할 수 있다.The identity authentication server 100 and the medical institution electronic device 300 may form a communication channel for mutual data transmission (eg, operation 4050). The identity authentication server 100 may transmit the medical institution authentication VC to the medical institution electronic device 300 through the communication channel. The medical institution electronic device 200 may store the received medical institution authentication VC in the memory 320 . The medical institution authentication VC may be referred to as the medical institution certificate 324 of FIG. 3 . The identity authentication server 100 may map and store basic information about the medical institution that issued the medical institution authentication VC and the medical institution DID to the medical institution DB 124 (eg, operation 4070). You can record whether or not it is issued.
다양한 실시 예에서, 신원인증서버(100)는 블록체인 네트워크(600)의 제1 레지스트리(610)에 의료기관 DID에 대한 의료기관인증VC 발급 사실을 기록할 수 있다. 따라서 해당 DID에 대하여 신원인증기관에 의하여 의료기관인증VC가 발급했다는 사실이 검증될 수 있다.In various embodiments, the identity authentication server 100 may record the fact that the medical institution authentication VC is issued for the medical institution DID in the first registry 610 of the blockchain network 600 . Therefore, the fact that the medical institution authentication VC issued the DID by the identity authentication institution can be verified.
도 4의 동작 4080 내지 4090은 신원인증서버(100)와 의료기관 전자장치(300)의 제1 어플리케이션(322)을 통해 동일하게 수행될 수 있다. 이를 통해 신원인증서버(100)는 제1 어플리케이션(322)을 통해 의료기관 전자장치(300)에 푸시 알림을 전송할 수 있다. Operations 4080 to 4090 of FIG. 4 may be equally performed through the identity authentication server 100 and the first application 322 of the electronic device 300 of the medical institution. Through this, the identity authentication server 100 may transmit a push notification to the medical institution electronic device 300 through the first application 322 .
도 5는 일 실시 예에 따른 백신접종관리서버(200)가 의료기관 전자장치(300)에 백신접종기관 인증서를 발급하는 방법에 대한 신호 흐름도이다. 백신접종기관이란 백신 접종을 수행할 수 있도록 허가된 의료기관으로 이해될 수 있다. 백신접종기관의 목록은 미리 지정되어 백신접종관리서버(200)의 백신접종기관(DB)(224)에 저장될 수 있다. 백신접종기관은 백신접종기관 인증서로서 백신 접종이 가능한 의료기관임을 증명할 수 있다.5 is a signal flow diagram illustrating a method by which the vaccination management server 200 issues a vaccination institution certificate to the electronic device 300 of a medical institution according to an embodiment. A vaccination institution may be understood as a medical institution licensed to perform vaccination. The list of vaccination institutions may be designated in advance and stored in the vaccination institution (DB) 224 of the vaccination management server 200 . The vaccination institution can prove that it is a medical institution that can vaccinate with the certificate of the vaccination institution.
의료기관 전자장치(300)는 의료기관인증 VC(예: 도 3의 의료기관 인증서(324))를 포함한 백신접종기관인증VC 발행 요청을 백신접종관리서버(200)에 전송할 수 있다(5010). 상기 요청은 의료기관인증 VC(예: 도 3의 의료기관 인증서(324))를 포함할 수 있다. 다양한 실시 예에서, 의료기관 전자장치(300)는 의료기관 DID로 의료기관인증VC에 서명을 수행할 수 있고, 디지털 서명된 의료기관인증VC를 백신접종관리서버(200)로 전송할 수 있다. 백신접종관리서버(200)는 디지털 서명과 의료기관인증 VC에 저장된 의료기관 DID의 일치여부를 확인함으로써, 상기 의료기관인증VC가 그 VC를 소유할 정당한 권한이 있는 자로부터 전송되었는지 여부를 확인할 수 있다. 만약, 타 의료기관이 상기 의료기관인증VC를 가지고 부당한 백신접종기관인증VC 발행요청을 한 경우에, 동작 5010에서 수신된 의료기관인증VC에 상기 VC 저장된 의료기관 DID에 의한 서명이 포함되지 않았으므로, 백신접종관리서버(200)는 VC발행요청을 거부할 수 있다.The medical institution electronic device 300 may transmit a vaccination institution authentication VC issuance request including the medical institution authentication VC (eg, the medical institution certificate 324 of FIG. 3 ) to the vaccination management server 200 ( 5010 ). The request may include a medical institution authentication VC (eg, the medical institution certificate 324 of FIG. 3 ). In various embodiments, the medical institution electronic device 300 may sign the medical institution authentication VC with the medical institution DID and transmit the digitally signed medical institution authentication VC to the vaccination management server 200 . The vaccination management server 200 may check whether the medical institution authentication VC is transmitted from a person having a legitimate authority to own the VC by checking whether the digital signature matches the medical institution DID stored in the medical institution authentication VC. If another medical institution makes an unreasonable issuance of a vaccination institution authentication VC with the medical institution authentication VC, since the medical institution authentication VC received in operation 5010 does not include a signature by the medical institution DID stored in the VC, vaccination management The server 200 may reject the VC issuance request.
의료기관 전자장치(300)는 백신접종기관인증VC를 신청하기 이전에, 도 4를 통해 상술된 방법으로 의료기관인증VC를 발급받을 수 있다. 의료기관 전자장치(300)는 백신접종관리서버(200)에 의료기관인증VC를 제출함으로써, 신원인증을 수행할 수 있다. 예를 들어, 의료기관의 대표(개인)는 의료기관 전자장치(300)에 제1 어플리케이션(322)을 다운로드 한 후에 의료기관 자신의 DID를 생성할 수 있다. 대표자가 의료기관 전자장치(300)의 제1 어플리케이션(322)을 통해 로컬에서 생성한 DID는 블록체인 네트워크(600)의 제2 레지스트리(620)에 저장등록될 수 있다. 다양한 실시 예에서, 의료기관 DID는 의료기관의 대표자 개인의 DID로 대체될 수 있다. 이 경우, 의료기관 전자장치(300)는 생성된 DID를 신원인증서버(100)로 전송하고, 대표자 개인에 대한 신원인증 VC는 의료기관인증VC로 취급될 수 있다.를 발급받을 수 있다. The medical institution electronic device 300 may receive a medical institution authentication VC by the method described above with reference to FIG. 4 before applying for the vaccination institution authentication VC. The medical institution electronic device 300 may perform identity authentication by submitting the medical institution authentication VC to the vaccination management server 200 . For example, a representative (individual) of a medical institution may download the first application 322 to the electronic device 300 of the medical institution and then generate the medical institution's own DID. The DID generated locally by the representative through the first application 322 of the electronic device 300 of the medical institution may be stored and registered in the second registry 620 of the blockchain network 600 . In various embodiments, the medical institution DID may be replaced with a DID of an individual representative of the medical institution. In this case, the medical institution electronic device 300 transmits the generated DID to the identity authentication server 100, and the identity authentication VC for the individual representative may be treated as a medical institution authentication VC.
백신접종관리서버(200)는 수신된 의료기관인증VC를 검증할 수 있다(5020). 백신접종관리서버(200)는 의료기관인증VC의 신원인증서버(100)의 디지털 서명을 검증할 수 있다. 예를 들어, 백신접종관리서버(200)는 의료기관인증 VC에 서명한 DID가 블록체인 네트워크(600)의 제1 레지스트리(610)에 등록된 신뢰기관의 DID 인지 여부를 확인할 수 있다. 되었는지, 블록체인 네틍워크(600)를 통해 개시된 DID 소유자를 블록체인 네트워크(600)를 통해 확인할 수 있다.The vaccination management server 200 may verify the received medical institution authentication VC (5020). The vaccination management server 200 may verify the digital signature of the identity authentication server 100 of the medical institution authentication VC. For example, the vaccination management server 200 may check whether the DID that signed the medical institution authentication VC is the DID of the trusted institution registered in the first registry 610 of the blockchain network 600 . It is possible to check the DID owner initiated through the blockchain network 600 through the blockchain network 600 .
백신접종관리서버(200)는 백신접종기관DB(224)의 정보와 의료기관인증VC의 정보를 비교할 수 있다(5020). 백신접종관리서버(200)는 백신접종기관DB(224)에 의료기관인증VC와 일치하는 정보가 있는 경우, VC 신청을 한 의료 기관이 미리 백신접종기관으로 인증된 의료기관임을 확인할 수 있다. 백신접종관리서버(200)는 백신접종기관 VC를 발행할 수 있다(5030). 백신접종기관VC는 백신접종관리기관의 식별자 및 의료기관의 식별자를 포함할 수 있다.The vaccination management server 200 may compare the information of the vaccination institution DB 224 with the information of the medical institution authentication VC (5020). When the vaccination management server 200 has information matching the medical institution authentication VC in the vaccination institution DB 224 , it can confirm that the medical institution that has applied for the VC is a medical institution that has been previously authenticated as a vaccination institution. The vaccination management server 200 may issue a vaccination institution VC (5030). Vaccination institution VC may include an identifier of a vaccination management institution and an identifier of a medical institution.
백신접종관리서버(200)와 의료기관 전자장치(300)는 상호 데이터 전송을 위한 통신 채널을 형성할 수 있다(5040). 백신접종관리서버(200)는 상기 통신 채널을 통해 백신접종기관VC를 의료기관 전자장치(300)에 전송할 수 있다. 의료기관 전자장치(300)는 수신한 백신접종기관VC를 메모리(320)에 저장할 수 있다. 백신접종기관VC는 도 3의 백신접종기관 인증서(326)로 참조될 수 있다.The vaccination management server 200 and the medical institution electronic device 300 may form a communication channel for mutual data transmission (5040). The vaccination management server 200 may transmit the vaccination institution VC to the electronic device 300 of the medical institution through the communication channel. The medical institution electronic device 300 may store the received vaccination institution VC in the memory 320 . The vaccination institution VC may be referred to as the vaccination institution certificate 326 of FIG. 3 .
일 예에서, 동작 5040의 통신 채널은 암호화 통신 채널일 수 있다. 예를 들어, 상기 통신 채널은 DIDComm 통신 채널일 수 있다. 백신접종기관VC는 DIDComm 통신 채널을 통해 VC의 발급 대상인 DID를 소유한 의료기관 전자장치(300)의 제1 어플리케이션(322)으로 전달될 수 있다. 예를 들어, 백신접종관리서버(200)는 제1 어플리케이션(322)과 연결된 웹 소켓을 이용할 수 있다. 또는 백신접종관리서버(200)는 상기 웹소켓이 없는 경우, 제1 어플리케이션(322)에 푸시 알림(push notification)를 보낸 후에 메시지 큐를 이용할 수 있다In one example, the communication channel of operation 5040 may be an encrypted communication channel. For example, the communication channel may be a DIDComm communication channel. The vaccination institution VC may be transmitted to the first application 322 of the medical institution electronic device 300 possessing the DID, which is the issuance target of the VC, through the DIDComm communication channel. For example, the vaccination management server 200 may use a web socket connected to the first application 322 . Alternatively, the vaccination management server 200 may use the message queue after sending a push notification to the first application 322 when the websocket does not exist.
백신접종관리서버(200)는 VC발급 이력을 백신접종기관DB에 저장할 수 있다(5060). 다양한 실시 예에서, 백신접종관리서버(200)는 블록체인 네트워크(600)의 제1 레지스트리(610)에 의료기관 DID에 대한 백신접종기관인증VC 발급 사실을 기록할 수 있다. 따라서 해당 DID에 대하여 백신접종관리기관에 의하여 백신접종기관인증VC가 발급했다는 사실이 검증될 수 있다.The vaccination management server 200 may store the VC issuance history in the vaccination institution DB (5060). In various embodiments, the vaccination management server 200 may record the fact that the vaccination institution authentication VC is issued for the medical institution DID in the first registry 610 of the blockchain network 600 . Therefore, it can be verified that the DID was issued by the vaccination agency certification VC by the vaccination management agency.
백신접종관리서버(200)는 의료기관 전자장치(300)의 제1 어플리케이션(322)으로부터 푸시알림 토큰을 수신 받아 저장할 수 있다(5070). 백신접종관리서버(200)는 푸시알림 토큰 및 제1 어플리케이션(322)을 통해 의료기관 전자장치(300)에 푸시알림을 보낼 수 있다.The vaccination management server 200 may receive and store the push notification token from the first application 322 of the electronic device 300 of the medical institution ( 5070 ). The vaccination management server 200 may send a push notification to the medical institution electronic device 300 through the push notification token and the first application 322 .
의료기관 전자장치(300)에 저장된 푸시알림토큰은 제1 어플리케이션(322)이 구동될 때마다 갱신 사항을 백신접종기관서버(200)에 업데이트할 수 있다(4090).The push notification token stored in the electronic device 300 of the medical institution may update the update information to the vaccination institution server 200 whenever the first application 322 is driven ( 4090 ).
다양한 실시 예에서, 의료기관인증VC는 의료기관의 대표자 개인의 신원인증VC로 대체될 수 있다. 대표자 개인에 대한 정보는 백신접종관리서버(200)의 백신접종기관DB(224)에 저장될 수 있다(예: 표 2). 대표자 개인은 자신의 DID로 발급된 신원인증VC를 제출하고, 백신접종기관VC를 발급받을 수 있다. In various embodiments, the medical institution authentication VC may be replaced with the identity authentication VC of the individual representative of the medical institution. Information on the individual representative may be stored in the vaccination agency DB 224 of the vaccination management server 200 (eg, Table 2). Individual representatives can submit the identity authentication VC issued by their DID and receive a vaccination agency VC.
도 6은 일 실시 예에 따른 백신접종관리서버(200)에 백신 접종의 실무자를 등록하는 방법에 대한 신호 흐름도이다. 의료기관 전자장치(300)는 해당 의료기관의 의료인들 중 백신접종을 진행할 실무자에 대한 리스트를 관리할 수 있다. 의료기관 전자장치(300)는 백신접종 실무자 목록(328)에 상기 실무자들에 대한 정보를 저장할 수 있다. 실무자에 대해 변동사항이 발생한 경우, 의료기관 전자장치(300)는 상기 변경 정보를 백신접종 실무자 목록(328)에 즉시 업데이트될 수 있다.6 is a signal flow diagram for a method of registering a practitioner of vaccination in the vaccination management server 200 according to an embodiment. The medical institution electronic device 300 may manage a list of practitioners to be vaccinated among medical personnel of the corresponding medical institution. The medical institution electronic device 300 may store information about the practitioners in the vaccination practitioner list 328 . When a change occurs in the practitioner, the medical institution electronic device 300 may immediately update the changed information in the vaccination practitioner list 328 .
의료기관 전자장치(300)는 백신접종 실무자 목록을 백신접종관리서버(200)에 전송할 수 있다(6010). 백신접종관리서버(200)는 백신접종기관DB(224)를 업데이트할 수 있다. 백신접종 실무자 목록은 의료기관과 맵핑되어 저장될 수 있다.The medical institution electronic device 300 may transmit the vaccination practitioner list to the vaccination management server 200 (6010). The vaccination management server 200 may update the vaccination institution DB 224 . The list of vaccination practitioners may be stored in a mapping with a medical institution.
백신접종 실무자인 의료인은 본인이 소지한 전자장치(300-1)(이하 의료인 전자장치(300-1))에 제1 어플리케이션(322)를 다운로드하고 DID를 생성할 수 있다. 의료인 전자장치(300-1)는 로컬에서 생성한 DID를 블록체인 네트워크(600)에 등록할 수 있다. 의료인 전자장치(300-1)는 의료인에 대한 신원인증VC를 신원인증 서버(100)로부터 발행 받을 수 있다. 시스템(10)의 인증서비스를 제공받기 위하여, 의료인 전자장치(300-1)에는 제1 어플리케이션(322)이 설치될 수 있다. 의료인 전자장치(300-1)는 도 3의 의료기관 전자장치(300)와 동일한 블록도를 가질 수 있다.로 참조될 수 있다.A medical practitioner who is a vaccination practitioner may download the first application 322 to an electronic device 300-1 (hereinafter, referred to as medical practitioner electronic device 300-1) possessed by the person and may generate a DID. The medical personnel electronic device 300 - 1 may register the locally generated DID in the blockchain network 600 . The medical personnel electronic device 300 - 1 may receive an identity authentication VC for the medical personnel from the identity authentication server 100 . In order to receive the authentication service of the system 10 , a first application 322 may be installed in the medical personnel electronic device 300 - 1 . The medical personnel electronic device 300 - 1 may have the same block diagram as the medical institution electronic device 300 of FIG. 3 .
의료인 전자장치(300-1)는 신원인증VC를 백신접종관리서버(200)로 전송할 수 있다(6030). 백신접종관리서버(200)는 신원인증VC의 신원인증서버(100)의 디지털 서명을 검증할 수 있다. 백신접종관리서버(200)는 백신접종기관DB(224)의 실무자 정보와 신원인증VC의 정보를 비교할 수 있다. 백신접종관리서버(200)는 백신접종기관DB(224)에 신원인증VC와 일치하는 정보가 있는 경우, VC 신청을 한 의료인이 미리 접종 실무자로 인증된 의료인임을 확인할 수 있다(6040). 백신접종관리서버(200)는 특정 의료인에 대해 백신접종기관 VC를 발행할 수 있다(6050). 이 때, 백신접종기관VC는 의료기관의 DID, 의료인의 DID를 포함할 수 있다.The medical personnel electronic device 300 - 1 may transmit the identity authentication VC to the vaccination management server 200 ( 6030 ). The vaccination management server 200 may verify the digital signature of the identity authentication server 100 of the identity authentication VC. The vaccination management server 200 may compare the information of the practitioner in the vaccination institution DB 224 and the information of the identity authentication VC. When there is information matching the identity authentication VC in the vaccination institution DB 224, the vaccination management server 200 may confirm that the medical person who applied for the VC is a medical person who has been previously authenticated as a vaccination practitioner (6040). The vaccination management server 200 may issue a vaccination institution VC to a specific medical person (6050). In this case, the vaccination institution VC may include the DID of the medical institution and the DID of the medical personnel.
백신접종관리서버(200)와 의료인 전자장치(300-1)는 상호 데이터 통신을 위한 통신 채널을 형성할 수 있다(6060). 백신접종관리서버(200)는 상기 통신 채널을 통해 백신접종기관VC를 의료인 전자장치(300-1)에 전송할 수 있다. 의료인 전자장치(300-1)는 수신한 백신접종기관VC를 메모리(예: 도 3의 메모리(320))에 저장할 수 있다. 백신접종기관VC는 도 3의 백신접종기관 인증서(326)로 참조될 수 있다.The vaccination management server 200 and the medical personnel electronic device 300-1 may form a communication channel for data communication with each other (6060). The vaccination management server 200 may transmit the vaccination institution VC to the healthcare provider electronic device 300-1 through the communication channel. The healthcare provider electronic device 300 - 1 may store the received vaccination institution VC in a memory (eg, the memory 320 of FIG. 3 ). The vaccination institution VC may be referred to as the vaccination institution certificate 326 of FIG. 3 .
백신접종관리서버(200)는 VC발급 이력을 백신접종기관DB(224)에 저장할 수 있다(6080). 다양한 실시 예에서, 백신접종관리서버(200)는 블록체인 네트워크(600)의 제1 레지스트리(610)에 의료인 DID에 대한 백신접종기관VC 발급 사실을 기록할 수 있다. 따라서 해당 DID에 대하여 백신접종관리기관에 의하여 백신접종기관VC가 발급했다는 사실이 검증될 수 있다.The vaccination management server 200 may store the VC issuance history in the vaccination institution DB 224 (6080). In various embodiments, the vaccination management server 200 may record the fact that the vaccination institution VC is issued for the healthcare provider DID in the first registry 610 of the blockchain network 600 . Therefore, the fact that the Vaccination Agency VC issued the DID by the Vaccination Management Agency can be verified.
다양한 실시 예에 따라 백신접종 실무자 목록에서 서 특정 백신접종 실무자가 삭제된 경우, 의료기관 전자장치(300)는 백신접종 실무자 삭제 업데이트 요청을 백신접종관리서버(200)로 송신할 수 있다. 백신접종관리서버(200)는 백신접종기관DB(224)에서 상기 실무자를 삭제하고, 삭제된 실무자의 DID를 블록체인 네트워크(600)의 제1 레지스트리(610)에서 삭제되도록 할 수 있다(6080). 이후에 삭제된 실무자의 DID에 대해 발급된 백신접종기관VC는 사용이 불가능하게 된다. 따라서 의료인 전자장치(300-1)에 의하여 를 통한 접종 인증서 발급은 불가능하게 된다.According to various embodiments, when a specific vaccination practitioner is deleted from the vaccination practitioner list, the electronic device 300 of the medical institution may transmit a vaccination practitioner deletion update request to the vaccination management server 200 . The vaccination management server 200 may delete the practitioner from the vaccination institution DB 224 and cause the deleted practitioner's DID to be deleted from the first registry 610 of the block chain network 600 (6080) . Vaccination agency VC issued for the deleted practitioner's DID will be unavailable. Therefore, it becomes impossible to issue an inoculation certificate through the electronic device 300-1 for medical personnel.
도 7은 일 실시 예에 따른 접종 인증서를 발급하는 방법에 대한 신호 흐름도이다.7 is a signal flow diagram for a method of issuing an inoculation certificate according to an embodiment.
다양한 실시 예에서, 의료기관 전자장치(300) 및 의료인 전자장치(300-1)는 백신 접종 후 접종 인증서 발급을 요청할 수 있는 주체일 수 있다. 도 7을 통해 의료기관 전자장치(300)가 접종 인증서 발급 요청을 수행하는 예시가 도시 되었으나, 의료인 전자장치(300-1)에 동일한 절차가 적용될 수 있다.In various embodiments, the medical institution electronic device 300 and the medical personnel electronic device 300 - 1 may be subjects that can request issuance of an inoculation certificate after vaccination. Although an example in which the medical institution electronic device 300 performs a request for issuing an inoculation certificate is illustrated through FIG. 7 , the same procedure may be applied to the medical care provider electronic device 300-1.
의료기관 전자장치(300)는 사용할 백신을 식별할 수 있다(7010). 예를 들어, 의료기관 전자장치(300)는 제1 어플리케이션(322)를 구동시키고, 접종 대상인 백신을 식별할 수 있다. 여기서 식별의 대상인 백신은 접종자에게 직접 접종될 백신일 수 있다. 의료기관 전자장치(300)는 사용할 백신에 대한 정보, 예를 들어, 백신 종류, 시리얼 넘버, 해당 백신의 유통 정보와 같은 정보(예: 표 3의 데이터)를 획득할 수 있다. 식별 절차는 수동 입력 의해 이루어질 수 있고, 바코드/QR 코드 인식에 의하여 이루어질 수 있다.The medical institution electronic device 300 may identify a vaccine to be used ( 7010 ). For example, the electronic device 300 of a medical institution may drive the first application 322 and identify a vaccine to be inoculated. Here, the vaccine to be identified may be a vaccine to be directly vaccinated to the vaccinated person. The medical institution electronic device 300 may acquire information about a vaccine to be used, for example, information such as a vaccine type, a serial number, and distribution information of the corresponding vaccine (eg, data in Table 3). The identification procedure may be performed by manual input or by barcode/QR code recognition.
의료기관 전자장치(300)는 접종자가 소지한 개인 전자장치(400)로부터 신원인증VC를 수신할 수 있다(7020). 신원인증VC는 개인의 DID의 디지털 서명을 포함할 수 있다. 의료기관 전자장치(300)는 상기 디지털 서명 및 신원인증VC를 통해 접종자를 식별할 수 있다. The medical institution electronic device 300 may receive the identity authentication VC from the personal electronic device 400 possessed by the inoculator ( 7020 ). The identity authentication VC may include a digital signature of the individual's DID. The medical institution electronic device 300 may identify the inoculator through the digital signature and identity authentication VC.
접종이 완료되면, 의료기관 전자장치(300)는 접종 정보, 접종자의 신원인증VC, 의료기관의 백신접종기관인증VC를 백신접종관리서버(200)로 전송하고, 접종인증VC 발급을 요청할 수 있다(7030). 이 때, 의료기관 전자장치(300)의 사용자 DID로 백신 식별 정보, 신원인증VC 및 백신접종기관인증VC에 디지털 서명할 수 있다. 동작 7030에서, 의료기관 전자장치(300)는 백신접종관리기관에 접종한 백신에 대한 정보 및 접종자 개인에 대한 정보를 취합한 후 전송할 수 있다.When the inoculation is completed, the medical institution electronic device 300 may transmit the inoculation information, the identity authentication VC of the inoculator, and the vaccination institution authentication VC of the medical institution to the vaccination management server 200, and may request issuance of the inoculation authentication VC (7030). ). In this case, the vaccine identification information, the identity authentication VC, and the vaccination institution authentication VC may be digitally signed with the user DID of the medical institution electronic device 300 . In operation 7030, the electronic device 300 of the medical institution may collect and transmit information on a vaccine inoculated to a vaccination management institution and information on an individual inoculation.
접종 정보란, 식별된 백신 정보, 접종 시간, 접종 장소 등 접종과 연관되어 기록 되어야할 필요가 있는 의료정보를 포함할 수 있다.The inoculation information may include medical information that needs to be recorded in relation to inoculation, such as identified vaccine information, inoculation time, and inoculation location.
백신접종관리서버(200)는 수신된 정보를 검증할 수 있다. 백신접종관리서버(200)는 수신된 백신접종기관VC 및 의료기관 전자장치(300)의 디지털 서명을 검증할 수 있다(7040). 즉 백신접종기관에 의한 디지털 서명인지 여부가 검증될 수 있다.The vaccination management server 200 may verify the received information. The vaccination management server 200 may verify the received digital signatures of the received vaccination institution VC and the electronic device 300 of the medical institution ( 7040 ). That is, whether it is a digital signature by the vaccination institution can be verified.
다양한 실시 예에서, 백신접종관리서버(200)는 수신된 백신 정보와 백신DB(222)를 비교하여 해당 의료기관으로 유통된 올바른 백신 정보가 입력되었는지 여부를 확인할 수 있다. 백신접종관리서버(200)는 수신된 신원인증VC가 유효한 지 여부를 확인할 수 있다. 해당 정보에 보완이 필요하다고 판단된 경우, 백신접종관리서버(200)는 의료기관 전자장치(300)로 보완 요청을 전송할 수 있다.In various embodiments, the vaccination management server 200 may compare the received vaccine information with the vaccine DB 222 to confirm whether the correct vaccine information distributed to the corresponding medical institution is input. The vaccination management server 200 may check whether the received identity authentication VC is valid. When it is determined that the corresponding information needs to be supplemented, the vaccination management server 200 may transmit a supplementation request to the electronic device 300 of the medical institution.
수신된 정보에 대한 검증이 완료되면, 백신접종관리서버(200)는 접종인증VC를 발행할 수 있다(7050). 백신접종관리서버(200)는 발행된 접종인증VC를 개인 전자장치(400)로 전송할 수 있다. 개인 전자장치(400)는 접종인증VC를 저장할 수 있다. 접종인증VC는 접종 인증서(426)으로 참조될 수 있다. When the verification of the received information is completed, the vaccination management server 200 may issue an inoculation authentication VC (7050). The vaccination management server 200 may transmit the issued vaccination authentication VC to the personal electronic device 400 . The personal electronic device 400 may store the inoculation authentication VC. The inoculation certification VC may be referred to as an inoculation certificate 426 .
개인 전자장치(400)의 사용자는 제2 어플리케이션(422)를 통해, 접종된 백신에 대한 상세 정보 확인할 수 있다. 접종 인증서(426)는 백신 종류, 접종 일자, 접종 시간, 백신 접종을 수행한 의료기관 정보, 백신 접종을 수행한 의료인 정보를 포함할 수 있다.The user of the personal electronic device 400 may check detailed information about the inoculated vaccine through the second application 422 . The inoculation certificate 426 may include a vaccine type, an inoculation date, an inoculation time, information on a medical institution that performed the vaccination, and information on a medical person who performed the vaccination.
백신접종관리서버(200)는 백신접종이력DB(226)에 해당 접종 이력을 저장할 수 있다.The vaccination management server 200 may store the vaccination history in the vaccination history DB 226 .
도 8은 일 실시 예에 따른 백신 접종 여부를 인증하는 방법에 대한 신호 흐름도이다.8 is a signal flow diagram for a method of authenticating whether vaccination is performed according to an embodiment.
접종을 완료한 개인은 개인 전자장치(400)에 접종 인증서(426)를 소지하게 된다. 개인 전자장치(400)의 제2 어플리케이션(422)을 통해 백신 접종 여부에 대한 인증을 요구하는 주체에 대해 접종 여부를 인증할 수 있다.An individual who has completed the inoculation holds the inoculation certificate 426 in the personal electronic device 400 . Through the second application 422 of the personal electronic device 400 , it is possible to authenticate whether a subject has been vaccinated or not with respect to a subject that requests authentication of whether or not to vaccinate.
도 8을 참조하면, 개인 A와 개인 B 사이에 백신 접종 여부를 인증하는 예시가 도시 되었다. 그러나 백신 접종 여부에 대한 인증은 회사, 서비스 등 어느 제3자에 의해서도 수행될 수 있다. 접종 인증 기능을 제공하는 제2 어플리케이션(422)이 설치된 전자장치(400)를 소지한 주체는 누구든지 상기 인증을 수행할 수 있다.Referring to FIG. 8 , an example of authenticating whether or not vaccination is performed between individual A and individual B is illustrated. However, certification of whether or not vaccination is performed can be performed by any third party, such as a company or service. Any subject possessing the electronic device 400 in which the second application 422 providing the inoculation authentication function is installed may perform the authentication.
A 전자장치(400a)와 B 전자장치(400b)사이에 백신 접종 여부의 인증 요청이 발생할 수 있다(8010). 예를 들어, A 전자장치(400a)와 B 전자장치(400b)는 제2 어플리케이션(422)을 실행시키고, 인증을 요청하는 화면을 출력할 수 있다. A 전자장치(400a)와 B 전자장치(400b)는 서로의 화면을 스캔함으로써 인증 요청을 발생시킬 수 있다. 또 다른 예를 들어, A 전자장치(400a)와 B 전자장치(400b)가 일정 거리 이상 가깝게 위치되는 경우, 인증 요청이 발생할 수 있다.A request for authentication of whether to vaccinate or not may occur between the electronic device A 400a and the electronic device B 400b ( 8010 ). For example, the electronic device A 400a and the electronic device B 400b may execute the second application 422 and output a screen requesting authentication. The electronic device A 400a and the electronic device B 400b may generate an authentication request by scanning each other's screens. As another example, when the electronic device A 400a and the electronic device B 400b are located close to each other by a predetermined distance or more, an authentication request may occur.
인증 요청이 발생되면, A 전자장치(400a)와 B 전자장치(400b)는 암호화 통신 채널을 형성할 수 있다(8020). When an authentication request is generated, the electronic device A 400a and the electronic device B 400b may establish an encrypted communication channel ( 8020 ).
접종 인증서(426)는 접종과 연관된 다양한 정보를 포함하므로, A 전자장치(400a)는 접종 인증서(426)에 포함되는 일부 정보만을 포함하는 가공된 접종 인증서를 발행할 수 있다. 가공된 접종 인증서는 상술한 바와 같이 VP로 참조될 수 있다.Since the inoculation certificate 426 includes various information related to inoculation, the electronic device A 400a may issue a processed inoculation certificate including only some information included in the inoculation certificate 426 . The processed inoculation certificate may be referred to as VP as described above.
예를 들어, A 전자장치(400a)는 백신 접종 여부에 대한 정보만을 포함하는 VP를 발행할 수 있다(8030). A 전자장치(400a)는 백신 접종 여부에 대한 VP를 B 전자장치(400b)로 전송할 수 있다. VP는 백신접종관리기관에 의하여 디지털 서명되어 있으므로, 개인 B는 이를 신뢰할 수 있다. 이와 같이 백신 접종 여부에 대한 정보만을 인증하는 영지식 증명(zero-knowledge proof)을 사용함으로써 개인 정보의 노출을 최소화할 수 있다.For example, the electronic device A 400a may issue a VP including only information on whether or not vaccination has been performed ( 8030 ). The electronic device A 400a may transmit the VP for whether or not to vaccinate to the electronic device B 400b. Since the VP is digitally signed by the vaccination management agency, Person B can trust it. As described above, exposure of personal information can be minimized by using a zero-knowledge proof that only authenticates information on whether or not vaccination is performed.
다양한 실시 예에서, A 전자장치(400a)는 신원인증VC 와 접종인증VC 중 백신접종여부만을 포함하는 VP를 발행할 수 있다. A 전자장치(400a)는 신원 정보와 백신 접종 여부를 모두 요구하는 주체에 대해 해당 VP를 전송할 수 있다.In various embodiments, the electronic device A 400a may issue a VP including only whether or not vaccination is performed among the identity authentication VC and the inoculation authentication VC. The electronic device A 400a may transmit a corresponding VP to a subject requesting both identity information and whether to vaccinate.
블록체인 네트워크(600)기반의 시스템(10)은 오픈형 시스템이므로, 동일한 DID 에이전트를 사용하는 누구라도 시스템(10)이 제공하는 인증 서비스를 사용할 수 있다. 또한 국가 기관이나 특정 신뢰기관을 중개자로 하지 않고도, 민간 영역에서 자유롭게 인증이 수행될 수 있다.Since the system 10 based on the blockchain network 600 is an open system, anyone using the same DID agent can use the authentication service provided by the system 10 . In addition, certification can be freely performed in the private sector without a national agency or a specific trusted agency as an intermediary.
본 문서에 개시된 다양한 실시예들에 따른 전자장치는 다양한 형태의 장치가 될 수 있다. 전자장치는, 예를 들면, 휴대용 통신 장치 (예: 스마트폰), 컴퓨터 장치, 휴대용 멀티미디어 장치, 휴대용 의료 기기, 카메라, 웨어러블 장치, 또는 가전 장치를 포함할 수 있다. 본 문서의 실시예에 따른 전자장치는 전술한 기기들에 한정되지 않는다.The electronic device according to various embodiments disclosed in this document may be a device of various types. The electronic device may include, for example, a portable communication device (eg, a smartphone), a computer device, a portable multimedia device, a portable medical device, a camera, a wearable device, or a home appliance device. The electronic device according to the embodiment of the present document is not limited to the above-described devices.
본 문서의 다양한 실시예들 및 이에 사용된 용어들은 본 문서에 기재된 기술적 특징들을 특정한 실시예들로 한정하려는 것이 아니며, 해당 실시예의 다양한 변경, 균등물, 또는 대체물을 포함하는 것으로 이해되어야 한다. 도면의 설명과 관련하여, 유사한 또는 관련된 구성요소에 대해서는 유사한 참조 부호가 사용될 수 있다. 아이템에 대응하는 명사의 단수 형은 관련된 문맥상 명백하게 다르게 지시하지 않는 한, 상기 아이템 한 개 또는 복수 개를 포함할 수 있다. 본 문서에서, "A 또는 B", "A 및 B 중 적어도 하나", "A 또는 B 중 적어도 하나,""A, B 또는 C," "A, B 및 C 중 적어도 하나,"및 "A, B, 또는 C 중 적어도 하나"와 같은 문구들 각각은 그 문구들 중 해당하는 문구에 함께 나열된 항목들의 모든 가능한 조합을 포함할 수 있다. "제 1", "제 2", 또는 "첫째" 또는 "둘째"와 같은 용어들은 단순히 해당 구성요소를 다른 해당 구성요소와 구분하기 위해 사용될 수 있으며, 해당 구성요소들을 다른 측면(예: 중요성 또는 순서)에서 한정하지 않는다. 어떤(예: 제 1) 구성요소가 다른(예: 제 2) 구성요소에, "기능적으로" 또는 "통신적으로"라는 용어와 함께 또는 이런 용어 없이, "커플드" 또는 "커넥티드"라고 언급된 경우, 그것은 상기 어떤 구성요소가 상기 다른 구성요소에 직접적으로(예: 유선으로), 무선으로, 또는 제 3 구성요소를 통하여 연결될 수 있다는 것을 의미한다.The various embodiments of this document and terms used therein are not intended to limit the technical features described in this document to specific embodiments, but it should be understood to include various modifications, equivalents, or substitutions of the embodiments. In connection with the description of the drawings, like reference numerals may be used for similar or related components. The singular form of the noun corresponding to the item may include one or more of the item, unless the relevant context clearly dictates otherwise. As used herein, "A or B", "at least one of A and B", "at least one of A or B," "A, B or C," "at least one of A, B and C," and "A , B, or C" each may include all possible combinations of items listed together in the corresponding one of the phrases. Terms such as "first", "second", or "first" or "second" may simply be used to distinguish an element from other elements in question, and may refer elements to other aspects (e.g., importance or order) is not limited. It is said that one (eg, first) component is “coupled” or “connected” to another (eg, second) component, with or without the terms “functionally” or “communicatively”. When referenced, it means that one component can be connected to the other component directly (eg by wire), wirelessly, or through a third component.
본 문서에서 사용된 용어 "모듈"은 하드웨어, 소프트웨어 또는 펌웨어로 구현된 유닛을 포함할 수 있으며, 예를 들면, 로직, 논리 블록, 부품, 또는 회로 등의 용어와 상호 호환적으로 사용될 수 있다. 모듈은, 일체로 구성된 부품 또는 하나 또는 그 이상의 기능을 수행하는, 상기 부품의 최소 단위 또는 그 일부가 될 수 있다. 예를 들면, 일실시예에 따르면, 모듈은 ASIC(application-specific integrated circuit)의 형태로 구현될 수 있다. As used herein, the term “module” may include a unit implemented in hardware, software, or firmware, and may be used interchangeably with terms such as, for example, logic, logic block, component, or circuit. A module may be an integrally formed part or a minimum unit or a part of the part that performs one or more functions. For example, according to an embodiment, the module may be implemented in the form of an application-specific integrated circuit (ASIC).
본 문서의 다양한 실시예들은 기기(machine)(예: 전자장치(#01)) 의해 읽을 수 있는 저장 매체(storage medium)(예: 내장 메모리(#36) 또는 외장 메모리(#38))에 저장된 하나 이상의 명령어들을 포함하는 소프트웨어(예: 프로그램(#40))로서 구현될 수 있다. 예를 들면, 기기(예: 전자장치(#01))의 프로세서(예: 프로세서(#20))는, 저장 매체로부터 저장된 하나 이상의 명령어들 중 적어도 하나의 명령을 호출하고, 그것을 실행할 수 있다. 이것은 기기가 상기 호출된 적어도 하나의 명령어에 따라 적어도 하나의 기능을 수행하도록 운영되는 것을 가능하게 한다. 상기 하나 이상의 명령어들은 컴파일러에 의해 생성된 코드 또는 인터프리터에 의해 실행될 수 있는 코드를 포함할 수 있다. 기기로 읽을 수 있는 저장매체는, 비일시적(non-transitory) 저장매체의 형태로 제공될 수 있다. 여기서, ‘비일시적’은 저장매체가 실재(tangible)하는 장치이고, 신호(signal)(예: 전자기파)를 포함하지 않는다는 것을 의미할 뿐이며, 이 용어는 데이터가 저장매체에 반영구적으로 저장되는 경우와 임시적으로 저장되는 경우를 구분하지 않는다.Various embodiments of the present document are stored in a storage medium (eg, internal memory (#36) or external memory (#38)) readable by a machine (eg, electronic device #01). It may be implemented as software (eg, program #40) including one or more instructions. For example, a processor (eg, processor #20) of a device (eg, electronic device #01) may call at least one command among one or more commands stored from a storage medium and execute it. This makes it possible for the device to be operated to perform at least one function according to the called at least one command. The one or more instructions may include code generated by a compiler or code executable by an interpreter. The device-readable storage medium may be provided in the form of a non-transitory storage medium. Here, 'non-transitory' only means that the storage medium is a tangible device and does not contain a signal (eg, electromagnetic wave), and this term is used in cases where data is semi-permanently stored in the storage medium and It does not distinguish between temporary storage cases.
일실시예에 따르면, 본 문서에 개시된 다양한 실시예들에 따른 방법은 컴퓨터 프로그램 제품(computer program product)에 포함되어 제공될 수 있다. 컴퓨터 프로그램 제품은 상품으로서 판매자 및 구매자 간에 거래될 수 있다. 컴퓨터 프로그램 제품은 기기로 읽을 수 있는 저장 매체(예: compact disc read only memory (CD-ROM))의 형태로 배포되거나, 또는 어플리케이션 스토어(예: 플레이 스토어TM)를 통해 또는 두개의 사용자 장치들(예: 스마트폰들) 간에 직접, 온라인으로 배포(예: 다운로드 또는 업로드)될 수 있다. 온라인 배포의 경우에, 컴퓨터 프로그램 제품의 적어도 일부는 제조사의 서버, 어플리케이션 스토어의 서버, 또는 중계 서버의 메모리와 같은 기기로 읽을 수 있는 저장 매체에 적어도 일시 저장되거나, 임시적으로 생성될 수 있다.According to one embodiment, the method according to various embodiments disclosed in this document may be provided as included in a computer program product. Computer program products may be traded between sellers and buyers as commodities. The computer program product is distributed in the form of a machine-readable storage medium (eg compact disc read only memory (CD-ROM)), or via an application store (eg Play Store TM ) or on two user devices ( It can be distributed (eg downloaded or uploaded) directly, online between smartphones (eg: smartphones). In the case of online distribution, at least a portion of the computer program product may be temporarily stored or temporarily generated in a machine-readable storage medium such as a memory of a server of a manufacturer, a server of an application store, or a memory of a relay server.
다양한 실시예들에 따르면, 상기 기술한 구성요소들의 각각의 구성요소(예: 모듈 또는 프로그램)는 단수 또는 복수의 개체를 포함할 수 있다. 다양한 실시예들에 따르면, 전술한 해당 구성요소들 중 하나 이상의 구성요소들 또는 동작들이 생략되거나, 또는 하나 이상의 다른 구성요소들 또는 동작들이 추가될 수 있다. 대체적으로 또는 추가적으로, 복수의 구성요소들(예: 모듈 또는 프로그램)은 하나의 구성요소로 통합될 수 있다. 이런 경우, 통합된 구성요소는 상기 복수의 구성요소들 각각의 구성요소의 하나 이상의 기능들을 상기 통합 이전에 상기 복수의 구성요소들 중 해당 구성요소에 의해 수행되는 것과 동일 또는 유사하게 수행할 수 있다. 다양한 실시예들에 따르면, 모듈, 프로그램 또는 다른 구성요소에 의해 수행되는 동작들은 순차적으로, 병렬적으로, 반복적으로, 또는 휴리스틱하게 실행되거나, 상기 동작들 중 하나 이상이 다른 순서로 실행되거나, 생략되거나, 또는 하나 이상의 다른 동작들이 추가될 수 있다.According to various embodiments, each component (eg, a module or a program) of the above-described components may include a singular or a plurality of entities. According to various embodiments, one or more components or operations among the above-described corresponding components may be omitted, or one or more other components or operations may be added. Alternatively or additionally, a plurality of components (eg, a module or a program) may be integrated into one component. In this case, the integrated component may perform one or more functions of each component of the plurality of components identically or similarly to those performed by the corresponding component among the plurality of components prior to the integration. . According to various embodiments, operations performed by a module, program, or other component are executed sequentially, in parallel, repeatedly, or heuristically, or one or more of the operations are executed in a different order, or omitted. , or one or more other operations may be added.

Claims (7)

  1. 퍼블릭 분산 원장을 포함하는 블록체인 네트워크, 제1 사용자와 연관된 제1 전자장치 및 제2 사용자와 연관된 제2 전자장치를 포함하는 인증 방법에 있어서,An authentication method comprising a blockchain network including a public distributed ledger, a first electronic device associated with a first user, and a second electronic device associated with a second user, the authentication method comprising:
    상기 블록체인 네트워크는, 상기 제1 사용자와 연관된 제1 사용자 식별자, 적어도 하나의 신뢰기관에 대응되는 제1 기관 식별자를 저장하고, 및The blockchain network stores a first user identifier associated with the first user, a first organization identifier corresponding to at least one trusted organization, and
    상기 제1 전자장치는 상기 적어도 하나의 신뢰기관으로부터 발급되고, 신뢰기관의 제1 기관 디지털 서명, 상기 제1 사용자 식별자, 및 제1 사용자의 백신 접종과 연관된 정보를 포함하는 제1 접종 인증서를 포함함; The first electronic device includes a first inoculation certificate issued by the at least one trusted organization, the first inoculation certificate including a first digital signature of the trusted organization, the first user identifier, and information related to vaccination of the first user box;
    상기 방법은,The method is
    상기 제1 전자장치가 제2 접종 인증서를 생성하는 단계를 포함하되, 상기 제2 접종 인증서는 상기 백신 접종과 연관된 정보 중 백신 접종 여부, 상기 제1 기관 디지털 서명, 및 상기 제1 전자장치에 저장되고, 상기 제1 사용자와 연관된 제1 식별자를 기초로 생성된 제1 디지털 서명을 포함함;and generating, by the first electronic device, a second inoculation certificate, wherein the second inoculation certificate is stored in the first electronic device including whether or not vaccination is performed, the digital signature of the first institution, and the information related to the vaccination. and comprising a first digital signature generated based on a first identifier associated with the first user;
    상기 제1 전자장치가 상기 제2 전자장치로 상기 제2 접종 인증서를 전송하는 단계;transmitting, by the first electronic device, the second inoculation certificate to the second electronic device;
    상기 제2 전자장치가 상기 제2 접종 인증서에 포함된 제1 기관 디지털 서명을 상기 블록체인 네트워크에 저장된 제1 기관 식별자를 기초로 검증하는 단계; verifying, by the second electronic device, the first institution digital signature included in the second inoculation certificate based on the first institution identifier stored in the blockchain network;
    상기 제2 전자장치가 상기 제2 접종 인증서에 포함된 제1 디지털 서명을 상기 블록체인 네트워크에 저장된 제1 사용자 식별자를 기초로 검증하는 단계; 및verifying, by the second electronic device, a first digital signature included in the second inoculation certificate based on a first user identifier stored in the blockchain network; and
    상기 제1 기관 디지털 서명에 대한 검증 결과 및 상기 제1 디지털 서명에 대한 검증 결과를 기초로, 상기 제2 전자장치가 상기 백신 접종 여부에 대한 정보를 획득하는 단계를 포함하는 인증 방법.and obtaining, by the second electronic device, information on whether or not the vaccination has been performed, based on a verification result of the first institution digital signature and a verification result of the first digital signature.
  2. 청구항 1에 있어서,The method according to claim 1,
    상기 제1 전자장치가 제2 접종 인증서를 생성하는 단계는,The step of generating the second inoculation certificate by the first electronic device includes:
    상기 제1 접종 인증서의 적어도 일부 데이터에 대한 선택 입력을 수신하는 단계; 및 receiving a selection input for at least some data of the first inoculation certificate; and
    상기 제1 전자장치에 저장되고, 상기 제1 식별자를 기초로 상기 제2 접종 인증서에 디지털 서명을 수행하는 단계;를 포함하는, 인증 방법.Stored in the first electronic device, the step of performing a digital signature on the second inoculation certificate based on the first identifier; Containing, the authentication method.
  3. 청구항 1에 있어서,The method according to claim 1,
    상기 제2 접종 인증서에 포함된 제1 기관 디지털 서명을 검증하는 단계는,The step of verifying the digital signature of the first institution included in the second inoculation certificate,
    상기 제2 전자장치가 상기 제2 접종 인증서에 포함된 제1 기관 디지털 서명으로부터 도출된 식별자를 상기 블록체인 네트워크에 저장된 제1 기관 식별자를 비교하는 단계를 포함하고,Comprising the step of the second electronic device comparing the identifier derived from the first institution digital signature included in the second inoculation certificate with the first institution identifier stored in the blockchain network,
    상기 제2 접종 인증서에 포함된 제2 사용자 디지털 서명을 검증하는 단계는,The step of verifying the second user digital signature included in the second inoculation certificate,
    상기 제2 전자장치가 상기 제2 접종 인증서에 포함된 상기 제1 디지털 서명으로부터 도출된 상기 제1 식별자를 상기 블록체인 네트워크에 저장된 제1 사용자 식별자와 비교하는 단계를 포함하는 인증 방법.and comparing, by the second electronic device, the first identifier derived from the first digital signature included in the second inoculation certificate with a first user identifier stored in the blockchain network.
  4. 청구항 1에 있어서,The method according to claim 1,
    상기 적어도 하나의 신뢰기관과 연관된 신뢰기관서버, 및 의료기관과 연관된 의료기관 전자장치를 더 포함하고, 상기 블록체인 네트워크는 상기 의료기관과 연관된 제1 의료기관 식별자를 저장함;a trusted institution server associated with the at least one trusted institution, and a medical institution electronic device associated with a medical institution, wherein the block chain network stores a first medical institution identifier associated with the medical institution;
    상기 방법은,The method is
    상기 제1 전자장치가 제1 신원 인증서를 상기 의료기관 전자장치로 전송하는 단계 - 상기 제1 신원 인증서는 적어도 하나 신뢰기관으로부터 발급되고, 상기 제1 기관 디지털 서명, 상기 제1 사용자와 연관된 신원 정보, 및 상기 제1 식별자를 기초로 생성된 상기 제1 디지털 서명을 포함함;transmitting, by the first electronic device, a first identity certificate to the medical institution electronic device, wherein the first identity certificate is issued by at least one trusted organization, the first institution digital signature, identity information associated with the first user; and the first digital signature generated based on the first identifier;
    상기 의료기관 전자장치가 상기 제1 디지털 서명을 상기 블록체인 네트워크에 저장된 제1 사용자 식별자를 기초로 검증하는 단계;verifying, by the medical institution electronic device, the first digital signature based on a first user identifier stored in the blockchain network;
    상기 제1 디지털 서명에 대한 검증 결과를 기초로, 상기 의료기관 전자장치가 제1 사용자에게 접종될 백신 정보를 획득하는 단계;obtaining, by the electronic device of the medical institution, information on a vaccine to be inoculated to a first user based on a result of verifying the first digital signature;
    상기 제1 신원 인증서, 상기 백신 정보, 및 상기 의료기관 전자장치에 저장된 제2 식별자를 기초로 생성된 제2 디지털 서명을 포함하는 접종 인증서 발급 요청을 상기 신뢰기관서버로 전송하는 단계;transmitting an inoculation certificate issuance request including a second digital signature generated based on the first identity certificate, the vaccine information, and a second identifier stored in the electronic device of the medical institution to the trusted institution server;
    상기 접종 인증서 발급 요청에 응답하여, 상기 신뢰기관서버가 상기 제2 디지털 서명을 상기 블록체인 네트워크에 저장된 상기 제1 의료기관 식별자를 기초로 검증하는 단계;in response to the inoculation certificate issuance request, verifying, by the trusted institution server, the second digital signature based on the first medical institution identifier stored in the blockchain network;
    상기 제2 디지털 서명에 대한 검증 결과를 기초로 상기 제1 신원 인증서에 포함된 정보 중 적어도 일부, 상기 백신 정보 중 적어도 일부, 및 상기 제1 기관 디지털 서명을 포함하는 상기 제1 접종 인증서를 생성하는 단계; 및Generating the first inoculation certificate including at least some of the information included in the first identity certificate, at least some of the vaccine information, and the first institution digital signature based on the verification result for the second digital signature step; and
    상기 신뢰기관서버가 상기 제1 접종 인증서를 상기 제1 전자장치로 전송하는 단계를 더 포함하는 인증방법.The authentication method further comprising the step of transmitting, by the trusted authority server, the first inoculation certificate to the first electronic device.
  5. 청구항 4에 있어서,5. The method according to claim 4,
    상기 의료기관 전자장치가 백신접종기관 인증서 발행 요청을 상기 신뢰기관서버로 전송하는 단계 - 상기 백신접종기관 인증서 발행 요청은 상기 제2 식별자를 기초로 생성된 상기 제2 디지털 서명 및 의료 기관 인증서를 포함하고, 상기 의료 기관 인증서는 상기 적어도 하나의 신뢰기관으로부터 발급되고, 상기 제1 기관 디지털 서명 및 상기 의료기관과 연관된 기본 정보를 포함함;transmitting, by the medical institution electronic device, a request for issuing a vaccination institution certificate to the trusted institution server, wherein the request for issuing a vaccination institution certificate includes the second digital signature generated based on the second identifier and a medical institution certificate, , the medical institution certificate is issued by the at least one trusted institution, and includes the first institution digital signature and basic information associated with the medical institution;
    상기 백신접종기관 인증서 발행 요청에 응답하여, 상기 신뢰기관서버가 상기 백신접종기관 인증서 발행 요청에 포함된 상기 제1 기관 디지털 서명을 상기 블록체인 네트워크에 저장된 상기 제1 기관 식별자를 기초로 검증하는 단계;In response to the vaccination institution certificate issuance request, the trusted institution server verifies the first institution digital signature included in the vaccination institution certificate issuance request based on the first institution identifier stored in the blockchain network; ;
    상기 백신접종기관 인증서 발행 요청에 응답하여, 상기 신뢰기관서버가 상기 제2 디지털 서명을 상기 블록체인 네트워크에 저장된 상기 제1 의료기관 식별자를 기초로 검증하는 단계; in response to the vaccination institution certificate issuance request, verifying, by the trusted institution server, the second digital signature based on the first medical institution identifier stored in the blockchain network;
    상기 검증의 결과를 기초로 상기 신뢰기관서버가 백신접종기관 인증서를 생성하는 단계 - 상기 백신접종기관 인증서는 상기 제1 기관 디지털 서명, 상기 제1 의료기관 식별자를 포함함; 및generating, by the trusted authority server, a vaccination authority certificate based on a result of the verification, wherein the vaccination authority certificate includes the first authority digital signature and the first medical facility identifier; and
    상기 신뢰기관서버가 상기 제1 의료기관 식별자를 상기 블록체인 네트워크에 업로드하고, 상기 백신접종기관 인증서를 상기 의료기관 전자장치에 전송하는 단계를 더 포함하는, 인증 방법.The method further comprising the step of uploading, by the trusted institution server, the first medical institution identifier to the block chain network, and transmitting the vaccination institution certificate to the medical institution electronic device.
  6. 청구항 4에 있어서,5. The method according to claim 4,
    상기 블록체인 네트워크는,The blockchain network is
    상기 제1 사용자 식별자, 상기 제1 기관 식별자를 저장하는 제1 레지스트리를 포함하고,a first registry storing the first user identifier and the first organization identifier;
    상기 제1 레지스트리는 상기 신뢰기관서버에 의해서만 수정 가능하도록 구성된, 인증 방법.The first registry is configured to be modifiable only by the trusted authority server.
  7. 청구항 1에 있어서,The method according to claim 1,
    상기 제2 접종 인증서를 전송하는 단계는,Transmitting the second inoculation certificate,
    상기 제1 전자장치는 디스플레이를 통해 상기 제2 접종 인증서에 대응되는 코드를 출력하는 단계; 및outputting, by the first electronic device, a code corresponding to the second inoculation certificate through a display; and
    상기 제2 전자장치가 카메라를 통해 상기 코드를 인식하는 단계;를 포함하는, 인증 방법.Recognizing, by the second electronic device, the code through a camera;
PCT/KR2021/003519 2021-03-15 2021-03-22 Method and system for issuing and certifying digital vaccination certificate WO2022196850A1 (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
KR1020210033409A KR102478963B1 (en) 2021-03-15 2021-03-15 A system and method for issuing and verifying digital vaccination certificates
KR10-2021-0033409 2021-03-15

Publications (1)

Publication Number Publication Date
WO2022196850A1 true WO2022196850A1 (en) 2022-09-22

Family

ID=83320523

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/KR2021/003519 WO2022196850A1 (en) 2021-03-15 2021-03-22 Method and system for issuing and certifying digital vaccination certificate

Country Status (2)

Country Link
KR (1) KR102478963B1 (en)
WO (1) WO2022196850A1 (en)

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
KR20180129027A (en) * 2017-05-24 2018-12-05 라온시큐어(주) Authentification methods and system based on programmable blockchain and one-id
KR20200062100A (en) * 2020-05-19 2020-06-03 주식회사 코인플러그 Method for sso service through blockchain, and terminal and server using the same
KR20200065940A (en) * 2018-11-30 2020-06-09 사단법인 전국은행연합회 Apparatus and method for certificate status management by multiple certificate authorities

Family Cites Families (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
KR20200101211A (en) * 2019-02-19 2020-08-27 삼성전자주식회사 Electronic device and method for providing digital signature service of block chain using the same

Patent Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
KR20180129027A (en) * 2017-05-24 2018-12-05 라온시큐어(주) Authentification methods and system based on programmable blockchain and one-id
KR20200065940A (en) * 2018-11-30 2020-06-09 사단법인 전국은행연합회 Apparatus and method for certificate status management by multiple certificate authorities
KR20200062100A (en) * 2020-05-19 2020-06-03 주식회사 코인플러그 Method for sso service through blockchain, and terminal and server using the same

Non-Patent Citations (2)

* Cited by examiner, † Cited by third party
Title
"arXiv.org", vol. 7, 1 January 1900, CORNELL UNIVERSITY LIBRARY,, 201 Olin Library Cornell University Ithaca, NY 14853, article HALPIN HARRY: "Vision: A Critique of Immunity Passports and W3C Decentralized Identifiers", pages: 148 - 168, XP047590255, DOI: 10.1007/978-3-030-64357-7_7 *
SCHLAGENHAUF PATRICIA, PATEL DIPTI, RODRIGUEZ-MORALES ALFONSO J., GAUTRET PHILIPPE, GROBUSCH MARTIN P., LEDER KARIN: "Variants, vaccines and vaccination passports: Challenges and chances for travel medicine in 2021", TRAVEL MEDICINE AND INFECTIOUS DISEASE, ELSEVIER, AMSTERDAM, NL, vol. 40, 1 March 2021 (2021-03-01), AMSTERDAM, NL , pages 101996, XP055967755, ISSN: 1477-8939, DOI: 10.1016/j.tmaid.2021.101996 *

Also Published As

Publication number Publication date
KR20220128812A (en) 2022-09-22
KR102478963B1 (en) 2022-12-20

Similar Documents

Publication Publication Date Title
WO2018124857A1 (en) Blockchain database-based method and terminal for authenticating user non-face-to-face by utilizing mobile id, and server utilizing method and terminal
WO2018030707A1 (en) Authentication system and method, and user equipment, authentication server, and service server for performing same method
CN109951489B (en) Digital identity authentication method, equipment, device, system and storage medium
WO2020062642A1 (en) Blockchain-based method, device, and equipment for electronic contract signing, and storage medium
WO2018194379A1 (en) Method for approving use of card by using token id on basis of blockchain and merkle tree structure associated therewith, and server using same
WO2021010766A1 (en) Electronic authentication device and method using blockchain
WO2020004859A1 (en) Escrow non-face-to-face cryptocurrency transaction device and method using phone number
WO2017094998A1 (en) Biometric information personal identity authenticating system and method using financial card information stored in mobile communication terminal
KR101686167B1 (en) Apparatus and Method for Certificate Distribution of the Internet of Things Equipment
WO2019132272A1 (en) Id as blockchain based service
WO2020147384A1 (en) Blockchain-based safe transaction method, device and apparatus, and storage medium
KR20080043646A (en) Method and apparatus of transmitting private information using trusted apparatus
WO2020034527A1 (en) User personal information encryption and authorisation method, apparatus, and device, and readable storage medium
KR20160085143A (en) Method for providing anonymous service and method for managing user information and system therefor
WO2020222475A1 (en) Document authentication method and document authentication system in which authentication function is enhanced by inquiry history information and document authentication information
WO2020032351A1 (en) Method for establishing anonymous digital identity
CN112398920A (en) Medical privacy data protection method based on block chain technology
WO2022196851A1 (en) Method and system for providing certification of vaccine inoculation and post-inoculation management
WO2022114290A1 (en) Non-contact personal authentication system and method therefor
WO2020222476A1 (en) Document authentication system and document authentication method having enhanced authentication function by inquiry history notice
WO2022196850A1 (en) Method and system for issuing and certifying digital vaccination certificate
WO2021205660A1 (en) Authentication server, authentication system, authentication server control method, and storage medium
WO2020222406A1 (en) Authentication system for providing biometrics-based login service
JPH1165443A (en) Management element system for individual authentication information
WO2022055301A1 (en) On-boarding method, apparatus, and program for group authenticator

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 21931794

Country of ref document: EP

Kind code of ref document: A1

NENP Non-entry into the national phase

Ref country code: DE

122 Ep: pct application non-entry in european phase

Ref document number: 21931794

Country of ref document: EP

Kind code of ref document: A1