WO2022252992A1 - User data authorization method and user data authorization system - Google Patents

User data authorization method and user data authorization system Download PDF

Info

Publication number
WO2022252992A1
WO2022252992A1 PCT/CN2022/093793 CN2022093793W WO2022252992A1 WO 2022252992 A1 WO2022252992 A1 WO 2022252992A1 CN 2022093793 W CN2022093793 W CN 2022093793W WO 2022252992 A1 WO2022252992 A1 WO 2022252992A1
Authority
WO
WIPO (PCT)
Prior art keywords
data
user
client
verifiable statement
identity
Prior art date
Application number
PCT/CN2022/093793
Other languages
French (fr)
Chinese (zh)
Inventor
孙善禄
李书博
Original Assignee
支付宝(杭州)信息技术有限公司
蚂蚁区块链科技(上海)有限公司
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by 支付宝(杭州)信息技术有限公司, 蚂蚁区块链科技(上海)有限公司 filed Critical 支付宝(杭州)信息技术有限公司
Publication of WO2022252992A1 publication Critical patent/WO2022252992A1/en

Links

Images

Classifications

    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60Protecting data
    • G06F21/62Protecting access to data via a platform, e.g. using keys or access control rules
    • G06F21/6218Protecting access to data via a platform, e.g. using keys or access control rules to a system of files or objects, e.g. local or distributed file system or database
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F16/00Information retrieval; Database structures therefor; File system structures therefor
    • G06F16/20Information retrieval; Database structures therefor; File system structures therefor of structured data, e.g. relational data
    • G06F16/27Replication, distribution or synchronisation of data between databases or within a distributed database system; Distributed database system architectures therefor
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/30Authentication, i.e. establishing the identity or authorisation of security principals
    • G06F21/44Program or device authentication

Definitions

  • One or more embodiments of this specification relate to the technical field of terminals, and in particular, to a user data authorization method and a user data authorization system.
  • the application in the client needs to obtain user data, it only needs to be authenticated by the authenticator corresponding to the client, and the data provider will follow the authentication result of the authenticator and return its information to the corresponding application.
  • the requested user data It is not difficult to see that in the process of obtaining user data in related technologies, the user cannot control the scope of the user data returned by the data provider.
  • one or more embodiments of this specification provide a user data authorization method and a user data authorization system.
  • a user data authorization method including: when the client receives an authorization instruction from the user , issuing a verifiable statement based on the identity private key of the user, the distributed digital identity information of the user, and the distributed digital identity information of the target application in the client, and the verifiable statement is used to indicate that the The target application acquires the user data of the user; and, the client sends a data acquisition request including the verifiable statement to the data provider, and the data acquisition request or the verifiable statement included in the data acquisition request Signed by the identity private key of the target application; the data provider reads the verifiable statement from the received data acquisition request, and according to the distributed number of the authorized party contained in the read verifiable statement
  • the identity information obtains the corresponding identity public key from the blockchain system to verify the signature of the received data acquisition request or the read verifiable statement through the obtained identity public key, and if
  • a user data authorization system including: a client and a data provider; wherein, when the client receives an authorization instruction from the user, based on The user's identity private key, the user's distributed digital identity information, and the distributed digital identity information of the target application in the client issue a verifiable statement, and the verifiable statement is used to indicate that the target application is allowed to Obtain the user data of the user; and, the client sends a data acquisition request containing the verifiable statement to the data provider, and the data acquisition request or the verifiable statement contained in the data acquisition request Signed by the identity private key of the target application; the data provider reads the verifiable statement from the received data acquisition request, and according to the distribution of authorized parties contained in the read verifiable statement
  • the digital identity information obtains the corresponding identity public key from the blockchain system, so as to verify the signature of the received data acquisition request or the read verifiable statement through the obtained identity public key,
  • Fig. 1 is a flowchart of a user data authorization method provided by an exemplary embodiment.
  • Fig. 2 is a schematic diagram of a user data authorization system provided by an exemplary embodiment.
  • Fig. 3 is an interaction diagram of a user login method provided by an exemplary embodiment.
  • Fig. 4 is an interaction diagram of a user data authorization method provided by an exemplary embodiment.
  • the steps of the corresponding methods are not necessarily performed in the order shown and described in this specification.
  • the method may include more or less steps than those described in this specification.
  • a single step described in this specification may be decomposed into multiple steps for description in other embodiments; multiple steps described in this specification may also be combined into a single step in other embodiments describe.
  • the application in the client needs to obtain the user data of the user
  • only the authenticator corresponding to the client needs to complete the authentication of the user, and can instruct the corresponding data provider to provide the user data of the user to the above-mentioned application.
  • the data provider in the related technology is equivalent to returning user data to the application according to the authentication result of the authenticator, which makes it impossible for the user to control the data provider's operation of providing user data for the application, which in turn leads to the data provider's direction to the application.
  • provision there is only a distinction between provision and non-provision, but the scope of the provided user data cannot be controlled.
  • the data provider since the data provider directly obeys the authentication result of the authorizer for authorization, there is no authorization certificate, so the data provider cannot self-certify the above authorization process in the subsequent traceability process.
  • this specification proposes a user data authorization method, which enables users to control the authorization scope of user data open to applications from data providers, and avoids the problem of being unable to control the authorization scope of user data in related technologies.
  • Fig. 1 is a flow chart of a user data authorization method shown in an exemplary embodiment of this specification.
  • the method may include the following steps: Step 102, when the client receives the user's authorization instruction, based on the user's identity private key, the user's distributed digital identity information and the target application in the client
  • the distributed digital identity information issues a verifiable statement, and the verifiable statement is used to indicate that the target application is allowed to obtain the user data of the user; and, the client sends to the data provider a message containing the verifiable statement
  • a data acquisition request, and the data acquisition request or the verifiable statement contained in the data acquisition request is signed by the identity private key of the target application.
  • this disclosure no longer relies on the authentication result of the above-mentioned authenticator to authorize user data, but through the user
  • the VC may contain information such as the authorizer, the authorized party, and authorized content.
  • the authorizing party is the user corresponding to the client
  • the authorized party is the application requesting to obtain user data
  • the authorized content may include the scope of the authorized user data.
  • DID Decentralized Identifiers, distributed digital identity
  • DID distributed digital identity
  • this manual is equivalent to relying on the distributed architecture of the blockchain system to carry out user data
  • Authorization avoids the problems caused by relying on centralized services in related technologies.
  • the DIDs of the above-mentioned users, clients, applications, etc. can be pre-registered in the blockchain system for issuing VC and verifying VC.
  • a corresponding registration transaction can be generated based on the description information and identity public key of any object, and the generated registration transaction can be sent to the blockchain system; the blockchain system can Execute the received registration transaction to generate the DID and DID document corresponding to any object, and maintain the identity public key and description information contained in the registration transaction in the DID document.
  • any device needs to authenticate any object, it only needs to provide the DID of any object, and then it can obtain the identity public key of any object from the blockchain system, based on The identity public key verifies the signature information signed by the identity private key of any object, and then completes the identity authentication for any object.
  • the client after receiving the user data authorization request initiated by the target application, the client can communicate the user data authorization request to the user, so that the user can determine whether to grant the target application access to the corresponding data.
  • the client after receiving the user's authorization instruction, the client can further determine whether the user is already logged in. If the user is already logged in, the user's identity private key, the user's distributed digital identity information and the The distributed digital identity information of the target application issues the above verifiable statement; otherwise, the verifiable statement is not issued.
  • this manual may also include the steps for the user to log in on the client:
  • the user can Log in through the method in related technologies, that is, based on centralized services.
  • the client can display a login interface to the user so that the user can enter corresponding user authentication information, such as account number and password; on this basis, the client can generate a corresponding authentication request based on the user authentication information and send it to the At the authenticator corresponding to the client, after verifying the user authentication information, the authenticator can return login authorization information to the client to instruct the client to mark the user's login status as logged in.
  • users can log in through their own DID pre-registered in the blockchain system.
  • the client when receiving a login request from a user, the client can initiate a login request to the authenticator corresponding to the client based on the user's identity private key and DID; and the authenticator, after receiving the login request, immediately Based on the DID contained in it, the user's identity public key can be obtained from the blockchain system to verify the login request, and if the verification is passed, the login authorization information is returned to the client; the client receives the login After authorizing information, the user's login status can be marked as logged in.
  • the user authentication information such as account number and password
  • it essentially compares the authentication information entered by the user with the pre-registered authentication information in the centralized server to determine whether the user has successfully logged in.
  • the data stored in the centralized server is controlled by the service provider and is easily tampered with, making the entire login process unreliable.
  • the user's pre-registered DID in the blockchain system is used as the login credential, and since the DID is registered in the blockchain system (equivalent to the login credential having the endorsement of the blockchain system), it has an inherent The nature of tampering makes this embodiment more reliable than logging in through centralized services.
  • the application that requests to obtain user data is named the target application.
  • the target application may be a native application provided by the native server of the client, or a third-party application provided by a third-party server different from the native server.
  • the third-party application may be a small program, an H5 page, etc. running in the client.
  • the target application when the client is an instant messaging client, if the above-mentioned target application is the above-mentioned native application, the target application can be an instant messaging application running on the instant messaging client; if the above-mentioned target application is the above-mentioned third-party application, the The target application may be a shopping application provided by a shopping platform service provider running on the instant messaging client (for example, it may be presented in the form of a small program or an H5 page).
  • a shopping platform service provider running on the instant messaging client (for example, it may be presented in the form of a small program or an H5 page).
  • this example is only illustrative, and the specific application of the above-mentioned target application and third-party application can be determined by those skilled in the art according to the actual situation.
  • the target application can initiate a data authorization request to the user through the client, for example, by displaying the data authorization request on the interface, or by broadcasting the data authorization request, the user can be notified that the target application requests to obtain user data ; and the user can respond to the data authorization request to send an authorization instruction for the target application to the client.
  • the client can issue a VC based on the user's identity private key, the user's DID, and the target application's DID.
  • the VC is used to indicate that the target application is allowed to obtain the user's user data; after completing the VC issuance, the client That is, a data acquisition request including the VC can be further sent to the data provider, and the data acquisition request or the VC contained in the data acquisition request is signed by the identity private key of the target application.
  • Step 104 the data provider reads the verifiable statement from the received data acquisition request, and obtains it from the blockchain system according to the distributed digital identity information of the authorized party contained in the read verifiable statement
  • the corresponding identity public key is used to verify the signature of the received data acquisition request or the read verifiable statement through the obtained identity public key, and if the signature verification is successful, it will indicate in the read verifiable statement
  • the user data is returned to the client for provision to the target application.
  • the data provider when the data provider receives the above data acquisition request, it can read the VC from it, and obtain the authorized party's identity public key from the blockchain system according to the authorized party's DID contained in the VC, The data acquisition request or VC can be verified through the identity public key. If the signature verification is successful, it proves that the target application is the issued party in the VC, and the user data indicated in the VC can be returned to the client to be provided to the target application.
  • VC must be issued based on the DID registered in the blockchain system, which is inherently reliable, so there is no need to verify whether the VC is credible; and this manual focuses on "whether the target application has obtained user data authorization", but It doesn't care about "who grants this permission”.
  • the authorizing party included in the VC of this specification can be the above-mentioned user itself, or other objects that can authorize the user data of the user. Therefore, in this manual, when issuing a VC, the user only needs to verify the signature through the identity private key of the target application; Signature verification is performed to determine whether the target application has permission to obtain the corresponding user data.
  • the authorizing party in the VC can also be verified, and only between the authorizing party and the authorized party If both parties pass the verification, then return the user data indicated in the VC to the client.
  • the VC issued by the user is signed by the identity private key of the target application, it can be further signed by the user's identity private key; on this basis, after receiving the VC, the data provider can, according to the The DID of the authorizer obtains the identity public key of the authorizer from the blockchain system to verify the signature of the VC based on the identity public key. If the verification is successful, it proves that the authorizer in the VC is the user. In this embodiment, the data provider only transfers the corresponding user data to Return to client.
  • the above method of verifying both the authorizer and the authorized party in VC is equivalent to strict standards for the target application to obtain user data authorization, that is, only when it is determined that the user itself grants the target application the permission to obtain its user data , the data provider provides the user data indicated in the VC to the target application.
  • the issued VC has a certain timeliness, and whether the VC is valid can be determined according to the preset valid time, or can be changed according to the user's instruction. This can be determined by those skilled in the art according to actual needs, and the present disclosure does not limit it.
  • the state information of VC can be maintained by registering VC to the blockchain system, so that the data provider can determine the validity of VC through the state information maintained in the blockchain system after receiving the VC. sex. Among them, the data provider returns the user data indicated in the VC to the client only when it is determined that the state information maintained in the blockchain system indicates that the VC is valid and the verification of the verifiable statement is successful.
  • the data provider can obtain VC status information in a variety of ways. For example, after the user completes the issuance of VC, the client can generate a corresponding registration transaction and send it to the blockchain system for The system generates the DID corresponding to the VC, and stores the VC's DID and status information in association. On this basis, after receiving the VC, the data provider can provide the VC's DID to the blockchain system to According to the DID, the blockchain system obtains the status information of the VC and returns it to the data provider.
  • this example is only illustrative, and how to obtain the status information of the VC can be determined by those skilled in the art according to actual needs, and this specification does not limit it.
  • the client in this specification needs to register a VC with the blockchain system, it can generate a registration request for the VC and send the generated registration request to the authenticator; after the authenticator receives the registration request, it can Based on the VC contained in the registration request, a registration transaction is generated and sent to the blockchain system; the blockchain system can execute the registration transaction to store the VC contained in the transaction and maintain the status information of the VC .
  • whether or not VC is valid can be changed according to the user's instruction.
  • the user after registering VC to the blockchain system, if the user needs to invalidate the registered VC, he can send a revocation request for the registered VC to the client.
  • the client After receiving the revocation request, the client can Instruct the blockchain system to change the status information of the registered VC to the revoked status, which is used to indicate that the VC has been invalidated by the above-mentioned user.
  • the above-mentioned data provider can be either a blockchain system or a data server different from the blockchain system.
  • the data server may belong to a certain data network.
  • the client can preferentially send the VC to the transit server corresponding to the data network, so that the transit server can determine the user data indicated in the VC from several data servers included in the data network according to the user's DID. data server, and send the VC to the determined data server.
  • the client can generate a corresponding data acquisition transaction based on VC and send it to the blockchain system, so that the blockchain system can use the user's DID or user data contained in the VC to The description information of , obtain the user data that needs to be returned to the client from the maintained chain data.
  • the VC should contain the description information of the user data to be obtained, so that after receiving the VC, the data provider can obtain the stored first data about the user according to the description information in it, and return to the Client user data.
  • the user's user data contains a large amount of private data, which is usually inconvenient to be directly disclosed to the target application. Therefore, if the target application requires the obtained data to contain private data, the user can also Further, the form in which the data provider provides the user data to the target application is restricted. For example, it may be stipulated that: after obtaining the stored second data about the user according to the description information in the VC, process the second data according to the instruction in the VC, and use the processing result as the user data that needs to be returned to the client. For example, when the target application needs to confirm whether the user is an adult, the user data it requests may be the age of the user.
  • the data provider in this disclosure can determine whether the age of the user is More than 18, and return the conclusion of "whether it is an adult" to the client according to the judgment result as the above user data. It should be understood that, in this manner, leakage of the user's private data can be avoided, and the security of the user data is improved.
  • the data provider may further perform processing operations on the second data in a TEE (Trusted execution environment, trusted execution environment).
  • TEE Trusted execution environment, trusted execution environment
  • the VC issued by the user may also include: an indication that secure calculation needs to be performed on the acquired second data, and indication information of a TEE used for performing secure calculation.
  • the data provider can encrypt the obtained second data based on the identity public key of the TEE indicated in the VC, and transmit it to the TEE, so that the TEE can obtain the second data based on its own identity.
  • security calculations are performed on the second data according to the pre-deployed calculation tasks indicated in the VC. Then, the data provider can use the security calculation result generated by the TEE as the user data that needs to be returned to the client.
  • the above TEE can be deployed in both privacy blockchains and off-chain privacy computing nodes.
  • the above TEE is an on-chain TEE.
  • the data provider can encrypt the obtained second data based on the identity public key of the on-chain TEE indicated in the VC, and based on the encrypted second data and the computing tasks contained in the VC
  • a secure computing transaction is generated, and the secure computing transaction is sent to the privacy blockchain; after the privacy blockchain receives the secure computing transaction, it can execute the secure computing transaction in the TEE on the chain maintained by itself, so as to pass the chain
  • the identity private key on the TEE decrypts the second data, it calls the pre-deployed smart contract for completing the above calculation tasks, and performs secure calculation on the decrypted second data.
  • the privacy blockchain can be either the above-mentioned blockchain system or other blockchain systems different from the above-mentioned blockchain system. How to deploy the privacy blockchain can be determined by those skilled in the art. It is determined according to the actual situation, and this specification does not limit it.
  • the security calculation result can be encrypted with the identity public key of the target application first, and then the security calculation result can be output and transmitted to the client , to further ensure the security of user data.
  • the blockchain system in this specification can be carried on the traditional architecture of blockchain technology, that is, all nodes in the blockchain system can deploy the blockchain code on the corresponding physical equipment Formed, in most cases, each node corresponds to a physical device; the technical solution in this manual can also be carried on the BaaS (Blockchain as a Service) architecture in blockchain technology, that is, all Nodes are formed by deploying blockchain codes on virtual machines implemented in the cloud through cloud services, and blockchain nodes do not need to correspond to corresponding physical devices one by one.
  • the BaaS Blockchain as a Service
  • each blockchain node it is also included for each blockchain node to provide
  • the blockchain-as-a-service BaaS platform (or BaaS cloud) can provide pre-written software through activities that occur on the blockchain (such as subscriptions and notifications, user verification, database management, and remote updates).
  • the client-side computing equipment connected to the BaaS platform provides easy-to-use, one-click deployment, fast verification, flexible and customizable blockchain services, which can accelerate the development, testing, and launch of blockchain business applications and help various industry regions The landing of blockchain business application scenarios.
  • the fast signature verification of VC can be realized through the BaaS platform to improve the efficiency of data acquisition.
  • the client when this manual needs to provide user data to the application in the client, it will firstly use the user's identity private key, distributed digital identity information, and the distributed digital identity of the application under the user's consent. information, issuing verifiable claims.
  • the verifiable statement is used to indicate that the above-mentioned application is allowed to obtain the user data of the above-mentioned user.
  • the client can further send a data acquisition request containing the verifiable statement to the data provider, and the data acquisition request or the verifiable statement is signed by the identity private key of the target application.
  • the data provider can obtain the identity public key of the authorized party according to the distributed digital identity information of the authorized party contained in the verifiable statement, so as to respond to the verifiable statement or data acquisition request. Check the signature.
  • the data provider in this specification verifies the verifiable statement or data acquisition request based on the identity public key of the authorized party, which is equivalent to verifying whether the authorized party in the verifiable statement is requesting to obtain user data target application. Obviously, if the signature verification is successful, it can be proved that the target application has obtained the permission to obtain the user data indicated in the verifiable statement. It can be seen that this manual uses the verifiable statement as the certificate for the user to authorize the user data of the target application. The user can clearly indicate in the verifiable statement which user data to provide to the above-mentioned application, so that the user can control the scope of user data authorization.
  • the provider can self-certify to the traceable party that the user data authorization process is completed under the user's instructions, avoiding the lack of authorization credentials in related technologies, which makes the data provider unable to self-certify the user data authorization operation The problem.
  • related technologies log in through centralized services, and the authenticator and data provider are provided by the same service provider, and the data provider follows the authentication results of the authenticator to authorize user data, that is, the authenticator and data provider in related technologies They are bound to each other and cannot be decoupled.
  • the data provider returns user data to the client based on the issued verifiable statement, without relying on the authentication result of the authenticator. It can be seen that the technical solution in this specification realizes the decoupling of the authenticator and the data provider. The two can be provided by different service parties, which improves the applicability of the user data authorization method.
  • the data provider in this manual obtains the data indicated by the verifiable statement, it can further process the obtained data, and only return the processing result to the client without returning the original data
  • the problem of leakage of user privacy data in related technologies is avoided.
  • This specification also proposes a user data authorization system for implementing the above user data authorization method. It should be declared that most of the operation methods in the next embodiment, such as how to issue a verifiable statement, how to verify the verifiable statement, how to perform secure calculation, etc., are similar to the previous embodiment, and the specific operation methods are all Reference may be made to the introduction of the previous embodiment, which will not be described in detail below.
  • Fig. 2 is a schematic diagram of a user data authorization system shown in an exemplary embodiment of this specification.
  • the system may include: a client 21 and a data provider 22; wherein, when the client 21 receives the user's authorization instruction, based on the user's identity private key, the user's distributed digital identity information and the client's
  • the distributed digital identity information of the target application in the terminal 21 issues a verifiable statement, and the verifiable statement is used to indicate that the target application is allowed to obtain the user data of the user; and, the client 21 sends to the data provider A data acquisition request containing the verifiable statement, and the data acquisition request or the verifiable statement contained in the data acquisition request is signed by the identity private key of the target application;
  • the data provider 22 receives from Read the verifiable statement in the data acquisition request, and obtain the corresponding identity public key from the blockchain system according to the distributed digital identity information of the authorized party contained in the read verifiable statement, so as to obtain The received identity public key verifies
  • the user needs to be in the logged-in state in the client 21 before receiving the application's user data authorization request. Therefore, the operation of the user logging in on the client 21 may also be included in this description.
  • the user can log in through a method in related technologies, that is, based on a centralized service.
  • users can log in through their own DID pre-registered in the blockchain system.
  • the client 21 may initiate a login request to the authenticator corresponding to the client 21 based on the user's identity private key and DID when receiving the user's login request; and the authenticator, after receiving the login request, , the user’s identity public key can be obtained from the blockchain system based on the DID contained therein to verify the login request, and return the login authorization information to the client 21 if the signature verification is passed; on this basis
  • the client 21 after receiving the login authorization information, the client 21 can mark the user's login status as logged in.
  • the target application may be a native application provided by the native server of the client 21, or a third-party application provided by a third-party server different from the native server.
  • this specification can only verify the authorized party in the VC, or can verify both the authorizing party and the authorized party in the VC as in the related art.
  • the issued VC has a certain timeliness, and whether the VC is valid can be determined according to the preset valid time, or can be changed according to the user's instruction. This can be determined by those skilled in the art according to actual needs, and the present disclosure does not limit it.
  • this specification can maintain the status information of VC by registering the VC in the blockchain system, so that the data provider 22 can determine the status information of the VC through the status information maintained in the blockchain system when receiving the VC. effectiveness.
  • the data provider 22 returns the user data indicated in the VC to the client 21 only when it is determined that the status information maintained in the blockchain system indicates that the VC is valid and the verification of the verifiable statement is successful.
  • the client 21 in this specification when the client 21 in this specification needs to register the VC to the blockchain system, it can generate a registration request for the VC, and send the generated registration request to the authenticator; after the authenticator receives the registration request , based on the VC contained in the registration request, a registration transaction can be generated and sent to the blockchain system; the blockchain system can execute the registration transaction to deposit the VC contained in the transaction and maintain the VC status information.
  • the client 21 in this specification can also instruct the blockchain system to change the status information of the registered VC to the revoked state when receiving the revocation request sent by the user for the registered VC.
  • the data provider 22 in this specification can be either a blockchain system or a data server different from the blockchain system.
  • the client 21 can preferentially send the VC to the transit server corresponding to the data network, so that the transit server can obtain the VC contained in the data network according to the DID of the user.
  • the data provider 22 storing the user data indicated in the VC is determined among the several data providers 22, and the VC is sent to the determined data provider 22.
  • the data provider 22 can obtain the stored first data about the user according to the instructions of the VC as the user data to be returned to the client 21; Instruct to acquire the stored second data about the user, and process the second data according to the instructions of the VC, so as to use the processing result as the user data to be returned to the client 21 .
  • the data provider 22 may further perform processing operations on the second data in the TEE.
  • the VC issued by the user may also include: an indication that secure calculation needs to be performed on the acquired second data, and indication information of a TEE used for performing secure calculation. Then, after obtaining the second data, the data provider 22 can encrypt the obtained second data based on the identity public key of the TEE indicated in the VC, and transmit it to the TEE, so that the TEE can encrypt the obtained second data based on its own identity public key.
  • security calculations are performed on the second data according to the pre-deployed calculation tasks indicated in the VC. Then, the data provider 22 can use the security calculation result generated by the TEE as the user data to be returned to the client 21 .
  • the technical solution in this manual uses the verifiable statement issued under the instruction of the user as the credential for user data authorization, so that the user can use the verifiable statement to control the data provider's authorization of the application's user data. control, which avoids the problem in related technologies that the user cannot control the authorized scope of user data.
  • Fig. 3 is an interaction diagram of a user login method shown in an exemplary embodiment of this specification.
  • the method may include the following steps: Step 301, the client displays a login interface.
  • the client after the user opens a certain client, the corresponding login interface can be displayed in the client.
  • the client may be a client of a web page or an application program.
  • the client generates a login request based on the user's DID after receiving the user's login instruction.
  • the user's DID is used to log in. Therefore, only a control of whether to log in may be displayed on the login interface, so that the user can instruct the client to log in by triggering the control.
  • the client After the client receives the user's login instruction, it can generate a login request based on the pre-stored user's DID, and sign the generated login request based on the user's identity private key.
  • Step 303 the client signs the login request based on the user's identity private key.
  • Step 304 the client sends the signed login request to the authenticator.
  • the signed login request can be sent to the authenticator, so that the authenticator can verify the signature based on the user's identity public key.
  • Step 305 after receiving the login request, the authenticator generates a public key acquisition transaction based on the user's DID.
  • the user's DID is obtained by pre-registering in the blockchain system, and the blockchain system generates a DID document corresponding to the DID during the process of registering the DID for the user to maintain the user's identity public key.
  • the authenticator can generate a corresponding public key acquisition transaction based on the user's DID to obtain the user's identity public key from the blockchain system.
  • Step 306 the authenticator sends the public key acquisition transaction to the blockchain system.
  • Step 307 the blockchain system obtains the DID included in the transaction based on the obtained public key, obtains the user's identity public key and returns it to the authenticator.
  • the blockchain system After the blockchain system receives the above-mentioned public key acquisition transaction, it can read the user's DID contained in it, so as to find the corresponding DID document according to the DID, so that the identity contained in the DID document The public key is returned to the authenticator.
  • step 308 the authenticator verifies the login request based on the returned identity public key.
  • the authenticator after receiving the identity public key returned by the blockchain system, the authenticator can verify the received VC based on the identity public key.
  • step 309 the authenticator returns login authorization information to the client if the signature verification is successful.
  • login authorization information may be returned to the client to instruct the client to mark the user's login status as logged in.
  • Step 310 after receiving the login authorization information, the client marks the user's login status as logged in.
  • the user who requests to log in can be authenticated by using the DID of the user pre-registered in the blockchain system.
  • DID must rely on the blockchain system. Therefore, user login through DID is equivalent to completing user login based on the blockchain system. Since the data in the blockchain system cannot be tampered with, the identity based on DID The authentication has strong reliability, which avoids the problem of unreliable login process caused by the authentication of the user through the centralized service in the related technology.
  • Fig. 4 is an interaction diagram of a user data authorization method shown in an exemplary embodiment of this specification.
  • the method may include the following steps: Step 401, the client runs a third-party application under the instruction of the logged-in user.
  • the third-party application running on the client requests to obtain the user data of the logged-in user
  • the third-party application running on the client requests to obtain the user data of the logged-in user
  • the client in this embodiment may be an instant messaging client.
  • the application running on the client is a native application provided by the client's native server, such as an instant messaging application.
  • the native application running on the client can usually obtain most of the user data of the logged-in user, and only a small part of the data can only be obtained after obtaining authorization;
  • the third-party application provided by the third-party service provider if it needs to obtain the user data of the logged-in user, it must first obtain the authorization of the logged-in user.
  • the third-party application running in the instant messaging client can be a shopping application provided by the shopping platform service provider.
  • the shopping application needs to obtain the data of the logged-in user, which must be authorized by the logged-in user. .
  • Step 402 the client receives and displays the user data acquisition request initiated by the third-party application.
  • the above shopping application can initiate a user data acquisition request to the client, for example, the request can be displayed on the client interface, so that the logged-in user can determine whether to grant the shopping application permission to obtain its own user data.
  • Step 403 the client receives an authorization instruction from the logged-in user.
  • this specification relies on a different user data authorization framework, wherein the related technology relies on a centralized server to implement data authorization, while this
  • the manual relies on the distributed architecture (including blockchain system, data provider, authenticator, client, etc.) to realize user data authorization, which essentially modifies the user data authorization process at the protocol level, or in other words, is A new user data authorization protocol is proposed. Therefore, when VC is actually issued, it is issued in the form of a token, that is, what the user actually issues is a VC token.
  • the logged-in user is user A and has decided to authorize his own user data to shopping application B, he can trigger the authorization control displayed on the client interface to instruct the client to generate an indication "allow The shopping app B gets the VC token of user A's user data".
  • Step 404 the client issues a VC token based on the DID of the user and the DID of the third-party application.
  • the authorization of user data is implemented based on the DID. Therefore, in the issued VC token, the DID of each object actually represents the corresponding object.
  • the DID of user A is a1fdg4 and the DID of shopping application B is saff5d
  • user A can be represented by a1fdg4 and shopping application B can be represented by saff5d in the VC token.
  • the scope of user data that user A opens to shopping application B can be further restricted.
  • the user data of user A may include: user name, nickname, instant messaging records, user avatar, user age and so on.
  • the shopping application B is only allowed to obtain the user name and user avatar.
  • Step 405 the client signs the VC token based on the identity private key of the third-party application.
  • the client in order to facilitate the data provider to verify whether the VC token is issued to a third-party application after obtaining the VC token, in this step, the client can verify the VC token based on the identity private key of the third-party application.
  • the token is signed.
  • the VC token can be further signed by the identity private key of the above-mentioned user A. Whether this step needs to be performed can be determined by those skilled in the art according to actual needs, which is not limited in this embodiment.
  • Step 406 the client sends the signed VC token to the authenticator.
  • the VC token can also be registered in the blockchain system, so that the blockchain system can maintain the status information used to indicate whether the VC token is valid .
  • the blockchain technology provider usually only allows the service party that has a cooperative relationship with it to interact with the blockchain system, therefore, in this embodiment, the VC token can be sent to the Provided by the authenticator, the authenticator generates a corresponding registration transaction to register the VC token into the blockchain system.
  • Step 407 the authenticator generates a registration transaction based on the signed VC token and sends it to the blockchain system.
  • the blockchain system can directly register the VC token upon receiving it, or, in the case of the VC token being signed by user A’s identity private key, it can preferentially register the user according to the VC token.
  • A's DID obtains the identity public key of user A stored on the chain to verify the VC token, and only if the verification is successful, then registers the VC token to the blockchain system and checks its status information is maintained. What needs to be declared is that the status information of the successfully registered VC token is marked as valid. If in the subsequent process, user A no longer authorizes the corresponding user data to shopping application B, he can send a revocation to the blockchain system.
  • the transaction method changes the status information of the VC token to the revoked status.
  • user A can also indicate the validity period of the VC token in the VC token in advance, then the blockchain system can periodically revoke the VC token after the registration is completed.
  • Step 408 the blockchain system registers the VC token, and marks the status information of the registered VC token as valid.
  • Step 409 the blockchain system returns the DID of the registered VC token to the authenticator.
  • the blockchain system when the blockchain system registers the VC token, it can generate a DID corresponding to the VC token, so that the data provider can obtain the status information of the VC token according to the DID.
  • this embodiment only uses the DID of the VC token to obtain the status information of the VC token as an example.
  • the blockchain system only needs to return the unique identification information corresponding to the VC token , that is, the status information can be obtained in the subsequent verification process.
  • the unique identification information can be the hash value of the VC token in addition to the DID of the VC token. What kind of identification is used to obtain the VC token in this embodiment?
  • the status information of the card can be determined by those skilled in the art according to the actual situation, which is not limited in this embodiment.
  • Step 410 the authenticator returns the DID of the VC token to the client.
  • Step 411 the client generates a data acquisition request based on the signed VC token and the DID of the VC token.
  • the client after the client receives the returned DID of the VC token, it can generate a data acquisition request based on the signed VC token and the DID, and send it to the data provider.
  • Step 412 the client sends a data acquisition request to the data provider.
  • the data provider may be other data servers that are different from the authentication party and the blockchain system described above.
  • the data provider verifies the VC token through the DID registered in the blockchain system, instead of following the authentication result of the authenticator.
  • Step 413 the data provider generates a verification voucher based on the DID of the third-party application and the DID of the VC token to obtain the transaction.
  • the data provider can read the signed VC token and the DID of the VC token from the request, and further obtain the DID of the shopping application B from the VC token.
  • the identity public key of shopping application B can be obtained from the blockchain system based on the DID of shopping application B to verify whether the authorized party in the VC token is shopping application B; and based on the VC token DID obtains the status information of the VC token from the blockchain system to determine whether the VC token is valid.
  • Step 414 the data provider sends the verification certificate acquisition transaction to the blockchain system.
  • both the state information of the VC token and the identity public key of the third-party application are used to verify the VC token. Therefore, both the state information of the VC token and the identity public key of the third-party application can be called as a verification certificate.
  • the data provider usually does not obtain the state information of the VC token and the identity public key of the third-party application through two interactions, but obtains the state information of the VC token and the identity of the third-party application through one interaction public key.
  • the data provider can generate a verification credential acquisition transaction based on the DID of the VC token and the DID of the third-party application, and send the verification credential acquisition transaction to the blockchain system.
  • a verification voucher transaction is generated based on the DID of the VC token and the DID of the shopping application B, and sent to the blockchain system.
  • Step 415 the blockchain system executes the verification credential acquisition transaction to obtain the identity public key of the third-party application according to the DID of the third-party application, and obtain the status information of the VC token according to the DID of the VC token.
  • the blockchain system After the blockchain system receives the above-mentioned verification certificate acquisition transaction, it can read the DID of the VC token and the DID of the shopping application B, and obtain the identity public key of the shopping application B according to the DID of the shopping application B 1. Obtain the state information of the VC token according to the DID of the VC token.
  • Step 416 the blockchain system returns the identity public key of the third-party application and the state information of the VC token to the data provider.
  • Step 417 the data provider verifies the VC token based on the identity public key of the third-party application, and determines whether the status information indicates that the VC token is valid; if the verification is successful and the VC token is valid, then go to step 418.
  • the data provider can determine whether the VC token is valid according to the status information, and through the shopping application B B's identity public key verifies the signed VC token. If it is determined that the VC token is valid and the signature verification is successful, it proves that the shopping application B has the authority to obtain the user data indicated in the VC token, and the data provider can obtain the corresponding user data according to the indication in the VC token and return it to the client to be provided to the shopping application B by the client.
  • Step 418 the data provider returns the user data indicated in the VC token to the client.
  • this embodiment can issue a VC token for a third-party application running in the client under the instruction of the user, so as to instruct the data provider to return the corresponding user data to the client through the VC token, and provided to third-party applications. It should be understood that this embodiment is equivalent to using the above-mentioned VC token as a data authorization credential to control the user data authorization process, which avoids the problem in the related art that the user cannot control the user data authorization process.
  • the VC token can be further registered in the blockchain system, so that the state data of the VC token can be maintained by the blockchain system.
  • the data provider can obtain the status information of the VC token through the blockchain system to determine whether the VC token is valid, thereby avoiding the problem of providing user data to third-party applications based on invalid VC tokens. Issues that lead to user data leakage.
  • These computer program instructions may also be stored in a computer-readable memory capable of directing a computer or other programmable data processing apparatus to operate in a specific manner, such that the instructions stored in the computer-readable memory produce an article of manufacture comprising instruction means, the instructions
  • the device realizes the function specified in one or more procedures of the flowchart and/or one or more blocks of the block diagram.
  • a computing device includes one or more processors (CPUs), input/output interfaces, network interfaces, and memory.
  • processors CPUs
  • input/output interfaces network interfaces
  • memory volatile and non-volatile memory
  • Memory may include non-permanent storage in computer-readable media, in the form of random access memory (RAM) and/or nonvolatile memory such as read-only memory (ROM) or flash RAM. Memory is an example of computer readable media.
  • RAM random access memory
  • ROM read-only memory
  • flash RAM flash random access memory
  • Computer-readable media including both permanent and non-permanent, removable and non-removable media, can be implemented by any method or technology for storage of information.
  • Information may be computer readable instructions, data structures, modules of a program, or other data.
  • Examples of computer storage media include, but are not limited to, phase change memory (PRAM), static random access memory (SRAM), dynamic random access memory (DRAM), other types of random access memory (RAM), read only memory (ROM), Electrically Erasable Programmable Read-Only Memory (EEPROM), Flash memory or other memory technology, Compact Disc Read-Only Memory (CD-ROM), Digital Versatile Disc (DVD) or other optical storage, Magnetic cassettes, magnetic tape magnetic disk storage, graphene storage or other magnetic storage devices or any other non-transmission medium that can be used to store information that can be accessed by computing devices.
  • computer-readable media excludes transitory computer-readable media, such as modulated data signals and carrier waves.
  • one or more embodiments of this specification may be provided as a method, system or computer program product. Accordingly, one or more embodiments of the present description may take the form of an entirely hardware embodiment, an entirely software embodiment or an embodiment combining software and hardware aspects. Furthermore, one or more embodiments of the present description may employ a computer program embodied on one or more computer-usable storage media (including but not limited to disk storage, CD-ROM, optical storage, etc.) having computer-usable program code embodied therein. The form of the product.
  • program modules include routines, programs, objects, components, data structures, etc. that perform particular tasks or implement particular abstract data types.
  • program modules may also be practiced in distributed computing environments where tasks are performed by remote processing devices that are linked through a communications network.
  • program modules may be located in both local and remote computer storage media including storage devices.

Landscapes

  • Engineering & Computer Science (AREA)
  • Theoretical Computer Science (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Physics & Mathematics (AREA)
  • General Physics & Mathematics (AREA)
  • Databases & Information Systems (AREA)
  • Computer Hardware Design (AREA)
  • Software Systems (AREA)
  • Bioethics (AREA)
  • General Health & Medical Sciences (AREA)
  • Health & Medical Sciences (AREA)
  • Computing Systems (AREA)
  • Data Mining & Analysis (AREA)
  • Storage Device Security (AREA)

Abstract

A user data authorization method and a user data authorization system. The method may comprise: a client issuing a verifiable claim on the basis of an identity private key and distributed digital identity information of a user, and distributed digital identity information of a target application in the client, wherein the verifiable claim is used for indicating that the target application is allowed to acquire user data of the user, and the client signing the verifiable claim by means of an identity private key of the target application, and adding the signed verifiable claim to a data acquisition request, so as to send the data acquisition request to a data provider (102); and after receiving the data acquisition request, the data provider acquiring an identity public key of an authorized party on the basis of distributed digital identity information of the authorized party that is included in the verifiable claim, so as to perform signature verification on the verifiable claim by means of the identity public key, and returning, to the client, the user data that is indicated in the verifiable claim when the signature verification is passed, so as to provide the user data to the target application (104).

Description

用户数据授权方法及用户数据授权系统User data authorization method and user data authorization system 技术领域technical field
本说明书一个或多个实施例涉及终端技术领域,尤其涉及一种用户数据授权方法及用户数据授权系统。One or more embodiments of this specification relate to the technical field of terminals, and in particular, to a user data authorization method and a user data authorization system.
背景技术Background technique
在相关技术中,若客户端中的应用需要获取用户数据,只需该客户端所对应的认证方对用户的身份进行认证即可,数据提供方听从认证方的认证结果,向相应应用返回其所请求获取的用户数据。不难看出,相关技术在获取用户数据的过程中,用户无法对数据提供方返回的用户数据的范围进行控制。In related technologies, if the application in the client needs to obtain user data, it only needs to be authenticated by the authenticator corresponding to the client, and the data provider will follow the authentication result of the authenticator and return its information to the corresponding application. The requested user data. It is not difficult to see that in the process of obtaining user data in related technologies, the user cannot control the scope of the user data returned by the data provider.
发明内容Contents of the invention
有鉴于此,本说明书一个或多个实施例提供一种用户数据授权方法及用户数据授权系统。In view of this, one or more embodiments of this specification provide a user data authorization method and a user data authorization system.
本说明书一个或多个实施例提供技术方案如下:根据本说明书一个或多个实施例的第一方面,提出了一种用户数据授权方法,包括:客户端在接收到用户的授权指示的情况下,基于所述用户的身份私钥、所述用户的分布式数字身份信息和所述客户端中的目标应用的分布式数字身份信息颁发可验证声明,所述可验证声明用于指示允许所述目标应用获取所述用户的用户数据;以及,所述客户端向数据提供方发送包含所述可验证声明的数据获取请求,且所述数据获取请求或所述数据获取请求中包含的可验证声明由所述目标应用的身份私钥进行签名;数据提供方从接收到的所述数据获取请求中读取可验证声明,并根据读取到的可验证声明中所含被授权方的分布式数字身份信息从区块链系统处获取相应的身份公钥,以通过获取到的身份公钥对接收到的数据获取请求或读取的可验证声明进行验签,并在验签成功的情况下,将读取的可验证声明中指示的用户数据返回所述客户端以提供至所述目标应用。One or more embodiments of this specification provide the following technical solutions: According to the first aspect of one or more embodiments of this specification, a user data authorization method is proposed, including: when the client receives an authorization instruction from the user , issuing a verifiable statement based on the identity private key of the user, the distributed digital identity information of the user, and the distributed digital identity information of the target application in the client, and the verifiable statement is used to indicate that the The target application acquires the user data of the user; and, the client sends a data acquisition request including the verifiable statement to the data provider, and the data acquisition request or the verifiable statement included in the data acquisition request Signed by the identity private key of the target application; the data provider reads the verifiable statement from the received data acquisition request, and according to the distributed number of the authorized party contained in the read verifiable statement The identity information obtains the corresponding identity public key from the blockchain system to verify the signature of the received data acquisition request or the read verifiable statement through the obtained identity public key, and if the signature verification is successful, User data indicated in the read verifiable statement is returned to the client for provision to the target application.
根据本说明书一个或多个实施例的第二方面,提出了一种用户数据授权系统,包括:客户端和数据提供方;其中,所述客户端在接收到用户的授权指示的情况下,基于所述用户的身份私钥、所述用户的分布式数字身份信息和所述客户端中的目标应用的分布式数字身份信息颁发可验证声明,所述可验证声明用于指示允许所述目标应用获取所述用 户的用户数据;以及,所述客户端向所述数据提供方发送包含所述可验证声明的数据获取请求,且所述数据获取请求或所述数据获取请求中包含的可验证声明由所述目标应用的身份私钥进行签名;所述数据提供方从接收到的所述数据获取请求中读取可验证声明,并根据读取到的可验证声明中所含被授权方的分布式数字身份信息从区块链系统处获取相应的身份公钥,以通过获取到的身份公钥对接收到的数据获取请求或读取的可验证声明进行验签,并在验签成功的情况下,将读取的可验证声明中指示的用户数据返回所述客户端以提供至所述目标应用。According to a second aspect of one or more embodiments of the present specification, a user data authorization system is proposed, including: a client and a data provider; wherein, when the client receives an authorization instruction from the user, based on The user's identity private key, the user's distributed digital identity information, and the distributed digital identity information of the target application in the client issue a verifiable statement, and the verifiable statement is used to indicate that the target application is allowed to Obtain the user data of the user; and, the client sends a data acquisition request containing the verifiable statement to the data provider, and the data acquisition request or the verifiable statement contained in the data acquisition request Signed by the identity private key of the target application; the data provider reads the verifiable statement from the received data acquisition request, and according to the distribution of authorized parties contained in the read verifiable statement The digital identity information obtains the corresponding identity public key from the blockchain system, so as to verify the signature of the received data acquisition request or the read verifiable statement through the obtained identity public key, and when the signature verification is successful Next, the user data indicated in the read verifiable statement is returned to the client for provision to the target application.
附图说明Description of drawings
图1是一示例性实施例提供的一种用户数据授权方法的流程图。Fig. 1 is a flowchart of a user data authorization method provided by an exemplary embodiment.
图2是一示例性实施例提供的一种用户数据授权系统的示意图。Fig. 2 is a schematic diagram of a user data authorization system provided by an exemplary embodiment.
图3是一示例性实施例提供的一种用户登录方法的交互图。Fig. 3 is an interaction diagram of a user login method provided by an exemplary embodiment.
图4是一示例性实施例提供的一种用户数据授权方法的交互图。Fig. 4 is an interaction diagram of a user data authorization method provided by an exemplary embodiment.
具体实施方式Detailed ways
这里将详细地对示例性实施例进行说明,其示例表示在附图中。下面的描述涉及附图时,除非另有表示,不同附图中的相同数字表示相同或相似的要素。以下示例性实施例中所描述的实施方式并不代表与本说明书一个或多个实施例相一致的所有实施方式。相反,它们仅是与如所附权利要求书中所详述的、本说明书一个或多个实施例的一些方面相一致的装置和方法的例子。Reference will now be made in detail to the exemplary embodiments, examples of which are illustrated in the accompanying drawings. When the following description refers to the accompanying drawings, the same numerals in different drawings refer to the same or similar elements unless otherwise indicated. Implementations described in the following exemplary embodiments do not represent all implementations consistent with one or more embodiments of this specification. Rather, they are merely examples of apparatuses and methods consistent with aspects of one or more embodiments of the present specification as recited in the appended claims.
需要说明的是:在其他实施例中并不一定按照本说明书示出和描述的顺序来执行相应方法的步骤。在一些其他实施例中,其方法所包括的步骤可以比本说明书所描述的更多或更少。此外,本说明书中所描述的单个步骤,在其他实施例中可能被分解为多个步骤进行描述;而本说明书中所描述的多个步骤,在其他实施例中也可能被合并为单个步骤进行描述。It should be noted that in other embodiments, the steps of the corresponding methods are not necessarily performed in the order shown and described in this specification. In some other embodiments, the method may include more or less steps than those described in this specification. In addition, a single step described in this specification may be decomposed into multiple steps for description in other embodiments; multiple steps described in this specification may also be combined into a single step in other embodiments describe.
在相关技术中,若客户端中的应用需要获取用户的用户数据时,只需客户端所对应的认证方完成针对用户的认证,即可指示相应的数据提供方向将用户的用户数据提供至上述应用。In the related technology, if the application in the client needs to obtain the user data of the user, only the authenticator corresponding to the client needs to complete the authentication of the user, and can instruct the corresponding data provider to provide the user data of the user to the above-mentioned application.
应当理解的是,相关技术中的数据提供方相当于听从认证方的认证结果向应用返回 用户数据,这使得用户无法对数据提供方为应用提供用户数据的操作进行控制,进而导致数据提供方向应用提供用户数据时,仅存在提供或不提供的区分,而无法对所提供的用户数据的范围进行控制。除此之外,由于数据提供方直接听从授权方的认证结果进行授权,不存在任何授权凭证,导致数据提供方在后续追溯过程中,无法对上述授权过程进行自证。It should be understood that the data provider in the related technology is equivalent to returning user data to the application according to the authentication result of the authenticator, which makes it impossible for the user to control the data provider's operation of providing user data for the application, which in turn leads to the data provider's direction to the application. When providing user data, there is only a distinction between provision and non-provision, but the scope of the provided user data cannot be controlled. In addition, since the data provider directly obeys the authentication result of the authorizer for authorization, there is no authorization certificate, so the data provider cannot self-certify the above authorization process in the subsequent traceability process.
为解决上述问题,本说明书提出了一种用户数据授权方法,使得用户能够控制数据提供方向应用开放的用户数据的授权范围,避免了相关技术中无法对用户数据的授权范围进行控制的问题。In order to solve the above problems, this specification proposes a user data authorization method, which enables users to control the authorization scope of user data open to applications from data providers, and avoids the problem of being unable to control the authorization scope of user data in related technologies.
图1是本说明书一示例性实施例示出的一种用户数据授权方法的流程图。该方法可以包括以下步骤:步骤102,客户端在接收到用户的授权指示的情况下,基于所述用户的身份私钥、所述用户的分布式数字身份信息和所述客户端中的目标应用的分布式数字身份信息颁发可验证声明,所述可验证声明用于指示允许所述目标应用获取所述用户的用户数据;以及,所述客户端向数据提供方发送包含所述可验证声明的数据获取请求,且所述数据获取请求或所述数据获取请求中包含的可验证声明由所述目标应用的身份私钥进行签名。Fig. 1 is a flow chart of a user data authorization method shown in an exemplary embodiment of this specification. The method may include the following steps: Step 102, when the client receives the user's authorization instruction, based on the user's identity private key, the user's distributed digital identity information and the target application in the client The distributed digital identity information issues a verifiable statement, and the verifiable statement is used to indicate that the target application is allowed to obtain the user data of the user; and, the client sends to the data provider a message containing the verifiable statement A data acquisition request, and the data acquisition request or the verifiable statement contained in the data acquisition request is signed by the identity private key of the target application.
鉴于相关技术中的技术问题是由于数据提供方听从认证方的认证结果,向应用提供用户数据而导致的,本公开不再依赖于上述认证方的认证结果进行用户数据授权,而是通过由用户向请求获取用户数据的应用发放VC(Verifiable Claim,可验证声明)的方式,指示数据提供方对该应用进行用户数据授权。其中,在该VC中可以包含授权方、被授权方、以及授权内容等信息。具体的,在本说明书发放的VC中,该授权方即为客户端所对应的用户,被授权方即为请求获取用户数据的应用,而授权内容则可以包括授权的用户数据中的范围。In view of the technical problems in related technologies caused by the fact that the data provider obeys the authentication result of the authenticator and provides user data to the application, this disclosure no longer relies on the authentication result of the above-mentioned authenticator to authorize user data, but through the user The method of issuing VC (Verifiable Claim) to the application requesting to obtain user data, instructing the data provider to authorize the user data of the application. Wherein, the VC may contain information such as the authorizer, the authorized party, and authorized content. Specifically, in the VC issued in this manual, the authorizing party is the user corresponding to the client, and the authorized party is the application requesting to obtain user data, and the authorized content may include the scope of the authorized user data.
应当理解的是,由于本说明书通过发放VC的方式指示数据提供方进行用户数据授权,使得本说明书中的用户可以对自身数据的授权范围等内容进行控制,避免了相关技术中用户对数据授权操作不可控,而导致用户数据授权范围过大,进而造成信息泄露过多的问题。其次,由于数据提供方基于VC进行用户数据授权,使得在后续追溯过程中,可以通过VC向追溯方证明:自身是基于用户的指示向相应的应用开放获取用户数据的权限。换言之,通过本说明书的技术方案使得数据提供方能够在后续追溯过程中,对数据授权操作进行自证。It should be understood that since this specification instructs the data provider to authorize user data by issuing VC, users in this specification can control the scope of authorization of their own data and other content, avoiding the need for users to authorize data in related technologies. Uncontrollable, resulting in too large user data authorization scope, which in turn leads to excessive information leakage. Secondly, since the data provider authorizes user data based on VC, in the subsequent traceability process, VC can prove to the traceable party that it is based on the user's instruction to open the permission to the corresponding application to obtain user data. In other words, through the technical solution of this specification, the data provider can self-certify the data authorization operation in the subsequent traceability process.
需要声明的是,VC需要基于DID(Decentralized Identifiers,分布式数字身份)颁发, 而DID注册于区块链系统中,可见,本说明书相当于依托于区块链系统这一分布式架构进行用户数据授权,避免了相关技术中依托于中心化服务而导致的问题。在实际操作中,可以预先在区块链系统中注册上述用户、客户端、应用等的DID,以用于颁发VC和验证VC。具体的,在为任一对象注册DID时,可以基于该任一对象的描述信息和身份公钥生成相应的注册交易,并将生成的注册交易发送至区块链系统;区块链系统即可执行接收到的注册交易,以生成与该任一对象对应的DID和DID文档,并将注册交易中包含的身份公钥、描述信息等维护于该DID文档中。在此基础上,任一设备在需要对该任一对象进行身份认证时,只需提供该任一对象的DID,即可从区块链系统中获取该任一对象的身份公钥,以基于该身份公钥对通过该任一对象的身份私钥进行签名后的签名信息进行验签,进而完成针对该任一对象的身份认证。What needs to be declared is that VC needs to be issued based on DID (Decentralized Identifiers, distributed digital identity), and DID is registered in the blockchain system. It can be seen that this manual is equivalent to relying on the distributed architecture of the blockchain system to carry out user data Authorization avoids the problems caused by relying on centralized services in related technologies. In actual operation, the DIDs of the above-mentioned users, clients, applications, etc. can be pre-registered in the blockchain system for issuing VC and verifying VC. Specifically, when registering a DID for any object, a corresponding registration transaction can be generated based on the description information and identity public key of any object, and the generated registration transaction can be sent to the blockchain system; the blockchain system can Execute the received registration transaction to generate the DID and DID document corresponding to any object, and maintain the identity public key and description information contained in the registration transaction in the DID document. On this basis, when any device needs to authenticate any object, it only needs to provide the DID of any object, and then it can obtain the identity public key of any object from the blockchain system, based on The identity public key verifies the signature information signed by the identity private key of any object, and then completes the identity authentication for any object.
在本说明书中,客户端在接收到目标应用发起的用户数据授权请求之后,即可将该用户数据授权请求传达给用户,以便用户确定是否向目标应用开放相应数据的获取权限。其中,客户端在接收到用户的授权指示后,还可以进一步判断该用户是否已经处于登录状态,若已处于登录状态,则基于用户的身份私钥、用户的分布式数字身份信息以及客户端中的目标应用的分布式数字身份信息颁发上述可验证声明;否则,不颁发该可验证声明。In this specification, after receiving the user data authorization request initiated by the target application, the client can communicate the user data authorization request to the user, so that the user can determine whether to grant the target application access to the corresponding data. Among them, after receiving the user's authorization instruction, the client can further determine whether the user is already logged in. If the user is already logged in, the user's identity private key, the user's distributed digital identity information and the The distributed digital identity information of the target application issues the above verifiable statement; otherwise, the verifiable statement is not issued.
在该前提下,为了使客户端可以在获得用户授权的情况下,正常执行颁发可验证声明的操作,本说明书还可以包括用户在客户端上进行登录的步骤:在一实施例中,用户可以通过相关技术中方式,即基于中心化服务进行登录。具体的,客户端可以向用户展示登录界面,以便用户输入相应的用户认证信息,如账号、密码等;在此基础上,客户端即可基于用户认证信息生成相应的认证请求,并发送至该客户端所对应的认证方处,认证方在对用户认证信息进行验证后,即可向客户端返回登录授权信息,以指示客户端将用户的登录状态标记为已登录。On this premise, in order to enable the client to normally execute the operation of issuing a verifiable statement under the condition of obtaining the authorization of the user, this manual may also include the steps for the user to log in on the client: In one embodiment, the user can Log in through the method in related technologies, that is, based on centralized services. Specifically, the client can display a login interface to the user so that the user can enter corresponding user authentication information, such as account number and password; on this basis, the client can generate a corresponding authentication request based on the user authentication information and send it to the At the authenticator corresponding to the client, after verifying the user authentication information, the authenticator can return login authorization information to the client to instruct the client to mark the user's login status as logged in.
在另一实施例中,用户可以通过自身预先注册于区块链系统中的DID进行登录。具体的,客户端可以在接收到用户的登录请求的情况下,基于用户的身份私钥以及DID,向客户端所对应的认证方发起登录请求;而认证方在接收到该登录请求后,即可基于其中包含的DID从区块链系统处获取用户的身份公钥,以对登录请求进行验签,并在验签通过的情况下,向客户端返回登录授权信息;客户端在接收到登录授权信息后,即可将用户的登录状态标记为已登录。In another embodiment, users can log in through their own DID pre-registered in the blockchain system. Specifically, when receiving a login request from a user, the client can initiate a login request to the authenticator corresponding to the client based on the user's identity private key and DID; and the authenticator, after receiving the login request, immediately Based on the DID contained in it, the user's identity public key can be obtained from the blockchain system to verify the login request, and if the verification is passed, the login authorization information is returned to the client; the client receives the login After authorizing information, the user's login status can be marked as logged in.
应当理解的是,若通过账号、密码等用户认证信息进行登录,其本质上是将用户输 入的认证信息与中心化服务器中预先注册的认证信息进行比对,以确定用户是否登录成功。而中心化服务器中存储的数据受服务提供方控制,极易被篡改,而导致整个登录过程不可靠。而在本实施例中,将用户预先注册于区块链系统中的DID作为登录凭证,而DID由于注册于区块链系统中(相当于登录凭证具有区块链系统的背书),本身具有不可篡改的特性,致使本实施例相较于通过中心化服务进行登录的方式,更具可靠性。It should be understood that if the user authentication information such as account number and password is used to log in, it essentially compares the authentication information entered by the user with the pre-registered authentication information in the centralized server to determine whether the user has successfully logged in. However, the data stored in the centralized server is controlled by the service provider and is easily tampered with, making the entire login process unreliable. In this embodiment, the user's pre-registered DID in the blockchain system is used as the login credential, and since the DID is registered in the blockchain system (equivalent to the login credential having the endorsement of the blockchain system), it has an inherent The nature of tampering makes this embodiment more reliable than logging in through centralized services.
在本说明书中,将请求获取用户数据的应用命名为目标应用。在实际应用中,该目标应用既可以为客户端的原生服务方提供的原生应用,也可以为区别于该原生服务方的第三方服务方提供的第三方应用。其中,在目标应用为第三方应用时,该第三方应用可以为运行于客户端中的小程序、H5页面等。In this specification, the application that requests to obtain user data is named the target application. In practical applications, the target application may be a native application provided by the native server of the client, or a third-party application provided by a third-party server different from the native server. Wherein, when the target application is a third-party application, the third-party application may be a small program, an H5 page, etc. running in the client.
举例而言,在客户端为即时通讯客户端时,若上述目标应用为上述原生应用,该目标应用可以为运行于该即时通讯客户端的即时通讯应用;若上述目标应用为上述第三方应用,该目标应用可以为运行于该即时通讯客户端上的、由某一购物平台服务方提供的购物应用(如可以以小程序、或H5页面的形式呈现)。当然,该举例仅是示意性的,上述目标应用和第三方应用具体为何种应用可以由本领域技术人员根据实际情况确定。For example, when the client is an instant messaging client, if the above-mentioned target application is the above-mentioned native application, the target application can be an instant messaging application running on the instant messaging client; if the above-mentioned target application is the above-mentioned third-party application, the The target application may be a shopping application provided by a shopping platform service provider running on the instant messaging client (for example, it may be presented in the form of a small program or an H5 page). Of course, this example is only illustrative, and the specific application of the above-mentioned target application and third-party application can be determined by those skilled in the art according to the actual situation.
在本说明书中,目标应用可以通过客户端向用户发起数据授权请求,例如,可以通过在界面中展示该数据授权请求,或者通过播报该数据授权请求的方式,告知用户:目标应用请求获取用户数据;而用户则可以响应该数据授权请求,以向客户端发送针对该目标应用的授权指示。在此基础上,客户端即可基于用户的身份私钥、用户的DID,以及目标应用的DID颁发VC,该VC用于指示允许目标应用获取用户的用户数据;在完成VC颁发后,客户端即可进一步向数据提供方发送包含该VC的数据获取请求,且该数据获取请求或该数据获取请求中包含的VC由目标应用的身份私钥进行签名。In this specification, the target application can initiate a data authorization request to the user through the client, for example, by displaying the data authorization request on the interface, or by broadcasting the data authorization request, the user can be notified that the target application requests to obtain user data ; and the user can respond to the data authorization request to send an authorization instruction for the target application to the client. On this basis, the client can issue a VC based on the user's identity private key, the user's DID, and the target application's DID. The VC is used to indicate that the target application is allowed to obtain the user's user data; after completing the VC issuance, the client That is, a data acquisition request including the VC can be further sent to the data provider, and the data acquisition request or the VC contained in the data acquisition request is signed by the identity private key of the target application.
步骤104,数据提供方从接收到的所述数据获取请求中读取可验证声明,并根据读取到的可验证声明中所含被授权方的分布式数字身份信息从区块链系统处获取相应的身份公钥,以通过获取到的身份公钥对接收到的数据获取请求或读取的可验证声明进行验签,并在验签成功的情况下,将读取的可验证声明中指示的用户数据返回所述客户端以提供至所述目标应用。 Step 104, the data provider reads the verifiable statement from the received data acquisition request, and obtains it from the blockchain system according to the distributed digital identity information of the authorized party contained in the read verifiable statement The corresponding identity public key is used to verify the signature of the received data acquisition request or the read verifiable statement through the obtained identity public key, and if the signature verification is successful, it will indicate in the read verifiable statement The user data is returned to the client for provision to the target application.
在本说明书中,当数据提供方接收到上述数据获取请求后,即可从中读取VC,并根据VC中包含的被授权方的DID从区块链系统中获取被授权方的身份公钥,以通过该身份公钥对数据获取请求或VC进行验签。若验签成功,则证明目标应用即为VC中的被颁发方,可以将VC中指示的用户数据返回至客户端,以提供至目标应用。In this specification, when the data provider receives the above data acquisition request, it can read the VC from it, and obtain the authorized party's identity public key from the blockchain system according to the authorized party's DID contained in the VC, The data acquisition request or VC can be verified through the identity public key. If the signature verification is successful, it proves that the target application is the issued party in the VC, and the user data indicated in the VC can be returned to the client to be provided to the target application.
需要声明的是,尽管相关技术在对VC进行验证时,需要对VC中包含的授权方、被授权方均进行验证,而在本说明书中则只需对被授权方进行验证即可。原因在于:VC必然需要基于区块链系统中注册的DID进行颁发,本身具有可靠性,因此无需验证VC是否可信;且本说明书关注的重点为“目标应用是否获得了用户数据授权”,但并不关注“该权限由谁授予”。换言之,本说明书的VC中包含的授权方既可以是上述用户自身,也可以是其他具有对该用户的用户数据进行授权的其他对象。因此,在本说明书中,用户在颁发VC时,只需通过目标应用的身份私钥进行验签;相应的,数据提供方在验证VC时,则只需基于被授权方的身份公钥对VC进行验签,即可确定目标应用是否有权限获取相应的用户数据。It needs to be declared that although related technologies need to verify both the authorizer and the authorized party included in the VC when verifying the VC, in this specification, only the authorized party needs to be verified. The reason is: VC must be issued based on the DID registered in the blockchain system, which is inherently reliable, so there is no need to verify whether the VC is credible; and this manual focuses on "whether the target application has obtained user data authorization", but It doesn't care about "who grants this permission". In other words, the authorizing party included in the VC of this specification can be the above-mentioned user itself, or other objects that can authorize the user data of the user. Therefore, in this manual, when issuing a VC, the user only needs to verify the signature through the identity private key of the target application; Signature verification is performed to determine whether the target application has permission to obtain the corresponding user data.
应当理解的是,尽管本说明书可以仅对VC中的被授权方进行验证,但在实际应用中,也可以如相关技术,对VC中的授权方也进行验证,且仅在授权方和被授权方均验证通过的情况下,再将VC中指示的用户数据返回至客户端。具体的,用户颁发的VC在经由目标应用的身份私钥签名的同时,可以进一步经由用户的身份私钥进行签名;在此基础上,数据提供方在接收到VC之后,即可根据VC中包含的授权方的DID从区块链系统处获取授权方的身份公钥,以基于该身份公钥对VC进行验签,若验签成功,则证明VC中的授权方为该用户。在该实施例中,数据提供方仅在基于授权方的身份公钥执行的验签操作、以及基于被授权方的身份公钥执行的验签操作均通过的情况下,才将相应的用户数据返回至客户端。It should be understood that although this specification can only verify the authorized party in the VC, in practical applications, as in related technologies, the authorizing party in the VC can also be verified, and only between the authorizing party and the authorized party If both parties pass the verification, then return the user data indicated in the VC to the client. Specifically, while the VC issued by the user is signed by the identity private key of the target application, it can be further signed by the user's identity private key; on this basis, after receiving the VC, the data provider can, according to the The DID of the authorizer obtains the identity public key of the authorizer from the blockchain system to verify the signature of the VC based on the identity public key. If the verification is successful, it proves that the authorizer in the VC is the user. In this embodiment, the data provider only transfers the corresponding user data to Return to client.
上述对VC中的授权方和被授权方均进行验证的方法,相当于严格了目标应用获取用户数据授权的标准,即仅在确定是由用户本身授予目标应用获取其用户数据的权限的情况下,数据提供方才将VC中指示的用户数据提供至目标应用。The above method of verifying both the authorizer and the authorized party in VC is equivalent to strict standards for the target application to obtain user data authorization, that is, only when it is determined that the user itself grants the target application the permission to obtain its user data , the data provider provides the user data indicated in the VC to the target application.
在实际应用中,颁发的VC存在一定的时效性,VC是否有效既可以根据预先设定的有效时间确定,也可以根据用户的指示进行变更。对此,可由本领域技术人员根据实际需求确定,本公开对此不作限制。In practical applications, the issued VC has a certain timeliness, and whether the VC is valid can be determined according to the preset valid time, or can be changed according to the user's instruction. This can be determined by those skilled in the art according to actual needs, and the present disclosure does not limit it.
在本说明书中,可以通过将VC注册至区块链系统的方式,维护VC的状态信息,以便数据提供方在接收到VC的情况下,通过区块链系统中维护的状态信息确定VC的有效性。其中,数据提供方唯有在确定区块链系统中维护的状态信息表明该VC有效、且针对可验证声明的验签成功的情况下,将VC中指示的用户数据返回至客户端。In this specification, the state information of VC can be maintained by registering VC to the blockchain system, so that the data provider can determine the validity of VC through the state information maintained in the blockchain system after receiving the VC. sex. Among them, the data provider returns the user data indicated in the VC to the client only when it is determined that the state information maintained in the blockchain system indicates that the VC is valid and the verification of the verifiable statement is successful.
在实际应用中,数据提供方可以通过多种方式获取VC的状态信息,例如,客户端在用户完成VC颁发之后,可以生成相应的注册交易,并发送至区块链系统,以由区块 链系统生成对应于该VC的DID,并对该VC的DID和状态信息进行关联存储,在此基础上,数据提供方在接收到VC之后,即可将VC的DID提供至区块链系统,以由区块链系统根据该DID获取VC的状态信息并返回至数据提供方。当然,该举例仅是示意性的,具体如何获取VC的状态信息可由本领域技术人员根据实际需求确定,本说明书对此不作限制。In practical applications, the data provider can obtain VC status information in a variety of ways. For example, after the user completes the issuance of VC, the client can generate a corresponding registration transaction and send it to the blockchain system for The system generates the DID corresponding to the VC, and stores the VC's DID and status information in association. On this basis, after receiving the VC, the data provider can provide the VC's DID to the blockchain system to According to the DID, the blockchain system obtains the status information of the VC and returns it to the data provider. Of course, this example is only illustrative, and how to obtain the status information of the VC can be determined by those skilled in the art according to actual needs, and this specification does not limit it.
需要声明的是,尽管上述在区块链系统中注册VC的操作可由客户端和区块链系统直接交互完成。然而,在现今的大多数区块链架构中,通常仅允许与区块链技术提供方存在合作关系的服务方能够与区块链系统进行交互,而该服务方可以为上述负责对用户认证信息进行认证的认证方。因此,本说明书中的客户端在需要将VC注册至区块链系统时,可以生成针对该VC的注册请求,并将生成的注册请求发送至认证方;认证方接收到注册请求后,即可基于该注册请求中包含的VC,生成注册交易,并发送至区块链系统;区块链系统则可以通过执行该注册交易,以对交易中包含的VC进行存证并维护该VC的状态信息。It needs to be declared that although the above operation of registering VC in the blockchain system can be completed by direct interaction between the client and the blockchain system. However, in most of today's blockchain architectures, usually only the service party that has a cooperative relationship with the blockchain technology provider is allowed to interact with the blockchain system, and the service party can be responsible for the above-mentioned user authentication information The authenticating party performing the authentication. Therefore, when the client in this specification needs to register a VC with the blockchain system, it can generate a registration request for the VC and send the generated registration request to the authenticator; after the authenticator receives the registration request, it can Based on the VC contained in the registration request, a registration transaction is generated and sent to the blockchain system; the blockchain system can execute the registration transaction to store the VC contained in the transaction and maintain the status information of the VC .
正如上文所述,VC是否有效可以根据用户的指示进行变更。相应的,在将VC注册至区块链系统之后,若用户需要将已注册的VC无效化,即可向客户端发送针对该已注册VC的吊销请求,客户端在接收到吊销请求后,可以指示区块链系统将该已注册VC的状态信息变更为吊销状态,以用于表征该VC已被上述用户无效化。As mentioned above, whether or not VC is valid can be changed according to the user's instruction. Correspondingly, after registering VC to the blockchain system, if the user needs to invalidate the registered VC, he can send a revocation request for the registered VC to the client. After receiving the revocation request, the client can Instruct the blockchain system to change the status information of the registered VC to the revoked status, which is used to indicate that the VC has been invalidated by the above-mentioned user.
在本说明书中,上述数据提供方既可以为区块链系统,也可以为区别于区块链系统的数据服务器。In this specification, the above-mentioned data provider can be either a blockchain system or a data server different from the blockchain system.
其中,在上述数据提供方为区别于区块链系统的数据服务器时,该数据服务器可以归属于某一数据网络。在该情况下,客户端可以优先将VC发送至该数据网络对应的中转服务器,以由该中转服务器根据用户的DID从数据网络包含的若干数据服务器中确定出存储有VC中指示的用户数据的数据服务器,并将该VC发送至确定出的数据服务器处。Wherein, when the above-mentioned data provider is a data server different from the blockchain system, the data server may belong to a certain data network. In this case, the client can preferentially send the VC to the transit server corresponding to the data network, so that the transit server can determine the user data indicated in the VC from several data servers included in the data network according to the user's DID. data server, and send the VC to the determined data server.
而在上述数据提供方为区块链系统时,客户端可以基于VC生成相应的数据获取交易,并发送至区块链系统,以由区块链系统根据VC中包含的用户的DID或者用户数据的描述信息,从维护的链上数据中获取所需返回至客户端的用户数据。When the above-mentioned data provider is a blockchain system, the client can generate a corresponding data acquisition transaction based on VC and send it to the blockchain system, so that the blockchain system can use the user's DID or user data contained in the VC to The description information of , obtain the user data that needs to be returned to the client from the maintained chain data.
当然,上述举例均是示意性的,具体如何从数据提供方处获取VC中所指示的用户数据,可由本领域技术人员根据实际情况确定,本说明书对此不作限制。Of course, the above examples are all illustrative, how to obtain the user data indicated in the VC from the data provider can be determined by those skilled in the art according to the actual situation, and this specification does not limit it.
在本说明书中,VC中应当包含所需获取的用户数据的描述信息,以便数据提供方在接收到VC后,可以根据其中的描述信息获取存储的关于用户的第一数据,以作为需要返回至客户端的用户数据。In this specification, the VC should contain the description information of the user data to be obtained, so that after receiving the VC, the data provider can obtain the stored first data about the user according to the description information in it, and return to the Client user data.
然而,在实际应用中,用户的用户数据中包含大量的隐私数据,这些数据通常不方便直接透露给目标应用,因此,若目标应用要求获取的数据包含隐私数据,用户在颁发VC时,还可以进一步在其中约束数据提供方在向目标应用提供用户数据时的形式。例如,可以规定:在根据VC中的描述信息获取到存储的关于用户的第二数据后,按照VC中的指示对该第二数据进行处理,并将处理结果作为需要返回至客户端的用户数据。例如,当目标应用需要确认用户是否成年时,其请求的用户数据可能为用户的年龄,此时,本公开中的数据提供方可以在VC的指示下,获取年龄信息之后,判断用户的年龄是否超过18,并根据判断结果向客户端返回“是否成年”的结论,以作为上述用户数据。应当理解的是,通过该方式可以避免用户的隐私数据被泄露,提高了用户数据的安全性。However, in practical applications, the user's user data contains a large amount of private data, which is usually inconvenient to be directly disclosed to the target application. Therefore, if the target application requires the obtained data to contain private data, the user can also Further, the form in which the data provider provides the user data to the target application is restricted. For example, it may be stipulated that: after obtaining the stored second data about the user according to the description information in the VC, process the second data according to the instruction in the VC, and use the processing result as the user data that needs to be returned to the client. For example, when the target application needs to confirm whether the user is an adult, the user data it requests may be the age of the user. At this time, the data provider in this disclosure can determine whether the age of the user is More than 18, and return the conclusion of "whether it is an adult" to the client according to the judgment result as the above user data. It should be understood that, in this manner, leakage of the user's private data can be avoided, and the security of the user data is improved.
为了进一步保证用户数据的安全性,在数据提供方获取到上述第二数据后,还可以进一步在TEE(Trusted execution environment,可信执行环境)中执行针对第二数据的处理操作。具体的,用户颁发的VC中还可以包含:需要对获取到的第二数据进行安全计算的指示,以及用于进行安全计算的TEE的指示信息。那么,数据提供方即可在获取到第二数据之后,基于VC中指示的TEE的身份公钥对获取到的第二数据进行加密,并传输至该TEE中,以由该TEE基于自身的身份私钥对加密后的第二数据进行解密后,按照VC中指示的预先部署的计算任务对第二数据执行安全计算。然后,数据提供方即可将该TEE生成的安全计算结果作为需返回至客户端的用户数据。In order to further ensure the security of user data, after the data provider obtains the above-mentioned second data, it may further perform processing operations on the second data in a TEE (Trusted execution environment, trusted execution environment). Specifically, the VC issued by the user may also include: an indication that secure calculation needs to be performed on the acquired second data, and indication information of a TEE used for performing secure calculation. Then, after obtaining the second data, the data provider can encrypt the obtained second data based on the identity public key of the TEE indicated in the VC, and transmit it to the TEE, so that the TEE can obtain the second data based on its own identity. After the private key decrypts the encrypted second data, security calculations are performed on the second data according to the pre-deployed calculation tasks indicated in the VC. Then, the data provider can use the security calculation result generated by the TEE as the user data that needs to be returned to the client.
在实际应用中,上述TEE既可以部署于隐私区块链中,可以部署于链下隐私计算节点中。In practical applications, the above TEE can be deployed in both privacy blockchains and off-chain privacy computing nodes.
其中,在部署于隐私区块链中时,上述TEE为链上TEE。数据提供方在获取到VC后,可以基于该VC中指示的链上TEE的身份公钥,对获取到的第二数据进行加密,并基于加密后的第二数据以及VC中所含的计算任务生成安全计算交易,该安全计算交易被发送至隐私区块链;隐私区块链在接收到该安全计算交易后,即可在自身维护的链上TEE中执行该安全计算交易,以在通过链上TEE的身份私钥对第二数据进行解密后,调用预先部署的用于完成上述计算任务的智能合约,对解密后的第二数据进行安全计算。Among them, when deployed in a privacy blockchain, the above TEE is an on-chain TEE. After obtaining the VC, the data provider can encrypt the obtained second data based on the identity public key of the on-chain TEE indicated in the VC, and based on the encrypted second data and the computing tasks contained in the VC A secure computing transaction is generated, and the secure computing transaction is sent to the privacy blockchain; after the privacy blockchain receives the secure computing transaction, it can execute the secure computing transaction in the TEE on the chain maintained by itself, so as to pass the chain After the identity private key on the TEE decrypts the second data, it calls the pre-deployed smart contract for completing the above calculation tasks, and performs secure calculation on the decrypted second data.
需要声明的是,该隐私区块链既可以为上述区块链系统,也可以为区别于上述区块链系统的其他区块链系统,具体如何部署该隐私区块链,可由本领域技术人员根据实际 情况确定,本说明书对此不作限制。What needs to be declared is that the privacy blockchain can be either the above-mentioned blockchain system or other blockchain systems different from the above-mentioned blockchain system. How to deploy the privacy blockchain can be determined by those skilled in the art. It is determined according to the actual situation, and this specification does not limit it.
当然,上述TEE无论部署于链上还是部署于链下,在完成安全计算后,可以优先通过目标应用的身份公钥对安全计算结果进行加密后,再将安全计算结果输出,并传输至客户端,以进一步保证用户数据的安全性。Of course, no matter whether the above TEE is deployed on-chain or off-chain, after completing the security calculation, the security calculation result can be encrypted with the identity public key of the target application first, and then the security calculation result can be output and transmitted to the client , to further ensure the security of user data.
其次,还需强调的是,本说明书中的区块链系统,既可以搭载于区块链技术的传统架构,即区块链系统中的所有节点均通过在相应实体设备上部署区块链代码而形成,大多数情况下,每个节点均对应于一个实体设备;本说明书的技术方案也可以搭载于区块链技术中的BaaS(Blockchain as a Service)架构,即区块链系统中的所有节点均通过云服务在云端实现的虚拟机上部署区块链代码而形成,区块链节点无需一一对应于相应的实体设备,在该架构中,还包括用于为各个区块链节点提供区块链即服务的BaaS平台(或称为BaaS云),可以通过区块链上发生的活动(诸如订阅和通知、用户验证、数据库管理和远程更新),提供预先编写的软件的方式,面向与BaaS平台连接的客户端侧计算设备,提供简单易用,一键部署,快速验证,灵活可定制的区块链服务,进而可以加速区块链业务应用开发、测试、上线,助力各行业区块链商业应用场景的落地。对应到本说明书中,即可通过BaaS平台实现VC的快速验签,以提高数据获取效率。Secondly, it also needs to be emphasized that the blockchain system in this specification can be carried on the traditional architecture of blockchain technology, that is, all nodes in the blockchain system can deploy the blockchain code on the corresponding physical equipment Formed, in most cases, each node corresponds to a physical device; the technical solution in this manual can also be carried on the BaaS (Blockchain as a Service) architecture in blockchain technology, that is, all Nodes are formed by deploying blockchain codes on virtual machines implemented in the cloud through cloud services, and blockchain nodes do not need to correspond to corresponding physical devices one by one. In this architecture, it is also included for each blockchain node to provide The blockchain-as-a-service BaaS platform (or BaaS cloud) can provide pre-written software through activities that occur on the blockchain (such as subscriptions and notifications, user verification, database management, and remote updates). The client-side computing equipment connected to the BaaS platform provides easy-to-use, one-click deployment, fast verification, flexible and customizable blockchain services, which can accelerate the development, testing, and launch of blockchain business applications and help various industry regions The landing of blockchain business application scenarios. Corresponding to this manual, the fast signature verification of VC can be realized through the BaaS platform to improve the efficiency of data acquisition.
由上述技术方案可知,本说明书在需要向客户端中的应用提供用户数据时,会优先在用户的授意下,基于用户的身份私钥和分布式数字身份信息、以及该应用的分布式数字身份信息,颁发可验证声明。其中,该可验证声明用于指示允许上述应用获取上述用户的用户数据。在此基础上,客户端即可进一步向数据提供方发送包含该可验证声明的数据获取请求,且该数据获取请求或者可验证声明经由目标应用的身份私钥签名。相应的,数据提供方在接收到该数据获取请求后,可以根据可验证声明中包含的被授权方的分布式数字身份信息获取被授权方的身份公钥,以对可验证声明或者数据获取请求进行验签。It can be seen from the above technical solution that when this manual needs to provide user data to the application in the client, it will firstly use the user's identity private key, distributed digital identity information, and the distributed digital identity of the application under the user's consent. information, issuing verifiable claims. Wherein, the verifiable statement is used to indicate that the above-mentioned application is allowed to obtain the user data of the above-mentioned user. On this basis, the client can further send a data acquisition request containing the verifiable statement to the data provider, and the data acquisition request or the verifiable statement is signed by the identity private key of the target application. Correspondingly, after receiving the data acquisition request, the data provider can obtain the identity public key of the authorized party according to the distributed digital identity information of the authorized party contained in the verifiable statement, so as to respond to the verifiable statement or data acquisition request. Check the signature.
应当理解的是,本说明书中的数据提供方基于被授权方的身份公钥对可验证声明或者数据获取请求进行验签,相当于验证了可验证声明中的被授权方是否为请求获取用户数据的目标应用。显然,在验签通过的情况下,即可证明目标应用已经获取了获取可验证声明中指示的用户数据的权限。可见,本说明书是将可验证声明作为用户对目标应用进行用户数据授权的凭证,用户可以在该可验证声明中明确指示将哪些用户数据提供给上述应用,使得用户可以对用户数据的授权范围进行控制,避免了相关技术中由于采用中心化服务进行用户数据授权,而导致用户无法对用户数据的授权范围进行控制的问题; 除此之外,由于可验证声明被发送至数据提供方,使得数据提供方可以在后续追溯过程中,向追溯方自证用户数据授权过程是在用户的指示下完成,避免了相关技术中由于缺乏授权凭证,而导致数据提供方无法对用户数据授权操作进行自证的问题。It should be understood that the data provider in this specification verifies the verifiable statement or data acquisition request based on the identity public key of the authorized party, which is equivalent to verifying whether the authorized party in the verifiable statement is requesting to obtain user data target application. Obviously, if the signature verification is successful, it can be proved that the target application has obtained the permission to obtain the user data indicated in the verifiable statement. It can be seen that this manual uses the verifiable statement as the certificate for the user to authorize the user data of the target application. The user can clearly indicate in the verifiable statement which user data to provide to the above-mentioned application, so that the user can control the scope of user data authorization. control, which avoids the problem that users cannot control the authorization scope of user data due to the use of centralized services for user data authorization in related technologies; in addition, since the verifiable statement is sent to the data provider, the data In the follow-up traceability process, the provider can self-certify to the traceable party that the user data authorization process is completed under the user's instructions, avoiding the lack of authorization credentials in related technologies, which makes the data provider unable to self-certify the user data authorization operation The problem.
进一步的,相关技术通过中心化服务进行登录,其认证方和数据提供方由同一服务方提供,数据提供方听从认证方的认证结果进行用户数据授权,即相关技术中的认证方和数据提供方相互绑定,无法解耦。而在本说明书中,数据提供方基于颁发的可验证声明向客户端返回用户数据,无需依赖于认证方的认证结果,可见,本说明书的技术方案实现了认证方与数据提供方的解耦,两者完全可以由不同的服务方提供,提高了该用户数据授权方法的适用性。Further, related technologies log in through centralized services, and the authenticator and data provider are provided by the same service provider, and the data provider follows the authentication results of the authenticator to authorize user data, that is, the authenticator and data provider in related technologies They are bound to each other and cannot be decoupled. In this specification, the data provider returns user data to the client based on the issued verifiable statement, without relying on the authentication result of the authenticator. It can be seen that the technical solution in this specification realizes the decoupling of the authenticator and the data provider. The two can be provided by different service parties, which improves the applicability of the user data authorization method.
再进一步的,本说明书中的数据提供方在获取到可验证声明所指示的数据后,可以进一步对获取到的数据进行处理,并仅将处理结果返回至客户端,而不会将原始数据返回,避免了相关技术中用户隐私数据泄露的问题。Furthermore, after the data provider in this manual obtains the data indicated by the verifiable statement, it can further process the obtained data, and only return the processing result to the client without returning the original data The problem of leakage of user privacy data in related technologies is avoided.
本说明书还提出了一种用户数据授权系统,以用于实现上述用户数据授权方法。需要声明的是,下一实施例中的大多操作方式,如,如何颁发可验证声明、如何对可验证声明进行验证、如何进行安全计算等,均与上一实施例相类似,具体操作方式均可参照上一实施例的介绍,在下文中不再赘述。This specification also proposes a user data authorization system for implementing the above user data authorization method. It should be declared that most of the operation methods in the next embodiment, such as how to issue a verifiable statement, how to verify the verifiable statement, how to perform secure calculation, etc., are similar to the previous embodiment, and the specific operation methods are all Reference may be made to the introduction of the previous embodiment, which will not be described in detail below.
图2是本说明书一示例性实施例示出的一种用户数据授权系统的示意图。该系统可以包括:客户端21和数据提供方22;其中,客户端21在接收到用户的授权指示的情况下,基于所述用户的身份私钥、所述用户的分布式数字身份信息和客户端21中的目标应用的分布式数字身份信息颁发可验证声明,所述可验证声明用于指示允许所述目标应用获取所述用户的用户数据;以及,客户端21向所述数据提供方发送包含所述可验证声明的数据获取请求,且所述数据获取请求或所述数据获取请求中包含的可验证声明由所述目标应用的身份私钥进行签名;所述数据提供方22从接收到的所述数据获取请求中读取可验证声明,并根据读取到的可验证声明中所含被授权方的分布式数字身份信息从区块链系统处获取相应的身份公钥,以通过获取到的身份公钥对接收到的数据获取请求或读取的可验证声明进行验签,并在验签成功的情况下,将读取的可验证声明中指示的用户数据返回客户端21以提供至所述目标应用。Fig. 2 is a schematic diagram of a user data authorization system shown in an exemplary embodiment of this specification. The system may include: a client 21 and a data provider 22; wherein, when the client 21 receives the user's authorization instruction, based on the user's identity private key, the user's distributed digital identity information and the client's The distributed digital identity information of the target application in the terminal 21 issues a verifiable statement, and the verifiable statement is used to indicate that the target application is allowed to obtain the user data of the user; and, the client 21 sends to the data provider A data acquisition request containing the verifiable statement, and the data acquisition request or the verifiable statement contained in the data acquisition request is signed by the identity private key of the target application; the data provider 22 receives from Read the verifiable statement in the data acquisition request, and obtain the corresponding identity public key from the blockchain system according to the distributed digital identity information of the authorized party contained in the read verifiable statement, so as to obtain The received identity public key verifies the received data acquisition request or the read verifiable statement, and if the verification is successful, returns the user data indicated in the read verifiable statement to the client 21 to provide to the target application.
如上所述,在本说明书中,用户需要在客户端21中处于已登录的状态下,才会接收到应用的用户数据授权请求。因此,在本说明书中还可以包括用户在客户端21上登录的操作。在一实施例中,用户可以通过相关技术中方式,即基于中心化服务进行登录。 在另一实施例中,用户可以通过自身预先注册于区块链系统中的DID进行登录。具体的,客户端21可以在接收到用户的登录请求的情况下,基于用户的身份私钥以及DID,向客户端21所对应的认证方发起登录请求;而认证方在接收到该登录请求后,即可基于其中包含的DID从区块链系统处获取用户的身份公钥,以对登录请求进行验签,并在验签通过的情况下,向客户端21返回登录授权信息;在此基础上,客户端21在接收到登录授权信息后,即可将用户的登录状态标记为已登录。As mentioned above, in this specification, the user needs to be in the logged-in state in the client 21 before receiving the application's user data authorization request. Therefore, the operation of the user logging in on the client 21 may also be included in this description. In an embodiment, the user can log in through a method in related technologies, that is, based on a centralized service. In another embodiment, users can log in through their own DID pre-registered in the blockchain system. Specifically, the client 21 may initiate a login request to the authenticator corresponding to the client 21 based on the user's identity private key and DID when receiving the user's login request; and the authenticator, after receiving the login request, , the user’s identity public key can be obtained from the blockchain system based on the DID contained therein to verify the login request, and return the login authorization information to the client 21 if the signature verification is passed; on this basis Above, after receiving the login authorization information, the client 21 can mark the user's login status as logged in.
如上所述,本说明书将请求获取用户数据的应用命名为目标应用。其中,该目标应用既可以为客户端21的原生服务方提供的原生应用,也可以为区别于该原生服务方的第三方服务方提供的第三方应用。As described above, this specification names the application that requests user data as the target application. Wherein, the target application may be a native application provided by the native server of the client 21, or a third-party application provided by a third-party server different from the native server.
如上所述,本说明书既可以仅对VC中的被授权方进行验证,也可以如相关技术中对VC中的授权方和被授权方均进行验证。As mentioned above, this specification can only verify the authorized party in the VC, or can verify both the authorizing party and the authorized party in the VC as in the related art.
如上所述,颁发的VC存在一定的时效性,VC是否有效既可以根据预先设定的有效时间确定,也可以根据用户的指示进行变更。对此,可由本领域技术人员根据实际需求确定,本公开对此不作限制。具体的,本说明书可以通过将VC注册至区块链系统的方式,维护VC的状态信息,以便数据提供方22在接收到VC的情况下,通过区块链系统中维护的状态信息确定VC的有效性。其中,数据提供方22唯有在确定区块链系统中维护的状态信息表明该VC有效、且针对可验证声明的验签成功的情况下,将VC中指示的用户数据返回至客户端21。As mentioned above, the issued VC has a certain timeliness, and whether the VC is valid can be determined according to the preset valid time, or can be changed according to the user's instruction. This can be determined by those skilled in the art according to actual needs, and the present disclosure does not limit it. Specifically, this specification can maintain the status information of VC by registering the VC in the blockchain system, so that the data provider 22 can determine the status information of the VC through the status information maintained in the blockchain system when receiving the VC. effectiveness. Among them, the data provider 22 returns the user data indicated in the VC to the client 21 only when it is determined that the status information maintained in the blockchain system indicates that the VC is valid and the verification of the verifiable statement is successful.
如上所述,本说明书中的客户端21在需要将VC注册至区块链系统时,可以生成针对该VC的注册请求,并将生成的注册请求发送至认证方;认证方接收到注册请求后,即可基于该注册请求中包含的VC,生成注册交易,并发送至区块链系统;区块链系统则可以通过执行该注册交易,以对交易中包含的VC进行存证并维护该VC的状态信息。As mentioned above, when the client 21 in this specification needs to register the VC to the blockchain system, it can generate a registration request for the VC, and send the generated registration request to the authenticator; after the authenticator receives the registration request , based on the VC contained in the registration request, a registration transaction can be generated and sent to the blockchain system; the blockchain system can execute the registration transaction to deposit the VC contained in the transaction and maintain the VC status information.
如上所述,本说明书中的客户端21还可以在接收到用户发送的针对已注册VC的吊销请求的情况下,指示区块链系统将已注册VC的状态信息变更为吊销状态。As mentioned above, the client 21 in this specification can also instruct the blockchain system to change the status information of the registered VC to the revoked state when receiving the revocation request sent by the user for the registered VC.
如上所述,本说明书中的数据提供方22既可以为区块链系统,也可以为区别于区块链系统的数据服务器。As mentioned above, the data provider 22 in this specification can be either a blockchain system or a data server different from the blockchain system.
如上所述,在数据提供方22归属于某一数据网络的情况下,客户端21可以优先将VC发送至该数据网络对应的中转服务器,以由该中转服务器根据用户的DID从数据网络包含的若干数据提供方22中确定出存储有VC中指示的用户数据的数据提供方22, 并将该VC发送至确定出的数据提供方22处。As mentioned above, in the case that the data provider 22 belongs to a certain data network, the client 21 can preferentially send the VC to the transit server corresponding to the data network, so that the transit server can obtain the VC contained in the data network according to the DID of the user. The data provider 22 storing the user data indicated in the VC is determined among the several data providers 22, and the VC is sent to the determined data provider 22.
如上所述,在本说明书中,数据提供方22可以根据VC的指示获取存储的关于用户的第一数据,以作为需返回至客户端21的用户数据;或者,数据提供方22可以根据VC的指示获取存储的关于用户的第二数据,并按照VC的指示对该第二数据进行处理,以将处理结果作为需返回至客户端21的用户数据。As mentioned above, in this specification, the data provider 22 can obtain the stored first data about the user according to the instructions of the VC as the user data to be returned to the client 21; Instruct to acquire the stored second data about the user, and process the second data according to the instructions of the VC, so as to use the processing result as the user data to be returned to the client 21 .
如上所述,为了进一步保证用户数据的安全性,在数据提供方22获取到上述第二数据后,还可以进一步在TEE中执行针对第二数据的处理操作。具体的,用户颁发的VC中还可以包含:需要对获取到的第二数据进行安全计算的指示,以及用于进行安全计算的TEE的指示信息。那么,数据提供方22即可在获取到第二数据之后,基于VC中指示的TEE的身份公钥对获取到的第二数据进行加密,并传输至该TEE中,以由该TEE基于自身的身份私钥对加密后的第二数据进行解密后,按照VC中指示的预先部署的计算任务对第二数据执行安全计算。然后,数据提供方22即可将该TEE生成的安全计算结果作为需返回至客户端21的用户数据。As mentioned above, in order to further ensure the security of user data, after the data provider 22 acquires the above-mentioned second data, it may further perform processing operations on the second data in the TEE. Specifically, the VC issued by the user may also include: an indication that secure calculation needs to be performed on the acquired second data, and indication information of a TEE used for performing secure calculation. Then, after obtaining the second data, the data provider 22 can encrypt the obtained second data based on the identity public key of the TEE indicated in the VC, and transmit it to the TEE, so that the TEE can encrypt the obtained second data based on its own identity public key. After the identity private key decrypts the encrypted second data, security calculations are performed on the second data according to the pre-deployed calculation tasks indicated in the VC. Then, the data provider 22 can use the security calculation result generated by the TEE as the user data to be returned to the client 21 .
由上述技术方案可知,本说明书的技术方案,将在用户的指示下颁发的可验证声明作为用户数据授权的凭证,使得用户可以通过该可验证声明控制数据提供方对应用的用户数据授权范围进行控制,避免了相关技术中用户无法控制用户数据授权范围的问题。It can be seen from the above technical solution that the technical solution in this manual uses the verifiable statement issued under the instruction of the user as the credential for user data authorization, so that the user can use the verifiable statement to control the data provider's authorization of the application's user data. control, which avoids the problem in related technologies that the user cannot control the authorized scope of user data.
下面,以基于DID实现用户登录,并基于DID实现用户数据授权为例,对本说明书的技术方案进行介绍。In the following, the technical solution of this manual will be introduced by taking DID-based implementation of user login and DID-based implementation of user data authorization as examples.
图3是本说明书一示例性实施例示出的一种用户登录方法的交互图。该方法可以包括以下步骤:步骤301,客户端展示登录界面。Fig. 3 is an interaction diagram of a user login method shown in an exemplary embodiment of this specification. The method may include the following steps: Step 301, the client displays a login interface.
在本实施例中,用户在打开某一客户端后,即可在该客户端中展示相应的登录界面。例如,该客户端可以为Web页面或者某一应用程序的客户端,步骤302,客户端在接收到用户的登录指示的情况下,基于用户的DID生成登录请求。In this embodiment, after the user opens a certain client, the corresponding login interface can be displayed in the client. For example, the client may be a client of a web page or an application program. In step 302, the client generates a login request based on the user's DID after receiving the user's login instruction.
在本实施例中,通过用户的DID进行登录,因此,在登录界面中可以仅展示是否进行登录的控件,以便用户通过触发该控件指示客户端进行登录。当客户端接收到用户的登录指示之后,即可基于预先存储的用户的DID生成登录请求,并基于用户的身份私钥对生成的登录请求进行签名。In this embodiment, the user's DID is used to log in. Therefore, only a control of whether to log in may be displayed on the login interface, so that the user can instruct the client to log in by triggering the control. After the client receives the user's login instruction, it can generate a login request based on the pre-stored user's DID, and sign the generated login request based on the user's identity private key.
步骤303,客户端基于用户的身份私钥对登录请求进行签名。Step 303, the client signs the login request based on the user's identity private key.
步骤304,客户端将签名后的登录请求发送至认证方。Step 304, the client sends the signed login request to the authenticator.
本实施例在生成登录请求,并基于用户的身份私钥对登录请求进行签名之后,即可将签名后的登录请求发送至认证方,以由认证方基于用户的身份公钥进行验签。In this embodiment, after the login request is generated and signed based on the user's identity private key, the signed login request can be sent to the authenticator, so that the authenticator can verify the signature based on the user's identity public key.
步骤305,认证方在接收到登录请求后,基于用户的DID生成公钥获取交易。Step 305, after receiving the login request, the authenticator generates a public key acquisition transaction based on the user's DID.
应当理解的是,用户的DID通过预先在区块链系统中注册得到,且区块链系统在为用户注册DID的过程中,生成了对应于该DID的DID文档,用于维护该用户的身份公钥。It should be understood that the user's DID is obtained by pre-registering in the blockchain system, and the blockchain system generates a DID document corresponding to the DID during the process of registering the DID for the user to maintain the user's identity public key.
因此,认证方在接收到登录请求后,即可基于用户的DID生成相应的公钥获取交易,以从区块链系统处获取用户的身份公钥。Therefore, after receiving the login request, the authenticator can generate a corresponding public key acquisition transaction based on the user's DID to obtain the user's identity public key from the blockchain system.
步骤306,认证方将公钥获取交易发送至区块链系统。Step 306, the authenticator sends the public key acquisition transaction to the blockchain system.
步骤307,区块链系统基于获取到的公钥获取交易中包含的DID,获取用户的身份公钥并返回至认证方。Step 307, the blockchain system obtains the DID included in the transaction based on the obtained public key, obtains the user's identity public key and returns it to the authenticator.
在本实施例中,区块链系统在接收到上述公钥获取交易之后,即可读取其中包含的用户的DID,以根据该DID查找到相应的DID文档,以将DID文档中包含的身份公钥返回至认证方。In this embodiment, after the blockchain system receives the above-mentioned public key acquisition transaction, it can read the user's DID contained in it, so as to find the corresponding DID document according to the DID, so that the identity contained in the DID document The public key is returned to the authenticator.
步骤308,认证方基于返回的身份公钥对登录请求进行验签。In step 308, the authenticator verifies the login request based on the returned identity public key.
在本实施例中,认证方在接收到区块链系统返回的身份公钥之后,即可基于该身份公钥对接收到的VC进行验签。In this embodiment, after receiving the identity public key returned by the blockchain system, the authenticator can verify the received VC based on the identity public key.
步骤309,认证方在验签成功的情况下,向客户端返回登录授权信息。In step 309, the authenticator returns login authorization information to the client if the signature verification is successful.
在本实施例中,若验签成功,则证明请求登录的用户的身份可靠。此时,可以向客户端返回登录授权信息,以指示客户端将该用户的登录状态标记为已登录。In this embodiment, if the signature verification is successful, it proves that the identity of the user requesting to log in is reliable. At this point, login authorization information may be returned to the client to instruct the client to mark the user's login status as logged in.
步骤310,客户端在接收到登录授权信息后,将用户的登录状态标记为已登录。Step 310, after receiving the login authorization information, the client marks the user's login status as logged in.
由上述技术方案可知,本实施例可以通过预先注册于区块链系统中的用户的DID,对请求登录的用户进行身份验证。应当理解的是,DID必须依托于区块链系统,因此,通过DID实现用户登录,相当于是基于区块链系统完成用户登录,由于区块链系统中的数据不可篡改,使得基于DID进行的身份认证具有较强的可靠性,避免了相关技术中由于通过中心化服务对用户进行身份认证,而导致的登录过程不可靠的问题。It can be seen from the above technical solution that in this embodiment, the user who requests to log in can be authenticated by using the DID of the user pre-registered in the blockchain system. It should be understood that DID must rely on the blockchain system. Therefore, user login through DID is equivalent to completing user login based on the blockchain system. Since the data in the blockchain system cannot be tampered with, the identity based on DID The authentication has strong reliability, which avoids the problem of unreliable login process caused by the authentication of the user through the centralized service in the related technology.
图4是本说明书一示例性实施例示出的一种用户数据授权方法的交互图。该方法可以包括以下步骤:步骤401,客户端在已登录用户的指示下运行第三方应用。Fig. 4 is an interaction diagram of a user data authorization method shown in an exemplary embodiment of this specification. The method may include the following steps: Step 401, the client runs a third-party application under the instruction of the logged-in user.
在本实施例中,以“在客户端中运行的第三方应用请求获取已登录用户的用户数据”为例进行介绍。In this embodiment, "the third-party application running on the client requests to obtain the user data of the logged-in user" is taken as an example for introduction.
举例而言,本实施例中的客户端可以为即时通讯客户端,通常情况下,在该客户端上运行的应用为该客户端的原生服务方提供的原生应用,如,运行的为即时通讯应用。一般情况下,用户在完成登录后,客户端上运行的原生应用通常可以获取已登录用户的大多数用户数据,仅少部分数据需要在获得授权之后才能获取;而对于客户端上运行的由第三方服务方提供的第三方应用而言,若需要获取已登录用户的用户数据,必然需要优先获取该已登录用户的授权。For example, the client in this embodiment may be an instant messaging client. Usually, the application running on the client is a native application provided by the client's native server, such as an instant messaging application. . In general, after the user completes the login, the native application running on the client can usually obtain most of the user data of the logged-in user, and only a small part of the data can only be obtained after obtaining authorization; For the third-party application provided by the third-party service provider, if it needs to obtain the user data of the logged-in user, it must first obtain the authorization of the logged-in user.
承接上述举例,在该即时通讯客户端中运行的第三方应用可以为由购物平台服务方提供的购物应用,此时,该购物应用需要获取已登录用户的数据,必然需要经由已登录用户的授权。Following the above example, the third-party application running in the instant messaging client can be a shopping application provided by the shopping platform service provider. At this time, the shopping application needs to obtain the data of the logged-in user, which must be authorized by the logged-in user. .
步骤402,客户端接收并展示第三方应用发起的用户数据获取请求。Step 402, the client receives and displays the user data acquisition request initiated by the third-party application.
承接上述举例,上述购物应用可以向客户端发起用户数据获取请求,例如,可以将该请求展示于客户端的界面之中,以便已登录用户确定是否授予该购物应用获取自身用户数据的权限。Following the above example, the above shopping application can initiate a user data acquisition request to the client, for example, the request can be displayed on the client interface, so that the logged-in user can determine whether to grant the shopping application permission to obtain its own user data.
步骤403,客户端接收到已登录用户的授权指示。Step 403, the client receives an authorization instruction from the logged-in user.
在本实施例中,需要声明的是,本说明书相较于相关技术中的用户数据授权方法,依托于不同的用户数据授权架构,其中,相关技术是依托于中心化服务器实现数据授权,而本说明书则是依托于分布式架构(包含区块链系统、数据提供方、认证方、客户端等)实现用户数据授权,本质上是在协议层面对用户数据授权过程进行了修改,或者说,是提出了一种新的用户数据授权协议,因此,在实际颁发VC时,是以令牌的形式进行颁发,即用户实际颁发的为VC令牌。In this embodiment, it needs to be declared that, compared with the user data authorization method in the related technology, this specification relies on a different user data authorization framework, wherein the related technology relies on a centralized server to implement data authorization, while this The manual relies on the distributed architecture (including blockchain system, data provider, authenticator, client, etc.) to realize user data authorization, which essentially modifies the user data authorization process at the protocol level, or in other words, is A new user data authorization protocol is proposed. Therefore, when VC is actually issued, it is issued in the form of a token, that is, what the user actually issues is a VC token.
承接上述举例,若已登录用户为用户A,且已决定将自身的用户数据授权给购物应用B,则可以通过触发展示于客户端界面中的授权控件,以指示客户端生成用于指示“允许该购物应用B获取用户A的用户数据”的VC令牌。Continuing the above example, if the logged-in user is user A and has decided to authorize his own user data to shopping application B, he can trigger the authorization control displayed on the client interface to instruct the client to generate an indication "allow The shopping app B gets the VC token of user A's user data".
步骤404,客户端基于用户的DID和第三方应用的DID颁发VC令牌。Step 404, the client issues a VC token based on the DID of the user and the DID of the third-party application.
在本实施例中,是基于DID实现用户数据的授权,因此,在颁发的VC令牌中实际上都是通过各个对象的DID表征相应的对象。In this embodiment, the authorization of user data is implemented based on the DID. Therefore, in the issued VC token, the DID of each object actually represents the corresponding object.
承接上述举例,假设用户A的DID为a1fdg4,购物应用B的DID为saff5d,那么,在VC令牌中即可通过a1fdg4表征用户A,通过saff5d表征购物应用B。当然除了两者的DID之外,还可以进一步限制用户A向购物应用B开放的用户数据的范围。例如,用户A的用户数据可以包括:用户名、昵称、即时通讯记录、用户头像、用户年龄等。而在VC令牌中则可以表明仅将用户名和用户头像的获取权限开放给该购物应用B。Following the above example, assuming that the DID of user A is a1fdg4 and the DID of shopping application B is saff5d, then user A can be represented by a1fdg4 and shopping application B can be represented by saff5d in the VC token. Of course, in addition to the DIDs of the two, the scope of user data that user A opens to shopping application B can be further restricted. For example, the user data of user A may include: user name, nickname, instant messaging records, user avatar, user age and so on. However, in the VC token, it can be indicated that the shopping application B is only allowed to obtain the user name and user avatar.
步骤405,客户端基于第三方应用的身份私钥对VC令牌进行签名。Step 405, the client signs the VC token based on the identity private key of the third-party application.
在本实施例中,为方便数据提供方在获取到VC令牌后,验证该VC令牌是否是颁发给第三方应用,在本步骤中,客户端可以基于第三方应用的身份私钥对VC令牌进行签名。In this embodiment, in order to facilitate the data provider to verify whether the VC token is issued to a third-party application after obtaining the VC token, in this step, the client can verify the VC token based on the identity private key of the third-party application. The token is signed.
当然,在本步骤中,还可以进一步通过上述用户A的身份私钥对VC令牌进行签名,是否需要执行该步骤可由本领域技术人员根据实际需求确定,本实施例对此不作限制。Of course, in this step, the VC token can be further signed by the identity private key of the above-mentioned user A. Whether this step needs to be performed can be determined by those skilled in the art according to actual needs, which is not limited in this embodiment.
步骤406,客户端将完成签名的VC令牌发送至认证方。Step 406, the client sends the signed VC token to the authenticator.
在本实施例中,由于VC令牌存在时效性,因此,还可以将VC令牌注册至区块链系统中,以由区块链系统对用于表征VC令牌是否有效的状态信息进行维护。In this embodiment, due to the timeliness of the VC token, the VC token can also be registered in the blockchain system, so that the blockchain system can maintain the status information used to indicate whether the VC token is valid .
由于在实际应用中,区块链技术提供方通常仅允许与其存在合作关系的服务方与区块链系统进行交互,因此,在本实施例中,可以优先将VC令牌发送至由该服务方提供的认证方处,以由该认证方生成相应的注册交易,以将VC令牌注册至区块链系统中。Since in practical applications, the blockchain technology provider usually only allows the service party that has a cooperative relationship with it to interact with the blockchain system, therefore, in this embodiment, the VC token can be sent to the Provided by the authenticator, the authenticator generates a corresponding registration transaction to register the VC token into the blockchain system.
步骤407,认证方基于签名后的VC令牌生成注册交易,并发送至区块链系统。Step 407, the authenticator generates a registration transaction based on the signed VC token and sends it to the blockchain system.
承接上述举例,区块链系统可以在接收到VC令牌的情况下直接对其进行注册,或者,在VC令牌经由用户A的身份私钥签名的情况下,可以优先根据VC令牌中用户A的DID获取链上存储的用户A的身份公钥,以对VC令牌进行验签,且仅在验签成功的情况下,再将VC令牌注册至区块链系统,并对其状态信息进行维护。需要声明的是,注册成功的VC令牌的状态信息被标记为有效,若在后续过程中,用户A不再将相应的用户数据授权给购物应用B,则可以通过向区块链系统发送吊销交易的方式将该VC令牌的状态信息变更为吊销状态。当然,用户A也可以预先在VC令牌中指示该VC令牌的有效时长,那么,区块链系统即可在完成注册之后,定时对该VC令牌进行吊销。Following the above examples, the blockchain system can directly register the VC token upon receiving it, or, in the case of the VC token being signed by user A’s identity private key, it can preferentially register the user according to the VC token. A's DID obtains the identity public key of user A stored on the chain to verify the VC token, and only if the verification is successful, then registers the VC token to the blockchain system and checks its status information is maintained. What needs to be declared is that the status information of the successfully registered VC token is marked as valid. If in the subsequent process, user A no longer authorizes the corresponding user data to shopping application B, he can send a revocation to the blockchain system. The transaction method changes the status information of the VC token to the revoked status. Of course, user A can also indicate the validity period of the VC token in the VC token in advance, then the blockchain system can periodically revoke the VC token after the registration is completed.
步骤408,区块链系统对VC令牌进行注册,并将注册得到的VC令牌的状态信息标记为有效。Step 408, the blockchain system registers the VC token, and marks the status information of the registered VC token as valid.
步骤409,区块链系统将注册得到的VC令牌的DID返回至认证方。Step 409, the blockchain system returns the DID of the registered VC token to the authenticator.
在本实施例中,区块链系统在注册VC令牌时,可以生成对应于该VC令牌的DID,以便数据提供方可以根据该DID获取VC令牌的状态信息。In this embodiment, when the blockchain system registers the VC token, it can generate a DID corresponding to the VC token, so that the data provider can obtain the status information of the VC token according to the DID.
应当理解的是,本实施例仅仅是以通过VC令牌的DID获取VC令牌的状态信息为例进行介绍,在实际操作中,区块链系统只需返回对应于VC令牌的唯一标识信息,即可在后续验证过程中,获取该状态信息,例如,该唯一标识信息除了VC令牌的DID以外,还可以为VC令牌的hash值等,本实施例具体通过何种标识获取VC令牌的状态信息可由本领域技术人员根据实际情况确定,本实施例对此不作限制。It should be understood that this embodiment only uses the DID of the VC token to obtain the status information of the VC token as an example. In actual operation, the blockchain system only needs to return the unique identification information corresponding to the VC token , that is, the status information can be obtained in the subsequent verification process. For example, the unique identification information can be the hash value of the VC token in addition to the DID of the VC token. What kind of identification is used to obtain the VC token in this embodiment? The status information of the card can be determined by those skilled in the art according to the actual situation, which is not limited in this embodiment.
步骤410,认证方将VC令牌的DID返回至客户端。Step 410, the authenticator returns the DID of the VC token to the client.
步骤411,客户端基于签名后的VC令牌以及VC令牌的DID生成数据获取请求。Step 411, the client generates a data acquisition request based on the signed VC token and the DID of the VC token.
在本实施例中,当客户端接收到返回的VC令牌的DID之后,即可基于签名后的VC令牌以及该DID生成数据获取请求,并将其发送至数据提供方。In this embodiment, after the client receives the returned DID of the VC token, it can generate a data acquisition request based on the signed VC token and the DID, and send it to the data provider.
步骤412,客户端将数据获取请求发送至数据提供方。Step 412, the client sends a data acquisition request to the data provider.
在本实施例中,数据提供方可以为区别于上述认证方、区块链系统的其他数据服务器。该数据提供方通过区块链系统中注册的DID对VC令牌进行验证,而非听从认证方的认证结果。In this embodiment, the data provider may be other data servers that are different from the authentication party and the blockchain system described above. The data provider verifies the VC token through the DID registered in the blockchain system, instead of following the authentication result of the authenticator.
步骤413,数据提供方基于第三方应用的DID,以及VC令牌的DID生成验证凭证获取交易。Step 413, the data provider generates a verification voucher based on the DID of the third-party application and the DID of the VC token to obtain the transaction.
承接上述举例,数据提供方在获取到数据获取请求之后,即可从该请求中读取签名后的VC令牌和VC令牌的DID,并进一步从VC令牌中获取购物应用B的DID。在此基础上,即可基于购物应用B的DID从区块链系统中获取购物应用B的身份公钥,以验证VC令牌中的被授权方是否为购物应用B;并基于VC令牌的DID从区块链系统处获取VC令牌的状态信息,以确定VC令牌是否有效。Following the above example, after obtaining the data acquisition request, the data provider can read the signed VC token and the DID of the VC token from the request, and further obtain the DID of the shopping application B from the VC token. On this basis, the identity public key of shopping application B can be obtained from the blockchain system based on the DID of shopping application B to verify whether the authorized party in the VC token is shopping application B; and based on the VC token DID obtains the status information of the VC token from the blockchain system to determine whether the VC token is valid.
步骤414,数据提供方将验证凭证获取交易发送至区块链系统。Step 414, the data provider sends the verification certificate acquisition transaction to the blockchain system.
在本实施例中,VC令牌的状态信息、第三方应用的身份公钥均用于对VC令牌进行验证,因此,可以将VC令牌的状态信息、第三方应用的身份公钥均称作验证凭证。In this embodiment, both the state information of the VC token and the identity public key of the third-party application are used to verify the VC token. Therefore, both the state information of the VC token and the identity public key of the third-party application can be called as a verification certificate.
在实际操作中,数据提供方通常不会通过两次交互分别获取VC令牌的状态信息和第三方应用的身份公钥,而是通过一次交互获取VC令牌的状态信息和第三方应用的身 份公钥。具体的,数据提供方可以基于VC令牌的DID和第三方应用的DID生成验证凭证获取交易,并将该验证凭证获取交易发送至区块链系统。In actual operation, the data provider usually does not obtain the state information of the VC token and the identity public key of the third-party application through two interactions, but obtains the state information of the VC token and the identity of the third-party application through one interaction public key. Specifically, the data provider can generate a verification credential acquisition transaction based on the DID of the VC token and the DID of the third-party application, and send the verification credential acquisition transaction to the blockchain system.
承接上述举例,基于VC令牌的DID和购物应用B的DID生成验证凭证交易,并发送至区块链系统。Following the above example, a verification voucher transaction is generated based on the DID of the VC token and the DID of the shopping application B, and sent to the blockchain system.
步骤415,区块链系统执行验证凭证获取交易,以根据其中的第三方应用的DID获取第三方应用的身份公钥,根据其中的VC令牌的DID获取VC令牌的状态信息。Step 415, the blockchain system executes the verification credential acquisition transaction to obtain the identity public key of the third-party application according to the DID of the third-party application, and obtain the status information of the VC token according to the DID of the VC token.
承接上述举例,区块链系统在接收到上述验证凭证获取交易之后,即可从中读取VC令牌的DID和购物应用B的DID,并根据购物应用B的DID获取购物应用B的身份公钥、根据其中的VC令牌的DID获取VC令牌的状态信息。Following the above example, after the blockchain system receives the above-mentioned verification certificate acquisition transaction, it can read the DID of the VC token and the DID of the shopping application B, and obtain the identity public key of the shopping application B according to the DID of the shopping application B 1. Obtain the state information of the VC token according to the DID of the VC token.
步骤416,区块链系统将第三方应用的身份公钥和VC令牌的状态信息返回至数据提供方。Step 416, the blockchain system returns the identity public key of the third-party application and the state information of the VC token to the data provider.
步骤417,数据提供方基于第三方应用的身份公钥对VC令牌进行验签,并确定状态信息是否表明VC令牌有效;若验签成功且VC令牌有效,则跳转至步骤418。Step 417, the data provider verifies the VC token based on the identity public key of the third-party application, and determines whether the status information indicates that the VC token is valid; if the verification is successful and the VC token is valid, then go to step 418.
承接上述举例,数据提供方在接收到区块链系统返回的VC令牌的状态信息和购物应用B的身份公钥之后,即可根据该状态信息确定该VC令牌是否有效,以及通过购物应用B的身份公钥对签名后的VC令牌进行验签。若确定VC令牌有效且验签成功,则证明购物应用B具有获取VC令牌中指示的用户数据的权限,数据提供方可以根据VC令牌中的指示获取相应的用户数据,并将其返回至客户端,以由客户端提供给购物应用B。Following the above example, after receiving the status information of the VC token returned by the blockchain system and the identity public key of the shopping application B, the data provider can determine whether the VC token is valid according to the status information, and through the shopping application B B's identity public key verifies the signed VC token. If it is determined that the VC token is valid and the signature verification is successful, it proves that the shopping application B has the authority to obtain the user data indicated in the VC token, and the data provider can obtain the corresponding user data according to the indication in the VC token and return it to the client to be provided to the shopping application B by the client.
步骤418,数据提供方将VC令牌中指示的用户数据返回至客户端。Step 418, the data provider returns the user data indicated in the VC token to the client.
由上述技术方案可知,本实施例能够在用户的指示下为在客户端中运行的第三方应用颁发VC令牌,以通过该VC令牌指示数据提供方将相应的用户数据返回至客户端,并提供给第三方应用。应当理解的是,本实施例相当于将上述VC令牌作为数据授权凭证,以对用户数据授权过程进行控制,避免了相关技术中,用户无法对用户数据授权过程进行控制的问题。It can be seen from the above technical solution that this embodiment can issue a VC token for a third-party application running in the client under the instruction of the user, so as to instruct the data provider to return the corresponding user data to the client through the VC token, and provided to third-party applications. It should be understood that this embodiment is equivalent to using the above-mentioned VC token as a data authorization credential to control the user data authorization process, which avoids the problem in the related art that the user cannot control the user data authorization process.
进一步的,本实施例还可以进一步将VC令牌注册至区块链系统中,以由区块链系统对VC令牌的状态数据进行维护。在此基础上,数据提供方即可通过区块链系统获取VC令牌的状态信息,以确定VC令牌是否有效,进而避免了由于基于无效VC令牌将用户数据提供给第三方应用,而导致用户数据泄露的问题。Further, in this embodiment, the VC token can be further registered in the blockchain system, so that the state data of the VC token can be maintained by the blockchain system. On this basis, the data provider can obtain the status information of the VC token through the blockchain system to determine whether the VC token is valid, thereby avoiding the problem of providing user data to third-party applications based on invalid VC tokens. Issues that lead to user data leakage.
本说明书是参照根据本说明书实施例的方法、系统、和计算机程序产品的流程图和/或方框图来描述的。应理解可由计算机程序指令实现流程图和/或方框图中的每一流程和/或方框、以及流程图和/或方框图中的流程和/或方框的结合。可提供这些计算机程序指令到通用计算机、专用计算机、嵌入式处理机或其他可编程数据处理设备的处理器以产生一个机器,使得通过计算机或其他可编程数据处理设备的处理器执行的指令产生用于实现在流程图一个流程或多个流程和/或方框图一个方框或多个方框中指定的功能的装置。The specification is described with reference to flowchart illustrations and/or block diagrams of methods, systems, and computer program products according to embodiments of the specification. It should be understood that each procedure and/or block in the flowchart and/or block diagram, and a combination of procedures and/or blocks in the flowchart and/or block diagram can be realized by computer program instructions. These computer program instructions may be provided to a general purpose computer, special purpose computer, embedded processor, or processor of other programmable data processing equipment to produce a machine such that the instructions executed by the processor of the computer or other programmable data processing equipment produce a An apparatus for realizing the functions specified in one or more procedures of the flowchart and/or one or more blocks of the block diagram.
这些计算机程序指令也可存储在能引导计算机或其他可编程数据处理设备以特定方式工作的计算机可读存储器中,使得存储在该计算机可读存储器中的指令产生包括指令装置的制造品,该指令装置实现在流程图一个流程或多个流程和/或方框图一个方框或多个方框中指定的功能。These computer program instructions may also be stored in a computer-readable memory capable of directing a computer or other programmable data processing apparatus to operate in a specific manner, such that the instructions stored in the computer-readable memory produce an article of manufacture comprising instruction means, the instructions The device realizes the function specified in one or more procedures of the flowchart and/or one or more blocks of the block diagram.
这些计算机程序指令也可装载到计算机或其他可编程数据处理设备上,使得在计算机或其他可编程设备上执行一系列操作步骤以产生计算机实现的处理,从而在计算机或其他可编程设备上执行的指令提供用于实现在流程图一个流程或多个流程和/或方框图一个方框或多个方框中指定的功能的步骤。These computer program instructions can also be loaded onto a computer or other programmable data processing device, causing a series of operational steps to be performed on the computer or other programmable device to produce a computer-implemented process, thereby The instructions provide steps for implementing the functions specified in the flow chart or blocks of the flowchart and/or the block or blocks of the block diagrams.
在一个典型的配置中,计算设备包括一个或多个处理器(CPU)、输入/输出接口、网络接口和内存。In a typical configuration, a computing device includes one or more processors (CPUs), input/output interfaces, network interfaces, and memory.
内存可能包括计算机可读介质中的非永久性存储器,随机存取存储器(RAM)和/或非易失性内存等形式,如只读存储器(ROM)或闪存(flash RAM)。内存是计算机可读介质的示例。Memory may include non-permanent storage in computer-readable media, in the form of random access memory (RAM) and/or nonvolatile memory such as read-only memory (ROM) or flash RAM. Memory is an example of computer readable media.
计算机可读介质包括永久性和非永久性、可移动和非可移动媒体可以由任何方法或技术来实现信息存储。信息可以是计算机可读指令、数据结构、程序的模块或其他数据。计算机的存储介质的例子包括,但不限于相变内存(PRAM)、静态随机存取存储器(SRAM)、动态随机存取存储器(DRAM)、其他类型的随机存取存储器(RAM)、只读存储器(ROM)、电可擦除可编程只读存储器(EEPROM)、快闪记忆体或其他内存技术、只读光盘只读存储器(CD-ROM)、数字多功能光盘(DVD)或其他光学存储、磁盒式磁带,磁带磁磁盘存储、石墨烯存储或其他磁性存储设备或任何其他非传输介质,可用于存储可以被计算设备访问的信息。按照本文中的界定,计算机可读介质不包括暂存电脑可读媒体(transitory media),如调制的数据信号和载波。Computer-readable media, including both permanent and non-permanent, removable and non-removable media, can be implemented by any method or technology for storage of information. Information may be computer readable instructions, data structures, modules of a program, or other data. Examples of computer storage media include, but are not limited to, phase change memory (PRAM), static random access memory (SRAM), dynamic random access memory (DRAM), other types of random access memory (RAM), read only memory (ROM), Electrically Erasable Programmable Read-Only Memory (EEPROM), Flash memory or other memory technology, Compact Disc Read-Only Memory (CD-ROM), Digital Versatile Disc (DVD) or other optical storage, Magnetic cassettes, magnetic tape magnetic disk storage, graphene storage or other magnetic storage devices or any other non-transmission medium that can be used to store information that can be accessed by computing devices. As defined herein, computer-readable media excludes transitory computer-readable media, such as modulated data signals and carrier waves.
本领域技术人员应明白,本说明书一个或多个实施例可提供为方法、系统或计算机程序产品。因此,本说明书一个或多个实施例可采用完全硬件实施例、完全软件实施例或结合软件和硬件方面的实施例的形式。而且,本说明书一个或多个实施例可采用在一个或多个其中包含有计算机可用程序代码的计算机可用存储介质(包括但不限于磁盘存储器、CD-ROM、光学存储器等)上实施的计算机程序产品的形式。Those skilled in the art should understand that one or more embodiments of this specification may be provided as a method, system or computer program product. Accordingly, one or more embodiments of the present description may take the form of an entirely hardware embodiment, an entirely software embodiment or an embodiment combining software and hardware aspects. Furthermore, one or more embodiments of the present description may employ a computer program embodied on one or more computer-usable storage media (including but not limited to disk storage, CD-ROM, optical storage, etc.) having computer-usable program code embodied therein. The form of the product.
本说明书一个或多个实施例可以在由计算机执行的计算机可执行指令的一般上下文中描述,例如程序模块。一般地,程序模块包括执行特定任务或实现特定抽象数据类型的例程、程序、对象、组件、数据结构等等。也可以在分布式计算环境中实践本本说明书一个或多个实施例,在这些分布式计算环境中,由通过通信网络而被连接的远程处理设备来执行任务。在分布式计算环境中,程序模块可以位于包括存储设备在内的本地和远程计算机存储介质中。One or more embodiments of this specification may be described in the general context of computer-executable instructions, such as program modules, being executed by a computer. Generally, program modules include routines, programs, objects, components, data structures, etc. that perform particular tasks or implement particular abstract data types. One or more embodiments of the present specification may also be practiced in distributed computing environments where tasks are performed by remote processing devices that are linked through a communications network. In a distributed computing environment, program modules may be located in both local and remote computer storage media including storage devices.
本说明书中的各个实施例均采用递进的方式描述,各个实施例之间相同相似的部分互相参见即可,每个实施例重点说明的都是与其他实施例的不同之处。尤其,对于系统实施例而言,由于其基本相似于方法实施例,所以描述的比较简单,相关之处参见方法实施例的部分说明即可。在本说明书的描述中,参考术语“一个实施例”、“一些实施例”、“示例”、“具体示例”、或“一些示例”等的描述意指结合该实施例或示例描述的具体特征、结构、材料或者特点包含于本说明书的至少一个实施例或示例中。在本说明书中,对上述术语的示意性表述不必须针对的是相同的实施例或示例。而且,描述的具体特征、结构、材料或者特点可以在任一个或多个实施例或示例中以合适的方式结合。此外,在不相互矛盾的情况下,本领域的技术人员可以将本说明书中描述的不同实施例或示例以及不同实施例或示例的特征进行结合和组合。Each embodiment in this specification is described in a progressive manner, the same and similar parts of each embodiment can be referred to each other, and each embodiment focuses on the differences from other embodiments. In particular, for the system embodiment, since it is basically similar to the method embodiment, the description is relatively simple, and for relevant parts, refer to part of the description of the method embodiment. In the description of this specification, descriptions with reference to the terms "one embodiment", "some embodiments", "example", "specific examples", or "some examples" mean that specific features described in connection with the embodiment or example , structures, materials or features are included in at least one embodiment or example of this specification. In this specification, the schematic representations of the above terms are not necessarily directed to the same embodiment or example. Furthermore, the described specific features, structures, materials or characteristics may be combined in any suitable manner in any one or more embodiments or examples. In addition, those skilled in the art can combine and combine different embodiments or examples and features of different embodiments or examples described in this specification without conflicting with each other.
以上所述仅为本说明书一个或多个实施例的实施例而已,并不用于限制本本说明书一个或多个实施例。对于本领域技术人员来说,本说明书一个或多个实施例可以有各种更改和变化。凡在本说明书的精神和原理之内所作的任何修改、等同替换、改进等,均应包含在权利要求范围之内。The above description is only an example of one or more embodiments of this specification, and is not intended to limit one or more embodiments of this specification. For those skilled in the art, various modifications and changes may occur in one or more embodiments of this description. Any modifications, equivalent replacements, improvements, etc. made within the spirit and principles of this specification shall be included in the scope of the claims.

Claims (14)

  1. 一种用户数据授权方法,包括:A user data authorization method, comprising:
    客户端在接收到用户的授权指示的情况下,基于所述用户的身份私钥、所述用户的分布式数字身份信息和所述客户端中的目标应用的分布式数字身份信息颁发可验证声明,所述可验证声明用于指示允许所述目标应用获取所述用户的用户数据;以及,所述客户端向数据提供方发送包含所述可验证声明的数据获取请求,且所述数据获取请求或所述数据获取请求中包含的可验证声明由所述目标应用的身份私钥进行签名;After receiving the user's authorization instruction, the client issues a verifiable statement based on the user's identity private key, the user's distributed digital identity information, and the distributed digital identity information of the target application in the client , the verifiable statement is used to indicate that the target application is allowed to obtain the user data of the user; and, the client sends a data acquisition request including the verifiable statement to the data provider, and the data acquisition request Or the verifiable statement contained in the data acquisition request is signed by the identity private key of the target application;
    数据提供方从接收到的所述数据获取请求中读取可验证声明,并根据读取到的可验证声明中所含被授权方的分布式数字身份信息从区块链系统处获取相应的身份公钥,以通过获取到的身份公钥对接收到的数据获取请求或读取的可验证声明进行验签,并在验签成功的情况下,将读取的可验证声明中指示的用户数据返回所述客户端以提供至所述目标应用。The data provider reads the verifiable statement from the received data acquisition request, and obtains the corresponding identity from the blockchain system according to the distributed digital identity information of the authorized party contained in the read verifiable statement The public key is used to verify the signature of the received data acquisition request or the read verifiable statement through the obtained identity public key, and if the signature verification is successful, the user data indicated in the read verifiable statement will be read returned to the client for provisioning to the target application.
  2. 根据权利要求1所述的方法,The method according to claim 1,
    所述目标应用为所述客户端的原生服务方提供的原生应用;或者,The target application is a native application provided by the client's native server; or,
    所述目标应用为区别于所述原生服务方的第三方服务方提供的第三方应用。The target application is a third-party application provided by a third-party service provider different from the original service provider.
  3. 根据权利要求1所述的方法,所述客户端在接收到用户的授权指示的情况下,基于所述用户的身份私钥、所述用户的分布式数字身份信息和所述客户端中的目标应用的分布式数字身份信息颁发可验证声明,包括:The method according to claim 1, when the client receives the user's authorization instruction, based on the user's identity private key, the user's distributed digital identity information and the target in the client Applied distributed digital identity information issues verifiable claims, including:
    所述客户端在接收到所述用户的授权指示后,判断所述用户的登录状态;After receiving the authorization instruction from the user, the client determines the login status of the user;
    在所述用户的登录状态为已登录的情况下,基于所述用户的身份私钥、所述用户的分布式数字身份信息和所述客户端中目标应用的分布式数字身份信息颁发可验证声明。If the user's login status is logged in, issue a verifiable statement based on the user's identity private key, the user's distributed digital identity information, and the distributed digital identity information of the target application in the client .
  4. 根据权利要求3所述的方法,还包括:The method according to claim 3, further comprising:
    所述客户端在接收到所述用户的登录请求的情况下,基于所述用户的身份私钥和分布式数字身份信息,向认证方发起登录请求;When the client receives the user's login request, it initiates a login request to the authenticator based on the user's identity private key and distributed digital identity information;
    所述认证方基于所述登录请求中包含的分布式数字身份信息从区块链系统处获取所述用户的身份公钥,以对所述登录请求进行验签,并在验签通过的情况下,向所述客户端返回登录授权信息;The authenticator obtains the user's identity public key from the blockchain system based on the distributed digital identity information contained in the login request to verify the signature of the login request, and if the verification passes , returning login authorization information to the client;
    所述客户端在接收到所述登录授权信息后,将所述用户的登录状态标记为已登录。After receiving the login authorization information, the client marks the login status of the user as logged in.
  5. 根据权利要求1所述的方法,还包括:The method according to claim 1, further comprising:
    所述客户端将所述可验证声明注册至所述区块链系统,以由所述区块链系统对所述可验证声明的状态信息进行维护;The client registers the verifiable statement with the blockchain system, so that the state information of the verifiable statement is maintained by the blockchain system;
    所述数据提供方在接收到所述可验证声明的情况下,从所述区块链系统中获取所述可验证声明的状态信息,并在所述状态信息表明所述可验证声明有效且针对所述可验证声明的验签成功的情况下,将所述用户数据返回至所述客户端。When the data provider receives the verifiable statement, it obtains the status information of the verifiable statement from the blockchain system, and when the status information indicates that the verifiable statement is valid and for If the verification of the verifiable statement is successful, the user data is returned to the client.
  6. 根据权利要求5所述的方法,所述客户端将所述可验证声明注册至所述区块链系统,以由所述区块链系统对所述可验证声明的状态信息进行维护,包括:According to the method according to claim 5, the client registers the verifiable statement with the blockchain system, so that the state information of the verifiable statement is maintained by the blockchain system, including:
    所述客户端生成针对所述可验证声明的注册请求,并发送至认证方;The client generates a registration request for the verifiable claim and sends it to the authenticator;
    所述认证方在接收到所述注册请求的情况下,生成包含所述可验证声明的注册交易并发送至所述区块链系统;After receiving the registration request, the authenticator generates a registration transaction containing the verifiable statement and sends it to the blockchain system;
    所述区块链系统执行所述注册交易,以对接收到的可验证声明进行存证并维护所述可验证声明的状态信息。The blockchain system executes the registration transaction to deposit the received verifiable statement and maintain the status information of the verifiable statement.
  7. 根据权利要求5所述的方法,还包括:The method according to claim 5, further comprising:
    所述客户端在接收到所述用户针对所述可验证声明的吊销请求的情况下,指示所述区块链系统将所述可验证信息的状态信息变更为吊销状态。The client instructs the blockchain system to change the state information of the verifiable information to a revoked state when receiving the user's revocation request for the verifiable statement.
  8. 根据权利要求1所述的方法,所述数据获取请求或所述数据获取请求中包含的可验证声明还经由所述用户的身份私钥进行签名;所述方法还包括:According to the method according to claim 1, the data acquisition request or the verifiable statement contained in the data acquisition request is also signed via the user's identity private key; the method further comprises:
    所述数据提供方在读取所述可验证声明之后,根据读取到的可验证声明中所含授权方的分布式数字身份信息从所述区块链系统处获取相应的身份公钥,以对所述可验证声明进行验签;After the data provider reads the verifiable statement, it obtains the corresponding identity public key from the blockchain system according to the distributed digital identity information of the authorized party contained in the read verifiable statement, to verify the signature of said verifiable statement;
    所述数据提供方仅在基于所述授权方的身份公钥执行的验签操作、以及基于所述被授权方的身份公钥执行的验签操作均通过的情况下,将所述用户数据返回至所述客户端。The data provider returns the user data only when the signature verification operation based on the identity public key of the authorizer and the signature verification operation based on the identity public key of the authorized party pass. to the client.
  9. 根据权利要求1所述的方法,所述数据提供方为区别于所述区块链系统的数据服务器,或者为所述区块链系统。According to the method according to claim 1, the data provider is a data server different from the blockchain system, or is the blockchain system.
  10. 根据权利要求1所述的方法,还包括:The method according to claim 1, further comprising:
    所述客户端将所述可验证声明发送至中转服务器;The client sends the verifiable statement to the transit server;
    所述中转服务器根据所述用户的分布式数字身份信息从数据网络包含的若干数据服务器中确定出存储有所述用户数据的数据服务器,以将确定出的数据服务器作为所述数据提供方。The transit server determines the data server storing the user data from among several data servers included in the data network according to the distributed digital identity information of the user, and uses the determined data server as the data provider.
  11. 根据权利要求1所述的方法,所述方法还包括:The method according to claim 1, said method further comprising:
    所述数据提供方获取存储的关于所述用户的第一数据,以作为所述用户数据;或者,The data provider acquires the stored first data about the user as the user data; or,
    所述数据提供方获取存储的关于所述用户的第二数据,并按照所述可验证声明的指示对所述第二数据进行处理,以将处理结果作为所述用户数据。The data provider acquires the stored second data about the user, and processes the second data according to the instruction of the verifiable statement, so as to use the processing result as the user data.
  12. 根据权利要求11所述的方法,所述数据提供方按照所述可验证声明的指示对所述第二数据进行处理,以将处理结果作为所述用户数据,包括:The method according to claim 11, wherein the data provider processes the second data according to the instruction of the verifiable statement, so as to use the processing result as the user data, comprising:
    所述数据提供方在所述可验证声明指示需要对所述第二数据进行安全计算的情况下,基于所述可验证声明中指示的可信执行环境身份公钥对所述第二数据进行加密传输,并将加密后的第二数据输入相应的可信执行环境中,以由所述可信执行环境在基于自身的身份私钥对加密后的第二数据进行解密后按照所述可验证声明指示的预先部署的计算任务执行安全计算;The data provider encrypts the second data based on the trusted execution environment identity public key indicated in the verifiable statement in the case that the verifiable statement indicates that the second data needs to be securely calculated transmission, and input the encrypted second data into the corresponding trusted execution environment, so that after the trusted execution environment decrypts the encrypted second data based on its own identity private key, according to the verifiable statement Instructed pre-deployed computing tasks to perform secure computations;
    所述数据提供方将所述可信执行环境生成的安全计算结果作为所述用户数据。The data provider uses the secure calculation result generated by the trusted execution environment as the user data.
  13. 根据权利要求12所述的方法,所述基于所述可验证声明中指示的可信执行环境身份公钥对所述第二数据进行加密传输,并将加密后的第二数据输入相应的可信执行环境中,以由所述可信执行环境在基于自身的身份私钥对加密后的第二数据进行解密后按照所述可验证声明指示的预先部署的计算任务执行安全计算,包括:The method according to claim 12, wherein said second data is encrypted and transmitted based on the trusted execution environment identity public key indicated in said verifiable statement, and the encrypted second data is input into the corresponding trusted In the execution environment, after the trusted execution environment decrypts the encrypted second data based on its own identity private key, the secure computing is performed according to the pre-deployed computing tasks indicated by the verifiable statement, including:
    所述数据提供方基于所述可验证声明中指示的链上可信执行环境的身份公钥,对所述第二数据进行加密,并基于加密后的第二数据以及所述可验证声明中所含的计算任务生成安全计算交易;The data provider encrypts the second data based on the identity public key of the on-chain trusted execution environment indicated in the verifiable statement, and based on the encrypted second data and the Included calculation tasks generate secure calculation transactions;
    隐私区块链在接收到所述安全计算交易的情况下,在自身维护的链上可信执行环境中执行所述安全计算交易,以在通过所述链上可信执行环境的身份私钥对所述第二数据进行解密后,调用预先部署的用于完成所述计算任务的智能合约,对解密后的第二数据进行安全计算。In the case of receiving the secure computing transaction, the privacy blockchain executes the secure computing transaction in the on-chain trusted execution environment maintained by itself, so as to pass the identity private key pair of the on-chain trusted execution environment After the second data is decrypted, a pre-deployed smart contract for completing the calculation task is invoked to perform secure calculation on the decrypted second data.
  14. 一种用户数据授权系统,包括客户端和数据提供方;其中,A user data authorization system, including a client and a data provider; wherein,
    所述客户端在接收到用户的授权指示的情况下,基于所述用户的身份私钥、所述用户的分布式数字身份信息和所述客户端中的目标应用的分布式数字身份信息颁发可验证声明,所述可验证声明用于指示允许所述目标应用获取所述用户的用户数据;以及,所述客户端向所述数据提供方发送包含所述可验证声明的数据获取请求,且所述数据获取请求或所述数据获取请求中包含的可验证声明由所述目标应用的身份私钥进行签名;When the client receives the user's authorization instruction, it issues an available license based on the user's identity private key, the user's distributed digital identity information, and the distributed digital identity information of the target application in the client. A verification statement, where the verifiable statement is used to indicate that the target application is allowed to obtain the user data of the user; and, the client sends a data acquisition request including the verifiable statement to the data provider, and the The data acquisition request or the verifiable statement contained in the data acquisition request is signed by the identity private key of the target application;
    所述数据提供方从接收到的所述数据获取请求中读取可验证声明,并根据读取到的可验证声明中所含被授权方的分布式数字身份信息从区块链系统处获取相应的身份公钥,以通过获取到的身份公钥对接收到的数据获取请求或读取的可验证声明进行验签,并在验签成功的情况下,将读取的可验证声明中指示的用户数据返回所述客户端以提供至所述目标应用。The data provider reads the verifiable statement from the received data acquisition request, and obtains the corresponding distributed digital identity information of the authorized party contained in the read verifiable statement from the blockchain system. The identity public key is used to verify the signature of the received data acquisition request or the read verifiable statement through the obtained identity public key, and if the verification is successful, the read verifiable statement User data is returned to the client for provision to the target application.
PCT/CN2022/093793 2021-06-01 2022-05-19 User data authorization method and user data authorization system WO2022252992A1 (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN202110609107.6 2021-06-01
CN202110609107.6A CN113312664B (en) 2021-06-01 2021-06-01 User data authorization method and user data authorization system

Publications (1)

Publication Number Publication Date
WO2022252992A1 true WO2022252992A1 (en) 2022-12-08

Family

ID=77376923

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2022/093793 WO2022252992A1 (en) 2021-06-01 2022-05-19 User data authorization method and user data authorization system

Country Status (2)

Country Link
CN (1) CN113312664B (en)
WO (1) WO2022252992A1 (en)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN117407849A (en) * 2023-12-14 2024-01-16 四川省电子产品监督检验所 Industrial data security protection method and system based on industrial Internet technology

Families Citing this family (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN113312664B (en) * 2021-06-01 2022-06-28 支付宝(杭州)信息技术有限公司 User data authorization method and user data authorization system
CN114513373B (en) * 2022-04-20 2022-11-15 北京掌趣无限科技有限公司 Trusted data exchange method, device, system, electronic equipment and storage medium
CN115208886B (en) * 2022-07-13 2024-05-10 上海柚子工道物联技术有限公司 DID-based data authorization method, system and medium

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN109768865A (en) * 2019-01-18 2019-05-17 深圳市威赫科技有限公司 Block chain upper body part under credible performing environment digitizes realization method and system
CN110768968A (en) * 2019-10-11 2020-02-07 支付宝(杭州)信息技术有限公司 Authorization method, device, equipment and system based on verifiable statement
US20200076601A1 (en) * 2018-09-04 2020-03-05 Microsoft Technology Licensing, Llc Identity system for use with blockchain platform
CN112200585A (en) * 2020-11-10 2021-01-08 支付宝(杭州)信息技术有限公司 Service processing method, device, equipment and system
CN113312664A (en) * 2021-06-01 2021-08-27 支付宝(杭州)信息技术有限公司 User data authorization method and user data authorization system

Family Cites Families (11)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US9225744B1 (en) * 2012-05-01 2015-12-29 Amazon Technologies, Inc. Constrained credentialed impersonation
US10637665B1 (en) * 2016-07-29 2020-04-28 Workday, Inc. Blockchain-based digital identity management (DIM) system
CN111095865B (en) * 2019-07-02 2023-08-04 创新先进技术有限公司 System and method for issuing verifiable claims
US11651082B2 (en) * 2019-07-11 2023-05-16 Battelle Memorial Institute Blockchain applicability framework
CN110795501A (en) * 2019-10-11 2020-02-14 支付宝(杭州)信息技术有限公司 Method, device, equipment and system for creating verifiable statement based on block chain
CN110768967B (en) * 2019-10-11 2021-06-01 支付宝(杭州)信息技术有限公司 Service authorization method, device, equipment, system and storage medium
CN111090876B (en) * 2020-03-18 2020-07-17 支付宝(杭州)信息技术有限公司 Contract calling method and device
CN111431936B (en) * 2020-04-17 2021-09-21 支付宝(杭州)信息技术有限公司 Authorization processing method, device, equipment, system and storage medium based on verifiable statement
CN111539813B (en) * 2020-07-10 2020-12-11 支付宝(杭州)信息技术有限公司 Method, device, equipment and system for backtracking processing of business behaviors
CN113010870B (en) * 2020-10-10 2024-07-05 支付宝(杭州)信息技术有限公司 Service processing method, device and equipment based on digital certificate
CN112199714B (en) * 2020-12-04 2021-09-07 支付宝(杭州)信息技术有限公司 Privacy protection method and device based on block chain and electronic equipment

Patent Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20200076601A1 (en) * 2018-09-04 2020-03-05 Microsoft Technology Licensing, Llc Identity system for use with blockchain platform
CN109768865A (en) * 2019-01-18 2019-05-17 深圳市威赫科技有限公司 Block chain upper body part under credible performing environment digitizes realization method and system
CN110768968A (en) * 2019-10-11 2020-02-07 支付宝(杭州)信息技术有限公司 Authorization method, device, equipment and system based on verifiable statement
CN112200585A (en) * 2020-11-10 2021-01-08 支付宝(杭州)信息技术有限公司 Service processing method, device, equipment and system
CN113312664A (en) * 2021-06-01 2021-08-27 支付宝(杭州)信息技术有限公司 User data authorization method and user data authorization system

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN117407849A (en) * 2023-12-14 2024-01-16 四川省电子产品监督检验所 Industrial data security protection method and system based on industrial Internet technology
CN117407849B (en) * 2023-12-14 2024-02-23 四川省电子产品监督检验所 Industrial data security protection method and system based on industrial Internet technology

Also Published As

Publication number Publication date
CN113312664A (en) 2021-08-27
CN113312664B (en) 2022-06-28

Similar Documents

Publication Publication Date Title
EP3788523B1 (en) System and method for blockchain-based cross-entity authentication
WO2022252992A1 (en) User data authorization method and user data authorization system
US10027670B2 (en) Distributed authentication
US9621355B1 (en) Securely authorizing client applications on devices to hosted services
WO2019127278A1 (en) Safe access blockchain method, apparatus, system, storage medium, and electronic device
JP5695120B2 (en) Single sign-on between systems
US20170244676A1 (en) Method and system for authentication
US9647998B2 (en) Geo-fencing cryptographic key material
US9654922B2 (en) Geo-fencing cryptographic key material
US11134069B2 (en) Method for authorizing access and apparatus using the method
US20150271156A1 (en) Geo-Fencing Cryptographic Key Material
US11909889B2 (en) Secure digital signing
CN115277168B (en) Method, device and system for accessing server
JP2023544529A (en) Authentication methods and systems
KR102012262B1 (en) Key management method and fido authenticator software authenticator
US11218317B1 (en) Secure enclave implementation of proxied cryptographic keys
CN113472790A (en) Information transmission method based on HTTPS (hypertext transfer protocol secure protocol), client and server
US11804957B2 (en) Exporting remote cryptographic keys
KR20220006234A (en) Method for creating decentralized identity able to manage user authority and system for managing user authority using the same
CN114666168A (en) Decentralized identity certificate verification method and device, and electronic equipment
LU93150B1 (en) Method for providing secure digital signatures
CN112235276B (en) Master-slave equipment interaction method, device, system, electronic equipment and computer medium
CN114338091B (en) Data transmission method, device, electronic equipment and storage medium
CN115242471A (en) Information transmission method and device, electronic equipment and computer readable storage medium
JP2024513521A (en) Secure origin of trust registration and identification management of embedded devices

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 22815039

Country of ref document: EP

Kind code of ref document: A1

NENP Non-entry into the national phase

Ref country code: DE

122 Ep: pct application non-entry in european phase

Ref document number: 22815039

Country of ref document: EP

Kind code of ref document: A1