WO2023095953A1 - Distributed id-based verification credential management device and method, and device verification method and apparatus - Google Patents

Publication number
WO2023095953A1
Authority
WO
WIPO (PCT)
Prior art keywords
distributed
verification
credential
verification credential
document
Prior art date
Application number
PCT/KR2021/017562
Inventor
배웅식
우정민
강의용
김광용
두상균
Original Assignee
주식회사 드림시큐리티
Application filed by 주식회사 드림시큐리티 filed Critical 주식회사 드림시큐리티
Publication of WO2023095953A1 publication Critical patent/WO2023095953A1/en

Classifications

    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/08Network architectures or network communication protocols for network security for authentication of entities
    • H04L63/0815Network architectures or network communication protocols for network security for authentication of entities providing single-sign-on or federations
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/30Authentication, i.e. establishing the identity or authorisation of security principals
    • G06F21/31User authentication
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/08Network architectures or network communication protocols for network security for authentication of entities
    • H04L63/0876Network architectures or network communication protocols for network security for authentication of entities based on the identity of the terminal or configuration, e.g. MAC address, hardware or software configuration or device fingerprint
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L65/00Network arrangements, protocols or services for supporting real-time applications in data packet communication
    • H04L65/40Support for services or applications
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/32Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/32Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L9/3247Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving digital signatures
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/40Network security protocols
    • GPHYSICS
    • G16INFORMATION AND COMMUNICATION TECHNOLOGY [ICT] SPECIALLY ADAPTED FOR SPECIFIC APPLICATION FIELDS
    • G16YINFORMATION AND COMMUNICATION TECHNOLOGY SPECIALLY ADAPTED FOR THE INTERNET OF THINGS [IoT]
    • G16Y30/00IoT infrastructure
    • G16Y30/10Security thereof
    • GPHYSICS
    • G16INFORMATION AND COMMUNICATION TECHNOLOGY [ICT] SPECIALLY ADAPTED FOR SPECIFIC APPLICATION FIELDS
    • G16YINFORMATION AND COMMUNICATION TECHNOLOGY SPECIALLY ADAPTED FOR THE INTERNET OF THINGS [IoT]
    • G16Y40/00IoT characterised by the purpose of the information processing
    • G16Y40/50Safety; Security of things, users, data or systems

Definitions

  • the present invention is a system configuration and credential management method capable of issuing distributed ID-based digital identities and credentials and providing identification and authentication services between edge devices and service providers in an IoT environment.
  • the present invention relates to a credential integrated management technology in a multi-distributed identity management service that performs authentication of a device using distributed ID-based credentials.
  • decentralized identifiers which allow users to manage and control their own identity information without a centralized registration authority, are being used in various digital industries.
  • distributed identifiers are used in various digital certificate services such as mobile driver's licenses and vaccine certificates along with the W3C's Verifiable Credential standard.
  • Patent Document 1 Korean Registered Patent Publication No. 10-2139645 (Title of Invention: Blockchain-based Identity Verification System and Driving Method thereof)
  • An object of the present invention is to perform authentication of an edge device in an IoT environment using distributed ID-based credentials.
  • an object of the present invention is to provide a convenient user experience for integrated management and inquiry/use of credentials in multi-distributed identity management services.
  • A distributed ID-based verification credential management method includes the steps of registering IoT device connection information including a first verification credential corresponding to an IoT device, receiving a corresponding second verification credential, and registering the issued second verification credential to the IoT device.
  • The registering of the IoT device connection information includes requesting the first verification credential from the IoT device, receiving a verification presentation including the first verification credential, and verifying the digital signatures of the first verification credential and the verification presentation.
  • the verifying of the electronic signature may include verifying the digital signature based on the distributed ID document corresponding to each of the first verification credential and the verification presentation.
  • The distributed ID document corresponding to each of the first verification credential and the verification presentation can be obtained based on the result of requesting distributed ID resolving from the distributed ID resolver for the distributed ID corresponding to each of the first verification credential and the verification presentation.
  • the distributed ID resolver requests the distributed ID document from the distributed ID storage corresponding to the distributed ID based on the distributed ID resolving request, and obtains the distributed ID document based on a response from the distributed ID storage.
  • The step of issuing the second verification credential may include generating a distributed ID, a distributed ID document, and a digital signature of the user, registering the distributed ID of the user in a distributed ID storage, requesting issuance of a second verification credential corresponding to the user, and verifying a digital signature of the second verification credential based on an issuer distributed ID of the issued second verification credential.
  • the second verification credential may include information about a distributed ID corresponding to a user, a distributed ID corresponding to a device, and a first verification credential ID.
  • The step of requesting issuance of the second verification credential includes generating information necessary for issuing the second verification credential, encrypting the information necessary for issuing the second verification credential and transmitting it to the credential issuing server, and receiving second verification credential issuance information mapped to the device based on a verification result using a distributed ID corresponding to the user.
  • the step of verifying the digital signature of the second verification credential includes requesting distributed ID resolving for the issuer distributed ID of the second verification credential, and the distributed ID of the distributed ID storage corresponding to the issuer distributed ID.
  • Registering the issued second verification credential may include requesting registration of the second verification credential from the device, and receiving a registration result of the second verification credential of the device.
  • the registration request message of the second verification credential may include the second verification credential full text and meta data.
  • the device may perform a redundancy check on the second verification credential based on the registration request of the second verification credential.
  • A distributed ID-based device verification method for achieving the above object includes receiving a verification request for an IoT device, identifying the IoT device based on a distributed ID included in the verification request, requesting distributed ID resolving from a distributed ID resolver, receiving a resolution result including a distributed ID document from the distributed ID resolver, and verifying a digital signature using the public key of the distributed ID document.
  • the verification request of the IoT device may include a verification presentation corresponding to the IoT device.
  • the verification presentation may include a first verification credential corresponding to the device, a second verification credential corresponding to the user, and an electronic signature.
  • the distributed ID resolver requests the distributed ID document from the distributed ID storage corresponding to the distributed ID based on the distributed ID resolving request, and obtains the distributed ID document based on a response from the distributed ID storage.
  • the distributed ID document may include distributed ID documents respectively corresponding to the verification presentation, the first verification credential, and the second verification credential.
  • In the verifying of the digital signature, the digital signature may be verified for each of the verification presentation, the first verification credential, and the second verification credential.
  • the distributed ID-based device verification method may transmit a verification result to the IoT device based on the verification result of the digital signature.
  • authentication of an edge device can be performed in an IoT environment using distributed ID-based credentials.
  • the present invention can provide a convenient user experience for integrated management and inquiry/use of credentials on multi-distributed identity management services.
  • the present invention can easily provide an integrated environment with other distributed ID systems by using a distributed ID-based authentication process.
  • FIG. 1 is a diagram conceptually illustrating a distributed identity management service environment based on distributed ID.
  • FIG. 2 is a diagram conceptually illustrating a multi-distributed identity management service environment.
  • FIG. 3 is a diagram illustrating an IoT environment composed of sensor-based edge device nodes by way of example.
  • BLE Bluetooth Low Energy
  • FIG. 5 is a diagram conceptually illustrating a credential management method in a multi-distributed identity management service environment.
  • FIG. 6 is a diagram conceptually illustrating authentication between IoT devices using a common authentication method.
  • FIG. 7 is a flowchart illustrating a distributed ID-based verification credential management method according to an embodiment of the present invention.
  • FIG. 8 is a flowchart illustrating a distributed ID-based device authentication method according to an embodiment of the present invention.
  • FIG. 9 is a diagram conceptually illustrating a distributed ID and credential-based verification system according to an embodiment of the present invention.
  • FIGS. 10 to 11 are flowcharts showing in detail a process of registering device connection information according to an embodiment of the present invention.
  • FIGS. 12 to 14 are flowcharts showing in detail a membership VC issuing process according to an embodiment of the present invention.
  • FIG. 15 is a flowchart showing in detail a membership VC registration process according to an embodiment of the present invention.
  • FIG. 16 is a flowchart illustrating in detail a process of performing device verification according to an embodiment of the present invention.
  • FIG. 17 is a diagram showing the configuration of a computer system according to an embodiment.
  • Although terms such as "first" or "second" are used to describe various elements, these elements are not limited by these terms. Such terms may only be used to distinguish one component from another. Therefore, the first component mentioned below may also be the second component within the technical spirit of the present invention.
  • FIG. 1 is a diagram conceptually illustrating a distributed identity management service environment based on distributed ID.
  • a distributed identity management service environment is composed of entities such as an issuer, a user, a verifier, and a trust store.
  • the issuer issues credentials to the user, and the user manages the issued credentials and submits the credentials necessary for service use to the verifier.
  • the verifier requests the credential required to provide the service from the user and provides the service by verifying the credential submitted by the user.
  • the trust store stores and manages distributed identifiers (IDs) and distributed identifier documents that represent the identities of issuers, users, and verifiers.
  • FIG. 2 is a diagram conceptually illustrating a multi-distributed identity management service environment.
  • a multi-distributed identity management service environment that provides
  • FIG. 3 is a diagram illustrating an IoT environment composed of sensor-based edge device nodes by way of example.
  • the modern era is called the era of the 4th industrial revolution, and various cutting-edge technologies such as ICBM technology (IoT, Cloud Computing, Big Data, Mobile), artificial intelligence, autonomous driving, and smart city, which are core technologies, are emerging.
  • In the case of the Internet of Things (IoT), a hyper-connected technology is required to connect millions of devices in areas such as home/daily life/industry.
  • 5G technology, the 5th generation of mobile communication, supports ultra-high-speed transmission and ultra-low latency, including ultra-connectivity capable of connecting 1 million devices per unit area (1 km²), so it is getting attention as an essential technology optimized for communication between edge devices in the Internet of Things environment.
  • BLE Bluetooth Low Energy
  • Bluetooth is drawing attention as a suitable short-distance wireless communication. From Bluetooth 4.0 or higher, both classic Bluetooth, high-speed (up to 24Mbps) Bluetooth, and low-power Bluetooth (BLE) are supported. With the advent of BLE, beacons, which previously had problems with power supply and mobility, also developed, and in the case of BLE beacons, they can operate for up to two years with only one mercury battery, further raising the possibility of the IoT industry.
  • a packet transmission/reception process of a central device corresponding to a client and a peripheral device corresponding to a server can be confirmed.
  • FIG. 5 is a diagram conceptually illustrating a credential management method in a multi-distributed identity management service environment.
  • the user needs to manage identity qualifications (credentials) by installing separate applications provided by each service.
  • the service provider also bears the burden of building and managing a communication system with the distributed ID storage. Therefore, there is a need for a method to securely manage and search/use credentials in a multi-distributed identity management service environment.
  • FIG. 6 is a diagram conceptually illustrating authentication between IoT devices using a common authentication method.
  • the current IoT security certification system evaluates security measures differently depending on the size of the device and assigns different certification levels. This can cause difficulties in the mutual authentication process of devices. In the future, at least millions of IoT devices will be used for IoT services in various industries, and for this purpose, as shown in FIG.
  • FIG. 7 is a flowchart illustrating a distributed ID-based verification credential management method according to an embodiment of the present invention.
  • a distributed ID-based verification credential management method may be performed in a distributed ID-based authentication system.
  • IoT device connection information including a first verification credential corresponding to the IoT device is registered (S110).
  • The step of registering the IoT device connection information includes requesting the first verification credential from the IoT device, receiving a verification presentation including the first verification credential, and verifying the digital signatures of the first verification credential and the verification presentation.
  • the verifying of the electronic signature may include verifying the digital signature based on the distributed ID document corresponding to each of the first verification credential and the verification presentation.
  • The distributed ID document corresponding to each of the first verification credential and the verification presentation can be obtained based on the result of requesting distributed ID resolving from the distributed ID resolver for the distributed ID corresponding to each of the first verification credential and the verification presentation.
  • the distributed ID resolver requests the distributed ID document from the distributed ID storage corresponding to the distributed ID based on the distributed ID resolving request, and obtains the distributed ID document based on a response from the distributed ID storage.
  • The step of issuing the second verification credential may include generating a distributed ID, a distributed ID document, and a digital signature of the user, registering the distributed ID of the user in a distributed ID storage, requesting issuance of a second verification credential corresponding to the user, and verifying a digital signature of the second verification credential based on an issuer distributed ID of the issued second verification credential.
  • the second verification credential may include information about a distributed ID corresponding to a user, a distributed ID corresponding to a device, and a first verification credential ID.
  • Requesting issuance of the second verification credential may include generating information necessary for issuing the second verification credential, encrypting the information necessary for issuing the second verification credential and transmitting it to an issuing server, and receiving second verification credential issuance information mapped to the device based on a verification result using a distributed ID corresponding to the user.
  • the step of verifying the digital signature of the second verification credential includes requesting distributed ID resolving for the issuer distributed ID of the second verification credential, and the distributed ID of the distributed ID storage corresponding to the issuer distributed ID.
  • registering the issued second verification credential includes requesting registration of the second verification credential from the device and receiving a registration result of the second verification credential of the device.
  • the registration request message of the second verification credential may include the second verification credential full text and meta data.
  • the device may perform a redundancy check on the second verification credential based on the registration request of the second verification credential.
  • FIG. 8 is a flowchart illustrating a distributed ID-based device authentication method according to an embodiment of the present invention.
  • A device verification method based on a distributed ID includes receiving a verification request for an IoT device (S210), identifying the IoT device based on the distributed ID included in the verification request (S220), requesting distributed ID resolving from a distributed ID resolver (S230), receiving a resolution result including a distributed ID document from the distributed ID resolver (S240), and verifying the digital signature using the public key of the distributed ID document (S250).
  • the verification request of the IoT device may include a verification presentation corresponding to the IoT device.
  • the verification presentation may include a first verification credential corresponding to the device, a second verification credential corresponding to the user, and an electronic signature.
  • the distributed ID resolver requests the distributed ID document from the distributed ID storage corresponding to the distributed ID based on the distributed ID resolving request, and obtains the distributed ID document based on a response from the distributed ID storage.
  • the distributed ID document may include distributed ID documents respectively corresponding to the verification presentation, the first verification credential, and the second verification credential.
  • the digital signatures may be verified for each of the verification presentation, the first verification credential, and the second verification credential.
  • the distributed ID-based device verification method may further include transmitting a verification result to the IoT device based on the verification result of the electronic signature.
  • FIG. 9 is a diagram conceptually illustrating a distributed ID and credential-based verification system according to an embodiment of the present invention.
  • the system includes an edge device 10, a device identity management app 20, a distributed ID management server 30, a distributed ID resolver 40, a service provider (home IoT service 50), distributed trust store A 60, and distributed trust store B 70.
  • the device identity management app 20 may correspond to an app running on a user terminal, for example, a smart phone, a personal computer, a laptop computer, a tablet PC, and the like.
  • the edge device 10 refers to a manufacturer's IoT device, and the manufacturer's device VC (Verifiable Credential) is embedded at the time of shipment.
  • the edge device 10 may request a service from a service provider using a device VC and a membership VC.
  • the device VC and the membership VC may correspond to the first verification credential and the second verification credential, respectively, as an embodiment of the present invention.
  • the device identity management app 20 is an entity that performs identity management and service setting for service use in a device.
  • the device identity management app 20 may receive a membership VC for authentication when using the service and register it in the device.
  • the device identity management app 20 may inquire the device VC and membership VC in the device setting window.
  • the membership VC can be issued and deleted, but the device VC can be set to be deleted as a basic setting in the device.
  • the distributed ID management server 30 is an entity that registers and manages distributed IDs in a distributed trust store.
  • the distributed ID management server 30 may be used for registration, inquiry, renewal, and discard of distributed IDs for each service domain.
  • the distributed ID resolver 40 is an entity that provides a distributed ID search function managed by a distributed trust store for each service domain.
  • the distributed ID resolver 40 may check the location of the distributed trust storage to be searched based on the distributed ID information.
  • the service provider 50 is an entity that issues a service credential (membership VC) required for a device to request a service to a user and performs service request processing.
  • Distributed trust stores 60 and 70 are entities in which each distributed ID and its corresponding data (public key, distributed ID document, metadata, etc.) are registered.
  • a user can use a home IoT service through a mobile device.
  • a refrigerator has an edge device (hereinafter referred to as a device) built in, and a verification credential (hereinafter referred to as a VC) used for device authentication is installed in the device.
  • This device VC is issued by the device manufacturer and is pre-built into the device.
  • the user can manage VCs in the device by connecting to the device via mobile through BLE communication.
  • Membership VC can be issued from a refrigerator home service provider, and device VC verification is required to obtain membership VC.
  • the user sends the device VC to the refrigerator home service provider to obtain the membership VC, and to verify this, the refrigerator home service provider must access the distributed ID trust storage of the device manufacturer and inquire the distributed ID mapped with the device VC.
  • Different distributed identity management services can be interlocked through the distributed ID resolver, and the service certification process is carried out on the basis of the W3C standard distributed ID/VC system, through signature data transmission and reception between the issuer, user and verifier (service provider) and through signature verification.
  • BLE communication is used for data transmission and reception between the device and user mobile, and general Internet communication is used otherwise.
  • FIGS. 10 to 11 are flowcharts showing in detail a process of registering device connection information according to an embodiment of the present invention.
  • the user accesses the device management screen in the identity management app 20 and presses the 'add device' button (S302).
  • the mobile device searches for a device that can be connected using BLE technology, a low-power wireless communication supported by Bluetooth 4.0 or higher (S304).
  • a BLE connection is executed (S306). If the connection is successful, the identity management app 20 requests the device VC for trusted device authentication from the device 10 (S308).
  • the device 10 generates a device VC request response message for transmitting the requested device VC to the mobile (S310).
  • The VC is not delivered as is; instead, a VP (Verifiable Presentation) is delivered, structured so that the device VC is embedded in the VP value (S312).
  • a value digitally signed with a private key corresponding to the device distributed ID may be added to the VP.
  • the identity management app 20 verifies digital signature values for the VP received from the device 10 and the device VC included therein (S314 and S316).
  • the public key required to verify each signature value is stored in the document of each distributed ID, and must be obtained from each distributed trust storage.
  • the identity management app 20 requests distributed ID document inquiry to the distributed ID management server 30 (S318).
  • the distributed ID management server 30 checks the service domain from the delivered distributed ID value (S320). In the case of the same domain, inquiry can be made through the distributed ID management server, and in the case of heterogeneous domains, the distributed ID document is inquired through the distributed ID resolver 40 (S322). Since the distributed ID managed by the manufacturer corresponds to the heterogeneous domain area, the distributed ID management server 30 requests distributed ID document inquiry from the distributed ID resolver 40 (distributed ID resolving).
  • the distributed ID resolver 40 analyzes the received distributed ID values to identify a domain and finds a driver to connect to the corresponding domain (S322).
  • the distributed ID resolver 40 requests a distributed ID search through a driver to a domain matching the distributed ID value (S326) and obtains a document according to the search result (S328, S330).
  • The obtained document is transmitted as the value of the response message to the resolving request of the distributed ID management server (S332, S334).
  • The distributed ID management server 30 generates a response message containing the distributed ID documents (manufacturer distributed ID document / device distributed ID document) from the response message received from the distributed ID resolver 40 (S336, S338), and sends the response to the identity management app 20 (S340).
  • the identity management app 20 proceeds with the delivered distributed ID documents (S342, S344) to verify the electronic signature of each VP/VC (S346), and the signature verification process utilizes the public key in each distributed ID document.
  • The digital signature value of the VP is verified with the public key of the distributed ID of the device.
  • The digital signature value of the VC is verified with the public key of the distributed ID of the manufacturer.
  • the identity management app stores the device identification information and uses it as connection information later (S348, S350).
  • the device identification information may consist of a device distributed ID, a device VC ID, and a device model name.
  • the device VC ID is an ID generated by a manufacturer to manage device VC issue information and generally has a URL format.
  • FIGS. 12 to 14 are flowcharts showing in detail a membership VC issuing process according to an embodiment of the present invention.
  • the user requests the service provider 50 to issue a membership VC in the identity management app 20 to use the home IoT service.
  • a secure connection is established in advance (S402), and DID Authentication technology is used.
  • S402 secure connection
  • DID Authentication technology is used for security during the membership VC issuance process.
  • This is a technique used in the distributed ID system.
  • It refers to a communication technology in which the entities establish a common session key for end-to-end (E2E) communication using each entity's distributed ID value and then perform symmetric encrypted communication with it.
  • When the DID Authentication process is established, the user performs the process of registering the distributed ID to be used in the home IoT service domain. After creating a distributed ID and a document for a service user in the identity management app 20, the document is digitally signed with a private key corresponding to the distributed ID (S404).
  • the identity management app requests the distributed ID management server 30 to register a distributed ID for service users (S406). These values are registered in the distributed trust storage within the service domain through the distributed ID management server 30 (S408).
  • in the distributed trust storage B 70, the digital signature value of the distributed ID document to be registered is checked through self-sign verification, and if the verification is successful, the document is registered in the distributed trust storage with its digital signature value excluded (S410, S412, S414).
  • the distributed trust storage B 70 transmits a response message to the distributed ID management server 30 (S416).
  • the distributed ID management server 30 receiving the response text delivers the response text to the identity management app 20 (S418).
  • When the distributed ID for user service is registered, the identity management app 20 requests the service provider 50 to issue a membership VC (S420).
  • the service provider 50 sends the information necessary for issuing the membership VC in the form of a request, which is initially transmitted to the identity management app 20 encrypted with the session key shared through the DID Authentication connection (S422).
  • the identity management app 20 decrypts the received request with the session key (S424), checks the information necessary for the membership VC, and fills in the corresponding values (S426). There are three types of necessary information.
  • the three types of information are needed to associate the user and device information: the distributed ID for service users, which is mapped directly to the membership VC, and the device distributed ID and device VC ID, which are mapped to the device VC.
  • After filling in the corresponding values, the identity management app 20 transmits a response message to the service provider (S428); this message is also sent in encrypted form using the session key.
  • the challenge-response authentication process is performed every time to prevent replay attacks.
  • the service provider 50 decrypts the received encrypted response message (S430) and extracts three ID values necessary for issuing the membership VC. Among them, a search request is made to the distributed ID resolver 40 with the distributed ID value for the service user, and confirmation is made as to whether the distributed ID is actually registered (S432).
  • the service provider 50 requests the distributed ID resolver 40 to resolve the distributed ID for the service user (S434).
  • the distributed ID resolver 40 requests the distributed trust storage B 70 to retrieve the distributed ID document for the service user (S436), and receives the distributed ID document for the service user as a response according to the search result (S438, S440).
  • the distributed ID resolver 40 transmits a distributed ID resolving response for the service user to the service provider (S442).
  • the service provider 50 proceeds with a membership VC issuance procedure.
  • the service provider 50 creates a membership VC associated with the device (S446).
  • the membership VC contains specific device and user information, and the information is injected into the credentialSubject field of the VC.
  • a digital signature value is added using a private key corresponding to the distributed ID of the service provider 50.
  • the VC issuance process has a VC issuing server separately managed for each service provider, and the structure may be different for each service provider, and the scope of the present invention is not limited thereto.
  • the membership VC created by the service provider 50 is included in the VC issuance request response statement to be sent to the identity management app 20, and is transmitted in the form of an encrypted response statement through the session key (S448).
  • the identity management app 20 receiving the encrypted response text decrypts the response text with the session key to obtain the membership VC (S450).
  • the issuer field is the distributed ID value of the VC issuer; by requesting distributed ID resolving for this value (S452, S454), the document value, that is, the public key of the VC issuer, can be obtained.
  • the distributed ID resolver 40 requests distributed ID document inquiry to the distributed trust storage A 60 corresponding to the heterogeneous domain (S456), and receives a distributed ID document search result (S458) (S460).
  • the distributed ID resolver 40 transmits the heterogeneous domain distributed ID resolving response to the distributed ID management server 30 (S462), and the distributed ID management server 30 transmits the response to the identity management app 20.
  • the identity management app 20 verifies the digital signature value of the issued membership VC with the obtained public key of the VC issuer (S466).
  • the purpose of this verification process is to check whether the membership VC received by the user was issued by the correct VC issuer.
  • the identity management app can store the membership VC and utilize the VC when using the home IoT service afterwards.
  • FIG. 15 is a flowchart showing in detail a membership VC registration process according to an embodiment of the present invention.
  • BLE communication is used when transmitting the membership VC from the identity management app 20 to the device 10 (S502).
  • membership VC can be registered in the device.
  • When the membership VC registration button is clicked (S506), a list of transmittable membership VCs appears, and the user selects a membership VC (S508).
  • the identity management app 20 creates a registration request to transmit the membership VC (S510), and the full membership VC and meta information of the membership VC are inserted into the registration request. Meta information may be used as information to be used instead of the VC full text when outputting the VC management list in the device 10.
  • the request is transmitted to the device in the form of BLE communication (S512).
  • the start packet is the header of the membership VC registration request, and the packet structure is in the form of ⁇ SOF ⁇ + [number of data packets].
  • the total number of transmitted data packets can be confirmed by checking the start packet, and the number of data packets is calculated as follows.
  • the device 10 which is the receiving side, needs to know the order of assembling the data, and for this, the data packet structure is composed of ⁇ NUM_ + [data packet sequence] + ⁇ + [data].
  • the end packet is the last packet sent when there is no more transmission data, and the structure of the end packet is composed of ⁇ EOF ⁇ .
  • When the device completes receiving the end packet, it saves the transmitted packets as a file and sends a notification packet notifying the identity management app that the reception has been completed.
  • the notification packet structure is in the form of ⁇ ALL_RCV ⁇ , and the identity management app 20 terminates the transmission mode by receiving the corresponding packet. If the identity management app 20 does not receive this notification packet for a certain period of time, it determines that it is a transmission error and retransmits the packets. A total of 3 attempts are made, and if all 3 attempts fail, the transmission failure is notified to the user.
  • After receiving the membership VC registration request, the device 10 checks whether membership VCs are duplicated (S514). The redundancy check is conducted with three pieces of information from the membership VC. First, it is checked whether the vcId field value of the membership VC overlaps with other VCs in the device. Next, it is checked whether deviceDid and deviceVcId have duplicate values among the credentialSubject fields of the membership VC.
  • the device stores the received membership VC (S516), creates a registration response statement, and transmits it to the identity management app 20 (S518).
  • the identity management app checks the result of the registration response statement and outputs a registration success message if successful (S520).
  • FIG. 16 is a flowchart illustrating in detail a process of performing device verification according to an embodiment of the present invention.
  • the user can use the identity management app 20 to set the refrigerator home IoT service.
  • menu management is provided through a touch screen.
  • the quantity of specific ingredients can be checked through a sensor that detects the ingredients, and if the ingredients are insufficient, the item can be purchased in a preset quantity. Assume there is a service that automatically connects to an online market and performs payment.
  • When checking ingredients suitable for the next day's diet, if the sensor detects that the ingredients are insufficient, a notification requiring product purchase is transmitted to the device 10.
  • the device 10 generates a product order request statement to be submitted to the service provider based on the received notification (S602).
  • the product order request contains information necessary for product order details, IoT equipment, and payment user authentication.
  • Information necessary for authentication is included in the request in the form of a VP containing the device VC and membership VC, and transmitted to the service provider (S604).
  • for the transmitted VP, a digital signature is created with the private key corresponding to the device distributed ID and sent in addition to the original VP text.
  • Upon receiving the request, the online service provider 50 confirms the product order request (S606) and performs an authentication process based on the VP information of the product order request (S608).
  • a total of three digital signature values must be authenticated, and the subject of each digital signature and its distributed ID value are as follows.
  • the service provider 50 sends a distributed ID resolving batch request to the distributed ID resolver 40 to retrieve the public key of each distributed ID (S610).
  • the distributed ID resolver 40 finds the distributed trust storage 70 suitable for the distributed ID domain with the distributed IDs received and performs distributed ID document inquiry (S612, S614).
  • the distributed ID resolver 40 puts the searched distributed ID documents in a response message and delivers them to the service provider (S618).
  • the service provider 50 extracts the public key from the document of each distributed ID and verifies the digital signature values of the device VC, membership VC, and VP, respectively (S620).
  • the service provider 50 processes the product order through the online market according to the requested product order details (S622).
  • the service provider 50 transmits a response to the product order request to the device (S624).
  • Upon receiving the product order response, the device displays a screen indicating that the product order was successful on the touch screen of the refrigerator (S626).
  • FIG. 17 is a diagram showing the configuration of a computer system according to an embodiment.
  • the identity management app of the distributed ID-based verification credential management and device verification method according to the embodiment may be implemented in the computer system 1000 such as a computer-readable recording medium.
  • Computer system 1000 may include one or more processors 1010, memory 1030, user interface input devices 1040, user interface output devices 1050, and storage 1060 that communicate with each other over a bus 1020. In addition, computer system 1000 may further include a network interface 1070 coupled to network 1080.
  • the processor 1010 may be a central processing unit or a semiconductor device that executes programs or processing instructions stored in the memory 1030 or the storage 1060.
  • the memory 1030 and the storage 1060 may be storage media including at least one of volatile media, nonvolatile media, removable media, non-removable media, communication media, and information delivery media.
  • memory 1030 may include ROM 1031 or RAM 1032.
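
The BLE transfer of the membership VC registration request described in the list above (start packet, numbered data packets, end packet, ALL_RCV notification, three attempts) can be exercised as follows. This is an added example, not code from the patent: the `{` `}` delimiters stand in for the characters that are garbled on this page, and the payload size, the packet-count rule and the `link` callback are assumptions.

```javascript
// Added example: framing, reassembly and retry for the membership VC registration request.
// ASSUMPTIONS (not from the patent): '{' and '}' stand in for the delimiter characters
// that are garbled on the page, and ceil(length / PAYLOAD_SIZE) stands in for the
// packet-count formula, which the page does not give.
const PAYLOAD_SIZE = 16; // hypothetical payload size per data packet, in characters

// Sender side: start packet, numbered data packets, end packet.
function buildPackets(message) {
  const chunks = [];
  for (let i = 0; i < message.length; i += PAYLOAD_SIZE) {
    chunks.push(message.slice(i, i + PAYLOAD_SIZE));
  }
  return [
    `{SOF}${chunks.length}`,
    ...chunks.map((data, seq) => `{NUM_${seq}}${data}`),
    '{EOF}',
  ];
}

// Device side: collects data packets by sequence number and only acknowledges
// a transfer whose packet count matches the start packet.
class DeviceReceiver {
  constructor() {
    this.message = null; // last fully reassembled request
    this.reset();
  }

  reset() {
    this.expected = null; // packet count announced by the start packet
    this.parts = new Map(); // sequence number -> data
  }

  // Returns '{ALL_RCV}' when a complete request has been reassembled, otherwise null.
  receive(packet) {
    let m = /^\{SOF\}(\d+)$/.exec(packet);
    if (m) {
      this.reset();
      this.expected = Number(m[1]);
      return null;
    }
    if (this.expected === null) return null; // nothing is accepted before a start packet
    m = /^\{NUM_(\d+)\}([\s\S]*)$/.exec(packet);
    if (m) {
      const seq = Number(m[1]);
      if (seq < this.expected) this.parts.set(seq, m[2]); // ignore out-of-range numbers
      return null;
    }
    if (packet !== '{EOF}') return null; // unknown packet type
    const complete = this.parts.size === this.expected;
    if (complete) {
      let text = '';
      for (let seq = 0; seq < this.expected; seq++) text += this.parts.get(seq);
      this.message = text;
    }
    this.reset(); // a lost packet leaves no notification, so the app retransmits
    return complete ? '{ALL_RCV}' : null;
  }
}

// App side: `link` is a hypothetical transport callback that delivers one packet and
// returns the device's reply, or null. A missing '{ALL_RCV}' after the end packet
// models the timeout; the whole request is retransmitted, three attempts in total.
function sendWithRetry(message, link, maxAttempts = 3) {
  const packets = buildPackets(message);
  for (let attempt = 1; attempt <= maxAttempts; attempt++) {
    let reply = null;
    for (const packet of packets) reply = link(packet) || reply;
    if (reply === '{ALL_RCV}') return { ok: true, attempts: attempt };
  }
  return { ok: false, attempts: maxAttempts }; // the app reports the failure to the user
}

// Constructed run: the third packet of the first attempt is lost in transit.
function demoLossyTransfer() {
  const device = new DeviceReceiver();
  const request = JSON.stringify({
    vc: { vcId: 'vc-constructed-1' },
    meta: { name: 'membership' },
  });
  let sent = 0;
  const lossyLink = (packet) => (++sent === 3 ? null : device.receive(packet));
  const result = sendWithRetry(request, lossyLink);
  return { request, received: device.message, result };
}

console.log(demoLossyTransfer().result);
```

Because the receiver keys data by sequence number and compares the count with the start packet, reordered packets still reassemble correctly and a dropped packet results in no notification rather than a truncated VC being stored.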

Abstract

A distributed ID-based verification credential management method for achieving the above objective, according to one embodiment of the present invention, comprises the steps of: registering IoT device connection information including first verification credentials corresponding to an IoT device; issuing second verification credentials corresponding to a user; and registering the issued second verification credentials with the IoT device.

Description

Distributed ID-based verification credential management and device verification method and apparatus
The present invention is a system configuration and credential management method capable of issuing distributed ID-based digital identities and credentials and providing identification and authentication services between edge devices and service providers in an IoT environment.
Specifically, the present invention relates to an integrated credential management technology for multi-distributed identity management services that performs authentication of a device using distributed ID-based credentials.
Recently, distributed identifiers (Decentralized Identifiers), which allow users to manage and control their own identity information without a centralized registration authority, are being used in various digital industries. In particular, distributed identifiers are used together with the W3C Verifiable Credential standard in various digital certificate services such as mobile driver's licenses and vaccine certificates.
However, in the current multi-distributed identity management service environment, users have to install a separate application provided by each service to manage credentials. As the range of applications to be managed by the user increases, managing and using the credentials corresponding to each application is expected to become inconvenient. In addition, service providers bear the burden of building and managing distributed ID storage and communication systems. Therefore, there is an urgent need for a technology capable of integrated management of credentials in a multi-distributed identity management environment.
Prior Art Document: (Patent Document 1) Korean Registered Patent Publication No. 10-2139645 (Title of Invention: Blockchain-based Identity Verification System and Driving Method thereof)
An object of the present invention is to perform authentication of an edge device in an IoT environment using distributed ID-based credentials.
In addition, an object of the present invention is to provide a convenient user experience for integrated management and inquiry/use of credentials in multi-distributed identity management services.
In order to achieve the above object, a distributed ID-based verification credential management method according to an embodiment of the present invention includes registering IoT device connection information including a first verification credential corresponding to an IoT device, being issued a second verification credential corresponding to a user, and registering the issued second verification credential with the IoT device.
In this case, the registering of the IoT device connection information may include requesting the first verification credential from the IoT device, receiving a verification presentation including the first verification credential, and verifying the digital signatures of the first verification credential and the verification presentation.
In this case, the verifying of the digital signatures may verify the digital signatures based on the distributed ID document corresponding to each of the first verification credential and the verification presentation.
In this case, the distributed ID document corresponding to each of the first verification credential and the verification presentation may be obtained based on the result of requesting distributed ID resolving from a distributed ID resolver for the distributed ID corresponding to each of the first verification credential and the verification presentation.
In this case, the distributed ID resolver may request the distributed ID document from the distributed ID storage corresponding to the distributed ID based on the distributed ID resolving request, and obtain the distributed ID document based on a response from the distributed ID storage.
In this case, the step of being issued the second verification credential may include generating a distributed ID, a distributed ID document, and a digital signature of the user, registering the distributed ID of the user in a distributed ID storage, requesting issuance of a second verification credential corresponding to the user, and verifying a digital signature of the second verification credential based on an issuer distributed ID of the issued second verification credential.
In this case, the second verification credential may include information about a distributed ID corresponding to a user, a distributed ID corresponding to a device, and a first verification credential ID.
In this case, the requesting of issuance of the second verification credential may include generating information necessary for issuing the second verification credential, encrypting the information necessary for issuing the second verification credential and transmitting it to a credential issuing server, and receiving second verification credential issuance information mapped to the device based on a verification result using the distributed ID corresponding to the user.
In this case, the verifying of the digital signature of the second verification credential may include requesting distributed ID resolving for the issuer distributed ID of the second verification credential, receiving a distributed ID resolving response including a distributed ID document based on the distributed ID search result of the distributed ID storage corresponding to the issuer distributed ID, and verifying the digital signature of the second verification credential using a public key of the distributed ID document.
In this case, the registering of the issued second verification credential may include requesting the device to register the second verification credential, and receiving the second verification credential registration result of the device.
In this case, the registration request message of the second verification credential may include the full text of the second verification credential and metadata.
In this case, the device may perform a redundancy check on the second verification credential based on the registration request of the second verification credential.
In addition, a distributed ID-based device verification method according to an embodiment of the present invention for achieving the above object includes receiving a verification request of an IoT device, identifying the IoT device based on a distributed ID included in the verification request, requesting distributed ID resolving from a distributed ID resolver, receiving a resolving result including a distributed ID document from the distributed ID resolver, and verifying a digital signature using the public key of the distributed ID document.
In this case, the verification request of the IoT device may include a verification presentation corresponding to the IoT device.
In this case, the verification presentation may include a first verification credential corresponding to the device, a second verification credential corresponding to the user, and an electronic signature.
In this case, the distributed ID resolver may request the distributed ID document from the distributed ID storage corresponding to the distributed ID based on the distributed ID resolving request, and obtain the distributed ID document based on a response from the distributed ID storage.
In this case, the distributed ID document may include distributed ID documents respectively corresponding to the verification presentation, the first verification credential, and the second verification credential.
In this case, the verifying of the digital signature may verify a digital signature for each of the verification presentation, the first verification credential, and the second verification credential.
In this case, the distributed ID-based device verification method according to an embodiment of the present invention may transmit a verification result to the IoT device based on the verification result of the digital signature.
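The device verification method summarized above (resolve the distributed ID documents, then verify the signatures of the verification presentation, the first verification credential and the second verification credential with the public keys they contain) can be worked through as follows. This is an added example, not code from the patent: Ed25519, the JSON encoding, the in-memory trust storage, the `did:example` identifiers and the `holder` and `proof` field names are assumptions, and the final device-binding comparison goes beyond the three signature checks the text describes.

```javascript
// Added example: verifying the three signatures of a verification presentation (VP).
// ASSUMPTIONS (not from the patent): Ed25519 keys, JSON.stringify as the signed
// encoding, a Map as the distributed trust storage, the did:example identifiers and
// the `holder` and `proof` field names. All credentials below are constructed.
const crypto = require('crypto');

const trustStorage = new Map(); // distributed ID -> distributed ID document

// Registers a constructed distributed ID document and returns its private key.
function registerDid(did) {
  const { publicKey, privateKey } = crypto.generateKeyPairSync('ed25519');
  trustStorage.set(did, { id: did, publicKey });
  return privateKey;
}

// Stand-in for the resolver's batch request: one document (or null) per distributed ID.
function resolveBatch(dids) {
  return new Map(dids.map((did) => [did, trustStorage.get(did) || null]));
}

function signDoc(doc, privateKey) {
  const body = Buffer.from(JSON.stringify(doc));
  return { ...doc, proof: crypto.sign(null, body, privateKey).toString('base64') };
}

// Checks one signature with the public key from the signer's distributed ID document.
function checkSig(signed, signerDid, didDocs) {
  const { proof, ...doc } = signed;
  const didDoc = didDocs.get(signerDid);
  if (typeof proof !== 'string' || !didDoc) return false; // unsigned or unresolvable
  const body = Buffer.from(JSON.stringify(doc));
  return crypto.verify(null, body, didDoc.publicKey, Buffer.from(proof, 'base64'));
}

function verifyPresentation(vp) {
  const { deviceVc, membershipVc } = vp;
  if (!deviceVc || !membershipVc) return { ok: false, failures: ['missing credential'] };
  const didDocs = resolveBatch([vp.holder, deviceVc.issuer, membershipVc.issuer]);
  const failures = [];
  if (!checkSig(vp, vp.holder, didDocs)) failures.push('VP signature');
  if (!checkSig(deviceVc, deviceVc.issuer, didDocs)) failures.push('device VC signature');
  if (!checkSig(membershipVc, membershipVc.issuer, didDocs)) failures.push('membership VC signature');
  // Added check: the membership VC must name the presenting device and its device VC,
  // otherwise three valid signatures could belong to unrelated credentials.
  const member = membershipVc.credentialSubject || {};
  const device = deviceVc.credentialSubject || {};
  if (device.deviceDid !== vp.holder || member.deviceDid !== vp.holder ||
      member.deviceVcId !== deviceVc.vcId) failures.push('device binding');
  return { ok: failures.length === 0, failures };
}

// Constructed manufacturer, device and service provider with their credentials.
function buildSample() {
  const keys = {
    manufacturer: registerDid('did:example:manufacturer'),
    device1: registerDid('did:example:device-1'),
    provider: registerDid('did:example:service-provider'),
  };
  const deviceVc = signDoc({
    vcId: 'https://vc.example/device/1',
    issuer: 'did:example:manufacturer',
    credentialSubject: { deviceDid: 'did:example:device-1' },
  }, keys.manufacturer);
  const membershipFor = (deviceDid, deviceVcId) => signDoc({
    vcId: `https://vc.example/membership/${deviceDid}`,
    issuer: 'did:example:service-provider',
    credentialSubject: { userDid: 'did:example:user-1', deviceDid, deviceVcId },
  }, keys.provider);
  const present = (membershipVc) =>
    signDoc({ holder: 'did:example:device-1', deviceVc, membershipVc }, keys.device1);
  return { deviceVc, membershipFor, present };
}

function demo() {
  const s = buildSample();
  const good = s.present(s.membershipFor('did:example:device-1', s.deviceVc.vcId));
  // Validly signed membership VC that was issued for a different device.
  const other = s.present(s.membershipFor('did:example:device-2', 'https://vc.example/device/2'));
  // Credential content altered after signing.
  const tampered = JSON.parse(JSON.stringify(good));
  tampered.membershipVc.credentialSubject.userDid = 'did:example:user-2';
  return {
    good: verifyPresentation(good),
    other: verifyPresentation(other),
    tampered: verifyPresentation(tampered),
  };
}

console.log(demo());
```

The signature checks only establish which distributed IDs signed; which issuer distributed IDs a service provider accepts is a separate policy decision that this example does not model.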
According to the present invention, authentication of an edge device can be performed in an IoT environment using distributed ID-based credentials.
In addition, the present invention can provide a convenient user experience for integrated management and inquiry/use of credentials on multi-distributed identity management services.
In addition, the present invention can easily provide an integrated environment with other distributed ID systems by using a distributed ID-based authentication process.
FIG. 1 is a diagram conceptually illustrating a distributed identity management service environment based on distributed ID.
FIG. 2 is a diagram conceptually illustrating a multi-distributed identity management service environment.
FIG. 3 is a diagram illustrating, by way of example, an IoT environment composed of sensor-based edge device nodes.
FIG. 4 is a diagram conceptually illustrating a communication process of Bluetooth Low Energy (BLE).
FIG. 5 is a diagram conceptually illustrating a credential management method in a multi-distributed identity management service environment.
FIG. 6 is a diagram conceptually illustrating authentication between IoT devices using a common authentication method.
FIG. 7 is a flowchart illustrating a distributed ID-based verification credential management method according to an embodiment of the present invention.
FIG. 8 is a flowchart illustrating a distributed ID-based device authentication method according to an embodiment of the present invention.
FIG. 9 is a diagram conceptually illustrating a distributed ID and credential-based verification system according to an embodiment of the present invention.
FIGS. 10 to 11 are flowcharts showing in detail a process of registering device connection information according to an embodiment of the present invention.
FIGS. 12 to 14 are flowcharts showing in detail a membership VC issuing process according to an embodiment of the present invention.
FIG. 15 is a flowchart showing in detail a membership VC registration process according to an embodiment of the present invention.
FIG. 16 is a flowchart illustrating in detail a process of performing device verification according to an embodiment of the present invention.
FIG. 17 is a diagram showing the configuration of a computer system according to an embodiment.
Advantages and features of the present invention, and methods of achieving them, will become clear with reference to the embodiments described in detail below in conjunction with the accompanying drawings. However, the present invention is not limited to the embodiments disclosed below and may be implemented in various different forms; these embodiments are provided only so that the disclosure of the present invention is complete and so that those of ordinary skill in the art to which the present invention belongs are fully informed of the scope of the invention, and the present invention is defined only by the scope of the claims. Like reference numbers designate like elements throughout the specification.
Although "first" or "second" is used to describe various elements, these elements are not limited by such terms. Such terms are used only to distinguish one component from another. Therefore, the first component mentioned below may also be the second component within the technical spirit of the present invention.
Terms used in this specification are for describing embodiments and are not intended to limit the present invention. In this specification, singular forms also include plural forms unless specifically stated otherwise in a phrase. As used herein, "comprises" or "comprising" means that a stated component or step does not preclude the presence or addition of one or more other components or steps.
Unless otherwise defined, all terms used herein may be interpreted as having the meanings commonly understood by those of ordinary skill in the art to which the present invention belongs. In addition, terms defined in commonly used dictionaries are not interpreted ideally or excessively unless explicitly and specifically defined.
Hereinafter, embodiments of the present invention will be described in detail with reference to the accompanying drawings. In the description with reference to the drawings, the same or corresponding components are given the same reference numerals, and overlapping descriptions thereof are omitted.
FIG. 1 is a diagram conceptually illustrating a distributed identity management service environment based on distributed IDs.
Referring to FIG. 1, a distributed identity management service environment is composed of entities such as an issuer, a user, a verifier, and a trust store. The issuer issues credentials to the user, and the user manages the issued credentials and submits the credentials needed to use a service to the verifier. The verifier requests the credentials required for providing the service from the user and provides the service after verifying the credentials the user submitted. The trust store stores and manages the distributed identifiers (IDs) that represent the identities of issuers, users, and verifiers, together with the distributed identifier documents.
FIG. 2 is a diagram conceptually illustrating a multi-distributed identity management service environment.
Recently, as distributed identity management services have come into use in various fields, a multi-distributed identity management service environment has arrived in which a user manages credentials issued through two or more distributed identity management services, and a verifier provides a service by verifying user credentials issued by different distributed identity management services.
FIG. 3 is a diagram illustrating, by way of example, an IoT environment composed of sensor-based edge device nodes.
The present day is called the era of the fourth industrial revolution, and various advanced technologies are emerging, such as the core ICBM technologies (IoT, Cloud Computing, Big Data, Mobile), artificial intelligence, autonomous driving, and smart cities. The volume of data used in this digital society keeps growing, and processing it requires ultra-high-speed and ultra-low-latency data transmission.
The Internet of Things requires hyper-connectivity that can connect millions of devices in home, everyday, and industrial settings. 5G, the fifth generation of mobile communication, supports ultra-high-speed transmission and ultra-low latency along with hyper-connectivity that allows one million devices per unit area (1 km²) to connect, so it is drawing attention as an essential technology optimized for communication between edge devices in an IoT environment.
FIG. 4 is a diagram conceptually illustrating the communication process of Bluetooth Low Energy (BLE).
In addition, as society becomes more digital, electronic devices are becoming smaller, and devices with correspondingly low power specifications are appearing. With small low-power devices being released one after another, Bluetooth is drawing attention as a suitable short-range wireless technology; Bluetooth 4.0 and later support classic Bluetooth, high-speed Bluetooth (up to 24 Mbps), and Bluetooth Low Energy (BLE). With the advent of BLE, beacons, which had previously suffered from power supply and mobility problems, also advanced; a BLE beacon can operate for up to two years or more on a single mercury battery, further opening up the potential of the IoT industry.
Referring to FIG. 4, the packet transmission and reception process between the Central device, which corresponds to the client, and the Peripheral device, which corresponds to the server, can be seen.
FIG. 5 is a diagram conceptually illustrating a credential management method in a multi-distributed identity management service environment.
Referring to FIG. 5, the user has to install the separate application provided by each service in order to manage identity credentials.
In such a user environment, it is difficult for the user to conveniently look up and submit the appropriate credential when using a service that relies on credentials. When distributed identity management functions are applied to more service fields in the future, the number of applications a user has to manage is expected to grow further, increasing the inconvenience of managing and using credentials.
Service providers also bear the burden of building and managing their own communication system with the distributed ID store. A method is therefore needed for securely managing, looking up, and using credentials in an integrated way in a multi-distributed identity management service environment.
FIG. 6 is a diagram conceptually illustrating authentication between IoT devices using a common authentication method.
The current IoT security certification scheme evaluates security measures differently and assigns different certification grades depending on device size. This can cause difficulties in mutual authentication between devices. In the future, at least millions of IoT devices will be used for IoT services across various industries, and this calls for a way to perform authentication between IoT devices with a common authentication method that does not depend on the device, as shown in FIG. 6.
FIG. 7 is a flowchart illustrating a distributed ID-based verification credential management method according to an embodiment of the present invention.
The distributed ID-based verification credential management method according to an embodiment of the present invention may be performed in a distributed ID-based authentication system.
In the following, however, the method according to the embodiment is described in detail with a focus on the process performed in the device identity management (credential) application.
Referring to FIG. 7, the distributed ID-based verification credential management method according to the embodiment registers IoT device connection information that includes a first verification credential corresponding to the IoT device (S110).
Next, issuance of a second verification credential corresponding to the user is requested (S120), and the issued second verification credential is registered in the IoT device (S130).
Here, registering the IoT device connection information (S110) may include requesting the first verification credential from the IoT device, receiving a verification presentation that includes the first verification credential, and verifying the digital signatures of the first verification credential and the verification presentation.
Here, the verifying of the digital signatures may verify each digital signature based on the distributed ID document corresponding to each of the first verification credential and the verification presentation.
Here, the distributed ID document corresponding to each of the first verification credential and the verification presentation may be obtained based on the result of requesting a distributed ID resolver to resolve the distributed ID corresponding to each of the first verification credential and the verification presentation.
Here, based on the distributed ID resolving request, the distributed ID resolver may request the distributed ID document from the distributed ID store corresponding to the distributed ID, and may obtain the distributed ID document based on the response of the distributed ID store.
Here, being issued the second verification credential may include generating the user's distributed ID, distributed ID document, and digital signature; registering the user's distributed ID in a distributed ID store; requesting issuance of a second verification credential corresponding to the user; and verifying the digital signature of the second verification credential based on the issuer distributed ID of the issued second verification credential.
Here, the second verification credential may include information about the distributed ID corresponding to the user, the distributed ID corresponding to the device, and the first verification credential ID.
Here, requesting issuance of the second verification credential (S120) may include generating the information required for issuing the second verification credential, encrypting that information and transmitting it to a credential issuing server, and receiving second verification credential issuance information mapped to the device based on a verification result that uses the distributed ID corresponding to the user.
Here, verifying the digital signature of the second verification credential may include requesting distributed ID resolving for the issuer distributed ID of the second verification credential, receiving a distributed ID resolving response that includes a distributed ID document based on the distributed ID lookup result of the distributed ID store corresponding to the issuer distributed ID, and verifying the digital signature of the second verification credential using the public key in the distributed ID document.
Here, registering the issued second verification credential (S130) may include requesting the device to register the second verification credential and receiving the device's second verification credential registration result.
Here, the registration request message for the second verification credential may include the full text of the second verification credential and metadata.
Here, the device may perform a duplicate check on the second verification credential based on the registration request for the second verification credential.
FIG. 8 is a flowchart illustrating a distributed ID-based device authentication method according to an embodiment of the present invention.
Referring to FIG. 8, the distributed ID-based device verification method according to an embodiment of the present invention includes receiving a verification request from an IoT device (S210), identifying the IoT device based on the distributed ID included in the verification request (S220), requesting distributed ID resolving from a distributed ID resolver (S230), receiving from the distributed ID resolver a resolving result that includes a distributed ID document (S240), and verifying a digital signature using the public key in the distributed ID document (S250).
Here, the verification request from the IoT device may include a verification presentation corresponding to the IoT device.
Here, the verification presentation may include a first verification credential corresponding to the device, a second verification credential corresponding to the user, and a digital signature.
Here, based on the distributed ID resolving request, the distributed ID resolver may request the distributed ID document from the distributed ID store corresponding to the distributed ID, and may obtain the distributed ID document based on the response of the distributed ID store.
Here, the distributed ID document may include the distributed ID documents corresponding respectively to the verification presentation, the first verification credential, and the second verification credential.
Here, verifying the digital signature (S250) may verify the digital signature of each of the verification presentation, the first verification credential, and the second verification credential.
Although not shown in FIG. 8, the distributed ID-based device verification method according to an embodiment of the present invention may further include transmitting a verification result to the IoT device based on the result of verifying the digital signature.
FIG. 9 is a diagram conceptually illustrating a distributed ID and credential-based verification system according to an embodiment of the present invention.
Referring to FIG. 9, the system according to an embodiment of the present invention may include an edge device 10, a device identity management app 20, a distributed ID management server 30, a distributed ID resolver 40, a service provider (home IoT service) 50, a distributed trust store A 60, and a distributed trust store B 70.
Here, the device identity management app 20 may be an app running on a user terminal such as a smartphone, personal computer, laptop, or tablet PC. The components of the system according to an embodiment of the present invention are described in detail below.
The edge device 10 is a manufacturer's IoT device, and a manufacturer device VC (Verifiable Credential) is embedded in it at shipment.
Here, the edge device 10 may request a service from the service provider using the device VC and a membership VC.
Here, in an embodiment of the present invention, the device VC and the membership VC may correspond to the first verification credential and the second verification credential, respectively.
The device identity management app 20 is an entity that performs identity credential management and service configuration so that the device can use a service.
Here, the device identity management app 20 may be issued a membership VC, which proves eligibility when the service is used, and register it in the device.
In addition, the device identity management app 20 may look up the device VC and the membership VC in the device settings window.
Here, the membership VC can be issued and deleted, whereas the device VC may be set as a built-in default of the device so that it cannot be deleted.
The distributed ID management server 30 is an entity that registers distributed IDs in a distributed trust store and manages them.
Here, the distributed ID management server 30 may be used to register, look up, update, and revoke distributed IDs for each service domain.
The distributed ID resolver 40 is an entity that provides a lookup function for the distributed IDs managed in the distributed trust store of each service domain.
Here, the distributed ID resolver 40 may determine, from the distributed ID information, the location of the distributed trust store to be queried.
The service provider 50 is an entity that issues to the user the service credential (membership VC) the device needs in order to request a service, and that processes service requests.
The distributed trust stores 60 and 70 are entities in which each distributed ID and its corresponding data (public key, distributed ID document, metadata, and so on) are registered.
Through a mobile device, the user can use the home IoT service. For example, a refrigerator has a built-in edge device (hereinafter, the device), and the device carries a verification credential (hereinafter, VC) used for device authentication. This device VC is issued by the device manufacturer and is embedded in the device in advance.
The user can connect to the device from the mobile device over BLE and manage the VCs held in the device. Two VCs can be managed: the device VC, which is needed to prove manufacture by the device manufacturer, and the membership VC, which is needed to authenticate the user of the home IoT refrigerator service. The membership VC can be issued by the refrigerator home service provider, and the device VC must be verified before a membership VC is issued.
To be issued a membership VC, the user sends the device VC to the refrigerator home service provider; to verify it, the refrigerator home service provider must access the device manufacturer's distributed ID trust store and look up the distributed ID mapped to the device VC. Different distributed identity management services can interoperate through the distributed ID resolver, and the service credential procedure is carried out through the exchange of signed data and signature verification among the issuer, the user, and the verifier (service provider), based on the W3C standard distributed ID/VC framework.
BLE is used for data exchange between the device and the user's mobile device, and ordinary Internet communication is used everywhere else.
FIGS. 10 to 11 are flowcharts showing in detail the process of registering device connection information according to an embodiment of the present invention.
Referring to FIGS. 10 to 11, the user opens the device management screen in the identity management app 20 and presses the 'Add device' button (S302).
On the device management screen, the status of distributed IDs and VCs can be checked, and the device distributed ID and the membership VC can be registered and deleted.
The mobile device searches for connectable devices using BLE, the low-power wireless technology supported by Bluetooth 4.0 and later (S304). When a connectable device is found, a BLE connection is made (S306). If the connection succeeds, the identity management app 20 requests from the device 10 the device VC used for trusted-device authentication (S308).
The device 10 generates a device VC request response for delivering the requested device VC to the mobile device (S310).
Here, the VC is not delivered as is; instead, a VP (Verifiable Presentation) is delivered whose structure has the device VC embedded in it (S312). A value digitally signed with the private key corresponding to the device distributed ID may be added to the VP.
The identity management app 20 verifies the digital signature values of the VP received from the device 10 and of the device VC contained in it (S314, S316). The public key needed to verify each signature value is stored in the document of the corresponding distributed ID, which must be obtained from the respective distributed trust store.
The identity management app 20 requests a distributed ID document lookup from the distributed ID management server 30 (S318).
The distributed ID management server 30 identifies the service domain from the received distributed ID value (S320). For the same domain, the lookup can be done through the distributed ID management server; for a heterogeneous domain, the distributed ID document is looked up through the distributed ID resolver 40 (S322). Because a distributed ID managed by the manufacturer belongs to a heterogeneous domain, the distributed ID management server 30 requests the distributed ID resolver 40 to look up the distributed ID document (distributed ID resolving).
The distributed ID resolver 40 analyzes the received distributed ID values to identify the domain and finds the driver that connects to that domain (S322). Through the driver, the distributed ID resolver 40 requests a distributed ID lookup from the domain that matches the distributed ID value (S326) and obtains the documents according to the lookup result (S328, S330).
The obtained documents are placed in the response to the distributed ID management server's resolving request and transmitted (S332, S334). The distributed ID management server 30 generates a response containing the distributed ID documents (manufacturer distributed ID document / device distributed ID document) from the response received from the distributed ID resolver 40 (S336, S338) and sends it to the identity management app 20 (S340).
Using the received distributed ID documents (S342, S344), the identity management app 20 verifies the digital signatures of the VP and the VC (S346); the signature verification uses the public key in each distributed ID document. The digital signature value of the VP is verified with the public key of the device distributed ID, and the digital signature value of the VC is verified with the public key of the manufacturer distributed ID. When signature verification is complete, the identity management app stores the device identification information for later use as connection information (S348, S350).
Here, the device identification information may consist of the device distributed ID, the device VC ID, and the device model name. The device VC ID is an ID that the manufacturer generates to manage device VC issuance information, and it generally takes the form of a URL.
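The checks in S314 to S346 and in FIG. 8 (S230 to S250), as an added Node.js example that is not code from the patent: a resolver picks a driver by domain, the VP is verified with the holder's key, and each VC is verified with its issuer's key. It goes beyond FIGS. 10 to 11 by also carrying a membership VC in the VP; the `did:mfr:` and `did:home:` identifiers, the simplified field names, the sorted-key JSON signing rule, Ed25519, and the binding checks are all assumptions.

```javascript
// Added example, not from the patent: resolver dispatch plus VP/VC signature checks.
const nodeCrypto = require('node:crypto');

// Bytes that get signed: JSON with sorted keys, top-level "proof" excluded (assumed rule).
function canonical(obj) {
  const sort = (v) => (Array.isArray(v) ? v.map(sort)
    : v && typeof v === 'object'
      ? Object.fromEntries(Object.keys(v).sort().map((k) => [k, sort(v[k])]))
      : v);
  const { proof, ...body } = obj;
  return Buffer.from(JSON.stringify(sort(body)));
}

// Attach an Ed25519 proof made with the private key of the signing distributed ID.
function sign(doc, signerDid, privateKey) {
  const signature = nodeCrypto.sign(null, canonical(doc), privateKey).toString('base64');
  return { ...doc, proof: { signer: signerDid, signature } };
}

// Distributed ID resolver: picks a driver by the domain part of "did:<domain>:<id>".
class DidResolver {
  constructor(drivers) { this.drivers = drivers; } // Map: domain -> lookup function
  resolve(did) {
    const m = /^did:([a-z0-9]+):[A-Za-z0-9._-]+$/.exec(String(did));
    if (!m) throw new Error(`malformed distributed ID: ${did}`);
    const driver = this.drivers.get(m[1]);
    if (!driver) throw new Error(`no driver for domain: ${m[1]}`);
    const doc = driver(did);
    if (!doc || doc.id !== did) throw new Error(`not registered: ${did}`);
    return doc;
  }
}

// Verify one proof with the public key taken from the signer's distributed ID document.
function verifyProof(doc, expectedSigner, resolver) {
  if (!doc.proof || doc.proof.signer !== expectedSigner) return false;
  try {
    const key = nodeCrypto.createPublicKey(resolver.resolve(expectedSigner).publicKeyPem);
    return nodeCrypto.verify(null, canonical(doc), key,
      Buffer.from(doc.proof.signature, 'base64'));
  } catch {
    return false; // unresolvable ID or unusable key counts as a failed verification
  }
}

// The VP is checked against the holder (device) ID, each VC against its issuer ID.
function verifyPresentation(vp, resolver) {
  if (!Array.isArray(vp.verifiableCredential)) return { ok: false, reason: 'malformed VP' };
  if (!verifyProof(vp, vp.holder, resolver)) return { ok: false, reason: 'VP signature' };
  for (const vc of vp.verifiableCredential) {
    if (!verifyProof(vc, vc.issuer, resolver)) {
      return { ok: false, reason: `VC signature: ${vc.id}` };
    }
  }
  // Binding checks (assumed policy): the VCs must refer to the device that signed the VP.
  const dev = vp.verifiableCredential.find((vc) => vc.type === 'DeviceVC');
  if (!dev || dev.subject !== vp.holder) return { ok: false, reason: 'device VC binding' };
  const mem = vp.verifiableCredential.find((vc) => vc.type === 'MembershipVC');
  if (mem && (mem.deviceDid !== vp.holder || mem.deviceVcId !== dev.id)) {
    return { ok: false, reason: 'membership VC binding' };
  }
  return { ok: true, reason: 'verified' };
}

// Constructed sample data: two trust stores, four distributed IDs, one VP.
function buildDemo() {
  const keys = {};
  const storeA = new Map(); // manufacturer domain
  const storeB = new Map(); // home IoT service domain
  const register = (store, did) => {
    const { publicKey, privateKey } = nodeCrypto.generateKeyPairSync('ed25519');
    keys[did] = privateKey;
    store.set(did, { id: did, publicKeyPem: publicKey.export({ type: 'spki', format: 'pem' }) });
  };
  register(storeA, 'did:mfr:maker');
  register(storeA, 'did:mfr:fridge01');
  register(storeB, 'did:home:provider');
  register(storeB, 'did:home:user01');
  const resolver = new DidResolver(new Map([
    ['mfr', (did) => storeA.get(did)],
    ['home', (did) => storeB.get(did)],
  ]));
  const deviceVc = sign({ id: 'https://maker.example/vc/1', type: 'DeviceVC',
    issuer: 'did:mfr:maker', subject: 'did:mfr:fridge01', model: 'RF-100' },
  'did:mfr:maker', keys['did:mfr:maker']);
  const memberVc = sign({ id: 'https://home.example/vc/9', type: 'MembershipVC',
    issuer: 'did:home:provider', subject: 'did:home:user01',
    deviceDid: 'did:mfr:fridge01', deviceVcId: deviceVc.id },
  'did:home:provider', keys['did:home:provider']);
  const vp = sign({ holder: 'did:mfr:fridge01', verifiableCredential: [deviceVc, memberVc] },
    'did:mfr:fridge01', keys['did:mfr:fridge01']);
  return { resolver, keys, storeA, deviceVc, memberVc, vp };
}

const demoRun = buildDemo();
console.log(verifyPresentation(demoRun.vp, demoRun.resolver));
```

A VC whose content was altered is rejected even when the device wraps it in a freshly signed VP, because the issuer's signature on the VC is checked separately from the holder's signature on the VP.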
FIGS. 12 to 14 are flowcharts showing in detail the membership VC issuance process according to an embodiment of the present invention.
Referring to FIGS. 12 to 14, the user requests the service provider 50 to issue a membership VC from the identity management app 20 in order to use the home IoT service. For security during the membership VC issuance process, a secure connection is established in advance (S402) using DID Authentication. This is a technique used in distributed ID systems in which the entities each derive, from the distributed ID values they hold, a common session key for end-to-end (E2E) communication and then communicate using symmetric encryption with that key.
Once DID Authentication is established, the user registers the distributed ID to be used in the home IoT service domain. The identity management app 20 creates a distributed ID and document for the service user and then digitally signs the document with the private key corresponding to that distributed ID (S404). The identity management app requests the distributed ID management server 30 to register the service-user distributed ID (S406). These values are registered, through the distributed ID management server 30, in the distributed trust store within the service domain (S408). Distributed trust store B 70 verifies the digital signature value of the distributed ID document to be registered by self-signature verification and, if verification succeeds, registers the document in the distributed trust store without its digital signature value (S410, S412, S414). When registration is complete, distributed trust store B 70 sends a response to the distributed ID management server 30 (S416). The distributed ID management server 30, having received the response, forwards it to the identity management app 20 (S418).
Once the distributed ID for user service is registered, the identity management app 20 requests the service provider 50 to issue a membership VC (S420). The service provider 50 sends the information required for issuing the membership VC in the form of a request message, which is delivered to the identity management app 20 encrypted with the session key shared through the initial DID Authentication connection (S422). The identity management app 20 decrypts the received request with the session key (S424), identifies the information required for the membership VC, and fills in the corresponding values (S426). Three main items of information are required.
The three items are what is needed to associate the user with the device: the service-user distributed ID, which is the distributed ID mapped directly to the membership VC, and the device distributed ID and the device VC ID, which are the items mapped to the device VC.
After filling in these values, the identity management app 20 sends a response to the service provider (S428), again in encrypted form using the session key. In the encrypted transmission over the session key, a challenge-response authentication step is performed every time in order to prevent replay attacks.
서비스 제공자(50)는 전달받은 암호화된 응답문을 복호화(S430)하여 멤버십 VC 발급에 필요한 3가지 ID값들을 추출한다. 이 중 서비스 사용자용 분산 ID 값을 가지고 분산 ID 리졸버(40)에 조회 요청을 하여 실제로 등록되어 있는 분산 ID 인지에 대한 확인을 거친다(S432). The service provider 50 decrypts the received encrypted response message (S430) and extracts three ID values necessary for issuing the membership VC. Among them, a search request is made to the distributed ID resolver 40 with the distributed ID value for the service user, and confirmation is made as to whether the distributed ID is actually registered (S432).
서비스 제공자(50)는 분산 ID 리졸버(40)에 서비스 사용자용 분산 ID 리졸빙을 요청한다(S434). 분산 ID 리졸버(40)는 분산 신뢰 저장소 B(70)에 서비스 사용자용 분산 ID 문서의 조회를 요청하고(S436), 조회 결과(S438)에 따라 서비스 사용자용 분산 ID 문서 응답을 수신한다(S440). 분산 ID 리졸버(40)는 서비스 사용자용 분산 ID 리졸빙 응답을 서비스 제공자에게 전송한다(S442). 해당 분산 ID가 등록되어 있는 것이 확인되면(S444) 서비스 제공자(50)는 멤버십 VC 발급 절차를 진행한다. 서비스 제공자(50)는 디바이스와 연계된 멤버십 VC를 생성한다(S446).The service provider 50 requests the distributed ID resolver 40 to resolve the distributed ID for the service user (S434). The distributed ID resolver 40 requests the distributed trust storage B 70 to retrieve the distributed ID document for the service user (S436), and receives a response of the distributed ID document for the service user according to the search result (S438) (S440). . The distributed ID resolver 40 transmits a distributed ID resolving response for the service user to the service provider (S442). When it is confirmed that the corresponding distributed ID is registered (S444), the service provider 50 proceeds with a membership VC issuance procedure. The service provider 50 creates a membership VC associated with the device (S446).
멤버십 VC에는 사용되는 특정 디바이스 및 사용자 정보가 들어있으며, 해당 정보는 VC의 credentialSubject 필드에 주입된다. 멤버십 VC 발급 시에는 서비스 제공자(50)의 분산 ID에 대응하는 개인키를 사용하여 전자서명 값을 추가한다. 일반적으로, VC 발급 과정은 서비스 제공자마다 별도로 관리하는 VC 발급 서버가 있고 서비스 제공자마다 그 구조도 다를 수 있으며, 본 발명의 범위가 이에 제한되지 않는다.The membership VC contains specific device and user information, and the information is injected into the credentialSubject field of the VC. When issuing membership VC, a digital signature value is added using a private key corresponding to the distributed ID of the service provider 50. In general, the VC issuance process has a VC issuing server separately managed for each service provider, and the structure may be different for each service provider, and the scope of the present invention is not limited thereto.
서비스 제공자(50)가 만든 멤버십 VC는 신원관리 앱(20)에 보낼 VC 발급요청 응답문에 담기게 되며, 세션키를 통한 암호화된 응답문의 형태로 전송한다(S448). 암호화된 응답문을 받은 신원관리 앱(20)은 세션키로 응답문을 복호화하여 멤버십 VC를 획득한다(S450). 멤버십 VC의 필드 중 issuer라는 필드는 VC 발급자의 분산 ID 값이며, 이 값을 분산 ID 리졸빙 요청(S452, S454)하여 획득한 문서 값, 즉 VC 발급자의 공개키를 획득할 수 있다.The membership VC created by the service provider 50 is included in the VC issuance request response statement to be sent to the identity management app 20, and is transmitted in the form of an encrypted response statement through the session key (S448). The identity management app 20 receiving the encrypted response text decrypts the response text with the session key to obtain the membership VC (S450). Among the fields of the membership VC, the issuer field is a distributed ID value of the VC issuer, and a document value obtained by requesting distributed ID resolving (S452, S454) for this value, that is, the public key of the VC issuer can be obtained.
구체적으로, 분산 ID 리졸버(40)는 이종 도메인에 상응하는 분산 신뢰 저장소 A(60)에 분산 ID 문서 조회를 요청하고(S456), 분산 ID 문서 조회 결과(S458)를 수신한다(S460). 분산 ID 리졸버(40)는 이종 도메인 분산 ID 리졸빙 응답을 분산 ID 관리 서버(30)에 전송하고(S462), 분산 ID 관리 서버(30)는 신원관리 앱(20)에 전송한다.Specifically, the distributed ID resolver 40 requests distributed ID document inquiry to the distributed trust storage A 60 corresponding to the heterogeneous domain (S456), and receives a distributed ID document search result (S458) (S460). The distributed ID resolver 40 transmits the heterogeneous domain distributed ID resolving response to the distributed ID management server 30 (S462), and the distributed ID management server 30 transmits the response to the identity management app 20.
신원관리 앱(20)은 획득한 VC 발급자의 공개키를 가지고 발급된 멤버십 VC의 전자서명 값을 검증한다(S466). 이 검증 과정의 목적은 사용자가 전달받은 멤버십 VC가 올바른 VC 발급자가 맞는지에 대한 확인을 하기 위함이다. 멤버십 VC의 전자서명 검증이 완료되면, 신원관리 앱은 멤버십 VC를 저장하고 이후 홈 사물인터넷 서비스 이용 시 해당 VC를 활용할 수 있다.The identity management app 20 verifies the digital signature value of the issued membership VC with the obtained public key of the VC issuer (S466). The purpose of this verification process is to check whether the membership VC received by the user is the correct VC issuer. When the digital signature verification of the membership VC is completed, the identity management app can store the membership VC and utilize the VC when using the home IoT service afterwards.
FIG. 15 is a flowchart showing in detail a membership VC registration process according to an embodiment of the present invention.
Referring to FIG. 15, BLE communication is used when the identity management app 20 transmits the membership VC to the device 10 (S502). Once the user confirms the BLE wireless connection with the device (S504), the membership VC can be registered in the device. When the user clicks the membership VC registration button (S506), a list of transferable membership VCs is displayed, and the user selects a membership VC (S508). The identity management app 20 creates a registration request message for transmitting the membership VC (S510); the full text of the membership VC and the meta information of the membership VC are inserted into the registration request message. The meta information can be used in place of the full VC text when the device 10 displays its VC management list.
Once the membership VC registration request message has been created, it is transmitted to the device over BLE (S512). The transmitted packets fall into three types: a start packet, data packets, and an end packet. The start packet is the header of the membership VC registration request message and has the structure ^SOF^ + [number of data packets]. The total number of data packets to be transmitted can be determined from the start packet, and the number of data packets is calculated as follows.
[membership VC registration request message size] / [transmission size of one data packet]
The data packets carry the actual membership VC registration request data split into pieces; several are transmitted, and their order is not guaranteed. The receiving device 10 must therefore be able to determine the order in which to reassemble the data, and for this purpose the data packet has the structure ^NUM_ + [data packet sequence number] + ^ + [data].
The end packet is the last packet, sent when there is no more data to transmit, and has the structure ^EOF^. When the device has received the end packet, it saves the transmitted packets as a file and sends the identity management app a notification packet indicating that reception is complete. The notification packet has the structure ^ALL_RCV^, and the identity management app 20 ends the transmission mode on receiving it. If the identity management app 20 does not receive this notification packet within a certain period of time, it treats this as a transmission error and retransmits the packets. A total of three attempts are made, and if all three fail, the user is notified of the transmission failure.
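The packet framing described above can be exercised end to end. The following is an added example, not code from the patent: it assumes 1-based sequence numbers, ASCII decimal counters, a rounded-up packet count and a receiver-side cap `MAX_PACKETS`, none of which the text specifies, and `make_link` is a constructed stand-in for the BLE link.

```python
import math
import random

SOF, NUM, EOF, ALL_RCV = b"^SOF^", b"^NUM_", b"^EOF^", b"^ALL_RCV^"
MAX_PACKETS = 4096  # assumed receiver-side cap; the text sets no limit
# Constructed sample request; it contains '^' to show the data part is opaque.
SAMPLE_REQUEST = b'{"vc":"constructed^sample","meta":{"name":"demo"}}' * 3


def frame_request(request, chunk_size):
    """Split a registration request into start, data and end packets."""
    if not request or chunk_size <= 0:
        raise ValueError("need a non-empty request and a positive chunk size")
    # The text gives size / packet size; rounding up is assumed so that a
    # final partial chunk is counted.
    count = math.ceil(len(request) / chunk_size)
    packets = [SOF + str(count).encode()]
    for i in range(count):
        chunk = request[i * chunk_size:(i + 1) * chunk_size]
        packets.append(NUM + str(i + 1).encode() + b"^" + chunk)  # 1-based (assumed)
    packets.append(EOF)
    return packets


def _number(field, upper):
    """Parse an ASCII decimal field; None if malformed or outside 1..upper."""
    if not field.isdigit() or len(field) > 6:
        return None
    value = int(field)
    return value if 1 <= value <= upper else None


class Reassembler:
    """Device-side receiver for one membership VC registration request."""

    def __init__(self):
        self.expected = None   # packet count announced by the start packet
        self.chunks = {}       # sequence number -> data
        self.request = None    # reassembled request once complete
        self.rejected = 0      # malformed or out-of-range packets dropped

    def feed(self, packet):
        """Consume one packet; return ALL_RCV when the request is complete."""
        if packet == EOF:
            return self._finish()
        if packet.startswith(SOF):
            count = _number(packet[len(SOF):], MAX_PACKETS)
            if count is not None:
                # A start packet opens a new transfer or a retransmission.
                self.expected, self.chunks = count, {}
                return None
        elif packet.startswith(NUM) and self.expected is not None:
            # Only the header is parsed; '^' inside the data is left alone.
            head, sep, data = packet[len(NUM):].partition(b"^")
            seq = _number(head, self.expected) if sep else None
            if seq is not None:
                self.chunks.setdefault(seq, data)  # first copy wins on duplicates
                return None
        self.rejected += 1
        return None

    def _finish(self):
        if self.expected is None or len(self.chunks) != self.expected:
            return None  # stay silent: the app times out and retransmits
        self.request = b"".join(self.chunks[i] for i in range(1, self.expected + 1))
        self.expected, self.chunks = None, {}
        return ALL_RCV


def make_link(device, drop_on_attempts=(), seed=7):
    """Constructed link: reorders data packets and drops one on listed attempts."""
    rng = random.Random(seed)
    state = {"attempt": 0}

    def link(packets):
        state["attempt"] += 1
        start, *data, end = packets
        rng.shuffle(data)
        if state["attempt"] in drop_on_attempts:
            data = data[1:]
        replies = (device.feed(p) for p in [start, *data, end])
        return [r for r in replies if r]

    return link


def send_with_retry(packets, link, attempts=3):
    """Send every packet; a missing ALL_RCV models the timeout and triggers a resend."""
    for attempt in range(1, attempts + 1):
        if ALL_RCV in link(packets):
            return attempt
    return None  # all attempts failed: report the transfer failure to the user
```
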
After receiving the membership VC registration request message, the device 10 checks whether the membership VC is a duplicate (S514). The duplicate check uses three pieces of information from the membership VC. First, the device checks whether the vcId field value of the membership VC duplicates that of another VC on the device. Next, it checks whether the deviceDid and deviceVcId values in the credentialSubject field of the membership VC are duplicated.
If the duplicate check finds no problem, the device stores the received membership VC (S516), creates a registration response message, and sends it to the identity management app 20 (S518). The identity management app checks the result in the registration response message and, on success, displays a registration success message (S520).
FIG. 16 is a flowchart showing in detail a process of performing device verification according to an embodiment of the present invention.
Hereinafter, a refrigerator home IoT service process is described in detail with reference to FIG. 16 as an embodiment of the present invention.
The user can configure the refrigerator home IoT service using the identity management app 20. For example, suppose a home IoT refrigerator provides menu management on its touchscreen: an ingredient detection sensor in the refrigerator checks the quantity of specific ingredients, and if the ingredients for the menu run short, the service automatically connects to an online market and pays for a one-time purchase of the item in a preset quantity.
When the ingredients for the next day's menu are checked and the sensor detects a shortage, a purchase-required notification is delivered to the device 10. Based on the received notification, the device 10 generates a product order request message to be submitted to the service provider (S602). The product order request message contains the product order details and the information required to authenticate the IoT equipment and the paying user. The information required for authentication is included in the request message in the form of a VP containing the device VC and the membership VC, and is transmitted to the service provider (S604).
For this VP, a digital signature is created with the private key corresponding to the device distributed ID and is appended to the original VP text before transmission.
On receiving the request message, the online service provider 50 confirms the product order request (S606) and performs authentication based on the VP information in the product order request message (S608). A total of three digital signature values must be authenticated; the signer of each digital signature and its distributed ID value are as follows.
- Digital signature of the VP: device
- Device distributed ID: Issuer value of the VP
- Digital signature of the device VC: device manufacturer
- Manufacturer distributed ID: Issuer value of the device VC
- Digital signature of the membership VC: service provider
- Service provider distributed ID: Issuer value of the membership VC
Next, the service provider 50 sends a batch distributed ID resolving request to the distributed ID resolver 40 to look up the public key of each distributed ID (S610). Using the distributed IDs it received, the distributed ID resolver 40 finds the distributed trust storage 70 that matches each distributed ID domain and looks up the distributed ID documents (S612, S614). The distributed ID resolver 40 places the retrieved distributed ID documents in a response message and delivers it to the service provider (S618).
The service provider 50 extracts the public key from the document of each distributed ID and verifies the digital signature values of the device VC, the membership VC, and the VP respectively (S620). When signature verification is complete, the service provider 50 processes the product order with the online market according to the requested order details (S622). When the order has been processed, the service provider 50 sends the device a response to the product order request (S624). On receiving the product order response, the device shows on the refrigerator touchscreen that the product order succeeded (S626).
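The three-signature check of S608 to S620 is sketched below as an added example that is not from the patent. Lamport one-time signatures over SHA-256 stand in for the unspecified signature algorithm so the code runs on the standard library alone; the `did:example:` identifiers, the `verifiableCredential`, `userDid`, `publicKey` and `proof` names, and the extra `bound` comparison of `deviceDid` and `deviceVcId` are assumptions of the example.

```python
import hashlib
import json
import secrets


def _h(data):
    return hashlib.sha256(data).digest()


def _bits(message):
    digest = _h(message)
    return [(digest[i // 8] >> (7 - i % 8)) & 1 for i in range(256)]


def keygen():
    """Lamport one-time key pair (stand-in scheme): 256 secret pairs and their hashes."""
    private = [(secrets.token_bytes(32), secrets.token_bytes(32)) for _ in range(256)]
    public = [(_h(a), _h(b)) for a, b in private]
    return private, public


def sign(private, message):
    # Reveal one secret per bit of the message digest.
    return [private[i][bit].hex() for i, bit in enumerate(_bits(message))]


def verify(public, message, signature):
    if not isinstance(signature, list) or len(signature) != 256:
        return False
    try:
        revealed = [bytes.fromhex(s) for s in signature]
    except (TypeError, ValueError):
        return False
    return all(_h(r) == public[i][bit]
               for i, (r, bit) in enumerate(zip(revealed, _bits(message))))


def canonical(doc):
    """Bytes that are signed: the document without its own proof, keys sorted."""
    body = {k: v for k, v in doc.items() if k != "proof"}
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


def attach_proof(doc, private):
    return {**doc, "proof": sign(private, canonical(doc))}


def signature_ok(doc, trust_storage):
    """Resolve the issuer's distributed ID document and check the proof with its key."""
    did_doc = trust_storage.get(doc.get("issuer"))
    if did_doc is None:
        return False  # issuer is not registered, so there is no key to trust
    return verify(did_doc["publicKey"], canonical(doc), doc.get("proof"))


def verify_presentation(vp, trust_storage):
    """Check the VP, device VC and membership VC signatures, each against its issuer."""
    device_vc, membership_vc = vp["verifiableCredential"]
    subject = membership_vc.get("credentialSubject", {})
    return {
        "vp": signature_ok(vp, trust_storage),
        "deviceVc": signature_ok(device_vc, trust_storage),
        "membershipVc": signature_ok(membership_vc, trust_storage),
        # Added check (assumption): the membership VC names this device and device VC.
        "bound": subject.get("deviceDid") == vp.get("issuer")
        and subject.get("deviceVcId") == device_vc.get("vcId"),
    }


def build_demo():
    """Constructed issuers, credentials and presentation; every value is a sample."""
    maker, provider, fridge = "did:example:maker", "did:example:provider", "did:example:fridge"
    storage, keys = {}, {}
    for did in (maker, provider, fridge):
        keys[did], public = keygen()
        storage[did] = {"id": did, "publicKey": public}
    device_vc = attach_proof(
        {"vcId": "device-vc-1", "issuer": maker,
         "credentialSubject": {"deviceDid": fridge}},
        keys[maker])
    membership_vc = attach_proof(
        {"vcId": "membership-vc-1", "issuer": provider,
         "credentialSubject": {"userDid": "did:example:user",
                               "deviceDid": fridge, "deviceVcId": "device-vc-1"}},
        keys[provider])
    # The VP signature covers both credentials, including their proofs.
    vp = attach_proof(
        {"issuer": fridge, "verifiableCredential": [device_vc, membership_vc]},
        keys[fridge])
    return vp, storage
```
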
FIG. 17 is a diagram showing the configuration of a computer system according to an embodiment.
The identity management app of the distributed ID-based verification credential management and device verification method according to the embodiment may be implemented in a computer system 1000 such as a computer-readable recording medium.
The computer system 1000 may include one or more processors 1010, a memory 1030, a user interface input device 1040, a user interface output device 1050, and storage 1060, which communicate with one another through a bus 1020. The computer system 1000 may further include a network interface 1070 connected to a network 1080. The processor 1010 may be a central processing unit or a semiconductor device that executes programs or processing instructions stored in the memory 1030 or the storage 1060. The memory 1030 and the storage 1060 may be storage media including at least one of volatile media, nonvolatile media, removable media, non-removable media, communication media, and information delivery media. For example, the memory 1030 may include a ROM 1031 or a RAM 1032.
The specific implementations described in the present invention are embodiments and do not limit the scope of the present invention in any way. For brevity of the specification, descriptions of conventional electronic components, control systems, software, and other functional aspects of the systems may be omitted. In addition, the connections of lines or the connecting members between the components shown in the drawings illustrate functional connections and/or physical or circuit connections by way of example, and in an actual device they may be represented as replaceable or additional functional connections, physical connections, or circuit connections. Furthermore, unless a component is specifically described with terms such as "essential" or "important", it may not be a component that is necessarily required for the application of the present invention.
Therefore, the spirit of the present invention should not be limited to the embodiments described above, and not only the claims set out below but also all scope equivalent to, or equivalently modified from, those claims falls within the spirit of the present invention.

Claims (19)

  1. A distributed ID-based verification credential management method comprising:
    registering IoT device connection information including a first verification credential corresponding to an IoT device;
    receiving issuance of a second verification credential corresponding to a user; and
    registering the issued second verification credential in the IoT device.
  2. The method of claim 1,
    wherein registering the IoT device connection information comprises:
    requesting the first verification credential from the IoT device;
    receiving a verification presentation including the first verification credential; and
    verifying digital signatures of the first verification credential and the verification presentation.
  3. The method of claim 2,
    wherein verifying the digital signatures comprises
    verifying the digital signatures based on distributed ID documents corresponding respectively to the first verification credential and the verification presentation.
  4. The method of claim 3,
    wherein the distributed ID documents corresponding respectively to the first verification credential and the verification presentation
    are obtained based on a result of requesting a distributed ID resolver to resolve the distributed IDs corresponding respectively to the first verification credential and the verification presentation.
  5. The method of claim 4,
    wherein the distributed ID resolver,
    based on the distributed ID resolving request, requests the distributed ID document from a distributed ID storage corresponding to the distributed ID, and obtains the distributed ID document based on a response from the distributed ID storage.
  6. The method of claim 1,
    wherein receiving issuance of the second verification credential corresponding to the user comprises:
    generating a distributed ID, a distributed ID document, and a digital signature of the user;
    registering the distributed ID of the user in a distributed ID storage;
    requesting issuance of the second verification credential; and
    verifying a digital signature of the second verification credential based on an issuer distributed ID of the issued second verification credential.
  7. The method of claim 6,
    wherein the second verification credential
    includes information on a distributed ID corresponding to the user, a distributed ID corresponding to a device, and a first verification credential ID.
  8. The method of claim 7,
    wherein requesting issuance of the second verification credential comprises:
    generating information required for issuance of the second verification credential;
    encrypting the information required for issuance of the second verification credential and transmitting it to a credential issuing server; and
    receiving issuance information of the second verification credential mapped to the device, based on a result of verification using the distributed ID corresponding to the user.
  9. The method of claim 8,
    wherein verifying the digital signature of the second verification credential comprises:
    requesting distributed ID resolving for the issuer distributed ID of the second verification credential;
    receiving a distributed ID resolving response including a distributed ID document, based on a distributed ID lookup result of a distributed ID storage corresponding to the issuer distributed ID; and
    verifying the digital signature of the second verification credential using a public key of the distributed ID document.
  10. The method of claim 1,
    wherein registering the issued second verification credential comprises:
    requesting the device to register the second verification credential; and
    receiving a result of registration of the second verification credential from the device,
    and
    wherein a registration request message for the second verification credential
    includes the full text of the second verification credential and metadata.
  11. The method of claim 10,
    wherein the device
    performs a duplicate check on the second verification credential based on the registration request for the second verification credential.
  12. A distributed ID-based device verification method comprising:
    receiving a verification request of an IoT device;
    identifying the IoT device based on a distributed ID included in the verification request;
    requesting distributed ID resolving from a distributed ID resolver;
    receiving, from the distributed ID resolver, a resolving result including a distributed ID document; and
    verifying a digital signature using a public key of the distributed ID document.
  13. The method of claim 12,
    wherein the verification request of the IoT device includes a verification presentation corresponding to the IoT device.
  14. The method of claim 13,
    wherein the verification presentation
    includes a first verification credential corresponding to the device, a second verification credential corresponding to a user, and a digital signature.
  15. The method of claim 14,
    wherein the distributed ID resolver,
    based on the distributed ID resolving request, requests the distributed ID document from a distributed ID storage corresponding to the distributed ID, and obtains the distributed ID document based on a response from the distributed ID storage.
  16. The method of claim 15,
    wherein the distributed ID document
    includes distributed ID documents corresponding respectively to the verification presentation, the first verification credential, and the second verification credential.
  17. The method of claim 16,
    wherein verifying the digital signature comprises
    verifying a digital signature for each of the verification presentation, the first verification credential, and the second verification credential.
  18. The method of claim 17,
    wherein a verification result is transmitted to the IoT device based on the result of verifying the digital signature.
  19. A distributed ID-based device verification apparatus comprising:
    a memory in which at least one program is recorded; and
    a processor that executes the program,
    wherein
    the program includes instructions for performing:
    receiving a verification request of an IoT device;
    identifying the IoT device based on a distributed ID included in the verification request;
    requesting distributed ID resolving from a distributed ID resolver;
    receiving, from the distributed ID resolver, a resolving result including a distributed ID document; and
    verifying a digital signature using a public key of the distributed ID document.
PCT/KR2021/017562 2021-11-24 2021-11-25 Distributed id-based verification credential management device and method, and device verification method and apparatus WO2023095953A1 (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
KR1020210163321A KR102612463B1 (en) 2021-11-24 2021-11-24 Method and apparatus for managing verifiable credential and device authentication based on decentralized identifier
KR10-2021-0163321 2021-11-24

Publications (1)

Publication Number Publication Date
WO2023095953A1 true WO2023095953A1 (en) 2023-06-01

Family

ID=86539815

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/KR2021/017562 WO2023095953A1 (en) 2021-11-24 2021-11-25 Distributed id-based verification credential management device and method, and device verification method and apparatus

Country Status (2)

Country Link
KR (1) KR102612463B1 (en)
WO (1) WO2023095953A1 (en)

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
KR20210091677A (en) * 2020-01-14 2021-07-22 베이징 바이두 넷컴 사이언스 앤 테크놀로지 코., 엘티디. Method and apparatus for verifying digital identity, device and storage medium
KR20210095061A (en) * 2020-01-22 2021-07-30 주식회사 코인플러그 Method for providing authentification service by using decentralized identity and server using the same
KR102303254B1 (en) * 2021-03-09 2021-09-17 주식회사 에프원시큐리티 Authentication system for blockchain did
KR102323523B1 (en) * 2020-11-10 2021-11-09 (주)소프트제국 Blockchain credential-based identity authentication system and its control method
KR102323522B1 (en) * 2020-11-10 2021-11-09 (주)소프트제국 DID system that can be verified on a browser using credentials and its control method

Family Cites Families (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
KR102139645B1 (en) 2020-04-13 2020-07-30 주식회사 한국정보보호경영연구소 System for Certificating identity based on Blockchain and Driving method thereof

Also Published As

Publication number Publication date
KR20230076419A (en) 2023-05-31
KR102612463B1 (en) 2023-12-11

Similar Documents

Publication Publication Date Title
WO2013025085A2 (en) Apparatus and method for supporting family cloud in cloud computing system
WO2020171538A1 (en) Electronic device and method for providing digital signature service of block chain using the same
WO2014200240A1 (en) Method and apparatus for registering wireless device in wireless communication system
WO2020189926A1 (en) Method and server for managing user identity by using blockchain network, and method and terminal for user authentication using blockchain network-based user identity
WO2015020360A1 (en) Method and device for registering and certifying device in wireless communication system
WO2020189927A1 (en) Method and server for managing identity of user by using blockchain network, and method and terminal for authenticating user by using user identity on basis of blockchain network
WO2017111383A1 (en) Biometric data-based authentication device, control server linked to same, and biometric data-based login method for same
WO2020147383A1 (en) Process examination and approval method, device and system employing blockchain system, and non-volatile storage medium
WO2015126124A1 (en) Method and device for transmitting and receiving authentication information in wireless communication system
WO2012005555A2 (en) Method for creating/issuing electronic document distribution certificate, method for verifying electronic document distribution certificate, and system for distributing electronic document
WO2022102930A1 (en) Did system using browser-based security pin authentication and control method thereof
WO2021107256A1 (en) Method for providing interface for interoperation between different types of iot platform devices and system for providing interface for interoperation between different types of iot platform devices
WO2017054443A1 (en) Remote control method, server and network attached storage
WO2012099330A2 (en) System and method for issuing an authentication key for authenticating a user in a cpns environment
WO2012044072A2 (en) Method of assigning a user key in a convergence network
WO2020042464A1 (en) Data interaction method, apparatus and device, and readable storage medium
WO2020141782A1 (en) Method and server for managing identity of user by using blockchain network, and method and terminal for authenticating user by using user identity based on blockchain network
WO2017111483A1 (en) Biometric data-based authentication device, control server and application server linked to same, and method for operating same
WO2020141783A1 (en) Method and server for managing user identity using blockchain network, and method and terminal for authenticating user using blockchain network-based user identity
WO2021235893A1 (en) Electronic device and method for electronic device to provide ranging-based service
WO2023095953A1 (en) Distributed id-based verification credential management device and method, and device verification method and apparatus
WO2021049681A1 (en) Electronic device for performing authentication on basis of cloud server and control method therefor
WO2018021864A1 (en) Method for providing cloud-based service
WO2021085954A1 (en) Electronic device for ensuring integrity of electronic device intrinsic information, and operating method therefor
WO2022035161A1 (en) Computer network hacking prevention system and method

Legal Events

Date Code Title Description
121 EP: the EPO has been informed by WIPO that EP was designated in this application

Ref document number: 21965740

Country of ref document: EP

Kind code of ref document: A1