WO2023095953A1 - Distributed ID-based verification credential management device and method, and device verification method and apparatus - Google Patents

Publication number
WO2023095953A1
Authority
WO
WIPO (PCT)
Prior art keywords
distributed
verification
credential
verification credential
document
Application number
PCT/KR2021/017562
Other languages
English (en)
Korean (ko)
Inventor
배웅식
우정민
강의용
김광용
두상균
Original Assignee
주식회사 드림시큐리티
Application filed by 주식회사 드림시큐리티
Publication of WO2023095953A1

Classifications

    • H: ELECTRICITY
    • H04: ELECTRIC COMMUNICATION TECHNIQUE
    • H04L: TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00: Network architectures or network communication protocols for network security
    • H04L63/08: Network architectures or network communication protocols for network security for authentication of entities
    • H04L63/0815: Network architectures or network communication protocols for network security for authentication of entities providing single-sign-on or federations
    • G: PHYSICS
    • G06: COMPUTING; CALCULATING OR COUNTING
    • G06F: ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00: Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/30: Authentication, i.e. establishing the identity or authorisation of security principals
    • G06F21/31: User authentication
    • H04L63/0876: Network architectures or network communication protocols for network security for authentication of entities based on the identity of the terminal or configuration, e.g. MAC address, hardware or software configuration or device fingerprint
    • H04L65/00: Network arrangements, protocols or services for supporting real-time applications in data packet communication
    • H04L65/40: Support for services or applications
    • H04L9/00: Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/32: Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L9/3247: Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving digital signatures
    • H04L9/40: Network security protocols
    • G16: INFORMATION AND COMMUNICATION TECHNOLOGY [ICT] SPECIALLY ADAPTED FOR SPECIFIC APPLICATION FIELDS
    • G16Y: INFORMATION AND COMMUNICATION TECHNOLOGY SPECIALLY ADAPTED FOR THE INTERNET OF THINGS [IoT]
    • G16Y30/00: IoT infrastructure
    • G16Y30/10: Security thereof
    • G16Y40/00: IoT characterised by the purpose of the information processing
    • G16Y40/50: Safety; Security of things, users, data or systems

Definitions

  • the present invention is a system configuration and credential management method capable of issuing distributed ID-based digital identities and credentials and providing identification and authentication services between edge devices and service providers in an IoT environment.
  • the present invention relates to a credential integrated management technology in a multi-distributed identity management service that performs authentication of a device using distributed ID-based credentials.
  • decentralized identifiers, which allow users to manage and control their own identity information without a centralized registration authority, are being used in various digital industries.
  • distributed identifiers are used in various digital certificate services such as mobile driver's licenses and vaccine certificates along with the W3C's Verifiable Credential standard.
  • Patent Document 1: Korean Registered Patent Publication No. 10-2139645 (Title of Invention: Blockchain-based Identity Verification System and Driving Method thereof)
  • An object of the present invention is to perform authentication of an edge device in an IoT environment using distributed ID-based credentials.
  • an object of the present invention is to provide a convenient user experience for integrated management and inquiry/use of credentials in multi-distributed identity management services.
  • a distributed ID-based verification credential management method includes the steps of registering IoT device connection information including a first verification credential corresponding to an IoT device, receiving a corresponding second verification credential, and registering the issued second verification credential to the IoT device.
  • the registering of the IoT device connection information includes requesting the first verification credential from the IoT device, receiving a verification presentation including the first verification credential, and verifying the digital signatures of the first verification credential and the verification presentation.
  • the verifying of the electronic signature may include verifying the digital signature based on the distributed ID document corresponding to each of the first verification credential and the verification presentation.
  • the distributed ID document corresponding to each of the first verification credential and the verification presentation can be obtained based on the result of requesting distributed ID resolving from the distributed ID resolver for the distributed ID corresponding to each of the first verification credential and the verification presentation.
  • the distributed ID resolver requests the distributed ID document from the distributed ID storage corresponding to the distributed ID based on the distributed ID resolving request, and obtains the distributed ID document based on a response from the distributed ID storage.
  • the step of issuing the second verification credential may include generating a distributed ID, a distributed ID document, and a digital signature of the user, registering the distributed ID of the user in a distributed ID storage, requesting issuance of a second verification credential corresponding to the user, and verifying a digital signature of the second verification credential based on an issuer distributed ID of the issued second verification credential.
  • the second verification credential may include information about a distributed ID corresponding to a user, a distributed ID corresponding to a device, and a first verification credential ID.
  • the step of requesting issuance of the second verification credential includes generating information necessary for issuing the second verification credential, encrypting the information necessary for issuing the second verification credential and transmitting it to the credential issuing server, and receiving second verification credential issuance information mapped to the device based on a verification result using a distributed ID corresponding to the user.
  • the step of verifying the digital signature of the second verification credential includes requesting distributed ID resolving for the issuer distributed ID of the second verification credential, and the distributed ID of the distributed ID storage corresponding to the issuer distributed ID.
  • registering the issued second verification credential may include requesting registration of the second verification credential from the device, and receiving a registration result of the second verification credential of the device.
  • the registration request message of the second verification credential may include the second verification credential full text and meta data.
  • the device may perform a redundancy check on the second verification credential based on the registration request of the second verification credential.
  • a distributed ID-based device verification method for achieving the above object includes receiving a verification request for an IoT device, identifying the IoT device based on a distributed ID included in the verification request, requesting distributed ID resolving from a distributed ID resolver, receiving a resolution result including a distributed ID document from the distributed ID resolver, and verifying a digital signature using the public key of the distributed ID document.
  • the verification request of the IoT device may include a verification presentation corresponding to the IoT device.
  • the verification presentation may include a first verification credential corresponding to the device, a second verification credential corresponding to the user, and an electronic signature.
  • the distributed ID resolver requests the distributed ID document from the distributed ID storage corresponding to the distributed ID based on the distributed ID resolving request, and obtains the distributed ID document based on a response from the distributed ID storage.
  • the distributed ID document may include distributed ID documents respectively corresponding to the verification presentation, the first verification credential, and the second verification credential.
  • in the verifying of the digital signature, the digital signature may be verified for each of the verification presentation, the first verification credential, and the second verification credential.
  • the distributed ID-based device verification method may transmit a verification result to the IoT device based on the verification result of the digital signature.
  • authentication of an edge device can be performed in an IoT environment using distributed ID-based credentials.
  • the present invention can provide a convenient user experience for integrated management and inquiry/use of credentials on multi-distributed identity management services.
  • the present invention can easily provide an integrated environment with other distributed ID systems by using a distributed ID-based authentication process.
  • FIG. 1 is a diagram conceptually illustrating a distributed identity management service environment based on distributed ID.
  • FIG. 2 is a diagram conceptually illustrating a multi-distributed identity management service environment.
  • FIG. 3 is a diagram illustrating an IoT environment composed of sensor-based edge device nodes by way of example.
  • BLE Bluetooth Low Energy
  • FIG. 5 is a diagram conceptually illustrating a credential management method in a multi-distributed identity management service environment.
  • FIG. 6 is a diagram conceptually illustrating authentication between IoT devices using a common authentication method.
  • FIG. 7 is a flowchart illustrating a distributed ID-based verification credential management method according to an embodiment of the present invention.
  • FIG. 8 is a flowchart illustrating a distributed ID-based device authentication method according to an embodiment of the present invention.
  • FIG. 9 is a diagram conceptually illustrating a distributed ID and credential-based verification system according to an embodiment of the present invention.
  • FIGS. 10 to 11 are flowcharts showing in detail a process of registering device connection information according to an embodiment of the present invention.
  • FIGS. 12 to 14 are flowcharts showing in detail a membership VC issuing process according to an embodiment of the present invention.
  • FIG. 15 is a flowchart showing in detail a membership VC registration process according to an embodiment of the present invention.
  • FIG. 16 is a flowchart illustrating in detail a process of performing device verification according to an embodiment of the present invention.
  • FIG. 17 is a diagram showing the configuration of a computer system according to an embodiment.
  • although terms such as "first" or "second" are used to describe various elements, these elements are not limited by those terms. Such terms may only be used to distinguish one component from another. Therefore, the first component mentioned below may also be the second component within the technical spirit of the present invention.
  • FIG. 1 is a diagram conceptually illustrating a distributed identity management service environment based on distributed ID.
  • a distributed identity management service environment is composed of entities such as an issuer, a user, a verifier, and a trust store.
  • the issuer issues credentials to the user, and the user manages the issued credentials and submits the credentials necessary for service use to the verifier.
  • the verifier requests the credential required to provide the service from the user and provides the service by verifying the credential submitted by the user.
  • the trust store stores and manages distributed identifiers (IDs) and distributed identifier documents that represent the identities of issuers, users, and verifiers.
  • FIG. 2 is a diagram conceptually illustrating a multi-distributed identity management service environment.
  • a multi-distributed identity management service environment that provides
  • FIG. 3 is a diagram illustrating an IoT environment composed of sensor-based edge device nodes by way of example.
  • the modern era is called the era of the 4th industrial revolution, and various cutting-edge technologies such as ICBM technology (IoT, Cloud Computing, Big Data, Mobile), artificial intelligence, autonomous driving, and smart city, which are core technologies, are emerging.
  • in the case of the Internet of Things (IoT), a hyper-connected technology is required to connect millions of devices in areas such as home/daily life/industry.
  • 5G technology, the 5th generation mobile communication, supports ultra-high-speed transmission and ultra-low latency, including ultra-connectivity capable of connecting 1 million devices per unit area (1 km²), so it is getting attention as an essential technology optimized for communication between edge devices in the Internet of Things environment.
  • Bluetooth is drawing attention as a suitable short-distance wireless communication. From Bluetooth 4.0 or higher, classic Bluetooth, high-speed (up to 24 Mbps) Bluetooth, and low-power Bluetooth (BLE, Bluetooth Low Energy) are all supported. With the advent of BLE, beacons, which previously had problems with power supply and mobility, also developed, and BLE beacons can operate for up to two years with only one mercury battery, further raising the possibility of the IoT industry.
  • a packet transmission/reception process of a central device corresponding to a client and a peripheral device corresponding to a server can be confirmed.
  • FIG. 5 is a diagram conceptually illustrating a credential management method in a multi-distributed identity management service environment.
  • the user needs to manage identity qualifications (credentials) by installing separate applications provided by each service.
  • the service provider also bears the burden of building and managing a communication system with the distributed ID storage. Therefore, there is a need for a method to securely manage and search/use credentials in a multi-distributed identity management service environment.
  • FIG. 6 is a diagram conceptually illustrating authentication between IoT devices using a common authentication method.
  • the current IoT security certification system evaluates security measures differently depending on the size of the device and assigns different certification levels. This can cause difficulties in the mutual authentication process of devices. In the future, at least millions of IoT devices will be used for IoT services in various industries, and for this purpose, as shown in FIG.
  • FIG. 7 is a flowchart illustrating a distributed ID-based verification credential management method according to an embodiment of the present invention.
  • a distributed ID-based verification credential management method may be performed in a distributed ID-based authentication system.
  • IoT device connection information including a first verification credential corresponding to the IoT device is registered (S110).
  • the step of registering the IoT device connection information includes requesting the first verification credential from the IoT device, receiving a verification presentation including the first verification credential, and verifying the digital signatures of the first verification credential and the verification presentation.
  • the verifying of the electronic signature may include verifying the digital signature based on the distributed ID document corresponding to each of the first verification credential and the verification presentation.
  • the distributed ID document corresponding to each of the first verification credential and the verification presentation can be obtained based on the result of requesting distributed ID resolving from the distributed ID resolver for the distributed ID corresponding to each of the first verification credential and the verification presentation.
  • the distributed ID resolver requests the distributed ID document from the distributed ID storage corresponding to the distributed ID based on the distributed ID resolving request, and obtains the distributed ID document based on a response from the distributed ID storage.
  • the step of issuing the second verification credential may include generating a distributed ID, a distributed ID document, and a digital signature of the user, registering the distributed ID of the user in a distributed ID storage, requesting issuance of a second verification credential corresponding to the user, and verifying a digital signature of the second verification credential based on an issuer distributed ID of the issued second verification credential.
  • the second verification credential may include information about a distributed ID corresponding to a user, a distributed ID corresponding to a device, and a first verification credential ID.
  • requesting issuance of the second verification credential may include generating information necessary for issuing the second verification credential, encrypting the information necessary for issuing the second verification credential and transmitting it to an issuing server, and receiving second verification credential issuance information mapped to the device based on a verification result using a distributed ID corresponding to the user.
  • the step of verifying the digital signature of the second verification credential includes requesting distributed ID resolving for the issuer distributed ID of the second verification credential, and the distributed ID of the distributed ID storage corresponding to the issuer distributed ID.
  • registering the issued second verification credential includes requesting registration of the second verification credential from the device and receiving a registration result of the second verification credential of the device.
  • the registration request message of the second verification credential may include the second verification credential full text and meta data.
  • the device may perform a redundancy check on the second verification credential based on the registration request of the second verification credential.
  • FIG. 8 is a flowchart illustrating a distributed ID-based device authentication method according to an embodiment of the present invention.
  • a device verification method based on a distributed ID includes receiving a verification request for an IoT device (S210), identifying the IoT device based on the distributed ID included in the verification request (S220), requesting distributed ID resolving from a distributed ID resolver (S230), receiving a resolution result including a distributed ID document from the distributed ID resolver (S240), and verifying the digital signature using the public key of the distributed ID document (S250).
  • the verification request of the IoT device may include a verification presentation corresponding to the IoT device.
  • the verification presentation may include a first verification credential corresponding to the device, a second verification credential corresponding to the user, and an electronic signature.
  • the distributed ID resolver requests the distributed ID document from the distributed ID storage corresponding to the distributed ID based on the distributed ID resolving request, and obtains the distributed ID document based on a response from the distributed ID storage.
  • the distributed ID document may include distributed ID documents respectively corresponding to the verification presentation, the first verification credential, and the second verification credential.
  • the digital signatures may be verified for each of the verification presentation, the first verification credential, and the second verification credential.
  • the distributed ID-based device verification method may further include transmitting a verification result to the IoT device based on the verification result of the electronic signature.
  • FIG. 9 is a diagram conceptually illustrating a distributed ID and credential-based verification system according to an embodiment of the present invention.
  • the system includes an edge device 10, a device identity management app 20, a distributed ID management server 30, a distributed ID resolver 40, a service provider (home IoT service 50), distributed trust store A 60, and distributed trust store B 70.
  • the device identity management app 20 may correspond to an app running on a user terminal, for example, a smart phone, a personal computer, a laptop computer, a tablet PC, and the like.
  • the edge device 10 refers to a manufacturer's IoT device, and the manufacturer's device VC (Verifiable Credential) is embedded at the time of shipment.
  • the edge device 10 may request a service from a service provider using a device VC and a membership VC.
  • the device VC and the membership VC may correspond to the first verification credential and the second verification credential, respectively, as an embodiment of the present invention.
  • the device identity management app 20 is an entity that performs identity management and service setting for service use in a device.
  • the device identity management app 20 may receive a membership VC for authentication when using the service and register it in the device.
  • the device identity management app 20 may inquire the device VC and membership VC in the device setting window.
  • the membership VC can be issued and deleted, but the device VC can be set to be deleted as a basic setting in the device.
  • the distributed ID management server 30 is an entity that registers and manages distributed IDs in a distributed trust store.
  • the distributed ID management server 30 may be used for registration, inquiry, renewal, and discard of distributed IDs for each service domain.
  • the distributed ID resolver 40 is an entity that provides a distributed ID search function managed by a distributed trust store for each service domain.
  • the distributed ID resolver 40 may check the location of the distributed trust storage to be searched based on the distributed ID information.
  • the service provider 50 is an entity that issues a service credential (membership VC) required for a device to request a service to a user and performs service request processing.
  • Distributed trust stores 60 and 70 are entities in which each distributed ID and its corresponding data (public key, distributed ID document, metadata, etc.) are registered.
  • a user can use a home IoT service through a mobile device.
  • a refrigerator has an edge device (hereinafter referred to as a device) built in, and a verification credential (hereinafter referred to as a VC) used for device authentication is installed in the device.
  • This device VC is issued by the device manufacturer and is pre-built into the device.
  • the user can manage VCs in the device by connecting to the device via mobile through BLE communication.
  • Membership VC can be issued from a refrigerator home service provider, and device VC verification is required to obtain membership VC.
  • the user sends the device VC to the refrigerator home service provider to obtain the membership VC, and to verify this, the refrigerator home service provider must access the distributed ID trust storage of the device manufacturer and inquire the distributed ID mapped with the device VC.
  • Different distributed identity management services can be interlocked through the distributed ID resolver, and the service certification process is carried out on the W3C standard distributed ID/VC system through signature data transmission and reception between the issuer-user-verifier (service provider) and signature verification.
  • BLE communication is used for data transmission and reception between the device and user mobile, and general Internet communication is used otherwise.
  • FIGS. 10 to 11 are flowcharts showing in detail a process of registering device connection information according to an embodiment of the present invention.
  • the user accesses the device management screen in the identity management app 20 and presses the 'add device' button (S302).
  • the mobile device searches for a device that can be connected using BLE technology, a low-power wireless communication supported by Bluetooth 4.0 or higher (S304).
  • a BLE connection is executed (S306). If the connection is successful, the identity management app 20 requests the device VC for trusted device authentication from the device 10 (S308).
  • the device 10 generates a device VC request response message for transmitting the requested device VC to the mobile (S310).
  • the device VC is not delivered as it is; instead, the device VC is embedded in a VP (Verifiable Presentation) and the VP is delivered (S312).
  • a value digitally signed with a private key corresponding to the device distributed ID may be added to the VP.
  • the identity management app 20 verifies digital signature values for the VP received from the device 10 and the device VC included therein (S314 and S316).
  • the public key required to verify each signature value is stored in the document of each distributed ID, and must be obtained from each distributed trust storage.
  • the identity management app 20 requests distributed ID document inquiry to the distributed ID management server 30 (S318).
  • the distributed ID management server 30 checks the service domain from the delivered distributed ID value (S320). In the case of the same domain, inquiry can be made through the distributed ID management server, and in the case of heterogeneous domains, the distributed ID document is inquired through the distributed ID resolver 40 (S322). Since the distributed ID managed by the manufacturer corresponds to the heterogeneous domain area, the distributed ID management server 30 requests distributed ID document inquiry from the distributed ID resolver 40 (distributed ID resolving).
  • the distributed ID resolver 40 analyzes the received distributed ID values to identify a domain and finds a driver to connect to the corresponding domain (S322).
  • the distributed ID resolver 40 requests a distributed ID search through a driver to a domain matching the distributed ID value (S326) and obtains a document according to the search result (S328, S330).
  • the obtained document is transmitted as a value in the response message to the distributed ID management server's resolving request (S332, S334).
  • the distributed ID management server 30 generates a response message containing the distributed ID documents (manufacturer distributed ID document / device distributed ID document) from the response message received from the distributed ID resolver 40 (S336, S338), and sends the response to the identity management app 20 (S340).
  • the identity management app 20 uses the delivered distributed ID documents (S342, S344) to verify the electronic signature of each VP/VC (S346); the signature verification process uses the public key in each distributed ID document.
  • the digital signature value of the VP is verified with the public key of the distributed ID of the device, and the digital signature value of the VC is verified with the public key of the distributed ID of the manufacturer.
  • the identity management app stores the device identification information and uses it as connection information later (S348, S350).
  • the device identification information may consist of a device distributed ID, a device VC ID, and a device model name.
  • the device VC ID is an ID generated by a manufacturer to manage device VC issue information and generally has a URL format.
  • FIGS. 12 to 14 are flowcharts showing in detail a membership VC issuing process according to an embodiment of the present invention.
  • The user requests the service provider 50, through the identity management app 20, to issue a membership VC in order to use the home IoT service.
  • A secure connection is established in advance (S402), using DID Authentication technology.
  • Secure connection (S402)
  • DID Authentication technology is used to secure the membership VC issuance process.
  • This is a technique used in the distributed ID system.
  • In this technique, each entity derives a common session key for end-to-end (E2E) communication using the distributed ID value of each entity, and symmetric encrypted communication is then performed with that key.
  • Once the DID Authentication connection is established, the user registers the distributed ID to be used in the home IoT service domain. After a distributed ID and a document for the service user are created in the identity management app 20, the document is digitally signed with the private key corresponding to the distributed ID (S404).
  • The identity management app requests the distributed ID management server 30 to register the distributed ID for the service user (S406). These values are registered in the distributed trust storage within the service domain through the distributed ID management server 30 (S408).
  • The distributed trust storage B 70 checks the digital signature value of the distributed ID document to be registered through self-sign verification, and if the verification succeeds, the document is registered in the distributed trust storage with its digital signature value excluded (S410, S412, S414).
  • The distributed trust storage B 70 transmits a response message to the distributed ID management server 30 (S416).
  • The distributed ID management server 30, on receiving the response, delivers it to the identity management app 20 (S418).
  • When the distributed ID for the user service is registered, the identity management app 20 requests the service provider 50 to issue a membership VC (S420).
  • The service provider 50 sends the information necessary for issuing the membership VC in the form of a request, which is initially transmitted to the identity management app 20 encrypted with the session key shared through the DID Authentication connection (S422).
  • The identity management app 20 decrypts the request with the session key (S424), checks the information necessary for the membership VC, and fills in the corresponding values (S426). There are three types of necessary information.
  • The three types of information are needed to associate the user with the device: the distributed ID for the service user, which is mapped directly to the membership VC, and the device distributed ID and device VC ID, which are mapped to the device VC.
  • After filling in the corresponding values, the identity management app 20 transmits a response message to the service provider (S428); this message is also sent encrypted with the session key.
  • A challenge-response authentication process is performed every time to prevent replay attacks.
  • The service provider 50 decrypts the received encrypted response message (S430) and extracts the three ID values necessary for issuing the membership VC. Of these, the distributed ID value for the service user is sent in a search request to the distributed ID resolver 40 to confirm that the distributed ID is actually registered (S432).
  • The service provider 50 requests the distributed ID resolver 40 to resolve the distributed ID for the service user (S434).
  • The distributed ID resolver 40 requests the distributed trust storage B 70 to retrieve the distributed ID document for the service user (S436), and receives the distributed ID document for the service user in response, according to the search result (S438) (S440).
  • The distributed ID resolver 40 transmits a distributed ID resolving response for the service user to the service provider (S442).
  • The service provider 50 proceeds with a membership VC issuance procedure.
  • The service provider 50 creates a membership VC associated with the device (S446).
  • The membership VC contains specific device and user information, and the information is injected into the credentialSubject field of the VC.
  • A digital signature value is added using the private key corresponding to the distributed ID of the service provider 50.
  • In the VC issuance process, a VC issuing server is managed separately for each service provider, and its structure may differ for each service provider; the scope of the present invention is not limited thereto.
  • The membership VC created by the service provider 50 is included in the VC issuance request response statement to be sent to the identity management app 20, and is transmitted as a response statement encrypted with the session key (S448).
  • The identity management app 20, on receiving the encrypted response, decrypts it with the session key to obtain the membership VC (S450).
  • The issuer field holds the distributed ID value of the VC issuer; by requesting distributed ID resolving for this value (S452, S454), the document, and thus the public key of the VC issuer, can be obtained.
  • The distributed ID resolver 40 requests a distributed ID document inquiry from the distributed trust storage A 60 corresponding to the heterogeneous domain (S456), and receives the distributed ID document search result (S458) (S460).
  • The distributed ID resolver 40 transmits the heterogeneous domain distributed ID resolving response to the distributed ID management server 30 (S462), and the distributed ID management server 30 transmits the response to the identity management app 20.
  • The identity management app 20 verifies the digital signature value of the issued membership VC with the obtained public key of the VC issuer (S466).
  • The purpose of this verification process is to check whether the membership VC received by the user was issued by the correct VC issuer.
  • The identity management app can store the membership VC and use it afterwards when using the home IoT service.
  • FIG. 15 is a flowchart showing in detail a membership VC registration process according to an embodiment of the present invention.
  • BLE communication is used when transmitting the membership VC from the identity management app 20 to the device 10 (S502).
  • The membership VC can be registered in the device.
  • When the membership VC registration button is clicked (S506), a list of transmittable membership VCs appears, and the user selects a membership VC (S508).
  • The identity management app 20 creates a registration request to transmit the membership VC (S510); the full membership VC and the meta information of the membership VC are inserted into the registration request. The meta information may be used instead of the full VC text when the device 10 outputs the VC management list.
  • The request is transmitted to the device over BLE communication (S512).
  • BLE communication
  • The start packet is the header of the membership VC registration request, and its packet structure has the form ⁇ SOF ⁇ + [number of data packets].
  • The total number of transmitted data packets can be confirmed by checking the start packet, and the number of data packets is calculated as follows.
  • The device 10, which is the receiving side, needs to know the order in which to assemble the data; for this, the data packet structure is ⁇ NUM_ + [data packet sequence] + ⁇ + [data].
  • The end packet is the last packet, sent when there is no more data to transmit; its structure is ⁇ EOF ⁇.
  • When the device has received the end packet, it saves the transmitted packets as a file and sends a notification packet informing the identity management app that reception is complete.
  • The notification packet has the form ⁇ ALL_RCV ⁇, and the identity management app 20 ends transmission mode on receiving it. If the identity management app 20 does not receive this notification packet within a certain period of time, it treats this as a transmission error and retransmits the packets. A total of 3 attempts are made, and if all 3 attempts fail, the user is notified of the transmission failure.
  • After receiving the membership VC registration request, the device 10 checks whether the membership VC is a duplicate (S514). The duplicate check uses three pieces of information from the membership VC. First, it is checked whether the vcId field value of the membership VC overlaps with other VCs in the device. Next, it is checked whether deviceDid and deviceVcId, among the credentialSubject fields of the membership VC, have duplicate values.
  • The device stores the received membership VC (S516), creates a registration response statement, and transmits it to the identity management app 20 (S518).
  • The identity management app checks the result of the registration response statement and outputs a registration success message if registration succeeded (S520).
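The start, data, end and notification packet exchange described above, with the three-attempt retransmission, as an added Go example that is not code from the patent. The brace delimiters (the page's own markers are garbled), the 16-byte chunk size, the ceiling-division packet count and the receiver's 512-packet cap are assumptions.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// Assumptions, not from the patent: brace delimiters replace the garbled markers;
// chunkSize and maxPackets are illustrative. maxAttempts is the page's three tries.
const chunkSize, maxPackets, maxAttempts = 16, 512, 3

// Frame splits a registration request into start, data and end packets.
func Frame(payload string) []string {
	n := (len(payload) + chunkSize - 1) / chunkSize
	pkts := []string{fmt.Sprintf("{SOF}%d", n)}
	for i := 0; i < n; i++ {
		chunk := payload[i*chunkSize:]
		if len(chunk) > chunkSize {
			chunk = chunk[:chunkSize]
		}
		pkts = append(pkts, fmt.Sprintf("{NUM_%d}%s", i, chunk))
	}
	return append(pkts, "{EOF}")
}

// Receiver reassembles packets on the device side.
type Receiver struct {
	expected int
	parts    map[int]string
	Request  string // complete request, set when the end packet is accepted
}

// Handle processes one packet and returns the reply to send ("" for none).
func (r *Receiver) Handle(pkt string) (string, error) {
	var n int
	if _, err := fmt.Sscanf(pkt, "{SOF}%d", &n); err == nil && n >= 1 && n <= maxPackets {
		r.expected, r.parts = n, make(map[int]string, n) // a new start resets state
		return "", nil
	}
	if _, err := fmt.Sscanf(pkt, "{NUM_%d}", &n); err == nil && n >= 0 && n < r.expected {
		r.parts[n] = pkt[strings.IndexByte(pkt, '}')+1:] // retransmitted chunks overwrite
		return "", nil
	}
	if pkt == "{EOF}" && r.expected > 0 && len(r.parts) == r.expected {
		r.Request = ""
		for i := 0; i < r.expected; i++ {
			r.Request += r.parts[i]
		}
		return "{ALL_RCV}", nil
	}
	return "", errors.New("malformed, out-of-range or premature packet") // nothing is acknowledged
}

// Send pushes every packet through link, whose return value is the peer's reply
// ("" models the notification timeout), and reports which attempt succeeded.
func Send(payload string, link func(string) string) (int, error) {
	for attempt := 1; attempt <= maxAttempts; attempt++ {
		reply := ""
		for _, p := range Frame(payload) {
			reply = link(p)
		}
		if reply == "{ALL_RCV}" {
			return attempt, nil
		}
	}
	return 0, errors.New("transmission failed after three attempts")
}

func main() {
	rx := &Receiver{}
	n, err := Send(`{"vcId":"constructed-vc-1"}`, func(p string) string { r, _ := rx.Handle(p); return r })
	fmt.Println(n, err, rx.Request)
}
```

The receiver bounds the announced packet count and rejects out-of-range sequence numbers before storing anything, so a malformed start or data packet from the BLE peer cannot grow its buffers or be acknowledged.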
  • FIG. 16 is a flowchart illustrating in detail a process of performing device verification according to an embodiment of the present invention.
  • The user can use the identity management app 20 to set up the refrigerator home IoT service.
  • Menu management is provided through a touch screen.
  • The quantity of specific ingredients can be checked through a sensor that detects the ingredients, and if the ingredients are insufficient, the item can be purchased in a preset quantity at one time. Assume that there is a service that automatically connects to an online market and performs payment.
  • When the ingredients for the next day's diet are checked and the sensor detects that they are insufficient, a notification requiring a product purchase is transmitted to the device 10.
  • The device 10 generates a product order request statement to be submitted to the service provider based on the received notification (S602).
  • The product order request contains the information necessary for the product order details and for IoT device and payment user authentication.
  • Information necessary for authentication is included in the request in the form of a VP containing the device VC and membership VC, and transmitted to the service provider (S604).
  • The transmitted VP is digitally signed with the private key corresponding to the device distributed ID, and the signature is sent along with the original VP text.
  • Upon receiving the request, the online service provider 50 confirms the product order request (S606) and performs an authentication process based on the VP information of the product order request (S608).
  • A total of three digital signature values must be authenticated, and the subject of each digital signature and its distributed ID value are as follows.
  • The service provider 50 sends a distributed ID resolving batch request to the distributed ID resolver 40 to retrieve the public key of each distributed ID (S610).
  • The distributed ID resolver 40 finds the distributed trust storage 70 matching the domain of each received distributed ID and performs the distributed ID document inquiry (S612, S614).
  • The distributed ID resolver 40 puts the retrieved distributed ID documents in a response message and delivers them to the service provider (S618).
  • The service provider 50 extracts the public key from the document of each distributed ID and verifies the digital signature values of the device VC, membership VC, and VP, respectively (S620).
  • The service provider 50 processes the product order through the online market according to the requested product order details (S622).
  • The service provider 50 transmits a response to the product order request to the device (S624).
  • Upon receiving the product order response, the device displays a screen on the refrigerator's touch screen indicating that the product order was successful (S626).
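The three-signature check of S608 to S620 (VP by the device, device VC by the manufacturer, membership VC by the service provider), as an added Go example that is not code from the patent. Ed25519, the JSON layout, the holder, proof and userDid fields, the in-memory Resolver and the final deviceDid/deviceVcId binding check are assumptions; all DIDs and keys are constructed.

```go
package main

import (
	"crypto/ed25519"
	"encoding/json"
	"fmt"
)

// Simplified structures. Only vcId, issuer, credentialSubject, deviceDid and
// deviceVcId are named on the page; holder, proof and the rest are assumptions.
type VC struct {
	VcID    string            `json:"vcId"`
	Issuer  string            `json:"issuer"`
	Subject map[string]string `json:"credentialSubject"`
	Sig     []byte            `json:"proof,omitempty"`
}

type VP struct {
	Holder       string `json:"holder"` // device distributed ID
	DeviceVC     VC     `json:"deviceVc"`
	MembershipVC VC     `json:"membershipVc"`
	Sig          []byte `json:"proof,omitempty"`
}

// Resolver stands in for the distributed ID resolver: DID -> public key of its document.
type Resolver map[string]ed25519.PublicKey

// payload is what gets signed: the JSON encoding without the object's own proof.
func (c VC) payload() []byte { c.Sig = nil; b, _ := json.Marshal(c); return b }
func (p VP) payload() []byte { p.Sig = nil; b, _ := json.Marshal(p); return b }
func SignVC(k ed25519.PrivateKey, c VC) VC { c.Sig = ed25519.Sign(k, c.payload()); return c }
func SignVP(k ed25519.PrivateKey, p VP) VP { p.Sig = ed25519.Sign(k, p.payload()); return p }

func verify(r Resolver, what, did string, msg, sig []byte) error {
	if pub, ok := r[did]; !ok || len(pub) != ed25519.PublicKeySize || !ed25519.Verify(pub, msg, sig) {
		return fmt.Errorf("%s: %s is unresolved or its signature is invalid", what, did)
	}
	return nil
}

// VerifyOrder checks the VP, device VC and membership VC signatures, then the binding.
func VerifyOrder(p VP, r Resolver) error {
	d, m := p.DeviceVC, p.MembershipVC
	if err := verify(r, "VP", p.Holder, p.payload(), p.Sig); err != nil {
		return err
	}
	if err := verify(r, "device VC", d.Issuer, d.payload(), d.Sig); err != nil {
		return err
	}
	if err := verify(r, "membership VC", m.Issuer, m.payload(), m.Sig); err != nil {
		return err
	}
	if m.Subject["deviceDid"] != p.Holder || m.Subject["deviceVcId"] != d.VcID {
		return fmt.Errorf("membership VC is not bound to the presenting device") // added check
	}
	return nil
}

// Sample builds constructed keys and a valid order VP; every identifier is made up.
func Sample() (VP, Resolver, map[string]ed25519.PrivateKey) {
	r, k := Resolver{}, map[string]ed25519.PrivateKey{}
	for _, did := range []string{"did:example:maker", "did:example:provider", "did:example:fridge"} {
		r[did], k[did], _ = ed25519.GenerateKey(nil)
	}
	dev := SignVC(k["did:example:maker"], VC{VcID: "https://maker.example/vc/1", Issuer: "did:example:maker"})
	mem := SignVC(k["did:example:provider"], VC{VcID: "m-1", Issuer: "did:example:provider", Subject: map[string]string{
		"userDid": "did:example:user", "deviceDid": "did:example:fridge", "deviceVcId": dev.VcID}})
	return SignVP(k["did:example:fridge"], VP{Holder: "did:example:fridge", DeviceVC: dev, MembershipVC: mem}), r, k
}

func main() {
	vp, r, _ := Sample()
	fmt.Println("order accepted:", VerifyOrder(vp, r) == nil)
}
```

Three valid signatures alone only show that each object is authentic; the binding check is what ties the membership VC to the device that signed the VP.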
  • FIG. 17 is a diagram showing the configuration of a computer system according to an embodiment.
  • The identity management app of the distributed ID-based verification credential management and device verification method according to the embodiment may be implemented in a computer system 1000 such as a computer-readable recording medium.
  • The computer system 1000 may include one or more processors 1010, memory 1030, user interface input devices 1040, user interface output devices 1050, and storage 1060 that communicate with each other over a bus 1020. In addition, the computer system 1000 may further include a network interface 1070 coupled to a network 1080.
  • The processor 1010 may be a central processing unit or a semiconductor device that executes programs or processing instructions stored in the memory 1030 or the storage 1060.
  • The memory 1030 and the storage 1060 may be storage media including at least one of volatile media, nonvolatile media, removable media, non-removable media, communication media, and information delivery media.
  • The memory 1030 may include ROM 1031 or RAM 1032.

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computing Systems (AREA)
  • Computer Hardware Design (AREA)
  • General Engineering & Computer Science (AREA)
  • Theoretical Computer Science (AREA)
  • Physics & Mathematics (AREA)
  • Software Systems (AREA)
  • General Physics & Mathematics (AREA)
  • Power Engineering (AREA)
  • Multimedia (AREA)
  • Storage Device Security (AREA)
  • Mobile Radio Communication Systems (AREA)

Abstract

A distributed ID-based verification credential management method designed to achieve the above objective, according to an embodiment of the present invention, comprises the steps of: registering IoT device connection information including first verification credentials corresponding to an IoT device; issuing second verification credentials corresponding to a user; and registering the issued second verification credentials with the IoT device.
PCT/KR2021/017562 2021-11-24 2021-11-25 Device and method for distributed ID-based verification credential management, and method and apparatus for device verification WO2023095953A1 (fr)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
KR1020210163321A KR102612463B1 (ko) 2021-11-24 2021-11-24 Distributed ID-based verification credential management and device verification method and apparatus
KR10-2021-0163321 2021-11-24

Publications (1)

Publication Number Publication Date
WO2023095953A1 true WO2023095953A1 (fr) 2023-06-01

Family

ID=86539815

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/KR2021/017562 WO2023095953A1 (fr) 2021-11-24 2021-11-25 Device and method for distributed ID-based verification credential management, and method and apparatus for device verification

Country Status (2)

Country Link
KR (1) KR102612463B1 (fr)
WO (1) WO2023095953A1 (fr)

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
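KR20210091677A (ko) * 2020-01-14 2021-07-22 베이징 바이두 넷컴 사이언스 앤 테크놀로지 코., 엘티디. Digital identity authentication method, apparatus, device and storage medium
KR20210095061A (ko) * 2020-01-22 2021-07-30 주식회사 코인플러그 Method for providing authentication service using decentralized ID app, and decentralized ID authentication server using the same
KR102303254B1 (ko) * 2021-03-09 2021-09-17 주식회사 에프원시큐리티 Blockchain decentralized identifier authentication system for smart home environments
KR102323522B1 (ko) * 2020-11-10 2021-11-09 (주)소프트제국 DID system verifiable in a browser using credentials, and control method thereof
KR102323523B1 (ko) * 2020-11-10 2021-11-09 (주)소프트제국 Blockchain credential-based identity authentication system and control method thereof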

Family Cites Families (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
KR102139645B1 2020-04-13 2020-07-30 주식회사 한국정보보호경영연구소 Blockchain-based identity verification system and operating method thereof

Also Published As

Publication number Publication date
KR102612463B1 (ko) 2023-12-11
KR20230076419A (ko) 2023-05-31

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 21965740

Country of ref document: EP

Kind code of ref document: A1