WO2024090628A1 - Procédé et appareil de communication cryptographique de service basé sur un identifiant décentralisé - Google Patents

Procédé et appareil de communication cryptographique de service basé sur un identifiant décentralisé Download PDF

Info

Publication number
WO2024090628A1
WO2024090628A1 PCT/KR2022/016714 KR2022016714W WO2024090628A1 WO 2024090628 A1 WO2024090628 A1 WO 2024090628A1 KR 2022016714 W KR2022016714 W KR 2022016714W WO 2024090628 A1 WO2024090628 A1 WO 2024090628A1
Authority
WO
WIPO (PCT)
Prior art keywords
distributed
service
user
organization
key
Prior art date
Application number
PCT/KR2022/016714
Other languages
English (en)
Korean (ko)
Inventor
배웅식
우정민
강의용
두상균
Original Assignee
주식회사 드림시큐리티
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by 주식회사 드림시큐리티 filed Critical 주식회사 드림시큐리티
Publication of WO2024090628A1 publication Critical patent/WO2024090628A1/fr

Links

Images

Classifications

    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/08Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/32Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials

Definitions

  • the present invention relates to a technology for exchanging encrypted messages between entities such as users and service providers in a distributed ID-based environment.
  • the present invention relates to communication security technology for transmitting an encrypted message to a service provider using the service provider's public ID.
  • decentralized identifiers which allow users to manage and control their own identity information without a centralized registration agency, are being used in various digital industrial fields.
  • distributed identifiers are being used in various digital certificate services such as mobile driver's licenses and vaccine certificates along with W3C's Verifiable Credential standard.
  • a credential contains a variety of information, including user information.
  • Information for verifying the issuer includes the issuer's signature and issuer authentication key ID information. If the user wants to use another identity verification service in the future, he or she can prove his/her identity by submitting the existing issued credential to the verifier. At this time, the credential issuer's signature can be verified through the credential's issuer verification information. Although this issuer verification process is cryptographically valid, it is difficult to verify whether the issuer is a true service provider.
  • Patent Document 1 Domestic Patent Publication No. 10-2139645 (Title of invention: Blockchain-based identity authentication system and method of operating the same)
  • the purpose of the present invention is to improve the reliability of service providers by using public ID in a distributed ID-based identity management service environment.
  • the purpose of the present invention is to obtain the service provider's public key using the public ID and utilize this to provide confidentiality between data transmission between the user and the service provider.
  • An encryption and decryption communication method for a distributed ID-based service includes the steps of receiving a service organization search result from an organization information management server using the public ID of the service organization, the search result receiving a distributed ID document of the service organization using a service organization distributed ID document, encrypting a communication encryption key using a service organization distributed ID public key, transmitting the encrypted communication encryption key to the service organization, and the communication encryption key. and requesting verification from the service organization using a key, user distributed ID, and public ID of the service organization.
  • the public ID may have been previously issued to correspond to the service organization based on the service organization's distributed ID and organization information.
  • the communication encryption key may be generated based on a symmetric key algorithm.
  • the step of requesting verification from the service organization can confirm whether the communication encryption key is shared with the service organization.
  • the credential may be encrypted using the communication encryption key.
  • the submission containing the encrypted credential may be signed with the user's distributed ID private key.
  • the encryption and decryption communication method of a distributed ID-based service further includes the step of receiving a verification result, and the verification result is a result of decrypting the credential using the communication encryption key.
  • the communication encryption key may be obtained using the user distributed ID public key, and the user distributed ID public key may be obtained using the user distributed ID.
  • a user terminal includes a communication unit that communicates with a service organization, an information management server, or another terminal, and a control unit that generates a communication encryption key and generates a submission required for verification.
  • the communication unit receives a service organization search result from the organization information management server using the public ID of the service organization, and receives a distributed ID document of the service organization using the search result,
  • the control unit encrypts the communication encryption key using the service organization distributed ID public key and shares it with the service organization, and verifies it with the service organization using the communication encryption key, user distributed ID, and public ID of the service organization. You can request it.
  • the public ID may have been previously issued to correspond to the service organization based on the service organization's distributed ID and organization information.
  • the communication encryption key may be generated based on a symmetric key algorithm.
  • control unit can confirm whether the communication encryption key is shared with the service organization when requesting verification from the service organization.
  • control unit may encrypt the credential using the communication encryption key when requesting verification from the service organization.
  • control unit may sign a submission containing the encrypted credential with the user's distributed ID private key.
  • the communication unit receives a verification result for the verification request, the verification result is based on a result of decrypting the credential using the communication encryption key, and the communication encryption key uses the user distributed ID public key. and the user distributed ID public key can be obtained using the user distributed ID.
  • the encryption and decryption communication method of a distributed ID-based service includes the steps of receiving a credential submission from a user terminal, and using the user distributed ID to provide a user distributed ID public key. Obtaining, verifying the signature of the credential submission using the user distributed ID public key, decrypting the credential with a communication encryption key corresponding to the user distributed ID, and using the decrypted credential It includes performing user verification.
  • the credential submission may be generated using a public ID previously issued based on the service organization's distributed ID and organization information.
  • the communication encryption key may be generated based on a symmetric key algorithm.
  • the communication encryption key may be encrypted and received at the user terminal with the service organization distributed ID public key.
  • the user distributed ID public key can be obtained by searching the user distributed ID document stored in the distributed trust storage using the user distributed ID.
  • the reliability of the service provider can be improved by using a public ID in a distributed ID-based identity management service environment.
  • the present invention can obtain the service provider's public key using a public ID and utilize this to provide confidentiality between data transmission between the user and the service provider.
  • Figure 1 is a diagram conceptually showing a distributed ID-based distributed identity management service environment.
  • Figure 2 is an example of using a heterogeneous domain distributed identity management service in a single terminal.
  • Figure 3 is a diagram conceptually showing a symmetric key encryption algorithm.
  • Figure 4 is a diagram conceptually showing an asymmetric key encryption algorithm.
  • Figure 5 is an example verification framework for identity management service.
  • Figure 6 is an example of a malicious attack on an existing distributed identity management service.
  • Figure 7 is a flowchart showing an encryption and decryption communication method for a distributed ID-based service according to an embodiment of the present invention.
  • Figure 8 is a flowchart showing an encryption and decryption communication method for a distributed ID-based service according to another embodiment of the present invention.
  • Figure 9 is a configuration diagram showing an encryption and decryption communication system for distributed ID-based services according to an embodiment of the present invention.
  • FIGS 10 and 11 are flowcharts showing the organization information registration step in the verification method according to an embodiment of the present invention.
  • FIGS 14 and 15 are flowcharts showing the credential submission and verification steps in the verification method according to an embodiment of the present invention.
  • Figure 16 is a block diagram showing an encryption and decryption communication device (user terminal) for a distributed ID-based service according to an embodiment of the present invention.
  • Figure 17 is a diagram showing the configuration of a computer system according to an embodiment.
  • a or B “at least one of A and B”, “at least one of A or B”, “A, B or C”, “at least one of A, B and C”, and “A Each of phrases such as “at least one of , B, or C” may include any one of the items listed together in the corresponding phrase, or any possible combination thereof.
  • Figure 1 is a diagram conceptually showing a distributed ID-based distributed identity management service environment.
  • the distributed identity management service environment consists of entities such as an issuing authority, a user, a verification authority, and a trust repository.
  • the issuer issues credentials to the user, and the user manages the issued credentials and submits the credentials needed to use the service to the verifier.
  • the verifier requests the user for the credentials needed to provide the service, verifies the credentials submitted by the user, and provides the service.
  • the trust store stores and manages distributed identifiers (IDs) and distributed identifier documents that represent the identities of the issuing agency, user, and verification agency.
  • IDs distributed identifiers
  • distributed identifier documents that represent the identities of the issuing agency, user, and verification agency.
  • Figure 2 is an example of using a heterogeneous domain distributed identity management service in a single terminal.
  • Figure 3 is a diagram conceptually showing a symmetric key encryption algorithm.
  • Figure 4 is a diagram conceptually showing an asymmetric key encryption algorithm.
  • Encryption is a very important security technology in the modern information society. It is a technology that protects sensitive information by converting it into a form that is difficult for others to read. At this time, sensitive information is called plaintext, encryption applied is called ciphertext, and the process of restoring this ciphertext to plaintext is called decryption.
  • An encryption key is required for the encryption/decryption process, and the types of encryption keys are largely divided into symmetric keys and asymmetric keys.
  • the symmetric key algorithm is an algorithm that uses the same encryption key during the encryption/decryption process, and although it has a fast calculation speed, the strength of security is low because it uses the same key when encrypting/decrypting between the sender and the receiver.
  • the asymmetric key algorithm is an algorithm in which the sender and receiver each use different encryption keys during the encryption/decryption process.
  • the computation speed is slow, so it is less efficient for large data, but the encryption and decryption keys are different, so the strength of security is higher than that of symmetric keys. .
  • Figure 5 is an example verification framework for identity management service.
  • Figure 6 is an example of a malicious attack on an existing distributed identity management service.
  • Figure 7 is a flowchart showing an encryption and decryption communication method for a distributed ID-based service according to an embodiment of the present invention.
  • the encryption and decryption communication method of the distributed ID-based service shown in FIG. 7 can be performed on user devices such as smartphones and personal computers.
  • the encryption and decryption communication method of a distributed ID-based service includes the step of receiving a service organization search result from an organization information management server using the public ID of the service organization (S110). Receiving the distributed ID document of the service organization using the search result (S120), encrypting the communication encryption key using the service organization distributed ID public key (S130), and transferring the encrypted communication encryption key to the service organization It includes the step of transmitting to and requesting verification from the service organization using the communication encryption key (S140), the user distributed ID, and the public ID of the service organization (S150).
  • the public ID may have been previously issued to correspond to the service organization based on the service organization's distributed ID and organization information.
  • the communication encryption key may be generated based on a symmetric key algorithm.
  • the credential may be encrypted using the communication encryption key.
  • the concept of credential refers to proof information that a specific user has the relevant qualification, and includes not only VC, which is commonly referred to in a distributed identity management system, but also existing legacy electronic documents, certificate photos, etc.
  • the submission containing the encrypted credential may be signed with the user's distributed ID private key.
  • the encryption and decryption communication method of a distributed ID-based service may further include the step of receiving a verification result.
  • the verification result is based on the result of decrypting the credential using the communication encryption key
  • the communication encryption key is obtained using the user distributed ID public key
  • the user distributed ID public key is obtained by using the user distributed ID public key. It can be obtained using ID.
  • Figure 8 is a flowchart showing an encryption and decryption communication method for a distributed ID-based service according to another embodiment of the present invention.
  • the encryption and decryption communication method of the distributed ID-based service shown in FIG. 8 can be performed on a device such as a server of a distributed ID-based service provider.
  • the encryption and decryption communication method of a distributed ID-based service includes receiving a credential submission from a user terminal (S210), using the user distributed ID to obtain the user distributed ID public key.
  • Obtaining S220
  • verifying the signature of the credential submission using the user distributed ID public key
  • decrypting the credential with a communication encryption key corresponding to the user distributed ID (S240) and performing user verification using the decrypted credential (S250).
  • the concept of credential refers to proof information that a specific user has the relevant qualification, and includes not only VC, which is commonly referred to in a distributed identity management system, but also existing legacy electronic documents, certificate photos, etc.
  • the credential submission may be generated using a public ID previously issued based on the service organization's distributed ID and organization information.
  • the communication encryption key may be generated based on a symmetric key algorithm.
  • the communication encryption key may be encrypted and received at the user terminal with the service organization distributed ID public key.
  • the user distributed ID public key can be obtained by searching the user distributed ID document stored in the distributed trust storage using the user distributed ID.
  • the encryption and decryption communication method for distributed ID-based services is characterized by maintaining data confidentiality using a public ID and communication encryption key for verification of the service provider.
  • Figure 9 is a configuration diagram showing an encryption and decryption communication system for distributed ID-based services according to an embodiment of the present invention.
  • the user terminal (identity management app, 10) is the entity that stores and manages the credential issued by the service organization and submits the credential for identity verification when using other services.
  • the organization information management agency 20 is an entity that verifies the qualifications of the issuing agency so that a specific agency can serve as a credential issuer.
  • the institutional information management agency 20 sets the distributed ID for the institution and institutional information (ex: public information) as one set, issues a public ID when the service providing institution requests information registration, and later searches the institutional information and distributed ID for the institution using this. We provide services to make this possible.
  • the institutional information management server 30 is a system that stores and manages a set of institutional information, and may basically consist of a server and storage.
  • the credential issuing agency 40 is an entity that issues credentials to users at a service organization to use for identity verification. At this time, if the credential issuing agency 40 can provide verification-related services, it can simultaneously perform the role of a service provider.
  • the service provider 50 is a target entity for which a user requests service use, and requests and verifies the user's identity verification credentials for service provision. At this time, if the service provider 50 can perform credential issuance, it can simultaneously perform the role of a credential issuing agency.
  • the distributed ID management servers 60 and 80 are entities in charge of registering and managing the distributed IDs of entities in the distributed ID identity management system in the distributed trust storage, and perform registration/inquiry/update/disposal of the distributed IDs.
  • the server structure may be different for each distributed identity management system.
  • the distributed ID analysis server 70 is an entity that searches distributed trust repositories operated by each distributed identity management service and searches distributed ID document information.
  • the distributed ID interpretation server 70 checks the service domain information in the distributed ID, finds the distributed trust storage address, and requests information from that address. It can query the distributed ID document information itself or only partial information within it. .
  • the distributed trust storage 90 is an entity that stores and manages distributed IDs and other data (distributed ID documents, public keys, metadata, etc.) of entities on the distributed identity management service.
  • the distributed trust storage 90 is often configured in the form of a blockchain, but it can be configured only with a distributed ledger, and the scope of the present invention is not limited thereto.
  • Institutional information consists of information that can determine whether a company is a corporation, and the management data structure of the institutional information management agency can be configured in accordance with the service policy, but it must include identification information that can prove that it is an actual company.
  • An example of identification information that can prove that it is an actual company is the business registration number.
  • the organization information management server 30 must provide a means to check whether the organization is actually a corporation using the organization identification information received from the organization information management agency 20, but the present invention does not limit the implementation method.
  • the user requests the institution information management agency (20) through the public ID in the identity management app (10), checks whether the service is a legitimate institution through the searched information, and then requests credential issuance or provides services. You may submit credentials to prove your identity.
  • the user After public ID-based institutional verification is performed, the user performs encryption and decryption communication when communicating with the credential issuing agency 40 or the service provider 50.
  • an encryption algorithm an encryption algorithm with guaranteed safety must be used, and a hybrid encryption method that combines symmetric key and asymmetric key algorithms can be used to ensure communication speed and confidentiality.
  • the user generates a symmetric key using the symmetric key algorithm in the identity management app 10.
  • This symmetric key is encrypted using the public key contained in the distributed ID document of the transmitting institution, and if there is attached data, it is encrypted in advance using the symmetric key.
  • the symmetric key encrypted with the public key and the attached data encrypted with the symmetric key are sent to the transmission destination institution, and the institution decrypts the encrypted symmetric key using the private key corresponding to the public key contained in the distributed ID document for the institution and obtains the symmetric key. do.
  • the transmission destination organization decrypts the encrypted attached data using the obtained symmetric key, receives the attached data safely, and later performs bilateral encryption and decryption communication using this symmetric key.
  • the present invention can be largely comprised of an organization information registration step, a communication encryption key exchange step, and a credential submission and verification step.
  • an organization information registration step of the present invention will be described in detail with reference to FIGS. 10 and 11.
  • FIGS 10 and 11 are flowcharts showing the organization information registration step in the verification method according to an embodiment of the present invention.
  • a credential issuing agency 40
  • a credential verification agency 50
  • credential verification is mainly performed by the service provider, it can also be called a service provider. Since it is assumed that the two organizations have registered the distributed ID document containing the public key in the distributed trust storage (90), each organization must register the organization's distributed ID in the distributed trust storage (90) through the distributed ID management server.
  • the credential issuing agency 40 and the service provider 50 generate organization information (S302).
  • the institutional information must include at least one piece of identification information that can confirm the actual corporation, such as a business registration number.
  • an institutional information registration request is created (S304) to request registration of the relevant information with the institutional information management agency 20, and the registration request is signed with the private key corresponding to the distributed ID for each institution. Create (S306), attach, and send a request for registration of institutional information to the institutional information management agency (20) (S308).
  • the institutional information management agency 20 checks the institutional information registration request (S310) and transmits the institutional information and distributed institutional ID registration request to the institutional information management server 30 (S312).
  • the institution information management server 30 performs a duplicate check of the institution information based on the database that manages the institution information (S312). If the institutional information is not duplicated, the institutional information management server requests the distributed ID of the institution contained in the request to the distributed ID interpretation server to verify the signature of the institutional information registration request (S316).
  • the distributed ID interpretation server 70 confirms the structure of the organization's distributed ID and plays a role in finding the location of an appropriate distributed trust store (S318), and the distributed trust store 90 provides a distributed ID document corresponding to the distributed ID requested to be searched. It is searched and returned as a response value (S320, S322), and the distributed ID analysis server 70 also returns the distributed ID document, which is the response value, to the organization information management server 30 (S324).
  • the institutional information management server 30 obtains a public key from the distributed ID document that is the response value and performs signature verification on the institutional information registration request (S326, S328). When verification is completed, the authenticity of the organization information requested for registration is confirmed (S330). Since the authenticity verification method may be implemented differently depending on the system policy, the present invention does not impose restrictions on the form of implementation of the authenticity verification method. For example, one way is to build a linked system to check whether a company is a corporation using the OpenDART API of the electronic disclosure system.
  • the institutional information management server 30 When verification of the authenticity of the institutional information requested for registration is completed, the institutional information management server 30 creates a public ID and stores it in the institutional information management database along with the institutional information and institutional distributed ID (S332, S334).
  • the public ID serves as a primary key to search the stored organization information dataset (organization information + organization distributed ID), and returns the public ID together in the response to the organization information registration request (S336).
  • the institutional information management agency transmits an institutional information registration response to the credential issuing agency and service provider, and each agency stores the public ID received as a response (S338, S340, S342).
  • Each service organization must be able to provide public IDs to users by providing a QR code on the site screen or sending an email. When saving the public ID is complete, the process ends.
  • the user Before communicating with the credential issuer 40 or service provider 50, the user must establish a secure connection by exchanging encryption keys.
  • the user selects the 'Share communication security key' menu in the identity management app (10)
  • it is checked whether there is a previously created communication encryption key in the mobile terminal, and if there is no pre-generated encryption key, a communication encryption key creation notification window is displayed to the user.
  • a communication encryption key can be generated (S402).
  • a symmetric key algorithm must be used, and an algorithm with guaranteed safety, such as AES, must be used.
  • the user selects a communication encryption key and then enters the public ID of the target organization.
  • a public ID input field will appear. Enter the public ID value by entering it directly as text or by scanning the QR code of the public ID posted on the organization's site (S404).
  • the identity management app makes a query request to the institution information management server 30 (S406) to check whether the public ID is valid, and the institution information management server 30 sends an inquiry request to the institution information data set (institution information and Agency distributed ID) is transmitted to the identity management app (S408, S410).
  • the identity management app 10 checks whether the searched organization information data exists (S412, S414) and displays the searched organization information on the screen so that the user can directly check the organization information and proceed with the steps.
  • the identity management app 10 requests the distributed ID interpretation server 70 to query the public key corresponding to the organization distributed ID (S416).
  • the distributed ID interpretation server 70 is a server that returns a distributed ID document after checking which distributed ID the requested distributed ID is stored in the distributed trust store on multiple domains.
  • the distributed ID interpretation server 70 is a server that returns the distributed ID document to the distributed trust store 90 ), the distributed trust storage 90 returns a distributed ID document in which the public key of the distributed ID is stored (S420, S422).
  • the distributed ID interpretation server 70 transmits the searched organization distributed ID document to the identity management app 10 (S424), and the identity management app obtains the public key of the organization distributed ID from the searched distributed ID document (S426).
  • the institutional distributed ID public key is used to encrypt the communication encryption key, and in the present invention, the public key contained in the distributed ID document uses a public key created using a secure asymmetric key algorithm such as RSA.
  • the identity management app 10 encrypts the communication encryption key with the public key contained in the distributed ID document (S428), creates a message containing the encrypted communication encryption key and the user distributed ID, and transmits it to the target organization (S430, S432, S434) ).
  • the target organization (40, 50) obtains the communication encryption key encrypted from the received transmission (S436), decrypts it with the private key of the distributed ID held by the organization, obtains the communication encryption key, and stores it in the database along with the distributed ID. Do (S438, S440).
  • the organization (40, 50) After saving the communication encryption key, the organization (40, 50) sends a transmission processing completion response to the identity management app (10) (S442), and the identity management app checks the response result and then enters the public ID of the organization for which communication encryption key exchange was completed. Store it in the database within the identity management app (S444, S446). Later, you can check the public ID value stored in the database to check whether the organization has previously exchanged communication encryption keys. When saving is complete, the process ends.
  • FIGS 14 and 15 are flowcharts showing the credential submission and verification steps in the verification method according to an embodiment of the present invention.
  • a window will pop up to enter the public ID of the service provider you want to connect to, and enter the public ID value by entering it directly as text or scanning the QR code of the public ID posted on the organization's site (S502).
  • the communication encryption key and credentials When it is confirmed whether the communication encryption key is shared, select the communication encryption key and credentials to be submitted (S506, S508).
  • the submitted credential is encrypted using the communication encryption key, and a credential submission containing the encrypted credential and the user's distributed ID is generated (S510, S512, S514).
  • the generated credential submission is signed with the private key of the user's distributed ID for identity verification, and then the signed credential submission is sent to the service provider (S516, S518).
  • the service provider obtains the user's distributed ID and encrypted credential from the received credential submission (S520).
  • the service provider requests the user's distributed ID document to be searched to the distributed ID analysis server to search the submitter's public key for signature verification (S522).
  • the distributed ID interpretation server requests the distributed trust store to query the user's distributed ID document, and the distributed trust store returns a distributed ID document with the distributed ID as the key value (S524, S526, S528).
  • the distributed ID analysis server transmits the searched organization distributed ID document to the service provider, and the service provider obtains the public key of the user distributed ID from the searched distributed ID document (S530, S532).
  • the service provider performs signature verification on the credential submission using the obtained public key (S534).
  • the service provider checks whether there is a communication encryption key corresponding to the user distributed ID in the communication encryption key database (S536). If there is a queried communication encryption key, the service provider decrypts the encrypted credential using the corresponding communication encryption key (S538). With the decrypted credential, the service provider verifies whether the user is eligible to receive the service (S540). Since the verification content and method may differ depending on the service provision type, this invention does not place any restrictions on the verification procedure.
  • the service provider sends a response notifying the completion of verification of the submitted credential to the identity management app (S542, S544).
  • the identity management app checks the response that has completed verification of the submitted credentials and ends the process (S546).
  • Figure 16 is a block diagram showing an encryption and decryption communication device (user terminal) for a distributed ID-based service according to an embodiment of the present invention.
  • a user terminal includes a communication unit 110 that communicates with a service organization, an information management server, or another terminal, and a control unit (110) that generates a communication encryption key and generates a submission required for verification ( 120),
  • the communication unit 110 receives a service organization search result from the organization information management server using the public ID of the service organization, receives a distributed ID document of the service organization using the search result, and the control unit 120
  • the communication encryption key can be encrypted using the service organization distributed ID public key and shared with the service organization, and verification can be requested from the service organization using the communication encryption key, user distributed ID, and the service organization's public ID. .
  • the public ID may have been previously issued to correspond to the service organization based on the service organization's distributed ID and organization information.
  • the communication encryption key may be generated based on a symmetric key algorithm.
  • control unit 120 can check whether the communication encryption key is shared with the service organization when requesting verification from the service organization.
  • control unit 120 may encrypt the credential using the communication encryption key when requesting verification from the service organization.
  • the concept of credential refers to proof information that a specific user has the relevant qualification, and includes not only VC, which is commonly referred to in a distributed identity management system, but also existing legacy electronic documents, certificate photos, etc.
  • control unit 120 may sign a submission containing the encrypted credential with the user's distributed ID private key when requesting verification from the service organization.
  • the communication unit 110 receives a verification result for the verification request, the verification result is based on a result of decrypting the credential using the communication encryption key, and the communication encryption key is disclosed to the user distributed ID. It is obtained using a key, and the user distributed ID public key may be obtained using the user distributed ID.
  • Figure 17 is a diagram showing the configuration of a computer system according to an embodiment.
  • An encryption/decryption communication device for a distributed ID-based service may be implemented in a computer system 1000 such as a computer-readable recording medium.
  • Computer system 1000 may include one or more processors 1010, memory 1030, user interface input device 1040, user interface output device 1050, and storage 1060 that communicate with each other via bus 1020. You can. Additionally, the computer system 1000 may further include a network interface 1070 connected to the network 1080.
  • the processor 1010 may be a central processing unit or a semiconductor device that executes programs or processing instructions stored in the memory 1030 or storage 1060.
  • the memory 1030 and storage 1060 may be storage media that includes at least one of volatile media, non-volatile media, removable media, non-removable media, communication media, and information transfer media.
  • memory 1030 may include ROM 1031 or RAM 1032.
  • connections or connection members of lines between components shown in the drawings exemplify functional connections and/or physical or circuit connections, and in actual devices, various functional connections or physical connections may be replaced or added. Can be represented as connections, or circuit connections. Additionally, if there is no specific mention such as “essential,” “important,” etc., it may not be a necessary component for the application of the present invention.

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Storage Device Security (AREA)

Abstract

Un procédé de communication cryptographique d'un service basé sur un identifiant décentralisé, selon un mode de réalisation de la présente invention, comporte les étapes consistant à : recevoir un résultat d'interrogation d'organisation de service provenant d'un serveur de gestion d'informations d'organisation en utilisant un identifiant public d'une organisation de service ; recevoir un document d'identification décentralisée de l'organisation de service en utilisant le résultat d'interrogation ; chiffrer une clé cryptographique de communication en utilisant une clé publique d'identification décentralisée d'organisation de service ; transmettre la clé cryptographique chiffrée de communication à l'organisation de service ; et demander une authentification à l'organisation de service en utilisant la clé cryptographique de communication, un identifiant décentralisé d'un utilisateur, et l'identifiant public de l'organisation de service.
PCT/KR2022/016714 2022-10-27 2022-10-28 Procédé et appareil de communication cryptographique de service basé sur un identifiant décentralisé WO2024090628A1 (fr)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
KR10-2022-0140396 2022-10-27
KR1020220140396A KR20240059302A (ko) 2022-10-27 2022-10-27 분산 id 기반 서비스의 암복호화 통신 방법 및 장치

Publications (1)

Publication Number Publication Date
WO2024090628A1 true WO2024090628A1 (fr) 2024-05-02

Family

ID=90831058

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/KR2022/016714 WO2024090628A1 (fr) 2022-10-27 2022-10-28 Procédé et appareil de communication cryptographique de service basé sur un identifiant décentralisé

Country Status (2)

Country Link
KR (1) KR20240059302A (fr)
WO (1) WO2024090628A1 (fr)

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
KR20160055388A (ko) * 2014-11-08 2016-05-18 김경진 서비스 제공사 인증 및 보안 통신이 가능한 환경 기반의 공동앱을 구성하는 방법
US20200196143A1 (en) * 2016-07-28 2020-06-18 Estorm Co., Ltd. Public key-based service authentication method and system
KR102131206B1 (ko) * 2019-08-30 2020-08-05 비씨카드(주) 법인 관련 서비스 제공 방법, 이를 지원하는 방법, 이를 수행하는 서비스 서버 및 인증 서버
KR20210139052A (ko) * 2020-05-13 2021-11-22 한국전자통신연구원 블록체인 기반 id 관리 장치 및 방법
KR20220122224A (ko) * 2021-02-26 2022-09-02 한국전자통신연구원 사용자 단말 및 대상 서버에서의 분산 id에 기반한 사용자 통합 인증 방법

Family Cites Families (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
KR102139645B1 (ko) 2020-04-13 2020-07-30 주식회사 한국정보보호경영연구소 블록체인 기반의 신원증명 시스템 및 그 구동방법

Patent Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
KR20160055388A (ko) * 2014-11-08 2016-05-18 김경진 서비스 제공사 인증 및 보안 통신이 가능한 환경 기반의 공동앱을 구성하는 방법
US20200196143A1 (en) * 2016-07-28 2020-06-18 Estorm Co., Ltd. Public key-based service authentication method and system
KR102131206B1 (ko) * 2019-08-30 2020-08-05 비씨카드(주) 법인 관련 서비스 제공 방법, 이를 지원하는 방법, 이를 수행하는 서비스 서버 및 인증 서버
KR20210139052A (ko) * 2020-05-13 2021-11-22 한국전자통신연구원 블록체인 기반 id 관리 장치 및 방법
KR20220122224A (ko) * 2021-02-26 2022-09-02 한국전자통신연구원 사용자 단말 및 대상 서버에서의 분산 id에 기반한 사용자 통합 인증 방법

Also Published As

Publication number Publication date
KR20240059302A (ko) 2024-05-07

Similar Documents

Publication Publication Date Title
WO2018030707A1 (fr) Système et procédé d'authentification, et équipement d'utilisateur, serveur d'authentification, et serveur de service pour exécuter ledit procédé
WO2018124857A1 (fr) Procédé et terminal d'authentification sur la base d'une base de données de chaînes de blocs d'un utilisateur sans face-à-face au moyen d'un id mobile, et serveur utilisant le procédé et le terminal
WO2021002692A1 (fr) Procédé de fourniture de service d'actifs virtuels sur la base d'un identifiant décentralisé et serveur de fourniture de service d'actifs virtuels les utilisant
WO2020062642A1 (fr) Procédé, dispositif et équipement à base de chaîne de blocs pour signer des documents électroniques, et support d'informations
WO2020147383A1 (fr) Procédé, dispositif et système d'examen et d'approbation de processus utilisant un système de chaîne de blocs, et support de stockage non volatil
WO2017111383A1 (fr) Dispositif d'authentification sur la base de données biométriques, serveur de commande relié à celui-ci, et procédé de d'ouverture de session sur la base de données biométriques
WO2019132272A1 (fr) Identifiant en tant que service basé sur une chaîne de blocs
WO2018194379A1 (fr) Procédé d'approbation de l'utilisation d'une carte à l'aide d'un identificateur de jeton sur la base d'une chaîne de blocs et structure en arbre de merkle associée à celui-ci, et serveur l'utilisant
WO2022102930A1 (fr) Système did utilisant une authentification par pin de sécurité basée sur un navigateur, et procédé de commande associé
WO2020220413A1 (fr) Procédé et système de preuve à divulgation nulle de connaissance pour informations personnelles, et support de données
WO2020189926A1 (fr) Procédé et serveur permettant de gérer une identité d'utilisateur en utilisant un réseau à chaîne de blocs, et procédé et terminal d'authentification d'utilisateur utilisant l'identité d'utilisateur basée sur un réseau à chaîne de blocs
WO2018124856A1 (fr) Procédé et terminal d'authentification d'un utilisateur au moyen d'un id mobile grâce à une base de données de chaînes de blocs, et serveur utilisant le procédé et le terminal
WO2012099330A2 (fr) Système et procédé de délivrance d'une clé d'authentification pour authentifier un utilisateur dans un environnement cpns
WO2020164280A1 (fr) Procédé de chiffrement de transmission de données, dispositif, support de stockage et serveur
JP2007110377A (ja) ネットワークシステム
WO2017105072A1 (fr) Dispositif d'authentification basé sur des informations biométriques et son procédé de fonctionnement
WO2020034527A1 (fr) Procédé, appareil, et dispositif de chiffrement et d'autorisation d'informations personnelles d'utilisateur, et support de stockage lisible
WO2015030553A1 (fr) Système et procédé de signature sans certificat sur la base d'un réseau
WO2012047032A2 (fr) Système de gestion de carte d'identification mobile et son procédé de gestion de carte d'identification mobile
WO2020141782A1 (fr) Procédé et serveur de gestion d'identité d'utilisateur à l'aide d'un réseau à chaîne de blocs, et procédé et terminal d'authentification d'utilisateur à l'aide d'une identité d'utilisateur basée sur un réseau à chaîne de blocs
WO2017116062A1 (fr) Procédé et serveur d'authentification et de vérification de fichier
WO2020222475A1 (fr) Procédé d'authentification de document et système d'authentification de document dans lequel une fonction d'authentification est améliorée par des informations d'historique d'interrogation et des informations d'authentification de document
WO2020032351A1 (fr) Procédé permettant d'établir une identité numérique anonyme
WO2020138733A1 (fr) Système de chaîne de blocs pour fournir l'anonymat d'informations privées et procédé pour fournir l'anonymat d'informations privées dans une chaîne de blocs
Zou et al. A decentralized electronic reporting scheme with privacy protection based on proxy signature and blockchain