CN113704775A - Service processing method based on distributed digital identity and related device - Google Patents
Service processing method based on distributed digital identity and related device Download PDFInfo
- Publication number
- CN113704775A CN113704775A CN202110797332.7A CN202110797332A CN113704775A CN 113704775 A CN113704775 A CN 113704775A CN 202110797332 A CN202110797332 A CN 202110797332A CN 113704775 A CN113704775 A CN 113704775A
- Authority
- CN
- China
- Prior art keywords
- certificate
- service
- electronic
- user
- party
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Granted
Links
- 238000003672 processing method Methods 0.000 title claims abstract description 13
- 238000012795 verification Methods 0.000 claims abstract description 57
- 238000000034 method Methods 0.000 claims abstract description 42
- 238000012545 processing Methods 0.000 claims abstract description 23
- YSCNMFDFYJUPEF-OWOJBTEDSA-N 4,4'-diisothiocyano-trans-stilbene-2,2'-disulfonic acid Chemical compound OS(=O)(=O)C1=CC(N=C=S)=CC=C1\C=C\C1=CC=C(N=C=S)C=C1S(O)(=O)=O YSCNMFDFYJUPEF-OWOJBTEDSA-N 0.000 claims description 7
- 239000000126 substance Substances 0.000 claims description 3
- 238000005516 engineering process Methods 0.000 abstract description 16
- 230000008569 process Effects 0.000 abstract description 13
- 230000001960 triggered effect Effects 0.000 abstract description 7
- 230000014759 maintenance of location Effects 0.000 abstract description 6
- 238000010586 diagram Methods 0.000 description 5
- 230000008520 organization Effects 0.000 description 3
- 230000032683 aging Effects 0.000 description 2
- 238000004590 computer program Methods 0.000 description 2
- 230000006870 function Effects 0.000 description 2
- 238000013459 approach Methods 0.000 description 1
- 238000003491 array Methods 0.000 description 1
- 230000005540 biological transmission Effects 0.000 description 1
- 230000001413 cellular effect Effects 0.000 description 1
- 230000008859 change Effects 0.000 description 1
- 238000011161 development Methods 0.000 description 1
- 230000018109 developmental process Effects 0.000 description 1
- 201000010099 disease Diseases 0.000 description 1
- 208000037265 diseases, disorders, signs and symptoms Diseases 0.000 description 1
- 230000006872 improvement Effects 0.000 description 1
- 230000010365 information processing Effects 0.000 description 1
- 230000003993 interaction Effects 0.000 description 1
- 238000007726 management method Methods 0.000 description 1
- 238000004519 manufacturing process Methods 0.000 description 1
- 230000004048 modification Effects 0.000 description 1
- 238000012986 modification Methods 0.000 description 1
- 238000012544 monitoring process Methods 0.000 description 1
- 238000011022 operating instruction Methods 0.000 description 1
- 230000003287 optical effect Effects 0.000 description 1
- 230000002093 peripheral effect Effects 0.000 description 1
- 230000000750 progressive effect Effects 0.000 description 1
- 238000012797 qualification Methods 0.000 description 1
- 238000013468 resource allocation Methods 0.000 description 1
- 230000003068 static effect Effects 0.000 description 1
- 230000009466 transformation Effects 0.000 description 1
Images
Classifications
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/60—Protecting data
- G06F21/62—Protecting access to data via a platform, e.g. using keys or access control rules
- G06F21/6218—Protecting access to data via a platform, e.g. using keys or access control rules to a system of files or objects, e.g. local or distributed file system or database
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F16/00—Information retrieval; Database structures therefor; File system structures therefor
- G06F16/20—Information retrieval; Database structures therefor; File system structures therefor of structured data, e.g. relational data
- G06F16/27—Replication, distribution or synchronisation of data between databases or within a distributed database system; Distributed database system architectures therefor
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/60—Protecting data
- G06F21/602—Providing cryptographic facilities or services
Landscapes
- Engineering & Computer Science (AREA)
- Theoretical Computer Science (AREA)
- General Physics & Mathematics (AREA)
- Physics & Mathematics (AREA)
- General Engineering & Computer Science (AREA)
- Databases & Information Systems (AREA)
- General Health & Medical Sciences (AREA)
- Computer Hardware Design (AREA)
- Computer Security & Cryptography (AREA)
- Software Systems (AREA)
- Health & Medical Sciences (AREA)
- Bioethics (AREA)
- Computing Systems (AREA)
- Data Mining & Analysis (AREA)
- Storage Device Security (AREA)
Abstract
One or more embodiments of the present specification disclose a service processing method and a related device based on distributed digital identities, the scheme including: by using the DID technology, higher-level privacy protection can be performed on a user side by using an encryption technology in a real-time triggered service scene, and the content option of a certificate required by verification operation is given to the user side for processing, so that data leakage possibly caused by retention on other platforms is avoided, and the data security of the user is ensured as much as possible; in addition, state information is maintained for the certified certificate on the block chain, and the verification accuracy of the user can be guaranteed. Therefore, the data security and the service processing efficiency in the certificate verification process are improved as a whole.
Description
Technical Field
The present invention relates to the field of block chain technologies, and in particular, to a service processing method and a related apparatus based on distributed digital identities.
Background
Traditional financial institutions serve financial systems in a centralized manner, and play a role in information matching, credit guarantee and resource allocation.
However, with the increasing number of counterparties, increasingly complex transaction patterns, and more diversified data exchange requirements, the centralized operation pattern of conventional financial institutions is challenged. Particularly, in the aspect of information processing, financial institutions need to invest huge cost to solve the problem of information asymmetry. Many financial institutions propose digital transformation plans, but most still move offline services to online, which are not the root cause of the disease.
Especially, in the existing financial service scene related to multipoint information interaction and verification, the security and verification efficiency of the service data cannot be guaranteed.
Disclosure of Invention
One or more embodiments of the present disclosure provide a service processing method and a related device based on distributed digital identity, so as to improve data security and service processing efficiency in a credential verification process.
To solve the above technical problem, one or more embodiments of the present specification are implemented as follows:
in a first aspect, a service processing method based on distributed digital identities is provided, including:
after a user side creates a distributed digital identity DID for a target user, a service request is sent to a service side;
the business side returns a verification requirement, and the verification requirement at least comprises the following steps: executing the certificate type needing to be verified of the current service;
the user side applies for electronic certificates to at least one issuer respectively based on the certificate types in the verification requirements;
the at least one issuer issues electronic certificates related to corresponding DIDs for the target users respectively, and the electronic certificates are encrypted and then sent to the user side; meanwhile, the electronic certificates are signed and then sent to a block chain for storing certificates, wherein state information representing the validity of each electronic certificate is maintained on the block chain;
the user side decrypts the encrypted electronic certificates, selects one or more certificate contents of each electronic certificate, encrypts the certificate contents by using the public key of the service side and transmits the encrypted certificate contents to the service side;
and the service party decrypts the received certificate content by using a private key of the service party, verifies the decrypted certificate content based on the electronic certificate signature stored on the block chain and corresponding state information, and executes the service after the verification is passed.
In a second aspect, a service processing system based on distributed digital identity is provided, which includes: a user side, a service side and a issuing side; wherein the content of the first and second substances,
after a user side creates a distributed digital identity DID for a target user, a service request is sent to a service side;
the business side returns a verification requirement, and the verification requirement at least comprises the following steps: executing the certificate type needing to be verified of the current service;
the user side applies for electronic certificates to at least one issuer respectively based on the certificate types in the verification requirements;
the at least one issuer issues electronic certificates related to corresponding DIDs for the target users respectively, and the electronic certificates are encrypted and then sent to the user side; meanwhile, the electronic certificates are signed and then sent to a block chain for storing certificates, wherein state information representing the validity of each electronic certificate is maintained on the block chain;
the user side decrypts the encrypted electronic certificates, selects one or more certificate contents of each electronic certificate, encrypts the certificate contents by using the public key of the service side and transmits the encrypted certificate contents to the service side;
and the service party decrypts the received certificate content by using a private key of the service party, verifies the decrypted certificate content based on the electronic certificate signature stored on the block chain and corresponding state information, and executes the service after the verification is passed.
In a third aspect, an electronic device is provided, including:
a processor; and
a memory arranged to store computer executable instructions that, when executed, cause the processor to perform the method performed by the respective execution body.
In a fourth aspect, a computer-readable storage medium is provided, which stores one or more programs that, when executed by an electronic device including a plurality of application programs, cause the electronic device to perform the method performed by the above-described respective execution body.
As can be seen from the technical solutions provided by one or more embodiments of the present specification, by using the DID technology, a higher level of privacy protection can be performed on the user side by using the encryption technology in a real-time triggered service scenario, and moreover, the content option of the credential required for the verification operation is handed to the user side for processing, thereby avoiding data leakage possibly caused by retention on other platforms, and ensuring the security of the user data as much as possible; in addition, state information is maintained for the certified certificate on the block chain, and the verification accuracy of the user can be guaranteed. Therefore, the data security and the service processing efficiency in the certificate verification process are improved as a whole.
Drawings
In order to more clearly illustrate one or more embodiments or prior art solutions of the present specification, reference will now be made briefly to the attached drawings, which are needed in the description of one or more embodiments or prior art, and it should be apparent that the drawings in the description below are only some of the embodiments described in the specification, and that other drawings may be obtained by those skilled in the art without inventive exercise.
Fig. 1 is a system architecture for implementing a service processing scheme based on DID according to an embodiment of the present disclosure.
Fig. 2 is a schematic step diagram of a service processing method based on distributed digital identities provided in an embodiment of this specification.
Fig. 3 is a flow chart of the business process of purchasing a house loan, provided in the embodiments of the present description.
Fig. 4 is a schematic structural diagram of a service processing system based on distributed digital identity according to an embodiment of the present specification.
Fig. 5 is a schematic structural diagram of an electronic device provided in an embodiment of the present specification.
Detailed Description
In order to make the technical solutions in the present specification better understood, the technical solutions in one or more embodiments of the present specification will be clearly and completely described below with reference to the accompanying drawings in one or more embodiments of the present specification, and it is obvious that the one or more embodiments described are only a part of the embodiments of the present specification, and not all embodiments. All other embodiments that can be derived by a person skilled in the art from one or more of the embodiments described herein without making any inventive step shall fall within the scope of protection of this document.
Distributed Identities (DID) are Decentralized verifiable digital Identifiers, and have the characteristics of being distributed, autonomously controllable, cross-chain multiplexing and the like. The user entity (natural person or enterprise, organization, etc.) can autonomously complete the registration, parsing, updating or revocation of the DID. The DID is an identifier consisting of a string of characters to represent a digital identity that can be globally unique without the need for a central registry. Typically, a user entity may possess multiple identities, each assigned a unique DID value, and an asymmetric key associated therewith. There is no associated information between different identities, thus effectively avoiding the collection of owner identity information.
First, a system architecture for implementing a service processing scheme based on DID according to an embodiment of the present disclosure is introduced, and as shown in fig. 1, the system architecture includes: user 102, business 104, issuer 106, and agent 108. The user 102 corresponds to a platform service object, for example, a target user operating the credential application and verification service of this time, where the target user may be a natural person, an enterprise, an organization, or the like; the service part 104 is configured to provide a backend service (specifically, may include a verification service and a service) for the user part 102, and in a specific implementation, the user part 102 may be a mobile terminal such as a mobile phone, and the service part 104 may be a background server such as a computer. Issuer 106 may be the authority (actually corresponding to the service terminal) issuing verifiable credentials VC and agent 108 may be the authority providing KYC services, creating DID for the entity. It should be understood that in this system architecture, there may be multiple issuers 106, and the target user may apply for electronic credentials from different issuers 106; the issuer 106 may be one, and the single issuer 106 integrates multiple certificate issuing functions, that is, multiple different electronic certificates can be issued according to different applications of the target user.
In the scheme, the DID technology realizes a set of identity identification and trusted data exchange solution with global mutual authentication, portability and interoperability. A series of services of distributed entity identity and management, trusted data exchange protocol, etc. are carried out by creating a DID and issuing verifiable credentials VC for user entities (business, individual). A data exchange paradigm based on user-centered and privacy protection and safety specifications is provided for decentralized business (particularly financial services). The ecological circle of the business organization is expanded to obtain the guest capacity, and the business capacity is opened in a wider range.
Example one
Referring to fig. 2, a schematic step diagram of a service processing method based on distributed digital identity provided in an embodiment of the present specification, where the method may include the following steps:
step 202: after the user side creates a distributed digital identity DID for the target user, a service request is sent to the service side.
Optionally, the creating, by the user side, the distributed digital identity DID for the target user may specifically include:
creating a DID for the target user through an agent; the agent only allows the user party to access the data, or allows the user party and the service party to access the data, or opens the access right of the agent.
The DID can be specifically analyzed as a DID Document, which includes a unique id of the DID, a public key list, detailed information of the public key (holder, encryption algorithm, key status, etc.), and other attribute descriptions of the DID holder. The user side can complete identity authentication through the agent side, and create and generate one or more DIDs which are not associated with each other and represent different identity information in different service fields.
The user side initiates a service request to the service side based on the created DID, and it should be understood that the service request may carry information related to the DID of the target user, so that the service side can identify the identity conveniently.
Step 204: the business side returns a verification requirement, and the verification requirement at least comprises the following steps: the type of credential that needs to be verified to perform this transaction.
After the user side initiates the service application, the service side is not triggered to directly enter the service operation. Instead, the service party returns a subsequent verification requirement for verifying the identity and the service authority of the user party to the user party, wherein the verification requirement at least comprises a certificate type required to be verified for executing the service. For example, the credential types may include tax payment proofs, house proofs, academic proofs, and the like.
Step 206: and the user side applies for the electronic certificate to at least one issuer respectively based on the certificate type in the verification requirement.
After the user side knows the required certificate types verified by the service side, the user side can respectively apply for the electronic certificates to the issuers corresponding to the certificate types. In fact, the authentication requirement can only comprise one certificate type, so that the user side only needs to apply for the electronic certificate to the issuer corresponding to the certificate type subsequently; of course, the verification requirement may also include a plurality of credential types, and the user side may apply for different electronic credentials to the issuers corresponding to the credential types, respectively.
Step 208: the at least one issuer issues electronic certificates related to corresponding DIDs for the target users respectively, and the electronic certificates are encrypted and then sent to the user side; and meanwhile, the electronic certificate is signed and then sent to a block chain for storing certificates, wherein state information representing the validity of the electronic certificate is maintained on the block chain for each electronic certificate.
And the issuer verifies whether the target user has claim qualification according to the matching of the received DID completion data, if so, the issuer issues an electronic certificate to the target user, and otherwise, the issuer does not issue the electronic certificate. Optionally, when each issuer encrypts the issued electronic certificate, the method specifically includes: acquiring a public key of the target user from a block chain; and encrypting the electronic certificate original text by using a local symmetric key to obtain an encrypted electronic certificate, and encrypting the symmetric key by using the public key of the target user to obtain an encryption result. And then, sending the encrypted electronic certificate to the user side. Meanwhile, the issuer signs the electronic certificate by using a local private key, and then sends the electronic certificate to the block chain for storing the certificate, and after storing the certificate, the block chain maintains state information of each electronic certificate, wherein the state information is used for representing the validity of the electronic certificate, for example, the state information may be an aging mark, and if the aging is exceeded, the certificate is determined to be invalid. As another example, the state information may be a state flag, and the credential may be determined to be invalid if the current state flag is invalid.
Step 210: and the user side decrypts the encrypted electronic certificates, selects one or more certificate contents of each electronic certificate, encrypts by using the public key of the service side and transmits the encrypted certificate contents to the service side.
Optionally, when the user decrypts the encrypted electronic certificate, the method specifically includes: decrypting the encryption result by using a private key of the user to obtain a symmetric key; and decrypting the encrypted electronic certificate by using the symmetric key to obtain the original text of the electronic certificate.
An implementable approach, said validating requirement further comprising: executing the content attribute of the electronic certificate which needs to be verified in the business; then, when the user party selects one or more credential contents of each electronic credential, encrypts the selected credential contents using the public key of the service party, and transmits the encrypted credential contents to the service party, the method specifically includes: and selecting one or more certificate contents of each electronic certificate based on the content attribute of the electronic certificate in the verification requirement, encrypting by using the public key of the service party, and transmitting to the service party.
The content attribute may be a certain content of the electronic certificate, for example, taking the electronic certificate as tax payment certificate as an example, the content attribute may include: annual tax amount, year of tax, total amount of tax etc.
Step 212: and the service party decrypts the received certificate content by using a private key of the service party, verifies the decrypted certificate content based on the electronic certificate signature stored on the block chain and corresponding state information, and executes the service after the verification is passed.
Optionally, when the service party decrypts the received credential content by using its own private key and verifies the received credential content based on the electronic credential signature stored in the block chain and the corresponding state information, the method specifically includes: decrypting the received certificate content by using a self private key, and performing signature release on a corresponding electronic certificate signature by using a public key of an issuer; and verifying the authenticity of the decrypted certificate content based on the electronic certificate obtained after the electronic certificate is de-signed, and verifying the validity of the decrypted certificate content based on the state information of each electronic certificate.
In fact, in the embodiment of the present specification, when verifying the electronic certificate, the authenticity of the certificate content of the electronic certificate may be verified first, that is, whether the received certificate content is authentic or not may be verified based on the electronic certificate obtained after the electronic certificate is signed off; and then, checking the timeliness of the voucher content based on the on-chain state information corresponding to the electronic voucher. Or, the timeliness is checked first and then the authenticity is checked.
By using the DID technology, higher-level privacy protection can be performed on a user side by using an encryption technology in a real-time triggered service scene, and the content option of a certificate required by verification operation is given to the user side for processing, so that data leakage possibly caused by retention on other platforms is avoided, and the data security of the user is ensured as much as possible; in addition, state information is maintained for the certified certificate on the block chain, and the verification accuracy of the user can be guaranteed. Therefore, the data security and the service processing efficiency in the certificate verification process are improved as a whole.
The following describes the embodiments of the present disclosure in detail by taking financial services as an example.
Referring to fig. 3, a business flow chart is shown, which takes financial business as a house purchasing commercial loan as an example. In the business scenario, the house purchasing user end, the loan bank end, the supervision end and the government integrated affair end (tax sub-end, house manager end, college sub-end) can be mainly involved. In addition, a block chain is also included.
And the house purchasing user side carries out identity authentication through the monitoring end to create the DID.
The client side of the purchasing room sends a loan request to the loan bank side.
And the paying bank side returns the required certificate type and the content attribute.
The house purchasing user side respectively initiates electronic certificate application to the tax sub-terminal, the house manager terminal and the college sub-terminal.
Issuing and encrypting an electronic certificate: firstly, a tax sub-terminal, a house manager terminal and a college sub-terminal respectively issue electronic certificates (tax certificate, house certificate and academic certificate) associated with DID; next, acquiring a public key of the house purchasing user on the chain; then, encrypting the electronic certificate original text (M) by using the local symmetric key (K) to obtain an encrypted electronic certificate (EK (M)); finally, the symmetric key (K) is encrypted by using the public key PK of the house-buying user to obtain an encrypted result (EPK (K)).
And sending the encrypted electronic certificate to a house purchasing user side and sending the electronic certificate to a block chain certificate after signing.
The house-buying user side decrypts the electronic certificate: firstly, decrypting (EPK (K)) by using a local private key to obtain (K); then, the encrypted electronic certificate (EK (M)) is decrypted by using the symmetric key (K) to obtain the original text (M) of the electronic certificate.
The client side of the house purchase selectively re-encrypts the electronic certificate and transmits the electronic certificate to the bank side of the deposit.
And the paying bank terminal decrypts the electronic certificate and then acquires the signature of the electronic certificate from the chain and releases the signature.
And the bank paying terminal verifies the authenticity and timeliness of the electronic certificate.
And after the verification is passed, the deposit bank terminal executes the deposit service.
By the technical scheme, the collection of information can be reduced when a financial institution executes business operation, the required certificate can be called in a distributed mode, certificate verification and operation registration are realized through a block chain, and supervision and tracing are supported. The entity can protect privacy as much as possible in the service development process, and particularly in a cross-business state and multi-level service mode, the identity and the information can be aligned quickly without collecting data.
Example two
Referring to fig. 4, for a service processing system based on distributed digital identity provided in this specification, the system 400 may include: a user party 402, a business party 404, and an issuer 406; wherein the content of the first and second substances,
after the user side 402 creates a distributed digital identity DID for the target user, a service request is sent to the service side 404;
the business party 404 returns verification requirements, which include at least: executing the certificate type needing to be verified of the current service;
the user part 402 applies for electronic certificates from at least one issuer 406 based on the certificate types in the verification requirements, respectively;
the at least one issuer 406 issues electronic certificates associated with the corresponding DIDs for the target users respectively, and sends the electronic certificates to the user party 402 after encryption; meanwhile, the electronic certificates are signed and then sent to a block chain for storing certificates, wherein state information representing the validity of each electronic certificate is maintained on the block chain;
the user party 402 decrypts the encrypted electronic certificates, selects one or more certificate contents of each electronic certificate, encrypts the certificate contents by using the public key of the service party 404, and transmits the encrypted certificate contents to the service party 404;
the service party 404 decrypts the received voucher content by using its own private key, verifies the decrypted voucher content based on the electronic voucher signature stored in the block chain and the corresponding state information, and executes the service after the verification is passed.
Optionally, as an embodiment, the system further includes: an agent side;
when the user party creates a distributed digital identity DID for a target user, the method is specifically configured to: creating a DID for the target user through an agent;
the agent only allows the user party to access the data, or allows the user party and the service party to access the data, or opens the access right of the agent.
In a specific implementation manner of the embodiment of the present specification, when each issuer encrypts the issued electronic certificate, the method is specifically configured to:
acquiring a public key of the target user from a block chain;
encrypting the electronic certificate original text by using a local symmetric key to obtain an encrypted electronic certificate, and encrypting the symmetric key by using the public key of the target user to obtain an encryption result;
correspondingly, when the user side decrypts the encrypted electronic certificate, the method is specifically configured to:
decrypting the encryption result by using a private key of the user to obtain a symmetric key;
and decrypting the encrypted electronic certificate by using the symmetric key to obtain the original text of the electronic certificate.
In another specific implementation manner of the embodiment of the present specification, the verifying requirement further includes: executing the content attribute of the electronic certificate which needs to be verified in the business;
when the user party selects one or more certificate contents of each electronic certificate, encrypts the certificate contents by using the public key of the service party, and transmits the encrypted certificate contents to the service party, the user party is specifically configured to:
and selecting one or more certificate contents of each electronic certificate based on the content attribute of the electronic certificate in the verification requirement, encrypting by using the public key of the service party, and transmitting to the service party.
In another specific implementation manner of the embodiment of this specification, when the service party decrypts the received credential content by using its own private key and verifies the decrypted credential content based on the electronic credential signature stored in the block chain and the corresponding state information, the service party is specifically configured to:
decrypting the received certificate content by using a self private key, and performing signature release on a corresponding electronic certificate signature by using a public key of an issuer;
and verifying the authenticity of the decrypted certificate content based on the electronic certificate obtained after the electronic certificate is de-signed, and verifying the validity of the decrypted certificate content based on the state information of each electronic certificate.
By using the DID technology, higher-level privacy protection can be performed on a user side by using an encryption technology in a real-time triggered service scene, and the content option of a certificate required by verification operation is given to the user side for processing, so that data leakage possibly caused by retention on other platforms is avoided, and the data security of the user is ensured as much as possible; in addition, state information is maintained for the certified certificate on the block chain, and the verification accuracy of the user can be guaranteed. Therefore, the data security and the service processing efficiency in the certificate verification process are improved as a whole.
EXAMPLE III
Fig. 5 is a schematic structural diagram of an electronic device according to an embodiment of the present specification. Referring to fig. 5, at a hardware level, the electronic device includes a processor, and optionally further includes an internal bus, a network interface, and a memory. The Memory may include a Memory, such as a Random-Access Memory (RAM), and may further include a non-volatile Memory, such as at least 1 disk Memory. Of course, the electronic device may also include hardware required for other services.
The processor, the network interface, and the memory may be connected to each other via an internal bus, which may be an ISA (Industry Standard Architecture) bus, a PCI (Peripheral Component Interconnect) bus, an EISA (Extended Industry Standard Architecture) bus, or the like. The bus may be divided into an address bus, a data bus, a control bus, etc. For ease of illustration, only one double-headed arrow is shown in FIG. 5, but this does not indicate only one bus or one type of bus.
And the memory is used for storing programs. In particular, the program may include program code comprising computer operating instructions. The memory may include both memory and non-volatile storage and provides instructions and data to the processor.
The processor reads the corresponding computer program from the nonvolatile memory into the memory and then runs the computer program to form a corresponding execution main body device on a logic level. And the processor is used for executing the program stored in the memory and is specifically used for executing the operation executed by the corresponding execution main body.
The method performed by the apparatus according to the embodiment shown in fig. 2 or 3 of the present specification may be implemented in or by a processor. The processor may be an integrated circuit chip having signal processing capabilities. In implementation, the steps of the above method may be performed by integrated logic circuits of hardware in a processor or instructions in the form of software. The Processor may be a general-purpose Processor, including a Central Processing Unit (CPU), a Network Processor (NP), and the like; but also Digital Signal Processors (DSPs), Application Specific Integrated Circuits (ASICs), Field Programmable Gate Arrays (FPGAs) or other Programmable logic devices, discrete Gate or transistor logic devices, discrete hardware components. The methods, steps, and logic blocks disclosed in one or more embodiments of the present specification may be implemented or performed. A general purpose processor may be a microprocessor or the processor may be any conventional processor or the like. The steps of a method disclosed in connection with one or more embodiments of the present disclosure may be embodied directly in hardware, in a software module executed by a hardware decoding processor, or in a combination of the hardware and software modules executed by a hardware decoding processor. The software module may be located in ram, flash memory, rom, prom, or eprom, registers, etc. storage media as is well known in the art. The storage medium is located in a memory, and a processor reads information in the memory and completes the steps of the method in combination with hardware of the processor.
The electronic device may further execute the method of fig. 2 or 3, and implement the functions of the corresponding apparatus in the embodiments shown in fig. 2 and 3, which are not described herein again in this specification.
Of course, besides the software implementation, the electronic device of the embodiment of the present disclosure does not exclude other implementations, such as a logic device or a combination of software and hardware, and the like, that is, the execution subject of the following processing flow is not limited to each logic unit, and may also be hardware or a logic device.
By using the DID technology, higher-level privacy protection can be performed on a user side by using an encryption technology in a real-time triggered service scene, and the content option of a certificate required by verification operation is given to the user side for processing, so that data leakage possibly caused by retention on other platforms is avoided, and the data security of the user is ensured as much as possible; in addition, state information is maintained for the certified certificate on the block chain, and the verification accuracy of the user can be guaranteed. Therefore, the data security and the service processing efficiency in the certificate verification process are improved as a whole.
Example four
Embodiments of the present specification also provide a computer-readable storage medium storing one or more programs, where the one or more programs include instructions, which when executed by a portable electronic device including a plurality of application programs, enable the portable electronic device to perform the methods of the embodiments shown in fig. 2 and 3, and are specifically configured to perform the operations performed by the corresponding execution main body.
By using the DID technology, higher-level privacy protection can be performed on a user side by using an encryption technology in a real-time triggered service scene, and the content option of a certificate required by verification operation is given to the user side for processing, so that data leakage possibly caused by retention on other platforms is avoided, and the data security of the user is ensured as much as possible; in addition, state information is maintained for the certified certificate on the block chain, and the verification accuracy of the user can be guaranteed. Therefore, the data security and the service processing efficiency in the certificate verification process are improved as a whole.
In short, the above description is only a preferred embodiment of the present disclosure, and is not intended to limit the scope of the present disclosure. Any modification, equivalent replacement, improvement and the like made within the spirit and principle of the present specification shall be included in the protection scope of the present specification.
The system, apparatus, module or unit illustrated in one or more of the above embodiments may be implemented by a computer chip or an entity, or by an article of manufacture with a certain functionality. One typical implementation device is a computer. In particular, the computer may be, for example, a personal computer, a laptop computer, a cellular telephone, a camera phone, a smartphone, a personal digital assistant, a media player, a navigation device, an email device, a game console, a tablet computer, a wearable device, or a combination of any of these devices.
Computer-readable media, including both non-transitory and non-transitory, removable and non-removable media, may implement information storage by any method or technology. The information may be computer readable instructions, data structures, modules of a program, or other data. Examples of computer storage media include, but are not limited to, phase change memory (PRAM), Static Random Access Memory (SRAM), Dynamic Random Access Memory (DRAM), other types of Random Access Memory (RAM), Read Only Memory (ROM), Electrically Erasable Programmable Read Only Memory (EEPROM), flash memory or other memory technology, compact disc read only memory (CD-ROM), Digital Versatile Discs (DVD) or other optical storage, magnetic cassettes, magnetic tape magnetic disk storage or other magnetic storage devices, or any other non-transmission medium that can be used to store information that can be accessed by a computing device. As defined herein, a computer readable medium does not include a transitory computer readable medium such as a modulated data signal and a carrier wave.
It should also be noted that the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or apparatus. Without further limitation, an element defined by the phrase "comprising an … …" does not exclude the presence of other like elements in a process, method, article, or apparatus that comprises the element.
The embodiments in the present specification are described in a progressive manner, and the same and similar parts among the embodiments are referred to each other, and each embodiment focuses on the differences from the other embodiments. In particular, for the system embodiment, since it is substantially similar to the method embodiment, the description is simple, and for the relevant points, reference may be made to the partial description of the method embodiment.
The foregoing description has been directed to specific embodiments of this disclosure. Other embodiments are within the scope of the following claims. In some cases, the actions or steps recited in the claims may be performed in a different order than in the embodiments and still achieve desirable results. In addition, the processes depicted in the accompanying figures do not necessarily require the particular order shown, or sequential order, to achieve desirable results. In some embodiments, multitasking and parallel processing may also be possible or may be advantageous.
Claims (12)
1. A service processing method based on distributed digital identity comprises the following steps:
after a user side creates a distributed digital identity DID for a target user, a service request is sent to a service side;
the business side returns a verification requirement, and the verification requirement at least comprises the following steps: executing the certificate type needing to be verified of the current service;
the user side applies for electronic certificates to at least one issuer respectively based on the certificate types in the verification requirements;
the at least one issuer issues electronic certificates related to corresponding DIDs for the target users respectively, and the electronic certificates are encrypted and then sent to the user side; meanwhile, the electronic certificates are signed and then sent to a block chain for storing certificates, wherein state information representing the validity of each electronic certificate is maintained on the block chain;
the user side decrypts the encrypted electronic certificates, selects one or more certificate contents of each electronic certificate, encrypts the certificate contents by using the public key of the service side and transmits the encrypted certificate contents to the service side;
and the service party decrypts the received certificate content by using a private key of the service party, verifies the decrypted certificate content based on the electronic certificate signature stored on the block chain and corresponding state information, and executes the service after the verification is passed.
2. The distributed digital identity-based service processing method according to claim 1, wherein the user party creates a distributed digital identity DID for the target user, and specifically comprises:
the user side creates a DID for the target user through the agent side;
the agent only allows the user party to access the data, or allows the user party and the service party to access the data, or opens the access right of the agent.
3. The service processing method based on the distributed digital identity as claimed in claim 1 or 2, when each issuer encrypts the issued electronic certificate, specifically comprising:
the issuer acquires the public key of the target user from the block chain;
encrypting the electronic certificate original text by using a local symmetric key to obtain an encrypted electronic certificate, and encrypting the symmetric key by using the public key of the target user to obtain an encryption result;
correspondingly, when the user side decrypts the encrypted electronic certificate, the method specifically comprises the following steps:
the user side decrypts the encrypted result by using a private key of the user side to obtain a symmetric key;
and decrypting the encrypted electronic certificate by using the symmetric key to obtain the original text of the electronic certificate.
4. The distributed digital identity based transaction processing method of claim 1, wherein said verification requirement further comprises: executing the content attribute of the electronic certificate which needs to be verified in the business;
the user side selects one or more certificate contents of each electronic certificate, encrypts the certificate contents by using the public key of the service side and transmits the encrypted certificate contents to the service side, and the method specifically comprises the following steps:
and the user side selects one or more certificate contents of each electronic certificate based on the content attribute of the electronic certificate in the verification requirement, encrypts by using the public key of the service side and transmits the encrypted certificate contents to the service side.
5. The service processing method based on distributed digital identity according to claim 1, 2 or 4, wherein the service party decrypts the received voucher content by using its own private key, and verifies the decrypted voucher content based on the electronic voucher signature certified on the block chain and the corresponding state information, specifically comprising:
the business party decrypts the received certificate content by using a private key of the business party and uses a public key of an issuer to sign off a corresponding electronic certificate;
and verifying the authenticity of the decrypted certificate content based on the electronic certificate obtained after the electronic certificate is de-signed, and verifying the validity of the decrypted certificate content based on the state information of each electronic certificate.
6. A distributed digital identity based transaction system comprising: a user side, a service side and a issuing side; wherein the content of the first and second substances,
after a user side creates a distributed digital identity DID for a target user, a service request is sent to a service side;
the business side returns a verification requirement, and the verification requirement at least comprises the following steps: executing the certificate type needing to be verified of the current service;
the user side applies for electronic certificates to at least one issuer respectively based on the certificate types in the verification requirements;
the at least one issuer issues electronic certificates related to corresponding DIDs for the target users respectively, and the electronic certificates are encrypted and then sent to the user side; meanwhile, the electronic certificates are signed and then sent to a block chain for storing certificates, wherein state information representing the validity of each electronic certificate is maintained on the block chain;
the user side decrypts the encrypted electronic certificates, selects one or more certificate contents of each electronic certificate, encrypts the certificate contents by using the public key of the service side and transmits the encrypted certificate contents to the service side;
and the service party decrypts the received certificate content by using a private key of the service party, verifies the decrypted certificate content based on the electronic certificate signature stored on the block chain and corresponding state information, and executes the service after the verification is passed.
7. The distributed digital identity-based transaction system of claim 6 further comprising: an agent side;
when the user party creates a distributed digital identity DID for a target user, the method is specifically configured to: creating a DID for the target user through an agent;
the agent only allows the user party to access the data, or allows the user party and the service party to access the data, or opens the access right of the agent.
8. The distributed digital identity based transaction system of claim 6 or 7, when each issuer encrypts the issued electronic voucher, being specifically configured to:
acquiring a public key of the target user from a block chain;
encrypting the electronic certificate original text by using a local symmetric key to obtain an encrypted electronic certificate, and encrypting the symmetric key by using the public key of the target user to obtain an encryption result;
correspondingly, when the user side decrypts the encrypted electronic certificate, the method is specifically configured to:
decrypting the encryption result by using a private key of the user to obtain a symmetric key;
and decrypting the encrypted electronic certificate by using the symmetric key to obtain the original text of the electronic certificate.
9. The distributed digital identity based transaction system of claim 6 wherein said verification requirements further comprise: executing the content attribute of the electronic certificate which needs to be verified in the business;
when the user party selects one or more certificate contents of each electronic certificate, encrypts the certificate contents by using the public key of the service party, and transmits the encrypted certificate contents to the service party, the user party is specifically configured to:
and selecting one or more certificate contents of each electronic certificate based on the content attribute of the electronic certificate in the verification requirement, encrypting by using the public key of the service party, and transmitting to the service party.
10. The service processing system based on distributed digital identity according to claim 6, 7 or 9, wherein when the service party decrypts the received voucher content by using its own private key and verifies the decrypted voucher content based on the electronic voucher signature stored in the block chain and the corresponding status information, the service party is specifically configured to:
decrypting the received certificate content by using a self private key, and performing signature release on a corresponding electronic certificate signature by using a public key of an issuer;
and verifying the authenticity of the decrypted certificate content based on the electronic certificate obtained after the electronic certificate is de-signed, and verifying the validity of the decrypted certificate content based on the state information of each electronic certificate.
11. An electronic device, comprising:
a processor; and
a memory arranged to store computer executable instructions that, when executed, cause the processor to perform the method performed by the subject in any of claims 1-5.
12. A computer readable storage medium storing one or more programs which, when executed by an electronic device comprising a plurality of application programs, cause the electronic device to perform the method performed by the main body in any one of claims 1-5.
Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202110797332.7A CN113704775B (en) | 2021-07-14 | 2021-07-14 | Service processing method and related device based on distributed digital identity |
Applications Claiming Priority (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202110797332.7A CN113704775B (en) | 2021-07-14 | 2021-07-14 | Service processing method and related device based on distributed digital identity |
Publications (2)
| Publication Number | Publication Date |
|---|---|
| CN113704775A true CN113704775A (en) | 2021-11-26 |
| CN113704775B CN113704775B (en) | 2024-02-27 |
Family
ID=78648582
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CN202110797332.7A Active CN113704775B (en) | 2021-07-14 | 2021-07-14 | Service processing method and related device based on distributed digital identity |
Country Status (1)
| Country | Link |
|---|---|
| CN (1) | CN113704775B (en) |
Cited By (4)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN114666168A (en) * | 2022-05-23 | 2022-06-24 | 浙江毫微米科技有限公司 | Decentralized identity certificate verification method and device, and electronic equipment |
| CN114679313A (en) * | 2022-03-23 | 2022-06-28 | 杭州溪塔科技有限公司 | Verifiable certificate circulation interaction method and device for block chain system |
| CN114900321A (en) * | 2022-07-14 | 2022-08-12 | 云上人和物联科技有限公司 | Autonomous real-name electronic identity certificate generation system and method |
| CN115174146A (en) * | 2022-06-02 | 2022-10-11 | 浙江毫微米科技有限公司 | Communication method and device based on distributed identity |
Citations (5)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| US10637665B1 (en) * | 2016-07-29 | 2020-04-28 | Workday, Inc. | Blockchain-based digital identity management (DIM) system |
| US20200195436A1 (en) * | 2016-02-15 | 2020-06-18 | Sal Khan | System and method, which using blockchain and mobile devices, provides the validated and authenticated identity of an individual to a valid and authenticated requestor |
| CN111680324A (en) * | 2020-05-28 | 2020-09-18 | 中国工商银行股份有限公司 | Certificate verification method, management method and issuing method for block chain |
| CN112199721A (en) * | 2020-10-13 | 2021-01-08 | 腾讯科技(北京)有限公司 | Authentication information processing method, device, equipment and storage medium |
| CN113098838A (en) * | 2021-02-21 | 2021-07-09 | 西安电子科技大学 | Trusted distributed identity authentication method, system, storage medium and application |
-
2021
- 2021-07-14 CN CN202110797332.7A patent/CN113704775B/en active Active
Patent Citations (5)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| US20200195436A1 (en) * | 2016-02-15 | 2020-06-18 | Sal Khan | System and method, which using blockchain and mobile devices, provides the validated and authenticated identity of an individual to a valid and authenticated requestor |
| US10637665B1 (en) * | 2016-07-29 | 2020-04-28 | Workday, Inc. | Blockchain-based digital identity management (DIM) system |
| CN111680324A (en) * | 2020-05-28 | 2020-09-18 | 中国工商银行股份有限公司 | Certificate verification method, management method and issuing method for block chain |
| CN112199721A (en) * | 2020-10-13 | 2021-01-08 | 腾讯科技(北京)有限公司 | Authentication information processing method, device, equipment and storage medium |
| CN113098838A (en) * | 2021-02-21 | 2021-07-09 | 西安电子科技大学 | Trusted distributed identity authentication method, system, storage medium and application |
Cited By (7)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN114679313A (en) * | 2022-03-23 | 2022-06-28 | 杭州溪塔科技有限公司 | Verifiable certificate circulation interaction method and device for block chain system |
| CN114679313B (en) * | 2022-03-23 | 2023-06-20 | 杭州溪塔科技有限公司 | Method and device for verifying credential transfer interaction of blockchain system |
| CN114666168A (en) * | 2022-05-23 | 2022-06-24 | 浙江毫微米科技有限公司 | Decentralized identity certificate verification method and device, and electronic equipment |
| CN115174146A (en) * | 2022-06-02 | 2022-10-11 | 浙江毫微米科技有限公司 | Communication method and device based on distributed identity |
| CN115174146B (en) * | 2022-06-02 | 2024-02-23 | 浙江毫微米科技有限公司 | Communication method and device based on distributed identity |
| CN114900321A (en) * | 2022-07-14 | 2022-08-12 | 云上人和物联科技有限公司 | Autonomous real-name electronic identity certificate generation system and method |
| CN114900321B (en) * | 2022-07-14 | 2022-10-14 | 云上人和物联科技有限公司 | Autonomous real-name electronic identity certificate generation system and method |
Also Published As
| Publication number | Publication date |
|---|---|
| CN113704775B (en) | 2024-02-27 |
Similar Documents
| Publication | Publication Date | Title |
|---|---|---|
| CN111401902B (en) | Service processing method, device and equipment based on block chain | |
| JP6873270B2 (en) | Handling of transaction activities based on smart contracts in the blockchain Caution Methods and devices for protecting data | |
| CN112307455B (en) | Identity authentication method and device based on block chain and electronic equipment | |
| CN109584066B (en) | Privacy transaction based on block chain and application method and device thereof | |
| CN107086909B (en) | Identity information generation method and device and identity verification method and device | |
| CN110166442B (en) | Data processing method and device based on block chain | |
| CN113012008B (en) | Identity management method, device and equipment based on trusted hardware | |
| CN110795501A (en) | Method, device, equipment and system for creating verifiable statement based on block chain | |
| CN112215608A (en) | Data processing method and device | |
| CN113704775A (en) | Service processing method based on distributed digital identity and related device | |
| CN109614813B (en) | Privacy transaction method and device based on block chain and application method and device thereof | |
| CN111770199B (en) | Information sharing method, device and equipment | |
| CN111047313B (en) | Code scanning payment, information sending and key management method, device and equipment | |
| CN111092724B (en) | Block chain system digital certificate issuing method, equipment, system and medium | |
| CN110246039B (en) | Transaction monitoring method and device based on alliance chain and electronic equipment | |
| CN111814196B (en) | Data processing method, device and equipment | |
| CN111770112B (en) | Information sharing method, device and equipment | |
| CN114143041A (en) | Identity verification method, device and equipment based on block chain and storage medium | |
| CN111460457A (en) | Real estate property registration supervision method, device, electronic equipment and storage medium | |
| CN114463110A (en) | Credit granting system and method based on block chain | |
| CN113704734A (en) | Distributed digital identity-based method for realizing certificate verification and related device | |
| CN111818094B (en) | Identity registration method, device and equipment | |
| CN113761496A (en) | Identity verification method and device based on block chain and electronic equipment | |
| CN110648123A (en) | Digital asset construction method and device and electronic equipment | |
| CN113919969A (en) | Method and system for credit granting evaluation of power utilization enterprises based on block chain |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| PB01 | Publication | ||
| PB01 | Publication | ||
| SE01 | Entry into force of request for substantive examination | ||
| SE01 | Entry into force of request for substantive examination | ||
| GR01 | Patent grant | ||
| GR01 | Patent grant |