CN115174146B - Communication method and device based on distributed identity - Google Patents


Publication number
CN115174146B
Authority
CN
China
Prior art keywords
client
encrypted
key
verifiable
encryption
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active
Application number
CN202210621053.XA
Other languages
Chinese (zh)
Other versions
CN115174146A (en)
Inventor
孔剑平
胡楠
王琪
李炳博
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Zhejiang Weipian Technology Co ltd
Zhejiang Nanometer Technology Co ltd
Original Assignee
Zhejiang Weipian Technology Co ltd
Zhejiang Nanometer Technology Co ltd
Application filed by Zhejiang Weipian Technology Co ltd, Zhejiang Nanometer Technology Co ltd
Priority to CN202210621053.XA
Publication of CN115174146A
Application granted
Publication of CN115174146B

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/04 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
    • H04L63/0428 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
    • H04L63/0435 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload wherein the sending and receiving network entities apply symmetric encryption, i.e. same key used for encryption and decryption

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Storage Device Security (AREA)
  • Information Transfer Between Computers (AREA)

Abstract

The application discloses a communication method based on distributed identity, belonging to the technical field of communication, which helps improve communication security. The method comprises the following steps: the first client obtains the DID public key of the second client according to the DID of the second client; based on the DID public key of the second client, a verifiable credential issued by the second client for its own DID is acquired through the identity HUB, wherein the verifiable credential is issued based on the encryption material after the second client generates the encryption material in response to the communication request of the first client; the encryption material carried in the verifiable credential is acquired; the first client obtains a symmetric encryption key based on its own DID private key and the encryption material; the first client sends first encrypted information, encrypted with the symmetric encryption key, to the second client. Generating the symmetric encryption key from the encryption material carried by the verifiable credential improves communication security.

Description

Communication method and device based on distributed identity
Technical Field
The present disclosure relates to the field of communications technologies, and in particular, to a communication method and apparatus based on distributed identities, and an electronic device and a computer readable storage medium.
Background
In the communication process, encrypted communication is generally used to ensure the security of session messages. For example, the messages exchanged by the two communicating parties are encrypted with a key agreed upon by both parties. In the prior art, when users in a decentralized system communicate in encrypted form, a traditional link-layer network communication encryption protocol can be used. However, this conventional encrypted communication method is not secure enough. The prior art also includes an encrypted communication method in which an anonymous communication channel is first established, the key negotiated by the two parties is then transmitted over that channel, and encrypted communication is then performed with the negotiated key. In this method, if the anonymous communication channel used to transmit the key has a security weakness, the information security of both communicating parties cannot be ensured.
It can be seen that prior-art communication methods based on distributed identity still need improvement.
Disclosure of Invention
The embodiment of the application provides a communication method based on distributed identities, which is beneficial to improving communication security.
In a first aspect, an embodiment of the present application provides a communication method based on distributed identity, including:
the first client obtains the DID public key of the second client according to the DID of the second client;
based on the DID public key of the second client, acquiring, through an identity HUB, a verifiable credential issued by the second client for its own DID, wherein the verifiable credential is issued based on the encryption material after the second client generates the encryption material in response to a communication request of the first client;
acquiring the encryption material carried in the verifiable credential;
the first client obtains a symmetric encryption key based on the DID private key of the first client and the encryption material;
and the first client sends first encrypted information, encrypted with the symmetric encryption key, to the second client.
In a second aspect, embodiments of the present application provide a communication device based on distributed identities, including:
a DID public key acquisition module, used by the first client to acquire the DID public key of the second client according to the DID of the second client;
a verifiable credential acquisition module, used to acquire, through an identity HUB and based on the DID public key of the second client, a verifiable credential issued by the second client for its own DID, wherein the verifiable credential is issued based on the encryption material after the second client generates the encryption material in response to the communication request of the first client;
an encryption material acquisition module, used to acquire the encryption material carried in the verifiable credential;
a symmetric encryption key acquisition module, used by the first client to obtain a symmetric encryption key based on the DID private key of the first client and the encryption material;
and an encrypted communication module, used by the first client to send first encrypted information, encrypted with the symmetric encryption key, to the second client.
In a third aspect, the embodiment of the application further discloses an electronic device, including a memory, a processor, and a computer program stored in the memory and capable of running on the processor, where the processor implements the communication method based on distributed identity according to the embodiment of the application when executing the computer program.
In a fourth aspect, embodiments of the present application provide a computer readable storage medium having stored thereon a computer program which, when executed by a processor, performs the steps of a distributed identity based communication method as disclosed in embodiments of the present application.
According to the communication method based on distributed identity disclosed in the embodiments of the application, the first client obtains the DID public key of the second client according to the DID of the second client; based on the DID public key of the second client, a verifiable credential issued by the second client for its own DID is acquired through an identity HUB, wherein the verifiable credential is issued based on the encryption material after the second client generates the encryption material in response to a communication request of the first client; the encryption material carried in the verifiable credential is acquired; the first client obtains a symmetric encryption key based on the DID private key of the first client and the encryption material; and the first client sends first encrypted information, encrypted with the symmetric encryption key, to the second client, which improves the security of encrypted communication.
The foregoing is only an overview of the technical solutions of the present application. So that the technical means of the present application can be understood more clearly and implemented according to the content of the specification, and so that the above and other objects, features and advantages of the present application are easier to understand, a detailed description of the present application is given below.
Drawings
For the purposes of making the objects, technical solutions and advantages of the embodiments of the present application more clear, the technical solutions of the embodiments of the present application will be clearly and completely described below with reference to the drawings in the embodiments of the present application, and it is apparent that the described embodiments are some embodiments of the present application, but not all embodiments. All other embodiments, which can be made by one of ordinary skill in the art based on the embodiments herein without making any inventive effort, are intended to be within the scope of the present application.
FIG. 1 is a flow chart of a communication method based on distributed identities in one embodiment of the present application;
FIG. 2 is another flow diagram of a distributed identity based communication method in one embodiment of the present application;
FIG. 3 is a diagram of multi-terminal interactions of a distributed identity based communication method in one embodiment of the present application;
FIG. 4 is one of the schematic structural diagrams of a communication device based on distributed identity in one embodiment of the present application;
FIG. 5 is a second schematic diagram of a distributed identity based communication device in one embodiment of the present application;
FIG. 6 schematically shows a block diagram of an electronic device for performing a method according to the present application; and
FIG. 7 schematically shows a memory unit for holding or carrying program code implementing the method according to the present application.
Detailed Description
The following description of the embodiments of the present application will be made clearly and fully with reference to the accompanying drawings, in which it is evident that the embodiments described are some, but not all, of the embodiments of the present application. All other embodiments, which can be made by one of ordinary skill in the art based on the embodiments herein without making any inventive effort, are intended to be within the scope of the present application.
Example 1
The embodiment of the application discloses a communication method based on distributed identity, as shown in fig. 1, the method includes: steps 110 to 150.
In step 110, the first client obtains the DID public key of the second client according to the DID of the second client.
The communication method based on distributed identity described in the embodiments of the application is applied to a decentralized communication system. In a decentralized identity system, the first client and the second client may each obtain a decentralized identifier (Decentralized Identifier, hereinafter simply referred to as "DID") in the system by registering in advance. For example, the first client and the second client may obtain their respective DIDs at an identifier registry (Identifier Registry).
A DID is a new type of identifier that is globally unique, highly available, resolvable, and cryptographically verifiable. A DID is typically associated with encryption material (e.g., a public key) and a service endpoint in order to establish a secure communication channel. A decentralized identity system guarantees that DIDs are stored and cannot be tampered with, and provides services to the upper application layer, including the DID identifier and the DID document. The DID identifier can be regarded as a key whose corresponding value is the DID document; the specific information is held in the DID document. The DID document is standard JSON and includes the user's public key (i.e., the DID public key corresponding to each DID, such as the DID public key of the first client in this document), the DID protocol used, and the DID's service request address, timestamp, signature, and so on.
The DID private key is stored locally at the client, e.g., in a digital wallet-like client application.
After the first client and the second client register DIDs with the decentralized identity system, the private key corresponding to the DID document that the system generates for the DID may be stored locally, while the public key is stored in a distributed system, e.g., a blockchain, a distributed ledger or a trusted database.
In an embodiment of the present application, the first client and the second client are two clients in a distributed identity system; they log in to the distributed identity system with their respective decentralized identifiers (i.e., DIDs) and communicate based on those identifiers.
Step 120, based on the DID public key of the second client, obtaining, by the identity HUB, a verifiable credential issued by the second client for its DID.
Wherein the verifiable credential is issued based on the encryption material after the second client generates the encryption material in response to the communication request of the first client. The verifiable credential carries the encryption material. In some embodiments of the present application, the encryption material may be an encryption public key used by the client for encrypted communication. For example, the encryption material may be the public key of an encryption key pair that the client generates with an elliptic curve cryptography algorithm (e.g., the ECDSA algorithm using the Secp256k1 curve).
In a decentralized identity system, verifiable credentials for a DID are typically stored at the identity HUB (i.e., the relay node used to store identity information). The identity HUB may be a data storage unit on the user equipment.
In a decentralized identity system, the user does not perform verification with the DID directly, but with verifiable credentials (Verifiable Claims or Verifiable Credentials, hereinafter simply "VC"). In a decentralized identity system, the issuer (Issuer) can issue VCs (access user data). The issuer may be a government, a bank, a university, or the like, or may be the user himself. A verifiable credential allows a third party to request verification of the credential from the authority that issued it. Accordingly, when a DID in the decentralized identity system requests a verification credential from the DID itself, the DID may issue a verifiable credential for itself.
In the prior art, a decentralized identity system includes: a user agent unit, a data storage unit, and a claim verification unit.
The user agent unit is an application through which a client user can use his or her decentralized identity; through it the client user can generate a DID, manage data and permissions, and issue or verify claims related to the DID identity. In some embodiments, the user agent unit may be a digital wallet application.
The data storage unit is used for storing user data, for example: identity data, verifiable claim data (Claim for short), DID-related identity asset data, DID-related identity, and the like. The identity HUB (i.e., the relay node for storing identity information) may be stored in a data storage unit local to the client.
The claim verification unit implements the application for, issuance, granting, and verification of verifiable claims. A verifiable claim is a descriptive statement, issued by an issuer using its own DID, that endorses certain attributes of the user's DID and carries the issuer's digital signature; it can be regarded as a digital certificate and is also referred to as a "verifiable credential".
In practical applications, when a user (such as the first client) needs to apply for a verifiable credential from an issuer (which may be another institution or organization, or may be the first client itself), the user may send a verification credential request to the issuer through, for example, a digital wallet, where the request carries information related to the credential applied for (e.g., the public key of the first client). The issuer verifies the information carried in the received request (the verification may be performed online or offline) and, if the verification passes, stores the credential issued for the request in the identity HUB (i.e., the relay node that stores distributed personal information, application data, and messages). The user (e.g., the first client) then queries the issuance result using the acceptance number of the verification credential request and, if the credential has been issued, obtains the service endpoint (endpoints) for accessing the identity HUB. After passing DID authentication, the user accesses the identity HUB to obtain the issued credential.
At this point, the user holds the verifiable credential.
Typically, the client may apply for verifiable credentials from an Issuer in advance and store them (e.g., in its own client application) for presentation to the verifier when needed.
When a certain client (such as a first client) needs to acquire a verifiable credential of another client (such as a second client), the first client sends a credential verification request carrying an identity public key (i.e. a DID public key) of the second client to an identity HUB, and acquires the verifiable credential issued by the second client for the DID of the second client.
The second client's own DID may possess multiple verifiable credentials, where different verifiable credentials may carry different information for the second client, and different verifiable credentials may be issued by different organizations and other issuers, including the verifiable credentials issued by the second client's own DID. In some embodiments of the present application, a verifiable credential type or other identification may be carried in the credential verification request to obtain a specified verifiable credential.
In some embodiments of the present application, after receiving a communication request sent by the first client, the second client responds to the request by obtaining encryption material according to a preset method and issuing, for its own DID, a verifiable credential carrying the encryption material. The verifiable credential thus carries the encryption material that the second client obtained for encrypted communication with the first client.
For the specific way in which the second client issues the verifiable credential for itself, refer to the prior art; it is not described here. The difference from the prior art is that, in the embodiments of the present application, the verifiable credential that a client issues for itself may carry one or more of a long-term public key, a medium-term public key, and a temporary public key, and a plurality of public keys may be carried in one verifiable credential. For example, one long-term public key, one medium-term public key, and several temporary public keys may be carried.
Step 130, obtaining the encryption material carried in the verifiable credential.
After the first client obtains the verifiable credential issued by the second client for its DID, the first client parses the verifiable credential to obtain the encryption material (such as an encryption public key) carried in it.
In some embodiments of the present application, when the verifiable credential of the second client carries a plurality of encryption materials, the first client may obtain the plurality of encryption materials of the second client.
In step 140, the first client obtains a symmetric encryption key based on its DID private key and the encryption material.
Next, the first client generates a symmetric encryption key based on its DID private key and one of the encryption materials of the second client.
In some embodiments of the present application, the first client obtaining a symmetric encryption key based on its DID private key and the encryption material includes: the first client obtains the symmetric encryption key between the first client and the second client through a key agreement algorithm or a key exchange algorithm, based on the DID private key of the first client and the encryption material. For example, based on the Diffie-Hellman key exchange protocol (hereinafter simply the "DH" protocol), the first client may determine a "negotiated key" over an insecure network without any prior communication between the first client and the second client; this key may be used as a symmetric key in subsequent communications to encrypt message content. The principle of the DH protocol can be expressed by the following formula: DH(A's private key, B's public key) = negotiated key S = DH(B's private key, A's public key). Applied to the embodiments of the present application, A and B denote different clients; e.g., A represents the first client and B represents the second client.
In some embodiments of the present application, other key exchange algorithms may also be used to generate the symmetric encryption key, such as an ephemeral key exchange based on the elliptic curve Diffie-Hellman (hereinafter simply "ECDH") algorithm. If elliptic curve cryptography is used, the elliptic curve may be generated by the server and the client device, or may be selected from a number of predefined curves. These options are not enumerated in the embodiments herein.
So far, the first client has completed the key agreement procedure with the second client.
In order to achieve encrypted communication between the two parties, the processes of key agreement or key exchange are mutual, and the second client also needs to perform key agreement or key exchange with the first client to obtain a symmetric encryption key for encrypted communication with the first client.
As shown in fig. 2, before the first client obtains the DID public key of the second client according to the DID of the second client, the method further includes: step 100.
Step 100, in response to a communication request of the second client, the first client obtains encryption material according to a preset method and issues, for its own DID, a verifiable credential carrying the encryption material.
For the specific way in which the first client issues the verifiable credential carrying the encryption material for its own DID, see the foregoing description of how the second client issues a verifiable credential for itself; it is not repeated here.
The second client may obtain the verifiable credential of the first client through the identity HUB, based on the DID public key of the first client. It then parses the obtained verifiable credential to obtain the encryption material carried in it.
Further, based on the DID private key of the second client and the encryption material, the second client obtains a symmetric encryption key for encrypted communication with the first client, using the same key agreement algorithm or key exchange algorithm as the first client.
Step 150, the first client sends first encrypted information, encrypted with the symmetric encryption key, to the second client.
After the symmetric encryption key for carrying out encrypted communication with the second client is obtained, the first client encrypts the information sent to the second client by adopting the obtained symmetric encryption key to obtain first encrypted information, and then the first encrypted information is sent to the second client.
After the second client receives the first encrypted information sent by the first client, the second client adopts the symmetric encryption key acquired by the second client to decrypt the first encrypted information, so that the original information can be obtained.
Similarly, after the second client obtains the symmetric encryption key for encrypted communication with the first client, the second client encrypts the information sent to the first client by using the obtained symmetric encryption key to obtain second encrypted information, and then sends the second encrypted information to the first client.
In some embodiments of the present application, as shown in fig. 2, the method further includes: step 160.
Step 160, in response to receiving the second encrypted information sent by the second client, decrypting the second encrypted information based on the symmetric encryption key.
After the first client receives the second encrypted information sent by the second client, the first client adopts the symmetric encryption key acquired by the first client to decrypt the second encrypted information, so that the original information can be obtained.
Because the first client uses the pre-negotiated or exchanged symmetric encryption key to encrypt the information sent to the opposite client, the opposite client can use the pre-negotiated or exchanged symmetric encryption key to decrypt the received encrypted information to obtain the original information.
Thus, a round of encrypted communication is completed.
To improve the security of communication between clients, the encryption key used in the communication process typically needs to change dynamically. That is, after one information exchange completes successfully, the client may request a new key agreement or key exchange with the peer client. Take the double ratchet communication algorithm as an example: the double ratchet algorithm comprises a KDF ratchet and a DH ratchet. KDF stands for key derivation function, a function for deriving one or more keys from an original key; e.g., a master key is generated from the symmetric encryption key agreed upon by the first client and the second client, and an encryption key, a root key, and a chain key are then derived with the key derivation function. Within one round of communication, if the first client receives no response after sending encrypted information to the second client, the first client derives the encryption key for the next round of encrypted information from the chain key with added salt. Once information fed back by the second client is received, the ratchet at the first client advances and key agreement or key exchange with the second client is performed again.
In the conventional double ratchet communication algorithm, the public keys that both parties use to derive other keys are stored on a trusted third-party server, and both parties need to access the third-party server to obtain the public keys.
In some embodiments of the present application, in response to a communication request of a second client, a first client obtains an encrypted material according to a preset method, and issues a verifiable credential carrying the encrypted material for its DID, including: and responding to the communication request of the second client, the first client acquires a plurality of encrypted materials according to a preset method, and issues verifiable certificates carrying the plurality of encrypted materials for the DID of the first client. The plurality of encryption materials can be public keys of the same valid time limit type or public keys of different valid time limit types. For example, the plurality of encrypted materials may include: a long term public key, a medium term public key, and a temporary public key; the plurality of encrypted materials may further include only: a temporary public key. Wherein the temporary public key may include a plurality of. That is, when the client side issues the verifiable credential for itself in response to the communication request of the counterpart client side, a plurality of encryption materials can be generated, and based on the generated plurality of encryption materials, the verifiable credential is issued, so that the issued verifiable credential carries the plurality of encryption materials.
In some embodiments of the present application, the verifiable credential carries a plurality of encryption materials used by the second client to communicate with the first client, and after the first client sends the first encryption information encrypted by the symmetric encryption key to the second client, the method further includes: determining whether all of the plurality of encrypted materials carried in the verifiable certificate are used under the condition that the symmetric encryption key replacement is satisfied; in response to the verifiable credential carrying less than all of the encrypted material, selecting one of the encrypted material that is not used from the encrypted material carried in the verifiable credential, the first client jumps to perform the step of obtaining the symmetric encryption key based on its DID private key and the selected encrypted material. The condition for replacing the symmetric encryption key in the embodiment of the present application may be that information fed back by the client of the other party is received, or that a preset time limit for replacing the encryption material is reached, or other conditions specified by the communication protocol may be also reached.
Correspondingly, after a client acquires the verifiable credential of the peer client, if the verifiable credential carries a plurality of encryption keys, then over multiple rounds of messages the client can use each encryption material in turn, together with the client's private key, to generate a symmetric encryption key by the method described above, thereby obtaining a plurality of different symmetric encryption keys. When a plurality of pieces of information are sent, they are encrypted using each symmetric encryption key in turn, so that the encryption key of the encrypted communication changes dynamically without frequent access to a third-party server.
In some embodiments of the present application, after determining, when the condition for replacing the symmetric encryption key is satisfied, whether all of the plurality of encryption materials carried in the verifiable credential have been used, the method further includes: in response to all of the encryption materials carried in the verifiable credential having been used, jumping to the step of acquiring, based on the DID public key of the second client, the verifiable credential issued by the second client for its own DID through the identity HUB.
If the verifiable credential that a client acquires from the peer client carries only one encryption material, then after the symmetric encryption key negotiated from that encryption material has completed one round of encryption, the verifiable credential of the peer client needs to be acquired again if the symmetric encryption key needs to be updated.
If the verifiable credential that a client acquires from the peer client carries a plurality of encryption materials, for example M (M > 1), then after the M symmetric encryption keys negotiated from the M encryption materials have each completed one round of encryption, the verifiable credential of the peer client needs to be acquired again if the symmetric encryption key needs to be updated.
In the embodiments of the present application, to help readers understand the disclosed communication method based on distributed identity, the execution of the method is described mainly from the perspective of the first client. In a specific implementation, the first client and the second client are peer clients, and both execute the communication method based on distributed identity disclosed in the embodiments of the present application. Fig. 2 shows only one order of execution of the steps of the method and is not intended to limit the order in which the steps of the disclosed method are executed.
Further, to help the reader understand the disclosed communication method based on distributed identity, the method is illustrated below with reference to the interaction process shown in fig. 3.
In step 301, the first client obtains, from a DID server (e.g., a server of the identifier registration authority), a DID document corresponding to the DID of the second client (including the DID public key of the second client).
In step 302, the DID server acquires the DID document of the second client stored in the blockchain, and the DID document is fed back to the DID server.
In step 303, the DID server feeds the DID document of the second client back to the first client.
In step 301', the second client obtains, from the DID server (e.g., the server of the identifier registration authority), a DID document corresponding to the DID of the first client (including the DID public key of the first client).
In step 302', the DID server acquires the DID document of the first client stored in the blockchain, and the DID document is fed back to the DID server.
In step 303', the DID server feeds the DID document of the first client back to the second client.
In step 304, the first client goes to the identity HUB to obtain the second client's verifiable credential for encrypted communication.
In some embodiments of the present application, the first client may apply to the second client for credential verification when the second client initiates the communication request. In response to the credential verification request of the first client, the second client generates encryption material, issues for itself, based on the encryption material, a verifiable credential for encrypted communication that carries the encryption material, stores the verifiable credential in the identity HUB, and waits for the first client to request it.
In step 305, the identity HUB feeds back the verifiable credential used by the second client for encrypted communication to the first client.
In step 306, the first client obtains the encrypted material carried in the verifiable credential.
The verifiable credential may carry one or more encryption materials.
In step 307, the first client generates a corresponding symmetric encryption key according to the encryption material carried in the verifiable credential and the DID private key of the first client.
For example, a DH key negotiation protocol is used to generate symmetric encryption keys.
In step 304', the second client goes to the identity HUB to obtain the first client's verifiable credential for encrypted communication.
The specific embodiment of the first client generating the verifiable credential for encrypted communications is as described above and will not be described in detail herein.
In step 305', the identity HUB feeds back the verifiable credential used by the first client for encrypted communications to the second client.
In step 306', the second client obtains the encrypted material carried in the verifiable credential.
The verifiable credential may carry one or more encryption materials.
In step 307', the second client generates a corresponding symmetric encryption key according to the encryption material carried in the verifiable credential and the DID private key of the second client.
The second client generates a symmetric encryption key in the same manner as the first client.
The first client and the second client generate the symmetric encryption keys in the same way, namely the key parameter structures of the key agreement are the same, so that the first client and the second client obtain the same key parameters under the condition of no message interaction, and the obtained symmetric encryption keys are the same.
In step 308, the first client and the second client perform encrypted communication based on the symmetric encryption keys obtained in step 307 and step 307'.
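The key agreement of steps 306 to 308 and the key replacement over a plurality of encryption materials described earlier in this embodiment, as an added example that is not part of the patent text. It assumes X25519 as the DH algorithm, HKDF-SHA256 for key derivation, and that each side combines the secret obtained from the peer's credential with the secret obtained from its own credential in DID order so that both arrive at one key; `Client`, `KeySchedule` and the `did:example` identifiers are hypothetical names, and verification of the credential's signature is omitted.

```python
import hashlib
import hmac
import os

P = 2**255 - 19                      # X25519 field prime (RFC 7748)
A24 = 121665
BASE = (9).to_bytes(32, "little")    # X25519 base point


def x25519(scalar: bytes, u: bytes) -> bytes:
    """RFC 7748 Montgomery ladder. Not constant-time: for illustration only."""
    k = bytearray(scalar)
    k[0] &= 248
    k[31] = (k[31] & 127) | 64
    k = int.from_bytes(k, "little")
    x1 = int.from_bytes(u, "little") & ((1 << 255) - 1)
    x2, z2, x3, z3, swap = 1, 0, x1, 1, 0
    for t in reversed(range(255)):
        bit = (k >> t) & 1
        if swap ^ bit:
            x2, z2, x3, z3 = x3, z3, x2, z2
        swap = bit
        a, b = (x2 + z2) % P, (x2 - z2) % P
        c, d = (x3 + z3) % P, (x3 - z3) % P
        aa, bb, da, cb = a * a % P, b * b % P, d * a % P, c * b % P
        e = (aa - bb) % P
        x3, z3 = (da + cb) ** 2 % P, x1 * (da - cb) ** 2 % P
        x2, z2 = aa * bb % P, e * (aa + A24 * e) % P
    if swap:
        x2, z2 = x3, z3
    return (x2 * pow(z2, P - 2, P) % P).to_bytes(32, "little")


def hkdf32(ikm: bytes, info: bytes) -> bytes:
    """HKDF-SHA256 (RFC 5869) with a zero salt and one 32-byte output block."""
    prk = hmac.new(bytes(32), ikm, hashlib.sha256).digest()
    return hmac.new(prk, info + b"\x01", hashlib.sha256).digest()


def dh(priv: bytes, pub: bytes) -> bytes:
    shared = x25519(priv, pub)
    if shared == bytes(32):          # low-order public value in the credential
        raise ValueError("degenerate shared secret")
    return shared


class Client:
    def __init__(self, did: str):
        self.did = did
        self.did_priv = os.urandom(32)
        self.did_pub = x25519(self.did_priv, BASE)   # published in the DID document
        self.material_privs = []

    def issue_credential(self, count: int) -> dict:
        """Generate `count` temporary key pairs; the credential carries the public halves."""
        self.material_privs = [os.urandom(32) for _ in range(count)]
        return {"issuer": self.did,
                "materials": [x25519(k, BASE) for k in self.material_privs]}


class KeySchedule:
    """One client's view of the changing symmetric keys shared with one peer."""

    def __init__(self, me: Client, peer_did_pub: bytes, peer_credential: dict):
        self.me, self.peer_did_pub, self.peer_vc = me, peer_did_pub, peer_credential
        self.used = 0

    def next_key(self):
        """Key for the next unused material, or None once all have been used."""
        theirs = self.peer_vc["materials"]
        if self.used >= min(len(theirs), len(self.me.material_privs)):
            return None   # caller re-acquires the peer's credential from the identity HUB
        i = self.used
        parts = sorted([
            # own DID private key x material from the peer's credential (step 307)
            (self.peer_vc["issuer"], dh(self.me.did_priv, theirs[i])),
            # what the peer derives from our credential in step 307' (assumed pairing)
            (self.me.did, dh(self.me.material_privs[i], self.peer_did_pub)),
        ])
        self.used += 1
        info = b"|".join(did.encode() for did, _ in parts) + b"|%d" % i
        return hkdf32(parts[0][1] + parts[1][1], info)


def demo(rounds: int = 3):
    """Both sides derive `rounds` keys, then one more request to show exhaustion."""
    alice, bob = Client("did:example:alice"), Client("did:example:bob")
    vc_a, vc_b = alice.issue_credential(rounds), bob.issue_credential(rounds)
    a_side = KeySchedule(alice, bob.did_pub, vc_b)
    b_side = KeySchedule(bob, alice.did_pub, vc_a)
    keys_a = [a_side.next_key() for _ in range(rounds + 1)]
    keys_b = [b_side.next_key() for _ in range(rounds + 1)]
    return keys_a, keys_b


if __name__ == "__main__":
    for i, (ka, kb) in enumerate(zip(*demo())):
        print(i, "exhausted" if ka is None else ka.hex()[:16], ka == kb)
```

Using only the secret from the peer's credential would give the two clients different values, since each would pair its DID private key with a different temporary public key; combining both secrets is what lets them agree without exchanging further messages.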
In the communication method based on distributed identity disclosed in the embodiments of the present application, the first client obtains the DID public key of the second client according to the DID of the second client; based on the DID public key of the second client, acquires through the identity HUB the verifiable credential issued by the second client for its own DID, where the verifiable credential is issued based on encryption material that the second client generates in response to a communication request of the first client; acquires the encryption material carried in the verifiable credential; obtains a symmetric encryption key based on its own DID private key and the encryption material; and sends the first encryption information, encrypted with the symmetric encryption key, to the second client, thereby improving the security of encrypted communication.
In the communication method based on distributed identity, because the encryption material is carried in the verifiable credential, the clients of both communicating parties can perform key negotiation or key exchange based on the encryption material carried in the verifiable credential. The symmetric encryption key is therefore obtained without establishing an additional encrypted communication channel and without additional information interaction, encrypted communication between the two parties is achieved, and the security of the encrypted communication is improved by reducing the number of key transmission links.
Furthermore, by carrying a plurality of encryption materials in the verifiable credential, encrypted communication based on a dynamic key can be realized, further improving the security of network communication. In addition, because the dynamic key is obtained from the encryption material carried in the verifiable credential, the number of accesses to a third-party server needed to obtain keys when communicating with a dynamic key is effectively reduced, and communication efficiency is improved.
Example two
The embodiment of the application discloses a communication device based on distributed identity, as shown in fig. 4, the device includes:
the DID public key obtaining module 410, configured to obtain, by the first client, a DID public key of the second client according to the DID of the second client;
A verifiable credential obtaining module 420, configured to obtain, based on the DID public key of a second client, a verifiable credential issued by the second client for its own DID through an identity HUB, where the verifiable credential is issued based on an encrypted material after the second client generates the encrypted material in response to a communication request of the first client;
an encrypted material acquisition module 430, configured to acquire the encrypted material carried in the verifiable credential;
a symmetric encryption key obtaining module 440, configured to obtain a symmetric encryption key by the first client based on the DID private key of the first client and the encryption material;
and the encryption communication module 450 is configured to send, by the first client, first encryption information that is encrypted by using the symmetric encryption key to the second client.
In some embodiments of the present application, the encryption communication module 450 is further configured to:
and in response to receiving second encryption information sent by the second client, decrypting the second encryption information based on the symmetric encryption key.
In some embodiments of the present application, as shown in fig. 5, the apparatus further includes:
the verifiable credential issuing module 400 is configured to respond to a communication request of the second client, obtain the encrypted material by the first client according to a preset method, and issue a verifiable credential carrying the encrypted material for the self DID.
In some embodiments of the present application, the verifiable credential issuance module 400 is further configured to:
and responding to the communication request of the second client, the first client acquires a plurality of encrypted materials according to a preset method, and issues verifiable certificates carrying the plurality of encrypted materials for the DID of the first client.
In some embodiments of the present application, the verifiable credential carries a plurality of encrypted materials used by the second client to communicate with the first client, as shown in fig. 5, and the apparatus further includes:
a key update module 460, configured to determine whether all of the plurality of encryption materials carried in the verifiable credential are used if the condition of replacing the symmetric encryption key is satisfied;
the key update module 460 is further configured to, in response to not all of the encryption materials carried in the verifiable credential having been used, select one unused encryption material from those carried in the verifiable credential and jump to the symmetric encryption key obtaining module 440, which obtains the symmetric encryption key for the first client based on the DID private key of the first client and the selected encryption material.
In some embodiments of the present application, the key update module 460 is further configured to:
in response to all of the encryption materials carried in the verifiable credential having been used, jump to execute the verifiable credential acquisition module.
In some embodiments of the present application, the symmetric encryption key acquisition module 440 is further configured to:
and the first client obtains the symmetric encryption key between the first client and the second client through a key negotiation algorithm or a key exchange algorithm based on the DID private key of the first client and the encryption material.
The communication device based on the distributed identity disclosed in the embodiment of the present application is configured to implement the communication method based on the distributed identity described in the first embodiment of the present application, and specific implementation manners of each module of the device are not described herein, and reference may be made to specific implementation manners of corresponding steps in the method embodiment.
In the communication device based on distributed identity disclosed in the embodiments of the present application, the first client obtains the DID public key of the second client according to the DID of the second client; based on the DID public key of the second client, acquires through the identity HUB the verifiable credential issued by the second client for its own DID, where the verifiable credential is issued based on encryption material that the second client generates in response to a communication request of the first client; acquires the encryption material carried in the verifiable credential; obtains a symmetric encryption key based on its own DID private key and the encryption material; and sends the first encryption information, encrypted with the symmetric encryption key, to the second client, thereby improving the security of encrypted communication.
In the communication device based on distributed identity disclosed in the embodiments of the present application, because the encryption material is carried in the verifiable credential, the clients of both communicating parties can perform key negotiation or key exchange based on the encryption material carried in the verifiable credential. The symmetric encryption key is therefore obtained without establishing an additional encrypted communication channel and without additional information interaction, encrypted communication between the two parties is achieved, and the security of the encrypted communication is improved by reducing the number of key transmission links.
Furthermore, by carrying a plurality of encryption materials in the verifiable credential, encrypted communication based on a dynamic key can be realized, further improving the security of network communication. In addition, because the dynamic key is obtained from the encryption material carried in the verifiable credential, the number of accesses to a third-party server needed to obtain keys when communicating with a dynamic key is effectively reduced, and communication efficiency is improved.
In this specification, the embodiments are described progressively; each embodiment focuses on its differences from the other embodiments, and for identical or similar parts the embodiments may be referred to one another. For the apparatus embodiment, the specific implementation of each module or sub-module is substantially similar to that of the corresponding step of the method, so its description is brief; for relevant points, refer to the description of the method embodiment.
The communication method and apparatus based on distributed identity provided in the present application have been described in detail above. Specific examples are used herein to illustrate the principles and embodiments of the present application, and the description of the above embodiments is intended only to help in understanding the method of the present application and its core idea; meanwhile, a person skilled in the art may, in accordance with the ideas of the present application, make changes to the specific embodiments and the scope of application. In view of the above, this description should not be construed as limiting the present application.
The system embodiments described above are merely illustrative, wherein the elements illustrated as separate elements may or may not be physically separate, and the elements shown as elements may or may not be physical elements, may be located in one place, or may be distributed over a plurality of network elements. Some or all of the modules may be selected according to actual needs to achieve the purpose of the solution of this embodiment. Those of ordinary skill in the art will understand and implement the present invention without undue burden.
Various component embodiments of the present application may be implemented in hardware, or in software modules running on one or more processors, or in a combination thereof. Those skilled in the art will appreciate that some or all of the functions of some or all of the components in an electronic device according to embodiments of the present application may be implemented in practice using a microprocessor or Digital Signal Processor (DSP). The present application may also be embodied as a device or system program (e.g., a computer program and a computer program product) for performing a portion or all of the methods described herein. Such a program embodying the present application may be stored on a computer readable medium, or may have the form of one or more signals. Such signals may be downloaded from an internet website, provided on a carrier signal, or provided in any other form.
For example, fig. 6 shows an electronic device in which a method according to the present application may be implemented. The electronic device may be a PC, a mobile terminal, a personal digital assistant, a tablet computer, etc. The electronic device conventionally comprises a processor 610 and a memory 620 and a program code 630 stored on said memory 620 and executable on the processor 610, said processor 610 implementing the method described in the above embodiments when said program code 630 is executed. The memory 620 may be a computer program product or a computer readable medium. The memory 620 may be an electronic memory such as a flash memory, an EEPROM (electrically erasable programmable read only memory), an EPROM, a hard disk, or a ROM. The memory 620 has a storage space 6201 for program code 630 of a computer program for performing any of the method steps described above. For example, the memory space 6201 for the program code 630 may include individual computer programs for implementing the various steps in the above methods, respectively. The program code 630 is computer readable code. These computer programs may be read from or written to one or more computer program products. These computer program products comprise a program code carrier such as a hard disk, a Compact Disc (CD), a memory card or a floppy disk. The computer program comprises computer readable code which, when run on an electronic device, causes the electronic device to perform a method according to the above-described embodiments.
The embodiment of the application also discloses a computer readable storage medium, on which a computer program is stored, which when being executed by a processor, implements the steps of the communication method based on distributed identity according to the embodiment one of the application.
Such a computer program product may be a computer readable storage medium, which may have memory segments, memory spaces, etc. arranged similarly to the memory 620 in the electronic device shown in fig. 6. The program code may be stored in the computer readable storage medium, for example, in a suitable form. The computer readable storage medium is typically a portable or fixed storage unit as described with reference to fig. 7. In general, the memory unit comprises computer readable code 630', which computer readable code 630' is code that is read by a processor, which code, when executed by the processor, implements the steps of the method described above.
Reference herein to "one embodiment," "an embodiment," or "one or more embodiments" means that a particular feature, structure, or characteristic described in connection with the embodiment is included in at least one embodiment of the present application. Furthermore, it is noted that instances of the phrase "in one embodiment" herein do not necessarily all refer to the same embodiment.
In the description provided herein, numerous specific details are set forth. However, it is understood that embodiments of the present application may be practiced without these specific details. In some instances, well-known methods, structures and techniques have not been shown in detail in order not to obscure an understanding of this description.
In the claims, any reference signs placed between parentheses shall not be construed as limiting the claim. The word "comprising" does not exclude the presence of elements or steps not listed in a claim. The word "a" or "an" preceding an element does not exclude the presence of a plurality of such elements. The application may be implemented by means of hardware comprising several distinct elements, and by means of a suitably programmed computer. In the unit claims enumerating several means, several of these means may be embodied by one and the same item of hardware. The use of the words first, second, third, etc. do not denote any order. These words may be interpreted as names.
Finally, it should be noted that: the above embodiments are only for illustrating the technical solution of the present application, and are not limiting thereof; although the present application has been described in detail with reference to the foregoing embodiments, it should be understood by those of ordinary skill in the art that: the technical scheme described in the foregoing embodiments can be modified or some technical features thereof can be replaced by equivalents; such modifications and substitutions do not depart from the spirit and scope of the corresponding technical solutions.

Claims (8)

1. A method of distributed identity-based communication, comprising:
the first client obtains a DID public key of the second client according to the DID of the second client;
based on the DID public key of a second client, acquiring a verifiable certificate issued by the second client for self DID through an identity HUB, wherein the verifiable certificate is issued based on the encrypted material after the second client generates the encrypted material in response to a communication request of the first client; the identity HUB is a relay node for storing identity information;
acquiring the encrypted material carried in the verifiable certificate;
the first client obtains a symmetric encryption key based on the DID private key of the first client and the encryption material;
the first client sends first encryption information which is encrypted by adopting the symmetric encryption key to the second client;
the step of the first client obtaining the DID public key of the second client according to the DID of the second client comprises the following steps:
and responding to the communication request of the second client, the first client acquires a plurality of encrypted materials according to a preset method, and issues verifiable certificates carrying the plurality of encrypted materials for the DID of the first client.
2. The method of claim 1, wherein the verifiable credential carries a plurality of encrypted materials used by the second client to communicate with the first client, and wherein the first client sends the first encrypted information encrypted using the symmetric encryption key to the second client, further comprising:
when the condition for replacing the symmetric encryption key is satisfied, determining whether all of the plurality of encryption materials carried in the verifiable credential have been used;
in response to not all of the encryption materials carried in the verifiable credential having been used, selecting one unused encryption material from those carried in the verifiable credential, whereupon the first client jumps to the step of obtaining the symmetric encryption key based on its own DID private key and the selected encryption material.
3. The method of claim 2, wherein said determining whether all of said plurality of encrypted materials carried in said verifiable credential have been used if said symmetric encryption key replacement is satisfied further comprises:
and in response to all of the encryption materials carried in the verifiable credential having been used, jumping to the step of acquiring, based on the DID public key of the second client, the verifiable credential issued by the second client for its own DID through the identity HUB.
4. A method according to any one of claims 1 to 3, further comprising:
and in response to receiving second encryption information sent by the second client, decrypting the second encryption information based on the symmetric encryption key.
5. A method according to any one of claims 1 to 3, wherein the first client obtains a symmetric encryption key based on its DID private key and the encryption material, comprising:
and the first client obtains the symmetric encryption key between the first client and the second client through a key negotiation algorithm or a key exchange algorithm based on the DID private key of the first client and the encryption material.
6. A distributed identity-based communication device, comprising:
the DID public key acquisition module is used for acquiring the DID public key of the second client according to the DID of the second client by the first client;
the verifiable credential acquisition module is used for acquiring a verifiable credential issued by a second client for self DID through an identity HUB based on the DID public key of the second client, wherein the verifiable credential is issued based on the encrypted material after the second client generates the encrypted material in response to the communication request of the first client; the identity HUB is a relay node for storing identity information;
The encryption material acquisition module is used for acquiring the encryption material carried in the verifiable certificate;
the symmetric encryption key acquisition module is used for acquiring a symmetric encryption key by the first client based on the DID private key of the first client and the encryption material;
the encryption communication module is used for sending first encryption information which is encrypted by adopting the symmetric encryption key to the second client by the first client;
and the verifiable credential issuing module is used for responding to the communication request of the second client, acquiring a plurality of encrypted materials by the first client according to a preset method, and issuing verifiable credentials carrying the plurality of encrypted materials for the DID.
7. An electronic device comprising a memory, a processor and program code stored on the memory and executable on the processor, wherein the processor implements the distributed identity based communication method of any one of claims 1 to 5 when the program code is executed by the processor.
8. A computer readable storage medium having stored thereon program code, which when executed by a processor realizes the steps of the distributed identity based communication method of any of claims 1 to 5.
CN202210621053.XA 2022-06-02 2022-06-02 Communication method and device based on distributed identity Active CN115174146B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202210621053.XA CN115174146B (en) 2022-06-02 2022-06-02 Communication method and device based on distributed identity

Publications (2)

Publication Number Publication Date
CN115174146A CN115174146A (en) 2022-10-11
CN115174146B true CN115174146B (en) 2024-02-23

Family

ID=83483668

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202210621053.XA Active CN115174146B (en) 2022-06-02 2022-06-02 Communication method and device based on distributed identity

Country Status (1)

Country Link
CN (1) CN115174146B (en)

Citations (8)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN112199714A (en) * 2020-12-04 2021-01-08 支付宝(杭州)信息技术有限公司 Privacy protection method and device based on block chain and electronic equipment
CN112199721A (en) * 2020-10-13 2021-01-08 腾讯科技(北京)有限公司 Authentication information processing method, device, equipment and storage medium
CN112926092A (en) * 2021-03-30 2021-06-08 支付宝(杭州)信息技术有限公司 Privacy-protecting identity information storage and identity authentication method and device
CN113256290A (en) * 2021-05-14 2021-08-13 杭州链网科技有限公司 Decentralized encrypted communication and transaction system
CN113704775A (en) * 2021-07-14 2021-11-26 杭州溪塔科技有限公司 Service processing method based on distributed digital identity and related device
CN114051031A (en) * 2021-11-16 2022-02-15 中国电信股份有限公司 Encryption communication method, system, equipment and storage medium based on distributed identity
WO2022096126A1 (en) * 2020-11-06 2022-05-12 Lenovo (Singapore) Pte. Ltd. Subscription onboarding using a verified digital identity
CN114528532A (en) * 2022-04-24 2022-05-24 南方电网数字电网研究院有限公司 Supply chain data evidence storing method and device, computer equipment and storage medium

Family Cites Families (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20210314293A1 (en) * 2020-04-02 2021-10-07 Hewlett Packard Enterprise Development Lp Method and system for using tunnel extensible authentication protocol (teap) for self-sovereign identity based authentication

Patent Citations (8)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN112199721A (en) * 2020-10-13 2021-01-08 腾讯科技(北京)有限公司 Authentication information processing method, device, equipment and storage medium
WO2022096126A1 (en) * 2020-11-06 2022-05-12 Lenovo (Singapore) Pte. Ltd. Subscription onboarding using a verified digital identity
CN112199714A (en) * 2020-12-04 2021-01-08 支付宝(杭州)信息技术有限公司 Privacy protection method and device based on block chain and electronic equipment
CN112926092A (en) * 2021-03-30 2021-06-08 支付宝(杭州)信息技术有限公司 Privacy-protecting identity information storage and identity authentication method and device
CN113256290A (en) * 2021-05-14 2021-08-13 杭州链网科技有限公司 Decentralized encrypted communication and transaction system
CN113704775A (en) * 2021-07-14 2021-11-26 杭州溪塔科技有限公司 Service processing method based on distributed digital identity and related device
CN114051031A (en) * 2021-11-16 2022-02-15 中国电信股份有限公司 Encryption communication method, system, equipment and storage medium based on distributed identity
CN114528532A (en) * 2022-04-24 2022-05-24 南方电网数字电网研究院有限公司 Supply chain data evidence storing method and device, computer equipment and storage medium

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
Development Status of Blockchain-Based Digital Identity; 崔久强; 吕尧; 王虎; 网络空间安全 (06); full text *

Also Published As

Publication number Publication date
CN115174146A (en) 2022-10-11

Similar Documents

Publication Publication Date Title
JP7119040B2 (en) Data transmission method, device and system
CN111953705B (en) Internet of things identity authentication method and device and power Internet of things identity authentication system
CN110708170B (en) Data processing method and device and computer readable storage medium
CN110380852B (en) Bidirectional authentication method and communication system
US9065637B2 (en) System and method for securing private keys issued from distributed private key generator (D-PKG) nodes
CA2408589C (en) Url-based certificate in a pki
CN114730420A (en) System and method for generating signatures
CN111884805A (en) Data hosting method and system based on block chain and distributed identity
WO2022111102A1 (en) Method, system and apparatus for establishing secure connection, electronic device, and machine-readable storage medium
CN110599342B (en) Block chain-based identity information authorization method and device
CN112543166B (en) Real name login method and device
CN110138548B (en) Quantum communication service station key negotiation method and system based on asymmetric key pool pair and DH protocol
CN112311543B (en) GBA key generation method, terminal and NAF network element
CN111131416A (en) Business service providing method and device, storage medium and electronic device
CN112766962A (en) Method for receiving and sending certificate, transaction system, storage medium and electronic device
CN113382002B (en) Data request method, request response method, data communication system, and storage medium
CN113810412A (en) Certificateless identification resolution identity trust control method, system and equipment
CN108259486B (en) End-to-end key exchange method based on certificate
CN110335040A (en) Resource transfers method, apparatus, electronic equipment and storage medium
CN111756528A (en) Quantum session key distribution method and device and communication architecture
CN112235276B (en) Master-slave equipment interaction method, device, system, electronic equipment and computer medium
NL1043779B1 (en) Method for electronic signing and authenticaton strongly linked to the authenticator factors possession and knowledge
CN116684093B (en) Identity authentication and key exchange method and system
CN110166460B (en) Service account registration method and device, storage medium and electronic device
CN110417722B (en) Business data communication method, communication equipment and storage medium

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant