CN117056981A - Digital identity management method and device - Google Patents


Publication number
CN117056981A
Authority
CN
China
Prior art keywords
document
hash value
user
identity
storage system
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN202311043550.7A
Other languages
Chinese (zh)
Inventor
邱锋
谭亚奇
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Hunan Yuelushan Research Institute Of Data Science And Technology Co ltd
Original Assignee
Hunan Yuelushan Research Institute Of Data Science And Technology Co ltd
Application filed by Hunan Yuelushan Research Institute Of Data Science And Technology Co ltd
Priority to CN202311043550.7A
Publication of CN117056981A
Legal status: Pending

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60 Protecting data
    • G06F21/64 Protecting data integrity, e.g. using checksums, certificates or signatures
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F16/00 Information retrieval; Database structures therefor; File system structures therefor
    • G06F16/20 Information retrieval; Database structures therefor; File system structures therefor of structured data, e.g. relational data
    • G06F16/27 Replication, distribution or synchronisation of data between databases or within a distributed database system; Distributed database system architectures therefor
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/30 Authentication, i.e. establishing the identity or authorisation of security principals
    • G06F21/45 Structures or tools for the administration of authentication
    • G06F21/46 Structures or tools for the administration of authentication by designing passwords or checking the strength of passwords
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60 Protecting data
    • G06F21/62 Protecting access to data via a platform, e.g. using keys or access control rules
    • G06F21/6218 Protecting access to data via a platform, e.g. using keys or access control rules to a system of files or objects, e.g. local or distributed file system or database
    • Y GENERAL TAGGING OF NEW TECHNOLOGICAL DEVELOPMENTS; GENERAL TAGGING OF CROSS-SECTIONAL TECHNOLOGIES SPANNING OVER SEVERAL SECTIONS OF THE IPC; TECHNICAL SUBJECTS COVERED BY FORMER USPC CROSS-REFERENCE ART COLLECTIONS [XRACs] AND DIGESTS
    • Y02 TECHNOLOGIES OR APPLICATIONS FOR MITIGATION OR ADAPTATION AGAINST CLIMATE CHANGE
    • Y02D CLIMATE CHANGE MITIGATION TECHNOLOGIES IN INFORMATION AND COMMUNICATION TECHNOLOGIES [ICT], I.E. INFORMATION AND COMMUNICATION TECHNOLOGIES AIMING AT THE REDUCTION OF THEIR OWN ENERGY USE
    • Y02D10/00 Energy efficient computing, e.g. low power processors, power management or thermal management

Landscapes

  • Engineering & Computer Science (AREA)
  • Theoretical Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • General Physics & Mathematics (AREA)
  • General Engineering & Computer Science (AREA)
  • Physics & Mathematics (AREA)
  • Software Systems (AREA)
  • Computer Hardware Design (AREA)
  • Databases & Information Systems (AREA)
  • General Health & Medical Sciences (AREA)
  • Bioethics (AREA)
  • Health & Medical Sciences (AREA)
  • Computing Systems (AREA)
  • Data Mining & Analysis (AREA)
  • Information Retrieval, Db Structures And Fs Structures Therefor (AREA)

Abstract

The invention discloses a method and a device for digital identity management, which take a decentralized identifier (DID) as the unique identity of a user, store the corresponding DID document in a distributed storage system, and store only the hash value of the DID document together with the DID identifier on a blockchain; therefore, on the premise of ensuring security and credibility, more efficient user identity management is realized.

Description

Digital identity management method and device
Technical Field
The invention relates to a method and a device for digital identity management.
Background
In an information system, personal identity information is typically stored and managed in a centralized manner, including account numbers, passwords, identification card numbers, etc. This has the following problems:
1. Information security risk: a centralized identity management system may be the target of hacking; once the system is breached, the intruder will be able to access, control and tamper with the identity information of all users. Such security vulnerabilities may lead to personal information disclosure, identity theft and unauthorized access, and even malicious tampering with the identity information.
2. Privacy disclosure problem: a centralized identity management system needs to collect and store a large amount of user identity information. This may raise concerns about personal privacy for the user, especially in case of data leakage or abuse. Users may be reluctant to have their identity information stored centrally under the management of a single entity.
3. Monopoly problem: centralized identity management systems often depend strongly on a particular technology or provider, and user identity information is difficult to migrate to other systems or platforms. If the technology or provider becomes problematic or unavailable, the entire identity management system may be affected.
4. Lack of flexibility: a centralized identity management system is typically managed by a single entity or organization, meaning that the functions and rules of the system are determined by that entity. This centralized control limits user choice and customization, making the system inflexible in meeting different user needs and specific scenarios.
To address these shortcomings, the industry has proposed a series of decentralized identity management methods that provide better security, privacy protection, resistance to monopoly and the like through blockchain, a distributed ledger technology.
Typical schemes include:
1. Sovrin: a blockchain-based decentralized identity management network that aims to establish a secure, reliable and autonomous identity ecosystem. It provides decentralized identity verification and identity provider functions, and the user owns his identity and controls the sharing of his identity information.
2. uPort: a project in the Ethereum ecosystem that provides a decentralized identity management and authentication solution. It allows users to create and manage their own identities while providing open standards and protocols that allow applications to interact with the user's identities.
3. SelfKey: a blockchain-based decentralized identity management platform that aims to give users control over their personal identity information. It provides authentication, KYC (Know Your Customer) services, decentralized identity wallets and other functions to support users in managing and authenticating their identity in the digital world.
In existing solutions, a globally unique and constant identifier is usually created for the user, called a DID (Decentralized Identifier). Each DID also corresponds to a document created to contain the public information of the DID owner, called the DID document. The document mainly contains the information necessary for verifying the DID and the identity of the owner associated with it, such as the public key (PublicKey). The DID and the DID document are then signed with the private key of the DID owner and stored on the blockchain, and each subsequent update of the DID document is stored on the blockchain in the same way, so that every node of the blockchain network can synchronously obtain the latest identity information of the user, and verification, tamper resistance, traceability and similar functions for the user's identity information can be conveniently realized.
However, since DID documents generally contain a lot of information, such as public key information and digital signature information, the documents are relatively long. And if a document is modified repeatedly, all old versions of the DID document remain permanently on the blockchain. Therefore, although storing the DID document directly on the chain as block content obtains the highest reliability, it easily brings excessive storage and network transmission load, which increases the storage and network bandwidth cost of the blockchain nodes, reduces the consensus speed of the blockchain network, reduces the service capability of the system, and so on.
Therefore, there is a need for a new digital identity management method and apparatus.
Disclosure of Invention
The invention aims to provide a method and a device for managing digital identity, which can realize more efficient user identity management on the premise of ensuring safety and credibility.
The technical proposal of the invention is as follows:
A digital identity management method uses a decentralized identifier (DID) as the unique identity of a user, stores the corresponding DID document in a distributed storage system, and stores only the hash value of the DID document together with the DID identifier on a blockchain;
the DID name contains three parts, separated by colons: 1) the scheme type, identified as did; 2) the name of the method used to generate the identifying string; 3) a string identifying the user, generated according to the method named in the second part.
The user identity information registration process comprises the following steps:
(1) The user side calls the DID client to generate a DID identifier and an identity key pair;
the identity key pair consists of a private key and a public key;
(2) Signing
The user side calls the DID client to create the DID document, which comprises the public key information from the key pair, the verification method and other metadata; the private key of the identity key pair is used to sign all metadata of the DID document except the "proof" attribute, the signature information must indicate the identifier of the corresponding public key recorded in the DID document, and the signature information is put into the DID document;
(3) Calculating the hash value
If the distributed storage system supports calculating a hash value over the complete content of the DID document and supports using that hash value as the index of the DID document, the user side calls the client of the distributed storage system to store the DID document on a plurality of nodes of the distributed storage system and records the returned hash value; otherwise, the user side calculates a hash value of the DID document with a secure hash algorithm and stores the DID document on a plurality of nodes of the distributed storage system by calling the client of the distributed storage system with the hash value as the index; the resulting DID document hash value is recorded as the first hash value;
(4) Storing the data in a block and putting it on-chain
The user side combines the DID and the hash value obtained in step 3 into data in the form of a key-value pair, stores the data in a block, and then puts the block on-chain; this operation is completed by calling the blockchain client. After the block is on-chain, all blockchain nodes synchronize to obtain the block, and thereby the key-value pair.
The user identity information update flow is as follows:
(1) The user side invokes the DID client to modify the DID document and uses the private key of the identity key pair to sign all metadata of the DID document except the signature information; the signature information must indicate the identifier of the corresponding public key recorded in the DID document, and it then replaces the original signature information in the DID document;
(2) If the distributed storage system supports calculating the hash value of the DID document and supports using that hash value as the index of the DID document, the user side calls the client of the distributed storage system to store the DID document on a plurality of nodes of the distributed storage system and records the returned hash value; otherwise, the user side calculates a hash value of the DID document with a secure hash algorithm and stores the DID document on a plurality of nodes of the distributed storage system by calling the client of the distributed storage system with the hash value as the index;
(3) The user side combines the DID and the hash value obtained in step 2 into block information and puts it on-chain; this operation is completed by calling the blockchain client. Likewise, once the block is on-chain, all blockchain nodes know that the corresponding DID document has been updated and that the hash value of the latest version is the second hash value; the DID document of the original version, whose hash value is the first hash value, need not be changed or deleted and simply remains stored in the distributed storage system.
The authentication flow for the identity information in a user request is as follows:
(1) Initiating a request
In the application scenario, if a user needs to access a resource or service bound to his identity, the user initiates a request; the request must contain the DID identifier, a signature over the request content made with the private key of the corresponding identity key pair, and the identifier of the corresponding public key; the request is then sent to the verifier;
(2) Obtaining the hash value of the latest version
For the specified DID, the verifier side obtains the hash value of the DID document corresponding to the latest version of the DID through the blockchain client;
(3) Obtaining the DID document
The verifier side obtains the corresponding DID document according to the hash value "sha256:HASH456" by calling the distributed storage system client, and if the DID document cannot be found, verification of the request fails;
(4) Verifying the specific content
The verifier verifies the DID document by calling the DID client; the verification comprises: 1) verifying the DID document structure and whether the necessary public key information and signature information fields are present; 2) finding the identifier of the public key related to the signature from the signature information, finding the corresponding public key in the DID document, and verifying the signature with that public key; if any of the above fails, verification of the request fails;
(5) After the DID document passes verification, because a DID document may carry several public keys, the public key used to verify the request signature must be looked up in the DID document according to the public key identifier in the request; if this step cannot find the corresponding public key or the verification fails, verification of the request fails; after verification succeeds, the subsequent steps continue according to the application logic.
The digital identity management method is applied to digital wallets, namely decentralized identity wallets.
A digital identity management device realizes data transmission and storage based on the digital identity management method.
The beneficial effects are that:
The invention relates to a method and a device for digital identity management. The scheme adopts a decentralized identifier (DID) as the unique identity of a user, stores the corresponding DID document in a distributed storage system, and stores only the hash value of the DID document and the DID on a blockchain. Therefore, on the premise of ensuring security and credibility, more efficient user identity management is realized.
Detailed Description
The invention will be described in further detail with reference to the following examples:
example 1:
The invention provides a decentralized identity management scheme based on a blockchain and a distributed storage system, which adopts a decentralized identifier (DID) as the unique identity of a user, stores the corresponding DID document in the distributed storage system, and stores only the hash value of the DID document and the DID on the blockchain. Therefore, on the premise of ensuring security and credibility, more efficient user identity management is realized.
The DID in this scheme refers to a globally unique and unchanging string used to identify a user, similar to an identity card number in daily life. A DID essentially consists of three parts separated by colons: 1) the scheme type, typically did; 2) the name of the method used to generate the identifying string; 3) a string identifying the user, generated according to the method named in the second part. Each DID has a DID document (by way of analogy: the DID corresponds to a person's identity card number, and the DID document corresponds to the identity card itself, on which basic information such as the person's name and address is written, together with the identity card number). The DID document describes the user identity to which the DID corresponds and includes, but is not limited to, meta information, the DID itself, the user's identity public key information, and the like. Specific implementations include, but are not limited to, the DID standard of the W3C (World Wide Web Consortium) and the DID Auth standard of the DIF (Decentralized Identity Foundation). For example, if the DID of a certain user is did:user:123, the DID document content of that user can be:
{
  "@context": [
    "https://www.w3.org/ns/did/v1",
    "https://w3id.org/security/suites/ed25519-2020/v1"
  ],
  "id": "did:user:123",
  "verificationMethod": [
    {
      "id": "did:user:123#key-1",
      "type": "Ed25519VerificationKey2018",
      "publicKey": "zH3C2a89Bcc…PV"
    },
    {
      "id": "did:user:123#key-2",
      "type": "Ed25519VerificationKey2018",
      "publicKey": "Dk3kd…jww33"
    }
  ],
  "proof": {
    "type": "Secp256k1",
    "creator": "did:user:123#key-1",
    "signatureValue": "QNB13Y7Q9...1tzjn4w=="
  }
}
In the above example, the "@context" attribute is the meta information part and consists of a list of URLs describing the format specifications the DID document adheres to. If the meta information part contains different URLs, the field formats of the rest of the DID document differ accordingly. The "id" attribute is the DID itself, indicating which DID the document belongs to. The "verificationMethod" attribute holds the user's public key information (there may be several public keys) and can be used to verify digital signatures over documents, requests, and so on. In addition, the DID document contains a digital signature over the content of the document itself (the "proof" attribute), as well as other attribute fields defined by the meta information.
The scheme mainly comprises blockchain nodes, a blockchain wallet, distributed storage system service nodes, a distributed storage system client, a DID client, the client software of the user identity owner (hereinafter referred to as the user side), and the software system that verifies the user identity information in a request (hereinafter referred to as the verifier side). The blockchain wallet, the distributed storage system client and the DID client may provide the user side and the verifier side with the related functions in various forms, such as an SDK (software development kit), a runtime library, source code, and the like.
The blockchain nodes in this scheme are mainly responsible for executing and maintaining the tasks of the blockchain network, including but not limited to block data storage, transaction verification and packaging, participation in the consensus mechanism, network communication, and the like. They are mainly realized with common blockchain technology, including but not limited to Ethereum, and may be deployed as a public chain, a consortium chain, or in other modes. A plurality of blockchain nodes are directly connected through a peer-to-peer network and together form the blockchain network.
The blockchain wallet is mainly responsible for generating and managing the key pair, consisting of a public key and a private key, with which the user identifies himself on the blockchain; it digitally signs the block information to be put on-chain with the private key and invokes the blockchain node service interface to complete the on-chain operation for the block.
The distributed storage system in this scheme is a system for storing data in a decentralized manner on multiple physical storage nodes (i.e., the data is divided into small blocks and each block is stored, with copies, on multiple physical storage nodes, and each node can independently store and access the data), providing greater reliability, scalability and fault tolerance. The system calculates a hash value from the content of each piece of data and locates and retrieves the data in the system by means of that hash value. Such distributed storage systems include, but are not limited to, the common IPFS (InterPlanetary File System) and the like. The distributed storage system service nodes are the physical storage nodes that store the data.
The DID client is mainly responsible for: 1) creating the DID and the DID document; 2) generating and managing the key pair, also consisting of a public key and a private key, used to verify the identity of the DID owner; 3) digitally signing and verifying the DID document with the identity private key.
The scheme mainly comprises the following flows: 1) the user identity information registration flow; 2) the user identity information update flow; 3) the user authentication flow.
1. User identity information registration flow
1) The user side invokes the DID client to generate a DID and an identity key pair. The uniquely identifying part of the DID may be generated in various ways, such as a UUID (universally unique identifier). Assume that the generated user DID is "did:user:123" and that the identity key pair consists of the private key "PRIKEY123" and the public key "PUBKEY123";
2) The user side calls the DID client to create the DID document, which comprises the public key information (the private key is kept only in the client and is not written into the DID document), the verification method and other metadata; the private key of the identity key pair is used to sign all metadata of the DID document except the "proof" attribute, the signature information must indicate the identifier of the corresponding public key recorded in the DID document, and the signature information is put into the DID document (namely the "proof" field);
3) If the distributed storage system supports calculating a hash value over the complete content of the DID document and supports using that hash value as the index of the DID document, the user side calls the client of the distributed storage system to store the DID document on a plurality of nodes of the distributed storage system and records the returned hash value; otherwise, the user side calculates a hash value of the DID document with a secure hash algorithm commonly used in the industry, including but not limited to SHA2-256, and stores the DID document on a plurality of nodes of the distributed storage system by calling the client of the distributed storage system with the hash value as the index. Assume that the hash value of the resulting DID document is "sha256:HASH123";
4) The user side combines the DID and the hash value obtained in step 3 into data in the form of a key-value pair, stores the data in a block, and then puts the block on-chain; this operation is completed by calling the blockchain client. After the block is on-chain, all blockchain nodes synchronize to obtain the block, and thereby the key-value pair. In effect, all blockchain nodes now know that the hash value of the latest version of the DID document of "did:user:123" is "sha256:HASH123".
2. User identity information update flow
1) The user side invokes the DID client to modify the DID document and uses the private key of the identity key pair to sign all metadata of the DID document except the signature information; the signature information must indicate the identifier of the corresponding public key recorded in the DID document, and it then replaces the original signature information in the DID document;
2) If the distributed storage system supports calculating the hash value of the DID document and supports using that hash value as the index of the DID document, the user side calls the client of the distributed storage system to store the DID document on a plurality of nodes of the distributed storage system and records the returned hash value; otherwise, the user side calculates a hash value of the DID document with a secure hash algorithm commonly used in the industry, including but not limited to SHA2-256, and stores the DID document on a plurality of nodes of the distributed storage system by calling the client of the distributed storage system with the hash value as the index. Assume that the updated hash value is "sha256:HASH456";
3) The user side combines the DID and the hash value obtained in step 2 into block information and puts it on-chain; this operation is completed by calling the blockchain client. Likewise, once the block is on-chain, all blockchain nodes know that the DID document of "did:user:123" has been updated and that the hash value of the latest version is "sha256:HASH456"; the DID document of the original version, whose hash value is "sha256:HASH123", need not be changed or deleted and simply remains stored in the distributed storage system.
3. Authentication flow for the identity information in a user request
1) In the application scenario, if a user needs to access a resource or service bound to his identity, the user initiates a request that contains the DID, a signature over the request content made with the private key of the corresponding identity key pair, and the identifier of the corresponding public key; the request is then sent to the verifier side;
2) For the specified DID, the verifier side obtains the hash value of the latest version of the DID document corresponding to that DID through the blockchain client (in the example of step 2 above, "sha256:HASH456");
3) The verifier side obtains the corresponding DID document according to the hash value "sha256:HASH456" by calling the distributed storage system client, and if the DID document cannot be found, verification of the request fails;
4) The verifier verifies the DID document by calling the DID client; the verification comprises: 1) verifying the DID document structure and judging whether it contains the necessary fields such as public key information and signature information; 2) finding the identifier of the public key related to the signature from the signature information, such as "did:user:123#key-1" in the above example, finding the corresponding public key (i.e., "PK123") in the DID document, and using it to verify the signature. If any of the above fails, verification of the request fails;
5) After the DID document passes verification, because a DID document may carry several public keys, the public key used to verify the request signature must be looked up in the DID document according to the public key identifier in the request; if this step cannot find the corresponding public key or the verification fails, verification of the request fails;
6) After verification succeeds, the subsequent steps continue according to the application logic.
The key point of the invention is that the DID document corresponding to the DID is stored in the distributed storage system, and only the hash value of the DID document and the DID are stored on the blockchain. The data volume of the block information put on-chain is significantly reduced, the problems of operation and maintenance cost and efficiency of storage in the blockchain network are effectively addressed, and the overall response speed of the system is improved; finally, on the premise of ensuring security and credibility, more efficient user identity management is realized.

Claims (6)

1. A digital identity management method, characterized in that a decentralized identifier (DID) is used as the unique identity of a user, the corresponding DID document is stored in a distributed storage system, and only the hash value of the DID document and the DID identifier are stored on a blockchain;
the DID name contains three parts, separated by colons: 1) the scheme type, identified as did; 2) the name of the method used to generate the identifying string; 3) a string identifying the user, generated according to the method named in the second part.
2. The method of digital identity management according to claim 1, wherein the user identity information registration procedure is:
1) The user calls the DID client to generate a DID identifier and identity key pair;
the identity key pair consists of a private key and a public key;
2) Signing
The user side calls the DID client side to create a DID document, the DID document comprises public key information in a key pair, a verification method and other metadata, the private key in an identity key pair is adopted to sign various metadata except for a proof attribute of the DID document, signature information needs to mark the identification of the corresponding public key recorded in the DID document, and the signature information is put into the DID document;
3) Calculating hash values
If the distributed storage system supports calculating the hash value according to the complete content of the DID document and supports taking the hash value as an index mode of the DID document, the user side calls a client of the distributed storage system to store the DID document into a plurality of nodes of the distributed storage system and records the returned hash value; otherwise, the user side calculates a hash value for the DID document by adopting a secure hash algorithm, and stores the DID document into a plurality of nodes of the distributed storage system by calling the client of the distributed storage system in a mode of taking the hash value as an index; the finally generated DID document hash value is recorded as a first hash value;
4) Storing the data in a block and writing it to the chain
The user side combines the DID and the hash value obtained in step 3 into a key-value pair, stores it into a block, and then writes the block to the chain; this operation is completed by calling the blockchain client. After the block has been written to the chain, all blockchain nodes synchronize and obtain the block, and with it the key-value pair.
3. The method of digital identity management according to claim 2, wherein the user identity information update procedure is:
1) The user side calls the DID client to modify the DID document and uses the private key of the identity key pair to sign all metadata of the DID document except the signature information; the signature information must name the identifier of the corresponding public key recorded in the DID document, and it then replaces the original signature information in the DID document;
2) If the distributed storage system supports calculating the hash value of the DID document and using that hash value as the index of the DID document, the user side calls the client of the distributed storage system to store the DID document into multiple nodes of the distributed storage system and records the returned hash value; otherwise, the user side calculates a hash value of the DID document with a secure hash algorithm and, by calling the client of the distributed storage system, stores the DID document into multiple nodes of the distributed storage system indexed by that hash value;
3) The user side combines the DID and the hash value obtained in step 2 into block information and writes it to the chain; this operation is completed by calling the blockchain client. Likewise, after the write completes, all blockchain nodes know that the corresponding DID document has been updated and that the hash value of the latest version is the second hash value; the DID document of the original version, whose hash value is the first hash value, need not be changed or deleted and simply remains stored in the distributed storage system.
4. A method of digital identity management according to claim 3, wherein the authentication procedure of the identity information in the user request is:
1) Initiating a request
In the application scenario, if a user needs to access a resource or service bound to the user's identity, the user must initiate a request. The request must contain the DID identifier, a signature over the request content made with the private key of the corresponding identity key pair, and the identifier of the corresponding public key; the request is then sent to the verifier;
2) Obtaining the hash value of the latest version
For the specified DID, the verifier side obtains, through the blockchain client, the hash value of the DID document corresponding to the latest version of that DID;
3) Obtaining the DID document
The verifier side obtains the corresponding DID document according to the hash value 'sha256:HASH456' by calling the distributed storage system client; if the DID document cannot be found, verification of the request fails;
4) Verifying specific content
The verifier verifies the DID document by calling the DID client; the verification comprises: 1) verifying the DID document structure and whether the necessary public key information and signature information fields are present; 2) finding the identifier of the public key associated with the signature from the signature information, finding the corresponding public key in the DID document, and verifying the signature with that public key; if either of the above fails, verification of the request fails;
5) After the DID document passes verification, because the DID document may hold several public keys, the corresponding public key must be found in the DID document according to the public key identifier in the request in order to verify the request signature; if this step cannot find the corresponding public key or the signature verification fails, verification of the request fails;
6) After verification succeeds, the subsequent steps continue according to the application logic.
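The registration (claim 2), update (claim 3) and verification (claim 4) procedures above, worked through end to end as an added Go example that is not part of the patent or of any implementation by the applicant. It assumes Ed25519 for the identity key pair, SHA-256 as the secure hash algorithm, JSON for the DID document, and replaces the distributed storage system and the blockchain with two in-memory maps; the DID "did:example:alice" and the key identifiers "#key-1" and "#key-2" are constructed sample values. Verify additionally checks that the bytes the store returns hash to the index anchored on the chain, a check the claim does not spell out but one a verifier that relies on a third-party store should make.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"errors"
)

// A document may hold several keys, so each carries an id that a proof or a request can name.
type VerificationMethod struct{ ID, PublicKey string }

// Proof signs every other field of the document and names the key that produced the signature.
type Proof struct{ KeyID, Signature string }

type DIDDocument struct {
	ID    string
	Keys  []VerificationMethod
	Proof *Proof `json:",omitempty"`
}

// In-memory stand-ins: Storage for the distributed storage system (hash index -> document bytes),
// Ledger for the blockchain (DID -> hash of every anchored version, newest last).
type Storage map[string][]byte
type Ledger map[string][]string

// signingBytes is the document minus its proof; struct fields marshal in a fixed order, so signer and verifier agree.
func signingBytes(doc DIDDocument) []byte {
	doc.Proof = nil
	b, _ := json.Marshal(doc)
	return b
}

// hashIndex is the content address under which the store keeps a document and the chain anchors it.
func hashIndex(b []byte) string {
	sum := sha256.Sum256(b)
	return "sha256:" + hex.EncodeToString(sum[:])
}

// publish signs, stores and anchors one document version; registration and update share it.
func publish(s Storage, l Ledger, doc DIDDocument, keyID string, priv ed25519.PrivateKey) string {
	sig := ed25519.Sign(priv, signingBytes(doc))
	doc.Proof = &Proof{KeyID: keyID, Signature: hex.EncodeToString(sig)}
	b, _ := json.Marshal(doc)
	h := hashIndex(b)
	s[h] = b
	l[doc.ID] = append(l[doc.ID], h)
	return h
}

// Register (claim 2): new identity key pair, a document holding its public key, first hash on chain.
func Register(s Storage, l Ledger, did string) (DIDDocument, ed25519.PrivateKey, string) {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	doc := DIDDocument{ID: did, Keys: []VerificationMethod{{ID: did + "#key-1", PublicKey: hex.EncodeToString(pub)}}}
	return doc, priv, publish(s, l, doc, did+"#key-1", priv)
}

// Update (claim 3): add a second key, re-sign with the identity key, anchor the second hash; version one stays stored.
func Update(s Storage, l Ledger, doc DIDDocument, priv ed25519.PrivateKey, newPub ed25519.PublicKey) (DIDDocument, string) {
	doc.Keys = append(doc.Keys, VerificationMethod{ID: doc.ID + "#key-2", PublicKey: hex.EncodeToString(newPub)})
	return doc, publish(s, l, doc, doc.ID+"#key-1", priv)
}

// findKey resolves a key id inside the document; a malformed or unknown key is reported, never used.
func findKey(doc DIDDocument, id string) (ed25519.PublicKey, bool) {
	for _, k := range doc.Keys {
		if pub, err := hex.DecodeString(k.PublicKey); k.ID == id && err == nil && len(pub) == ed25519.PublicKeySize {
			return pub, true
		}
	}
	return nil, false
}

// Verify runs claim 4 steps 2 to 5 on a request (DID, id of the signing key, payload, signature).
func Verify(s Storage, l Ledger, did, keyID string, payload, sig []byte) error {
	versions := l[did]
	if len(versions) == 0 {
		return errors.New("DID has no entry on the ledger")
	}
	latest := versions[len(versions)-1] // step 2: newest hash anchored for this DID
	raw, ok := s[latest]                // step 3: fetch by that hash, and check the bytes really match it
	if !ok || hashIndex(raw) != latest {
		return errors.New("DID document missing or does not match its hash index")
	}
	var doc DIDDocument // step 4.1: structure and required fields
	if err := json.Unmarshal(raw, &doc); err != nil || doc.ID != did || len(doc.Keys) == 0 || doc.Proof == nil {
		return errors.New("DID document structure invalid")
	}
	docKey, ok := findKey(doc, doc.Proof.KeyID) // step 4.2: document signature, using the key the proof names
	if docSig, err := hex.DecodeString(doc.Proof.Signature); !ok || err != nil || !ed25519.Verify(docKey, signingBytes(doc), docSig) {
		return errors.New("DID document signature invalid")
	}
	reqKey, ok := findKey(doc, keyID) // step 5: key named in the request, then the request signature
	if !ok || !ed25519.Verify(reqKey, payload, sig) {
		return errors.New("request signature invalid")
	}
	return nil
}
```

Register, Update and Verify are plain functions, so the flow can be driven from a test or a small main of your own: register, sign a payload with the identity key, call Verify with the key id "#key-1", then Update with a fresh key and verify a payload signed under "#key-2". Only the last hash in the Ledger slice is ever consulted, so an older document that is still present in storage cannot be replayed as current unless the chain entry itself changes, which is the reason the claim anchors the hash rather than the document.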
5. The digital identity management method according to any one of claims 1-4, characterized in that the digital identity management method is applied to a digital wallet, namely a decentralized identity wallet.
6. A digital identity management device, characterized in that the device implements data transfer and storage based on the digital identity management method according to any one of claims 1-5.
CN202311043550.7A 2023-08-18 2023-08-18 Digital identity management method and device Pending CN117056981A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202311043550.7A CN117056981A (en) 2023-08-18 2023-08-18 Digital identity management method and device

Publications (1)

Publication Number Publication Date
CN117056981A true CN117056981A (en) 2023-11-14

Family

ID=88668922

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN117650943A (en) * 2024-01-24 2024-03-05 中国信息通信研究院 User verification method and device based on distributed network, equipment and medium
CN117650943B (en) * 2024-01-24 2024-05-31 中国信息通信研究院 User verification method and device based on distributed network, equipment and medium

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination