WO2021204067A1 - Forwarding and acquisition of verifiable claim - Google Patents

Forwarding and acquisition of verifiable claim Download PDF

Info

Publication number
WO2021204067A1
Authority
WO
WIPO (PCT)
Prior art keywords
verifiable
verifiable statement
verifier
obtaining
statement
Prior art date
Application number
PCT/CN2021/085169
Other languages
French (fr)
Chinese (zh)
Inventor
杨仁慧
Original Assignee
支付宝(杭州)信息技术有限公司
Priority date
Filing date
Publication date
Application filed by 支付宝(杭州)信息技术有限公司
Publication of WO2021204067A1

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F16/00 Information retrieval; Database structures therefor; File system structures therefor
    • G06F16/20 Information retrieval; Database structures therefor; File system structures therefor of structured data, e.g. relational data
    • G06F16/28 Databases characterised by their database models, e.g. relational or object models
    • G06F16/283 Multi-dimensional databases or data warehouses, e.g. MOLAP or ROLAP
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06Q INFORMATION AND COMMUNICATION TECHNOLOGY [ICT] SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES; SYSTEMS OR METHODS SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES, NOT OTHERWISE PROVIDED FOR
    • G06Q20/00 Payment architectures, schemes or protocols
    • G06Q20/38 Payment protocols; Details thereof
    • G06Q20/382 Payment protocols; Details thereof insuring higher security of transaction
    • G06Q20/3829 Payment protocols; Details thereof insuring higher security of transaction involving key management

Definitions

  • This application relates to the field of computer technology, in particular to the forwarding and obtaining of verifiable claims.
  • Decentralized Identifier (DID) is a new type of identifier with global uniqueness, high availability, resolvability, and cryptographic verifiability. Once DID technology is in use, one DID can correspond to multiple verifiable claims (VCs). When the number of VCs becomes large, there is a demand for storage and management of VCs, and the VC data warehouse came into being. The data warehouse can store and manage the user's VCs. In practical applications, users of the data warehouse wish to record the use of VCs in order to perform statistical analysis on it; however, the VC data warehouse does not have this function.
  • The embodiments of the present application provide a method, device and equipment for forwarding and obtaining verifiable claims, so that the verifier of a VC can obtain the VC from the blockchain system.
  • An embodiment of this specification provides a method for forwarding verifiable claims, including: a data warehouse monitors on-chain transaction data containing verifiable claims generated in the target blockchain system; if the decentralized identity contained in the on-chain transaction data is the same as the decentralized identity of a verifier served by the data warehouse, the verifiable claim in the on-chain transaction data is obtained; and the verifiable claim is sent to the verifier's device.
  • An embodiment of this specification provides a method for obtaining a verifiable claim, including: the verifier of a verifiable claim obtains a first verification request sent by the holder of the verifiable claim, the first verification request including at least the identifier of the verifiable claim; sends a second verification request for obtaining the verifiable claim to the data warehouse, the second verification request including the identifier; and obtains the verifiable claim fed back by the data warehouse based on the second verification request, where the verifiable claim was obtained by the data warehouse from the target blockchain system.
  • An embodiment of this specification provides a device for forwarding verifiable claims, applied to a data warehouse, the device including: a monitoring module for monitoring on-chain transaction data containing verifiable claims generated in a target blockchain system; a verifiable claim acquisition module for obtaining the verifiable claim in the on-chain transaction data if the decentralized identity included in the on-chain transaction data is the same as the decentralized identity of a verifier served by the data warehouse; and a verifiable claim sending module for sending the verifiable claim to the device of the verifier.
  • An embodiment of this specification provides a device for obtaining a verifiable claim, applied to the verifier of a verifiable claim, the device including: a first verification request obtaining module for obtaining a first verification request sent by the holder of the verifiable claim, the first verification request including at least the identifier of the verifiable claim; a second verification request sending module configured to send a second verification request for obtaining the verifiable claim to the data warehouse, the second verification request including the identifier; and a verifiable claim obtaining module for obtaining the verifiable claim fed back by the data warehouse based on the second verification request, the verifiable claim having been obtained by the data warehouse from the target blockchain system.
  • An embodiment of this specification provides a verifiable claim forwarding device, which includes at least one processor and a memory communicatively connected with the at least one processor.
  • The memory stores instructions executable by the at least one processor, and the instructions are executed by the at least one processor so that the at least one processor can: monitor on-chain transaction data containing verifiable claims generated in the target blockchain system; if the decentralized identity included in the on-chain transaction data is the same as the decentralized identity of a verifier served by the data warehouse, obtain the verifiable claim in the on-chain transaction data; and send the verifiable claim to the verifier's device.
  • the device for obtaining a verifiable statement includes: at least one processor; and a memory communicatively connected with the at least one processor.
  • The memory stores instructions executable by the at least one processor, and the instructions are executed by the at least one processor so that the at least one processor can: obtain the first verification request sent by the holder of the verifiable claim, the first verification request containing at least the identifier of the verifiable claim; send a second verification request for obtaining the verifiable claim to the data warehouse, the second verification request containing the identifier; and obtain the verifiable claim fed back by the data warehouse based on the second verification request, where the verifiable claim was obtained by the data warehouse from the target blockchain system.
  • The data warehouse obtains the VC to be verified from the blockchain and sends it to the verifier. Since the verifiable claim travels from the holder's device to the verifier's device through the blockchain, its transmission is recorded by the blockchain system and can be traced.
  • The above solutions give specific implementation procedures for how the data warehouse transmits the VC to be verified to the verifier, and for how the verifier obtains the VC to be verified from the data warehouse, which can serve as a standard process for reference.
  • FIG. 1 is a schematic diagram of the application background of the method in the embodiment of the specification.
  • FIG. 2 is a schematic diagram of the architecture of a verifiable claim transmission system provided by an embodiment of this specification
  • FIG. 3 is a schematic flowchart of a method for forwarding verifiable claims according to an embodiment of this specification
  • FIG. 5 is a schematic flowchart of another method for forwarding verifiable claims according to an embodiment of this specification
  • FIG. 6 is a schematic flowchart of a method for obtaining a verifiable statement according to an embodiment of the specification
  • FIG. 7 is a schematic structural diagram of a verifiable claim forwarding device corresponding to FIG. 3 provided by an embodiment of this specification;
  • FIG. 8 is a schematic structural diagram of a device for obtaining a verifiable statement corresponding to FIG. 6 provided by an embodiment of this specification;
  • Fig. 9 is a schematic structural diagram of the forwarding device corresponding to the verifiable claim of Fig. 3 and the obtaining device corresponding to the verifiable claim of Fig. 6 provided by an embodiment of this specification.
  • FIG. 1 is a schematic diagram of the application background of the method in the embodiment of the specification.
  • the client 101 may be a mobile terminal such as a mobile phone, or a device such as a desktop computer.
  • the user's account is logged in on the client, and each account can have a decentralized identification (DID) 102 corresponding to it.
  • DID decentralized identification
  • a DID can correspond to an individual user, or a device, or to a merchant, or to a company, and so on.
  • a verifiable statement can be understood as a statement on whether the identity identified by a DID has a certain qualification.
  • VC can be the data that records this kind of statement.
  • a DID can have multiple verifiable claims 103.
  • This DID can have, for example, VC1 used to prove that user A is over 18 years old, VC2 used to prove that user A's assets exceed 1 million, VC3 used to prove that user A is qualified to drive a motor vehicle, and so on.
  • the data warehouse 104 can be used to store the verifiable statement 103 corresponding to the DID.
  • A data warehouse used to store VCs is referred to as a VC Repo.
  • VC Repo is a logical concept, which can be an application or a program.
  • VC Repo can be deployed on various types of hardware devices.
  • The VC Repo stores VCs; a VC can be stored in a database that the VC Repo has permission to use.
  • Fig. 2 is a schematic diagram of the architecture of a verifiable claim transmission system provided by an embodiment of the specification.
  • the method for sending and obtaining verifiable claims provided in the embodiments of this specification can be run based on the system.
  • 200 is the user terminal (also the device that sends the transmission request for the verifiable claim)
  • 201 is the first data warehouse
  • 202 is the second data warehouse
  • 203 is the database operable by the first data warehouse
  • 204 is the server of the verifier of the verifiable claim.
  • 11 is the first blockchain node
  • 12 is the second blockchain node
  • 13 is the third blockchain node.
  • the blockchain nodes 11, 12, and 13 belong to the first blockchain system.
  • 21 is the fourth blockchain node
  • 22 is the fifth blockchain node
  • 23 is the sixth blockchain node
  • the blockchain nodes 21, 22, and 23 belong to the second blockchain system.
  • 31 is the seventh blockchain node
  • 32 is the eighth blockchain node
  • 33 is the ninth blockchain node
  • the blockchain nodes 31, 32, and 33 belong to the third blockchain system.
  • Figure 2 is only a schematic diagram. In practical applications, more blockchain systems can be connected to the data warehouse, and a blockchain system can have more nodes. It should also be noted that the first data warehouse 201 and the second data warehouse 202 may be physically separate, or in some cases may be located in the same place or even deployed on the same device.
  • One of the two data warehouses is the first data warehouse 201 and the other is the second data warehouse 202.
  • The two data warehouses correspond respectively to the holder and the verifier of the VC.
  • Even then, the VC is still sent from the first data warehouse 201 to the second data warehouse 202 through the blockchain system.
  • One of the functions of the second data warehouse 202 is to send the verifiable claim to the server 204 of the verifier for verification.
  • the device that initially sends the verifiable claim to the first data warehouse may be the device of the holder of the verifiable claim.
  • the device of the holder is logged in with the account of the holder (which may be a DID).
  • the holder needs to send the VC to the verifier's device for verification.
  • the holder is also a user of the first data warehouse, and the VC that needs to be verified can be stored in the first data warehouse in advance.
  • The first data warehouse receives the request and can upload the corresponding VC to a blockchain system, so that the corresponding VC is stored in the blockchain system as on-chain transaction data. After it is uploaded to the blockchain system, the second data warehouse needs to obtain the corresponding VC from the blockchain system and send it to the verifier's device.
  • Fig. 3 is a schematic flowchart of a method for forwarding verifiable claims provided by an embodiment of the specification.
  • the execution subject of a process can be a program or an application client loaded on an application server. Specifically, it may be the second data warehouse in FIG. 2.
  • the method may include the following steps:
  • Step 302 Monitor the on-chain transaction data containing verifiable claims generated in the target blockchain system
  • Step 304 If the decentralized identity included in the on-chain transaction data is the same as the decentralized identity of a verifier served by the data warehouse, obtain the verifiable claim from the on-chain transaction data;
  • Step 306 Send the verifiable statement to the device of the verifier
  • The data warehouse may have an account in the target blockchain system.
  • The data warehouse can obtain data in the blockchain system after logging in through that account.
  • If the data warehouse does not have an account, the data in the blockchain system can be obtained through a third-party platform that has an account. This is not limited in the embodiments of this specification.
  • the data warehouse can monitor part or all of the blockchain systems in all the blockchain systems connected to it.
  • the verifier of the VC has a corresponding DID.
  • the DID can be included in the transaction data on the chain.
  • the verifier of the VC can be the user of the data warehouse.
  • the data warehouse needs to provide services for this user.
  • the data warehouse can monitor the VCs to be verified of all verifiers belonging to its own users.
  • Alternatively, the data warehouse may not monitor the to-be-verified VCs of the verifiers among its own users, but instead obtain all newly generated on-chain transaction data in the target blockchain system, pull it to the local data warehouse, and then analyze whether the VC to be verified contained in the newly generated on-chain transaction data needs to be sent to a user managed by the data warehouse.
  • The monitoring method reduces the amount of on-chain transaction data the data warehouse fetches that does not need to be forwarded, reduces the load on the data warehouse, and improves its efficiency.
  • The verifiable claim may be included in the on-chain transaction data as its subject matter (payload).
  • Monitoring can focus mainly on the information in the authorization list: when the authorization list contains the DID of a user of the data warehouse itself, the complete on-chain transaction data is then fetched.
  • The second data warehouse actively monitors the generation of on-chain transaction data in the blockchain system, actively obtains the on-chain transaction data, reads the VC that forms its subject matter, and then sends the VC to the verifier's device. In a nutshell, this is equivalent to actively pushing the VC to be verified to the verifier's device. On the one hand, this simplifies the operation of the verifier's device, which only needs to interact with the second data warehouse to obtain the VC to be verified and then verify it; on the other hand, since the verifiable claim travels from the holder's device to the verifier's device through the blockchain, its transmission is recorded by the blockchain system and can be traced.
  • The monitoring method for newly generated on-chain transaction data may specifically be: the data warehouse scans the block header data in the blockchain system at set time points.
  • The block header data may include the height of the block containing the newly generated on-chain transaction data and the destination address of that transaction data. When the scanned block height changes, the data warehouse can determine that new on-chain transaction data exists.
  • The destination address in the block header data can be represented by the DID of the verifier, so the data warehouse can determine whether the destination address contains the DID of a verifier it is responsible for managing.
  • If so, step 304 is executed: the on-chain transaction data is pulled from the blockchain system and the verifiable claim is obtained from it.
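The header scan just described, as an added example that is not code from the patent: a data warehouse reads only block headers, notices a height change, and pulls the full transaction body only when the header's authorization list names a verifier DID it serves. The chain layout, the `did:example:` DIDs and the transaction bodies are all constructed for the example; a real deployment would read them through the blockchain node's API.

```python
"""Data-warehouse-side monitoring of on-chain transactions carrying VCs
(steps 302-304): header scan, height-change detection, authorization-list match.
Chain, block layout and DIDs are constructed for this example."""
from dataclasses import dataclass


@dataclass
class BlockHeader:
    height: int
    # Destination of the on-chain transaction, expressed as the DIDs in the
    # transaction's authorization list (the page: "the destination address
    # ... can be represented by the DID of the verifier").
    authorization_list: list


@dataclass
class Block:
    header: BlockHeader
    # Full transaction body (encrypted VC, authorization key, ...). It is
    # only fetched when the header matches a verifier this warehouse serves.
    body: dict


class VCRepoMonitor:
    """Second data warehouse (VC Repo) serving a fixed set of verifier DIDs."""

    def __init__(self, managed_verifier_dids):
        self.managed = set(managed_verifier_dids)
        self.last_height = -1      # highest block height seen at the previous scan
        self.header_scans = 0      # headers read (cheap)
        self.bodies_pulled = 0     # full transaction bodies pulled (expensive)

    def scan(self, chain):
        """One scheduled scan: read new headers (step 302), pull matching bodies (step 304).
        Returns a list of (height, matched_dids, body) for the pulled transactions."""
        pulled = []
        for block in chain:
            if block.header.height <= self.last_height:
                continue           # height unchanged: no new on-chain data
            self.header_scans += 1
            self.last_height = block.header.height
            # Cheap check on the header only: does it target a verifier we serve?
            targets = self.managed.intersection(block.header.authorization_list)
            if not targets:
                continue           # addressed to someone else: do not pull the body
            self.bodies_pulled += 1
            pulled.append((block.header.height, sorted(targets), block.body))
        return pulled


def demo():
    """Constructed chain of four blocks; two are addressed to the managed verifier."""
    chain = [
        Block(BlockHeader(100, ["did:example:verifierB"]),
              {"vc_content_enc": "enc-1", "authorization_key": "wrap-1"}),
        Block(BlockHeader(101, ["did:example:someone-else"]),
              {"vc_content_enc": "enc-2", "authorization_key": "wrap-2"}),
        Block(BlockHeader(102, ["did:example:verifierC", "did:example:verifierB"]),
              {"vc_content_enc": "enc-3", "authorization_key": "wrap-3"}),
        Block(BlockHeader(103, []), {"note": "no VC in this block"}),
    ]
    repo = VCRepoMonitor(["did:example:verifierB"])
    first = repo.scan(chain)   # blocks 100..103 are new; two bodies pulled
    second = repo.scan(chain)  # height unchanged: nothing new, nothing pulled
    return repo, first, second


if __name__ == "__main__":
    repo, first, second = demo()
    print("pulled heights:", [h for h, _, _ in first], "| second scan:", second)
    print("headers read:", repo.header_scans, "bodies pulled:", repo.bodies_pulled)
```

The counters make the page's efficiency argument concrete: four headers are read but only the two bodies addressed to a managed verifier are fetched, and a repeat scan at the same height fetches nothing.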
  • Since the information stored in a VC is usually the user's private information, the following methods can be used to improve the protection of the user's privacy.
  • the obtaining the verifiable statement in the on-chain transaction data may specifically include: obtaining the encrypted verifiable statement from the on-chain transaction data.
  • the sending the verifiable statement to the verifier may specifically include: sending the encrypted verifiable statement to the verifier.
  • The VC in the on-chain transaction data is an encrypted VC, not the original VC. Even though data on the blockchain is open and transparent, a third party that obtains the on-chain transaction data cannot recover the original VC, which improves the protection of user privacy.
  • A symmetric key can be used to encrypt the verifiable claim, and the public key of the verifier can then be used to encrypt the symmetric key.
  • The encrypted symmetric key can be called the authorization key. The authorization key is added to the on-chain transaction data, which is then uploaded to the target blockchain system.
  • Step 304, obtaining the verifiable claim from the on-chain transaction data, may then use the following method: obtain the encrypted verifiable claim from the on-chain transaction data; obtain the authorization key from the on-chain transaction data; use the private key of the verifier to decrypt the authorization key to obtain the symmetric key; and use the symmetric key to decrypt the encrypted verifiable claim to obtain the verifiable claim.
  • Fig. 4 is a schematic diagram of the field structure of the transaction data on the chain provided by the embodiment of the specification. It should be noted that FIG. 4 is only a schematic diagram, and the fields shown in FIG. 4 may be included in the on-chain transaction data, but the position of these fields in the on-chain transaction data is not limited.
  • the first part of the field may be the VC original text (VC Content) encrypted by the Advanced Encryption Standard (AES).
  • a symmetric key can be used to encrypt the original VC.
  • The second part of the field may be the authorization key obtained by using the public key of verifier B to encrypt the above-mentioned symmetric key.
  • The third part of the field can be an authorization list.
  • The authorization list can include the verifier's DID.
  • the identifier contained in the authorization list can be used to indicate the target verifier to which the VC contained in the transaction data on the chain needs to be sent.
  • The data warehouse on the verifier's side can obtain the right to use the verifier's private key. After the data warehouse obtains on-chain transaction data with the same or a similar field structure to that shown in Figure 4, it can first obtain the authorization key in the second part of the field from the on-chain transaction data, then decrypt the authorization key with the verifier's private key to obtain the symmetric key, and then use the symmetric key to decrypt the encrypted VC to obtain the original VC.
  • the decryption process of the VC original text is all executed by the data warehouse, and the verifier device is not required for decryption, which can reduce the burden on the verifier device.
  • the private key of the verifier can also be entrusted to a decentralized identity server that provides a decentralized identity service (DID Service) for use.
  • DID Service decentralized identity service
  • In that case, the data warehouse on the verifier side no longer has the right to use the verifier's private key.
  • The data warehouse can then obtain the original VC from the on-chain transaction data in the following way:
  • the data warehouse obtains the authorization key from the on-chain transaction data and sends it to the decentralized identity server; the decentralized identity server uses the private key of the verifier to decrypt the authorization key to obtain the symmetric key and sends the symmetric key to the data warehouse of the verifier, which uses it to decrypt the encrypted VC.
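The Fig. 4 envelope and both decryption paths (the warehouse holding the right to use the verifier's private key, or delegating the authorization-key decryption to a DID Service), as an added example that is not the patent's code. Because the Python standard library has no AES or RSA, two labelled stand-ins are used: an HMAC-SHA256 counter keystream in place of AES for the VC content, and textbook RSA over two fixed Mersenne primes in place of the verifier's real key pair (insecure, demonstration only). The `did:example:` DIDs, the VC content and the `DIDService` class are constructed here.

```python
"""Fig. 4 field structure: encrypted VC + authorization key + authorization list,
with the two warehouse-side decryption variants. Added example; stand-in
primitives replace AES and the verifier's real key pair."""
import hashlib
import hmac
import json
import secrets


# --- stand-in primitives (NOT for production) -------------------------------

def keystream_xor(key: bytes, data: bytes) -> bytes:
    """Stand-in for AES on the VC content: XOR with an HMAC-SHA256 counter
    keystream. Symmetric, so the same call encrypts and decrypts."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hmac.new(key, (i // 32).to_bytes(8, "big"), hashlib.sha256).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], block))
    return bytes(out)


def toy_rsa_keypair():
    """Stand-in for the verifier's key pair: textbook RSA with the fixed primes
    2^61-1 and 2^89-1. n is about 2^150, enough to wrap a 16-byte symmetric key."""
    p, q = (1 << 61) - 1, (1 << 89) - 1
    n, e = p * q, 65537
    d = pow(e, -1, (p - 1) * (q - 1))
    return (n, e), (n, d)


def wrap_key(public_key, sym_key: bytes) -> int:
    """Encrypt the symmetric key to the verifier's public key -> authorization key."""
    n, e = public_key
    return pow(int.from_bytes(sym_key, "big"), e, n)


def unwrap_key(private_key, authorization_key: int) -> bytes:
    n, d = private_key
    return pow(authorization_key, d, n).to_bytes(16, "big")


# --- holder side: build the on-chain transaction of Fig. 4 ------------------

def build_onchain_tx(vc_content: dict, verifier_did: str, verifier_public_key) -> dict:
    sym_key = secrets.token_bytes(16)
    return {
        # part 1: VC original text encrypted with the symmetric key
        "vc_content_enc": keystream_xor(sym_key, json.dumps(vc_content).encode()).hex(),
        # part 2: authorization key = symmetric key encrypted to the verifier's public key
        "authorization_key": wrap_key(verifier_public_key, sym_key),
        # part 3: authorization list naming the target verifier(s)
        "authorization_list": [verifier_did],
    }


# --- verifier-side data warehouse: step 304 in its two variants -------------

def repo_decrypt_with_own_key(tx: dict, verifier_private_key) -> dict:
    """Variant 1: the warehouse holds the right to use the verifier's private key."""
    sym_key = unwrap_key(verifier_private_key, tx["authorization_key"])
    return json.loads(keystream_xor(sym_key, bytes.fromhex(tx["vc_content_enc"])))


class DIDService:
    """Constructed stand-in for the DID Service that keeps verifiers' private keys."""

    def __init__(self, private_keys_by_did):
        self._keys = private_keys_by_did

    def decrypt_authorization_key(self, verifier_did: str, authorization_key: int) -> bytes:
        # Only the symmetric key leaves the service; the private key never does.
        return unwrap_key(self._keys[verifier_did], authorization_key)


def repo_decrypt_via_did_service(tx: dict, did_service: DIDService) -> dict:
    """Variant 2: the warehouse never sees the private key. It forwards the
    authorization key to the DID Service and receives only the symmetric key."""
    verifier_did = tx["authorization_list"][0]
    sym_key = did_service.decrypt_authorization_key(verifier_did, tx["authorization_key"])
    return json.loads(keystream_xor(sym_key, bytes.fromhex(tx["vc_content_enc"])))


def demo():
    vc = {"id": "vc-1", "subject": "did:example:userA", "claim": "age over 18"}
    pub, priv = toy_rsa_keypair()
    tx = build_onchain_tx(vc, "did:example:verifierB", pub)
    third_party_view = bytes.fromhex(tx["vc_content_enc"])   # what the chain exposes
    via_key = repo_decrypt_with_own_key(tx, priv)
    via_service = repo_decrypt_via_did_service(tx, DIDService({"did:example:verifierB": priv}))
    return vc, via_key, via_service, third_party_view


if __name__ == "__main__":
    vc, a, b, ct = demo()
    print("both variants recover the VC:", a == vc and b == vc)
    print("on-chain bytes reveal the claim:", b"age over 18" in ct)
```

Both variants yield the same VC; the difference is where the verifier's private key lives, which is the point of the DID Service variant: the warehouse handles only the per-transaction symmetric key.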
  • FIG. 5 is a schematic flowchart of another method for forwarding verifiable claims according to an embodiment of the specification.
  • the execution subject of a process can be a program or an application client loaded on an application server. Specifically, it may be the second data warehouse in FIG. 2. As shown in Figure 5, the method may include the following steps:
  • Step 502 Monitor the on-chain transaction data containing verifiable claims generated in the target blockchain system
  • Step 504 If the decentralized identity included in the on-chain transaction data is the same as the decentralized identity of the verifier of the data warehouse service, obtain the verifiable statement in the on-chain transaction data;
  • the aforementioned various methods can be used to obtain the verifiable statement in the transaction data on the chain from the target blockchain system.
  • Step 506 Save the verifiable statement in the database connected to the data warehouse
  • Since the verifier has the right to use the data warehouse, the verifiable claim does not need to be sent to the verifier's device immediately after it is obtained; it can first be stored in the database connected to the data warehouse.
  • When the data warehouse obtains a verification request sent by the verifier's device (a request to obtain the verifiable claim for verification), the verifiable claim is sent to the verifier's device.
  • Step 508 Obtain a verification request sent by the verifier, where the verification request includes at least the identifier of the verifiable claim;
  • the verifier may send the verification request through a device logged in to the verifier's account.
  • The verifier's sending of the verification request may be triggered by a verification request from the holder of the verifiable claim. That is, the holder of the verifiable claim may first send a first verification request to the verifier's device from a device logged in with the holder's account.
  • the first verification request may be used to inform the verifier that the device has a VC to be verified, and wait for the verifier to perform verification.
  • the verifier device may send a second verification request (that is, the verification request in step 508) to the data warehouse.
  • the identifier of the verifiable claim can be expressed as Vcid, which is used to indicate the VC waiting to be verified.
  • Step 510 Find the verifiable statement from the database according to the identifier
  • Step 512 Send the found verifiable statement to the verifier's device.
  • The data warehouse does not need to actively send the verifiable claim to the verifier's device, so the verifier's device does not need an interface for receiving verifiable claims pushed by the data warehouse, which simplifies changes to the verifier's device.
  • the holder device may send multiple VCs waiting to be verified, but the verification order of these VCs to be verified has certain rules. Generally, if a VC fails the verification, it is not necessary to verify the remaining VCs. For example, a certain user wants to visit a certain website. The website requires users to be at least 25 years old, with assets greater than 300,000, and unmarried. These three conditions can correspond to three VCs.
  • the verifier can verify the three VCs in the order of age, assets, and marital status. In this case, using the method shown in Figure 5, the verifier does not need to obtain three VCs for verification at a time, but can obtain the VCs to be verified from the data warehouse one by one in order. Once it is found that a certain VC has not passed the verification, there is no need to obtain another VC. This can further reduce the burden on the verifier.
  • step 508 may further include the following steps after obtaining the verification request sent by the verifier:
  • step 510 is executed to search for the verifiable statement from the database according to the identifier.
  • Fig. 6 is a schematic flowchart of a method for obtaining a verifiable statement provided by an embodiment of the specification.
  • The execution subject of the process can be a program or an application client loaded on an application server. Specifically, it may be a program or application carried on the device of the verifier of the verifiable claim.
  • the method may include the following steps:
  • Step 602 The verifier of the verifiable claim obtains the first verification request sent by the holder of the verifiable claim, and the first verification request includes at least the identifier of the verifiable claim;
  • the verifier of the verifiable claim may refer to the device logged in or used by the verifier.
  • the first verification request is a request for requesting the verifier to verify the verifiable statement.
  • the identifier of the verifiable claim can be expressed as Vcid, which is used to indicate the VC waiting to be verified.
  • Step 604 Send a second verification request for obtaining the verifiable statement to the data warehouse, where the second verification request includes the identifier;
  • Step 606 Obtain the verifiable statement fed back by the data warehouse based on the second verification request
  • The data warehouse can search for the verifiable claim in the database according to the identifier, following the method of Figure 5, and feed the found VC back to the verifier.
  • the verifiable statement is obtained by the data warehouse from the target blockchain system.
  • the method in FIG. 6 corresponds to the method in FIG. 5, and can bring about the same technical effects as the method in FIG. 5, which will not be repeated here.
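The store-and-serve flow of Fig. 5 together with the verifier-side fetch of Fig. 6, as an added example that is not the patent's code: the warehouse keeps the VCs it obtained from the chain keyed by Vcid, checks that the requesting verifier's DID has the right to use the warehouse before any lookup, and the verifier pulls VCs one at a time in policy order and stops at the first failure, so later VCs are never fetched. The `VCRepo` and `Verifier` classes, the `did:example:` DIDs, the Vcids and the three-condition policy (age at least 25, assets over 300,000, unmarried) taken from the page's example are all constructed here.

```python
"""Fig. 5 (steps 506-512) on the data-warehouse side and Fig. 6 (steps 602-606)
on the verifier side. In-memory database, DIDs, Vcids and policy are constructed."""


class VCRepo:
    """Verifier-side data warehouse that holds VCs until a verification request arrives."""

    def __init__(self, authorized_verifier_dids):
        self._db = {}                               # Vcid -> VC (the connected database)
        self._authorized = set(authorized_verifier_dids)

    def store(self, vc: dict):
        """Step 506: save a VC obtained from the chain, keyed by its identifier."""
        self._db[vc["id"]] = vc

    def handle_verification_request(self, request: dict) -> dict:
        """Steps 508-512: the second verification request carries the Vcid and the verifier's DID."""
        vcid = request["vcid"]
        if request.get("verifier_did") not in self._authorized:
            # verifier has no right to use this warehouse: refuse before any lookup
            return {"status": "denied", "vcid": vcid}
        vc = self._db.get(vcid)                     # step 510: search by identifier
        if vc is None:
            return {"status": "not_found", "vcid": vcid}
        return {"status": "ok", "vc": vc}           # step 512: send the found VC


class Verifier:
    """Verifier device: fetches VCs one by one in policy order, stops at the first failure."""

    def __init__(self, did: str, repo: VCRepo, policy):
        self.did, self.repo = did, repo
        self.policy = policy                        # ordered list of (Vcid, predicate)
        self.fetches = 0                            # second verification requests sent

    def verify_holder(self, first_request: dict):
        """Step 602: first_request from the holder lists the Vcids to be verified.
        Returns (outcome, failing_vcid_or_None, number_of_fetches)."""
        offered = set(first_request["vcids"])
        for vcid, predicate in self.policy:
            if vcid not in offered:
                return ("fail", vcid, self.fetches)
            self.fetches += 1                       # step 604: one request per VC
            reply = self.repo.handle_verification_request(
                {"vcid": vcid, "verifier_did": self.did})
            if reply["status"] != "ok" or not predicate(reply["vc"]):  # step 606
                return ("fail", vcid, self.fetches) # remaining VCs are never fetched
        return ("pass", None, self.fetches)


def demo():
    repo = VCRepo(authorized_verifier_dids=["did:example:verifierB"])
    for vc in [   # VCs the warehouse already decrypted from on-chain data (constructed)
        {"id": "vc-age", "subject": "did:example:userA", "claim": {"age": 30}},
        {"id": "vc-assets", "subject": "did:example:userA", "claim": {"assets": 120000}},
        {"id": "vc-marital", "subject": "did:example:userA", "claim": {"married": False}},
    ]:
        repo.store(vc)
    policy = [
        ("vc-age", lambda vc: vc["claim"]["age"] >= 25),
        ("vc-assets", lambda vc: vc["claim"]["assets"] > 300000),
        ("vc-marital", lambda vc: vc["claim"]["married"] is False),
    ]
    verifier = Verifier("did:example:verifierB", repo, policy)
    result = verifier.verify_holder({"vcids": ["vc-age", "vc-assets", "vc-marital"]})
    # a verifier the warehouse does not serve is refused before any database lookup
    stranger = repo.handle_verification_request(
        {"vcid": "vc-age", "verifier_did": "did:example:stranger"})
    return result, stranger


if __name__ == "__main__":
    print(demo())   # assets check fails on the 2nd fetch; 3rd VC never requested
```

The assets claim fails, so the verifier issues two second verification requests rather than three, and the marital-status VC stays in the warehouse; the authorization check sits in front of the lookup so an unrelated verifier learns nothing about which Vcids exist.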
  • FIG. 7 is a schematic structural diagram of a verifiable claim forwarding device corresponding to FIG. 3 provided by an embodiment of this specification.
  • the device can be applied to data warehouses. As shown in Figure 7, the device may include:
  • the monitoring module 701 is used to monitor the on-chain transaction data containing verifiable claims generated in the target blockchain system
  • The verifiable claim obtaining module 702 is configured to obtain the verifiable claim in the on-chain transaction data if the decentralized identity included in the on-chain transaction data is the same as the decentralized identity of a verifier served by the data warehouse.
  • the verifiable statement sending module 703 is configured to send the verifiable statement to the device of the verifier.
  • the data warehouse may have an account in the target blockchain system.
  • the verifiable statement obtaining module 702 may specifically include a first verifiable statement obtaining unit for obtaining encrypted verifiable claims from the transaction data on the chain.
  • the verifiable statement sending module 703 may specifically include a first verifiable statement sending unit for sending the encrypted verifiable statement to the device of the verifier.
  • The verifiable claim obtaining module 702 may specifically include: a second verifiable claim obtaining unit configured to obtain the encrypted verifiable claim from the on-chain transaction data; a first authorization key obtaining unit for obtaining the authorization key from the on-chain transaction data; a first decryption unit for decrypting the authorization key with the private key of the verifier to obtain the symmetric key; and a second decryption unit for decrypting the encrypted verifiable claim with the symmetric key to obtain the verifiable claim.
  • The verifiable claim obtaining module 702 may specifically include: a third verifiable claim obtaining unit configured to obtain the encrypted verifiable claim from the on-chain transaction data; a second authorization key obtaining unit for obtaining the authorization key from the on-chain transaction data; an authorization key sending unit for sending the authorization key to the decentralized identity server; a symmetric key obtaining unit for obtaining the symmetric key that the decentralized identity server produced by decrypting the authorization key; and a third decryption unit configured to decrypt the encrypted verifiable claim with the symmetric key to obtain the verifiable claim.
  • the above-mentioned device may further include: a verifiable statement storage module for storing the verifiable statement in the database connected to the data warehouse after obtaining the verifiable statement in the on-chain transaction data;
  • the verification request obtaining module is configured to obtain a verification request sent by the verifier before sending the verifiable statement to the device of the verifier, and the verification request includes at least the identifier of the verifiable statement.
  • The verifiable claim sending module 703 may specifically include: a verifiable claim searching unit for searching the database for the verifiable claim according to the identifier; and a second verifiable claim sending unit for sending the found verifiable claim to the verifier's device.
  • The device may further include: a decentralized identity acquisition module for acquiring the decentralized identity of the verifier of the verifiable claim after the verification request sent by the verifier is acquired; and a judgment module for judging, according to that decentralized identity, whether the verifier has the right to use the data warehouse.
  • The verifiable claim searching unit may specifically include a verifiable claim searching subunit for searching the database for the verifiable claim only when the verifier has the right to use the data warehouse.
  • FIG. 8 is a schematic structural diagram of a device for obtaining a verifiable statement corresponding to FIG. 6 provided by an embodiment of this specification.
  • the device can be applied to the verifier of the verifiable claim.
  • the device may include:
  • the first verification request obtaining module 801 is configured to obtain a first verification request sent by the holder of the verifiable claim, the first verification request containing at least the identifier of the verifiable claim;
  • the second verification request sending module 802 is configured to send a second verification request for obtaining the verifiable claim to the data warehouse, the second verification request containing the identifier;
  • the verifiable claim obtaining module 803 is configured to obtain the verifiable claim fed back by the data warehouse on the basis of the second verification request, the verifiable claim having been obtained by the data warehouse from the target blockchain system.
  • the second verification request may also include the decentralized identity of the verifier.
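The following is an added example, not code from the patent or from its applicant, simulating the units of the Fig. 7 forwarding device (modules 702/703) together with the verifier-side flow of the Fig. 8 obtaining device (modules 801 to 803): the warehouse takes the encrypted verifiable claim and the authorization key from the on-chain transaction data, asks the decentralized identity server to turn the authorization key back into the symmetric key, decrypts and stores the claim, and later serves it by identifier only to a verifier DID that has the right to use the warehouse. The cipher (a SHA-256 keystream with an HMAC tag, standing in for a real AEAD), the key-wrapping scheme, the rule that the DID server releases a key only to a DID named in the AuthList, the transaction field names and the `did:example:` identifiers are all assumptions of this example.

```python
from __future__ import annotations
import hashlib
import hmac
import json
import os
from dataclasses import dataclass


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """SHA-256 counter-mode keystream for the toy cipher (assumption: stand-in for AES-GCM)."""
    out, counter = b"", 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]


def seal(key: bytes, plaintext: bytes) -> bytes:
    """Toy encrypt-then-MAC. Output layout: 16-byte nonce || ciphertext || 32-byte tag."""
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()


def unseal(key: bytes, blob: bytes) -> bytes:
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("ciphertext failed authentication")
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))


@dataclass
class OnChainTx:
    """The parts of the on-chain transaction data the warehouse reads (field names assumed)."""
    auth_list: list[str]        # DIDs of the verifiers the VC is addressed to (AuthList, Fig. 4)
    encrypted_vc: bytes         # VC encrypted under a per-transaction symmetric key
    authorization_key: bytes    # that symmetric key, wrapped for the DID server


class DidServer:
    """Decentralized identity server stand-in: the only party holding the wrapping key."""

    def __init__(self) -> None:
        self._wrap_key = os.urandom(32)

    def wrap(self, sym_key: bytes) -> bytes:
        return seal(self._wrap_key, sym_key)

    def unwrap(self, authorization_key: bytes, requester_did: str, auth_list: list[str]) -> bytes:
        # Assumption: the key is released only to a DID that the transaction's AuthList names.
        if requester_did not in auth_list:
            raise PermissionError(f"{requester_did} is not in the AuthList")
        return unseal(self._wrap_key, authorization_key)


def holder_publish(server: DidServer, vc: dict, verifier_dids: list[str]) -> OnChainTx:
    """Holder side (first data warehouse): encrypt the VC and wrap its key for the chain."""
    sym_key = os.urandom(32)
    return OnChainTx(auth_list=list(verifier_dids),
                     encrypted_vc=seal(sym_key, json.dumps(vc).encode()),
                     authorization_key=server.wrap(sym_key))


class Warehouse:
    """Second data warehouse serving one verifier DID (modules 702/703 of Fig. 7)."""

    def __init__(self, verifier_did: str, server: DidServer) -> None:
        self.verifier_did = verifier_did
        self.server = server
        self.db: dict[str, dict] = {}        # database the warehouse has the right to use
        self.users = {verifier_did}           # DIDs entitled to use this warehouse

    def ingest(self, tx: OnChainTx) -> dict | None:
        """Step 304: act only when the served verifier's DID is in the AuthList."""
        if self.verifier_did not in tx.auth_list:
            return None
        sym_key = self.server.unwrap(tx.authorization_key, self.verifier_did, tx.auth_list)
        vc = json.loads(unseal(sym_key, tx.encrypted_vc))
        self.db[vc["id"]] = vc
        return vc

    def handle_second_request(self, request: dict) -> dict:
        """Look the VC up by identifier, but only for a verifier DID entitled to use the warehouse."""
        if request["verifier_did"] not in self.users:
            raise PermissionError("verifier has no right to use this data warehouse")
        return self.db[request["vc_id"]]


def verifier_obtain(warehouse: Warehouse, verifier_did: str, first_request: dict) -> dict:
    """Verifier device: turn the holder's first request into the second request (id + DID)."""
    return warehouse.handle_second_request({"vc_id": first_request["vc_id"],
                                            "verifier_did": verifier_did})


def demo() -> dict:
    """Constructed run: one VC addressed to verifier B, warehouses for B and C, one rogue lookup."""
    server = DidServer()
    vc = {"id": "vc-001", "subject": "did:example:alice", "claim": {"ageOver18": True}}
    tx = holder_publish(server, vc, ["did:example:verifier-b"])
    wh_b, wh_c = Warehouse("did:example:verifier-b", server), Warehouse("did:example:verifier-c", server)
    ignored_by_c, stored_by_b = wh_c.ingest(tx) is None, wh_b.ingest(tx)
    obtained = verifier_obtain(wh_b, "did:example:verifier-b", {"vc_id": "vc-001"})
    try:
        wh_b.handle_second_request({"vc_id": "vc-001", "verifier_did": "did:example:mallory"})
        rogue_rejected = False
    except PermissionError:
        rogue_rejected = True
    return {"ignored_by_c": ignored_by_c, "stored_by_b": stored_by_b,
            "obtained": obtained, "rogue_rejected": rogue_rejected}
```

The point of keeping the wrapping key inside `DidServer` is that the warehouse never holds a long-term secret: it can only decrypt a claim the chain has addressed to the verifier it serves, and the lookup by identifier is gated on the requesting DID, so an identifier alone is not enough to pull someone else's claim out of the database.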
  • the embodiment of this specification also provides a device corresponding to the above method.
  • Fig. 9 is a schematic structural diagram of the forwarding device corresponding to the verifiable claim of Fig. 3 and the obtaining device corresponding to the verifiable claim of Fig. 6 provided by an embodiment of this specification.
  • the device 900 may include: at least one processor 910; and a memory 930 communicatively connected with the at least one processor.
  • the memory 930 stores instructions 920 executable by the at least one processor 910, and the instructions are executed by the at least one processor 910 so that the at least one processor 910 can: monitor on-chain transaction data containing verifiable claims generated in the target blockchain system; if the decentralized identity contained in the on-chain transaction data is the same as the decentralized identity of the verifier served by the data warehouse, obtain the verifiable claim from the on-chain transaction data; and send the verifiable claim to the verifier's device.
  • for the obtaining device, the instructions are executed by the at least one processor 910 so that the at least one processor 910 can: obtain a first verification request sent by the holder of the verifiable claim, the first verification request containing at least the identifier of the verifiable claim; send a second verification request for obtaining the verifiable claim to the data warehouse, the second verification request containing the identifier; and obtain the verifiable claim fed back by the data warehouse on the basis of the second verification request, the verifiable claim having been obtained by the data warehouse from the target blockchain system.
  • an improvement of a technology can be clearly distinguished as either a hardware improvement (for example, an improvement to a circuit structure such as diodes, transistors or switches) or a software improvement (an improvement to a method flow).
  • however, many of today's improvements to methods and flows can be regarded as direct improvements of the hardware circuit structure.
  • designers almost always obtain the corresponding hardware circuit structure by programming the improved method flow into a hardware circuit. Therefore it cannot be said that an improvement of a method flow cannot be realized by a hardware entity module.
  • for example, a programmable logic device (PLD), such as a Field Programmable Gate Array (FPGA), is programmed using a Hardware Description Language (HDL). There is not just one HDL but many, for example ABEL (Advanced Boolean Expression Language), AHDL (Altera Hardware Description Language), HDCal, JHDL, Lava, Lola, MyHDL, PALASM, RHDL, VHDL (Very-High-Speed Integrated Circuit Hardware Description Language) and Verilog.
  • the controller can be implemented in any suitable manner. For example, the controller can take the form of a microprocessor or processor together with a computer-readable medium storing computer-readable program code (such as software or firmware) executable by the (micro)processor, or of logic gates, switches, application specific integrated circuits (ASICs), programmable logic controllers or embedded microcontrollers.
  • examples of controllers include, but are not limited to, the following microcontrollers: ARC625D, Atmel AT91SAM, Microchip PIC18F26K20 and Silicon Labs C8051F320. A memory controller can also be implemented as part of the control logic of the memory.
  • in addition to implementing the controller purely as computer-readable program code, it is entirely possible to program the method steps so that the controller realizes the same functions in the form of logic gates, switches, application specific integrated circuits, programmable logic controllers, embedded microcontrollers and the like. Such a controller can therefore be regarded as a hardware component, and the devices included in it for realizing various functions can also be regarded as structures within the hardware component; or even, the devices for realizing various functions can be regarded both as software modules for implementing the method and as structures within the hardware component.
  • a typical implementation device is a computer.
  • the computer may be, for example, a personal computer, a laptop computer, a cellular phone, a camera phone, a smartphone, a personal digital assistant, a media player, a navigation device, an e-mail device, a game console, a tablet computer, a wearable device, or any combination of these devices.
  • the embodiments of the present invention can be provided as a method, a system, or a computer program product. Therefore, the present invention may adopt the form of a complete hardware embodiment, a complete software embodiment, or an embodiment combining software and hardware. Moreover, the present invention may adopt the form of a computer program product implemented on one or more computer-usable storage media (including but not limited to disk storage, CD-ROM, optical storage, etc.) containing computer-usable program codes.
  • these computer program instructions can also be stored in a computer-readable memory that can direct a computer or other programmable data processing equipment to work in a specific manner, so that the instructions stored in the computer-readable memory produce an article of manufacture including an instruction device, and the instruction device implements the functions specified in one or more processes of the flowchart and/or one or more blocks of the block diagram.
  • these computer program instructions can also be loaded onto a computer or other programmable data processing equipment, so that a series of operation steps are executed on the computer or other programmable equipment to produce computer-implemented processing, and the instructions executed on the computer or other programmable equipment thus provide steps for implementing the functions specified in one or more processes of the flowchart and/or one or more blocks of the block diagram.
  • the computing device includes one or more processors (CPUs), input/output interfaces, network interfaces, and memory.
  • the memory may include non-permanent memory in computer readable media, random access memory (RAM) and/or non-volatile memory, such as read-only memory (ROM) or flash memory (flash RAM). Memory is an example of computer readable media.
  • Computer-readable media include permanent and non-permanent, removable and non-removable media, and information storage can be realized by any method or technology.
  • the information can be computer-readable instructions, data structures, program modules, or other data.
  • examples of computer storage media include, but are not limited to, phase change memory (PRAM), static random access memory (SRAM), dynamic random access memory (DRAM), other types of random access memory (RAM), read-only memory (ROM), electrically erasable programmable read-only memory (EEPROM), flash memory or other memory technology, CD-ROM, digital versatile disc (DVD) or other optical storage, magnetic cassettes, magnetic tape, magnetic disk storage or other magnetic storage devices, or any other non-transmission medium that can be used to store information accessible by a computing device. As defined herein, computer-readable media do not include transitory media such as modulated data signals and carrier waves.
  • This application may be described in the general context of computer-executable instructions executed by a computer, such as a program module.
  • program modules include routines, programs, objects, components, data structures, etc. that perform specific tasks or implement specific abstract data types.
  • This application can also be practiced in distributed computing environments. In these distributed computing environments, tasks are performed by remote processing devices connected through a communication network. In a distributed computing environment, program modules can be located in local and remote computer storage media including storage devices.

Landscapes

  • Engineering & Computer Science (AREA)
  • Theoretical Computer Science (AREA)
  • Databases & Information Systems (AREA)
  • Business, Economics & Management (AREA)
  • Accounting & Taxation (AREA)
  • Physics & Mathematics (AREA)
  • General Physics & Mathematics (AREA)
  • Strategic Management (AREA)
  • General Business, Economics & Management (AREA)
  • Finance (AREA)
  • Computer Security & Cryptography (AREA)
  • Data Mining & Analysis (AREA)
  • General Engineering & Computer Science (AREA)
  • Storage Device Security (AREA)

Abstract

Disclosed are a method, apparatus and device for forwarding a verifiable claim, and a method, apparatus and device for acquiring a verifiable claim. The solution comprises: a data warehouse associated with a verification party acquiring a verifiable claim, which is to be verified, from on-chain transaction data in a blockchain system; and then sending said verifiable claim to a device of the verification party.

Description

Forwarding and obtaining of verifiable claims

Technical field

This application relates to the field of computer technology, and in particular to the forwarding and obtaining of verifiable claims.

Background
A Decentralized Identifier (DID) is a new type of identifier that is globally unique, highly available, resolvable and cryptographically verifiable. Once DID technology is in use, one DID can correspond to multiple verifiable claims (VCs). When the number of VCs becomes large, they need to be stored and managed, and the VC data warehouse arose to meet that need: it stores and manages a user's VCs. In practice, users of a data warehouse want the use of their VCs to be recorded so that it can be analysed statistically afterwards, but the VC data warehouse does not provide this.
How to make the use of the VCs in a VC data warehouse traceable has therefore become an important technical problem. The inventor found through research that a blockchain system can be used to transmit VCs, so that the use of a VC can be traced. But once a VC has been uploaded to the blockchain system, how the verifier of the VC obtains it from that system becomes a further technical problem that must be solved.
Summary of the invention

In view of this, the embodiments of this application provide methods, apparatuses and devices for forwarding and obtaining verifiable claims, so that the verifier of a VC can obtain the VC from the blockchain system.
To solve the above technical problems, the embodiments of this specification are implemented as follows:
A method for forwarding a verifiable claim provided by an embodiment of this specification includes: a data warehouse monitors on-chain transaction data containing verifiable claims generated in a target blockchain system; if the decentralized identifier contained in the on-chain transaction data is the same as the decentralized identifier of the verifier served by the data warehouse, the verifiable claim in the on-chain transaction data is obtained; and the verifiable claim is sent to the verifier's device.
A method for obtaining a verifiable claim provided by an embodiment of this specification includes: the verifier of a verifiable claim obtains a first verification request sent by the holder of the verifiable claim, the first verification request containing at least the identifier of the verifiable claim; sends to a data warehouse a second verification request for obtaining the verifiable claim, the second verification request containing the identifier; and obtains the verifiable claim fed back by the data warehouse on the basis of the second verification request, the verifiable claim having been obtained by the data warehouse from a target blockchain system.
An apparatus for forwarding a verifiable claim provided by an embodiment of this specification is applied to a data warehouse and includes: a monitoring module, configured to monitor on-chain transaction data containing verifiable claims generated in a target blockchain system; a verifiable claim obtaining module, configured to obtain the verifiable claim in the on-chain transaction data if the decentralized identifier contained in the on-chain transaction data is the same as the decentralized identifier of the verifier served by the data warehouse; and a verifiable claim sending module, configured to send the verifiable claim to the verifier's device.
An apparatus for obtaining a verifiable claim provided by an embodiment of this specification is applied to the verifier of a verifiable claim and includes: a first verification request obtaining module, configured to obtain a first verification request sent by the holder of the verifiable claim, the first verification request containing at least the identifier of the verifiable claim; a second verification request sending module, configured to send to a data warehouse a second verification request for obtaining the verifiable claim, the second verification request containing the identifier; and a verifiable claim obtaining module, configured to obtain the verifiable claim fed back by the data warehouse on the basis of the second verification request, the verifiable claim having been obtained by the data warehouse from a target blockchain system.
A device for forwarding a verifiable claim provided by an embodiment of this specification includes at least one processor and a memory communicatively connected with the at least one processor. The memory stores instructions executable by the at least one processor, and the instructions are executed by the at least one processor so that the at least one processor can: monitor on-chain transaction data containing verifiable claims generated in a target blockchain system; if the decentralized identifier contained in the on-chain transaction data is the same as the decentralized identifier of the verifier served by the data warehouse, obtain the verifiable claim in the on-chain transaction data; and send the verifiable claim to the verifier's device.
A device for obtaining a verifiable claim provided by an embodiment of this specification includes at least one processor and a memory communicatively connected with the at least one processor. The memory stores instructions executable by the at least one processor, and the instructions are executed by the at least one processor so that the at least one processor can: obtain a first verification request sent by the holder of the verifiable claim, the first verification request containing at least the identifier of the verifiable claim; send to a data warehouse a second verification request for obtaining the verifiable claim, the second verification request containing the identifier; and obtain the verifiable claim fed back by the data warehouse on the basis of the second verification request, the verifiable claim having been obtained by the data warehouse from a target blockchain system.
On the one hand, the data warehouse obtains the VC to be verified from the blockchain and then sends it to the verifier. Because the verifiable claim travels from the holder's device to the verifier's device through the blockchain, its transmission is recorded by the blockchain system and can be traced.
On the other hand, the above solution gives a concrete procedure both for how the data warehouse transmits the VC to be verified to the verifier and for how the verifier obtains the VC to be verified from the data warehouse, which can be used as a standard procedure for reference.
Description of the drawings

The drawings described here provide a further understanding of this application and form a part of it. The exemplary embodiments of this application and their description are used to explain the application and do not constitute an improper limitation of it. In the drawings:
Fig. 1 is a schematic diagram of the application background of the method in the embodiments of this specification;
Fig. 2 is a schematic diagram of the architecture of a verifiable claim transmission system provided by an embodiment of this specification;
Fig. 3 is a schematic flowchart of a method for forwarding a verifiable claim provided by an embodiment of this specification;
Fig. 4 is a schematic diagram of the field structure of the on-chain transaction data provided by an embodiment of this specification;
Fig. 5 is a schematic flowchart of another method for forwarding a verifiable claim provided by an embodiment of this specification;
Fig. 6 is a schematic flowchart of a method for obtaining a verifiable claim provided by an embodiment of this specification;
Fig. 7 is a schematic structural diagram of an apparatus for forwarding a verifiable claim, corresponding to Fig. 3, provided by an embodiment of this specification;
Fig. 8 is a schematic structural diagram of an apparatus for obtaining a verifiable claim, corresponding to Fig. 6, provided by an embodiment of this specification;
Fig. 9 is a schematic structural diagram of the forwarding device corresponding to Fig. 3 and of the obtaining device corresponding to Fig. 6, provided by an embodiment of this specification.
Detailed description

In order to make the objectives, technical solutions and advantages of this application clearer, the technical solutions of this application are described clearly and completely below in conjunction with specific embodiments of this application and the corresponding drawings. Obviously, the described embodiments are only some of the embodiments of this application, not all of them. All other embodiments obtained by a person of ordinary skill in the art on the basis of the embodiments of this application without creative work fall within the protection scope of this application.
The technical solutions provided by the embodiments of this application are described in detail below with reference to the drawings.
Fig. 1 is a schematic diagram of the application background of the method in the embodiments of this specification. As shown in Fig. 1, the client 101 may be a mobile terminal such as a mobile phone, or a device such as a desktop computer. A user's account is logged in on the client, and each account can have a corresponding decentralized identifier (DID) 102. In practice, a DID can correspond to an individual user, a device, a merchant, a company, and so on.
A verifiable claim (VC) can be understood as a claim about whether the identity identified by a DID has a certain qualification. At the data level, a VC can be the data that records such a claim.
A DID can have multiple verifiable claims 103. For example, for a DID used by user A, the DID can have VC1 proving that user A is at least 18 years old, VC2 proving that user A's assets exceed 1 million, VC3 proving that user A is qualified to drive a motor vehicle, and so on. In practice, user A, that is, one DID, may have many (n) VCs. Such a large number of VCs needs unified storage and management, so a data warehouse 104 can be used to store the verifiable claims 103 corresponding to the DID.
A data warehouse used to store VCs is called a VC Repo for short. It should be noted that a VC Repo is a logical concept; concretely it can be an application or a piece of program code. A VC Repo can be deployed on various types of hardware device. When storing a VC, a VC Repo can store it in a database that the VC Repo has the right to use.
Fig. 2 is a schematic diagram of the architecture of a verifiable claim transmission system provided by an embodiment of this specification. The methods for sending and obtaining verifiable claims provided by the embodiments of this specification can run on this system. As shown in Fig. 2, 200 is the user terminal (also the device that sends the transmission request for the verifiable claim), 201 is the first data warehouse, 202 is the second data warehouse, 203 is a database that the first data warehouse can operate, and 204 is the server of the verifier of the verifiable claim. 11, 12 and 13 are the first, second and third blockchain nodes, which belong to the first blockchain system; 21, 22 and 23 are the fourth, fifth and sixth blockchain nodes, which belong to the second blockchain system; 31, 32 and 33 are the seventh, eighth and ninth blockchain nodes, which belong to the third blockchain system. It should be noted that Fig. 2 is only a schematic diagram: in practice a data warehouse can be connected to more blockchain systems, and a blockchain system can have more nodes.
It should also be noted that in some cases the first data warehouse 201 and the second data warehouse 202 may physically be located in the same place, or even deployed on the same device. From the point of view of software function, however, they can still be divided into two functional modules, one being the first data warehouse 201 and the other the second data warehouse 202, corresponding respectively to the holder and the verifier of the VC. When a VC needs to be transmitted from the first data warehouse 201 to the second data warehouse 202, the VC is still sent by the first data warehouse 201 to the second data warehouse 202 through the blockchain system.
In the embodiments of this specification, one purpose of transmitting the verifiable claim is to send it to the verifier's server 204 for verification. The device that initially sends the verifiable claim to the first data warehouse can be the device of the holder of the verifiable claim; the holder's device is logged in with the holder's account (which can be a DID). The holder needs to send the VC to the verifier's device for verification. The holder is also a user of the first data warehouse, and the VC to be verified can be stored in the first data warehouse in advance. When the holder initiates a request to send the VC to the verifier for verification, the first data warehouse receives the request and can upload the corresponding VC to a blockchain system, where the VC is stored in on-chain transaction data. After the upload, the second data warehouse needs to obtain the corresponding VC from that blockchain system and send it to the verifier's device.
Fig. 3 is a schematic flowchart of a method for forwarding a verifiable claim provided by an embodiment of this specification. From the program's point of view, the entity executing the flow can be a program or application client hosted on an application server; specifically, it can be the second data warehouse in Fig. 2. As shown in Fig. 3, the method can include the following steps:
Step 302: monitor on-chain transaction data containing verifiable claims generated in the target blockchain system;
Step 304: if the decentralized identifier contained in the on-chain transaction data is the same as the decentralized identifier of the verifier served by the data warehouse, obtain the verifiable claim in the on-chain transaction data;
Step 306: send the verifiable claim to the verifier's device.
The data warehouse may have an account in the target blockchain system; after logging in to the blockchain system with that account, it can obtain data from the blockchain system. Alternatively, the data warehouse has no account of its own and obtains the data in the blockchain system through a third-party platform that has one. The embodiments of this specification do not limit this.
In step 302, the data warehouse can monitor some or all of the blockchain systems it is connected to. The verifier of the VC has a corresponding DID, and that DID can be contained in the on-chain transaction data. The verifier of the VC can be a user of the data warehouse, and the data warehouse needs to provide service for that user. The data warehouse can monitor for the VCs to be verified of all the verifiers that are its users. Alternatively, instead of monitoring, the data warehouse can fetch all newly generated on-chain transaction data in the target blockchain system, and after fetching it locally analyse whether the VC to be verified contained in that newly generated on-chain transaction data needs to be sent to a user managed by the data warehouse. Compared with the second approach, monitoring reduces the amount of on-chain transaction data the data warehouse fetches that does not need forwarding, which reduces the load on the data warehouse and improves its efficiency. The verifiable claim can be contained in the on-chain transaction data as the subject matter of the transaction.
The on-chain transaction data can also carry an authorization list (see AuthList in Fig. 4) to which identifiers such as the verifier's DID are added, indicating which verifier the VC contained in the on-chain transaction data is to be verified by. When monitoring, the data warehouse can mainly watch the information in the authorization list, and fetch the complete on-chain transaction data only when the authorization list is found to contain the DID of one of the data warehouse's own users.
In the above steps, the second data warehouse actively monitors the generation of on-chain transaction data in the blockchain system. When it observes on-chain transaction data containing the DID of a verifier it is responsible for, the second data warehouse actively fetches the transaction data, reads the VC carried as its subject matter, and sends the VC to the verifier's device. In short, this amounts to a method of actively pushing the to-be-verified VC to the verifier's device. On the one hand, this simplifies the operation of the verifier's device: it only needs to interact with the second data warehouse to obtain the to-be-verified VC and then verify it. On the other hand, because the verifiable claim travels from the holder's device to the verifier's device through the blockchain, its transmission is recorded by the blockchain system and can be traced.
In practice, in step 302, the newly generated on-chain transaction data in the blockchain system may specifically be monitored as follows: at set time points, the data warehouse scans the block header data in the blockchain system. The block header data may contain the height of the block holding the newly generated on-chain transaction data and the destination address of that transaction data. When the scanned block height changes, the data warehouse can determine that new on-chain transaction data has been produced. The destination address in the block header data may be represented by the verifier's DID. The data warehouse checks whether the destination address contains the DID of a verifier it is responsible for managing; if it does, the data warehouse performs step 304, pulling the on-chain transaction data from the blockchain system and obtaining the verifiable claim from it.
In practice, because the information stored in a VC is usually the user's private information, the following approach may be used to strengthen the protection of user privacy.
Obtaining the verifiable claim from the on-chain transaction data may specifically include: obtaining the encrypted verifiable claim from the on-chain transaction data. Sending the verifiable claim to the verifier may specifically include: sending the encrypted verifiable claim to the verifier.
In this approach, the VC in the on-chain transaction data is an encrypted VC rather than the VC plaintext. Even though data on the blockchain is open and transparent, a third party that obtains the on-chain transaction data cannot recover the VC plaintext, which raises the level of privacy protection for the user.
In practice, to raise the level of privacy protection for the VC further, the verifiable claim may first be encrypted with a symmetric key, and that symmetric key then encrypted with the verifier's public key; the encrypted symmetric key may be called the authorization key. The authorization key is added to the on-chain transaction data, and the on-chain transaction data is then uploaded to the target blockchain system.
Correspondingly, once the verifiable claim has been encrypted in this way, step 304 (obtaining the verifiable claim from the on-chain transaction data) may specifically be carried out as follows: obtain the encrypted verifiable claim from the on-chain transaction data; obtain the authorization key from the on-chain transaction data; decrypt the authorization key with the verifier's private key to obtain the symmetric key; decrypt the encrypted verifiable claim with the symmetric key to obtain the verifiable claim.
Figure 4 is a schematic diagram of the field structure of the on-chain transaction data provided by an embodiment of this specification. Note that Figure 4 is only schematic: the fields shown in it may be included in the on-chain transaction data, but their positions within the transaction data are not limited. As shown in Figure 4, the first field may hold the VC plaintext (VC Content) encrypted with the Advanced Encryption Standard (AES); a symmetric key may be used to encrypt the VC plaintext. The second field may hold the authorization key obtained by encrypting that symmetric key with the public key of verifier B. The third field may be the authorization list, which may contain the verifier's DID. The identifiers contained in the authorization list may indicate the target verifier to which the VC contained in the on-chain transaction data needs to be sent.
The data warehouse on the verifier's side may be granted the right to use the verifier's private key. After obtaining on-chain transaction data whose field structure is the same as or similar to that shown in Figure 4, it may first take the authorization key from the second field and decrypt it with the verifier's private key. Decryption yields the symmetric key, and decrypting the encrypted VC with that symmetric key yields the VC plaintext.
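As an added example (not code from the patent or its assignee), the three-field envelope of Figure 4 and the verifier-side data warehouse's handling of it, written in Go with the standard library: AES-GCM encrypts the VC content, RSA-OAEP wraps the symmetric key into the authorization key, the warehouse fetches only transactions whose AuthList names a DID it serves (step 302), and it unwraps and decrypts only when it holds that verifier's private key (step 304). The specification names AES but fixes neither a mode nor a public-key scheme, so GCM, RSA-OAEP, the OAEP label, the binding of AuthList as associated data, the struct and function names and the `did:example:` values are all assumptions of this example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"io"
	"strings"
)

// OnChainTx mirrors the three fields of Figure 4 (Go field names are this example's own).
type OnChainTx struct {
	EncryptedVC []byte   // field 1: VC plaintext encrypted with AES (GCM mode, nonce prepended)
	AuthKey     []byte   // field 2: the symmetric key wrapped with the verifier's public key
	AuthList    []string // field 3: DIDs of the verifier(s) the VC is intended for
}

// This example's additions: an OAEP label that ties the wrapped key to its purpose, and
// AuthList as GCM associated data so a rewritten recipient list no longer decrypts.
var oaepLabel = []byte("vc-authorization-key")

func aad(authList []string) []byte { return []byte(strings.Join(authList, ",")) }

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// NewVerifierKey generates a verifier key pair (2048-bit RSA, this example's choice).
func NewVerifierKey() (*rsa.PrivateKey, error) { return rsa.GenerateKey(rand.Reader, 2048) }

// SealVC is the holder side: a fresh symmetric key encrypts the VC, the verifier's public
// key wraps that key into the authorization key, and the verifier's DID goes into AuthList.
func SealVC(vc []byte, verifierPub *rsa.PublicKey, verifierDID string) (*OnChainTx, error) {
	buf := make([]byte, 32+12) // 256-bit AES key followed by a 96-bit GCM nonce
	if _, err := io.ReadFull(rand.Reader, buf); err != nil {
		return nil, err
	}
	symKey, nonce := buf[:32], buf[32:]
	gcm, err := newGCM(symKey)
	if err != nil {
		return nil, err
	}
	authList := []string{verifierDID}
	ct := gcm.Seal(nonce, nonce, vc, aad(authList)) // output = nonce || ciphertext || tag
	authKey, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, verifierPub, symKey, oaepLabel)
	if err != nil {
		return nil, err
	}
	return &OnChainTx{EncryptedVC: ct, AuthKey: authKey, AuthList: authList}, nil
}

// Warehouse is the verifier-side data warehouse that has been granted use of the verifier's private key.
type Warehouse struct {
	Keys map[string]*rsa.PrivateKey // DID of a served verifier -> that verifier's private key
}

func NewWarehouse(did string, key *rsa.PrivateKey) *Warehouse {
	return &Warehouse{Keys: map[string]*rsa.PrivateKey{did: key}}
}
var ErrNotForUs = errors.New("AuthList names no verifier served by this warehouse")

// Filter is the step 302 check: fetch in full only a transaction whose AuthList names a served DID.
func (w *Warehouse) Filter(tx *OnChainTx) (string, error) {
	for _, did := range tx.AuthList {
		if _, ok := w.Keys[did]; ok {
			return did, nil
		}
	}
	return "", ErrNotForUs
}

// OpenVC is step 304: unwrap the authorization key with the verifier's private key, then
// decrypt the encrypted VC with the recovered symmetric key.
func (w *Warehouse) OpenVC(tx *OnChainTx) ([]byte, error) {
	did, err := w.Filter(tx)
	if err != nil {
		return nil, err
	}
	symKey, err := rsa.DecryptOAEP(sha256.New(), nil, w.Keys[did], tx.AuthKey, oaepLabel)
	if err != nil {
		return nil, err
	}
	gcm, err := newGCM(symKey)
	if err != nil {
		return nil, err
	}
	ns := gcm.NonceSize()
	if len(tx.EncryptedVC) < ns {
		return nil, errors.New("encrypted VC shorter than a nonce")
	}
	return gcm.Open(nil, tx.EncryptedVC[:ns], tx.EncryptedVC[ns:], aad(tx.AuthList))
}
```

A warehouse that serves a different DID gets ErrNotForUs from Filter without ever touching the ciphertext, and a transaction whose AuthList was altered after sealing fails the GCM tag check.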
In this approach, the whole decryption of the VC plaintext is carried out by the data warehouse; the verifier's device does not need to decrypt anything, which lightens its burden.
In practice, the verifier's private key may instead be entrusted to a decentralized identity server that provides a decentralized identity service (DID Service). In that case, the data warehouse on the verifier's side no longer has the right to use the verifier's private key, and it may obtain the VC plaintext from the on-chain transaction data as follows:
obtain the encrypted verifiable claim from the on-chain transaction data;
obtain the authorization key from the on-chain transaction data;
send the authorization key to the decentralized identity server;
obtain the symmetric key that the decentralized identity server derives by decrypting the authorization key;
decrypt the encrypted verifiable claim with the symmetric key to obtain the verifiable claim.
In this approach, after the authorization key is sent to the decentralized identity server, the server may decrypt the authorization key with the verifier's private key to obtain the symmetric key, and then send the symmetric key to the verifier's data warehouse.
Figure 5 is a schematic flowchart of another method for forwarding a verifiable claim provided by an embodiment of this specification. From a program perspective, the process may be executed by a program or application client hosted on an application server; specifically, it may be the second data warehouse in Figure 2. As shown in Figure 5, the method may include the following steps:
Step 502: monitor on-chain transaction data containing a verifiable claim generated in the target blockchain system;
Step 504: if the decentralized identifier contained in the on-chain transaction data is the same as the decentralized identifier of the verifier served by the data warehouse, obtain the verifiable claim from the on-chain transaction data;
Specifically, any of the approaches described above may be used to obtain the verifiable claim in the on-chain transaction data from the target blockchain system.
Step 506: save the verifiable claim in the database connected to the data warehouse;
In the method shown in Figure 5, after the data warehouse that the verifier is authorized to use obtains the verifiable claim, it need not send it to the verifier's device immediately; it may first store the verifiable claim in the database connected to the data warehouse. Only after the data warehouse receives a verification request from the verifier's device (a request to obtain the verifiable claim for verification) does it send the verifiable claim to the verifier's device.
Step 508: obtain a verification request sent by the verifier, the verification request containing at least the identifier of the verifiable claim;
The verifier may send the verification request through a device logged in to the verifier's account. Before sending it, the verifier may be triggered by a verification request sent by the holder of the verifiable claim. That is, the holder of the verifiable claim may first send a first verification request to the verifier's device through a device logged in to the holder's account. The first verification request may inform the verifier's device that there is a VC awaiting verification by the verifier. After receiving the first verification request, the verifier's device may send a second verification request (the verification request of step 508) to the data warehouse.
The identifier of the verifiable claim may be expressed as Vcid and indicates the VC awaiting verification.
Step 510: look up the verifiable claim in the database according to the identifier;
Step 512: send the verifiable claim found to the verifier's device.
In the method shown in Figure 5, the data warehouse does not need to actively send the verifiable claim to the verifier's device, so the verifier's device need not implement an interface for receiving verifiable claims sent by the data warehouse, which simplifies the changes required on the verifier's device. Moreover, in some scenarios the holder's device may send several VCs awaiting verification, and these VCs are to be verified in a particular order. Typically, if one VC fails verification, the remaining VCs need not be verified. For example, a user wishes to visit a website that requires visitors to be at least 25 years old, to have assets above 300,000, and to be unmarried. These three conditions may correspond to three VCs. The visiting user may upload the three VCs (age, assets and marital status) all at once, but the verifier may verify them in order: age first, then assets, then marital status. In this case, with the method of Figure 5, the verifier need not obtain all three VCs at once; it can obtain the VCs awaiting verification from the data warehouse one by one in that order, and once a VC fails verification it need not obtain the others. This further reduces the burden on the verifier.
In practice, to ensure that the verifier sending the verification request is a user of the data warehouse and has the right to use it, the following steps may be added after step 508 (obtaining the verification request sent by the verifier):
obtain the decentralized identifier of the verifier of the verifiable claim;
determine, according to the decentralized identifier, whether the verifier has the right to use the data warehouse;
if the verifier has the right to use the data warehouse, perform step 510, looking up the verifiable claim in the database according to the identifier.
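As an added example (not code from the patent or its assignee), the store-and-serve flow of Figure 5 with the permission check just described, written in Go: the warehouse keeps the VCs it has obtained keyed by Vcid (step 506), rejects a verification request whose DID is not a user of the warehouse before any lookup (the check after step 508), and the verifier pulls the three VCs of the website example one at a time in policy order, stopping at the first failure. Struct and function names, the `did:example:` values and the "key=value" claim format are assumptions of this example, as are two hardening choices noted in the comments.

```go
package main

import (
	"errors"
	"fmt"
	"strconv"
	"strings"
)

// StoredVC is a verifiable claim kept in the warehouse's database after step 506.
// Field names and the "key=value" claim format are this example's own.
type StoredVC struct {
	Vcid        string
	VerifierDID string // the verifier this VC was addressed to (from the transaction's AuthList)
	Claim       string // e.g. "age=27"
}

// VerificationRequest is the second verification request of step 508: the Vcid, plus the
// verifier's DID, which the description says the request may also carry.
type VerificationRequest struct {
	VerifierDID string
	Vcid        string
}

var ErrNoPermission = errors.New("requester has no right to use this data warehouse")
var ErrNotFound = errors.New("no verifiable claim available for that Vcid")

// Store stands in for the database connected to the data warehouse.
type Store struct {
	users map[string]bool     // DIDs of the verifiers entitled to use the warehouse
	vcs   map[string]StoredVC // Vcid -> stored claim
}

func NewStore(verifierDIDs ...string) *Store {
	s := &Store{users: map[string]bool{}, vcs: map[string]StoredVC{}}
	for _, d := range verifierDIDs {
		s.users[d] = true
	}
	return s
}

// Save is step 506: keep the claim until the verifier asks for it.
func (s *Store) Save(vc StoredVC) { s.vcs[vc.Vcid] = vc }

// Serve is steps 508 to 512 with the permission check placed before the lookup.
// Two hardening choices of this example: the stored VC must have been addressed to the
// requesting verifier, and "absent" and "addressed to someone else" get the same answer.
func (s *Store) Serve(req VerificationRequest) (StoredVC, error) {
	if !s.users[req.VerifierDID] {
		return StoredVC{}, ErrNoPermission
	}
	vc, ok := s.vcs[req.Vcid]
	if !ok || vc.VerifierDID != req.VerifierDID {
		return StoredVC{}, ErrNotFound
	}
	return vc, nil
}

// Check is one condition of the verifier's policy, bound to the Vcid that proves it.
type Check struct {
	Vcid   string
	Accept func(claim string) bool
}

// claimInt reads the integer value of a "key=value" claim; ok is false if it is malformed.
func claimInt(claim, key string) (int, bool) {
	if !strings.HasPrefix(claim, key+"=") {
		return 0, false
	}
	n, err := strconv.Atoi(strings.TrimPrefix(claim, key+"="))
	return n, err == nil
}

// WebsitePolicy is the example from the description: at least 25 years old, assets above
// 300,000, unmarried, checked in that order.
func WebsitePolicy() []Check {
	return []Check{
		{"vc-age", func(c string) bool { n, ok := claimInt(c, "age"); return ok && n >= 25 }},
		{"vc-assets", func(c string) bool { n, ok := claimInt(c, "assets"); return ok && n > 300000 }},
		{"vc-marital", func(c string) bool { return c == "marital=unmarried" }},
	}
}

// VerifyInOrder pulls the VCs from the warehouse one at a time in policy order and stops at
// the first that is unavailable or fails, so later VCs are never fetched. Returns the count passed.
func VerifyInOrder(s *Store, verifierDID string, policy []Check) (int, error) {
	passed := 0
	for _, c := range policy {
		vc, err := s.Serve(VerificationRequest{VerifierDID: verifierDID, Vcid: c.Vcid})
		if err != nil {
			return passed, fmt.Errorf("%s: %w", c.Vcid, err)
		}
		if !c.Accept(vc.Claim) {
			return passed, fmt.Errorf("%s failed verification", c.Vcid)
		}
		passed++
	}
	return passed, nil
}
```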
Figure 6 is a schematic flowchart of a method for obtaining a verifiable claim provided by an embodiment of this specification. From a program perspective, the process may be executed by a program or application client hosted on an application server; specifically, it may be a program or application running on the device of the verifier of the verifiable claim. As shown in Figure 6, the method may include the following steps:
Step 602: the verifier of a verifiable claim obtains a first verification request sent by the holder of the verifiable claim, the first verification request containing at least the identifier of the verifiable claim;
Note that, from a hardware perspective, the verifier of the verifiable claim in this step may refer to the device the verifier has logged in to or is using. The first verification request is a request asking the verifier to verify the verifiable claim.
The identifier of the verifiable claim may be expressed as Vcid and indicates the VC awaiting verification.
Step 604: send the data warehouse a second verification request for obtaining the verifiable claim, the second verification request containing the identifier;
Step 606: obtain the verifiable claim returned by the data warehouse in response to the second verification request;
After receiving the request, the data warehouse may, following the method of Figure 5, look up the verifiable claim in the database according to the identifier and return the VC found to the verifier.
The verifiable claim is one that the data warehouse obtained from the target blockchain system.
The method of Figure 6 corresponds to that of Figure 5 and achieves the same technical effects, which are not repeated here.
Based on the same idea, the embodiments of this specification also provide apparatus corresponding to the above methods. Figure 7 is a schematic structural diagram of a verifiable-claim forwarding apparatus corresponding to Figure 3, provided by an embodiment of this specification. The apparatus may be applied to a data warehouse. As shown in Figure 7, the apparatus may include:
a monitoring module 701, for monitoring on-chain transaction data containing a verifiable claim generated in the target blockchain system;
a verifiable claim obtaining module 702, for obtaining the verifiable claim from the on-chain transaction data if the decentralized identifier contained in the on-chain transaction data is the same as the decentralized identifier of the verifier served by the data warehouse;
a verifiable claim sending module 703, for sending the verifiable claim to the verifier's device.
The data warehouse may have an account in the target blockchain system.
In practice, the verifiable claim obtaining module 702 may specifically include a first verifiable claim obtaining unit, for obtaining the encrypted verifiable claim from the on-chain transaction data.
The verifiable claim sending module 703 may specifically include a first verifiable claim sending unit, for sending the encrypted verifiable claim to the verifier's device.
In practice, the verifiable claim obtaining module 702 may specifically include: a second verifiable claim obtaining unit, for obtaining the encrypted verifiable claim from the on-chain transaction data; a first authorization key obtaining unit, for obtaining the authorization key from the on-chain transaction data; a first decryption unit, for decrypting the authorization key with the verifier's private key to obtain the symmetric key; and a second decryption unit, for decrypting the encrypted verifiable claim with the symmetric key to obtain the verifiable claim.
In practice, the verifiable claim obtaining module 702 may specifically include: a third verifiable claim obtaining unit, for obtaining the encrypted verifiable claim from the on-chain transaction data; a second authorization key obtaining unit, for obtaining the authorization key from the on-chain transaction data; an authorization key sending unit, for sending the authorization key to the decentralized identity server; a symmetric key obtaining unit, for obtaining the symmetric key that the decentralized identity server derives by decrypting the authorization key; and a third decryption unit, for decrypting the encrypted verifiable claim with the symmetric key to obtain the verifiable claim.
In practice, the apparatus may further include: a verifiable claim storage module, for saving the verifiable claim in the database connected to the data warehouse after it has been obtained from the on-chain transaction data; and a verification request obtaining module, for obtaining, before the verifiable claim is sent to the verifier's device, a verification request sent by the verifier, the verification request containing at least the identifier of the verifiable claim. The verifiable claim sending module 703 may specifically include: a verifiable claim lookup unit, for looking up the verifiable claim in the database according to the identifier; and a second verifiable claim sending unit, for sending the verifiable claim found to the verifier's device.
In practice, the apparatus may further include: a decentralized identifier obtaining module, for obtaining the decentralized identifier of the verifier of the verifiable claim after the verification request sent by the verifier has been obtained; and a judgment module, for determining, according to the decentralized identifier, whether the verifier has the right to use the data warehouse. The verifiable claim lookup unit may specifically include a verifiable claim lookup subunit, for looking up the verifiable claim in the database according to the identifier when the verifier has the right to use the data warehouse.
Figure 8 is a schematic structural diagram of a verifiable-claim obtaining apparatus corresponding to Figure 6, provided by an embodiment of this specification. The apparatus may be applied to the verifier of a verifiable claim. As shown in Figure 8, the apparatus may include:
a first verification request obtaining module 801, for obtaining the first verification request sent by the holder of the verifiable claim, the first verification request containing at least the identifier of the verifiable claim;
a second verification request sending module 802, for sending the data warehouse a second verification request for obtaining the verifiable claim, the second verification request containing the identifier;
a verifiable claim obtaining module 803, for obtaining the verifiable claim returned by the data warehouse in response to the second verification request, the verifiable claim having been obtained by the data warehouse from the target blockchain system.
In practice, the second verification request may also include the verifier's decentralized identifier.
Based on the same idea, the embodiments of this specification also provide devices corresponding to the above methods.
Figure 9 is a schematic structural diagram of the verifiable-claim forwarding device corresponding to Figure 3 and the verifiable-claim obtaining device corresponding to Figure 6, provided by an embodiment of this specification. As shown in Figure 9, the device 900 may include at least one processor 910 and a memory 930 communicatively connected to the at least one processor.
The memory 930 stores instructions 920 executable by the at least one processor 910, and the instructions are executed by the at least one processor 910 so that it can: monitor on-chain transaction data containing a verifiable claim generated in the target blockchain system; if the decentralized identifier contained in the on-chain transaction data is the same as the decentralized identifier of the verifier served by the data warehouse, obtain the verifiable claim from the on-chain transaction data; and send the verifiable claim to the verifier's device.
Alternatively, the instructions are executed by the at least one processor 910 so that it can: obtain a first verification request sent by the holder of the verifiable claim, the first verification request containing at least the identifier of the verifiable claim; send the data warehouse a second verification request for obtaining the verifiable claim, the second verification request containing the identifier; and obtain the verifiable claim returned by the data warehouse in response to the second verification request, the verifiable claim having been obtained by the data warehouse from the target blockchain system.
In the 1990s, an improvement to a technology could clearly be distinguished as either a hardware improvement (for example, to circuit structures such as diodes, transistors or switches) or a software improvement (an improvement to a method flow). With the development of technology, however, many of today's improvements to method flows can already be regarded as direct improvements to hardware circuit structures. Designers almost always obtain the corresponding hardware circuit structure by programming the improved method flow into a hardware circuit, so it cannot be said that an improvement to a method flow cannot be realized by a hardware entity module. For example, a programmable logic device (PLD), such as a field programmable gate array (FPGA), is an integrated circuit whose logic function is determined by the user's programming of the device. Designers do the programming themselves to "integrate" a digital system onto a PLD, without asking a chip manufacturer to design and produce a dedicated integrated circuit chip. Moreover, instead of making integrated circuit chips by hand, this programming is now mostly done with "logic compiler" software, which is similar to the software compiler used in program development; the source code to be compiled must likewise be written in a specific programming language, called a hardware description language (HDL). There is not just one HDL but many, such as ABEL (Advanced Boolean Expression Language), AHDL (Altera Hardware Description Language), Confluence, CUPL (Cornell University Programming Language), HDCal, JHDL (Java Hardware Description Language), Lava, Lola, MyHDL, PALASM and RHDL (Ruby Hardware Description Language); the most widely used at present are VHDL (Very-High-Speed Integrated Circuit Hardware Description Language) and Verilog. Those skilled in the art will also appreciate that a hardware circuit implementing a logical method flow can easily be obtained simply by doing a little logic programming of the method flow in one of these hardware description languages and programming it into an integrated circuit.
控制器可以按任何适当的方式实现,例如,控制器可以采取例如微处理器或处理器以及存储可由该(微)处理器执行的计算机可读程序代码(例如软件或固件)的计算机可读介质、逻辑门、开关、专用集成电路(Application Specific Integrated Circuit,ASIC)、可编程逻辑控制器和嵌入微控制器的形式,控制器的例子包括但不限于以下微控制器:ARC 625D、Atmel AT91SAM、Microchip PIC18F26K20以及Silicone Labs C8051F320, 存储器控制器还可以被实现为存储器的控制逻辑的一部分。本领域技术人员也知道,除了以纯计算机可读程序代码方式实现控制器以外,完全可以通过将方法步骤进行逻辑编程来使得控制器以逻辑门、开关、专用集成电路、可编程逻辑控制器和嵌入微控制器等的形式来实现相同功能。因此这种控制器可以被认为是一种硬件部件,而对其内包括的用于实现各种功能的装置也可以视为硬件部件内的结构。或者甚至,可以将用于实现各种功能的装置视为既可以是实现方法的软件模块又可以是硬件部件内的结构。The controller can be implemented in any suitable manner. For example, the controller can take the form of, for example, a microprocessor or a processor and a computer-readable medium storing computer-readable program codes (such as software or firmware) executable by the (micro)processor. , Logic gates, switches, application specific integrated circuits (ASICs), programmable logic controllers and embedded microcontrollers. Examples of controllers include but are not limited to the following microcontrollers: ARC625D, Atmel AT91SAM, Microchip PIC18F26K20 and Silicon Labs C8051F320, the memory controller can also be implemented as a part of the control logic of the memory. Those skilled in the art also know that, in addition to implementing the controller in a purely computer-readable program code manner, it is entirely possible to program the method steps to make the controller use logic gates, switches, application specific integrated circuits, programmable logic controllers, and embedded logic. The same function can be realized in the form of a microcontroller or the like. Therefore, such a controller can be regarded as a hardware component, and the devices included in it for realizing various functions can also be regarded as a structure within the hardware component. Or even, the device for realizing various functions can be regarded as both a software module for realizing the method and a structure within a hardware component.
The systems, apparatuses, modules or units set out in the above embodiments may specifically be implemented by computer chips or entities, or by products having certain functions. A typical implementation device is a computer. Specifically, the computer may be, for example, a personal computer, a laptop computer, a cellular phone, a camera phone, a smartphone, a personal digital assistant, a media player, a navigation device, an e-mail device, a game console, a tablet computer, a wearable device, or any combination of these devices.
For convenience of description, the above apparatus is described in terms of functions divided into various units. Of course, when implementing this application, the functions of the units may be implemented in one or more pieces of software and/or hardware.
Those skilled in the art should understand that the embodiments of the present invention may be provided as a method, a system, or a computer program product. Therefore, the present invention may take the form of an entirely hardware embodiment, an entirely software embodiment, or an embodiment combining software and hardware aspects. Moreover, the present invention may take the form of a computer program product implemented on one or more computer-usable storage media (including, but not limited to, disk storage, CD-ROM, optical storage, etc.) containing computer-usable program code.
The present invention is described with reference to flowcharts and/or block diagrams of methods, devices (systems) and computer program products according to embodiments of the present invention. It should be understood that each process and/or block in the flowcharts and/or block diagrams, and any combination of processes and/or blocks in the flowcharts and/or block diagrams, can be implemented by computer program instructions. These computer program instructions can be provided to the processor of a general-purpose computer, a special-purpose computer, an embedded processor or other programmable data processing equipment to produce a machine, so that the instructions executed by the processor of the computer or other programmable data processing equipment produce means for implementing the functions specified in one or more processes of a flowchart and/or one or more blocks of a block diagram.
These computer program instructions can also be stored in a computer-readable memory that can direct a computer or other programmable data processing equipment to work in a specific manner, so that the instructions stored in the computer-readable memory produce an article of manufacture including instruction means, which implement the functions specified in one or more processes of a flowchart and/or one or more blocks of a block diagram.
These computer program instructions can also be loaded onto a computer or other programmable data processing equipment, so that a series of operational steps are executed on the computer or other programmable equipment to produce computer-implemented processing, whereby the instructions executed on the computer or other programmable equipment provide steps for implementing the functions specified in one or more processes of a flowchart and/or one or more blocks of a block diagram.
In a typical configuration, a computing device includes one or more processors (CPUs), input/output interfaces, network interfaces and memory.
The memory may include non-persistent memory in computer-readable media, in forms such as random access memory (RAM) and/or non-volatile memory such as read-only memory (ROM) or flash memory (flash RAM). Memory is an example of a computer-readable medium.
Computer-readable media include persistent and non-persistent, removable and non-removable media, and may implement information storage by any method or technology. The information may be computer-readable instructions, data structures, program modules or other data. Examples of computer storage media include, but are not limited to, phase change memory (PRAM), static random access memory (SRAM), dynamic random access memory (DRAM), other types of random access memory (RAM), read-only memory (ROM), electrically erasable programmable read-only memory (EEPROM), flash memory or other memory technology, compact disc read-only memory (CD-ROM), digital versatile disc (DVD) or other optical storage, magnetic cassettes, magnetic tape, magnetic disk storage or other magnetic storage devices, or any other non-transmission medium that can be used to store information accessible by a computing device. As defined herein, computer-readable media do not include transitory media such as modulated data signals and carrier waves.
It should also be noted that the terms "comprise", "include" or any other variants thereof are intended to cover non-exclusive inclusion, so that a process, method, product or device that includes a series of elements includes not only those elements but also other elements not explicitly listed, or elements inherent to such a process, method, product or device. Absent further limitation, an element defined by the phrase "including a ..." does not exclude the existence of other identical elements in the process, method, product or device that includes the element.
This application may be described in the general context of computer-executable instructions executed by a computer, such as program modules. Generally, program modules include routines, programs, objects, components, data structures and the like that perform particular tasks or implement particular abstract data types. This application may also be practiced in distributed computing environments, in which tasks are performed by remote processing devices connected through a communication network. In a distributed computing environment, program modules may be located in both local and remote computer storage media, including storage devices.
The embodiments in this specification are described in a progressive manner; the same or similar parts of the embodiments may be referred to one another, and each embodiment focuses on its differences from the others. In particular, since the system embodiment is basically similar to the method embodiment, its description is relatively simple, and the relevant parts of the description of the method embodiment may be consulted.
The above descriptions are merely embodiments of the present application and are not intended to limit it. For those skilled in the art, the present application may have various modifications and changes. Any modification, equivalent replacement, improvement or the like made within the spirit and principle of the present application shall fall within the scope of the claims of the present application.

Claims (18)

  1. A method of forwarding a verifiable claim, comprising:
    a data warehouse monitoring on-chain transaction data containing a verifiable claim generated in a target blockchain system;
    if the decentralized identifier (DID) contained in the on-chain transaction data is the same as the DID of the verifier served by the data warehouse, obtaining the verifiable claim from the on-chain transaction data; and
    sending the verifiable claim to a device of the verifier.
  2. The method according to claim 1, wherein
    obtaining the verifiable claim from the on-chain transaction data comprises: obtaining an encrypted verifiable claim from the on-chain transaction data; and
    sending the verifiable claim to the device of the verifier comprises: sending the encrypted verifiable claim to the device of the verifier.
  3. The method according to claim 1, wherein obtaining the verifiable claim from the on-chain transaction data comprises:
    obtaining an encrypted verifiable claim from the on-chain transaction data;
    obtaining an authorization key from the on-chain transaction data;
    decrypting the authorization key with the private key of the verifier to obtain a symmetric key; and
    decrypting the encrypted verifiable claim with the symmetric key to obtain the verifiable claim.
  4. The method according to claim 1, wherein obtaining the verifiable claim from the on-chain transaction data comprises:
    obtaining an encrypted verifiable claim from the on-chain transaction data;
    obtaining an authorization key from the on-chain transaction data;
    sending the authorization key to a decentralized identifier server;
    obtaining the symmetric key that the decentralized identifier server obtains by decrypting the authorization key; and
    decrypting the encrypted verifiable claim with the symmetric key to obtain the verifiable claim.
  5. The method according to any one of claims 1 to 4, further comprising, after obtaining the verifiable claim from the on-chain transaction data:
    storing the verifiable claim in a database connected to the data warehouse;
    and further comprising, before sending the verifiable claim to the device of the verifier:
    obtaining a verification request sent by the verifier, the verification request containing at least an identifier of the verifiable claim;
    wherein sending the verifiable claim to the device of the verifier specifically comprises:
    looking up the verifiable claim in the database according to the identifier; and
    sending the verifiable claim found to the device of the verifier.
  6. The method according to claim 5, further comprising, after obtaining the verification request sent by the verifier:
    obtaining the DID of the verifier of the verifiable claim;
    determining, according to the DID, whether the verifier has permission to use the data warehouse;
    wherein looking up the verifiable claim in the database according to the identifier specifically comprises:
    when the verifier has permission to use the data warehouse, looking up the verifiable claim in the database according to the identifier.
  7. A method of obtaining a verifiable claim, comprising:
    a verifier of the verifiable claim obtaining a first verification request sent by a holder of the verifiable claim, the first verification request containing at least an identifier of the verifiable claim;
    sending a second verification request for obtaining the verifiable claim to a data warehouse, the second verification request containing the identifier; and
    obtaining the verifiable claim returned by the data warehouse in response to the second verification request;
    wherein the verifiable claim is obtained by the data warehouse from a target blockchain system.
  8. The method according to claim 7, wherein the second verification request further contains the DID of the verifier.
  9. An apparatus for forwarding a verifiable claim, the apparatus being applied to a data warehouse and comprising:
    a monitoring module, configured to monitor on-chain transaction data containing a verifiable claim generated in a target blockchain system;
    a verifiable claim obtaining module, configured to obtain the verifiable claim from the on-chain transaction data if the DID contained in the on-chain transaction data is the same as the DID of the verifier served by the data warehouse; and
    a verifiable claim sending module, configured to send the verifiable claim to a device of the verifier.
  10. The apparatus according to claim 9, wherein the verifiable claim obtaining module specifically comprises:
    a first verifiable claim obtaining unit, configured to obtain an encrypted verifiable claim from the on-chain transaction data;
    and the verifiable claim sending module specifically comprises:
    a first verifiable claim sending unit, configured to send the encrypted verifiable claim to the device of the verifier.
  11. The apparatus according to claim 9, wherein the verifiable claim obtaining module specifically comprises:
    a second verifiable claim obtaining unit, configured to obtain an encrypted verifiable claim from the on-chain transaction data;
    a first authorization key obtaining unit, configured to obtain an authorization key from the on-chain transaction data;
    a first decryption unit, configured to decrypt the authorization key with the private key of the verifier to obtain a symmetric key; and
    a second decryption unit, configured to decrypt the encrypted verifiable claim with the symmetric key to obtain the verifiable claim.
  12. The apparatus according to claim 9, wherein the verifiable claim obtaining module specifically comprises:
    a third verifiable claim obtaining unit, configured to obtain an encrypted verifiable claim from the on-chain transaction data;
    a second authorization key obtaining unit, configured to obtain an authorization key from the on-chain transaction data;
    an authorization key sending unit, configured to send the authorization key to a decentralized identifier server;
    a symmetric key obtaining unit, configured to obtain the symmetric key that the decentralized identifier server obtains by decrypting the authorization key; and
    a third decryption unit, configured to decrypt the encrypted verifiable claim with the symmetric key to obtain the verifiable claim.
  13. The apparatus according to any one of claims 9 to 12, further comprising:
    a verifiable claim storage module, configured to store the verifiable claim in a database connected to the data warehouse after the verifiable claim is obtained from the on-chain transaction data;
    a verification request obtaining module, configured to obtain, before the verifiable claim is sent to the device of the verifier, a verification request sent by the verifier, the verification request containing at least an identifier of the verifiable claim;
    wherein the verifiable claim sending module specifically comprises:
    a verifiable claim lookup unit, configured to look up the verifiable claim in the database according to the identifier; and
    a second verifiable claim sending unit, configured to send the verifiable claim found to the device of the verifier.
  14. The apparatus according to claim 13, further comprising:
    a DID obtaining module, configured to obtain the DID of the verifier of the verifiable claim after the verification request sent by the verifier is obtained;
    a determining module, configured to determine, according to the DID, whether the verifier has permission to use the data warehouse;
    wherein the verifiable claim lookup unit specifically comprises:
    a verifiable claim lookup subunit, configured to look up the verifiable claim in the database according to the identifier when the verifier has permission to use the data warehouse.
  15. An apparatus for obtaining a verifiable claim, the apparatus being applied to a verifier of the verifiable claim and comprising:
    a first verification request obtaining module, configured to obtain a first verification request sent by a holder of the verifiable claim, the first verification request containing at least an identifier of the verifiable claim;
    a second verification request sending module, configured to send a second verification request for obtaining the verifiable claim to a data warehouse, the second verification request containing the identifier; and
    a verifiable claim obtaining module, configured to obtain the verifiable claim returned by the data warehouse in response to the second verification request;
    wherein the verifiable claim is obtained by the data warehouse from a target blockchain system.
  16. The apparatus according to claim 15, wherein the second verification request further contains the DID of the verifier.
  17. A device for forwarding a verifiable claim, comprising:
    at least one processor; and
    a memory communicatively connected to the at least one processor, wherein
    the memory stores instructions executable by the at least one processor, and the instructions are executed by the at least one processor so that the at least one processor is able to:
    monitor on-chain transaction data containing a verifiable claim generated in a target blockchain system;
    if the DID contained in the on-chain transaction data is the same as the DID of the verifier served by the data warehouse, obtain the verifiable claim from the on-chain transaction data; and
    send the verifiable claim to a device of the verifier.
  18. A device for obtaining a verifiable claim, comprising:
    at least one processor; and
    a memory communicatively connected to the at least one processor, wherein
    the memory stores instructions executable by the at least one processor, and the instructions are executed by the at least one processor so that the at least one processor is able to:
    obtain a first verification request sent by a holder of the verifiable claim, the first verification request containing at least an identifier of the verifiable claim;
    send a second verification request for obtaining the verifiable claim to a data warehouse, the second verification request containing the identifier; and
    obtain the verifiable claim returned by the data warehouse in response to the second verification request, the verifiable claim being obtained by the data warehouse from a target blockchain system.
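The data-warehouse side of claims 1, 3, 5 and 6 (DID filtering, key unwrap, claim decryption, storage, and the permission check on a verification request), as an added example that is not part of the patent or any Alipay code. To stay within the Python standard library, the verifier's private key is replaced by a shared secret and the symmetric cipher by an HMAC-SHA256 keystream with an HMAC tag; both are labelled stand-ins, and every DID, claim and transaction is constructed.

```python
import hashlib
import hmac
import json
import os
from dataclasses import dataclass, field
from typing import Optional


def _keystream(key: bytes, label: bytes, n: int) -> bytes:
    # Toy keystream: HMAC-SHA256(key, label || counter) blocks, a stand-in for AES.
    out, ctr = b"", 0
    while len(out) < n:
        out += hmac.new(key, label + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
        ctr += 1
    return out[:n]


def seal(key: bytes, plaintext: bytes) -> bytes:
    # Encrypt-then-MAC with the toy keystream; layout is nonce || ciphertext || tag.
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()


def open_sealed(key: bytes, blob: bytes) -> bytes:
    # Check the tag before decrypting so a tampered or mis-keyed blob is rejected.
    if len(blob) < 48:
        raise ValueError("blob too short")
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("authentication failed")
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))


def build_transaction(verifier_did: str, verifier_secret: bytes, claim: dict) -> dict:
    # Constructed issuer side. In the patent the symmetric key is wrapped for the
    # verifier's private key; this toy wraps it under a shared secret instead.
    sym_key = os.urandom(32)
    return {
        "did": verifier_did,
        "authorization_key": seal(verifier_secret, sym_key),
        "encrypted_claim": seal(sym_key, json.dumps(claim).encode()),
    }


@dataclass
class Warehouse:
    """Serves one verifier: filters the chain by its DID and answers its requests."""
    verifier_did: str
    verifier_secret: bytes                      # stands in for the verifier's private key
    authorized_dids: set = field(default_factory=set)   # DIDs allowed to query (claim 6)
    db: dict = field(default_factory=dict)      # claim id -> decrypted claim (claim 5)

    def on_chain_event(self, tx: dict) -> Optional[dict]:
        # Claims 1 and 3: DID filter, unwrap symmetric key, decrypt claim, store it.
        if tx.get("did") != self.verifier_did:
            return None                         # not addressed to the verifier we serve
        sym_key = open_sealed(self.verifier_secret, tx["authorization_key"])
        claim = json.loads(open_sealed(sym_key, tx["encrypted_claim"]))
        self.db[claim["id"]] = claim
        return claim

    def handle_verification_request(self, requester_did: str, claim_id: str) -> Optional[dict]:
        # Claims 5 and 6: permission check on the requester's DID, then lookup by claim id.
        if requester_did not in self.authorized_dids:
            return None
        return self.db.get(claim_id)


def run_demo() -> dict:
    # Constructed end-to-end run; every DID and claim value below is illustrative.
    vdid, secret = "did:example:verifier", b"verifier-private-secret"
    wh = Warehouse(vdid, secret, authorized_dids={vdid})
    claim = {"id": "vc-001", "issuer": "did:example:issuer", "subject": {"age_over_18": True}}
    tx = build_transaction(vdid, secret, claim)
    other_tx = dict(tx, did="did:example:someone-else")
    ec = tx["encrypted_claim"]
    tampered_tx = dict(tx, encrypted_claim=ec[:-1] + bytes([ec[-1] ^ 0x01]))
    try:
        wh.on_chain_event(tampered_tx)
        tamper_rejected = False
    except ValueError:
        tamper_rejected = True
    return {
        "forwarded": wh.on_chain_event(tx),
        "ignored_other_did": wh.on_chain_event(other_tx) is None,
        "served_to_verifier": wh.handle_verification_request(vdid, "vc-001"),
        "refused_unauthorized": wh.handle_verification_request("did:example:stranger", "vc-001") is None,
        "tamper_rejected": tamper_rejected,
    }


if __name__ == "__main__":
    print(json.dumps(run_demo(), indent=2))
```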
Application PCT/CN2021/085169, priority date 2020-04-10, filing date 2021-04-02: Forwarding and acquisition of verifiable claim, WO2021204067A1 (en)

Applications Claiming Priority (2)

Application Number | Priority Date | Filing Date | Title
CN202010277163.X | 2020-04-10 | |
CN202010277163.XA (CN111190974B) | 2020-04-10 | 2020-04-10 | Method, device and equipment for forwarding and acquiring verifiable statement

Publications (1)

Publication Number | Publication Date
WO2021204067A1 (en) | 2021-10-14

Legal Events

121 (EP): the EPO has been informed by WIPO that EP was designated in this application (ref document 21783740, EP, kind code A1)
NENP: non-entry into the national phase (ref country code DE)
122 (EP): PCT application non-entry in European phase (ref document 21783740, EP, kind code A1)