
CN117978404A - Trusted digital identity issuing and distributed authentication method - Google Patents


Info

Publication number
CN117978404A
Authority
CN
China
Prior art keywords
digital identity
identity
basic
user
business
Legal status
Pending
Application number
CN202410132964.5A
Other languages
Chinese (zh)
Inventor
于锐
杨林
郝久月
章锋
胡光俊
邱旭华
李頔
蔡国城
王剑冰
吴瑶
邓晨
夏吉广
国伟
刘斌
王颖
张萍萍
张晔
张明舵
欧阳晖
白培鑫
陈思敏
李振裕
庄江龙
章伟良
黄文滨
Current Assignee
Beijing Zhongdun Anxin Technology Development Co ltd
Xiamen Zhongdunanxin Technology Co ltd
First Research Institute of Ministry of Public Security
Original Assignee
Beijing Zhongdun Anxin Technology Development Co ltd
Xiamen Zhongdunanxin Technology Co ltd
First Research Institute of Ministry of Public Security


Classifications

    • H ELECTRICITY
      • H04 ELECTRIC COMMUNICATION TECHNIQUE
        • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
          • H04L 9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
            • H04L 9/32 including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
              • H04L 9/3247 involving digital signatures
            • H04L 9/40 Network security protocols
            • H04L 9/50 using hash chains, e.g. blockchains or hash trees
          • H04L 63/00 Network architectures or network communication protocols for network security
            • H04L 63/04 for providing a confidential data exchange among entities communicating through data packet networks
              • H04L 63/0428 wherein the data content is protected, e.g. by encrypting or encapsulating the payload
                • H04L 63/0442 wherein the sending and receiving network entities apply asymmetric encryption, i.e. different keys for encryption and decryption
            • H04L 63/08 for authentication of entities
              • H04L 63/0861 using biometrical features, e.g. fingerprint, retina-scan
            • H04L 63/12 Applying verification of the received information
              • H04L 63/123 received data contents, e.g. message integrity

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Health & Medical Sciences (AREA)
  • Biomedical Technology (AREA)
  • General Health & Medical Sciences (AREA)
  • Management, Administration, Business Operations System, And Electronic Commerce (AREA)

Abstract

The invention discloses a method for trusted digital identity issuance and distributed authentication comprising three stages: trusted digital identity issuance, business credential issuance, and joint identity claim creation and verification. The method takes the authoritative network trusted identity as the trust root and on that basis issues the basic-level digital identity identifier, the basic-level digital identity credential and business credentials. It thereby retains the advantages of blockchain and distributed digital identity technology while supporting final tracing of a trusted digital identity back to the user's real identity; it meets the construction requirements of a network trusted identity management service system, supports the distributed application ecosystem, complements and extends the identity management and service system, and has enormous market potential.

Description

A method for trusted digital identity issuance and distributed authentication

Technical field

The present invention relates to the field of network security technology, and in particular to a method for trusted digital identity issuance and distributed authentication.

Background

Digital identity is one of the key elements in building the trust system of the digital economy era, and it is also key to making the Internet controllable, manageable, secure and trustworthy.

Distributed digital identity is realized through blockchain technology. The identity owner, i.e. the user, independently controls and manages their own digital identity; returning data ownership to the user addresses privacy and security concerns, and standard protocols provide interoperability across applications. The tamper-resistance and evidence-tracing properties of blockchain further guarantee the authenticity and validity of the data, and the decentralized nature of blockchain technology can be fully exploited when the attribute information of a circulating digital identity is confirmed or verified. Distributed digital identity offers a new technical direction for digital identity and has attracted much attention from governments and industry.

Existing technical solutions generally follow the distributed digital identity (DID) standards of the international standards bodies W3C and DIF (Decentralized Identity Organization). W3C focuses mainly on the DID specifications, while DIF works on DID interoperability. Users create, update and delete DIDs in a decentralized, autonomous and anonymous manner and register them on the blockchain through smart contracts; users are not required to complete real-identity authentication before registration.

The workflow of the existing scheme is as follows: (1) both the user (the credential holder) and the credential issuer register their self-created DID identifiers on the blockchain through a smart contract and store the DID documents containing their public keys on the blockchain; (2) the user applies to the credential issuer for a verifiable credential (VC) and stores it in the terminal's secure area, while the credential issuer stores the status of the VC (revoked or not) on the blockchain; (3) according to the verifier's business needs, the user creates a verifiable presentation (VP) from the VC and presents it to the verifier of their own accord; (4) the verifier retrieves the DID documents and the VC status from the blockchain and verifies the digital signature and validity (not revoked, etc.) of the VC contained in the VP.

The construction of China's network trusted identity must meet the requirements of front-end anonymity, back-end real-name management, privacy and security, cross-domain trust, and economy and ease of use. On the one hand, a network trusted identity should support "front-end anonymous use": natural persons can complete identity authentication and user authorization for network applications by means of network trusted identity authentication services, and network applications can carry out a "controllable anonymization" of their account systems to reduce the use and retention of plaintext personal identity data and effectively protect citizens' information and personal privacy. On the other hand, a network trusted identity should support "back-end real-name management", so that an individual's real identity can be traced through a national authoritative body. Although the distributed digital identity technology proposed by W3C has technical characteristics such as autonomy and anonymity and includes a great deal of careful design for protecting users' personal privacy, it does not meet the requirements of real-name network management.

Summary of the invention

In view of the deficiencies of the prior art, the present invention aims to provide a method for trusted digital identity issuance and distributed authentication.

To achieve the above object, the present invention adopts the following technical solution:

A method for trusted digital identity issuance and distributed authentication, comprising three stages: trusted digital identity issuance, business credential issuance, and joint identity claim creation and verification;

1. The specific process of trusted digital identity issuance is as follows:

A1. The user applies for a trusted digital identity through the digital identity application terminal; the trusted digital identity comprises a basic-level digital identity identifier and a basic-level digital identity credential. The digital identity application terminal creates a public/private key pair locally and stores it encrypted on the terminal;

A2. The digital identity application terminal requires the user to undergo real-identity verification, entering identity information and capturing a facial image;

A3. The digital identity application terminal submits the identity information provided by the user, the facial image that passed liveness detection and the newly created user public key to the digital identity distributed application platform, which forwards the user's identity information and facial image to the authoritative identity authentication platform to complete verification of the user's real identity;

A4. If real-identity verification succeeds, the authoritative identity authentication platform returns the user's network trusted identity to the digital identity distributed application platform and the process proceeds to step A5; if verification of the user's real identity information fails, the digital identity distributed application platform notifies the user, through the digital identity application terminal, that the application has failed;

A5. The digital identity distributed application platform creates for the user a basic-level digital identity identifier (the basic DID) and a basic-level digital identity identifier document containing the user's public key (the basic DID document), stores the mapping between the user's network trusted identity and the basic DID in its database, and at the same time creates a basic-level digital identity credential in the data format prescribed by the basic-level digital identity credential template and signs it;

A6. The digital identity distributed application platform calls the digital identity chain smart contract to store the user's basic DID document and the hash and status of the basic-level digital identity credential on the digital identity chain;

A7. The digital identity distributed application platform returns the user's basic DID, the basic DID document and the signature value of the basic-level digital identity credential to the digital identity application terminal;

A8. The digital identity application terminal assembles the identity information submitted by the user with the signature value of the basic-level digital identity credential returned by the digital identity distributed application platform to produce the terminal-local basic-level digital identity credential, and stores it encrypted, together with the basic DID returned by the platform, in the terminal's local secure area;

2. The specific process of business credential issuance is as follows:

B1. When the user needs to apply to a business system for a business credential, the user uses the digital identity application terminal to sign the terminal-local basic-level digital identity credential with the user's private key and submits it to that business system;

B2. The business system accesses the digital identity chain, verifies the user's signature on the submitted basic-level digital identity credential as well as the digital identity distributed application platform's signature, and checks the status of the submitted basic-level digital identity credential, confirming that its status is valid;

B3. After verification passes, the business system issues a business credential to the user based on the user's basic DID;

B4. The business system stores the hash and status of the business credential issued in step B3 on the corresponding business chain;

B5. The digital identity application terminal receives the business credential issued by the business system and stores it encrypted in the terminal's local secure area;

3. The specific process of joint identity claim creation and verification is as follows:

C1. In a given business scenario, when the verifier needs to verify business credentials of the relevant business systems, the verifier system first asks the user to present, via the digital identity application terminal, a joint identity claim conforming to the joint identity claim template specified for that scenario. With the user's authorization, the digital identity application terminal combines the business credentials issued by the relevant business systems with the terminal-local basic-level digital identity credential in the format required by the joint identity claim template, signs the result with the user's private key to create the joint identity claim, encrypts the joint identity claim with the verifier's public key and transmits it to the verifier system, which decrypts it with the verifier's private key to obtain the joint identity claim;

C2. The digital identity application terminal records a log entry of the authorization of the joint identity claim to the verifier system on the digital identity chain as evidence;

C3. The verifier system queries, through any node of the digital identity chain, the basic DID documents of the digital identity distributed application platform, the relevant business systems and the user; it obtains the public keys of the platform and the user from their basic DID documents, verifies the user's signature on the joint identity claim and the platform's signature on the basic-level digital identity credential contained in the claim, and confirms that the status of the basic-level digital identity credential is valid and that the user has consented to the authorization;

C4. The verifier system reads the public key from the basic DID document of each relevant business system, verifies the signature of the corresponding business system carried by each business credential, accesses the business chain of each relevant business system to look up the hash and status of each business credential, and confirms that each business credential is valid;

C5. After the verifier system completes verification of the joint identity claim, the subsequent business process continues.

Further, in the above method, the digital identity distributed application platform may revoke an issued basic-level digital identity credential; if a basic-level digital identity credential is revoked, its revocation status is also stored on the digital identity chain. The user may apply to the digital identity distributed application platform to freeze or unfreeze the basic-level digital identity credential they obtained, and the frozen or unfrozen status of that credential is likewise stored on the digital identity chain.

The beneficial effects of the present invention are as follows: the present invention proposes a method for trusted digital identity issuance and distributed authentication that supports anonymous front-end use and real-name back-end management and complies with the requirements of real-name network management. It takes the authoritative network trusted identity as the trust root and on that basis issues the basic-level digital identity identifier, the basic-level digital identity credential and business credentials. It retains the many advantages of blockchain and distributed digital identity technology, namely an ecosystem built jointly on multi-party consensus, tamper-resistant on-chain data with trusted circulation, user-autonomous authorization, confirmation of rights over personal data assets, privacy protection, and distributed authentication that is highly reliable, eliminates single points of failure and lets the verifier complete identity authentication without depending on the issuer, while also supporting final tracing of the trusted digital identity back to the user's real identity. It meets the requirements for building a network trusted identity management service system, supports the distributed application ecosystem, complements and extends the identity management and service system, and has enormous market potential.

Brief description of the drawings

FIG. 1 is a flowchart of trusted digital identity issuance in Embodiment 1 of the present invention;

FIG. 2 is a flowchart of business credential issuance in Embodiment 1 of the present invention;

FIG. 3 is a flowchart of joint identity claim creation and verification in Embodiment 1 of the present invention;

FIG. 4 is a flowchart of business credential issuance in Embodiment 2 of the present invention;

FIG. 5 is a flowchart of joint identity claim creation and verification in Embodiment 2 of the present invention.

具体实施方式Detailed ways

以下将结合附图对本发明作进一步的描述,需要说明的是,本实施例以本技术方案为前提,给出了详细的实施方式和具体的操作过程,但本发明的保护范围并不限于本实施例。The present invention will be further described below in conjunction with the accompanying drawings. It should be noted that this embodiment is based on the technical solution and provides a detailed implementation method and specific operation process, but the protection scope of the present invention is not limited to this embodiment.

实施例1Example 1

本实施例提供了一种可信数字身份签发和分布式认证的方法,包括可信数字身份签发、业务凭证签发、联合身份声明创建和验证三个阶段;This embodiment provides a method for trusted digital identity issuance and distributed authentication, including three stages: trusted digital identity issuance, business credential issuance, and joint identity claim creation and verification;

一、如图1所示,可信数字身份签发的具体流程如下:1. As shown in Figure 1, the specific process of issuing a trusted digital identity is as follows:

A1、用户通过数字身份应用终端申领可信数字身份,可信数字身份包括基础级数字身份标识和基础级数字身份凭证;数字身份应用终端在终端本地创建公私钥对,加密存储在终端本地;A1. Users apply for a trusted digital identity through a digital identity application terminal. The trusted digital identity includes a basic digital identity identifier and a basic digital identity certificate. The digital identity application terminal creates a public-private key pair locally and stores it in encrypted form locally.

A2、数字身份应用终端要求用户进行真实身份核验,录入身份信息和采集人脸;A2. Digital identity application terminals require users to verify their real identity, enter their identity information and collect their faces;

A3、数字身份应用终端将用户提交的身份信息和通过活体检测的人脸图片以及创建的用户公钥提交给数字身份分布式应用平台,数字身份分布式应用平台将用户的身份信息和人脸图片转发至权威身份认证平台完成用户的真实身份核验;A3. The digital identity application terminal submits the identity information submitted by the user, the face image that has passed the liveness detection, and the created user public key to the digital identity distributed application platform. The digital identity distributed application platform forwards the user's identity information and face image to the authoritative identity authentication platform to complete the user's real identity verification;

A4、如果用户的真实身份核验成功,权威身份认证平台向数字身份分布式应用平台返回该用户的网络可信身份,并转入步骤A5;如果用户的真实身份信息核验失败,则数字身份分布式应用平台通过数字身份应用终端通知用户申领失败;A4. If the user's real identity verification is successful, the authoritative identity authentication platform returns the user's network trusted identity to the digital identity distributed application platform and proceeds to step A5; if the user's real identity information verification fails, the digital identity distributed application platform notifies the user of the application failure through the digital identity application terminal;

A5、数字身份分布式应用平台为用户创建基础级数字身份标识即基础DID和包含用户公钥的基础级数字身份标识文档即基础DID文档,并将用户的网络可信身份和基础DID的映射关系存储到数据库中,同时依据基础级数字身份凭证模板规定的数据格式创建基础级数字身份凭证,并进行签名;A5. The digital identity distributed application platform creates a basic digital identity, i.e., a basic DID, and a basic digital identity document, i.e., a basic DID document, for the user, and stores the mapping relationship between the user's network trusted identity and the basic DID in the database. At the same time, it creates a basic digital identity certificate according to the data format specified by the basic digital identity certificate template and signs it.

A6、数字身份分布式应用平台调用数字身份链智能合约,将用户的基础DID文档和基础级数字身份凭证的哈希和状态存储到数字身份链上;数字身份分布式应用平台可撤销已签发的基础级数字身份凭证,如果撤销基础级数字身份凭证,该基础级数字身份凭证的撤销状态也将存储到数字身份链上;用户也可向数字身份分布式应用平台申请冻结或解冻申领到的基础级数字身份凭证,该基础级数字身份凭证的冻结和解冻状态也将存储到数字身份链上;A6. The digital identity distributed application platform calls the digital identity chain smart contract to store the hash and status of the user's basic DID document and basic digital identity certificate on the digital identity chain; the digital identity distributed application platform can revoke the issued basic digital identity certificate. If the basic digital identity certificate is revoked, the revocation status of the basic digital identity certificate will also be stored on the digital identity chain; users can also apply to the digital identity distributed application platform to freeze or unfreeze the basic digital identity certificate they have applied for, and the freezing and unfreezing status of the basic digital identity certificate will also be stored on the digital identity chain;

A7、数字身份分布式应用平台将用户的基础DID、基础DID文档和基础级数字身份凭证的签名值返回给数字身份应用终端;A7. The digital identity distributed application platform returns the user's basic DID, basic DID document, and signature value of the basic-level digital identity credential to the digital identity application terminal;

A8、数字身份应用终端将用户提交的身份信息和数字身份分布式应用平台返回的基础级数字身份凭证的签名值进行组装,生成终端本地的基础级数字身份凭证,和数字身份分布式应用平台返回的基础DID一起加密存储在终端本地的安全区域。A8. The digital identity application terminal assembles the identity information submitted by the user and the signature value of the basic-level digital identity certificate returned by the digital identity distributed application platform to generate a basic-level digital identity certificate local to the terminal, and encrypts and stores it together with the basic DID returned by the digital identity distributed application platform in a secure area local to the terminal.

二、如图2所示,业务凭证签发的具体流程为:2. As shown in Figure 2, the specific process of issuing business vouchers is as follows:

B1、用户需要向某个业务系统申领业务凭证时,使用数字身份应用终端将终端本地的基础级数字身份凭证用用户的私钥签名后提交至该业务系统;B1. When a user needs to apply for a business certificate from a business system, he/she uses a digital identity application terminal to sign the basic digital identity certificate on the terminal with the user's private key and submit it to the business system;

B2. The business system accesses the digital identity chain, verifies the user signature on the submitted basic-level digital identity credential and the signature of the digital identity distributed application platform on it, and checks the credential's status, confirming that it is valid (neither revoked nor frozen);

B3. After verification passes, the business system issues a business credential to the user based on the user's basic DID;

B4. The business system stores the hash and status of the business credential issued in step B3 on the corresponding business chain;

B5. The digital identity application terminal receives the business credential issued by the business system and stores it, encrypted, in the terminal's local secure area.

3. As shown in Figure 3, the specific process of creating and verifying a joint identity statement is as follows:

C1. In a given business scenario, when the verifier needs to verify business credentials issued by the relevant business systems, the verifier's system first asks the user to present a joint identity statement through the digital identity application terminal according to the joint identity statement template specified for that scenario. Once the user has authorized it, the terminal combines the business credentials issued by the relevant business systems (for example, credential VC-A issued by business system A and credential VC-B issued by business system B) with the terminal's local basic-level digital identity credential in the format required by the template, signs the result with the user's private key to create the joint identity statement, encrypts the statement with the verifier's public key and transmits it to the verifier's system, which decrypts it with the verifier's private key to obtain the joint identity statement;

C2. The digital identity application terminal records a log entry of the authorization of the joint identity statement to the verifier's system on the digital identity chain as evidence;

C3. The verifier's system queries, through any node of the digital identity chain, the basic DID documents of the digital identity distributed application platform, the relevant business systems and the user; it obtains the public keys of the platform and the user from their basic DID documents, verifies the user signature on the joint identity statement and the platform's signature on the basic-level digital identity credential contained in the statement, and confirms that the basic-level digital identity credential is valid (neither revoked nor frozen) and that the user has consented to the authorization;

C4. The verifier's system reads the public key from the basic DID document of each relevant business system, verifies the signature of the corresponding business system carried by each business credential, accesses the business chain of each relevant business system to query the hash and status of each business credential, and confirms that each business credential is valid (neither revoked nor frozen);

C5. After the verifier's system completes verification of the joint identity statement, it proceeds with the subsequent business process.
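The two procedures above, business credential issuance (B1-B5) and joint identity statement creation and verification (C1-C5), as one added Go example. This is illustrative code written for this page, not code from the patent or its applicants. It assumes Ed25519 signatures, a credential hash computed as SHA-256 over the signed fields plus the issuer signature, in-memory maps (`Ledger`) standing in for the digital identity chain and the business chains, `did:example:*` identifiers and a simple "|"-joined canonical form; all of these are constructed choices, as are the `Actor` and `Statement` types and the sample claim payloads. A statement carrying only the basic-level credential models the B1 submission, so the same `VerifyStatement` serves both the business system's check in B2 and the verifier's checks in C3-C4. It goes slightly beyond the text in one respect: every credential is also checked to be bound to the presenting holder's DID, which the method implies by issuing credentials "based on the user's basic DID". The public-key encryption of the statement in transit (C1) and the DID-to-network-trusted-identity mapping are omitted.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// Credential: the issuer signs Issuer|Subject|Payload; a chain anchors only Hash() and a status.
type Credential struct {
	Issuer, Subject, Payload string // issuer DID, holder's basic DID, claim data
	Sig                      []byte
}

func (c Credential) signedBytes() []byte { return []byte(c.Issuer + "|" + c.Subject + "|" + c.Payload) }
func (c Credential) Hash() string {
	h := sha256.Sum256(append(c.signedBytes(), c.Sig...))
	return hex.EncodeToString(h[:])
}

// Ledger simulates one chain: DID documents, credential status keyed by hash, and the authorization log (C2).
type Ledger struct {
	DIDDocs map[string]ed25519.PublicKey
	Status  map[string]string // "valid", "revoked" or "frozen"
	Log     []string
}

func NewLedger() *Ledger { return &Ledger{DIDDocs: map[string]ed25519.PublicKey{}, Status: map[string]string{}} }

// Actor is a participant (platform, user or business system) holding a key pair and a DID document.
type Actor struct {
	DID  string
	priv ed25519.PrivateKey
}

func NewActor(did string, idChain *Ledger) Actor {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader) // rand.Reader does not fail
	idChain.DIDDocs[did] = pub                       // publish the DID document on the identity chain
	return Actor{DID: did, priv: priv}
}

// Issue signs a credential for subject and anchors its hash as "valid" (A5-A6, B3-B4).
func (a Actor) Issue(subject, payload string, chain *Ledger) Credential {
	c := Credential{Issuer: a.DID, Subject: subject, Payload: payload}
	c.Sig = ed25519.Sign(a.priv, c.signedBytes())
	chain.Status[c.Hash()] = "valid"
	return c
}

// Statement is a joint identity statement signed by the holder; with only the basic credential it is the B1 submission.
type Statement struct {
	Holder string
	Creds  []Credential
	Sig    []byte
}

func (s Statement) signedBytes() []byte {
	b := s.Holder
	for _, c := range s.Creds {
		b += "|" + c.Hash()
	}
	return []byte(b)
}

// Present signs the statement with the holder's key (C1) and logs the authorization on the identity chain (C2).
func (a Actor) Present(verifierDID string, idChain *Ledger, creds ...Credential) Statement {
	s := Statement{Holder: a.DID, Creds: creds}
	s.Sig = ed25519.Sign(a.priv, s.signedBytes())
	idChain.Log = append(idChain.Log, a.DID+" authorized statement to "+verifierDID)
	return s
}

// VerifyStatement is the verifier side (B2, C3-C4): holder signature, then for each credential its binding
// to the holder, the issuer signature (key from the issuer's DID document) and the status on the issuer's chain.
func VerifyStatement(s Statement, idChain *Ledger, chains map[string]*Ledger) error {
	pub, ok := idChain.DIDDocs[s.Holder]
	if !ok || !ed25519.Verify(pub, s.signedBytes(), s.Sig) {
		return fmt.Errorf("holder signature by %s does not verify", s.Holder)
	}
	for _, c := range s.Creds {
		ipub, ok := idChain.DIDDocs[c.Issuer]
		if c.Subject != s.Holder || !ok || !ed25519.Verify(ipub, c.signedBytes(), c.Sig) {
			return fmt.Errorf("credential from %s is not a validly signed credential of %s", c.Issuer, s.Holder)
		}
		if chain := chains[c.Issuer]; chain == nil || chain.Status[c.Hash()] != "valid" {
			return fmt.Errorf("credential from %s is not valid on its chain", c.Issuer)
		}
	}
	return nil
}

func main() {
	idChain := NewLedger()
	platform, user := NewActor("did:example:platform", idChain), NewActor("did:example:user-1", idChain)
	basic := platform.Issue(user.DID, "name=<sample>", idChain) // constructed payload
	fmt.Println(VerifyStatement(user.Present("did:example:business-A", idChain, basic), idChain, map[string]*Ledger{platform.DID: idChain}))
}
```

Run with `go run`; `main` plays the B1-B2 exchange between a user and one business system and prints `<nil>` when the basic credential verifies. The Example 2 flow is the same calls with more actors: the university and the bank each verify the user's signed basic credential before calling `Issue` against their own education or financial `Ledger`, the user then calls `Present` with the basic, degree and salary credentials, and the company calls `VerifyStatement` with a `chains` map that routes each issuer DID to the chain anchoring its credentials. Two design points matter for the security of the scheme: the hash that keys the on-chain status covers the issuer signature, so a status lookup is bound to the exact signed object and a tampered payload fails both the issuer and the holder signature; and revocation or freezing (claim 2) is simply a status change on the chain, which makes a previously accepted joint statement fail without any change to the credential the holder stores.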

In the above method, a user applies for a trusted digital identity through the digital identity application terminal. After the digital identity distributed application platform has verified the user's real identity through the authoritative identity authentication platform, it "centrally issues" a basic-level digital identity identifier and a basic-level digital identity credential for the user and stores the DID document containing the user's public key, together with the status of the basic-level credential, on the digital identity chain, whose consensus involves multiple parties and whose data is difficult to tamper with. The basic DID is generated by a cryptographic transformation of the authoritative network trusted identity, institution information and a timestamp. The platform stores the mapping between the network trusted identity and the basic DID in a database, so that an anonymous basic DID can be traced back to the network trusted identity and from there to the user's real identity: anonymous use in the foreground, real-name management in the background.

Business systems authorized to access the digital identity chain can in turn issue business credentials to users on the basis of the trusted digital identity credential and their business chains. The basic-level digital identity credential and the business credentials held by a user are aggregated in the digital identity application terminal. When handling business, the user can use the terminal to combine, as the scenario requires, data from the basic-level credential and from several business credentials, sign it to generate a joint identity statement that aggregates the identity attributes and business attributes of the same natural person, and present it to the verifier under the user's own authorization. The verifier performs "distributed authentication" by checking the digital signatures and the validity of the basic-level credential at any node of the digital identity chain and the validity of the business credentials at any node of the business chain; once verification passes, the subsequent business process proceeds.

Example 2

This example provides an application instance of the method described in Example 1.

Specifically, this example covers the scenario of a user joining a company. On joining, the user must submit salary records for the past year, an academic certificate and personal identity information to the company's information system; only after review confirms that these meet the company's requirements can the onboarding process proceed.

1. The user applies for a trusted digital identity following the process of the method in Example 1.

2. The process by which the user applies for the salary record credential and the academic certificate credential is shown in Figure 4:

(1) The user opens the digital identity application terminal app, submits the basic-level digital identity credential signed with the user's personal private key, and applies to University A for an academic certificate credential;

(2) University A accesses the digital identity chain, verifies the user signature on the submitted basic-level digital identity credential and the signature of the digital identity distributed application platform, and confirms that the credential's status is valid, neither revoked nor frozen;

(3) After verification passes, University A issues an academic certificate credential to the user based on the user's basic DID;

(4) University A stores the hash and status (valid) of the academic certificate credential on the education industry chain;

(5) The user continues in the digital identity application terminal app, submits the basic-level digital identity credential signed with the personal private key, and applies to Bank A for a salary record credential;

(6) Bank A accesses the digital identity chain, verifies the user signature on the basic-level digital identity credential and the signature of the digital identity distributed application platform, and confirms that the credential's status is valid, neither revoked nor frozen;

(7) After verification passes, Bank A issues a salary record credential to the user based on the user's basic DID;

(8) Bank A stores the hash and status (valid) of the salary record credential on the financial industry chain;

(9) The digital identity application terminal app receives the academic certificate credential and the salary record credential and stores them in the terminal's local secure area.

3. The process of submitting and verifying the user's onboarding materials is shown in Figure 5:

(1) To submit the onboarding materials required by the company's process, the user uses the digital identity application terminal app. With the user's authorization, the app combines the basic-level digital identity credential, the academic certificate credential and the salary record credential the user has obtained according to the joint identity statement template preset by the company (that is, the list of required onboarding materials), creates a joint identity statement signed with the user's private key, encrypts it with the company's public key and submits it to the company's information system. On receiving the encrypted joint identity statement, the company's information system decrypts it with its private key to obtain the joint identity statement submitted by the user.

(2) The digital identity application terminal app records a log entry of the authorization of the joint identity statement to the company's information system on the digital identity chain as evidence;

(3) The company's information system accesses the digital identity chain, queries the basic DID documents of the digital identity distributed application platform, the user, University A and Bank A, verifies the user signature on the joint identity statement and the platform's signature on the basic-level digital identity credential, and confirms that the basic-level credential is valid (neither revoked nor frozen).

(4) The company's information system verifies University A's signature on the academic certificate credential and accesses the education industry chain to obtain the credential's status, confirming that the academic certificate credential is valid (neither revoked nor frozen).

(5) The company's information system verifies Bank A's signature on the salary record credential and accesses the financial industry chain to obtain the credential's status, confirming that the salary record credential is valid (neither revoked nor frozen).

(6) The company completes verification of all onboarding materials (the academic certificate credential, the salary record credential and the basic-level digital identity credential), all of which were obtained with the user's consent and authorization. If verification passes and the user meets the company's onboarding requirements, the company can proceed with the user's onboarding.

Those skilled in the art can make various corresponding changes and modifications based on the above technical solutions and concepts, and all such changes and modifications shall fall within the scope of protection of the claims of the present invention.

Claims (2)

1. A method for trusted digital identity issuance and distributed authentication, characterized in that it comprises three stages: trusted digital identity issuance, business credential issuance, and joint identity statement creation and verification;

I. The specific process of trusted digital identity issuance is as follows:

A1. The user applies for a trusted digital identity through the digital identity application terminal; the trusted digital identity comprises a basic-level digital identity identifier and a basic-level digital identity credential; the digital identity application terminal creates a public/private key pair locally on the terminal and stores it locally in encrypted form;

A2. The digital identity application terminal requires the user to undergo real-identity verification, entering identity information and capturing a facial image;

A3. The digital identity application terminal submits the identity information provided by the user, the facial image that passed liveness detection and the newly created user public key to the digital identity distributed application platform, which forwards the user's identity information and facial image to the authoritative identity authentication platform to complete verification of the user's real identity;

A4. If the user's real identity is verified successfully, the authoritative identity authentication platform returns the user's network trusted identity to the digital identity distributed application platform and the process proceeds to step A5; if verification of the user's real identity information fails, the digital identity distributed application platform notifies the user through the digital identity application terminal that the application has failed;

A5. The digital identity distributed application platform creates for the user a basic-level digital identity identifier, i.e. the basic DID, and a basic-level digital identity identifier document containing the user's public key, i.e. the basic DID document, stores the mapping between the user's network trusted identity and the basic DID in a database, and at the same time creates a basic-level digital identity credential in the data format prescribed by the basic-level digital identity credential template and signs it;

A6. The digital identity distributed application platform invokes the smart contract of the digital identity chain to store the user's basic DID document and the hash and status of the basic-level digital identity credential on the digital identity chain;

A7. The digital identity distributed application platform returns the user's basic DID, basic DID document and the signature value of the basic-level digital identity credential to the digital identity application terminal;

A8. The digital identity application terminal assembles the identity information submitted by the user with the signature value of the basic-level digital identity credential returned by the digital identity distributed application platform to generate the terminal-local basic-level digital identity credential, and stores it, together with the basic DID returned by the platform, encrypted in the terminal's local secure area;

II. The specific process of business credential issuance is as follows:

B1. When the user needs to apply to a business system for a business credential, the user uses the digital identity application terminal to sign the terminal-local basic-level digital identity credential with the user's private key and submits it to that business system;

B2. The business system accesses the digital identity chain, verifies the user signature on the submitted basic-level digital identity credential and the signature of the digital identity distributed application platform on it, and checks the status of the submitted basic-level digital identity credential, confirming that it is valid;

B3. After verification passes, the business system issues a business credential to the user based on the user's basic DID;

B4. The business system stores the hash and status of the business credential issued in step B3 on the corresponding business chain;

B5. The digital identity application terminal receives the business credential issued by the business system and stores it, encrypted, in the terminal's local secure area;

III. The specific process of joint identity statement creation and verification is as follows:

C1. In a given business scenario, when the verifier needs to verify business credentials issued by the relevant business systems, the verifier's system first asks the user to present a joint identity statement through the digital identity application terminal according to the joint identity statement template specified for that scenario; once the user has authorized it, the terminal combines the business credentials issued by the relevant business systems with the terminal's local basic-level digital identity credential in the format required by the template, signs the result with the user's private key to create the joint identity statement, encrypts the statement with the verifier's public key and transmits it to the verifier's system, which decrypts it with the verifier's private key to obtain the joint identity statement;

C2. The digital identity application terminal records a log entry of the authorization of the joint identity statement to the verifier's system on the digital identity chain as evidence;

C3. The verifier's system queries, through any node of the digital identity chain, the basic DID documents of the digital identity distributed application platform, the relevant business systems and the user; it obtains the public keys of the platform and the user from their basic DID documents, verifies the user signature on the joint identity statement and the platform's signature on the basic-level digital identity credential contained in the statement, and confirms that the basic-level digital identity credential is valid and that the user has consented to the authorization;

C4. The verifier's system reads the public key from the basic DID document of each relevant business system, verifies the signature of the corresponding business system carried by each business credential, accesses the business chain of each relevant business system to query the hash and status of each business credential, and confirms that each business credential is valid;

C5. After the verifier's system completes verification of the joint identity statement, it proceeds with the subsequent business process.

2. The method according to claim 1, characterized in that the digital identity distributed application platform can revoke an issued basic-level digital identity credential, and if a basic-level digital identity credential is revoked, its revocation status is also stored on the digital identity chain; the user can apply to the digital identity distributed application platform to freeze or unfreeze a basic-level digital identity credential the user has obtained, and the frozen and unfrozen status of that credential is also stored on the digital identity chain.
CN202410132964.5A 2024-01-31 2024-01-31 Trusted digital identity issuing and distributed authentication method Pending CN117978404A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202410132964.5A CN117978404A (en) 2024-01-31 2024-01-31 Trusted digital identity issuing and distributed authentication method

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202410132964.5A CN117978404A (en) 2024-01-31 2024-01-31 Trusted digital identity issuing and distributed authentication method

Publications (1)

Publication Number Publication Date
CN117978404A true CN117978404A (en) 2024-05-03

Family

ID=90855053

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202410132964.5A Pending CN117978404A (en) 2024-01-31 2024-01-31 Trusted digital identity issuing and distributed authentication method

Country Status (1)

Country Link
CN (1) CN117978404A (en)


Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination