CN112199721A - Authentication information processing method, device, equipment and storage medium - Google Patents
- Publication number: CN112199721A (application CN202011092255.7A)
- Authority: CN (China)
- Prior art keywords: authentication, information, target object, identity, entity node
- Legal status: Granted
Classifications
- G—PHYSICS
- G06—COMPUTING OR CALCULATING; COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/60—Protecting data
- G06F21/62—Protecting access to data via a platform, e.g. using keys or access control rules
- G06F21/6218—Protecting access to data via a platform, e.g. using keys or access control rules to a system of files or objects, e.g. local or distributed file system or database
- G06F21/6245—Protecting personal data, e.g. for financial or medical purposes
- G—PHYSICS
- G06—COMPUTING OR CALCULATING; COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/60—Protecting data
- G06F21/64—Protecting data integrity, e.g. using checksums, certificates or signatures
Abstract
The disclosure provides an authentication information processing method, apparatus, device and storage medium, and relates to the technical field of blockchains. The method comprises the following steps: acquiring a target object distributed identity identifier and target private information of a target object through a first authentication entity node in a blockchain network; generating, by the first authentication entity node, target authentication information of the target object according to the target object distributed identity identifier and the target private information; signing the target authentication information with a first authentication entity private key corresponding to the first authentication entity distributed identity identifier of the first authentication entity node to generate a first authentication credential; storing the target private information offline at the first authentication entity node; and sending the first authentication credential to an identity center communicatively connected with each node in the blockchain network, so that each node in the blockchain network shares the first authentication credential. The method protects the private information of the user while user information is shared among organizations.
Description
Technical Field
The present disclosure relates to the field of blockchain technology, and in particular to an authentication information processing method, apparatus, device, and readable storage medium.
Background
When an individual user or an enterprise user conducts business with an organization, the user is generally required to provide private information, such as identity card information, mobile phone numbers or tax payment information, to prove the user's qualifications, provide attribute certification, and so on. After a user provides private information to one organization, the corresponding qualification or attribute certification can be obtained at that organization, but when the user needs to do business with another organization, the private information still has to be provided again to obtain the required qualification or attribute certification. If the private information were instead shared among the organizations, the risk of privacy disclosure would increase as the user's private information circulated.
As described above, how to implement user information sharing between organizations without revealing the private information of a user has become an urgent problem to be solved.
The above information disclosed in this background section is only for enhancement of understanding of the background of the disclosure and therefore it may contain information that does not constitute prior art that is already known to a person of ordinary skill in the art.
Disclosure of Invention
The invention aims to provide an authentication information processing method, an authentication information processing device, authentication information processing equipment and a readable storage medium, so that private information of a user is protected under the condition of user information sharing between organizations.
Additional features and advantages of the disclosure will be set forth in the detailed description which follows, or in part will be obvious from the description, or may be learned by practice of the disclosure.
According to an aspect of the present disclosure, there is provided an authentication information processing method including: acquiring a target object distributed identity identifier and target private information of a target object through a first authentication entity node in a blockchain network; generating, by the first authentication entity node, target authentication information of the target object according to the target object distributed identity identifier and the target private information; signing the target authentication information with a first authentication entity private key corresponding to a first authentication entity distributed identity identifier of the first authentication entity node to generate a first authentication credential; storing the target private information offline at the first authentication entity node; and sending the first authentication credential to an identity center communicatively connected with each node in the blockchain network, so that each node in the blockchain network can share the first authentication credential.
According to an embodiment of the present disclosure, the method further comprises: acquiring the target object distributed identity identifier and a first authentication credential identifier through an information-using entity node in the blockchain network, wherein the first authentication credential identifier corresponds to the first authentication credential; acquiring, by the information-using entity node, the first authentication credential from the identity center according to the target object distributed identity identifier and the first authentication credential identifier; and verifying, by the information-using entity node, the first authentication credential according to a transaction record of the blockchain network.
According to an embodiment of the present disclosure, the acquiring, by the information-using entity node, of the first authentication credential from the identity center according to the target object distributed identity identifier and the first authentication credential identifier includes: resolving, by the information-using entity node, the target object distributed identity identifier to obtain a target object distributed identity identifier document; obtaining, by the information-using entity node, the address of the identity center from the target object distributed identity identifier document; accessing, by the information-using entity node, the address of the identity center to obtain the authentication credential list of the target object; and acquiring the first authentication credential from the authentication credential list according to the first authentication credential identifier.
According to an embodiment of the present disclosure, the resolving, by the information-using entity node, of the target object distributed identity identifier to obtain the target object distributed identity identifier document includes: obtaining, by the information-using entity node, the first authentication entity distributed identity identifier according to the first authentication credential identifier; accessing, by the information-using entity node, the first authentication entity node according to the first authentication entity distributed identity identifier; acquiring, by the first authentication entity node, the address of the target object distributed identity document from a distributed hash table according to the encrypted file name corresponding to the target private information; and accessing, by the information-using entity node, the address of the target object distributed identity document and obtaining the target object distributed identity document by resolution.
According to an embodiment of the present disclosure, the address of the target object distributed identity document is an address of the target object distributed identity document at the first authentication entity node, or the address of the target object distributed identity document is an address of the target object distributed identity document at the identity center.
According to an embodiment of the present disclosure, the method further comprises: acquiring the target object distributed identity identifier of the target object and updated target private information through a second authentication entity node in the blockchain network; generating, by the second authentication entity node, updated target authentication information of the target object according to the target object distributed identity identifier and the updated target private information; signing the updated target authentication information with a second authentication entity private key corresponding to a second authentication entity distributed identity identifier of the second authentication entity node to generate a second authentication credential; storing the updated target private information offline at the second authentication entity node; and sending the second authentication credential to the identity center so that each node in the blockchain network can share the second authentication credential.
According to an embodiment of the present disclosure, the method further comprises: acquiring the target object distributed identity identifier and a second authentication credential identifier through an information-using entity node in the blockchain network, wherein the second authentication credential identifier corresponds to the second authentication credential; acquiring, by the information-using entity node, the authentication credential list of the target object from the identity center according to the target object distributed identity identifier and the second authentication credential identifier, wherein the authentication credential list comprises the first authentication credential and the second authentication credential; acquiring, by the information-using entity node, the second authentication credential from the authentication credential list according to the second authentication credential identifier; and verifying, by the information-using entity node, the second authentication credential according to the transaction record of the blockchain network.
According to an embodiment of the present disclosure, the method further comprises: the first authentication entity node acquires the target object distributed identity identifier and updated target private information; the first authentication entity node generates updated target authentication information of the target object according to the target object distributed identity identifier and the updated target private information; the updated target authentication information is signed with the first authentication entity private key corresponding to the first authentication entity distributed identity identifier of the first authentication entity node to generate an updated first authentication credential; the target private information stored at the first authentication entity node is updated so that the updated target private information is stored offline at the first authentication entity node; and the updated first authentication credential is sent to the identity center so that the first authentication credential stored in the identity center is updated to the updated first authentication credential.
According to an embodiment of the present disclosure, the identifier of the updated first authentication credential is the first authentication credential identifier, and the method further comprises: acquiring the target object distributed identity identifier and the first authentication credential identifier through an information-using entity node in the blockchain network; obtaining, by the information-using entity node, the updated first authentication credential from the identity center according to the target object distributed identity identifier and the first authentication credential identifier; and verifying, by the information-using entity node, the updated first authentication credential according to a transaction record of the blockchain network.
According to an embodiment of the present disclosure, the method further comprises: marking the first authentication credential at the identity center by the first authentication entity node.
According to an embodiment of the present disclosure, the method further comprises: marking the first authentication credential at the identity center by an information-using entity node in the blockchain network.
According to an aspect of the present disclosure, there is provided an authentication information processing apparatus including: an information acquisition module, used for acquiring a target object distributed identity identifier and target private information of a target object through a first authentication entity node in a blockchain network; a credential generating module, used for generating, by the first authentication entity node, target authentication information of the target object according to the target object distributed identity identifier and the target private information; a credential authentication module, used for signing the target authentication information with a first authentication entity private key corresponding to a first authentication entity distributed identity identifier of the first authentication entity node to generate a first authentication credential; a private information storage module, used for storing the target private information offline at the first authentication entity node; and an authentication credential storage module, used for sending the first authentication credential to an identity center communicatively connected with each node in the blockchain network, so that each node in the blockchain network can share the first authentication credential.
According to an aspect of the present disclosure, there is provided an apparatus comprising: a memory, a processor and executable instructions stored in the memory and executable in the processor, the processor implementing any of the methods described above when executing the executable instructions.
According to an aspect of the present disclosure, there is provided a computer-readable storage medium having stored thereon computer-executable instructions that, when executed by a processor, implement any of the methods described above.
According to an aspect of the disclosure, there is provided a computer program product or computer program comprising computer instructions stored in a computer-readable storage medium. The processor of a computer device reads the computer instructions from the computer-readable storage medium and executes them, so that the computer device carries out any one of the methods described above.
The authentication information processing method provided by the embodiments of the disclosure acquires a target object distributed identity identifier and target private information of a target object through a first authentication entity node in a blockchain network; the first authentication entity node generates the target authentication information of the target object according to the target object distributed identity identifier and the target private information, signs the target authentication information with a first authentication entity private key corresponding to the first authentication entity distributed identity identifier of the first authentication entity node to generate a first authentication credential, stores the target private information offline at the first authentication entity node, and sends the first authentication credential to an identity center communicatively connected to each node in the blockchain network, so that each node in the blockchain network shares the first authentication credential. The private information of the user is therefore protected while user information is shared between organizations.
It is to be understood that both the foregoing general description and the following detailed description are exemplary and explanatory only and are not restrictive of the disclosure.
Drawings
The above and other objects, features and advantages of the present disclosure will become more apparent by describing in detail exemplary embodiments thereof with reference to the attached drawings.
Fig. 1A shows a schematic diagram of a system architecture in an embodiment of the disclosure.
Fig. 1B is a flowchart illustrating a block generation method in a blockchain according to an embodiment of the disclosure.
FIG. 2A is a diagram illustrating a system architecture for authentication information processing, according to an example embodiment.
Fig. 2B is a flow diagram illustrating authentication information processing based on the system architecture of fig. 2A according to an example embodiment.
Fig. 2C is a general flow diagram illustrating a KYB & KYC information authentication and use service according to an exemplary embodiment.
Fig. 3 is a flowchart illustrating a method of authentication information processing according to an example embodiment.
FIG. 4 is a flow diagram illustrating a method of authentication credential use according to an example embodiment.
Fig. 5 is a flowchart illustrating an authentication credential acquisition method according to an example embodiment.
Fig. 6 shows an exemplary process of step S4042 in fig. 5.
Fig. 7 is a KYB & KYC information flow diagram shown in accordance with an exemplary embodiment.
Fig. 8 is an information interaction diagram illustrating a KYB & KYC information voucher usage business process according to an exemplary embodiment.
Fig. 9 is a flow diagram illustrating a method of authentication credential update in accordance with an example embodiment.
FIG. 10 is a flow diagram illustrating a method of using an updated authentication credential in accordance with an example embodiment.
Fig. 11 is a flow diagram illustrating another authentication credential update method in accordance with an example embodiment.
FIG. 12 is a flow chart illustrating a method of using an updated authentication credential in accordance with an example embodiment.
Fig. 13 is another KYB & KYC information flow diagram shown in accordance with an exemplary embodiment.
Fig. 14 is a schematic diagram illustrating a KYB & KYC information anti-counterfeiting process according to an exemplary embodiment.
Fig. 15 is a flow diagram illustrating a DID operation according to an exemplary embodiment.
FIG. 16 is an architectural diagram illustrating a DID Document content according to an exemplary embodiment.
Fig. 17 is an information interaction diagram illustrating a DID-based business process flow according to an example embodiment.
FIG. 18A is an architectural diagram illustrating a Verifiable Claims content, according to an exemplary embodiment.
FIG. 18B is an architectural diagram illustrating a Verifiable Credential content, according to an exemplary embodiment.
FIG. 18C is an architectural diagram illustrating a Verifiable Presentation content according to an exemplary embodiment.
FIG. 18D is a schematic diagram illustrating a process flow for generating a Verifiable Claim according to an exemplary embodiment.
Fig. 19 is a block diagram illustrating an authentication information processing apparatus according to an exemplary embodiment.
Fig. 20 is a block diagram illustrating another authentication information processing apparatus according to an example embodiment.
Fig. 21 shows a schematic structural diagram of an electronic device in an embodiment of the present disclosure.
Detailed Description
Example embodiments will now be described more fully with reference to the accompanying drawings. Example embodiments may, however, be embodied in many different forms and should not be construed as limited to the examples set forth herein; rather, these embodiments are provided so that this disclosure will be thorough and complete, and will fully convey the concept of example embodiments to those skilled in the art. The drawings are merely schematic illustrations of the present disclosure and are not necessarily drawn to scale. The same reference numerals in the drawings denote the same or similar parts, and thus their repetitive description will be omitted.
Furthermore, the described features, structures, or characteristics may be combined in any suitable manner in one or more embodiments. In the following description, numerous specific details are provided to give a thorough understanding of embodiments of the disclosure. One skilled in the relevant art will recognize, however, that the subject matter of the present disclosure can be practiced without one or more of the specific details, or with other methods, apparatus, steps, etc. In other instances, well-known structures, methods, devices, implementations, or operations are not shown or described in detail to avoid obscuring aspects of the disclosure.
Further, in the description of the present disclosure, unless otherwise explicitly specified or limited, terms such as "connected" and the like are to be construed broadly, e.g., may be electrically connected or may be in communication with each other; may be directly connected or indirectly connected through an intermediate. "plurality" means at least two, e.g., two, three, etc., unless specifically limited otherwise. The specific meaning of the above terms in the present disclosure can be understood by those of ordinary skill in the art as appropriate.
The following explains the terms and abbreviations referred to in the present disclosure.
Know Your Customer (KYC): a financial institution implements the real-name account system, needs to know the actual controller of a personal account and the actual beneficiary of a transaction, and also needs to fully understand the identity, permanent address and business engaged in by a corporate client, so that it can take corresponding measures.
Know Your Business (KYB): a financial institution needs to understand the basic situation and changes of a corporate client's business and finances, and must carry out basic double verification, or independent review or approval by a superior, according to different limits, on large flows of funds.
Distributed identity identifier (DID): a new type of identifier that is globally unique, highly available, resolvable and cryptographically verifiable. DIDs are typically associated with cryptographic material (e.g., public keys) and service endpoints to establish secure communication channels. DIDs are useful for any application that benefits from self-managed, cryptographically verifiable identifiers, such as personal identifiers, organizational identifiers, and identifiers in internet of things scenarios. For example, current commercial deployments of W3C Verifiable Credentials use DIDs extensively to identify people, organizations, and things, and implement many security and privacy safeguards. The main DID standards include the W3C DID standard (A Primer for Decentralized Identifiers) and the work of the Decentralized Identity Foundation (DIF).
Fig. 1A illustrates an exemplary data sharing system architecture 100 to which the authentication information processing method and apparatus of the present disclosure may be applied. Referring to the data sharing system 100 shown in fig. 1A, the data sharing system 100 is a system for sharing data between nodes; it may include a plurality of nodes 101, which may be the respective clients in the data sharing system, for example authentication entity nodes, financial institution nodes and the like. Each node 101 may receive input information during normal operation and maintain shared data within the data sharing system based on the received input information; for example, an authentication entity node receives a target object distributed identity identifier and target private information of a target object. To ensure information exchange within the data sharing system, an information connection can exist between each pair of nodes, and information is transmitted between nodes over these connections. For example, after the authentication entity node generates the target authentication information of the target object according to the target object distributed identity identifier and the target private information, it may sign the target authentication information with the private key corresponding to its authentication entity distributed identity identifier to generate an authentication credential, and send the authentication credential to an identity center communicatively connected with each node in the blockchain network, so that each node in the blockchain network can share the authentication credential.
Referring to fig. 1B, when each block in the blockchain is generated, the node where the blockchain is located receives input information such as target private information (S101) and verifies it; after verification, the input information can be stored offline in a memory pool and the hash tree recording the input information is updated (S102); the update timestamp is then set to the time at which the input information was received (S103); different random numbers are tried (S104) and the characteristic value is calculated (S105) repeatedly (S106) until the calculated characteristic value satisfies the following formula:
SHA256(SHA256(version+prev_hash+merkle_root+ntime+nbits+x))<TARGET
Here SHA256 (hash256) is the characteristic value algorithm used to calculate the characteristic value; it converts a message of any length into a short message digest of fixed length. For example, the hash256 algorithm can be used to calculate the characteristic value of the target private information and generate the encrypted file name corresponding to the target private information. version is the version information of the relevant block protocol in the blockchain; prev_hash is the block header characteristic value of the parent block of the current block; merkle_root is the characteristic value of the input information; ntime is the update time of the update timestamp; nbits is the current difficulty, a fixed value within a period of time that is determined again after that fixed period is exceeded; x is the random number; and TARGET is the characteristic value threshold, which can be determined from nbits.
Thus, when a random number satisfying the above formula has been found, the information can be stored accordingly, and the block header and block body are generated to obtain the current block (S107). The node where the blockchain is located then sends the newly generated block to the other nodes in its data sharing system according to their node identifiers (S108); the other nodes check the newly generated block and, after the check is complete, add it to the blockchain they store (S109).
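The block-generation check described above, as an added Go example that is not part of the patent: the header fields named in the formula are serialized, hashed with SHA256(SHA256(...)), compared against TARGET, and the random number x is searched for (steps S104 to S106). Field widths, little-endian layout, the sample header contents and the Bitcoin-style compact expansion of nbits into TARGET are all assumptions, since the page gives only the field names.

```go
package main

import (
	"bytes"
	"crypto/sha256"
	"encoding/binary"
	"fmt"
	"math/big"
)

// BlockHeader carries the fields named in the page's formula; the widths and
// little-endian layout are assumptions, as the page gives only the field names.
type BlockHeader struct {
	Version    uint32
	PrevHash   [32]byte
	MerkleRoot [32]byte
	NTime      uint32
	NBits      uint32
	Nonce      uint32 // the random number x
}

// TargetFromNBits expands the compact difficulty encoding (assumed Bitcoin style):
// high byte = exponent, low three bytes = mantissa, TARGET = mantissa * 256^(exponent-3).
func TargetFromNBits(nbits uint32) *big.Int {
	exp := int(nbits >> 24)
	mant := big.NewInt(int64(nbits & 0x007fffff))
	if exp <= 3 {
		return mant.Rsh(mant, uint(8*(3-exp)))
	}
	return mant.Lsh(mant, uint(8*(exp-3)))
}

// Serialize is the concatenation version+prev_hash+merkle_root+ntime+nbits+x.
func (h BlockHeader) Serialize() []byte {
	var buf bytes.Buffer
	if err := binary.Write(&buf, binary.LittleEndian, h); err != nil {
		panic(err)
	}
	return buf.Bytes()
}

// FeatureValue computes SHA256(SHA256(header)) and reads it as a big-endian integer.
func FeatureValue(h BlockHeader) *big.Int {
	first := sha256.Sum256(h.Serialize())
	second := sha256.Sum256(first[:])
	return new(big.Int).SetBytes(second[:])
}

// Satisfies reports whether SHA256(SHA256(...)) < TARGET holds for the header.
func Satisfies(h BlockHeader) bool {
	return FeatureValue(h).Cmp(TargetFromNBits(h.NBits)) < 0
}

// FindNonce is steps S104 to S106: try successive x until the feature value is
// below TARGET, giving up after maxTries so an unsatisfiable nbits cannot loop forever.
func FindNonce(h BlockHeader, maxTries uint32) (BlockHeader, bool) {
	for x := uint32(0); x < maxTries; x++ {
		h.Nonce = x
		if Satisfies(h) {
			return h, true
		}
	}
	return h, false
}

// SampleHeader is a constructed header: the merkle root is the digest of sample
// private information, since the page says hash256 also names the encrypted file.
func SampleHeader(nbits uint32) BlockHeader {
	return BlockHeader{
		Version:    1,
		PrevHash:   sha256.Sum256([]byte("constructed parent block")),
		MerkleRoot: sha256.Sum256([]byte("constructed target private information")),
		NTime:      1602460800,
		NBits:      nbits,
	}
}

func main() {
	h, ok := FindNonce(SampleHeader(0x2000ffff), 1<<20) // easy difficulty: top byte must be zero
	fmt.Printf("found=%v nonce=%d feature=%064x\n", ok, h.Nonce, FeatureValue(h))
}
```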
The technical solution provided by the embodiments of the present disclosure relates to the aspects of generation, storage, use, verification, and the like of authentication information based on a block chain, and is now illustrated by specific embodiments.
As described above, an individual user or a business user may conduct financial transactions in multiple countries and at multiple financial institutions. The regulatory environment for financial institutions in each country is relatively complex, so the time and economic cost of performing KYB & KYC is high. The current regulatory environments of banks, financial institutions and other regulated institutions in various countries are extremely complex, the regulations differ from country to country, unified standards are lacking, and regulatory pressure only increases, so the time and economic cost of KYB & KYC for financial institutions keeps rising.
KYB for a corporate user is more complicated than KYC for an individual user, and may also cover complex ownership structures, business scope, upstream and downstream enterprises, company scale, main decision makers and the like. In addition to knowledge of corporate and personal background, KYB & KYC requires constant monitoring of the customer's daily transaction size, frequency, and origin and destination, for compliance and anti-money laundering purposes.
The current compliance environment is inherently complex: institutions understand compliance requirements differently and take different compliance measures, and the data sources used when performing KYB & KYC procedures, and their complexity, differ, partly because of the different risk profile of each individual. Regulators, taking the risk-based approach advocated for anti-money laundering as the basis, are reluctant to specify which measures are necessary, leading to divergence in financial institutions' understanding of regulatory requirements. All parties, and the entire financial industry, would benefit if KYB & KYC regulations and procedures could be standardized.
In the related art, user data cannot be shared among countries and financial institutions. Digitization means that data such as the names of senior managers of listed companies, the registration places of organizations and company addresses is increasingly easy to obtain. Of course, some data, such as Ultimate Beneficial Owner (UBO) information, remain difficult to obtain. Even easily obtained data still causes difficulties in KYB procedures, and challenges such as screening which data are more reliable, which are most time-sensitive, and how to convert the data into useful information still need to be dealt with. Additionally, a regulatory action is likely to be triggered if a financial institution fails to acquire or utilize relevant data: if a financial institution is able to obtain relevant data, it should analyze that information when performing risk assessment on the end user, and failing to do so may cause regulatory action. When a user goes to different financial institutions to do business, the user must repeatedly submit data for KYB & KYC. To protect user privacy, each financial institution is a data island and cannot share user data.
Therefore, the present disclosure provides an authentication information processing method that acquires a target object distributed identity identifier and target private information of a target object through a first authentication entity node in a blockchain network; the first authentication entity node generates target authentication information of the target object according to the target object distributed identity identifier and the target private information, signs the target authentication information with a first authentication entity private key corresponding to the first authentication entity distributed identity identifier of the first authentication entity node to generate a first authentication credential, stores the target private information offline at the first authentication entity node, and sends the first authentication credential to an identity center communicatively connected with each node in the blockchain network, so that each node in the blockchain network shares the first authentication credential. In this way the private information of a user is protected while user information is shared between organizations, the KYB & KYC regulations and procedures of each financial institution joining the chain are standardized, data islands are opened up, and multiple regulatory requirements are met.
Figs. 2A to 2C show the overall scheme of the authentication information processing method of the present application according to an exemplary embodiment. Fig. 2A is a diagram of a system architecture for authentication information processing according to an example embodiment. As shown in fig. 2A, financial institutions and regulatory agencies each participate in the blockchain network; a financial institution may act as the certification institution 202 or as the KYB & KYC information-using institution 204, and each of them serves as an independent node in the blockchain network.
The certification institution 202 collects and certifies the KYB information of an enterprise or the KYC information of a user through a terminal, generates a certificate, attaches a signature to confirm it, obtains a certification credential, and stores the KYB & KYC information content offline in a node operated by the certification institution (S2002). The terminal devices of the certification institution 202 may be any electronic devices with a display screen that support input and output, including but not limited to smartphones, tablets, laptop computers, desktop computers, wearable devices, virtual reality devices and smart home devices. The certification credentials form the DID Documents of the enterprise's and the user's identities and are stored in the identity center 210 connected to the blockchain network. The network is the medium providing the communication links and may include various connection types, such as wired links, wireless links or optical fiber. The certification credential can be used by the nodes on the network, and its use is governed by access permissions: for example, the information-using institution 204 can only obtain the certification credential, whereas the regulatory agency 206 has higher authority and can also obtain the KYB & KYC information content for verification.
Each counterparty in the network only needs to verify the validity of the signature against the other party's DID, and does not need to know who the counterparty of the transaction is. The blockchain ensures that KYB & KYC information can be traced and verified from its collection through each subsequent change. A network based on blockchain technology provides security, stability and fault tolerance for the network nodes, and ensures the safe storage of KYB & KYC information.
The regulatory agency may be a regulatory agency 206 that checks KYB & KYC information, or a regulatory agency 208 that supervises financial transactions between financial institutions. For example, financial transactions initiated by the certification institution 202 and the information-using institution 204 can be synchronized in real time through the blockchain to a node of the regulatory agency 208, which can then supervise the attributes of the transaction during or after the fact. The regulatory agency 208 may, for example, verify the DIDs and signatures of both parties in the transaction record, or obtain the transaction information after the transaction and verify its content.
Through the cryptographic mechanisms of the blockchain, KYB & KYC information becomes trustworthy between institutions and can therefore be reused, which saves KYB & KYC authentication cost. At the same time, institutions are interconnected through the distributed technology, regulatory instructions are executed in real time, regulatory efficiency is improved, and distributed storage is more secure.
Fig. 2B is a flow diagram of authentication information processing based on the system architecture of fig. 2A according to an example embodiment. As shown in fig. 2B, an enterprise user or individual user 201 submits KYB or KYC information to any financial institution 202 that has joined the network for authentication; the financial institution 202 stores (S2004) the credentials of the authenticated KYB & KYC information in an identity center 210 connected to the blockchain network; any other financial institution on the chain (such as the using institution 204) and the regulatory agency 206 can then synchronously obtain consistent information; and every write or modification of the on-chain KYB & KYC information must be signed and confirmed by the institution performing it. Distributed storage and shared authentication of KYB & KYC information are thereby realized on blockchain technology.
Fig. 2C is a general flow diagram of a KYB & KYC information authentication and usage service according to an exemplary embodiment. As shown in fig. 2C, a user first creates a distributed identity (DID) in the blockchain network (S2020) and submits KYB & KYC information to the certification institution under that DID; the certification institution then issues certification credentials for the certified KYB & KYC information (S2040); and when the user transacts business at a using institution, the using institution verifies the certification credentials (S2060).
Fig. 3 is a flowchart illustrating a method of authentication information processing according to an example embodiment. The flow shown in fig. 3 may be a specific processing procedure of step S2020, step S2040, step S2002 and step S2004 in fig. 2A to 2C. The method shown in fig. 3 may be applied to the data sharing system 100 described above, and in particular to the system in fig. 2A described above, for example.
Referring to fig. 3, a method 30 provided by an embodiment of the present disclosure may include the following steps.
In step S302, a target object distributed identity and target private information of a target object are obtained through a first authentication entity node in the blockchain network. The user is the target object. On a terminal managed by an authentication entity (such as a financial institution able to authenticate user information), the user can upload information such as an identity card number, mobile phone number and e-mail address, and a Distributed Identity (DID) managed by that authentication entity is created for the user. The hosting authentication institution is the controller of the user's DID, and a certification credential can be added to the Identity Hub listed under the service field of the DID Document associated with the DID. The operations on the DID and DID Document are described with reference to fig. 15, and their content and meaning with reference to fig. 16. The DID can be used for cross-institution identity authentication: when the user submits the identity card and mobile phone information required for a transaction to a first authentication entity, the user can also provide the DID so that the entity can associate the information with it; when an information-using entity requires a certification credential, the user provides the DID to that entity, which then looks up the associated credentials by DID. The user submits target private information such as KYB & KYC information to the first authentication entity node managed by the authenticating financial institution, and the back end managed by the first authentication entity completes the following checks on the KYB & KYC information: the certificate material is genuine; the certificate information is consistent; the person and the certificate match; and so on.
The KYB & KYC certification may be a certification, by a certification institution, of service-related information of the user, such as tax payment information, academic information or social security payment information.
In step S304, the first authentication entity node generates target authentication information of the target object according to the target object distributed identity and the target private information. After the authenticating financial institution has checked the user's identity and certificate information for authenticity, it associates the user's DID with the KYB/KYC information and assembles a certificate that serves as the target authentication information. The assembly computes a hash value (a string of letters and digits) over the user's DID and KYB/KYC information, for example with the SHA-256 algorithm; other hash algorithms such as SHA-224 or SHA-512 may also be used.
In some embodiments, the target authentication information may be a qualification certificate of the user, such as a certificate that the user's identity is valid, that the individual user holds a master's degree, or that the enterprise user is a high-tech enterprise.
In other embodiments, the target authentication information may be a proof of an attribute of the user, such as a proof that the individual user's age is no greater than 40, or that the enterprise user has paid tax for more than 10 years.
In step S306, the target authentication information is signed with the first authentication entity private key corresponding to the first authentication entity distributed identity of the first authentication entity node, producing a first authentication credential. The key pair of the first authentication entity, a public key and a private key, is generated by a cryptographic algorithm; the public key is the part published to the outside and the private key is the part kept secret. The authenticating financial institution signs the certificate assembled in the previous step with its private key and obtains a new string of letters and digits as the authentication credential. When the user later transacts business at another financial institution (an information-using entity) that needs a qualification certificate or attribute information, the user only has to provide that entity with the credential signed by the first authentication entity. The information-using entity verifies the credential and obtains a proof about the user's information without reading the KYB & KYC information itself, so complete disclosure, partial disclosure and attribute proofs are all supported under the principle of minimal information disclosure. As noted above, the verifier obtains the public key for this check through the first authentication entity's DID rather than from the credential it is checking.
In step S308, the target private information is stored offline at the first authentication entity node. KYB & KYC information may take various forms, such as text or pictures, and its original files may be stored at the first authentication entity node. The first authentication entity node may comprise an online part and an offline part. The online part can be set to public, so that every node in the blockchain network can access it; the offline part is set to private, so that only the first authentication entity node can access it and other parties can read it only if the first authentication entity node grants access. The blockchain's consistent ledger only needs to record hash verification information such as the authentication credentials, while the complete KYB & KYC information is kept offline, in file form, at the respective blockchain storage nodes, so the user's KYB & KYC information stored offline at the node is effectively protected.
In step S310, the first authentication credential is sent to an identity center communicatively connected to each node in the blockchain network, so that each node in the blockchain network shares the first authentication credential. The DID Document corresponding to the user's DID may also be stored in the identity center, which may be, for example, the Identity Hub identity repository developed by Microsoft Corporation. The DID Document includes a service field, and the Identity Hub that stores the authentication credentials managed by the DID is set in that service field. The Identity Hub may operate in a non-blockchain network that is communicatively connected to the blockchain network. The authentication credentials may be managed as Verifiable Claims, as described with reference to figs. 18A to 18D.
According to the authentication information processing method provided by the embodiment of the disclosure, a target object distributed identity and target private information of a target object are obtained through a first authentication entity node in a blockchain network; the first authentication entity node generates target authentication information of the target object from the distributed identity and the private information; the target authentication information is signed with the first authentication entity private key corresponding to the first authentication entity distributed identity to generate a first authentication credential; the target private information is stored offline at the first authentication entity node; and the first authentication credential is sent to an identity center communicatively connected to each node in the blockchain network, so that each node shares the first authentication credential. The user's private information is thus protected while user information is shared between institutions. Because the target authentication information is stored through the blockchain's distributed network, each node does not have to store all on-chain content, which saves space and bandwidth. The KYB & KYC authentication information is signed with the private key of the authentication institution before it is stored, which improves feasibility and security.
FIG. 4 is a flow diagram illustrating a method of authentication credential use according to an example embodiment. The flow shown in fig. 4 may be a specific processing procedure of step S2060 in fig. 2C. The method shown in fig. 4 may be applied to the data sharing system 100 described above, and in particular to the system in fig. 2A described above, for example.
Referring to fig. 4, a method 40 provided by an embodiment of the present disclosure may include the following steps.
In step S402, an information-using entity node in the blockchain network obtains a target object distributed identity identifier and a first authentication credential identifier, where the first authentication credential identifier corresponds to the first authentication credential. Each authentication credential has an identifier; see the identifier 1802 of the verifiable claim 180 in fig. 18A. A user may hold several authentication credentials, and several credentials may be associated with the user's DID. When the user needs to present an authentication credential to transact business at an information-using entity (a using institution), the user selects the appropriate credential. The user can review his or her credentials on a terminal managed by the DID creation platform (such as the first authentication entity node of the authenticating financial institution), select a suitable credential and submit it to the using institution, which obtains the credential's identifier and uses it to retrieve the credential's content.
In step S404, the information-using entity node obtains the first authentication credential from the identity center according to the target object distributed identity identifier and the first authentication credential identifier. For a specific implementation of this step, see steps S8001 to S8010 in figs. 5, 6 and 8.
In step S406, the information-using entity node verifies the first authentication credential against the transaction record of the blockchain network. When the using institution verifies the first authentication credential, it compares the random-number field in the credential with the random number of the corresponding authenticating financial institution's signing operation in the blockchain transaction record, to verify that the credential was signed on the blockchain. For details, see steps S8011 to S8014 in fig. 8.
According to the authentication credential usage method provided by the embodiment of the disclosure, after the using institution obtains the authentication credential from the identity center by the DID and the credential identifier, it only needs to verify that the credential's signature is genuine and valid to confirm the user attribute required by the service, and it does not need to read the KYB & KYC information. The institution can thus reuse the user's authentication information while the user's private information is effectively protected, and the cost of repeatedly authenticating the user is saved.
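As an added illustration of methods 30 and 40 (figs. 3 and 4), not code from the patent: the Go program below issues a credential the way steps S302 to S310 describe (hash the user's DID together with the KYB/KYC record, sign with the authentication entity's private key, keep the raw record offline at the node, record the signing nonce in the ledger, publish to the identity hub) and then verifies it the way steps S402 to S406 describe (fetch by DID and credential identifier, resolve the issuer's public key through the issuer's DID, check the signature, match the nonce against the ledger). The credential layout, the `did:example:` identifiers, the in-memory `Ledger`, `Hub` and `Resolver` maps and the sample KYC values are assumptions standing in for the blockchain, the Identity Hub and DID resolution; Ed25519 is used because the patent does not name a signature algorithm.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"errors"
	"fmt"
)

// Credential is what the institution signs (S306) and publishes to the hub (S310): a hash
// and attribute claims, never raw KYB/KYC data. Field layout is assumed for this example.
type Credential struct {
	ID        string            `json:"id"`
	Subject   string            `json:"subject"`   // user DID
	Issuer    string            `json:"issuer"`    // DID of the authenticating institution
	ClaimHash string            `json:"claimHash"` // SHA-256 over user DID + private info (S304)
	Claims    map[string]string `json:"claims"`    // e.g. identity_valid=true
	Nonce     string            `json:"nonce"`     // also recorded in the signing transaction (S406)
	Signature string            `json:"signature,omitempty"`
}

// Node is one authentication entity: online DID/public key plus the offline KYB/KYC store (S308).
type Node struct {
	DID     string
	Pub     ed25519.PublicKey
	priv    ed25519.PrivateKey
	offline map[string][]byte // keyed by ClaimHash; never published
}
type Ledger map[string]string              // stand-in for the chain record: nonce -> issuer DID
type Hub map[string][]Credential           // stand-in for the identity hub: user DID -> credentials
type Resolver map[string]ed25519.PublicKey // issuer DID -> public key from its DID Document
func NewNode(name string) *Node {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	return &Node{DID: "did:example:" + name, Pub: pub, priv: priv, offline: map[string][]byte{}}
}

// claimHash (S304): hash the user DID with the private info; json.Marshal sorts keys, so input is canonical.
func claimHash(subject string, private map[string]string) string {
	raw, _ := json.Marshal(private)
	sum := sha256.Sum256(append([]byte(subject+"|"), raw...))
	return hex.EncodeToString(sum[:])
}

// signingBytes: the credential with Signature cleared, encoded deterministically.
func signingBytes(c Credential) []byte {
	c.Signature = ""
	b, _ := json.Marshal(c)
	return b
}

// Issue performs S302..S310: hash, sign, keep private data offline, record nonce on the ledger, publish.
func (n *Node) Issue(subject string, private, claims map[string]string, ledger Ledger, hub Hub) Credential {
	nonce := make([]byte, 16)
	rand.Read(nonce)
	c := Credential{Subject: subject, Issuer: n.DID, ClaimHash: claimHash(subject, private),
		Claims: claims, Nonce: hex.EncodeToString(nonce)}
	c.ID = subject + "#cred-" + c.Nonce[:8]
	c.Signature = hex.EncodeToString(ed25519.Sign(n.priv, signingBytes(c)))
	n.offline[c.ClaimHash], _ = json.Marshal(private) // S308: stays on this node
	ledger[c.Nonce] = n.DID                           // the chain's record of the signing transaction
	hub[subject] = append(hub[subject], c)            // S310
	return c
}

// Verify performs S402..S406 for an information-using entity: fetch by user DID and credential ID,
// resolve the issuer's key from its DID, check the signature, then match the nonce on the chain.
func Verify(hub Hub, ledger Ledger, res Resolver, subject, credID string) (Credential, error) {
	for _, c := range hub[subject] {
		if c.ID != credID {
			continue
		}
		pub, ok := res[c.Issuer]
		if !ok {
			return c, errors.New("issuer DID does not resolve to a public key")
		}
		sig, _ := hex.DecodeString(c.Signature)
		if !ed25519.Verify(pub, signingBytes(c), sig) {
			return c, errors.New("signature does not verify under the issuer's key")
		}
		if ledger[c.Nonce] != c.Issuer {
			return c, errors.New("nonce missing from the issuer's on-chain signing record")
		}
		return c, nil
	}
	return Credential{}, errors.New("credential not found in identity hub")
}

func main() {
	ledger, hub, bankA := Ledger{}, Hub{}, NewNode("bank-a")
	// Constructed sample KYC data; the information-using entity never sees these values.
	c := bankA.Issue("did:example:user-1", map[string]string{"id_number": "110101199001011234"},
		map[string]string{"identity_valid": "true"}, ledger, hub)
	_, err := Verify(hub, ledger, Resolver{bankA.DID: bankA.Pub}, c.Subject, c.ID)
	fmt.Println("verified:", err == nil, "claims:", c.Claims)
}
```

Note what the information-using entity never receives: the identity card number exists only in the node's `offline` store, while the published credential carries its hash, the issuer's claims and a signature that breaks if any claim is altered. The nonce comparison against the ledger is what S406 calls comparing the random-number field with the institution's signing transaction.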
Fig. 5 is a flowchart illustrating an authentication credential acquisition method according to an example embodiment. The flow shown in fig. 5 may be a specific processing procedure of step S404 in fig. 4. The method shown in fig. 5 may be applied to the data sharing system 100 described above, and in particular to the system in fig. 2A described above, for example.
In step S4042, the information-using entity node parses the target object distributed identity to obtain the target object distributed identity document. A specific embodiment of this step is shown in fig. 6.
In step S4044, the information-using entity node obtains the address of the identity center from the target object distributed identity document. The DID Document contains a service field, and the service field holds the address of the Identity Hub that stores the authentication credentials managed by the DID.
In step S4046, the information-using entity node accesses the identity center at that address and obtains the target object's list of authentication credentials.
In step S4048, the first authentication credential is obtained from the authentication credential list according to the first authentication credential identifier.
Fig. 6 shows a specific processing procedure of step S4042 in fig. 5. The processing shown in fig. 6 may be applied to the data sharing system 100 described above, for example, and particularly to the system in fig. 2A described above.
In step S40422, the information-using entity node obtains the first authentication entity distributed identity according to the first authentication credential identifier.
In step S40424, the information-using entity node accesses the first authentication entity node according to the first authentication entity distributed identity.
In step S40426, the first authentication entity node obtains the address of the target object distributed identity document from the distributed hash table according to the encrypted file name corresponding to the target private information. The certification credential signed by the authenticating financial institution is stored in an Identity Hub connected to the blockchain network, and the credential's identifier is stored in the user's DID Document. An encrypted file name is computed, with the SHA-256 algorithm, from the content of the KYB & KYC file associated with the user's DID and added to a distributed hash table managed by the first authentication entity node in the blockchain network. The authenticating financial institution and the information-using institution can look it up by the encrypted file name in the distributed hash table, which maps encrypted file names to the storage addresses of user DID Documents. The encrypted file name is stored at the node of the authenticating financial institution and is configured for public access by the associated user DID. The distributed hash table is maintained by each node in the blockchain network, can be set to public access, and lets the authentication credential be retrieved for verification by accessing the table on a node.
In some embodiments, the address of the target object distributed identity document is its address at the first authentication entity node; that is, the user's DID Document is stored both in the Identity Hub and on the blockchain.
In other embodiments, the address of the target object distributed identity document is its address in the identity center; that is, the user's DID Document is stored in the Identity Hub, and only a hash digest of the DID Document is stored on the blockchain.
In step S40428, the information-using entity node accesses the address of the target object distributed identity document and parses it to obtain the document.
In some embodiments, the user's DID Document stored in the Identity Hub may be accessed through the DID Document stored on the blockchain.
In other embodiments, the user's DID Document stored in the Identity Hub may be accessed through the hash of the DID Document stored on the blockchain, which also lets the accessing node check that the document it fetched from the Identity Hub has not been altered.
The authentication information processing method of the embodiment connects the data islands of different financial institutions and countries through the users' KYB & KYC authentication process, reducing the cost of KYB and KYC and meeting multiple regulatory requirements. A trusted workflow for the KYB & KYC process is built on the blockchain network. Participating parties can efficiently use existing relationships and the necessary data to create a secure "trust network" without revealing sensitive data, and the trust network in turn lowers operating cost and enables a smoother, faster user experience.
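As an added example for steps S4042 to S4044 in the second variant above (DID Document in the Identity Hub, its hash on the blockchain), not the patent's code: the Go program below anchors the SHA-256 of a constructed DID Document in a stand-in chain record, and an information-using node later checks the document it fetched from the hub against that hash before trusting the Identity Hub address in the document's `service` field. The service type `IdentityHub`, the `did:example:` identifier and the endpoint URL are assumptions; the `id`, `service`, `type` and `serviceEndpoint` field names follow the W3C DID Core data model.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
)

// DIDDocument is the subset of a DID Document this example needs: the DID and its
// service entries. Field names follow DID Core; the IdentityHub type is an assumption.
type DIDDocument struct {
	ID      string    `json:"id"`
	Service []Service `json:"service"`
}

type Service struct {
	ID              string `json:"id"`
	Type            string `json:"type"`
	ServiceEndpoint string `json:"serviceEndpoint"`
}

// ChainRecord stands in for the consistency ledger in the variant where only the
// document's hash is on chain: DID -> hex SHA-256 of the DID Document kept in the hub.
type ChainRecord map[string]string

// Anchor is the controller-side step: write SHA-256(document) for the DID on chain.
func Anchor(chain ChainRecord, did string, doc []byte) {
	sum := sha256.Sum256(doc)
	chain[did] = hex.EncodeToString(sum[:])
}

// ResolveHubAddress implements S4042/S4044 for the information-using node: the document
// fetched from the hub must match the on-chain hash and name the requested DID before
// its IdentityHub service endpoint is trusted as the address to query for credentials.
func ResolveHubAddress(chain ChainRecord, did string, docFromHub []byte) (string, error) {
	sum := sha256.Sum256(docFromHub)
	if want := chain[did]; want == "" || want != hex.EncodeToString(sum[:]) {
		return "", errors.New("DID Document does not match the hash recorded on chain")
	}
	var doc DIDDocument
	if err := json.Unmarshal(docFromHub, &doc); err != nil {
		return "", err
	}
	if doc.ID != did {
		return "", errors.New("DID Document id does not match the requested DID")
	}
	for _, s := range doc.Service {
		if s.Type == "IdentityHub" && s.ServiceEndpoint != "" {
			return s.ServiceEndpoint, nil
		}
	}
	return "", errors.New("no IdentityHub service in DID Document")
}

// sampleDoc is a constructed DID Document for this example, not one from the patent.
const sampleDoc = `{"id":"did:example:user-1","service":[{"id":"did:example:user-1#hub","type":"IdentityHub","serviceEndpoint":"https://hub.example.invalid/user-1"}]}`

func main() {
	chain := ChainRecord{}
	Anchor(chain, "did:example:user-1", []byte(sampleDoc))
	addr, err := ResolveHubAddress(chain, "did:example:user-1", []byte(sampleDoc))
	fmt.Println("hub address:", addr, "err:", err)
	// A document changed after anchoring (here: a redirected hub endpoint) fails the hash check.
	altered := strings.Replace(sampleDoc, "hub.example.invalid", "evil.example.invalid", 1)
	_, err = ResolveHubAddress(chain, "did:example:user-1", []byte(altered))
	fmt.Println("altered document:", err)
}
```

Without the hash comparison the hub address would come from whatever document the hub returned, so a tampered document could redirect the credential lookup; with it, the `altered` copy in `main` is rejected before any credential is fetched.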
Fig. 7 is a KYB & KYC information flow diagram according to an exemplary embodiment. The process applies to a user's first submission of KYB/KYC information. As shown in fig. 7, an enterprise user or individual user 702 logs in to the authentication terminal of an authenticating financial institution 704 (S7002) and submits KYB/KYC information to the institution 704 through the terminal (S7004); the institution 704 authenticates the submitted KYB/KYC information (S7006), generates and signs a certificate to obtain an authentication credential, and stores the credential in the distributed storage network 706 (such as a blockchain); when a KYB/KYC information-using institution 708 needs a credential based on the user's KYB/KYC information, it obtains the authentication credential from the distributed storage network 706 (S7008).
Fig. 8 is an information interaction diagram of a KYB & KYC information credential usage business process according to an exemplary embodiment. As shown in fig. 8, when the using institution 804 needs the authentication credential corresponding to KYB & KYC information for a transaction, the user 802 initiates an authentication credential query through the using institution's terminal 804 (S8001). The terminal 804 calls the authentication credential query interface of the institution's back end 806 (for example, a back-end server) (S8002); the back end 806 looks up the user's DID from the pre-stored association with the user identifier (uid) the user used to log in to the institution's platform (S8003), and calls the authentication credential query interface of a network node of the blockchain 808 (S8004). The blockchain 808 determines the service address of the identity center 810 networked with it from the DID Document associated with the user's DID (S8005), as in step S4042 of fig. 5, and then sends an authentication credential query for the user's DID to the identity center 810 at that service address (S8006). The identity center 810 returns the list of authentication credentials associated with the user's DID to the blockchain 808 (S8007), the blockchain 808 returns it to the back end 806 (S8008), the back end 806 returns it to the terminal 804 (S8009), and the terminal 804 picks the credential required by the service out of the list according to the credential the user selected when initiating the query (S8010).
The terminal 804 then calls the authentication credential verification interface of the back end 806 (S8011), and the back end 806 calls the authentication credential verification interface of the blockchain 808 network node (S8012). After the blockchain 808 returns the verification result to the back end 806 (S8013), the service decision platform of the back end 806 decides, on the basis of the credentials whose verification result is "passed", whether the user may transact the relevant business (S8014), and notifies the terminal 804 of the decision (S8015); the terminal 804 shows the result to the user by on-screen display, message notification or the like (S8016).
Fig. 9 is a flow diagram illustrating a method of authentication credential update in accordance with an example embodiment. The method shown in fig. 9 may be applied to the data sharing system 100 described above, and in particular to the system in fig. 2A described above, for example. The method shown in fig. 9 may be used in situations where the authentication entity node performing the information update is different from the authentication entity node where the user first submits the target private information.
Referring to fig. 9, a method 90 provided by embodiments of the present disclosure may include the following steps.
In step S902, the target object distributed identity of the target object and the updated target private information are obtained through the second authentication entity node in the blockchain network.
In step S904, the second authentication entity node generates updated target authentication information for the target object based on the target object distributed identity and the updated target private information.
In step S906, the updated target authentication information is signed by using a second authentication entity private key corresponding to the second authentication entity distributed identity of the second authentication entity node, so as to generate a second authentication credential.
In step S908, the updated target private information is stored offline to the second authentication entity node.
In step S910, the second authentication credential is sent to the identity center, so that each node in the blockchain network shares the second authentication credential.
There is no essential difference between authenticating updated target private information at a new authentication entity and the original, non-updated process; for a specific implementation of obtaining the second authentication credential by authenticating the new KYB & KYC information at the second authentication entity node, see fig. 3, which is not repeated here.
For example, a user authenticates an identity card and mobile phone number 1 at institution A to open an account; institution A signs and obtains authentication credential A, which is stored in the Identity Hub. After the user changes mobile phone number, the user authenticates the identity card and mobile phone number 2 at institution B to open an account there, and institution B signs and obtains authentication credential B, which is also stored in the Identity Hub. When the user later opens an account at institution C, which needs identity card and mobile phone authentication, the user can provide institution C with credential B, that is, the credential corresponding to the updated mobile phone number.
FIG. 10 is a flow diagram illustrating a method of using an updated authentication credential in accordance with an example embodiment. The method as shown in figure 10 may be used for authentication credentials updated using the method of figure 9 described above. The method shown in fig. 10 may be applied to the data sharing system 100 described above, and in particular to the system in fig. 2A described above, for example.
In step S1002, an information-using entity node in the blockchain network obtains a target object distributed identity identifier and a second authentication credential identifier, where the second authentication credential identifier corresponds to the second authentication credential.
In step S1004, the information-using entity node obtains the authentication credential list of the target object from the identity center according to the target object distributed identity identifier and the second authentication credential identifier, where the authentication credential list includes the first authentication credential and the second authentication credential.
In step S1006, the information-using entity node acquires the second authentication credential from the authentication credential list according to the second authentication credential identifier. When the user views the authentication credentials associated with his or her DID, the user can see each credential's timestamp and can therefore select the updated credential and provide its identifier to the using institution. The identity center storing the user's DID may also offer a tagging function, so that the user can, for example, name his or her credentials to make them easy to select when used.
In step S1008, the information usage entity node verifies the second authentication credential according to the transaction record of the blockchain network.
Fig. 11 is a flow diagram illustrating another authentication credential update method in accordance with an example embodiment. The method shown in fig. 11 may be applied to the data sharing system 100 described above, and in particular to the system in fig. 2A described above, for example. The method shown in fig. 11 may be used in the case where the authentication entity node performing information update is the same as the authentication entity node where the user first submits the target private information. Referring to fig. 11, a method 110 provided by an embodiment of the present disclosure may include the following steps.
In step S1102, the first authentication entity node obtains the target object distributed identity and the updated target private information.
In step S1104, the first authentication entity node generates updated target authentication information of the target object according to the target object distributed identity and the updated target private information.
In step S1106, the updated target authentication information is signed using the first authentication entity private key corresponding to the first authentication entity distributed identity of the first authentication entity node, so as to generate an updated first authentication credential. The first authentication entity, as the controller of the user DID, can modify the authentication credential stored in the user DID Document so as to update it according to the updated KYB & KYC information; when updating the content, it updates the timestamp on the blockchain and performs the update operation in the blockchain network, so as to ensure the timeliness and reliability of the information.
In step S1108, the target private information stored at the first authentication entity node is updated, so that the updated target private information is stored offline at the first authentication entity node.
In step S1110, the updated first authentication credential is sent to the identity center, so that the first authentication credential stored in the identity center is updated to the updated first authentication credential.
FIG. 12 is a flow chart illustrating a method of using an updated authentication credential in accordance with an example embodiment. The method shown in FIG. 12 may be used for authentication credentials updated using the method of FIG. 11 described above. The method shown in fig. 12 may be applied to the data sharing system 100 described above, and in particular to the system in fig. 2A described above, for example.
In step S1202, a target object distributed identity and a first authentication credential identifier are obtained through an information using entity node in the blockchain network. The identifier of the updated first authentication credential is still the first authentication credential identifier.
In step S1204, the information using entity node obtains the updated first authentication credential from the identity center according to the target object distributed identity and the first authentication credential identifier.
In step S1206, the information using entity node verifies the updated first authentication credential according to the transaction record of the blockchain network.
In some embodiments, for example, the user has authenticated the identity card and opened an account with mobile phone number 1 at institution A, and institution A has signed to obtain authentication credential A and stored it in the Identity Hub. After the user changes the mobile phone number and goes to institution A again to open a new account, institution A can update authentication credential A in the Identity Hub to obtain authentication credential A' with an updated timestamp, and authentication credential A' can be provided the next time the user needs to present identity card and mobile phone number authentication information.
With the above method for updating and using the authentication credential, when authentication information is updated the user does not need to update it repeatedly on multiple institution platforms, which improves convenience; when the user updates authentication information at another institution, the using institution can obtain the latest information in time, which reduces risk control cost. The user's private identity information (PII) is not transmitted directly between institutions, and KYB & KYC capabilities can be shared between institutions to increase trust in the accuracy of user information.
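As an added illustration of the update and use flows of FIG. 9 to FIG. 12 (this is example code, not code from the patent), the following Go sketch models the identity center and the chain's key record as in-memory maps, assumes Ed25519 keys, constructed DIDs and its own field names: institution A issues a credential, institution B adds a second one under its own identifier, A later replaces its own credential in place with a fresh timestamp, and the using node verifies whatever identifier it is handed against the issuer key recorded on the chain.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/json"
	"fmt"
)

// Credential is the hub's record; field names are this example's own, not the patent's format.
type Credential struct {
	ID        string            `json:"id"`        // authentication credential identifier
	Subject   string            `json:"subject"`   // target object DID
	Issuer    string            `json:"issuer"`    // authentication entity DID
	Claims    map[string]string `json:"claims"`    // authenticated KYC fields
	Timestamp int64             `json:"timestamp"` // creation or update time
	Signature []byte            `json:"signature,omitempty"`
}

// Chain: the blockchain record of issuer DID -> public key; Hub: the identity center's
// credential list per subject DID. Both are constructed in-memory stand-ins.
type Chain map[string]ed25519.PublicKey
type Hub map[string][]Credential

// Register generates an institution's key pair and records the public key on the chain.
func Register(chain Chain, did string) ed25519.PrivateKey {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	chain[did] = pub
	return priv
}

// signingBytes is the canonical form covered by the signature.
func signingBytes(c Credential) []byte {
	c.Signature = nil
	b, _ := json.Marshal(c)
	return b
}

// Issue signs target authentication information and stores the credential in the hub.
// An existing credential ID is replaced in place with a fresh timestamp (the FIG. 11 case),
// but only by its own issuer; another institution stores under its own ID (the FIG. 9 case).
func Issue(hub Hub, issuer string, priv ed25519.PrivateKey, id, subject string, claims map[string]string, ts int64) (Credential, error) {
	c := Credential{ID: id, Subject: subject, Issuer: issuer, Claims: claims, Timestamp: ts}
	c.Signature = ed25519.Sign(priv, signingBytes(c))
	list := hub[subject]
	for i, old := range list {
		if old.ID == id && old.Issuer != issuer {
			return Credential{}, fmt.Errorf("credential %s belongs to issuer %s", id, old.Issuer)
		}
		if old.ID == id {
			list[i] = c
			return c, nil
		}
	}
	hub[subject] = append(list, c)
	return c, nil
}

// Fetch is the information-using node's side (steps S1004 to S1008): look the credential
// up by subject DID and ID, then verify it against the issuer key recorded on the chain.
func Fetch(hub Hub, chain Chain, subject, id string) (Credential, error) {
	for _, c := range hub[subject] {
		if c.ID != id {
			continue
		}
		pub, ok := chain[c.Issuer]
		if !ok || !ed25519.Verify(pub, signingBytes(c), c.Signature) {
			return Credential{}, fmt.Errorf("credential %s: issuer unknown or signature invalid", id)
		}
		return c, nil
	}
	return Credential{}, fmt.Errorf("credential %s not found", id)
}

// Latest is what the user sees when choosing which credential to present: the entry
// with the newest timestamp (zero Credential if the list is empty).
func Latest(hub Hub, subject string) Credential {
	var best Credential
	for _, c := range hub[subject] {
		if best.ID == "" || c.Timestamp > best.Timestamp {
			best = c
		}
	}
	return best
}

func main() {
	chain, hub := Chain{}, Hub{}
	a, b := "did:fuid:0:bankA", "did:fuid:0:bankB" // constructed sample DIDs
	privA, privB := Register(chain, a), Register(chain, b)
	user := "did:fuid:0:user1"
	Issue(hub, a, privA, "credA", user, map[string]string{"phone": "1"}, 100)
	Issue(hub, b, privB, "credB", user, map[string]string{"phone": "2"}, 200)
	fmt.Println("latest after B issues:", Latest(hub, user).ID) // credB
	Issue(hub, a, privA, "credA", user, map[string]string{"phone": "2"}, 300)
	fmt.Println("latest after A re-issues:", Latest(hub, user).ID, "entries:", len(hub[user])) // credA 2
	hub[user][0].Claims["phone"] = "9" // tampering inside the hub is caught on fetch
	_, err := Fetch(hub, chain, user, "credA")
	fmt.Println("tampered fetch:", err)
}
```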
Fig. 13 is another KYB & KYC information flow diagram according to an exemplary embodiment. The process applies when the user submits updated KYB/KYC information. As shown in Fig. 13, the enterprise user or individual user 702 logs in to the authentication terminal of the certified financial institution 704 (S13002) and submits updated KYB/KYC information to the certified financial institution 704 through the terminal (S13004).
Two cases can then be distinguished. When the certified financial institution 704 is the same institution to which the user first submitted KYB/KYC information, the certified financial institution 704 authenticates the updated KYB/KYC information submitted by the user (S13006), generates a credential and signs it to obtain an updated credential, and then replaces the credential stored in the distributed storage network 706 that corresponds to the user's first-submitted KYB/KYC information with the updated credential (S13008); the credential stored in the distributed storage network 706 is then the credential whose content and timestamp have been updated. When the certified financial institution 704 is a different institution from the one to which the user first submitted KYB/KYC information, the certified financial institution 704 authenticates the updated KYB/KYC information submitted by the user, generates a credential and signs it to obtain an updated authentication credential, and then stores the updated authentication credential in the distributed storage network 706 (S13008); the authentication credentials stored in the distributed storage network 706 then include both the original authentication credential and the updated authentication credential.
When the KYB/KYC information using institution 708 needs to obtain a credential based on the user's KYB/KYC information, the authentication credential may be obtained from the distributed storage network 706 according to the authentication credential identifier provided by the user (S13010).
When a certified financial institution, an information using institution or the like finds during authentication that there is a problem with the user's information, for example the user is a suspected money launderer or a practitioner in an associated business and the information needs to be corrected and related services closed, the institution can mark the user's information so as to control risk and ensure business compliance. The certified financial institution can mark the first authentication credential in the identity center through the first authentication entity node; when the information using institution finds that there is a problem with the user's information, it can mark the first authentication credential in the identity center through the information using entity node in the blockchain network. Fig. 14 is a schematic diagram illustrating a KYB & KYC information anti-counterfeiting process according to an exemplary embodiment. As shown in Fig. 14, when the certified financial institution 704 finds a problem in the information of the enterprise user or individual user 702 (for example falsified, erroneous or illegal content) (S14002), or when the KYB/KYC information using institution 708 finds a problem in the information of the enterprise user or individual user 702 (S14004), the authentication credential corresponding to the user's problematic KYB/KYC information may be marked on the identity center platform (not shown in the figure) connected to the distributed storage network 706 (S14006). After the user resolves the problem with the KYB/KYC information, authentication can be performed again and the authentication credential updated; the updating process is as shown in Fig. 9, Fig. 11 and Fig. 13 and is not described again here.
After the distributed storage network 706 stores the updated authentication credential (S14008), when the KYB/KYC information using institution 708 needs to obtain a credential based on the user's KYB/KYC information, the updated authentication credential may be obtained from the distributed storage network 706 according to the authentication credential identifier provided by the user (S14010).
DIDs and DID Documents can be operated on through the DID method. Fig. 15 is a flow diagram illustrating DID operations according to an exemplary embodiment. As shown in Fig. 15, the DID operations may include creation, use, reading, deletion, updating and so on of the DID and the DID Document.
The subject (for example, a user) 1504 of the DID may create (Create) the DID through the institution platform (S15001); for example, a public-private key pair may be generated directly offline, and the public key may be used as the DID. A transaction or smart contract address, that is, the alphanumeric string obtained by hashing the public key again with the SHA-256 algorithm, may also be used as the DID.
The controller of the DID (for example, a certified financial institution) 1502 may provide (S15002) the user DID to a trusted party 1506 (for example, a KYB & KYC information using institution) for reading and/or verification (Read/Verify) by the trusted party 1506. The trusted party 1506 may initiate DID verification to the controller 1502 (S15003); the controller 1502 signs the user DID (S15004); the trusted party 1506 verifies the signature using the DID of the controller 1502 (S15005) and compares the user DID obtained earlier (S15006) with the result of verification, thereby verifying (S15007) the signature of the controller 1502. After the trusted party 1506 has verified the user DID, the DID Document can be resolved from the user DID; the DID resolver used for DID resolution can inherit multiple corresponding DID methods so as to support the different protocols of multiple browsers. The DID Document may be stored directly on the blockchain. Alternatively, key information computed from the DID Document, such as a hash value, may be stored on the blockchain. The DID Driver is the method (code), running on the blockchain, that assembles the DID Document; after the DID Driver has assembled the DID Document, the hash value of the key information is stored on the blockchain.
The controller 1502 of the DID is described in the DID Document, and the DID Document can be updated only by the described controller 1502. From a security perspective the update operation is the most critical, since control over the DID Document is essentially control over the public key or certificate needed to authenticate the subject. Therefore, the control logic of the DID Document should be enforced in code on the target blockchain, and any operation related to updating the DID Document should be precisely defined so that identity authentication and permission granting are executed through a smart contract. When the user's controller is replaced (S15008), the relevant fields in the DID Document may be modified (S15009), such as the controller's DID, the public key and so on, and the DID Document is upgraded (S15010) to overwrite the original DID Document (S15011). The trusted party 1506 may audit the updated DID Document (S15012).
The controller 1502 of the DID may perform a delete operation on the DID Document (S15013). Data on the blockchain cannot be deleted, but the same effect can be achieved by setting the document stored in the identity center for the DID Document associated with the DID to an empty string.
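As an added example of the DID operations of Fig. 15 (example code, not the patent's own), the following Go sketch keeps a minimal registry standing in for the on-chain DID contract: it derives the DID from the first 20 bytes of the SHA-256 hash of the public key in the did:fuid:0 layout described for the id field below, lets only the controller named in a document update or delete it, tombstones a deleted document as the empty document, and runs the controller challenge-response of steps S15003 to S15007. Ed25519 keys in place of RSA, the message layout and the in-memory registry are this example's assumptions.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
)

// Document is the subset of a DID Document this example needs.
type Document struct {
	ID         string            // the DID described by the document
	Controller string            // DID allowed to update or delete this document
	PublicKey  ed25519.PublicKey // key the DID subject signs with
}

// Registry stands in for the on-chain DID contract; a deleted DID keeps an empty document (ID "").
type Registry struct{ Docs map[string]*Document }

// DIDFromKey follows the "did:fuid:0:XXX" layout: XXX is the first 20 bytes of SHA-256
// over the public key, hex encoded (Ed25519 stands in for the page's RSA key).
func DIDFromKey(pub ed25519.PublicKey) string {
	sum := sha256.Sum256(pub)
	return "did:fuid:0:" + hex.EncodeToString(sum[:20])
}

// Create registers a document; pass "" as controller for a self-controlled DID.
func (r *Registry) Create(pub ed25519.PublicKey, controller string) string {
	did := DIDFromKey(pub)
	if controller == "" {
		controller = did
	}
	r.Docs[did] = &Document{ID: did, Controller: controller, PublicKey: pub}
	return did
}

// Message is the byte string a controller signs to authorise an operation on a DID.
func Message(op, did, controller string, pub ed25519.PublicKey) []byte {
	return []byte(op + "|" + did + "|" + controller + "|" + hex.EncodeToString(pub))
}

// authorise returns the live document only if sig over msg was made by its controller's
// key, which is the rule the page asks the on-chain contract to enforce.
func (r *Registry) authorise(did string, msg, sig []byte) (*Document, error) {
	doc := r.Docs[did]
	if doc == nil || doc.ID == "" {
		return nil, errors.New("unknown or deleted DID")
	}
	ctrl := r.Docs[doc.Controller]
	if ctrl == nil || ctrl.ID == "" || !ed25519.Verify(ctrl.PublicKey, msg, sig) {
		return nil, errors.New("operation not signed by the document's controller")
	}
	return doc, nil
}

// Update (S15008 to S15011) replaces controller and key under the controller's signature.
func (r *Registry) Update(did, controller string, pub ed25519.PublicKey, sig []byte) error {
	doc, err := r.authorise(did, Message("update", did, controller, pub), sig)
	if err == nil {
		doc.Controller, doc.PublicKey = controller, pub
	}
	return err
}

// Delete (S15013) overwrites the content with the empty document.
func (r *Registry) Delete(did string, sig []byte) error {
	doc, err := r.authorise(did, Message("delete", did, "", nil), sig)
	if err == nil {
		*doc = Document{}
	}
	return err
}

// Respond and VerifyResponse model steps S15003 to S15007: the controller signs the trusted
// party's nonce bound to the user DID; the trusted party checks it with the on-chain controller key.
func Respond(priv ed25519.PrivateKey, nonce []byte, userDID string) []byte {
	return ed25519.Sign(priv, append(Message("auth", userDID, "", nil), nonce...))
}

func VerifyResponse(r *Registry, userDID string, nonce, sig []byte) bool {
	_, err := r.authorise(userDID, append(Message("auth", userDID, "", nil), nonce...), sig)
	return err == nil
}

func main() {
	r := &Registry{Docs: map[string]*Document{}}
	bankPub, bankPriv, _ := ed25519.GenerateKey(rand.Reader)
	bank := r.Create(bankPub, "") // self-controlled institution DID
	userPub, _, _ := ed25519.GenerateKey(rand.Reader)
	user := r.Create(userPub, bank) // the institution controls the user's document
	nonce := make([]byte, 32)
	rand.Read(nonce)
	fmt.Println("challenge ok:", VerifyResponse(r, user, nonce, Respond(bankPriv, nonce, user)))
	_, otherPriv, _ := ed25519.GenerateKey(rand.Reader)
	sig := ed25519.Sign(otherPriv, Message("update", user, "did:fuid:0:other", userPub))
	fmt.Println("non-controller update:", r.Update(user, "did:fuid:0:other", userPub, sig))
	fmt.Println("delete:", r.Delete(user, ed25519.Sign(bankPriv, Message("delete", user, "", nil))))
	fmt.Printf("after delete: %q\n", r.Docs[user].ID)
}
```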
The DID Document format follows the W3C DID-CORE specification, and the signature algorithm follows the W3C LD-CRYPTOSUITE-REGISTRY specification. FIG. 16 is an architectural diagram illustrating the content of a DID Document according to an exemplary embodiment. As shown in FIG. 16, a reference assignment of each field of the DID Document 160 is implemented as follows.
Context (context) 1601: the Uniform Resource Locator (URL) of the DID Document, which can be set to https://www.xxxbank.com/ns/did/v1.
Identifier (id) 1602: the DID identifier itself, that is, the DID described by the DID Document. The format is "did:fuid:0:XXX", where XXX corresponds to, for example, the hash of an RSA public key, taking the first 20 bytes of the SHA-256 digest.
Controller (controller) 1603: the DID identifier of the controller.
Public key (publicKey) 1604: public keys are used for digital signatures and other cryptographic operations, which underlie authentication and the establishment of secure communication with service endpoints. Public key 1 (1610), … (1611), public key N (1612) and so on may be included, each public key including an identifier (id) 1623 field, a type 1624 field, a controller 1625 field, a public key content format 1626, and so on. The type 1624 may include Ed25519 (a curve equation) 1630, RSA 1631, secp256k1 (an elliptic curve) 1632, JWS (JSON Web Signature) 1633, GPG (a personal encryption and signature protocol) and other algorithms; for example, the RSA algorithm may be set as the default. The public key content format 1626 may correspond to algorithms including publicKeyJwk 1635, publicKeyPem 1636, publicKeyBase58 1637, publicKeyHex 1638, and so on. Example code is as follows:
Authentication (authentication) 1605: authentication is the process by which the DID subject (for example, a user) cryptographically proves that it is associated with the DID. The default publicKey can be referenced directly. Multiple authentications corresponding to the public keys may be included: authentication 1 (1613), … (1614), authentication N (1615), and so on. Example code is as follows:
authentication: ["did:fuid:0:123456789abcdefghi#keys-default"]
Service (service) 1606: may include service 1 (1616), … (1617), service N (1618) and so on, each of which may include an identifier (id) 1627 field, a type 1628 field and a service endpoint (serviceEndpoint) 1629 field, where the service types may include a credential storage service (CredentialStorageService) 1639, an identity center (IdentityHub) 1640, a message service (MessageService) 1641, and so on. By default only the credential storage service 1639 may be set, to support credential storage. A standardized identity center service may be provided, supporting additional on-demand authorization. IdentityHub is implemented with reference to the DIF SECURE-DATA-STORAGE specification. Example code is as follows:
Proof (proof) 1607: the document integrity proof, which may include a type (type) 1619 field, a creation time (created) 1620 field, a creator (creator) 1621 field and a signature value (signatureValue) 1622. Example code is as follows:
Creation time (created) 1608: XML datetime format, normalized to Coordinated Universal Time (UTC), for example "2002-10-10T17:00:00Z".
Update time (updated) 1609: the format is as created.
Fig. 17 is an information interaction diagram illustrating a DID-based business process according to an example embodiment. As shown in Fig. 17, the user 1702 may register a DID on the blockchain 1708 through the certification authority 1704 (S17001); the certification authority 1704 may also register a DID on the blockchain 1708 (S17002), and the using institution 1706 may register a DID on the blockchain 1708 (S17003). Before conducting a particular transaction, the user 1702 may then perform bidirectional DID authentication with the certification authority 1704. The flow in which the user 1702 verifies the DID of the certification authority 1704 is as follows: the user 1702 may query the DID Document of the certification authority on the blockchain 1708 through the certification authority 1704 (S17004), and the blockchain 1708 returns the query result to the user 1702 (S17005); the user may challenge the certification authority 1704 through the identity verification in the DID Document (S17006), and the certification authority 1704 responds (S17007) (see steps S15003 to S15007 of Fig. 15). The flow in which the certification authority 1704 verifies the DID of the user 1702 is as follows: the certification authority 1704 queries the DID Document of the user 1702 on the blockchain 1708 (S17008), and the blockchain 1708 returns the query result to the certification authority 1704 (S17009); the certification authority 1704 may challenge the user 1702 through the identity verification in the DID Document (S17010), and the user 1702 responds (S17011).
After bidirectional DID authentication is completed, the user 1702 may apply to the certification authority 1704 for an authentication credential (S17012); the certification authority 1704 may generate the authentication credential by certifying the user's KYB & KYC information and then signing it (S17013), store the authentication credential on the server of the identity center 1710 set in the user's DID Document (S17014), and then notify the user (S17015). When the user 1702 needs to provide an authentication credential to the using institution 1706, the credential may be extracted from the identity center 1710 through the certification authority (S17016), and the identity center 1710 returns the credential to the user 1702 (S17017). The user 1702 may perform bidirectional DID authentication with the using institution 1706 (S17019), similar to the bidirectional DID authentication between the user 1702 and the certification authority 1704. After the DID authentication has passed, the user 1702 may send the required authentication credential to the using institution 1706 (S17020); the using institution 1706 verifies the credential (S17021) and returns the verification result to the user 1702 (S17022).
The authentication credential can be implemented as a Verifiable Claim (VC). A Verifiable Claim complies with the W3C VCLAIM-DATA-MODEL specification, and a Verifiable Credential follows the W3C VC-DATA-MODEL specification. FIG. 18A is an architectural diagram illustrating the content of a Verifiable Claim according to an exemplary embodiment. As shown in FIG. 18A, the Verifiable Claim 180 can include fields for context 1801, identifier (id) 1802, type (type) 1803, issuer (issuer) 1804, time of issuance (issued) 1805, validity period (expiration) 1806, claim (claim) 1807, revocation (revocation) 1808 and signature (signature) 1809, where the signature 1809 can include type 1810, creation time 1811, creator 1812, domain 1813, random number (nonce) 1814, signature value (signatureValue) 1815, and so on. The context 1801 is the URL of the VC; the identifier 1802 is the identifier of the VC; the type 1803 may be Credential and may also include credential template types, such as the mainland identity card CT_CIDCARD, the Hong Kong and Macao pass CT_HMKPASS, and so on; the issuer 1804 is the entity that issues the VC, such as a certified financial institution; the validity period 1806 sets a validity period for the VC; the claim 1807 contains the specific content of the authenticated user information, such as name, gender, ethnicity, date of birth and so on in the identity card information; revocation 1808 may be set so that the issuer 1804 can revoke the credential prior to signing; the domain 1813 is the URL of the issuer platform; a random number (nonce) 1814 is generated for each signing operation in the blockchain and may be used to verify the signing operation. Other fields are implemented in the same way as the fields of the same name in the DID Document. Example code is as follows:
One or more Verifiable Claims can constitute a Verifiable Credential. FIG. 18B is an architectural diagram illustrating the content of a Verifiable Credential according to an example embodiment. As shown in FIG. 18B, the Verifiable Credential 182 can be composed of Credential Metadata 1821, a Claim 1822 and a Proof 1823, where the Claim 1822 is the specific content of the claim and the Proof 1823 is the document integrity proof of the Verifiable Credential 182.
One or more Verifiable Credentials may constitute a Verifiable Presentation (VP) for third-party verification. A VC corresponds to the credential for a single certificate, a Verifiable Credential may be a combined credential for one or more certificates, and a VP corresponds to an exported credential for one or more Verifiable Credentials. FIG. 18C is an architectural diagram illustrating the content of a VP according to an exemplary embodiment. As shown in FIG. 18C, the Verifiable Presentation 184 can be represented by Presentation Metadata 1841, a Verifiable Credential 1842 and a Proof 1843, where the Verifiable Credential 1842 is the specific content of a Verifiable Credential and the Proof 1843 is the document integrity proof of the Verifiable Presentation 184.
As shown in FIG. 18D, a Claim Template (CT) type can be generated for each certificate; instantiating a CT 1862 yields a Claim 1864, and signing the Claim generates a Verifiable Claim/Credential 1866. The certificate types and certificate templates to be supported by standardization, namely the templates of the Claim, can be realized in JSON-LD format with reference to:
The credential proof is generated by the credential holder (holder) and the credential issuer (issuer) jointly signing the Claim.
Fig. 19 is a block diagram illustrating an authentication information processing apparatus according to an exemplary embodiment. The apparatus shown in fig. 19 can be applied to the above-described data sharing system 100, for example, and particularly to the system in fig. 2A described above.
Referring to fig. 19, an apparatus 190 provided by an embodiment of the present disclosure may include an information obtaining module 1902, a credential generating module 1904, a credential authenticating module 1906, a private information storage module 1908, and an authentication credential storage module 1910.
The information obtaining module 1902 may be configured to obtain, through a first authentication entity node in the blockchain network, a target object distributed identity and target private information of a target object.
The credential generation module 1904 may be configured to generate, by the first authentication entity node, target authentication information for the target object based on the target object distributed identity and the target private information.
The credential authentication module 1906 may be configured to sign the target authentication information with a first authentication entity private key corresponding to a first authentication entity distributed identity of the first authentication entity node, so as to generate a first authentication credential.
Private information storage module 1908 may be used to store the target private information offline to the first authentication entity node.
Authentication credential storage module 1910 may be configured to send a first authentication credential to an identity center communicatively coupled to each node in a blockchain network such that each node in the blockchain network shares the first authentication credential.
Fig. 20 is a block diagram illustrating another authentication information processing apparatus according to an example embodiment. The apparatus shown in fig. 20 may be applied to the data sharing system 100 described above, for example, and particularly to the system in fig. 2A described above.
Referring to fig. 20, the apparatus 200 provided by the present disclosure may include an information acquisition module 2002, a credential generation module 2004, a credential authentication module 2006, a private information storage module 2008, an authentication credential storage module 2010, an authentication credential identification acquisition module 2012, an authentication credential acquisition module 2014, an authentication credential verification module 2016 and an exception marking module 2018, where the authentication credential verification module 2016 may include a distributed identity resolution module 20162, an identity center address acquisition module 20164 and an authentication credential list acquisition module 20166, and the distributed identity resolution module 20162 may include an authentication entity identification acquisition module 201622, an authentication entity node access module 201624 and an identity document address acquisition module 201626.
The information obtaining module 2002 may be configured to obtain, through a first authentication entity node in the blockchain network, a target object distributed identity and target private information of a target object.
The information obtaining module 2002 is further configured to obtain, through a second authentication entity node in the blockchain network, the target object distributed identity of the target object and the updated target private information.
The information obtaining module 2002 may further be configured to obtain, by the first authentication entity node, the target object distributed identity and the updated target private information.
The credential generation module 2004 may be configured to generate, by the first authentication entity node, target authentication information for the target object based on the target object distributed identity and the target private information.
The credential generation module 2004 may also be configured to generate, by the second authentication entity node, updated target authentication information for the target object based on the target object distributed identity and the updated target private information.
The credential generation module 2004 may also be configured to generate, by the first authentication entity node, updated target authentication information for the target object based on the target object distributed identity and the updated target private information.
The credential authentication module 2006 is configured to sign the target authentication information using a first authentication entity private key corresponding to a first authentication entity distributed identity of the first authentication entity node, and generate a first authentication credential.
The credential authentication module 2006 is further configured to sign the updated target authentication information using a second authentication entity private key corresponding to a second authentication entity distributed identity of the second authentication entity node, so as to generate a second authentication credential.
The credential authentication module 2006 is further configured to sign the updated target authentication information using a first authentication entity private key corresponding to the first authentication entity distributed identity of the first authentication entity node, and generate an updated first authentication credential.
Private information storage module 2008 may be configured to store the target private information offline to the first authentication entity node.
Private information storage module 2008 may also be used to store the updated target private information offline to the second authentication entity node.
Private information storage module 2008 may also be configured to update the target private information stored at the first authentication entity node to store the updated target private information offline to the first authentication entity node.
The authentication credential storage module 2010 may be configured to send the first authentication credential to an identity center communicatively connected to each node in the blockchain network, so that each node in the blockchain network shares the first authentication credential.
The authentication credential storage module 2010 may be further configured to send the second authentication credential to the identity center such that each node in the blockchain network shares the second authentication credential.
The authentication credential storage module 2010 may be further configured to send the updated first authentication credential to the identity center, so as to update the first authentication credential stored in the identity center to the updated first authentication credential.
The authentication credential identifier obtaining module 2012 may be configured to obtain the target object distributed identity identifier and the first authentication credential identifier through the information using entity node in the blockchain network, where the first authentication credential identifier and the first authentication credential have a corresponding relationship.
The authentication credential identifier obtaining module 2012 is further configured to obtain the target object distributed identity identifier and the second authentication credential identifier through the information using entity node in the blockchain network, where the second authentication credential identifier and the second authentication credential have a corresponding relationship.
The authentication credential identifier obtaining module 2012 may further be configured to obtain the target object distributed identity identifier and the first authentication credential identifier through the information-using entity node in the blockchain network, where the identifier of the updated first authentication credential is the first authentication credential identifier.
The authentication credential obtaining module 2014 may be configured to obtain, by the information-using entity node, the first authentication credential from the identity center according to the target object distributed identity identifier and the first authentication credential identifier.
The authentication credential obtaining module 2014 may further be configured to obtain, by the information-using entity node, an authentication credential list of the target object from the identity center according to the target object distributed identity identifier and the second authentication credential identifier, where the authentication credential list includes the first authentication credential and the second authentication credential; the information-using entity node then acquires the second authentication credential from the authentication credential list according to the second authentication credential identifier.
The authentication credential obtaining module 2014 may further be configured to obtain, by the information-using entity node, the updated first authentication credential from the identity center according to the target object distributed identity identifier and the first authentication credential identifier.
The authentication credential verification module 2016 may be configured to verify, by the information-using entity node, the first authentication credential according to a transaction record of the blockchain network.
The authentication credential verification module 2016 may also be configured to obtain the first authentication credential from the authentication credential list according to the first authentication credential identifier.
The authentication credential verification module 2016 may also be configured to verify, by the information-using entity node, the second authentication credential according to the transaction record of the blockchain network.
The authentication credential verification module 2016 may also be configured to verify, by the information-using entity node, the updated first authentication credential according to the transaction record of the blockchain network.
The distributed identity resolution module 20162 may be configured to resolve, by the information-using entity node, the target object distributed identity identifier to obtain a target object distributed identity document.
The authentication entity identifier obtaining module 201622 may be configured to obtain, by the information-using entity node, the first authentication entity distributed identity identifier according to the first authentication credential identifier.
The authentication entity node access module 201624 may be configured for the information-using entity node to access the first authentication entity node according to the first authentication entity distributed identity identifier.
The identity document address obtaining module 201626 may be configured to obtain, via the first authentication entity node, the address of the target object distributed identity document from the distributed hash table according to the encrypted file name corresponding to the target private information. The address of the target object distributed identity document is either its address at the first authentication entity node or its address at the identity center.
The distributed identity resolution module 20162 may also be configured to access, by the information-using entity node, the address of the target object distributed identity document and resolve it to obtain the target object distributed identity document.
The identity center address acquisition module 20164 may be configured to acquire, by the information-using entity node, the address of the identity center from the target object distributed identity document.
The authentication credential list acquisition module 20166 may be configured to acquire the authentication credential list of the target object when the information-using entity node accesses the address of the identity center.
The anomaly marking module 2018 may be configured to mark the first authentication credential as anomalous at the identity center via the first authentication entity node.
The anomaly marking module 2018 may further be configured to mark the first authentication credential as anomalous at the identity center via the information-using entity node in the blockchain network.
The specific implementation of each module in the apparatus provided in the embodiment of the present disclosure may refer to the content in the foregoing method, and is not described herein again.
Fig. 21 shows a schematic structural diagram of an electronic device in an embodiment of the present disclosure. It should be noted that the apparatus shown in fig. 21 is only an example of a computer system, and should not bring any limitation to the function and the scope of the application of the embodiments of the present disclosure.
As shown in fig. 21, the apparatus 2100 includes a Central Processing Unit (CPU)2101, which can perform various appropriate actions and processes according to a program stored in a Read Only Memory (ROM)2102 or a program loaded from a storage portion 2108 into a Random Access Memory (RAM) 2103. In the RAM 2103, various programs and data necessary for the operation of the device 2100 are also stored. The CPU2101, ROM 2102 and RAM 2103 are connected to each other via a bus 2104. An input/output (I/O) interface 2105 is also connected to bus 2104.
The following components are connected to the I/O interface 2105: an input portion 2106 including a keyboard, a mouse, and the like; an output portion 2107 including a Cathode Ray Tube (CRT), a Liquid Crystal Display (LCD), and the like, and a speaker and the like; a storage portion 2108 including a hard disk and the like; and a communication section 2109 including a network interface card such as a LAN card, a modem, or the like. The communication section 2109 performs communication processing via a network such as the internet. The driver 2110 is also connected to the I/O interface 2105 as necessary. A removable medium 2111 such as a magnetic disk, an optical disk, a magneto-optical disk, a semiconductor memory, or the like is mounted on the drive 2110 as necessary, so that a computer program read out therefrom is mounted in the storage portion 2108 as necessary.
In particular, according to an embodiment of the present disclosure, the processes described above with reference to the flowcharts may be implemented as computer software programs. For example, embodiments of the present disclosure include a computer program product comprising a computer program embodied on a computer readable medium, the computer program comprising program code for performing the method illustrated in the flow chart. In such an embodiment, the computer program may be downloaded and installed from a network through the communication section 2109, and/or installed from the removable medium 2111. The above-described functions defined in the system of the present disclosure are executed when the computer program is executed by the Central Processing Unit (CPU) 2101.
It should be noted that the computer readable media shown in the present disclosure may be computer readable signal media or computer readable storage media or any combination of the two. A computer readable storage medium may be, for example, but not limited to, an electronic, magnetic, optical, electromagnetic, infrared, or semiconductor system, apparatus, or device, or any combination of the foregoing. More specific examples of the computer readable storage medium may include, but are not limited to: an electrical connection having one or more wires, a portable computer diskette, a hard disk, a Random Access Memory (RAM), a read-only memory (ROM), an erasable programmable read-only memory (EPROM or flash memory), an optical fiber, a portable compact disc read-only memory (CD-ROM), an optical storage device, a magnetic storage device, or any suitable combination of the foregoing. In the present disclosure, a computer readable storage medium may be any tangible medium that can contain, or store a program for use by or in connection with an instruction execution system, apparatus, or device. In contrast, in the present disclosure, a computer-readable signal medium may include a propagated data signal with computer-readable program code embodied therein, for example, in baseband or as part of a carrier wave. Such a propagated data signal may take many forms, including, but not limited to, electro-magnetic, optical, or any suitable combination thereof. A computer readable signal medium may also be any computer readable medium that is not a computer readable storage medium and that can communicate, propagate, or transport a program for use by or in connection with an instruction execution system, apparatus, or device. Program code embodied on a computer readable medium may be transmitted using any appropriate medium, including but not limited to: wireless, wire, fiber optic cable, RF, etc., or any suitable combination of the foregoing.
The flowchart and block diagrams in the figures illustrate the architecture, functionality, and operation of possible implementations of systems, methods and computer program products according to various embodiments of the present disclosure. In this regard, each block in the flowchart or block diagrams may represent a module, segment, or portion of code, which comprises one or more executable instructions for implementing the specified logical function(s). It should also be noted that, in some alternative implementations, the functions noted in the block may occur out of the order noted in the figures. For example, two blocks shown in succession may, in fact, be executed substantially concurrently, or the blocks may sometimes be executed in the reverse order, depending upon the functionality involved. It will also be noted that each block of the block diagrams or flowchart illustration, and combinations of blocks in the block diagrams or flowchart illustration, can be implemented by special purpose hardware-based systems which perform the specified functions or acts, or combinations of special purpose hardware and computer instructions.
The modules described in the embodiments of the present disclosure may be implemented by software or hardware. The described modules may also be provided in a processor, which may be described as: a processor comprises an information acquisition module, a certificate generation module, a certificate authentication module, a private information storage module and an authentication certificate storage module. The names of these modules do not constitute a limitation to the module itself in some cases, and for example, the information acquisition module may also be described as a "module that authenticates an entity node to acquire target object information".
As another aspect, the present disclosure also provides a computer-readable medium, which may be contained in the apparatus described in the above embodiments; or may be separate and not incorporated into the device. The computer readable medium carries one or more programs which, when executed by a device, cause the device to perform the methods provided in the various alternatives of the first aspect.
As yet another aspect, the present disclosure also provides a computer product or computer program comprising computer instructions stored in a computer-readable storage medium. The processor of the computer device reads the computer instructions from the computer-readable storage medium, and the processor executes the computer instructions, so that the computer device when executed implements the method provided in the various alternatives of the first aspect described above.
Exemplary embodiments of the present disclosure are specifically illustrated and described above. It is to be understood that the present disclosure is not limited to the precise arrangements or instrumentalities described herein; on the contrary, the disclosure is intended to cover various modifications and equivalent arrangements included within the spirit and scope of the appended claims.
Claims (14)
1. An authentication information processing method, characterized by comprising:
acquiring a target object distributed identity identifier and target private information of a target object through a first authentication entity node in a blockchain network;
the first authentication entity node generating target authentication information of the target object according to the target object distributed identity identifier and the target private information;
signing the target authentication information with a first authentication entity private key corresponding to a first authentication entity distributed identity identifier of the first authentication entity node to generate a first authentication credential;
storing the target private information offline at the first authentication entity node; and
sending the first authentication credential to an identity center communicatively connected with each node in the blockchain network, so that each node in the blockchain network can share the first authentication credential.
2. The method of claim 1, further comprising:
acquiring a target object distributed identity identifier and a first authentication credential identifier through an information-using entity node in the blockchain network, wherein the first authentication credential identifier corresponds to the first authentication credential;
the information-using entity node acquiring the first authentication credential from the identity center according to the target object distributed identity identifier and the first authentication credential identifier; and
the information-using entity node verifying the first authentication credential according to a transaction record of the blockchain network.
3. The method of claim 2, wherein the information-using entity node acquiring the first authentication credential from the identity center according to the target object distributed identity identifier and the first authentication credential identifier comprises:
the information-using entity node resolving the target object distributed identity identifier to obtain a target object distributed identity document;
the information-using entity node obtaining the address of the identity center from the target object distributed identity document;
the information-using entity node accessing the address of the identity center and obtaining an authentication credential list of the target object; and
acquiring the first authentication credential from the authentication credential list according to the first authentication credential identifier.
4. The method of claim 3, wherein the information-using entity node resolving the target object distributed identity identifier to obtain the target object distributed identity document comprises:
the information-using entity node obtaining the first authentication entity distributed identity identifier according to the first authentication credential identifier;
the information-using entity node accessing the first authentication entity node according to the first authentication entity distributed identity identifier;
the first authentication entity node acquiring the address of the target object distributed identity document from a distributed hash table according to the encrypted file name corresponding to the target private information; and
the information-using entity node accessing the address of the target object distributed identity document and resolving it to obtain the target object distributed identity document.
5. The method according to claim 4, wherein the address of the target object distributed identity document is the address of the target object distributed identity document at the first authentication entity node, or the address of the target object distributed identity document is the address of the target object distributed identity document at the identity center.
6. The method of claim 1, further comprising:
acquiring the target object distributed identity identifier of the target object and updated target private information through a second authentication entity node in the blockchain network;
the second authentication entity node generating updated target authentication information of the target object according to the target object distributed identity identifier and the updated target private information;
signing the updated target authentication information with a second authentication entity private key corresponding to a second authentication entity distributed identity identifier of the second authentication entity node to generate a second authentication credential;
storing the updated target private information offline at the second authentication entity node; and
sending the second authentication credential to the identity center so that each node in the blockchain network can share the second authentication credential.
7. The method of claim 5, further comprising:
acquiring the target object distributed identity identifier and a second authentication credential identifier through an information-using entity node in the blockchain network, wherein the second authentication credential identifier corresponds to the second authentication credential;
the information-using entity node acquiring an authentication credential list of the target object from the identity center according to the target object distributed identity identifier and the second authentication credential identifier, wherein the authentication credential list comprises the first authentication credential and the second authentication credential;
the information-using entity node acquiring the second authentication credential from the authentication credential list according to the second authentication credential identifier; and
the information-using entity node verifying the second authentication credential according to the transaction record of the blockchain network.
8. The method of claim 1, further comprising:
the first authentication entity node acquiring the target object distributed identity identifier and updated target private information;
the first authentication entity node generating updated target authentication information of the target object according to the target object distributed identity identifier and the updated target private information;
signing the updated target authentication information with the first authentication entity private key corresponding to the first authentication entity distributed identity identifier of the first authentication entity node to generate an updated first authentication credential;
updating the target private information stored at the first authentication entity node so that the updated target private information is stored offline at the first authentication entity node; and
sending the updated first authentication credential to the identity center so as to replace the first authentication credential stored in the identity center with the updated first authentication credential.
9. The method of claim 8, wherein the identifier of the updated first authentication credential is the first authentication credential identifier;
the method further comprising:
acquiring the target object distributed identity identifier and the first authentication credential identifier through an information-using entity node in the blockchain network;
the information-using entity node obtaining the updated first authentication credential from the identity center according to the target object distributed identity identifier and the first authentication credential identifier; and
the information-using entity node verifying the updated first authentication credential according to a transaction record of the blockchain network.
10. The method of claim 1, further comprising:
marking the first authentication credential at the identity center by the first authentication entity node.
11. The method of claim 1, further comprising:
marking the first authentication credential at the identity center by an information-using entity node in the blockchain network.
12. An authentication information processing apparatus, comprising:
an information acquisition module, configured to acquire a target object distributed identity identifier and target private information of a target object through a first authentication entity node in a blockchain network;
a credential generation module, configured to generate, by the first authentication entity node, target authentication information of the target object according to the target object distributed identity identifier and the target private information;
a credential authentication module, configured to sign the target authentication information with a first authentication entity private key corresponding to a first authentication entity distributed identity identifier of the first authentication entity node to generate a first authentication credential;
a private information storage module, configured to store the target private information offline at the first authentication entity node; and
an authentication credential storage module, configured to send the first authentication credential to an identity center communicatively connected with each node in the blockchain network, so that each node in the blockchain network can share the first authentication credential.
13. An apparatus, comprising: memory, processor and executable instructions stored in the memory and executable in the processor, characterized in that the processor implements the method according to any of claims 1-11 when executing the executable instructions.
14. A computer-readable storage medium having computer-executable instructions stored thereon, wherein the executable instructions, when executed by a processor, implement the method of any of claims 1-11.
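As an added example that is not part of the patent, the following stdlib-only Python model walks through claims 1 to 10: an authentication entity node signs target authentication information, keeps the private information offline, and hands the credential to an identity center while an issuance record goes onto a ledger; an information-using entity node resolves the target DID document, fetches the credential by identifier, and verifies it against the latest transaction record. The DID registry dictionary, the commitment used as credential contents, the textbook-RSA toy signature and all identifiers are assumptions, and the DHT lookup of claim 4 is collapsed into a registry lookup.

```python
import hashlib
import json
from dataclasses import dataclass, field

# Toy signature primitive: textbook RSA over a ~92-bit modulus built from two
# Mersenne primes. It stands in for the real (unnamed) scheme and is not a
# production signature; only the flow around it is the point.
P, Q, E = (1 << 31) - 1, (1 << 61) - 1, 65537
N = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))            # issuer private exponent

def _rep(data: bytes) -> int:
    # 64-bit truncated SHA-256 keeps the representative below the toy modulus.
    return int.from_bytes(hashlib.sha256(data).digest()[:8], "big")

def toy_sign(priv: int, data: bytes) -> int:
    return pow(_rep(data), priv, N)

def toy_verify(pub: int, data: bytes, sig: int) -> bool:
    return pow(sig, pub, N) == _rep(data)

def canonical(obj) -> bytes:
    # Deterministic encoding so hashes and signatures cover the same bytes.
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()

def digest(obj) -> str:
    return hashlib.sha256(canonical(obj)).hexdigest()

@dataclass
class Ledger:
    """Blockchain stand-in: append-only issuance transaction records."""
    records: list = field(default_factory=list)
    def append(self, cred_id, issuer_did, cred_hash):
        self.records.append({"credential_id": cred_id, "issuer_did": issuer_did,
                             "credential_hash": cred_hash})
    def latest(self, cred_id):
        hits = [r for r in self.records if r["credential_id"] == cred_id]
        return hits[-1] if hits else None

@dataclass
class IdentityCenter:
    """Reachable by every node; holds credentials only, never private information."""
    creds: dict = field(default_factory=dict)  # target_did -> {cred_id: credential}
    marked: set = field(default_factory=set)   # credential ids flagged as anomalous
    def store(self, target_did, cred):
        self.creds.setdefault(target_did, {})[cred["info"]["credential_id"]] = cred

class AuthenticationEntityNode:
    def __init__(self, did, priv, ledger, center, registry):
        self.did, self.priv, self.ledger, self.center = did, priv, ledger, center
        self.offline_store = {}                  # target private info stays here
        registry[did] = {"id": did, "public_key": E}   # issuer DID document
    def issue(self, target_did, cred_id, private_info):
        # Authentication information is modelled as a commitment to the private
        # information; the page does not fix its contents (assumption).
        info = {"target_did": target_did, "issuer_did": self.did,
                "credential_id": cred_id,
                "commitment": hashlib.sha256(private_info.encode()).hexdigest()}
        cred = {"info": info, "signature": toy_sign(self.priv, canonical(info))}
        self.offline_store[(target_did, cred_id)] = private_info
        self.center.store(target_did, cred)      # same id overwrites (claim 8)
        self.ledger.append(cred_id, self.did, digest(cred))
        return cred

class InformationUsingEntityNode:
    def __init__(self, ledger, registry):
        self.ledger, self.registry = ledger, registry
    def fetch(self, target_did, cred_id):
        # Resolve the target DID document, read the identity center address from
        # it and select the credential from the center's list by identifier.
        center = self.registry[target_did]["identity_center"]
        return center.creds.get(target_did, {}).get(cred_id)
    def verify(self, target_did, cred_id, cred=None):
        cred = cred or self.fetch(target_did, cred_id)
        if cred is None:
            return False, "no credential"
        if cred_id in self.registry[target_did]["identity_center"].marked:
            return False, "marked anomalous"
        rec = self.ledger.latest(cred_id)        # the transaction record
        if rec is None or rec["issuer_did"] != cred["info"]["issuer_did"]:
            return False, "no matching transaction record"
        if rec["credential_hash"] != digest(cred):
            return False, "credential differs from ledger record"
        pub = self.registry[rec["issuer_did"]]["public_key"]
        if not toy_verify(pub, canonical(cred["info"]), cred["signature"]):
            return False, "bad signature"
        return True, "ok"

def demo():
    """Issue, verify, update in place (claims 8-9), then mark (claim 10)."""
    ledger, center, registry = Ledger(), IdentityCenter(), {}
    target = "did:example:target"                # constructed identifiers
    registry[target] = {"id": target, "identity_center": center}
    issuer = AuthenticationEntityNode("did:example:issuer1", D, ledger, center, registry)
    user = InformationUsingEntityNode(ledger, registry)
    first = issuer.issue(target, "cred-1", "passport:constructed-sample")
    out = {"fresh": user.verify(target, "cred-1")}
    issuer.issue(target, "cred-1", "passport:renewed-sample")
    out["updated"] = user.verify(target, "cred-1")
    out["stale_copy"] = user.verify(target, "cred-1", first)   # old copy rejected
    center.marked.add("cred-1")
    out["marked"] = user.verify(target, "cred-1")
    out["private_info_offline"] = "passport" not in json.dumps(center.creds)
    return out
```

The stale-copy case shows why the verifier consults the ledger rather than trusting whatever it is handed: after an in-place update under the same identifier, the superseded credential still carries a valid signature but no longer matches the latest transaction record.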
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202011092255.7A CN112199721B (en) | 2020-10-13 | 2020-10-13 | Authentication information processing method, device, equipment and storage medium |
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202011092255.7A CN112199721B (en) | 2020-10-13 | 2020-10-13 | Authentication information processing method, device, equipment and storage medium |
Publications (2)
Publication Number | Publication Date |
---|---|
CN112199721A true CN112199721A (en) | 2021-01-08 |
CN112199721B CN112199721B (en) | 2024-09-10 |
Family
ID=74008992
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN202011092255.7A Active CN112199721B (en) | 2020-10-13 | 2020-10-13 | Authentication information processing method, device, equipment and storage medium |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN112199721B (en) |
Citations (5)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US20180205537A1 (en) * | 2015-07-08 | 2018-07-19 | Barclays Bank Plc | Data Validation and Storage |
WO2019081530A1 (en) * | 2017-10-26 | 2019-05-02 | Gemalto Sa | Methods for recording and sharing a digital identity of a user using distributed ledgers |
CN110493007A (en) * | 2019-09-06 | 2019-11-22 | 腾讯科技(深圳)有限公司 | A kind of Information Authentication method, apparatus, equipment and storage medium based on block chain |
WO2020008367A1 (en) * | 2018-07-02 | 2020-01-09 | Bitchange Oü | A method of creating a digital id or digital data storage of a person or an organization, and a method of using the digital id or digital data storage for remote identification |
CN110874464A (en) * | 2018-09-03 | 2020-03-10 | 巍乾全球技术有限责任公司 | User identity authentication data management method and device |
Non-Patent Citations (1)
Title |
---|
潘维 (Pan Wei): "Research and Implementation of a Blockchain-Based Identity Authentication System", China Master's Theses Full-text Database (Information Science and Technology), no. 8, 15 August 2020 (2020-08-15), pages 138 - 22 * |
Cited By (24)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN112887392A (en) * | 2021-01-22 | 2021-06-01 | 上海对外经贸大学 | Distributed identity data unified management platform |
CN114792004A (en) * | 2021-01-26 | 2022-07-26 | 华为云计算技术有限公司 | Identity information processing method, equipment and system |
CN113204744A (en) * | 2021-04-07 | 2021-08-03 | 西安西电链融科技有限公司 | Software authorization system and method based on distributed identity |
CN113204744B (en) * | 2021-04-07 | 2024-04-23 | 西安链融科技有限公司 | Software authorization system and method based on distributed identity |
WO2022247910A1 (en) * | 2021-05-27 | 2022-12-01 | 中国人民银行数字货币研究所 | Information verification method and apparatus |
CN113452704A (en) * | 2021-06-28 | 2021-09-28 | 湖南天河国云科技有限公司 | Distributed identity identification-based credible interconnection method and device for heterogeneous industrial equipment |
CN113452704B (en) * | 2021-06-28 | 2022-08-09 | 湖南天河国云科技有限公司 | Distributed identity identification-based credible interconnection method and device for heterogeneous industrial equipment |
CN113704775B (en) * | 2021-07-14 | 2024-02-27 | 杭州溪塔科技有限公司 | Service processing method and related device based on distributed digital identity |
CN113704775A (en) * | 2021-07-14 | 2021-11-26 | 杭州溪塔科技有限公司 | Service processing method based on distributed digital identity and related device |
CN114374548A (en) * | 2021-12-29 | 2022-04-19 | 中国电信股份有限公司 | Block chain system, communication method thereof, storage medium and program product |
CN114417306A (en) * | 2022-01-04 | 2022-04-29 | 北京金山云网络技术有限公司 | Data processing method, apparatus, electronic device, and computer-readable storage medium |
US12423687B1 (en) | 2022-02-18 | 2025-09-23 | Halborn Inc. | Automated rule-based smart contract approval via blockchain cybersecurity authentication services |
CN114710362A (en) * | 2022-04-22 | 2022-07-05 | 中国工商银行股份有限公司 | Identity authentication method and device based on block chain and electronic equipment |
CN115174146B (en) * | 2022-06-02 | 2024-02-23 | 浙江毫微米科技有限公司 | Communication method and device based on distributed identity |
CN115174146A (en) * | 2022-06-02 | 2022-10-11 | 浙江毫微米科技有限公司 | Communication method and device based on distributed identity |
CN115174107A (en) * | 2022-06-30 | 2022-10-11 | 中国联合网络通信集团有限公司 | Authentication method, device, equipment and storage medium of virtual user |
CN115913772A (en) * | 2022-12-20 | 2023-04-04 | 四川启睿克科技有限公司 | Zero trust based smart home device safety protection system and method |
CN115913772B (en) * | 2022-12-20 | 2024-06-04 | 四川启睿克科技有限公司 | Intelligent home equipment safety protection system and method based on zero trust |
CN116028575A (en) * | 2022-12-28 | 2023-04-28 | 四川启睿克科技有限公司 | Data storage method based on distributed digital identity |
CN116028575B (en) * | 2022-12-28 | 2025-07-01 | 四川启睿克科技有限公司 | Data storage method based on distributed digital identity |
CN119011163A (en) * | 2023-05-17 | 2024-11-22 | 中国科学院计算技术研究所 | Universal distributed digital identity authentication management method and system with high integration |
CN117193598A (en) * | 2023-05-31 | 2023-12-08 | 山东浪潮爱购云链信息科技有限公司 | Online invoice butt joint method, equipment and medium |
CN116701538A (en) * | 2023-06-21 | 2023-09-05 | 中国银行股份有限公司 | Method, device, equipment, and storage medium for issuing electronic seals based on blockchain |
CN119316835A (en) * | 2024-10-14 | 2025-01-14 | 中移互联网有限公司 | A method of data sharing |
Also Published As
Publication number | Publication date |
---|---|
CN112199721B (en) | 2024-09-10 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
CN112199721B (en) | | Authentication information processing method, device, equipment and storage medium |
AU2021206913B2 (en) | | Systems and methods for distributed data sharing with asynchronous third-party attestation |
US11777726B2 (en) | | Methods and systems for recovering data using dynamic passwords |
CN110874464B (en) | | User authentication data management method and device |
JP7083892B2 (en) | | Mobile authentication interoperability of digital certificates |
US11888997B1 (en) | | Certificate manager |
US12160527B2 (en) | | Systems and methods of ring usage certificate extension |
US9768965B2 (en) | | Methods and apparatus for validating a digital signature |
KR102280061B1 (en) | | Corporation related certificate issue system and method using did based on blockchain |
US20100138662A1 (en) | | Digital signature assurance system, method, program and apparatus |
US7167985B2 (en) | | System and method for providing trusted browser verification |
CN110555029A (en) | | Ticket management method and device based on block chain and storage medium |
CN109981287B (en) | | Code signing method and storage medium thereof |
US8479006B2 (en) | | Digitally signing documents using identity context information |
JP2002164884A (en) | | Proxy server, electronic signature system, electronic signature verification system, network system, electronic signature method, electronic signature verification method, recording medium and program transmission device |
CN114666168A (en) | | Decentralized identity certificate verification method and device, and electronic equipment |
CN112541199A (en) | | Block chain-based electronic storage certificate integrity verification method and electronic equipment |
GB2391438A (en) | | Electronic sealing for electronic transactions |
CN113129008A (en) | | Data processing method and device, computer readable medium and electronic equipment |
HK40038188A (en) | | Method and apparatus for processing authentication information, device and storage medium |
JP2003108708A (en) | | Security application framework and electronic application system, device, method, and program using security application framework |
Morales et al. | | Enhancing the ACME protocol to automate the management of all X.509 web certificates (Extended version) |
US20220301376A1 (en) | | Method and System for Deployment of Authentication Seal in Secure Digital Voting |
Klingelbrunner | | Data protection in SSI systems based on Hyperledger technology (original title: Datenschutz in SSI Systemen basierend auf Hyperledger Technologie) |
JP2024140795A (en) | | Program, information processing apparatus and information processing method |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
| PB01 | Publication | |
| SE01 | Entry into force of request for substantive examination | |
| REG | Reference to a national code | Ref country code: HK; Ref legal event code: DE; Ref document number: 40038188; Country of ref document: HK |
| GR01 | Patent grant | |