TWI888124B - Service systems and methods based on decentralized identifier verification - Google Patents
Service systems and methods based on decentralized identifier verification Download PDFInfo
- Publication number
- TWI888124B TWI888124B TW113116425A TW113116425A TWI888124B TW I888124 B TWI888124 B TW I888124B TW 113116425 A TW113116425 A TW 113116425A TW 113116425 A TW113116425 A TW 113116425A TW I888124 B TWI888124 B TW I888124B
- Authority
- TW
- Taiwan
- Prior art keywords
- certificate
- server
- application
- client
- blockchain
- Prior art date
Links
Images
Landscapes
- Management, Administration, Business Operations System, And Electronic Commerce (AREA)
Abstract
Description
本揭示內容係關於一種基於區塊鏈的服務系統,特別是利用去中心化身份來驗證使用者,並給予對應的憑證,進而提供使用者所需之服務。 This disclosure is about a blockchain-based service system, specifically using decentralized identity to verify users and provide corresponding certificates to provide the services required by users.
開放授權(OAuth)是一種開放標準,使用者藉由提供第三方網站或應用程式特定權限,使其可於一限定時間內拜訪使用者儲存於某一平台上的個人訊息,據以允許使用者於網站或應用程式上快速註冊及登入。舉例來說,使用者欲在新的網站註冊身份,可藉由Facebook、Google或其他已存在之平台作為登入方式,授權給當前的網站有限度取得使用者儲存於Facebook、Google或其他平台的相關資訊。換句話說,使用者身份驗證的工作是委由選擇的平台完成。這樣的認證方式大幅提升使用者進入新網站,或是使用新應用程式的便利性,卻也產生資料安全性的隱憂。 Open Authorization (OAuth) is an open standard that allows users to quickly register and log in to websites or applications by providing third-party websites or applications with specific permissions, allowing them to access personal information stored by users on a certain platform within a limited time. For example, if a user wants to register an identity on a new website, he can use Facebook, Google or other existing platforms as a login method to authorize the current website to obtain limited relevant information stored by the user on Facebook, Google or other platforms. In other words, the work of user identity verification is entrusted to the selected platform. This authentication method greatly improves the convenience of users entering new websites or using new applications, but it also creates concerns about data security.
具體來說,若第三方網站或應用程式遭受攻擊,則授權時產生的權限及使用者資訊都有洩漏的可能;此外,授權機制若過於簡單或授權範圍設定不良,導致第三方獲取過多的授權,可能造成資料濫用。 Specifically, if a third-party website or application is attacked, the permissions and user information generated during authorization may be leaked; in addition, if the authorization mechanism is too simple or the authorization scope is poorly set, the third party may obtain too many authorizations, which may lead to data abuse.
有鑑於此,本領域亟需一種新穎的身份驗證方法,藉由提供一身份憑證來確認使用者身份,不僅能將個人資料的掌控權回歸到使用者身上,讓使用者可依據其選擇給予第三方特定驗證結果,據以取代目前授權第三方能夠直接訪問取得個人資料的驗證方法,以確保個人資料的安全性。 In view of this, a novel identity verification method is urgently needed in this field. By providing an identity certificate to confirm the identity of the user, the control of personal data can be returned to the user, allowing the user to give a third party a specific verification result according to his/her choice, thereby replacing the current verification method of authorizing a third party to directly access personal data to ensure the security of personal data.
發明內容旨在提供本揭示內容的簡化摘要,以使閱讀者對本揭示內容具備基本的理解。此發明內容並非本揭示內容的完整概述,且其用意並非在指出本發明實施例的重要/關鍵元件或界定本發明的範圍。 The content of the invention is intended to provide a simplified summary of the disclosure so that readers can have a basic understanding of the disclosure. This content of the invention is not a complete overview of the disclosure, and it is not intended to point out the important/key elements of the embodiments of the invention or to define the scope of the invention.
本揭示內容的第一態樣係關於一種基於去中心化身份驗證的服務系統,與用戶端通訊連接,用以提供用戶端所欲之服務。依據本揭示內容一實施方式,所述服務系統包含區塊鏈、應用程式、第一伺服器及第二伺服器,其中所述區塊鏈中儲存有用戶端的身份資訊;所述應用程式與用戶端通訊連接,用以接收來自用戶端的憑證申請及服務申請;所述第一伺服器分別與區塊鏈及應用程式通訊連接,用以對應憑證申請產生憑證,且將憑證轉換為雜湊憑證,並上傳至區塊鏈;以及第二伺服器分別與區塊鏈及應用程式通訊連接,用以對應服務申請產生所述服務,並且將服務傳送至應用程式以提供服務至用戶端。在本揭示內容實施方式中,所述第一伺服器透過執行以下步驟產生所述憑證:(a)接收來自應用程式的憑證申請;(b)自區塊鏈取得身份資訊,以驗證用戶端,產生第一身份驗證結果;(c)依據第一身份驗證結果,對應所述憑證申請產生憑證;以及所述第二伺服器透過執行以下步驟產生所述服務:(i)接收來自應用程式的憑證及服務申請;(ii)自區塊鏈取得身份資訊,以驗證用戶端,產生第二身份驗證結果; (iii)將步驟(i)之憑證與區塊鏈上的雜湊憑證進行驗證,以產生憑證驗證結果;以及(iv)依據步驟(ii)的第二身份驗證結果及步驟(iii)的憑證驗證結果,對應服務申請產生所述服務。 The first aspect of the disclosure is about a decentralized identity authentication-based service system that communicates with a client to provide the service desired by the client. According to an implementation method of the present disclosure, the service system includes a blockchain, an application, a first server and a second server, wherein the blockchain stores identity information of a client; the application is connected in communication with the client to receive a certificate application and a service application from the client; the first server is connected in communication with the blockchain and the application respectively to generate a certificate corresponding to the certificate application, and convert the certificate into a hashed certificate and upload it to the blockchain; and the second server is connected in communication with the blockchain and the application respectively to generate the service corresponding to the service application, and transmit the service to the application to provide the service to the client. In the implementation method of the present disclosure, the first server generates the certificate by executing the following steps: (a) receiving a certificate application from an application; (b) obtaining identity information from a blockchain to verify the client and generate a first identity verification result; (c) generating a certificate corresponding to the certificate application based on the first identity verification result; and the second server generates the service by executing the following steps: (i) receiving a certificate application from an application; (ii) obtaining identity information from a blockchain to verify the client and generate a first identity verification result; (iii) generating a certificate corresponding to the certificate application based on the first identity verification result; and (ii) obtaining identity information from the blockchain to verify the client and generate a second identity verification result; (iii) verifying the certificate of step (i) with the hashed certificate on the blockchain to generate a certificate verification result; and (iv) generating the service corresponding to the service application based on the second identity verification result of step (ii) and the certificate verification result of step (iii).
依據本揭示內容一實施方式,所述應用程式藉由第一連結及第二連結分別與第一伺服器及第二伺服器通訊連接。 According to an implementation method of the present disclosure, the application communicates with the first server and the second server via the first link and the second link respectively.
依據本揭示內容另一實施方式,在步驟(c)之後,第一伺服器更用以執行:(d)基於第一伺服器的私鑰對憑證進行簽章,以產生第一簽章憑證;以及(e)將第一簽章憑證傳送至應用程式。在本揭示內容一實施方式中,所述應用程式在接收到來自第一伺服器的第一簽章憑證後,則基於第一伺服器的公鑰對第一簽章憑證進行驗證;更用以基於應用程式的私鑰對第一簽章憑證進行簽章,以產生第二簽章憑證,並傳送至第二伺服器。在本揭示內容一例示性實施方式中,所述第二伺服器在接收到來自應用程式的第二簽章憑證後,更用以基於應用程式的公鑰以及第一伺服器的公鑰對第二簽章憑證進行驗證。 According to another embodiment of the disclosure, after step (c), the first server is further configured to execute: (d) signing the certificate based on the private key of the first server to generate a first signature certificate; and (e) transmitting the first signature certificate to the application. In an embodiment of the disclosure, after receiving the first signature certificate from the first server, the application verifies the first signature certificate based on the public key of the first server; and further signs the first signature certificate based on the private key of the application to generate a second signature certificate, and transmits the second signature certificate to the second server. In an exemplary implementation of the present disclosure, after receiving the second signature certificate from the application, the second server is further used to verify the second signature certificate based on the public key of the application and the public key of the first server.
依據本揭示內容某些實施方式,所述第一伺服器在上傳雜湊憑證至區塊鏈之前,是依據一寫入權限將雜湊憑證上傳至區塊鏈。在本揭示內容一實施方式中,雜湊憑證係將憑證通過雜湊函數所產生。依據本揭示內容一具體實施方式,程序(iii)更包含:(iii-1)將程序(i)之憑證通過所述雜湊函數,以產生待驗證雜湊憑證;以及(iii-2)將待驗證雜湊憑證與雜湊憑證進行比對,以產生憑證驗證結果。 According to certain implementations of the present disclosure, the first server uploads the hash certificate to the blockchain based on a write permission before uploading the hash certificate to the blockchain. In an implementation of the present disclosure, the hash certificate is generated by passing the certificate through a hash function. According to a specific implementation of the present disclosure, procedure (iii) further includes: (iii-1) passing the certificate of procedure (i) through the hash function to generate a hash certificate to be verified; and (iii-2) comparing the hash certificate to be verified with the hash certificate to generate a certificate verification result.
本揭示內容的第二態樣係關於一種基於去中心化身份來驗證用戶端身份的方法。依據本揭示內容一具體實施方式,所述方法包含: (1)提供一驗證平台,包含區塊鏈、應用程式、第一伺服器及第二伺服器,其中區塊鏈儲存有用戶端的身份資訊;以及所述應用程式分別與第一伺服器及第二伺服器通訊連接,且第一及第二伺服器分別與區塊鏈通訊連接;(2)依據用戶端的操作自應用程式傳送憑證申請至第一伺服器;(3)第一伺服器接收憑證申請,用以執行以下程序:(3-1)自區塊鏈取得所述身份資訊,以驗證用戶端,並產生第一身份驗證結果;(3-2)依據第一身份驗證結果,對應憑證申請產生憑證,並將憑證傳送至應用程式;以及(3-3)將憑證轉換為雜湊憑證,上傳至區塊鏈;(4)依據用戶端的操作自應用程式傳送憑證至第二伺服器;(5)第二伺服器接收憑證,用以執行以下程序:(5-1)自區塊鏈取得所述身份資訊,以驗證用戶端,產生第二身份驗證結果;以及(5-2)依據第二身份驗證結果,將憑證與區塊鏈上的雜湊憑證進行驗證,以產生憑證驗證結果;以及(5-3)依據憑證驗證結果確認用戶端的身份。 The second aspect of the disclosure is about a method for verifying the identity of a client based on a decentralized identity. According to a specific implementation of the disclosure, the method includes: (1) providing a verification platform, including a blockchain, an application, a first server and a second server, wherein the blockchain stores the identity information of the client; and the application is respectively connected to the first server and the second server, and the first and second servers are respectively connected to the blockchain; (2) according to the operation of the client, the application sends a certificate application to the first server; (3) the first server receives the certificate application and executes the following procedures: (3-1) obtains the identity information from the blockchain to verify the client and generates a first identity verification result; (3-2 ) Based on the first identity verification result, generate a certificate corresponding to the certificate application and transmit the certificate to the application; and (3-3) convert the certificate into a hash certificate and upload it to the blockchain; (4) transmit the certificate from the application to the second server based on the operation of the client; (5) The second server receives the certificate and executes the following procedures: (5-1) obtain the identity information from the blockchain to verify the client and generate a second identity verification result; and (5-2) based on the second identity verification result, verify the certificate with the hash certificate on the blockchain to generate a certificate verification result; and (5-3) confirm the identity of the client based on the certificate verification result.
依據本揭示內容可任選的實施方式,步驟(1)更包含:(1-1)第一伺服器及第二伺服器分別產生第一連結以及第二連結;以及(1-2)應用程式透過第一連結及第二連結,分別與第一伺服器及第二伺服器通訊連接。 According to an optional implementation of the present disclosure, step (1) further includes: (1-1) the first server and the second server generate a first link and a second link respectively; and (1-2) the application communicates with the first server and the second server respectively through the first link and the second link.
在本揭示內容一實施方式中,步驟(3-3)係依據一寫入權限將雜湊憑證上傳至區塊鏈。 In an implementation method of the present disclosure, step (3-3) is to upload the hash certificate to the blockchain based on a write permission.
依據本揭示內容一具體實施方式,步驟(3)係藉由將憑證通過一雜湊函數以產生雜湊憑證。在本揭示內容實施方式中,步驟(5-2)係將所述憑證通過該雜湊函數,產生一待驗證雜湊憑證,並將待驗證雜湊憑證與雜湊憑證進行比對,以產生憑證驗證結果。 According to a specific implementation of the present disclosure, step (3) is to generate a hash certificate by passing the certificate through a hash function. In the implementation of the present disclosure, step (5-2) is to pass the certificate through the hash function to generate a hash certificate to be verified, and compare the hash certificate to be verified with the hash certificate to generate a certificate verification result.
依據本揭示內容另一實施方式,步驟(3-2)更包含基於第一伺服器的私鑰對憑證進行簽章,以產生第一簽章憑證,並將第一簽章憑證傳送至應用程式。在本揭示內容實施方式中,步驟(4)更包含基於第一伺服器的公鑰對第一簽章憑證進行驗證;以及基於應用程式的私鑰對第一簽章憑證進行簽章,以產生第二簽章憑證,並傳送至第二伺服器。在本揭示內容一實施例中,步驟(5)更包含基於應用程式的公鑰以及第一伺服器的公鑰對第二簽章憑證進行驗證。 According to another embodiment of the disclosure, step (3-2) further includes signing the certificate based on the private key of the first server to generate a first signature certificate, and transmitting the first signature certificate to the application. In the embodiment of the disclosure, step (4) further includes verifying the first signature certificate based on the public key of the first server; and signing the first signature certificate based on the private key of the application to generate a second signature certificate, and transmitting it to the second server. In an embodiment of the disclosure, step (5) further includes verifying the second signature certificate based on the public key of the application and the public key of the first server.
在參閱下文實施方式後,本發明所屬技術領域中具有通常知識者當可輕易瞭解本發明之基本精神及其他發明目的,以及本發明所採用之技術手段與實施態樣。 After reading the implementation method below, a person with ordinary knowledge in the technical field to which the present invention belongs can easily understand the basic spirit and other invention purposes of the present invention, as well as the technical means and implementation methods adopted by the present invention.
100:服務系統 100: Service system
110:區塊鏈 110: Blockchain
120:應用程式 120: Applications
130:第一伺服器 130: First server
140:第二伺服器 140: Second server
S210-S230、S310-S340、S410-S450:步驟 S210-S230, S310-S340, S410-S450: Steps
U:用戶端 U: Client
為讓本發明的上述與其他目的、特徵、優點與實施方式能更明顯易懂,所附圖式之說明如下。 In order to make the above and other purposes, features, advantages and implementation methods of the present invention more clearly understood, the attached drawings are described as follows.
第1圖為依據本揭示內容一實施方式所繪示之服務系統100示意圖;
第2圖為第1圖之服務系統100的第一伺服器130產生憑證的流程圖;第3圖為第1圖之服務系統100的第二伺服器140產生服務的流程圖;第4圖為依據本揭示內容一實施方式所繪示之方法的流程圖。
FIG. 1 is a schematic diagram of a
根據慣常的作業方式,圖中各種特徵與元件並未依比例繪製,其繪製方式是為了以最佳的方式呈現與本新型相關的具體特徵與元件。此外,在不同圖式間,以相同或相似的元件符號來指稱相似的元件/部件。 According to the usual practice, the various features and components in the figure are not drawn to scale. The drawing method is to present the specific features and components related to the new invention in the best way. In addition, the same or similar component symbols are used to refer to similar components/parts between different figures.
為了使本揭示內容的敘述更加詳盡與完備,下文針對了本發明的實施態樣與具體實施例提出了說明性的描述;但這並非實施或運用本發明具體實施例的唯一形式。實施方式中涵蓋了多個具體實施例的特徵以及用以建構與操作這些具體實施例的方法步驟與其順序。然而,亦可利用其他具體實施例來達成相同或均等的功能與步驟順序。 In order to make the description of the disclosure more detailed and complete, the following provides an illustrative description of the implementation and specific embodiments of the present invention; however, this is not the only form of implementing or using the specific embodiments of the present invention. The implementation covers the features of multiple specific embodiments and the method steps and their sequence for constructing and operating these specific embodiments. However, other specific embodiments can also be used to achieve the same or equal functions and step sequences.
I 定義 I Definition
為方便起見,本說明書、實施例及所附申請專利範圍中所使用的特定專有名詞集中在此。除非本說明書另有定義,此處所使用的科學與技術詞彙的含義與本新型所屬技術領域中具有通常知識者所理解與慣用的意義相同。並且,在和上下文不相衝突的情形下,本說明書所使用的單數名詞涵蓋該名詞的複數型,而所使用的複數名詞時亦涵蓋該名詞的單數型。具體而言,在本說明書與申請專利範圍中,單數形式「一」(a及an)包括複數參考值,但依據上下文而另有 指示者除外。此外,在本說明書與申請專利範圍中,「至少一」(at least one)與「一或多」(one or more)表述方式的意義相同,兩者都代表包含了一、二、三或更多。 For convenience, specific terms used in this specification, embodiments and the attached patent claims are collected here. Unless otherwise defined in this specification, the scientific and technical terms used herein have the same meaning as those understood and used by ordinary knowledgeable persons in the technical field to which the novel invention belongs. In addition, where there is no conflict with the context, singular terms used in this specification include plural forms of the terms, and plural terms used also include singular forms of the terms. Specifically, in this specification and the patent claims, the singular forms "a" and "an" include plural references unless otherwise indicated by the context. In addition, in this specification and the patent claims, the expressions "at least one" and "one or more" have the same meaning, and both represent one, two, three or more.
在本揭示內容中,所述「用戶端」包含任何能夠與至少一伺服器或應用程式通訊連接的計算機裝置,其中所述通訊連接不限於有線或無線網路連接。依據本發明一實施方式,所述「用戶端」包含至少一圖形顯示裝置(graphical display device),讓使用者能夠透過圖形化使用者介面(graphical user interface)與應用程式、工具、服務或軟體互動。所述「用戶端」為使用者透過計算機裝置或終端機與本系統互動的位置。在此,所述用戶端的使用者係指透過「用戶端」與本發明系統互動的人,較佳為擁有身份相關資訊、文件等資源的任何人。再者,本技術領域具有通常知識者應當可以理解,所述用戶端的數量可以是一或多個。 In the present disclosure, the "client" includes any computer device that can communicate with at least one server or application, wherein the communication connection is not limited to a wired or wireless network connection. According to one embodiment of the present invention, the "client" includes at least one graphical display device, allowing the user to interact with the application, tool, service or software through a graphical user interface. The "client" is the location where the user interacts with the system through a computer device or terminal. Here, the user of the client refers to a person who interacts with the system of the present invention through the "client", preferably anyone who has identity-related information, documents and other resources. Furthermore, a person with ordinary knowledge in the field of technology should understand that the number of the client can be one or more.
在本揭示內容中,所述「應用程式」(application)是指針對特定使用目的所撰寫,用於在計算機、手機、平板電腦或其他裝置上執行特定的任務或功能的程式。常見的應用程式包含各種不同的功能和用途,包括用於工業上進行自動化操作、控制器、執行業務管理、內容訪問、教育、仿真、多媒體開發及產品工程等用途。在本揭示內容中,所述「應用程式」為一種中介軟體/控制器,負責接收來自使用者的指令或請求,並在系統中協調和轉發該些請求,以確保系統的正確運行和有效通訊。 In this disclosure, the "application" refers to a program written for a specific purpose and used to perform specific tasks or functions on a computer, mobile phone, tablet or other device. Common applications include a variety of functions and uses, including industrial automation, controllers, business management, content access, education, simulation, multimedia development and product engineering. In this disclosure, the "application" is a middleware/controller that is responsible for receiving instructions or requests from users and coordinating and forwarding these requests in the system to ensure the correct operation and effective communication of the system.
在本揭示內容中,所述「伺服器」是一種電腦系統,用來提供服務、資源或功能給其他電腦或設備,通常具備至少某種形式的儲存單元及通訊單元。所述的儲存單元包含依電性、及非依電性、可移除及不可移除媒體,可運用適當的方法或技術,使上述媒體能用於儲存所欲資訊(如:電腦可讀取指令、資料結構、應用程式模組、及其他資料)。儲存媒體包含但不限於:隨機存取記憶體(random access memory,RAM)、唯讀記憶體(read only memory,ROM)、 電子抹除式可複寫唯讀記憶體(Electrically-Erasable Programmable Read-Only Memory,EEPROM)、快閃記憶體(flash memory)、或其他記憶體技術、唯讀光碟記憶體(CD-ROM)、數位多功能影音光碟(DVD)、或其他光學儲存器、磁匣、磁帶、磁碟片儲存器、以及其他磁性儲存裝置、或任何能夠用以儲存所需資訊且可供處理器存取之其他媒體。一般而言,通訊單元可將電腦可讀取指令、資料、結構、應用程式模組及其他資料具體實作成各種資料訊號,且可透過任何通訊媒體傳遞之。作為例示而非限制,通訊媒體包含有線媒體(如有線網路或直接有線連線)及無線媒體(如音波、紅外線、無線電、微波、展頻技術、及其他無線媒體技術)。在本揭示內容一實施方式中,所述伺服器為與用戶端連接的電腦系統,及/或不同機構(例如:金融、教育、保險機構等)用以驗證使用者身份的電腦系統。 In the present disclosure, the "server" is a computer system that provides services, resources or functions to other computers or devices, and usually has at least some form of storage unit and communication unit. The storage unit includes volatile and non-volatile, removable and non-removable media, and appropriate methods or techniques can be used to enable the above media to be used to store desired information (such as computer readable instructions, data structures, application modules, and other data). Storage media includes, but is not limited to, random access memory (RAM), read only memory (ROM), Electrically-Erasable Programmable Read-Only Memory (EEPROM), flash memory, or other memory technology, compact disc-ROM, digital versatile disc (DVD), or other optical storage, magnetic cartridges, magnetic tapes, magnetic disk storage, and other magnetic storage devices, or any other media capable of storing the required information and accessible to the processor. Generally speaking, the communication unit can implement computer-readable instructions, data, structures, application modules and other data into various data signals, and can transmit them through any communication media. As an example and not a limitation, the communication media includes wired media (such as wired networks or direct wired connections) and wireless media (such as sound waves, infrared rays, radio, microwaves, spread spectrum technology, and other wireless media technologies). In an embodiment of the present disclosure, the server is a computer system connected to the client, and/or a computer system used by different institutions (such as financial, educational, insurance institutions, etc.) to verify the identity of the user.
在本揭示內容中,所述「憑證」是指用於證明使用者之身份、權限或資格的數位資訊,通常是由可信任的機構簽發。一般而言,所述「憑證」不會包含使用者的真實資料(如出生日期、身份證號碼等),而是僅記載驗證之結果。 In this disclosure, the "certificate" refers to digital information used to prove the identity, authority or qualifications of a user, usually issued by a trusted organization. Generally speaking, the "certificate" does not contain the user's real information (such as date of birth, ID number, etc.), but only records the verification result.
在本揭示內容中,所述「服務」是指履行職務提供具有特定價值、能夠滿足特定需求或是解決問題的活動/工作,包含餐飲、醫療保健、金融、教育、娛樂等服務。舉例來說,所述「服務」是指金融交易服務,當金融機構確認使用者提供的身份憑證後,依據使用者提出的交易申請,將款項移轉至特定收受人的帳戶內,或者是資產移轉。 In this disclosure, the "service" refers to the performance of duties to provide activities/work with specific value, capable of meeting specific needs or solving problems, including catering, medical care, finance, education, entertainment and other services. For example, the "service" refers to financial transaction services, when the financial institution confirms the identity certificate provided by the user, it transfers the funds to the account of a specific recipient or transfers assets according to the transaction application submitted by the user.
本文所述的「雜湊」(hash)一詞是指在區塊鏈或其他分散式系統中用以驗證資料完整性的一串具有固定長度的字串,其係透過數學函數(即:雜湊函數)轉換輸入的數據(例如:身份憑證)。一般來說,將相同內容以相同雜湊 函數進行轉換才可產生相同雜湊值,因此可藉由比較兩組雜湊值的內容,來驗證資料內容的一致性。 The term "hash" in this article refers to a string of fixed length used to verify data integrity in blockchain or other distributed systems. It converts input data (such as identity certificates) through a mathematical function (i.e., hash function). Generally speaking, the same content can only produce the same hash value when converted with the same hash function. Therefore, the consistency of the data content can be verified by comparing the contents of two sets of hash values.
II 具體實施方式 II Specific implementation methods
1.基於去中心化身份驗證的服務系統 1. Service system based on decentralized identity verification
為了改善現行身份認證機制(例如:OAuth)的缺陷,讓使用者可在不過度披露個人資訊的情況下,向其他機構證實自己的身份,以取得所欲的服務。本揭示內容提供一種利用區塊鏈的特性實現基於去中心化身份驗證的服務系統。 In order to improve the defects of the current identity authentication mechanism (such as OAuth), users can verify their identity to other organizations without excessive disclosure of personal information to obtain the desired services. This disclosure provides a service system based on decentralized identity authentication using the characteristics of blockchain.
第1圖為依據本揭示內容一實施方式所繪示之服務系統100的示意圖。如圖所示,本揭示內容服務系統100在結構上包含區塊鏈110、應用程式120、第一伺服器130及第二伺服器140,其中用戶端U透過與所述應用程式120通訊連接,據以將其指令及/或請求傳送至服務系統100中,所述應用程式120與第一伺服器130及第二伺服器140通訊連接,且所述第一及第二伺服器130及140分別與儲存有用戶端U之身份資訊的區塊鏈110進一步通訊連接,從而實現第一及第二伺服器130及140(即,發證方與驗證方)間的憑證交流及驗證。
FIG. 1 is a schematic diagram of a
具體來說,使用者透過電腦、智慧型手機等個人計算機設備(即,用戶端)輸入帳號密碼及/或以生物辨識的方式(例如:指紋、人臉、掌紋、虹膜、視網膜及/或聲音認證)建立與應用程式之間的連線,使使用者可通過用戶端U將傳送申請憑證及服務的請求(即憑證申請及服務申請)傳送至服務系統100中。
Specifically, the user enters the account password through a personal computer device such as a computer or a smart phone (i.e., a client) and/or establishes a connection with the application by means of biometrics (e.g., fingerprint, face, palm print, iris, retina and/or voice authentication), so that the user can send a request for applying for a certificate and a service (i.e., a certificate application and a service application) to the
接著,進一步建立所述應用程式120與第一伺服器130之間的連線,使應用程式120及第一伺服器130間可進行資料傳輸(即,傳送憑證申請與發
送憑證)。依據本揭示內容一例示性實施方式,所述應用程式120藉由第一連結與第一伺服器130建立連接。具體而言,第一伺服器130依據用戶端U的登入訊息產生一第一連結,用戶端U藉由操作該第一連結來確認並建立第一伺服器130與應用程式120間的連線關係。非必要地,所述第一連結是具有時效性,僅限使用者於一段特定時間內操作才可順利建立連線,若逾時則無法通過第一連結建立連線。依據本揭示內容可任選的實施方式,所述第一連結可以統一資源標識符(Uniform Resource Identifier,URI)、統一資源定位符(Uniform Resource Locator,URL;或稱為統一資源定位器、定位位址、URL位址)、統一資源名稱(Uniform Resource Name,URN)、數位物件識別符(Digital Object Identifier,DOI)、永久URL(Persistent URL,PURL)或快速反應矩陣圖碼(Quick Response code,QR code;或稱為QR碼、行動條碼、二維條碼)的形式來定位和訪問網路上的資源,但第一連結的形式並不限於此,本文僅例示性列舉幾種常用於建立跨裝置連線的連結形式,本領域中具有通常知識者可依據實際使用需求,選擇適當的形式來建立連線。在本揭示內容一實施方式中,所述第一連結為URI,用戶端U可藉由點擊URI同意應用程式120與第一伺服器130通訊連接。在本揭示內容另一實施方式中,所述第一連結為二維條碼的形式,用戶端U可藉由掃瞄或解析二維條碼同意應用程式120與第一伺服器130通訊連接。前述建立連接的方法不僅快速,亦可確保連結的正確性。
Then, a connection is further established between the
第一伺服器130與應用程式120建立連線後,可自應用程式120接收到用戶端U輸入的憑證申請,並依據憑證申請的內容產生對應的憑證。
After the first server 130 establishes a connection with the
請同時參照第1圖及第2圖,其中第2圖是依據本揭示內容一實施方式所繪示之第一伺服器130產生憑證的流程圖。如第2圖所示,第一伺服器130係透過執行以下步驟產生憑證: 步驟S210:接收來自應用程式的憑證申請;步驟S220:自區塊鏈取得身份資訊,以驗證用戶端,並產生第一身份驗證結果;以及步驟S230:依據第一身份驗證結果,對應憑證申請產生憑證。 Please refer to Figure 1 and Figure 2 at the same time, wherein Figure 2 is a flowchart of the first server 130 generating a certificate according to an implementation method of the present disclosure. As shown in Figure 2, the first server 130 generates a certificate by executing the following steps: Step S210: receiving a certificate application from an application; Step S220: obtaining identity information from a blockchain to verify the client and generate a first identity verification result; and Step S230: generating a certificate corresponding to the certificate application according to the first identity verification result.
在步驟S210中,來自應用程式120的憑證申請包含用戶端U欲申請之憑證的申請項目。所述申請項目可依據申請的服務種類來決定,其中申請項目包含,但不限於,使用者的姓名、生日、年齡、地址、電話號碼、電子郵件地址、身份識別號碼、駕照號碼、銀行帳戶訊息、信用卡號碼、健康/就醫紀錄、工作紀錄、稅務訊息、婚姻狀態、保險號碼、學歷等與使用者相關的所有訊息。舉例來說,若使用者欲申請轉帳服務,則需要申請憑證來確認帳戶中有足夠的金額可進行此次服務,因此所述申請項目需選擇銀行帳戶訊息,以確認帳戶餘額。
In step S210, the certificate application from the
在步驟S220中,第一伺服器130依據用戶端U的登入訊息取得儲存於區塊鏈110中,對應該使用者身份的身份資訊,以驗證此次申請憑證之使用者是否具合法性(亦即,用戶端U是否為已註冊之用戶),進而產生第一身份驗證結果。依據本揭示內容一例示性實施方式,第一伺服器130作為憑證發證方,需先確認用戶端U的真實身份,並建立對應其身份的身份資訊並儲存於區塊鏈110上,供後續身份驗證程序時使用。亦即,用戶端U需於開始申請憑證前向第一伺服器130進行身份註冊。使用者在註冊身份時,會產生一串代表使用者的不可變的識別符,稱為去中心化身份(Decentralized Identifier,DID),以及一記錄與特定DID相關資料的去中心化身份文檔(DID Document,DID文檔),並將其上傳至區塊鏈110中儲存。所述DID相關資料包含DID擁有者、驗證方法、創建時間、更新時間及服務端點,但不包含使用者的真實個人訊息。具體來說,第一伺服器
130是自區塊鏈110上解析並取得DID文檔(即,用戶端U的身份資訊)來驗證使用者的身份。
In step S220, the first server 130 obtains the identity information corresponding to the user identity stored in the
在步驟S230中,完成前述的驗證流程後,第一伺服器130即可依據第一身份驗證結果對應憑證申請產生所需之憑證,並將憑證回傳至應用程式120。依據本揭示內容非必要的實施方式,所述應用程式120可用以儲存接收到的一或多個憑證,方便用戶端U管理其擁有之憑證。
In step S230, after completing the aforementioned verification process, the first server 130 can generate the required certificate according to the first identity verification result corresponding to the certificate application, and return the certificate to the
此外,為了使憑證之驗證方(例如:第二伺服器140)可進一步驗證憑證內容,第一伺服器130更進一步將產生之憑證通過雜湊函數的運算,轉換為雜湊值(即,雜湊憑證)並寫入所述區塊鏈110。換句話說,若需要修改憑證內的數據,則須重新取得新的憑證,否則驗證方將無法成功驗證新的憑證內容。
In addition, in order to enable the certificate verifier (e.g., the second server 140) to further verify the certificate content, the first server 130 further converts the generated certificate into a hash value (i.e., a hash certificate) through the operation of a hash function and writes it into the
在本揭示內容某些實施方式中,第一伺服器130係依據一寫入權限將雜湊憑證上傳至區塊鏈110。具體來說,區塊鏈110上儲存有一可信任之發證方的清單(或稱為白名單),將第一伺服器130的所屬之機構與可信任之發證方的清單進行比對,若第一伺服器130列於清單中,則給予所述寫入權限;反之,則拒絕第一伺服器130將資料寫入區塊鏈110。所述清單可隨時依需求增減,用以管理可信任的發證方。
In some embodiments of the present disclosure, the first server 130 uploads the hash certificate to the
在本揭示內容服務系統完整的身份及憑證驗證過程中,第一伺服器130產生的憑證會經過多次轉傳,為了讓每個接收資料的站點(即,應用程式120與第二伺服器140)皆能確認憑證的來源。在本揭示內容一實施方式中,第一伺服器130於憑證產生後(即步驟S230後)更基於其私鑰對憑證進行簽章,以產生第一簽章憑證,並將第一簽章憑證傳送至應用程式120。接收到來自第一伺服器130的第一簽章憑證後,應用程式120則可基於第一伺服器130的公鑰(對應前
述第一伺服器130的私鑰)對第一簽章憑證進行驗證,若通過驗證,代表所述憑證是來自第一伺服器130;若無法通過驗證,代表所述憑證並非來自第一伺服器130,則憑證無效。
In the complete identity and certificate verification process of the disclosed content service system, the certificate generated by the first server 130 will be forwarded multiple times so that each site receiving data (i.e., the
當應用程式120接收到所欲之憑證後,進一步建立與第二伺服器140之間的連線,使應用程式120及第二伺服器140間可進行互動(即,傳送憑證、傳送服務申請以及提供服務)。具體來說,應用程式120與第二伺服器140之間建立連線的方式大致上與前述應用程式120與第一伺服器130建立連線的方式相同,其是由第二伺服器140依據用戶端U的登入訊息產生第二連結,用戶端U藉由操作第二連結來建立第二伺服器140與應用程式120間的連線關係。例示性可用以建立跨裝置連線的所述第二連結之形式包含,但不限於,URI、URL、URN、DOI、PURL及QR碼。在本揭示內容一具體實施方式中,所述第二連結可以是URI或QR碼。依據本揭示內容可選擇的實施方式,第一連結及第二連結可以是相同或不同的形式。舉例來說,第一連結及第二連結皆以URI或QR碼呈現;或者是,第一連結以URI呈現,且第二連結以QR碼呈現。
After the
建立連線後,所述第二伺服器140則可接收來自應用程式120的憑證及服務申請,據以產生用戶端U所需的服務,並透過應用程式120將服務提供給用戶端。
After the connection is established, the
第3圖是依據本揭示內容一實施方式所繪示之第二伺服器140產生服務的流程圖。如圖所示,第二伺服器140係透過執行以下步驟產生服務:步驟S310:接收來自應用程式的憑證及服務申請;步驟S320:自區塊鏈取得身份資訊,以驗證用戶端,產生第二身份驗證結果;
步驟S330:將步驟S310之憑證與區塊鏈上的雜湊憑證進行驗證,以產生憑證驗證結果;以及步驟S340:依據步驟S320的第二身份驗證結果及步驟S330的憑證驗證結果,對應服務申請產生服務。
FIG. 3 is a flowchart of the
第二伺服器140接收憑證及服務申請後,分別對用戶端U的身份及憑證進行驗證,確認用戶身份及憑證來源與內容是否可靠,若兩個驗證皆通過,即依據服務申請產生服務;若有任一種驗證未通過,則拒絕提供服務。
After receiving the certificate and service application, the
在步驟S310中,用戶端U可依據需求於應用程式120中選擇欲傳送的憑證,並與服務申請一起傳送至第二伺服器140。依據本揭示內容一具體實施方式,應用程式120會利用其私鑰對憑證進行簽章,使第二伺服器140可基於應用程式120的公鑰來進行驗章,以確認來源。在本揭示內容一實施例中,應用程式120接收到的憑證為利用第一伺服器130的私鑰簽章後的第一簽章憑證,經驗章後所述應用程式120更進一步以其私鑰對第一簽章憑證進行簽章,產生第二簽章憑證,並傳送至第二伺服器140。當第二伺服器140接收到所述第二簽章憑證後,可基於應用程式120的公鑰以及第一伺服器130的公鑰對第二簽章憑證進行驗章,使第二伺服器140可同時確認發證方及中繼程式(即第一伺服器130與應用程式120)。
In step S310, the client U can select the certificate to be transmitted in the
在步驟S320中,第二伺服器140會對用戶端U的身份進行驗證。驗證過程基本上與第一伺服器130執行之身份驗證過程相同(第2圖之步驟S220)。依據本揭示內容一實施例,第二伺服器140依據用戶端U的登入訊息取得儲存於區塊鏈110中,對應使用者身份的身份資訊,據以驗證提出憑證及申請服務之使用者是否具合法性(亦即,用戶端U是否為已註冊於服務系統100
中的用戶),並產生第二身份驗證結果。依據本揭示內容一實施方式,所述第二伺服器140是自區塊鏈110上解析並取得對應用戶端U之DID的DID文檔(即身份資訊)來驗證使用者的身份。
In step S320, the
接著,第二伺服器140會進行憑證內容之驗證。在步驟S330中,第二伺服器140將接收到的憑證通過雜湊函數的運算,產生一待驗證的雜湊憑證,並將所述待驗證的雜湊憑證與區塊鏈110上原有由第一伺服器130上傳之雜湊憑證進行比對,以產生憑證驗證結果,其中,待驗證雜湊憑證與雜湊憑證相符時,即通過驗證;若待驗證雜湊憑證與雜湊憑證不相符,則表示傳送到第二伺服器140的該憑證於傳送過程中可能遭到修改,與第一伺服器130上傳之憑證內容不同,此時驗證未通過。值得注意的是,步驟S310的簽章與驗章是用以驗證憑證的來源,而步驟S330的雜湊驗證則是用以驗證憑證的內容是否遭竄改。透過這樣的驗證流程,能夠先排除來源錯誤的憑證,僅對來自正確發證方的憑證進行內容驗證,以節省伺服器的運算量能,降低伺服器運作過程的能源耗損,並提升其整體效能。
Next, the
最後,在步驟S340中,若用戶端U身份及憑證內容皆通過驗證,第二伺服器140則可依據第二身份驗證結果及憑證驗證結果,對應服務申請來產生用戶端U請求提供的服務,並將所述服務傳回應用程式120,用戶端U則可通過應用程式120獲得所需之服務。
Finally, in step S340, if the identity and certificate content of the client U are both verified, the
2.基於去中心化身份驗證用戶端身份的方法 2. Methods for verifying client identity based on decentralized identity
本揭示內容另提供一種藉由中心化身份與憑證來驗證用戶端身份的方法,以發展取代目前普遍使用之OAuth協議的登入方式,能夠於保有其便利性的同時,提升使用者之個人資訊的安全性。 This disclosure also provides a method of verifying the identity of the client through centralized identity and certificates to develop a login method that replaces the currently commonly used OAuth protocol, which can improve the security of the user's personal information while maintaining its convenience.
第4圖為依據本揭示內容一實施方式所繪示之方法的流程圖。如圖所示,所述方法包含:步驟S410:提供一驗證平台,包含區塊鏈、應用程式、第一伺服器及第二伺服器;步驟S420:依據用戶端的操作自應用程式傳送憑證申請至第一伺服器;步驟S430:第一伺服器接收憑證申請,對應憑證申請產生憑證並傳送至應用程式,且將該憑證轉換為雜湊憑證,並上傳至區塊鏈;步驟S440:依據用戶端的操作自應用程式傳送憑證至第二伺服器;步驟S450:第二伺服器接收憑證,並與區塊鏈上的雜湊憑證進行驗證,據以確認用戶端的身份。 FIG. 4 is a flow chart of a method according to an implementation mode of the present disclosure. As shown in the figure, the method includes: step S410: providing a verification platform, including a blockchain, an application, a first server and a second server; step S420: sending a certificate application from the application to the first server according to the operation of the client; step S430: the first server receives the certificate application, generates a certificate corresponding to the certificate application and sends it to the application, and converts the certificate into a hash certificate and uploads it to the blockchain; step S440: sending the certificate from the application to the second server according to the operation of the client; step S450: the second server receives the certificate and verifies it with the hash certificate on the blockchain to confirm the identity of the client.
具體來說,本揭示內容方法是透過驗證平台來接收用戶端的請求,並利用驗證平台內的功能模組執行身份驗證的流程。 Specifically, the disclosed method receives the client's request through the verification platform and uses the functional module in the verification platform to execute the identity verification process.
在步驟S410中,提供一包含區塊鏈、應用程式、第一伺服器及第二伺服器的驗證平台,其中應用程式作為驗證平台與用戶端的接頭,用以與用戶端通訊連接,且應用程式亦作為第一伺服器及第二伺服器之間的聯絡通道,分別與第一及第二伺服器通訊連接;此外,區塊鏈儲存有用戶端的身份資訊,第一伺服器及第二伺服器則分別再與區塊鏈通訊連接,以利用區塊鏈不易竄改的特性來進行資料儲存及驗證。所述身份資訊為記錄有用戶端之DID相關資料的DID文檔。在本揭示內容中,用戶端是藉由個人計算機設備與步驟S410之驗證平台的應用程式通訊連接,據以輸入請求及/或指令來操作驗證平台執行身份驗證。 In step S410, a verification platform including a blockchain, an application, a first server, and a second server is provided, wherein the application serves as a connection between the verification platform and the client, and is used to communicate with the client, and the application also serves as a communication channel between the first server and the second server, and is respectively communicated with the first and second servers; in addition, the blockchain stores the identity information of the client, and the first server and the second server are respectively communicated with the blockchain to perform data storage and verification by utilizing the characteristics of the blockchain that is not easily tampered with. The identity information is a DID document that records the DID-related data of the client. In this disclosure, the client communicates with the verification platform application in step S410 through a personal computer device, and inputs requests and/or instructions to operate the verification platform to perform identity verification.
依據本揭示內容可選擇的實施方式,用戶端可於個人裝置中選擇與特定的第一及第二伺服器建立連線。在本揭示內容一實施例中,所述應用程式 是透過第一伺服器及第二伺服器產生的第一連結以及第二連結分別與第一及第二伺服器建立連線,使應用程式分別與第一及第二伺服器通訊連接。 According to the optional implementation of the present disclosure, the client can choose to establish a connection with a specific first and second server in the personal device. In an embodiment of the present disclosure, the application establishes a connection with the first and second servers respectively through the first link and the second link generated by the first server and the second server, so that the application communicates with the first and second servers respectively.
在步驟S420中,用戶端透過個人裝置輸入憑證申請請求傳送至應用程式,當應用程式接收到該請求後,進而依據所述請求產生憑證申請並傳送至第一伺服器。所述憑證申請包含用戶端的欲申請之憑證的申請項目;舉例來說,申請項目可以是使用者的身份訊息(例如:姓名、生日、年齡、地址、電話號碼、電子郵件地址、身份識別號碼、婚姻狀態及駕照號碼)的認證、金融資訊(例如:銀行帳戶訊息、信用卡號碼及稅務資料)的認證、醫療資訊的認證及/或就業紀錄的認證。由此可知,本揭示內容中所述之身份並非限定為與姓名、年齡、生日等個人訊息,其亦包含與個人相關的狀態、資格;舉例來說,所述身份可以是指使用者的學歷訊息、存款紀錄、就醫資料等。因此,驗證用戶端的身份可以是指確認所述資訊是否為真。 In step S420, the client inputs a certificate application request through a personal device and sends it to the application. When the application receives the request, it generates a certificate application according to the request and sends it to the first server. The certificate application includes application items of the certificate that the client wants to apply for; for example, the application items can be authentication of the user's identity information (e.g., name, birthday, age, address, phone number, email address, ID number, marital status and driver's license number), authentication of financial information (e.g., bank account information, credit card number and tax information), authentication of medical information and/or authentication of employment records. It can be seen that the identity described in this disclosure is not limited to personal information such as name, age, birthday, etc. It also includes personal status and qualifications; for example, the identity can refer to the user's academic information, deposit records, medical records, etc. Therefore, verifying the identity of the client can mean confirming whether the information is true.
接著,在步驟S430中,第一伺服器接收到憑證申請後,先自區塊鏈取得對應用戶端的身份資訊,驗證使用者是否為已註冊的用戶,並產生第一身份驗證結果。依據第一身份驗證結果,確認用戶端身份的合法性(即該使用者為已註冊之用戶),並對應憑證申請產生所需的憑證並傳送至應用程式。非必要地,所述應用程式可用以儲存及管理接收到的憑證。 Then, in step S430, after receiving the certificate application, the first server first obtains the identity information of the corresponding client from the blockchain, verifies whether the user is a registered user, and generates a first identity verification result. Based on the first identity verification result, the legitimacy of the client identity is confirmed (i.e., the user is a registered user), and the required certificate is generated in response to the certificate application and transmitted to the application. Optionally, the application can be used to store and manage the received certificate.
第一伺服器亦將憑證轉換為一雜湊憑證,並上傳至區塊鏈儲存,供後續驗證憑證時使用。依據本揭示內容一實施方式,第一伺服器係藉由將憑證通過一雜湊函數以產生所述雜湊憑證。 The first server also converts the certificate into a hash certificate and uploads it to the blockchain for storage for subsequent certificate verification. According to an implementation method of the present disclosure, the first server generates the hash certificate by passing the certificate through a hash function.
此外,依據本揭示內容一具體實施方式,第一伺服器須被列於可信任之發證方的白名單中才可取得將資料上傳至區塊鏈的寫入權限,並依據寫 入權限將雜湊憑證上傳至區塊鏈。然而,若第一伺服器未被列於白名單中,則拒絕其將資料上傳至區塊鏈。所述白名單可隨時依需求增減,用以管理可信任的發證方清單。 In addition, according to a specific implementation of the present disclosure, the first server must be listed in the whitelist of trusted issuers to obtain the write permission to upload data to the blockchain, and upload the hash certificate to the blockchain based on the write permission. However, if the first server is not listed in the whitelist, it is denied to upload data to the blockchain. The whitelist can be increased or decreased at any time according to demand to manage the list of trusted issuers.
在步驟S440中,用戶端可自應用程式中選擇特定憑證,將其傳送至第二伺服器。 In step S440, the client can select a specific certificate from the application and send it to the second server.
最後,在步驟S450中,第二伺服器接收到來應用程式的憑證後,同樣會自區塊鏈取得對應用戶端的身份資訊,驗證使用者是否為已註冊的用戶,並產生第二身份驗證結果。接著,第二伺服器將接收到的憑證通過步驟S430中使用之相同雜湊函數運算,產生待驗證雜湊憑證與區塊鏈上的雜湊憑證進行比對,並產生憑證驗證結果,以確認用戶端的身份。 Finally, in step S450, after receiving the certificate of the application, the second server will also obtain the identity information of the corresponding client from the blockchain, verify whether the user is a registered user, and generate a second identity verification result. Then, the second server will use the same hash function operation on the received certificate used in step S430 to generate a hash certificate to be verified and compare it with the hash certificate on the blockchain, and generate a certificate verification result to confirm the identity of the client.
由於第一及第二伺服器皆可與複數個不同的應用程式(即不同用戶端)連接,為了使資料來源更加明確,可於傳送資料的每一個接收方(即應用程式及第二伺服器)設立檢查機制,避免以錯誤的資料執行驗證程序,進而影響整體驗證效率。在本揭示內容一實施方式中,所述憑證在傳送至應用程式前,第一伺服器會以其私鑰進行簽章,以產生第一簽章憑證,據以供憑證接收方確認發證方(即,第一伺服器)的身份;當應用程式接收到第一簽章憑證時,為了確認憑證的來源為第一伺服器,會先利用第一伺服器的公鑰對第一簽章憑證進行驗證,若驗證成功即可確認來源;以及,應用程式更進一步基於應用程式自身的私鑰對第一簽章憑證進行簽章,以產生第二簽章憑證,並將第二簽章憑證傳送至第二伺服器。如上所述,第二伺服器從應用程式收到第二簽章憑證時,則可基於應用程式的公鑰以及第一伺服器的公鑰對第二簽章憑證進行二次驗證,以確認發證方身份以及應用程式的來源。 Since both the first and second servers can be connected to multiple different applications (i.e., different clients), in order to make the data source more specific, a checking mechanism can be established at each recipient of the transmitted data (i.e., the application and the second server) to avoid executing the verification process with incorrect data, thereby affecting the overall verification efficiency. In an implementation method of the present disclosure, before the certificate is transmitted to the application, the first server will sign it with its private key to generate a first signature certificate, which is used by the certificate recipient to confirm the identity of the issuer (i.e., the first server); when the application receives the first signature certificate, in order to confirm that the source of the certificate is the first server, the first signature certificate will be verified using the public key of the first server. If the verification is successful, the source can be confirmed; and the application further signs the first signature certificate based on the application's own private key to generate a second signature certificate, and transmits the second signature certificate to the second server. As described above, when the second server receives the second signature certificate from the application, it can perform a second verification on the second signature certificate based on the public key of the application and the public key of the first server to confirm the identity of the issuer and the source of the application.
總結上述,本揭示內容提供一種基於去中心化身份驗證的服務系統及驗證用戶端身份的方法,藉由憑證及去中心化身份將驗證過程中的資料控制權回歸到使用者身上,降低個人資料外洩的可能性,並透過分階段驗證的方式篩選掉錯誤的資料,提升資料及使用者的正確性及可靠性,且可減少伺服器執行不必要的驗證運算。 In summary, this disclosure provides a service system based on decentralized identity authentication and a method for authenticating the identity of a client. Through certificates and decentralized identities, the data control in the authentication process is returned to the user, reducing the possibility of personal data leakage, and filtering out erroneous data through a phased authentication method, thereby improving the accuracy and reliability of data and users, and reducing unnecessary authentication operations performed by the server.
應當理解的是,前述對實施方式的描述僅是以實施例的方式給出,且本領域所屬技術領域中具有通常知識者可進行各種修改。以上說明書、實施例及實驗結果提供本發明之例示性實施方式之結構與用途的完整描述。雖然上文實施方式中揭露了本發明的各種具體實施例,然其並非用以限定本發明,本發明所屬技術領域中具有通常知識者,在不悖離本發明之原理與精神的情形下,當可對其進行各種更動與修飾,因此本發明之保護範圍當以附隨申請專利範圍所界定者為準。 It should be understood that the above description of the embodiments is given only in the form of embodiments, and those with ordinary knowledge in the art to which this invention belongs can make various modifications. The above specification, embodiments and experimental results provide a complete description of the structure and use of the exemplary embodiments of the present invention. Although various specific embodiments of the present invention are disclosed in the above embodiments, they are not used to limit the present invention. Those with ordinary knowledge in the art to which this invention belongs can make various changes and modifications to it without deviating from the principles and spirit of the present invention. Therefore, the scope of protection of the present invention shall be based on the scope defined by the attached patent application.
100:服務系統 100: Service system
110:區塊鏈 110: Blockchain
120:應用程式 120: Applications
130:第一伺服器 130: First server
140:第二伺服器 140: Second server
U:用戶端 U: Client
Claims (10)
Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| TW113116425A TWI888124B (en) | 2024-05-02 | 2024-05-02 | Service systems and methods based on decentralized identifier verification |
Applications Claiming Priority (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| TW113116425A TWI888124B (en) | 2024-05-02 | 2024-05-02 | Service systems and methods based on decentralized identifier verification |
Publications (2)
| Publication Number | Publication Date |
|---|---|
| TWI888124B true TWI888124B (en) | 2025-06-21 |
| TW202545161A TW202545161A (en) | 2025-11-16 |
Family
ID=97227643
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| TW113116425A TWI888124B (en) | 2024-05-02 | 2024-05-02 | Service systems and methods based on decentralized identifier verification |
Country Status (1)
| Country | Link |
|---|---|
| TW (1) | TWI888124B (en) |
Citations (7)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN110636057A (en) * | 2019-09-10 | 2019-12-31 | 腾讯科技(深圳)有限公司 | Application access method and device and computer readable storage medium |
| US20230141966A1 (en) * | 2021-11-10 | 2023-05-11 | International Business Machines Corporation | Using Device-Bound Credentials for Enhanced Security of Authentication in Native Applications |
| CN116980163A (en) * | 2022-11-25 | 2023-10-31 | 腾讯科技(深圳)有限公司 | Data processing methods, devices, equipment and media based on trusted execution environment |
| CN117118640A (en) * | 2022-05-17 | 2023-11-24 | 腾讯科技(深圳)有限公司 | A data processing method, device, computer equipment and readable storage medium |
| CN117456646A (en) * | 2023-11-23 | 2024-01-26 | 江苏南北木屋文化科技有限公司 | A smart wooden house access control verification method and system based on the Internet of Things |
| US20240129313A1 (en) * | 2022-10-18 | 2024-04-18 | Oracle International Corporation | Portable Access Point for Secure User Information Using a Blockchain Backed Credential |
| TWM659646U (en) * | 2024-05-02 | 2024-08-21 | 國泰金融控股股份有限公司 | Service system based on decentralized identity authentication |
-
2024
- 2024-05-02 TW TW113116425A patent/TWI888124B/en active
Patent Citations (7)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN110636057A (en) * | 2019-09-10 | 2019-12-31 | 腾讯科技(深圳)有限公司 | Application access method and device and computer readable storage medium |
| US20230141966A1 (en) * | 2021-11-10 | 2023-05-11 | International Business Machines Corporation | Using Device-Bound Credentials for Enhanced Security of Authentication in Native Applications |
| CN117118640A (en) * | 2022-05-17 | 2023-11-24 | 腾讯科技(深圳)有限公司 | A data processing method, device, computer equipment and readable storage medium |
| US20240129313A1 (en) * | 2022-10-18 | 2024-04-18 | Oracle International Corporation | Portable Access Point for Secure User Information Using a Blockchain Backed Credential |
| CN116980163A (en) * | 2022-11-25 | 2023-10-31 | 腾讯科技(深圳)有限公司 | Data processing methods, devices, equipment and media based on trusted execution environment |
| CN117456646A (en) * | 2023-11-23 | 2024-01-26 | 江苏南北木屋文化科技有限公司 | A smart wooden house access control verification method and system based on the Internet of Things |
| TWM659646U (en) * | 2024-05-02 | 2024-08-21 | 國泰金融控股股份有限公司 | Service system based on decentralized identity authentication |
Similar Documents
| Publication | Publication Date | Title |
|---|---|---|
| US11049205B2 (en) | System and method for electronically providing legal instrument | |
| CN111034114B (en) | Blockchain architecture with record security | |
| US10484178B2 (en) | Systems and methods for providing a universal decentralized solution for verification of users with cross-verification features | |
| KR102624700B1 (en) | Biometric identification and verification between IoT devices and applications | |
| US20210273931A1 (en) | Decentralized authentication anchored by decentralized identifiers | |
| RU2710889C1 (en) | Methods and systems for creation of identification cards, their verification and control | |
| US9774606B2 (en) | Cross platform social networking authentication system | |
| US12184787B2 (en) | Hardware security module that enforces signature requirements | |
| CN106911641A (en) | For authorizing the client terminal device for accessing, server unit and access control system | |
| CN108701276A (en) | System and method for managing digital identity | |
| EP3883204B1 (en) | System and method for secure generation, exchange and management of a user identity data using a blockchain | |
| US12423450B2 (en) | Data broker | |
| US20250053977A1 (en) | Decentralized identity-based account and user verification | |
| TWM659646U (en) | Service system based on decentralized identity authentication | |
| WO2024021785A1 (en) | Digital entity processing method and apparatus, device, medium, and program product | |
| WO2019209286A1 (en) | Systems and methods for providing a universal decentralized solution for verification of users with cross-verification features | |
| US20250139611A1 (en) | System and Methods for Implementing Blockchain Based Zero Knowledge Protocol | |
| TWI888124B (en) | Service systems and methods based on decentralized identifier verification | |
| US12062102B2 (en) | Coordination platform for generating and managing authority tokens | |
| US20250071108A1 (en) | Decentralized identifier based authentication with verifiable credentials | |
| TW202545161A (en) | Service systems and methods based on decentralized identifier verification | |
| JP2024541125A (en) | Non-transferable tokens | |
| CN117094723A (en) | Digital asset transaction management method, system, device and storage medium | |
| CN116166743A (en) | Digital asset inheritance system and method based on Hyperledger Fabric super ledger | |
| CN115085997B (en) | Open authorization method and device |