Search

CN-122001565-A - Block chain digital identity authentication method and system based on disclosure

CN122001565ACN 122001565 ACN122001565 ACN 122001565ACN-122001565-A

Abstract

The application discloses a blockchain digital identity authentication method and a blockchain digital identity authentication system according to needs, wherein the method comprises the steps that a user side sends a DID registration instruction to a DID user agent, the DID user agent generates a DID for the user side, a certification party generates a verifiable statement VC for the user side based on the DID, the user side encrypts the VC in a layered mode through an encryption algorithm to provide selective disclosing service of the VC, the encrypted VC and a digital signature are stored on an identity chain, the user side applies service to a verifier, and the verifier decrypts the VC and provides service for the user side after verification is passed. The application realizes the on-demand disclosure of the complete identity information and part of attribute information of the user, and simultaneously reduces the storage overhead of the verifiable statement of the user identity on the blockchain.

Inventors

  • WANG SHIYU
  • JIA LINPENG
  • LI ZHONGCHENG
  • ZHANG JUN
  • SUN YI

Assignees

  • 中国科学院计算技术研究所

Dates

Publication Date
20260508
Application Date
20241108

Claims (10)

  1. 1. A blockchain digital identity authentication method disclosed on demand is applied to a blockchain digital identity authentication network, wherein the blockchain digital identity authentication network comprises a certification party, a user terminal, a verifier and a DID user agent, and is characterized in that the blockchain digital identity authentication network also comprises an identity chain; The method comprises the following steps: The distributed digital identity registration step comprises the steps that the user side sends a DID registration instruction to the DID user agent, the DID user agent generates a DID for the user side, and based on the DID, the certification party generates a verifiable statement VC for the user side; The step of storing the verifiable statement encryption, which is to encrypt the VC in layers by the user side by adopting an encryption algorithm, provide selective disclosure service for the VC, and store the encrypted VC and digital signature on the identity chain; And a step of verifying the verifiable statement, in which the user terminal applies for service to the verifier, and the verifier decrypts the VC and provides service for the user terminal after verification.
  2. 2. The on-demand disclosed blockchain digital identity authentication method of claim 1, wherein the verifiable claim encryption storing step further comprises: And the user side sets an attribute structure, formulates an access strategy of the verifier, adopts a CP-ABE algorithm and a symmetric encryption SM4 algorithm to conduct layered encryption on the VC, realizes selective disclosure service of the VC, and sends encrypted information to a blockchain network for storage.
  3. 3. The on-demand disclosed blockchain digital identity authentication method of claim 1, wherein the verifiable claim verification step further comprises: After receiving the VC verification request, the verifier conforming to the access strategy inquires ciphertext of the VC on an identity chain to decrypt, inquires a corresponding DID document on the identity chain according to DID of a issuer in the VC to obtain a public key, compares the public key with a signature, and provides service after proving that the issuer issues the VC.
  4. 4. The on-demand blockchain digital identity authentication method of claim 2, wherein the selective exposure service further comprises: The user side generates a random character string for each user identity attribute as a salt value to be added into the VC, adds the salt value and the required identity attribute to be covered according to a preset selective disclosure strategy to output a hash value, generates a digital signature of an issue date and an authority, and adds the digital signature into the VC; and encrypting the VC by using a symmetric encryption algorithm, storing the encrypted ciphertext on the identity chain, and encrypting a symmetric encrypted master key MK by using a CP-ABE algorithm.
  5. 5. The on-demand blockchain digital identity authentication method of claim 4, wherein decrypting the ciphertext further comprises: The verifier conforming to the access strategy can decrypt and obtain the symmetrically encrypted master key MK, and further obtain the verifiable statement plaintext through MK decryption.
  6. 6. An on-demand blockchain digital identity authentication system, which adopts the on-demand blockchain digital identity authentication method according to any one of claims 1-5, is applied to a blockchain digital identity authentication network, wherein the blockchain digital identity authentication network comprises a prover, a user side, a verifier and a DID user agent, and is characterized in that the blockchain digital identity authentication network also comprises an identity chain; The system comprises: The role authority control module is used for defining various entities in the blockchain digital identity authentication network and the operation authorities of the entities; The distributed digital identity management module is used for creating, disabling and inquiring a DID identifier, defining a data structure of the DID identifier, and writing the generated DID identifier, a public key, whether the DID identifier is disabled, the creation time and the version number on the identity chain; The distributed digital identity document management module is used for creating, updating and inquiring the DID document and defining the data structure of the DID document; The verifiable statement management module is used for creating a template CT of the VC, creating the VC according to the CT and verifying the VC; the user side applies VC to the issuer, the issuer checks the identity legitimacy of the user side, selects a correct VC template CT, decides whether to selectively disclose the VC according to the user requirement, and issues the VC to the user after signing; the encryption service management module is used for providing services for encrypting, decrypting and storing the VC of the user on a chain and realizing an identity verification mechanism disclosed according to requirements; And the authentication contract management module is used for deploying and loading authentication contracts and providing various authentication modes for various entities in a service fusion scene.
  7. 7. The on-demand disclosed blockchain digital identity authentication system of claim 6, wherein the verifiable claim management module further comprises: the VC creation module applies for creating the VC to the verifiable statement management module, the VC management module checks whether each field in the VC accords with the data specification of the CT and whether an authority of issuing the VC is possessed by the authority, after checking, a random character string is generated for each attribute and is added into the VC as a salt value, and the issuing date and the digital signature of the authority also need to be added into the VC; And the VC verification module is used for enabling the verifier conforming to the access strategy to inquire ciphertext of the VC on an identity chain for decryption after receiving the VC verification request, checking whether the VC conforms to the data specification of a template CT corresponding to the VC, inquiring a corresponding DID document on the identity chain according to the DID of a certification party in the VC to obtain a public key, comparing the public key with a signature, and providing service for the verifier after proving that the certification party issued the VC.
  8. 8. The on-demand disclosed blockchain digital identity authentication system of claim 7, wherein the cryptographic service management module further comprises: The identity verification module disclosed according to the requirement comprises the steps of encrypting the VC by using a symmetric encryption algorithm, storing the encrypted ciphertext on the identity chain, and encrypting a symmetric encrypted master key MK by using a CP-ABE algorithm.
  9. 9. A client, which is an electronic device comprising a memory, a processor and a computer program stored on the memory and executable on the processor, wherein the processor, when executing the program, implements the steps of the blockchain digital identity authentication method as disclosed on demand as claimed in any one of claims 1 to 5.
  10. 10. A blockchain digital identity authentication network comprising a prover, a user side, a verifier and a DID user agent, the blockchain digital identity authentication network employing the blockchain digital identity authentication method as disclosed in any one of claims 1 to 5, wherein the blockchain digital identity authentication network further comprises an identity chain, a verifiable statement VC of the user side is stored on the identity chain, and all the verifiable statements VC are taken from the identity chain by the verifier.

Description

Block chain digital identity authentication method and system based on disclosure Technical Field The application relates to the field of distributed digital identity authentication, in particular to a blockchain digital identity authentication method and a blockchain digital identity authentication system disclosed according to requirements. Background In recent years, in order to solve the problem of unified digital identity authentication among multiple fields, distributed digital identities (Decentralized Identity, DID) using blockchain technology are becoming a new exploration direction in the digital identity industry. The distributed digital identity (Decentralized Identifier, DID) is one of the digital identities, with global uniqueness, high availability, resolvable and cryptographically verifiable, is a de-centralized identity that is fully owned and controlled by the user himself. The current mainstream distributed digital identity scheme is the W3C DID specification proposed by the web consortium, including the DID identifier of the base layer, DI document, and verifiable declarations (Verifiable Credential, VC) of the application layer. The DID identifier is a format-specific globally unique string that represents the digital identity of an entity. Each DID identity corresponds to a DID document of JSON string. The DID document contains public keys, asymmetric encryption authentication methods, authorization information, service endpoints, and information about the document itself. Verifiable claims are the value of the whole scheme, which is a descriptive credential that one DID endorses certain properties of another DID and attaches its own digital signature, and is a core component for verifying the identity of a user. In the authentication process of the W3C DID specification, there are the following disadvantages: The W3C DID does not specify details of the storage of the verifiable claims, which the user can store in a storage area controlled by himself or a trusted third party. For privacy, the verifiable statement is usually stored in the clear on the client under the chain, and the digest after hash encryption is stored on the chain, so that the credential verifier can verify the integrity of the VC conveniently. The existing DID project follows the W3C DID specification, storing only hash digests of verifiable claims on the blockchain, and the user needs to save the verifiable claims himself. It is common practice to host through clients under chains, which makes users strongly dependent on the clients. And the plaintext information of the user identity is recorded on the verifiable statement, and once the client information is revealed or lost, the user is at risk of privacy disclosure. Therefore, reducing the coupling degree of the user authentication process and the client, storing the verifiable statement on the chain becomes a crucial task. What is needed is a blockchain digital identity authentication method and system that can be disclosed as needed to reduce the coupling degree between the user authentication process and the client, and store the verifiable statement on the blockchain. Disclosure of Invention In order to solve the problem that the prior distributed digital identity authentication scheme cannot ensure that the privacy of a user is not affected when the information of a client is revealed or lost, the invention provides a blockchain digital identity authentication system which is disclosed according to the requirement, and the design and realization requirements of the distributed digital identity system are met. In a first aspect, an embodiment of the present application provides a blockchain digital identity authentication method that is disclosed as needed, where the method is applied to a blockchain digital identity authentication network, where the blockchain digital identity authentication network includes a issuer, a user side, a verifier, a DID user agent, and where the blockchain digital identity authentication network further includes an identity chain; The method comprises the following steps: The distributed digital identity registration step comprises the steps that a user sends a DID registration instruction to a DID user agent, the DID user agent generates a DID for the user, and a certification party generates a verifiable statement VC for the user based on the DID; the user end adopts encryption algorithm to encrypt the VC in layers, provides selective disclosure service of the VC, and stores the encrypted VC and digital signature on an identity chain; and the step of verification statement verification, in which the user applies for service to the verifier, and the verifier decrypts the VC and provides service for the user after verification. As an optional implementation manner, in the first aspect of the present invention, the step of storing the verifiable statement encryption further includes: The user end sets an attribute structure, estab