Nothing Special   »   [go: up one dir, main page]

CN113312597A - Digital identity verification method, device, system, equipment and storage medium - Google Patents

Digital identity verification method, device, system, equipment and storage medium Download PDF

Info

Publication number
CN113312597A
CN113312597A CN202110860623.6A CN202110860623A CN113312597A CN 113312597 A CN113312597 A CN 113312597A CN 202110860623 A CN202110860623 A CN 202110860623A CN 113312597 A CN113312597 A CN 113312597A
Authority
CN
China
Prior art keywords
identity
verifier
information
hash value
verification
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN202110860623.6A
Other languages
Chinese (zh)
Inventor
庞新宇
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Beijing Microchip Sensing Technology Co ltd
Original Assignee
Beijing Microchip Sensing Technology Co ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Beijing Microchip Sensing Technology Co ltd filed Critical Beijing Microchip Sensing Technology Co ltd
Priority to CN202110860623.6A priority Critical patent/CN113312597A/en
Publication of CN113312597A publication Critical patent/CN113312597A/en
Pending legal-status Critical Current

Links

Images

Classifications

    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/30Authentication, i.e. establishing the identity or authorisation of security principals
    • G06F21/31User authentication
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06QINFORMATION AND COMMUNICATION TECHNOLOGY [ICT] SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES; SYSTEMS OR METHODS SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES, NOT OTHERWISE PROVIDED FOR
    • G06Q20/00Payment architectures, schemes or protocols
    • G06Q20/38Payment protocols; Details thereof
    • G06Q20/382Payment protocols; Details thereof insuring higher security of transaction
    • G06Q20/3825Use of electronic signatures
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06QINFORMATION AND COMMUNICATION TECHNOLOGY [ICT] SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES; SYSTEMS OR METHODS SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES, NOT OTHERWISE PROVIDED FOR
    • G06Q20/00Payment architectures, schemes or protocols
    • G06Q20/38Payment protocols; Details thereof
    • G06Q20/382Payment protocols; Details thereof insuring higher security of transaction
    • G06Q20/3829Payment protocols; Details thereof insuring higher security of transaction involving key management
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06QINFORMATION AND COMMUNICATION TECHNOLOGY [ICT] SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES; SYSTEMS OR METHODS SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES, NOT OTHERWISE PROVIDED FOR
    • G06Q20/00Payment architectures, schemes or protocols
    • G06Q20/38Payment protocols; Details thereof
    • G06Q20/40Authorisation, e.g. identification of payer or payee, verification of customer or shop credentials; Review and approval of payers, e.g. check credit lines or negative lists
    • G06Q20/401Transaction verification

Landscapes

  • Engineering & Computer Science (AREA)
  • Business, Economics & Management (AREA)
  • Accounting & Taxation (AREA)
  • Computer Security & Cryptography (AREA)
  • Theoretical Computer Science (AREA)
  • General Physics & Mathematics (AREA)
  • Physics & Mathematics (AREA)
  • Finance (AREA)
  • Strategic Management (AREA)
  • General Business, Economics & Management (AREA)
  • General Engineering & Computer Science (AREA)
  • Software Systems (AREA)
  • Computer Hardware Design (AREA)
  • Storage Device Security (AREA)

Abstract

The application provides a digital identity verification method, a device, a system, an electronic device and a storage medium, wherein the method comprises the following steps: receiving information to be verified sent by a verifier; the information to be verified comprises first identity certificate information obtained by the verifier from a received query request initiated by the verifier, and a first hash value of the verifier on the first identity certificate information; acquiring second identity credential information matched with the first identity credential information from a Trusted Execution Environment (TEE); and performing identity authentication on the party to be authenticated according to the first hash value of the first identity certificate information and the second identity certificate information. The method and the device have the advantages that the trusted execution environment TEE is used for storing the digital identity information, the digital identity contract module is used for carrying out authority verification on a verifier, and the information to be verified is verified after the verification is passed, so that the verification function of the identity information is provided, and the safety of storing the digital identity certificate information is improved.

Description

Digital identity verification method, device, system, equipment and storage medium
Technical Field
The present application relates to the field of computer technologies, and in particular, to a method, an apparatus, a system, a device, and a storage medium for digital identity authentication.
Background
Digital identity authentication has become a common scene in the modern information society, is applied to various scenes such as identity management, asset management, digital transaction and the like, and if digital identity information is leaked due to improper storage, great loss can be caused.
Disclosure of Invention
The present application is directed to solving, at least to some extent, one of the technical problems in the related art.
Therefore, a first objective of the present application is to provide a digital identity authentication method to improve the security of storing the digital identity credential information.
A second object of the present application is to provide a digital identity verification device.
A third object of the present application is to provide a digital identity verification system.
A fourth object of the present application is to provide an electronic device.
A fifth object of the present application is to propose a non-transitory computer readable storage medium.
To achieve the above object, an embodiment of a first aspect of the present application provides a digital identity verification method, where the method is applied to a digital identity contract module on a blockchain, and the method includes:
receiving information to be verified sent by a verifier; the information to be verified comprises first identity certificate information obtained by the verifier from a received query request initiated by the verifier, and a first hash value of the verifier on the first identity certificate information;
acquiring second identity credential information matched with the first identity credential information from a Trusted Execution Environment (TEE);
and performing identity authentication on the party to be authenticated according to the first hash value of the first identity certificate information and the second identity certificate information.
In some embodiments of the present application, the information to be verified further includes a signature of the verifier on the signature information; the method further comprises the following steps:
according to the signature information and the signature, performing authority verification on the verifier;
and after the authority of the verifier passes the verification, executing the step of acquiring second identity credential information matched with the first identity credential information from a Trusted Execution Environment (TEE).
In some embodiments of the present application, the performing, according to the signature information and the signature, the authority verification on the verifier includes:
calculating the public key of the verifier according to the signature information and the signature;
and performing authority verification on the verifier according to the reference public key of the verifier and the public key of the verifier, which are stored in the digital identity contract module.
In some embodiments of the present application, the performing, according to the reference public key of the verifier and the public key of the verifier stored in the digital identity contract module, right verification on the verifier includes:
and when the reference public key of the verifier stored in the digital identity contract module is consistent with the public key of the verifier, determining that the authority of the verifier passes verification.
In some embodiments of the present application, the second identity credential information comprises at least a second hash value; the performing identity authentication on the party to be authenticated according to the first hash value of the first identity credential information and the second identity credential information includes:
comparing the first hash value with the second hash value;
and determining an identity verification result of the party to be verified according to the comparison result, and sending the identity verification result to the verifying party.
In some embodiments of the present application, the second identity credential information comprises at least identity credential plaintext; the performing identity authentication on the party to be authenticated according to the first hash value of the first identity credential information and the second identity credential information includes:
carrying out hash operation on the identity certificate plaintext to obtain a corresponding second hash value;
comparing the first hash value with the second hash value;
and determining an identity verification result of the party to be verified according to the comparison result, and sending the identity verification result to the verifying party.
In order to achieve the above object, a second aspect of the present application provides a digital identity verification apparatus, which is applied to a digital identity contract module on a blockchain, and includes:
the receiving module is used for receiving the information to be verified sent by the verifier; the information to be verified comprises first identity certificate information obtained by the verifier from a received query request initiated by the verifier, and a first hash value of the verifier on the first identity certificate information;
the obtaining module is used for obtaining second identity certificate information matched with the first identity certificate information from a Trusted Execution Environment (TEE);
and the verification module is used for verifying the identity of the party to be verified according to the first hash value of the first identity certificate information and the second identity certificate information.
To achieve the above object, a third aspect of the present application provides a digital identity verification system, including:
the verification party is used for receiving an inquiry request initiated by a party to be verified, acquiring first identity certificate information from the inquiry request, and performing hash operation on the first identity certificate information to obtain a first hash value;
the digital identity contract module is used for receiving the information to be verified sent by the verifier; the information to be verified comprises first identity certificate information obtained by the verifier from a received query request initiated by the verifier, and a first hash value of the verifier on the first identity certificate information;
the TEE system is used for receiving the first identity certificate information sent by the digital identity contract module, inquiring according to the first identity certificate information to obtain second identity certificate information matched with the first identity certificate information, and returning the second identity certificate information to the digital identity contract module;
and the digital identity contract module is further used for performing identity authentication on the party to be authenticated according to the first hash value of the first identity certificate information and the second identity certificate information.
In some embodiments of the present application, the information to be verified further includes a signature of the verifier on the signature information; the digital identity contract module is further configured to:
according to the signature information and the signature, performing authority verification on the verifier;
and after the authority of the verifier passes verification, acquiring second identity certificate information matched with the first identity certificate information from a Trusted Execution Environment (TEE).
In some embodiments of the present application, the digital identity contract module is specifically configured to:
calculating the public key of the verifier according to the signature information and the signature;
and performing authority verification on the verifier according to the reference public key of the verifier and the public key of the verifier, which are stored in the digital identity contract module.
In some embodiments of the present application, the digital identity contract module is specifically configured to:
and when the reference public key of the verifier stored in the digital identity contract module is consistent with the public key of the verifier, determining that the authority of the verifier passes verification.
In some embodiments of the present application, the second identity credential information comprises at least a second hash value; the digital identity contract module is specifically configured to:
comparing the first hash value with the second hash value;
and determining an identity verification result of the party to be verified according to the comparison result, and sending the identity verification result to the verifying party.
In some embodiments of the present application, the second identity credential information comprises at least identity credential plaintext; the digital identity contract module is specifically configured to:
carrying out hash operation on the identity certificate plaintext to obtain a corresponding second hash value;
comparing the first hash value with the second hash value;
and determining an identity verification result of the party to be verified according to the comparison result, and sending the identity verification result to the verifying party.
To achieve the above object, a fourth aspect of the present application provides an electronic device, including:
at least one processor; and
a memory communicatively coupled to the at least one processor; wherein,
the memory stores instructions executable by the at least one processor to enable the at least one processor to perform the digital authentication method as described in the embodiments of the first aspect of the present application.
To achieve the above object, a fifth aspect of the present application provides a non-transitory computer-readable storage medium storing computer instructions for causing a computer to execute the digital identity authentication method according to the first aspect of the present application.
According to the technical scheme of the embodiment of the application, the digital identity voucher information is stored through the trusted execution environment TEE, and the safety risk caused by the fact that the digital identity voucher is stored in a non-safety environment is solved. The method comprises the steps that information to be verified is sent to a digital identity contract module through a verifier, the digital identity contract module verifies the authority of the verifier, an inquiry request is sent to a trusted execution environment TEE after verification is passed, second identity credential information corresponding to first identity credential information is inquired in the trusted execution environment TEE, the second identity credential information is returned to the digital identity contract module, the first identity credential information sent by the verifier is compared with the second identity credential information sent by the TEE through the digital identity contract module, and a verification result is sent to the verifier. Therefore, the TEE does not allow any user to directly read the data stored in the TEE, the verifying party is verified through the digital identity contract, the data stored in the TEE is sent to the verifying party only after the verification is passed, the operating right of the data is guaranteed to be mastered on the digital identity contract, and therefore the safety risk that the digital identity voucher is violently cracked due to improper storage and leakage can be solved.
Additional aspects and advantages of the present application will be set forth in part in the description which follows and, in part, will be obvious from the description, or may be learned by practice of the present application.
Drawings
The foregoing and/or additional aspects and advantages of the present application will become apparent and readily appreciated from the following description of the embodiments, taken in conjunction with the accompanying drawings of which:
fig. 1 is a schematic flowchart of a digital identity verification method according to an embodiment of the present disclosure;
fig. 2 is a schematic flowchart illustrating a process of performing authority verification on a verifier according to an embodiment of the present application;
fig. 3 is a schematic structural diagram of a digital identity authentication apparatus according to an embodiment of the present application;
fig. 4 is a schematic structural diagram of a digital identity verification system according to an embodiment of the present application;
fig. 5 is an interaction diagram of a digital identity authentication system according to an embodiment of the present application;
fig. 6 is a block diagram of an electronic device for implementing a digital identity authentication method according to an embodiment of the present application.
Detailed Description
Reference will now be made in detail to embodiments of the present application, examples of which are illustrated in the accompanying drawings, wherein like or similar reference numerals refer to the same or similar elements or elements having the same or similar function throughout. The embodiments described below with reference to the drawings are exemplary and intended to be used for explaining the present application and should not be construed as limiting the present application.
Aiming at the problem of storage safety of digital identity card information, the disclosure provides a digital identity verification method, which can solve the safety risk caused by the storage of the digital identity information in a non-safety environment. It should be noted that, the digital identity authentication process includes: the system comprises four main bodies of a to-be-verified party, a verifying party, a digital identity contract module and a TEE (Trusted Execution Environment). Wherein, the function of the trusted execution environment TEE is designed as an information entry method and an information authentication method, the registration authentication authority is in the information entry method to the trusted execution environment TEE, the submitted information includes but is not limited to: request parameters such as information type, information attribution digital identity (identity) id, information hash value, registration certification authority signature and the like; in the information authentication method of the trusted execution environment TEE by the trusted authentication authority, the submitted information includes but is not limited to: request parameters such as information attribution digital identity id, information category, trusted certification authority and the like. Because the trusted execution environment TEE does not allow any user to directly read the data stored in the TEE, the related data can be acquired only by possessing a specific key or being authorized, and the digital identity information is stored in the trusted execution environment TEE, thereby ensuring the safety of the digital identity information.
A digital authentication method, apparatus, system, electronic device, and storage medium according to embodiments of the present application are described below with reference to the accompanying drawings.
Fig. 1 is a schematic flow chart of a digital identity verification method according to an embodiment of the present application, where the digital identity verification method is applied to a digital identity contract module in a block chain. As shown in fig. 1, the digital identity authentication method includes the following steps:
step 101, receiving information to be verified sent by a verifier; the information to be verified comprises first identity certificate information obtained by a verifier from a received query request initiated by the verifier, and a first hash value of the verifier on the first identity certificate information.
It should be noted that, when the party to be authenticated needs to authenticate the identity information, an inquiry request is sent to the authenticator. And after receiving the query request sent by the party to be verified, the verifying party acquires the first identity certificate information in the query request. The first identity credential information may include first identity credential plaintext. The verifier performs hash calculation on the plaintext of the first identity certificate to obtain a first hash value, and sends information to be verified, including the information of the first identity certificate and the first hash value, to the digital identity contract module. It should be noted that the verifier may perform Hash calculation on the plaintext of the first identity credential through SHA-3(Secure Hash Algorithm 3, third generation Secure Hash Algorithm), and may also perform Hash calculation on the plaintext of the first identity credential through other algorithms, which is not specifically limited in this application.
Optionally, in some embodiments of the present application, the to-be-verified information sent by the digital contract module by the verifier may further include information such as an address of the to-be-verified party, a category of the identity credential, and the like, so as to locate the address of the to-be-verified party and determine the category of the digital identity credential.
And 102, acquiring second identity certificate information matched with the first identity certificate information from the trusted execution environment TEE.
It should be noted that, after the digital identity contract module determines that the authority of the verifier passes the verification, the digital identity contract sends the first identity credential information to the trusted execution environment TEE, and the trusted execution environment TEE queries, through the first identity credential information, the second identity credential information matched with the first identity credential information. In some embodiments of the present application, the digital identity contract module may verify whether the verifier has the right to authenticate the identity of the party to be authenticated by verifying the public key of the verifier. Specific implementation can be seen in the following examples.
As an example, the digital identity contract module may match the identity credential type of the first identity credential information to the corresponding internal application of the trusted execution environment TEE, send the first identity credential information to the trusted execution environment TEE through the TEE interface, and the trusted execution environment TEE returns the second identity credential information matched with the first identity credential information to the digital identity contract module.
And 103, performing identity authentication on the party to be authenticated according to the first hash value of the first identity certificate information and the second identity certificate information.
It should be noted that, in some embodiments of the present application, the second identity credential information at least includes a second hash value, that is, the trusted execution environment TEE stores the hash value, and the trusted execution environment TEE returns the queried second hash value to the digital identity contract module. And the second hash value is obtained by carrying out hash calculation on the identity certificate plaintext. And after the verifying party is confirmed to pass the authority verification, the digital identity contract module sends the first identity certificate information to the trusted execution environment TEE, the trusted execution environment TEE inquires a matched second hash value according to the first identity certificate information, and the trusted execution environment TEE returns the inquired second hash value to the digital identity contract module. And the digital identity contract module compares the first hash value with the second hash value, determines an identity verification result of the party to be verified according to the comparison result, and sends the identity verification result to the verifying party. That is to say, if the first hash value is consistent with the second hash value, that is, the information to be authenticated sent by the party to be authenticated is consistent with the identity information stored in the trusted execution environment TEE, it can be determined that the identity authentication of the party to be authenticated succeeds, and the digital identity module sends the authentication result that is successfully authenticated to the party to be authenticated.
It should be further noted that, in some embodiments of the present application, the second identity credential information at least includes identity credential plaintext, that is, identity credential plaintext is stored in the trusted execution environment TEE, and the trusted execution environment TEE returns the queried identity credential plaintext to the digital identity contract module. And after the verifying party is confirmed to pass the authority verification, the digital identity contract module sends the first identity certificate information to the trusted execution environment TEE, the trusted execution environment TEE inquires the matched identity certificate plaintext according to the first identity certificate information, and the trusted execution environment TEE returns the inquired identity certificate plaintext to the digital identity contract module. The digital identity contract module performs hash calculation on the identity certificate plaintext to obtain a corresponding second hash value, wherein the digital identity contract module can perform hash calculation on the identity certificate plaintext through SHA-3 and can also perform hash calculation on the first identity certificate plaintext through other algorithms, which is not specifically limited in the present application. And comparing the first hash value with the second hash value, determining an identity verification result of the party to be verified according to the comparison result, and sending the identity verification result to the verifying party. That is to say, if the first hash value is consistent with the second hash value, that is, the information to be authenticated sent by the party to be authenticated is consistent with the identity information stored in the trusted execution environment TEE, it can be determined that the identity authentication of the party to be authenticated succeeds, and the digital identity module sends the authentication result that is successfully authenticated to the party to be authenticated. The verification party processes the identity verification result and sends the processing result to the party to be verified.
According to the digital identity authentication method, the trusted execution environment TEE is used for storing the digital identity certificate information, so that the safety risk caused by the fact that the digital identity certificate is stored in a non-safety environment is solved. The method comprises the steps that information to be verified is sent to a digital identity contract module through a verifier, the digital identity contract module verifies the authority of the verifier, an inquiry request is sent to a trusted execution environment TEE after verification is passed, second identity credential information corresponding to first identity credential information is inquired in the trusted execution environment TEE, the second identity credential information is returned to the digital identity contract module, the first identity credential information sent by the verifier is compared with the second identity credential information sent by the TEE through the digital identity contract module, and a verification result is sent to the verifier. Therefore, the TEE does not allow any user to directly read the data stored in the TEE, the verifying party is verified through the digital identity contract, the data stored in the TEE is sent to the verifying party only after the verification is passed, the operating right of the data is guaranteed to be mastered on the digital identity contract, and therefore the safety risk that the digital identity voucher is violently cracked due to improper storage and leakage can be solved.
It should be noted that the digital identity contract module also needs to authenticate the authority of the verifier, so the verification information may also include the signature of the verifier on the signature information. In some embodiments of the present application, the authority of the verifier may be verified according to the signature information and the signature, and after the verification is passed and it is determined that the verifier has authority to verify the identity information, the step of obtaining the second identity credential information matching the first identity credential information from the trusted execution environment TEE is performed.
In some embodiments of the present application, the digital identity contract module may verify whether the verifier has the right to authenticate the identity of the party to be authenticated by verifying the public key of the verifier. As an example, as shown in fig. 2, fig. 2 is a schematic flow chart illustrating a process of performing rights verification on a verifier by using signature information and a public key of the verifier.
And step 201, calculating the public key of the verifier according to the signature information and the signature.
Optionally, the verifier sends information to be verified including a signature of the verifier for the signature information to the digital identity contract module, and the digital identity contract module calculates a public key of the verifier according to the signature information and the signature.
Step 202, when the reference public key of the verifier stored in the digital identity contract module is consistent with the public key of the verifier, determining that the authority of the verifier passes verification.
It should be noted that when the digital identity contract module registers the verifier, the reference public key of the verifier is recorded and stored in the digital identity contract module. If the calculated public key of the verifier is consistent with the reference public key of the verifier stored in the digital identity contract module, the verifier is determined to pass the authority verification, namely the verifier has the authority to perform identity verification on the verifier, and the step of acquiring second identity certificate information matched with the first identity certificate information from the trusted execution environment TEE can be executed.
The signature information may include, but is not limited to: the address of the verifier, the address of the party to be verified, the identity certificate type, the certificate information contained in the certificate, the certificate verification time and other information. As an example, the verifier performs hash calculation on the signature information, and after obtaining the hash value of the signature information, the verifier performs signature on the hash value of the signature information using a private key of the verifier. In addition, the verifier may also perform hash calculation on the signature information using other algorithms, which is not specifically limited in this application.
Fig. 3 is a schematic structural diagram of a digital identity authentication device according to an embodiment of the present application. It should be noted that the digital identity authentication apparatus of the embodiment of the present application can be applied to a digital identity contract module on a block chain. As shown in fig. 3, the digital authentication apparatus includes: a receiving module 301, an obtaining module 302 and a verifying module 303.
Specifically, the receiving module 301 is configured to receive information to be verified sent by a verifier; the information to be verified comprises first identity certificate information obtained by a verifier from a received query request initiated by the verifier, and a first hash value of the verifier on the first identity certificate information.
An obtaining module 302, configured to obtain, from the trusted execution environment TEE, second identity credential information that matches the first identity credential information.
The verification module 303 is configured to perform identity verification on the party to be verified according to the first hash value of the first identity credential information and the second identity credential information.
With regard to the digital authentication apparatus in the above embodiments, the specific manner in which each module performs operations has been described in detail in the embodiments related to the digital authentication method, and will not be described in detail here.
According to the digital identity authentication device, the receiving module is used for receiving information to be authenticated sent by an authenticator; the information to be verified comprises first identity certificate information obtained by a verifier from a received query request initiated by the verifier, and a first hash value of the verifier on the first identity certificate information; the obtaining module is used for obtaining second identity certificate information matched with the first identity certificate information from a Trusted Execution Environment (TEE); the verification module is used for performing identity verification on the party to be verified according to the first hash value of the first identity certificate information and the second identity certificate information. The digital identity authentication device provided by the application not only provides an authentication function for identity information, but also improves the safety of storing digital identity certificate information.
Fig. 4 is a schematic structural diagram of a digital identity verification system according to an embodiment of the present application. Fig. 5 is an interaction diagram of a digital identity authentication system according to an embodiment of the present application. As shown in fig. 4, the digital authentication system includes: authenticator 401, digital identity contract module 402, and TEE system 403.
Specifically, the to-be-verified party initiates an inquiry request to the verifier (S501), and the verifier 401 is configured to receive the inquiry request initiated by the to-be-verified party, obtain the first identity credential information from the inquiry request, perform hash operation on the first identity credential information to obtain a first hash value (S502), and send the to-be-verified information to the digital identity contract module (S503).
A digital identity contract module 402, configured to receive information to be verified sent by a verifier (S504); the information to be verified comprises first identity certificate information obtained by a verifier from a received query request initiated by the verifier, and a first hash value of the verifier on the first identity certificate information.
Optionally, in some embodiments of the present application, the information to be verified further includes a signature of the verifier on the signature information. A digital identity contract module further configured to: performing authority verification on the verifier according to the signature information and the signature (S505); after the authority of the verifier passes the verification, the digital identity contract sends the first identity credential information to the trusted execution environment TEE (S506), and obtains second identity credential information matched with the first identity credential information from the trusted execution environment TEE.
Optionally, the digital identity contract module 402 may verify whether the verifier has the right to authenticate the verifier by verifying the public key of the verifier. In some embodiments of the present application, digital identity contract module 402 may be configured to: calculating a public key of the verifier according to the signature information and the signature; and performing authority verification on the verifier according to the reference public key of the verifier and the public key of the verifier, which are stored in the digital identity contract module.
Optionally, in some embodiments of the present application, the digital identity contract module 402 may be configured to: and when the reference public key of the verifier and the public key of the verifier stored in the digital identity contract module are consistent, determining that the authority of the verifier passes verification.
The TEE system 403 is configured to receive the first identity credential information sent by the digital identity contract module, perform query according to the first identity credential information to obtain second identity credential information matched with the first identity credential information (S507), and return the second identity credential information to the digital identity contract module (S508).
Optionally, in some embodiments of the present application, the digital identity contract module 402 is further configured to authenticate (S509) the party to be authenticated according to the first hash value of the first identity credential information and the second identity credential information, and send the authentication result to the authenticator (S510).
Optionally, in some embodiments of the present application, the second identity credential information includes at least a second hash value; the digital identity contract module is specifically configured to: comparing the first hash value with the second hash value; and determining the identity verification result of the party to be verified according to the comparison result, and sending the identity verification result to the verifying party.
Optionally, in some embodiments of the present application, the second identity credential information includes at least identity credential plaintext; the digital identity contract module is specifically configured to: carrying out hash operation on the identity certificate plaintext to obtain a corresponding second hash value; comparing the first hash value with the second hash value; and determining the identity verification result of the party to be verified according to the comparison result, and sending the identity verification result to the verifying party.
Optionally, in some embodiments of the present application, after the verifying party 401 receives the authentication result sent by the digital identity contract module, the verifying party 401 is further configured to: the authentication result is processed (S511), and the processed result is transmitted to the party to be authenticated (S512).
With regard to the digital authentication system in the above-described embodiment, the specific manner in which each part performs the operation has been described in detail in the embodiment related to the digital authentication method, and will not be described in detail here.
According to the digital identity authentication system, the trusted execution environment TEE is used for storing the digital identity certificate information, and the safety of storing the digital identity certificate information is improved. The method comprises the steps that a verifier sends information to be verified to a digital identity contract module, the trusted execution environment TEE does not allow any user to directly read data stored in the TEE, the digital identity contract module verifies the authority of the verifier according to signature information and a signature sent by the verifier, and only if the verifier is verified to have the verification authority, the digital identity contract module can send a query request to the trusted execution environment TEE and query second identity credential information corresponding to first identity credential information in the trusted execution environment TEE. And the digital identity contract module compares the first identity certificate information in the information to be verified sent by the verifier with the second identity certificate information sent by the TEE and sends the verification result to the verifier. The digital identity authentication method provided by the application not only provides an authentication function for identity information, but also improves the safety of storing the digital identity certificate information and keeps the privacy data of the user more safely.
In order to implement the above embodiments, the present application further provides an electronic device.
Fig. 6 is a block diagram of an electronic device according to an embodiment of the present disclosure. As shown in fig. 6, the electronic device 600 may include a memory 601, a processor 602, and a computer program 603 stored in the memory 601 and running on the processor 602, and when the processor 602 executes the computer program 603, the digital authentication method according to any of the above embodiments of the present application is executed.
To achieve the above embodiments, the present application also proposes a non-transitory computer-readable storage medium storing computer instructions that, when executed by a processor, enable the processor to perform the digital authentication method of any of the above embodiments of the present application.
In the description herein, reference to the description of the term "one embodiment," "some embodiments," "an example," "a specific example," or "some examples," etc., means that a particular feature, structure, material, or characteristic described in connection with the embodiment or example is included in at least one embodiment or example of the application. In this specification, the schematic representations of the terms used above are not necessarily intended to refer to the same embodiment or example. Furthermore, the particular features, structures, materials, or characteristics described may be combined in any suitable manner in any one or more embodiments or examples. Furthermore, various embodiments or examples and features of different embodiments or examples described in this specification can be combined and combined by one skilled in the art without contradiction.
Furthermore, the terms "first", "second" and "first" are used for descriptive purposes only and are not to be construed as indicating or implying relative importance or implicitly indicating the number of technical features indicated. Thus, a feature defined as "first" or "second" may explicitly or implicitly include at least one such feature. In the description of the present application, "plurality" means at least two, e.g., two, three, etc., unless specifically limited otherwise.
Any process or method descriptions in flow charts or otherwise described herein may be understood as representing modules, segments, or portions of code which include one or more executable instructions for implementing steps of a custom logic function or process, and alternate implementations are included within the scope of the preferred embodiment of the present application in which functions may be executed out of order from that shown or discussed, including substantially concurrently or in reverse order, depending on the functionality involved, as would be understood by those reasonably skilled in the art of the present application.
The logic and/or steps represented in the flowcharts or otherwise described herein, e.g., an ordered listing of executable instructions that can be considered to implement logical functions, can be embodied in any computer-readable medium for use by or in connection with an instruction execution system, apparatus, or device, such as a computer-based system, processor-containing system, or other system that can fetch the instructions from the instruction execution system, apparatus, or device and execute the instructions. For the purposes of this description, a "computer-readable medium" can be any means that can contain, store, communicate, propagate, or transport the program for use by or in connection with the instruction execution system, apparatus, or device. More specific examples (a non-exhaustive list) of the computer-readable medium would include the following: an electrical connection (electronic device) having one or more wires, a portable computer diskette (magnetic device), a Random Access Memory (RAM), a read-only memory (ROM), an erasable programmable read-only memory (EPROM or flash memory), an optical fiber device, and a portable compact disc read-only memory (CDROM). Additionally, the computer-readable medium could even be paper or another suitable medium upon which the program is printed, as the program can be electronically captured, via for instance optical scanning of the paper or other medium, then compiled, interpreted or otherwise processed in a suitable manner if necessary, and then stored in a computer memory.
It should be understood that portions of the present application may be implemented in hardware, software, firmware, or a combination thereof. In the above embodiments, the various steps or methods may be implemented in software or firmware stored in memory and executed by a suitable instruction execution system. If implemented in hardware, as in another embodiment, any one or combination of the following techniques, which are known in the art, may be used: a discrete logic circuit having a logic gate circuit for implementing a logic function on a data signal, an application specific integrated circuit having an appropriate combinational logic gate circuit, a Programmable Gate Array (PGA), a Field Programmable Gate Array (FPGA), or the like.
It will be understood by those skilled in the art that all or part of the steps carried by the method for implementing the above embodiments may be implemented by hardware related to instructions of a program, which may be stored in a computer readable storage medium, and when the program is executed, the program includes one or a combination of the steps of the method embodiments.
In addition, functional units in the embodiments of the present application may be integrated into one processing module, or each unit may exist alone physically, or two or more units are integrated into one module. The integrated module can be realized in a hardware mode, and can also be realized in a software functional module mode. The integrated module, if implemented in the form of a software functional module and sold or used as a stand-alone product, may also be stored in a computer readable storage medium.
The storage medium mentioned above may be a read-only memory, a magnetic or optical disk, etc. Although embodiments of the present application have been shown and described above, it is understood that the above embodiments are exemplary and should not be construed as limiting the present application, and that variations, modifications, substitutions and alterations may be made to the above embodiments by those of ordinary skill in the art within the scope of the present application.

Claims (15)

1. A digital identity verification method applied to a digital identity contract module on a blockchain, the method comprising:
receiving information to be verified sent by a verifier; the information to be verified comprises first identity certificate information obtained by the verifier from a received query request initiated by the verifier, and a first hash value of the verifier on the first identity certificate information;
acquiring second identity credential information matched with the first identity credential information from a Trusted Execution Environment (TEE);
and performing identity authentication on the party to be authenticated according to the first hash value of the first identity certificate information and the second identity certificate information.
2. The method of claim 1, wherein the information to be verified further comprises a signature of the verifier on the signature information; the method further comprises the following steps:
according to the signature information and the signature, performing authority verification on the verifier;
and after the authority of the verifier passes the verification, executing the step of acquiring second identity credential information matched with the first identity credential information from a Trusted Execution Environment (TEE).
3. The method of claim 2, wherein the performing the authority verification on the verifier according to the signature information and the signature comprises:
calculating the public key of the verifier according to the signature information and the signature;
and performing authority verification on the verifier according to the reference public key of the verifier and the public key of the verifier, which are stored in the digital identity contract module.
4. The method according to claim 3, wherein said performing the right verification on the verifier according to the reference public key of the verifier and the public key of the verifier stored in the digital identity contract module comprises:
and when the reference public key of the verifier stored in the digital identity contract module is consistent with the public key of the verifier, determining that the authority of the verifier passes verification.
5. The method of claim 1, wherein the second identity credential information comprises at least a second hash value; the performing identity authentication on the party to be authenticated according to the first hash value of the first identity credential information and the second identity credential information includes:
comparing the first hash value with the second hash value;
and determining an identity verification result of the party to be verified according to the comparison result, and sending the identity verification result to the verifying party.
6. The method of claim 1, wherein the second identity credential information comprises at least identity credential plaintext; the performing identity authentication on the party to be authenticated according to the first hash value of the first identity credential information and the second identity credential information includes:
carrying out hash operation on the identity certificate plaintext to obtain a corresponding second hash value;
comparing the first hash value with the second hash value;
and determining an identity verification result of the party to be verified according to the comparison result, and sending the identity verification result to the verifying party.
7. A digital identity verification apparatus, wherein the apparatus is applied to a digital identity contract module on a blockchain, the apparatus comprising:
the receiving module is used for receiving the information to be verified sent by the verifier; the information to be verified comprises first identity certificate information obtained by the verifier from a received query request initiated by the verifier, and a first hash value of the verifier on the first identity certificate information;
the obtaining module is used for obtaining second identity certificate information matched with the first identity certificate information from a Trusted Execution Environment (TEE);
and the verification module is used for verifying the identity of the party to be verified according to the first hash value of the first identity certificate information and the second identity certificate information.
8. A digital identity verification system, comprising:
the verification party is used for receiving an inquiry request initiated by a party to be verified, acquiring first identity certificate information from the inquiry request, and performing hash operation on the first identity certificate information to obtain a first hash value;
the digital identity contract module is used for receiving the information to be verified sent by the verifier; the information to be verified comprises first identity certificate information obtained by the verifier from a received query request initiated by the verifier, and a first hash value of the verifier on the first identity certificate information;
the TEE system is used for receiving the first identity certificate information sent by the digital identity contract module, inquiring according to the first identity certificate information to obtain second identity certificate information matched with the first identity certificate information, and returning the second identity certificate information to the digital identity contract module;
and the digital identity contract module is further used for performing identity authentication on the party to be authenticated according to the first hash value of the first identity certificate information and the second identity certificate information.
9. The system of claim 8, wherein the information to be verified further comprises a signature of the verifier on the signature information; the digital identity contract module is further configured to:
according to the signature information and the signature, performing authority verification on the verifier;
and after the authority of the verifier passes verification, acquiring second identity certificate information matched with the first identity certificate information from a Trusted Execution Environment (TEE).
10. The system of claim 9, wherein the digital identity contract module is specifically configured to:
calculating the public key of the verifier according to the signature information and the signature;
and performing authority verification on the verifier according to the reference public key of the verifier and the public key of the verifier, which are stored in the digital identity contract module.
11. The system of claim 10, wherein the digital identity contract module is specifically configured to:
and when the reference public key of the verifier stored in the digital identity contract module is consistent with the public key of the verifier, determining that the authority of the verifier passes verification.
12. The system of claim 8, wherein the second identity credential information comprises at least a second hash value; the digital identity contract module is specifically configured to:
comparing the first hash value with the second hash value;
and determining an identity verification result of the party to be verified according to the comparison result, and sending the identity verification result to the verifying party.
13. The system according to claim 8, wherein the second identity credential information comprises at least identity credential plaintext; the digital identity contract module is specifically configured to:
carrying out hash operation on the identity certificate plaintext to obtain a corresponding second hash value;
comparing the first hash value with the second hash value;
and determining an identity verification result of the party to be verified according to the comparison result, and sending the identity verification result to the verifying party.
14. An electronic device, comprising:
at least one processor; and
a memory communicatively coupled to the at least one processor; wherein,
the memory stores instructions executable by the at least one processor to enable the at least one processor to perform the digital identity verification method of any one of claims 1 to 6.
15. A non-transitory computer readable storage medium storing computer instructions for causing a computer to perform the digital authentication method according to any one of claims 1 to 6.
CN202110860623.6A 2021-07-29 2021-07-29 Digital identity verification method, device, system, equipment and storage medium Pending CN113312597A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202110860623.6A CN113312597A (en) 2021-07-29 2021-07-29 Digital identity verification method, device, system, equipment and storage medium

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202110860623.6A CN113312597A (en) 2021-07-29 2021-07-29 Digital identity verification method, device, system, equipment and storage medium

Publications (1)

Publication Number Publication Date
CN113312597A true CN113312597A (en) 2021-08-27

Family

ID=77381936

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202110860623.6A Pending CN113312597A (en) 2021-07-29 2021-07-29 Digital identity verification method, device, system, equipment and storage medium

Country Status (1)

Country Link
CN (1) CN113312597A (en)

Cited By (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN113472544A (en) * 2021-08-31 2021-10-01 北京微芯感知科技有限公司 Digital identity verification method and device, computer equipment and storage medium
CN113722690A (en) * 2021-09-08 2021-11-30 北京华鼎博视数据信息技术有限公司 Data transmitting method, data receiving device, certificate recording method and certificate recording device
CN114266662A (en) * 2021-12-30 2022-04-01 广发证券股份有限公司 Decentralized digital identity management method and device based on block chain
CN118656814A (en) * 2024-08-19 2024-09-17 支付宝(杭州)信息技术有限公司 Digital driving security verification method and device, storage medium and electronic equipment

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN105429760A (en) * 2015-12-01 2016-03-23 神州融安科技(北京)有限公司 Method and system for identity verification of digital certificate based on TEE (Trusted Execution Environment)
CN110990827A (en) * 2019-10-28 2020-04-10 上海隔镜信息科技有限公司 Identity information verification method, server and storage medium
US20200287901A1 (en) * 2018-08-21 2020-09-10 HYPR Corp. Out-of-band authentication based on secure channel to trusted execution environment on client device
CN112307455A (en) * 2020-12-28 2021-02-02 支付宝(杭州)信息技术有限公司 Identity authentication method and device based on block chain and electronic equipment

Patent Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN105429760A (en) * 2015-12-01 2016-03-23 神州融安科技(北京)有限公司 Method and system for identity verification of digital certificate based on TEE (Trusted Execution Environment)
US20200287901A1 (en) * 2018-08-21 2020-09-10 HYPR Corp. Out-of-band authentication based on secure channel to trusted execution environment on client device
CN110990827A (en) * 2019-10-28 2020-04-10 上海隔镜信息科技有限公司 Identity information verification method, server and storage medium
CN112307455A (en) * 2020-12-28 2021-02-02 支付宝(杭州)信息技术有限公司 Identity authentication method and device based on block chain and electronic equipment

Cited By (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN113472544A (en) * 2021-08-31 2021-10-01 北京微芯感知科技有限公司 Digital identity verification method and device, computer equipment and storage medium
CN113722690A (en) * 2021-09-08 2021-11-30 北京华鼎博视数据信息技术有限公司 Data transmitting method, data receiving device, certificate recording method and certificate recording device
CN113722690B (en) * 2021-09-08 2023-11-10 北京华鼎博视数据信息技术有限公司 Data transmitting and receiving and certificate recording method and device
CN114266662A (en) * 2021-12-30 2022-04-01 广发证券股份有限公司 Decentralized digital identity management method and device based on block chain
CN118656814A (en) * 2024-08-19 2024-09-17 支付宝(杭州)信息技术有限公司 Digital driving security verification method and device, storage medium and electronic equipment

Similar Documents

Publication Publication Date Title
CN113312597A (en) Digital identity verification method, device, system, equipment and storage medium
KR102193644B1 (en) Facility verification method and device
JP4774235B2 (en) Certificate revocation list distribution management method
US20190253260A1 (en) Electronic certification system
US9276752B2 (en) System and method for secure software update
CN106161350B (en) Method and device for managing application identifier
CN114008968B (en) System, method, and storage medium for license authorization in a computing environment
US12008145B2 (en) Method and server for certifying an electronic document
EP1622301A2 (en) Methods and system for providing a public key fingerprint list in a PK system
US20230071022A1 (en) Zero-knowledge proof-based certificate service method using blockchain network, certification support server using same, and user terminal using same
CN112437068B (en) Authentication and key agreement method, device and system
CN106209730B (en) Method and device for managing application identifier
CN110611647A (en) Node joining method and device on block chain system
CN108540447B (en) Block chain-based certificate verification method and system
CN115514492A (en) BIOS firmware verification method, device, server, storage medium and program product
CN112702315B (en) Cross-domain device access control method, device, computer device and storage medium
CN116541872B (en) Data information safety transmission method and system
CN117692185A (en) Electronic seal using method and device, electronic equipment and storage medium
CN116707758A (en) Authentication method, equipment and server of trusted computing equipment
CN116707983A (en) Authorization authentication method and device, access authentication method and device, equipment and medium
CN106454826A (en) Method and apparatus of AP to access AC
CN113472544B (en) Digital identity verification method and device, computer equipment and storage medium
CN116522356A (en) Data query method and device
CN113343204B (en) Digital identity management system and method based on block chain
JP5872588B2 (en) Trace device and trace method

Legal Events

Date Code Title Description
PB01 Publication
PB01 Publication
SE01 Entry into force of request for substantive examination
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication

Application publication date: 20210827

RJ01 Rejection of invention patent application after publication