CN118869177A - Digital identity management method, system, electronic equipment and computer readable storage medium based on blockchain - Google Patents
- Publication number: CN118869177A (application CN202410821153.6A)
- Authority: CN (China)
- Prior art keywords: identity, digital identity, target user, verification, digital
- Legal status: Pending (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Abstract
The application provides a digital identity management method, a digital identity management system, electronic equipment and a computer readable storage medium based on a blockchain, wherein the method comprises the following steps: performing at least one of a digital identity querying step, a digital identity verifying step and a digital identity revocation step in a blockchain network; and, while those steps execute, generating audit log entries in real time for each key event, encrypting them and storing them in the blockchain, so that authorized users who request audit log access can trace back and check the entries. The application can ensure the authenticity of the user's digital identity information while protecting the user's privacy, and at the same time makes the digital identity authentication process trackable and auditable, thereby effectively improving the convenience and transparency of digital identity management.
Description
Technical Field
The present application relates to the field of data processing technologies, and in particular, to a blockchain-based digital identity management method, a blockchain-based digital identity management system, an electronic device, and a computer readable storage medium.
Background
Digital identity management plays an important role in business scenarios such as the power sector. With the digitization of such scenarios there is a pressing practical need for electronic licences, and digitization together with the development of internet technology has made licence management and identity authentication in the power business increasingly important. Industries such as electricity require efficient authentication mechanisms to ensure that the identities of practitioners, enterprises and users are reliable, secure and trusted.
However, the conventional digital identity management method carries the risks of single-point failure and data leakage, so the security of user identity information cannot be ensured. Centralized management also easily produces an "information island" effect: identity information cannot be effectively shared between organizations, so users must repeatedly submit the same information for identity authentication. Furthermore, even where an existing digital identity management mode can ensure user privacy, it is difficult on that basis to ensure the transparency of the management flow, so the digital identity authentication process is hard to trace and digital identity management easily becomes confused.
Based on this, there is a need to design a digital identity management method that can protect the privacy of a user and ensure the authenticity of identity information, and at the same time can track the digital identity authentication process.
Disclosure of Invention
In view of the above, embodiments of the present application provide a blockchain-based digital identity management method, system, electronic device, and computer-readable storage medium that obviate or mitigate one or more disadvantages in the prior art.
One aspect of the present application provides a blockchain-based digital identity management method, comprising:
performing a preset digital identity management step in a blockchain network, the digital identity management step comprising: at least one of a digital identity registration step, a digital identity inquiry step, a digital identity verification step, and a digital identity revocation step;
And generating an audit log entry in real time, according to preset key event types, for each key event in the digital identity management step while that step is executed, encrypting the audit log entry and storing it in the blockchain, so that it can be returned, through a preset log access interface and access rules, to an authorized user who requests audit log access.
In some embodiments of the present application, the digital identity registration step is implemented based on a CP-ABE encryption scheme, an IPFS system and an AES encryption scheme, the digital identity inquiry step is implemented based on a zero knowledge proof scheme, and the digital identity verification step is implemented based on a plurality of distributed verification nodes in the blockchain network.
In some embodiments of the present application, if the current digital identity management step is the digital identity registration step, the performing a preset digital identity management step in a blockchain network includes:
Receiving a digital identity registration request sent by a target user in a blockchain network, wherein the digital identity registration request comprises: the identity information of the target user and a plurality of verification nodes in the blockchain network specified by the target user;
Performing CP-ABE encryption on the identity information of the target user to obtain the corresponding identity information hash value, and storing that hash value in an IPFS system to obtain the IPFS address, generated and returned by the IPFS system, that uniquely corresponds to the encrypted data;
Performing AES encryption on the IPFS address to obtain an encrypted IPFS address;
Generating a unique identity of the target user based on the identity information of the target user, the verification node addresses corresponding to the verification nodes specified by the target user, and the encrypted IPFS address;
Storing, in the blockchain, the unique identity of the target user, the identity information hash value, the verification node addresses corresponding to the verification nodes specified by the target user, the encrypted IPFS address and preset supplementary information as the identity credential of the target user; the identity credential also comprises its current verification state and its expiry time.
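The registration step above, as an added worked example in Go (this is not code from the patent, and it also covers the identical registration unit of the system aspect further down). It builds the identity credential described in the last step, with the IPFS system replaced by an in-memory content-addressed map and, because CP-ABE has no implementation in the Go standard library, AES-GCM standing in for the attribute-based encryption of the identity information. The text is ambiguous about whether the hash or the ciphertext is what IPFS holds; here the ciphertext is stored and its SHA-256 is the on-chain identity information hash value, which lets the read path detect a tampered IPFS object. Key handling, the field names, the `Resolve` read path and the sample identity string are this example's assumptions.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"strings"
	"time"
)

// IdentityCredential is the on-chain record the registration step produces.
type IdentityCredential struct {
	UniqueID     string
	IdentityHash string   // hex SHA-256 of the encrypted identity blob held in IPFS
	NodeAddrs    []string // verification nodes designated by the user
	EncIPFSAddr  []byte   // AES-GCM output: nonce || ciphertext || tag
	State        string   // "verified" or "revoked"
	ExpiresAt    time.Time
}

func gcm(key []byte) cipher.AEAD {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err) // a bad key length is a programming error, not runtime input
	}
	g, _ := cipher.NewGCM(block) // cannot fail for an AES block cipher
	return g
}

// aesGCMSeal encrypts with a fresh random nonce prepended to the output.
func aesGCMSeal(key, plaintext []byte) []byte {
	g := gcm(key)
	nonce := make([]byte, g.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		panic(err)
	}
	return g.Seal(nonce, nonce, plaintext, nil)
}

// aesGCMOpen reverses aesGCMSeal; any modification fails authentication.
func aesGCMOpen(key, sealed []byte) ([]byte, error) {
	g := gcm(key)
	if len(sealed) < g.NonceSize() {
		return nil, errors.New("sealed data too short")
	}
	return g.Open(nil, sealed[:g.NonceSize()], sealed[g.NonceSize():], nil)
}

// fakeIPFS stands in for the IPFS system: storage addressed by the SHA-256 of the content.
type fakeIPFS map[string][]byte

func (s fakeIPFS) Add(data []byte) string {
	sum := sha256.Sum256(data)
	addr := "ipfs://" + hex.EncodeToString(sum[:])
	s[addr] = append([]byte(nil), data...)
	return addr
}

// Register runs the registration step. AES-GCM under dataKey stands in for
// CP-ABE (an assumption of this example); addrKey encrypts the IPFS address.
func Register(store fakeIPFS, dataKey, addrKey []byte, identityInfo string, nodeAddrs []string, ttl time.Duration) (IdentityCredential, error) {
	if len(nodeAddrs) == 0 {
		return IdentityCredential{}, errors.New("at least one verification node must be designated")
	}
	encIdentity := aesGCMSeal(dataKey, []byte(identityInfo))
	blobHash := sha256.Sum256(encIdentity)
	encAddr := aesGCMSeal(addrKey, []byte(store.Add(encIdentity)))
	// The unique identity binds the three inputs the text lists.
	uid := sha256.Sum256([]byte(identityInfo + "|" + strings.Join(nodeAddrs, ",") + "|" + hex.EncodeToString(encAddr)))
	return IdentityCredential{
		UniqueID: hex.EncodeToString(uid[:]), IdentityHash: hex.EncodeToString(blobHash[:]),
		NodeAddrs: nodeAddrs, EncIPFSAddr: encAddr, State: "verified", ExpiresAt: time.Now().Add(ttl),
	}, nil
}

// Resolve is the read path: enforce state and expiry, decrypt the IPFS address,
// fetch the blob, check it against the on-chain hash, then decrypt it.
func Resolve(store fakeIPFS, dataKey, addrKey []byte, cred IdentityCredential, now time.Time) (string, error) {
	if cred.State != "verified" || now.After(cred.ExpiresAt) {
		return "", errors.New("credential not usable: state " + cred.State + " or expired")
	}
	addr, err := aesGCMOpen(addrKey, cred.EncIPFSAddr)
	if err != nil {
		return "", err
	}
	blob, ok := store[string(addr)]
	if sum := sha256.Sum256(blob); !ok || hex.EncodeToString(sum[:]) != cred.IdentityHash {
		return "", errors.New("IPFS object missing or does not match on-chain hash")
	}
	plain, err := aesGCMOpen(dataKey, blob)
	return string(plain), err
}

func main() {
	store, dataKey, addrKey := fakeIPFS{}, make([]byte, 32), make([]byte, 32)
	rand.Read(dataKey)
	rand.Read(addrKey)
	cred, _ := Register(store, dataKey, addrKey, "name=Zhang;licence=PE-0001", []string{"node-a", "node-b"}, time.Hour)
	fmt.Println(Resolve(store, dataKey, addrKey, cred, time.Now()))
}
```

`Resolve` is where the two checks a practitioner wants live: the credential's state and expiry are enforced before anything is decrypted, and the fetched object is compared with the on-chain hash before the data key touches it. AES-GCM with random 96-bit nonces should not seal more than about 2^32 messages under one key, so a deployment needs per-user or rotated keys rather than the single `addrKey` shown here.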
In some embodiments of the present application, if the current digital identity management step is the digital identity inquiry step, the performing a preset digital identity management step in a blockchain network includes:
receiving a digital identity inquiry request sent by a target user in a blockchain network, wherein the digital identity inquiry request comprises the following components: the unique identity of the target user and the zero knowledge proof generated by the target user aiming at the identity information of the target user in advance;
Verifying the zero knowledge proof; if the verification passes, invoking a smart contract, based on the unique identity of the target user, to query the blockchain for the identity credential corresponding to the target user;
And sending the identity credential to the target user.
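The inquiry step above, as an added example in Go (not the patent's code; it also covers the identical inquiry unit of the system aspect further down). The text does not say which zero knowledge proof scheme is used, so this example uses a non-interactive Schnorr proof of knowledge over the 2048-bit MODP group of RFC 3526: the user's witness x is derived from the identity information and a user-held salt, and the public value y = g^x is assumed to have been registered with the credential (for instance as supplementary information). The Fiat-Shamir challenge is bound to the unique identity and to a verifier-supplied nonce; the nonce is not in the text and is added because without it a captured proof could be replayed. Map-based registries and the sample strings are constructed for the example.

```go
package main

import (
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
	"math/big"
	"strings"
)

// RFC 3526 2048-bit MODP group: p is a safe prime, q = (p-1)/2, g = 2 has order q.
var (
	groupP = mustHex(`
FFFFFFFF FFFFFFFF C90FDAA2 2168C234 C4C6628B 80DC1CD1 29024E08 8A67CC74
020BBEA6 3B139B22 514A0879 8E3404DD EF9519B3 CD3A431B 302B0A6D F25F1437
4FE1356D 6D51C245 E485B576 625E7EC6 F44C42E9 A637ED6B 0BFF5CB6 F406B7ED
EE386BFB 5A899FA5 AE9F2411 7C4B1FE6 49286651 ECE45B3D C2007CB8 A163BF05
98DA4836 1C55D39A 69163FA8 FD24CF5F 83655D23 DCA3AD96 1C62F356 208552BB
9ED52907 7096966D 670C354E 4ABC9804 F1746C08 CA18217C 32905E46 2E36CE3B
E39E772C 180E8603 9B2783A2 EC07A28F B5C55DF0 6F4C52C9 DE2BCBF6 95581718
3995497C EA956AE5 15D22618 98FA0510 15728E5A 8AACAA68 FFFFFFFF FFFFFFFF`)
	groupQ = new(big.Int).Rsh(new(big.Int).Sub(groupP, big.NewInt(1)), 1)
	groupG = big.NewInt(2)
)

func mustHex(s string) *big.Int {
	n, ok := new(big.Int).SetString(strings.Join(strings.Fields(s), ""), 16)
	if !ok {
		panic("bad group constant")
	}
	return n
}

// Proof is a non-interactive (Fiat-Shamir) Schnorr proof of knowledge of x with y = g^x.
type Proof struct{ T, S *big.Int }

// SecretFromIdentity derives the user's witness from the identity information and a
// user-held salt, so the proof is about that information without revealing it.
func SecretFromIdentity(identityInfo string, salt []byte) *big.Int {
	h := sha256.Sum256(append([]byte(identityInfo+"|"), salt...))
	return new(big.Int).Mod(new(big.Int).SetBytes(h[:]), groupQ)
}

// PublicCommitment is y = g^x, assumed to be registered with the credential.
func PublicCommitment(x *big.Int) *big.Int { return new(big.Int).Exp(groupG, x, groupP) }

// challenge hashes the public values together with the unique identity and a
// verifier nonce, so a proof is tied to one identity and one request.
func challenge(y, t *big.Int, uniqueID string, nonce []byte) *big.Int {
	h := sha256.Sum256([]byte(fmt.Sprintf("%x|%x|%x|%q|%x", groupG, y, t, uniqueID, nonce)))
	return new(big.Int).SetBytes(h[:]) // 256 bits, already below q
}

func Prove(x *big.Int, uniqueID string, nonce []byte) (Proof, error) {
	r, err := rand.Int(rand.Reader, groupQ)
	if err != nil {
		return Proof{}, err
	}
	t := new(big.Int).Exp(groupG, r, groupP)
	c := challenge(PublicCommitment(x), t, uniqueID, nonce)
	s := new(big.Int).Mul(c, x)
	s.Add(s, r).Mod(s, groupQ)
	return Proof{T: t, S: s}, nil
}

// VerifyProof checks g^s == t * y^c (mod p) after range and subgroup checks on the proof.
func VerifyProof(y *big.Int, uniqueID string, nonce []byte, p Proof) bool {
	if p.T == nil || p.S == nil || p.T.Sign() <= 0 || p.T.Cmp(groupP) >= 0 || p.S.Sign() < 0 || p.S.Cmp(groupQ) >= 0 {
		return false
	}
	if new(big.Int).Exp(p.T, groupQ, groupP).Cmp(big.NewInt(1)) != 0 {
		return false // t is not in the order-q subgroup
	}
	c := challenge(y, p.T, uniqueID, nonce)
	lhs := new(big.Int).Exp(groupG, p.S, groupP)
	rhs := new(big.Int).Exp(y, c, groupP)
	rhs.Mul(rhs, p.T).Mod(rhs, groupP)
	return lhs.Cmp(rhs) == 0
}

// Query is the inquiry step: the credential is returned only when the proof
// bound to the unique identity verifies against the registered commitment.
func Query(commitments map[string]*big.Int, creds map[string]string, uniqueID string, nonce []byte, p Proof) (string, error) {
	y, ok := commitments[uniqueID]
	if !ok {
		return "", errors.New("unknown identity")
	}
	if !VerifyProof(y, uniqueID, nonce, p) {
		return "", errors.New("zero knowledge proof rejected")
	}
	return creds[uniqueID], nil
}

func main() {
	x := SecretFromIdentity("name=Zhang;licence=PE-0001", []byte("user-held-salt"))
	pr, _ := Prove(x, "uid-1", []byte("server-nonce"))
	fmt.Println(Query(map[string]*big.Int{"uid-1": PublicCommitment(x)}, map[string]string{"uid-1": "credential-1"}, "uid-1", []byte("server-nonce"), pr))
}
```

`VerifyProof` also insists that `T` lies in the order-q subgroup and that `S` is below q. Skipping the first lets an attacker feed group elements outside the intended subgroup, and skipping the second makes the proof malleable, since `S` and `S + q` verify identically.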
In some embodiments of the present application, if the current digital identity management step is the digital identity verification step, the performing a preset digital identity management step in a blockchain network includes:
Receiving a digital authentication request for the target user in a blockchain network, wherein the digital authentication request includes: the unique identity of the target user and the identity information signature value of the target user;
searching verification node addresses corresponding to a plurality of verification nodes pre-designated by the target user according to the unique identity of the target user;
Based on each verification node address, forwarding the digital identity verification request for the target user to each verification node pre-designated by the target user, so that each verification node invokes a smart contract according to the unique identity of the target user, verifies based on the identity information signature value of the target user and the identity credential of the target user pre-stored in the blockchain, and returns the verification result data it generates;
Receiving the verification result data sent back by each verification node;
Judging whether the number of verification result data items showing that verification passed meets a preset passing threshold; if so, determining that the target user passes the digital identity verification and returning a corresponding pass message to the sending end of the digital identity verification request.
In some embodiments of the present application, if the current digital identity management step is the digital identity revocation step, the performing a preset digital identity management step in a blockchain network includes:
Receiving a digital identity revocation request issued by the target user in a blockchain network, wherein the digital identity revocation request comprises: the identity information signature value of the target user;
And invoking a smart contract to verify based on the identity information signature value of the target user and the identity credential of the target user pre-stored in the blockchain, and if the verification passes, modifying the verification state in the identity credential of the target user from data representing that verification passed to data representing that the identity is revoked.
In some embodiments of the present application, if the current digital identity management step is the digital identity revocation step, the performing a preset digital identity management step in a blockchain network includes:
Receiving a digital identity revocation request from a target verification node in a blockchain network, wherein the request comprises a signature value of the identity information hash value; the signature value is obtained in advance by the target verification node signing the identity information hash value of the target user with the target verification node's private key;
Verifying the signature value with the public key of the target verification node, which confirms that it was produced with that node's private key;
If that verification passes, invoking a smart contract to check whether the target verification node is among the verification nodes specified in the identity credential of the target user pre-stored in the blockchain;
If the target verification node is among the verification nodes specified by the target user, modifying the verification state in the identity credential of the target user from data representing that verification passed to data representing that the identity is revoked.
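The verification step and the two revocation embodiments above, as one added example in Go (not code from the patent; it also covers the verification unit and both revocation units of the system aspect further down). Ed25519 signatures stand in for the identity information signature value, the user's public key is assumed to be part of the stored identity credential because the text does not say what the nodes verify the signature against, and the smart contract state is an in-memory ledger. Fan-out to the designated nodes is simulated in-process, with a set of non-responding nodes to show how the pass threshold behaves. One deliberate addition beyond the text: the signed message carries a purpose prefix, because the text has the user sign the same identity information for both verification and self-revocation, so a captured verification signature would otherwise double as a revocation request. Node and user names are constructed sample data.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"time"
)

// Credential is the part of the on-chain identity credential these steps use.
// UserPub is an assumption: nodes must check the user's signature against something.
type Credential struct {
	UniqueID     string
	IdentityHash []byte
	UserPub      ed25519.PublicKey
	NodeAddrs    []string // verification nodes designated at registration
	State        string   // "verified" or "revoked"
	ExpiresAt    time.Time
}

// Ledger plays the smart contract state; Down lists nodes that return no result.
type Ledger struct {
	Creds    map[string]*Credential
	NodeKeys map[string]ed25519.PublicKey
	Down     map[string]bool
}

// signedMessage gives each request type its own domain, so a captured
// authentication signature cannot be replayed as a revocation (this example's addition).
func signedMessage(purpose string, c *Credential) []byte {
	sum := sha256.Sum256(append([]byte(purpose+"|"+c.UniqueID+"|"), c.IdentityHash...))
	return sum[:]
}

// verifyAtNode is the check each designated verification node performs.
func (l *Ledger) verifyAtNode(node string, c *Credential, sig []byte, now time.Time) bool {
	if l.Down[node] || c.State != "verified" || now.After(c.ExpiresAt) {
		return false
	}
	return ed25519.Verify(c.UserPub, signedMessage("auth", c), sig)
}

// Authenticate fans the request out to every designated node and passes only
// when at least threshold of them report success.
func (l *Ledger) Authenticate(uniqueID string, sig []byte, threshold int, now time.Time) (bool, int, error) {
	c, ok := l.Creds[uniqueID]
	if !ok {
		return false, 0, errors.New("unknown identity")
	}
	if threshold < 1 || threshold > len(c.NodeAddrs) {
		return false, 0, errors.New("threshold must lie between 1 and the number of designated nodes")
	}
	passed := 0
	for _, node := range c.NodeAddrs {
		if l.verifyAtNode(node, c, sig, now) {
			passed++
		}
	}
	return passed >= threshold, passed, nil
}

// RevokeByUser: the user signs the revocation message with their own key.
func (l *Ledger) RevokeByUser(uniqueID string, sig []byte) error {
	c, ok := l.Creds[uniqueID]
	if !ok || !ed25519.Verify(c.UserPub, signedMessage("revoke", c), sig) {
		return errors.New("unknown identity or user signature rejected")
	}
	c.State = "revoked"
	return nil
}

// RevokeByNode: a node signs with its own key; the contract checks the signature
// first and then that the node is one the user designated.
func (l *Ledger) RevokeByNode(uniqueID, node string, sig []byte) error {
	c, ok := l.Creds[uniqueID]
	pub, known := l.NodeKeys[node]
	if !ok || !known || !ed25519.Verify(pub, signedMessage("node-revoke", c), sig) {
		return errors.New("unknown identity or node signature rejected")
	}
	for _, a := range c.NodeAddrs {
		if a == node {
			c.State = "revoked"
			return nil
		}
	}
	return errors.New("node was not designated by the user")
}

// Setup builds constructed sample data: one user and four nodes, of which
// node-x is known to the ledger but was not designated by the user.
func Setup() (*Ledger, ed25519.PrivateKey, map[string]ed25519.PrivateKey) {
	l := &Ledger{Creds: map[string]*Credential{}, NodeKeys: map[string]ed25519.PublicKey{}, Down: map[string]bool{}}
	nodePriv := map[string]ed25519.PrivateKey{}
	for _, n := range []string{"node-a", "node-b", "node-c", "node-x"} {
		l.NodeKeys[n], nodePriv[n], _ = ed25519.GenerateKey(rand.Reader)
	}
	userPub, userPriv, _ := ed25519.GenerateKey(rand.Reader)
	h := sha256.Sum256([]byte("name=Zhang;licence=PE-0001"))
	l.Creds["uid-1"] = &Credential{UniqueID: "uid-1", IdentityHash: h[:], UserPub: userPub,
		NodeAddrs: []string{"node-a", "node-b", "node-c"}, State: "verified", ExpiresAt: time.Now().Add(time.Hour)}
	return l, userPriv, nodePriv
}
```

The threshold is bounded by the number of designated nodes: a threshold above that can never be met, and a threshold of 1 over a single node reintroduces the single point of failure the background section argues against. With three nodes and a threshold of 2 the scheme tolerates one unresponsive or compromised node, which is the property the text's "preset passing threshold" buys.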
In some embodiments of the application, the audit log entry stores the correspondence between the timestamp, key event type, hash digest of the identity information and operator identification of the key event.
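The audit log entry described above, as an added example in Go (not the patent's code; it also covers the identical statement in the system aspect further down). Each entry holds the timestamp, key event type, identity-information digest and operator that the text lists, and is additionally chained to the previous entry's hash so that a modified or removed entry is detectable when the log is read back. The preset key event type names, the access rule format (requester to permitted event types) and the field names are this example's assumptions. Entries are kept in plaintext here; the encryption before storage that the text calls for is a separate AEAD layer over the serialized entry and is not shown.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"time"
)

// AuditEntry holds the correspondence the text lists plus two chain fields,
// so each entry commits to the hash of the one before it.
type AuditEntry struct {
	Timestamp      int64
	EventType      string // one of keyEvents
	IdentityDigest string // hex SHA-256 of the identity information, never the information itself
	Operator       string
	PrevHash       string
	Hash           string
}

func (e AuditEntry) compute() string {
	sum := sha256.Sum256([]byte(fmt.Sprintf("%d|%s|%s|%s|%s", e.Timestamp, e.EventType, e.IdentityDigest, e.Operator, e.PrevHash)))
	return hex.EncodeToString(sum[:])
}

// keyEvents is the preset key event type list (assumed names).
var keyEvents = map[string]bool{"register": true, "query": true, "verify": true, "revoke": true}

// AuditLog is the on-chain log. Access maps a requester to the event types it may
// read; "*" grants all. Entries are plaintext here (the text encrypts them before storage).
type AuditLog struct {
	Entries []AuditEntry
	Access  map[string][]string
}

// Append records a key event; other event types are rejected.
func (l *AuditLog) Append(now time.Time, event, identityDigest, operator string) error {
	if !keyEvents[event] {
		return errors.New("not a preset key event type: " + event)
	}
	prev := ""
	if n := len(l.Entries); n > 0 {
		prev = l.Entries[n-1].Hash
	}
	e := AuditEntry{Timestamp: now.Unix(), EventType: event, IdentityDigest: identityDigest, Operator: operator, PrevHash: prev}
	e.Hash = e.compute()
	l.Entries = append(l.Entries, e)
	return nil
}

// VerifyChain returns the index of the first entry whose hash or back-link is
// wrong, or -1 when the chain is intact.
func (l *AuditLog) VerifyChain() int {
	prev := ""
	for i, e := range l.Entries {
		if e.PrevHash != prev || e.Hash != e.compute() {
			return i
		}
		prev = e.Hash
	}
	return -1
}

// Read applies the access rule: unknown requesters get nothing, known ones see
// only the event types granted to them.
func (l *AuditLog) Read(requester string) ([]AuditEntry, error) {
	allowed, ok := l.Access[requester]
	if !ok {
		return nil, errors.New("requester not authorized for audit log access")
	}
	permit := map[string]bool{}
	for _, ev := range allowed {
		permit[ev] = true
	}
	var out []AuditEntry
	for _, e := range l.Entries {
		if permit["*"] || permit[e.EventType] {
			out = append(out, e)
		}
	}
	return out, nil
}

// IdentityDigest is what the log records about an identity.
func IdentityDigest(identityInfo string) string {
	sum := sha256.Sum256([]byte(identityInfo))
	return hex.EncodeToString(sum[:])
}

func main() {
	al := &AuditLog{Access: map[string][]string{"auditor": {"*"}, "node-a": {"verify"}}}
	d := IdentityDigest("name=Zhang;licence=PE-0001")
	al.Append(time.Now(), "register", d, "registrar")
	al.Append(time.Now(), "verify", d, "node-a")
	entries, _ := al.Read("node-a")
	fmt.Println(len(entries), al.VerifyChain())
}
```

Recording the digest of the identity information rather than the information itself is what keeps the log consistent with the privacy goal: an auditor can correlate every event for one identity without learning it, and `Read` hides the event types a requester has no rule for. The chain only detects tampering; the ledger's own immutability is what prevents it.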
Another aspect of the present application provides a blockchain-based digital identity management system, comprising:
The digital identity management module is used for executing a preset digital identity management step in the blockchain network, and the digital identity management step comprises the following steps: at least one of a digital identity registration step, a digital identity inquiry step, a digital identity verification step, and a digital identity revocation step;
And the audit log recording and tracing module, used for generating an audit log entry in real time, according to preset key event types, for each key event in the digital identity management step while that step is executed, encrypting the audit log entry and storing it in the blockchain, so that it can be returned, through a preset log access interface and access rules, to an authorized user who requests audit log access.
In some embodiments of the present application, the digital identity registration step is implemented based on a CP-ABE encryption scheme, an IPFS system and an AES encryption scheme, the digital identity inquiry step is implemented based on a zero knowledge proof scheme, and the digital identity verification step is implemented based on a plurality of distributed verification nodes in the blockchain network.
In some embodiments of the present application, if the current digital identity management step is the digital identity registration step, the digital identity management module includes: a digital identity registration unit for performing the following:
Receiving a digital identity registration request sent by a target user in a blockchain network, wherein the digital identity registration request comprises: the identity information of the target user and a plurality of verification nodes in the blockchain network specified by the target user;
Performing CP-ABE encryption on the identity information of the target user to obtain the corresponding identity information hash value, and storing that hash value in an IPFS system to obtain the IPFS address, generated and returned by the IPFS system, that uniquely corresponds to the encrypted data;
Performing AES encryption on the IPFS address to obtain an encrypted IPFS address;
Generating a unique identity of the target user based on the identity information of the target user, the verification node addresses corresponding to the verification nodes specified by the target user, and the encrypted IPFS address;
Storing, in the blockchain, the unique identity of the target user, the identity information hash value, the verification node addresses corresponding to the verification nodes specified by the target user, the encrypted IPFS address and preset supplementary information as the identity credential of the target user; the identity credential also comprises its current verification state and its expiry time.
In some embodiments of the present application, if the current digital identity management step is the digital identity inquiry step, the digital identity management module includes: the digital identity inquiry unit is used for executing the following contents:
receiving a digital identity inquiry request sent by a target user in a blockchain network, wherein the digital identity inquiry request comprises the following components: the unique identity of the target user and the zero knowledge proof generated by the target user aiming at the identity information of the target user in advance;
Verifying the zero knowledge proof; if the verification passes, invoking a smart contract, based on the unique identity of the target user, to query the blockchain for the identity credential corresponding to the target user;
And sending the identity credential to the target user.
In some embodiments of the present application, if the current digital identity management step is the digital identity verification step, the digital identity management module includes: a digital authentication unit for performing the following:
Receiving a digital authentication request for the target user in a blockchain network, wherein the digital authentication request includes: the unique identity of the target user and the identity information signature value of the target user;
searching verification node addresses corresponding to a plurality of verification nodes pre-designated by the target user according to the unique identity of the target user;
Based on each verification node address, forwarding the digital identity verification request for the target user to each verification node pre-designated by the target user, so that each verification node invokes a smart contract according to the unique identity of the target user, verifies based on the identity information signature value of the target user and the identity credential of the target user pre-stored in the blockchain, and returns the verification result data it generates;
Receiving the verification result data sent back by each verification node;
Judging whether the number of verification result data items showing that verification passed meets a preset passing threshold; if so, determining that the target user passes the digital identity verification and returning a corresponding pass message to the sending end of the digital identity verification request.
In some embodiments of the present application, if the current digital identity management step is the digital identity revocation step, the digital identity management module includes: a first digital identity revocation unit for performing the following:
Receiving a digital identity revocation request issued by the target user in a blockchain network, wherein the digital identity revocation request comprises: the identity information signature value of the target user;
And invoking a smart contract to verify based on the identity information signature value of the target user and the identity credential of the target user pre-stored in the blockchain, and if the verification passes, modifying the verification state in the identity credential of the target user from data representing that verification passed to data representing that the identity is revoked.
In some embodiments of the present application, if the current digital identity management step is the digital identity revocation step, the digital identity management module includes: a second digital identity revocation unit for performing the following:
Receiving a digital identity revocation request from a target verification node in a blockchain network, wherein the request comprises a signature value of the identity information hash value; the signature value is obtained in advance by the target verification node signing the identity information hash value of the target user with the target verification node's private key;
Verifying the signature value with the public key of the target verification node, which confirms that it was produced with that node's private key;
If that verification passes, invoking a smart contract to check whether the target verification node is among the verification nodes specified in the identity credential of the target user pre-stored in the blockchain;
If the target verification node is among the verification nodes specified by the target user, modifying the verification state in the identity credential of the target user from data representing that verification passed to data representing that the identity is revoked.
In some embodiments of the application, the audit log entry stores the correspondence between the timestamp, key event type, hash digest of the identity information and operator identification of the key event.
A third aspect of the present application provides an electronic device comprising a memory, a processor and a computer program stored on the memory and executable on the processor, the processor implementing the blockchain-based digital identity management method when executing the computer program.
A fourth aspect of the present application provides a computer readable storage medium having stored thereon a computer program which when executed by a processor implements the blockchain-based digital identity management method.
A fifth aspect of the application provides a computer program product comprising a computer program which when executed by a processor implements the blockchain-based digital identity management method.
The application provides a blockchain-based digital identity management method that executes a preset digital identity management step in a blockchain network, the digital identity management step comprising at least one of a digital identity registration step, a digital identity inquiry step, a digital identity verification step and a digital identity revocation step; and, while that step executes, generates an audit log entry in real time, according to preset key event types, for each key event, encrypts the entry and stores it in the blockchain, so that it can be returned, through a preset log access interface and access rules, to an authorized user who requests audit log access. The application can ensure the authenticity of the user's digital identity information while protecting the user's privacy, and at the same time makes the digital identity authentication process trackable and auditable, thereby effectively improving the convenience and transparency of digital identity management.
Additional advantages, objects, and features of the application will be set forth in part in the description which follows and in part will become apparent to those having ordinary skill in the art upon examination of the following or may be learned from practice of the application. The objectives and other advantages of the application may be realized and attained by the structure particularly pointed out in the written description and drawings.
It will be appreciated by those skilled in the art that the objects and advantages that can be achieved with the present application are not limited to the above-described specific ones, and that the above and other objects that can be achieved with the present application will be more clearly understood from the following detailed description.
Drawings
The accompanying drawings, which are included to provide a further understanding of the application and are incorporated in and constitute a part of this specification, illustrate and together with the description serve to explain the application. The components in the figures are not necessarily to scale, emphasis instead being placed upon illustrating the principles of the application. Corresponding parts in the drawings may be exaggerated, i.e. made larger relative to other parts in an exemplary device actually manufactured according to the present application, for convenience in showing and describing some parts of the present application. In the drawings:
FIG. 1 is a flow chart of a blockchain-based digital identity management method according to an embodiment of the application.
FIG. 2 is a first flowchart illustrating a blockchain-based digital identity management method according to an embodiment of the present application.
FIG. 3 is a diagram illustrating the user digital identity credential information uplink according to one embodiment of the present application.
FIG. 4 is a second flowchart of step 100 of a blockchain-based digital identity management method according to an embodiment of the present application.
FIG. 5 is a third flowchart illustrating a step 100 of a blockchain-based digital identity management method according to an embodiment of the present application.
FIG. 6 is a fourth flowchart illustrating a step 100 of a blockchain-based digital identity management method according to an embodiment of the present application.
FIG. 7 is a fifth flowchart illustrating a step 100 of a blockchain-based digital identity management method according to an embodiment of the present application.
FIG. 8 is a schematic diagram illustrating functional blocks of a blockchain-based digital identity management system in accordance with an embodiment of the present application.
FIG. 9 is an exemplary schematic diagram of role interactions in blockchain-based digital identity management for the power business in an application example of the present application.
FIG. 10 is a flow chart of digital identity registration and authentication of a user in an application example of the application.
Detailed Description
The present application will be described in further detail with reference to the following embodiments and the accompanying drawings, in order to make the objects, technical solutions and advantages of the present application more apparent. The exemplary embodiments of the present application and the descriptions thereof are used herein to explain the present application, but are not intended to limit the application.
It should be noted here that, in order to avoid obscuring the present application due to unnecessary details, only structures and/or processing steps closely related to the solution according to the present application are shown in the drawings, while other details not greatly related to the present application are omitted.
It should be emphasized that the term "comprises/comprising" when used herein is taken to specify the presence of stated features, elements, steps or components, but does not preclude the presence or addition of one or more other features, elements, steps or components.
It is also noted herein that the term "coupled" may refer to not only a direct connection, but also an indirect connection in which an intermediate is present, unless otherwise specified.
Hereinafter, embodiments of the present application will be described with reference to the accompanying drawings. In the drawings, the same reference numerals represent the same or similar components, or the same or similar steps.
With the development of digitization and internet technology, license management and identity authentication in power business are becoming more and more important. The digital identity authentication can verify the identities of power practitioners, enterprises and users, and ensure that only legal persons can access the power service system. Based on the digital identity, fine data access control can also be achieved, ensuring that only authorized personnel can view and modify specific data.
The traditional identity authentication system has the problems of centralized management, data leakage, single-point failure and the like, and threatens the privacy and safety of users. To address these challenges, blockchain technology is introduced into the field of digital authentication, by virtue of its decentralised, non-tamperable and secure nature, providing users with a more secure and reliable digital authentication solution.
In an existing blockchain-based digital authentication method, system, electronic device and computer-readable storage medium, the method includes: acquiring an identity authentication request submitted by a user, digitally signing the request based on a random number generated by the blockchain, and sending the digital signature to an identity verification node in the blockchain; invoking an execution contract on the identity verification node, decrypting the digital signature with the execution contract to obtain an identity verification certificate, and mapping and comparing that certificate against the digital identity information registered in the blockchain to obtain a digital identity verification result; and feeding the result back to the transaction terminal, and recording and retaining the full-flow parameters of the identity verification in a recording node in the blockchain based on the feedback result. However, this scheme still decrypts the digital signature, which risks information leakage once the data is decrypted, and the recorded full-flow parameters also risk leaking private information.
In another existing digital identity authentication method based on blockchain technology, the method comprises the following steps. Building a blockchain network: a blockchain network is built as a consortium chain for storing and verifying user identity information. Identity registration: the user provides personal basic information and an identity document, a hash of the user's personal basic information is calculated with an encryption algorithm to generate a unique identity identifier, and the identifier is recorded on the blockchain. Identity authentication: in a scenario requiring identity verification the user provides the corresponding identity document, and the verification node verifies the validity and authenticity of the user's identity information against the record on the blockchain. Identity authorization: the user authorizes their identity to a specific organization or person, and the authorization information is recorded on the blockchain. Identity updating: when the user's personal information changes, the personal digital identity information is updated through an identity updating mechanism on the blockchain. That scheme builds the blockchain network as a consortium chain; registers identities by generating a unique identity identifier through hash calculation; authenticates identities with a two-factor method combining several authentication modes; and, for identity authorization and updating, generates a new public-private key pair through a smart contract, verifies ownership of the old public key, binds the new public key to the identity information and transfers the original assets to the new public key. However, generating a unique identity identifier by hash calculation carries a risk of duplication, and identity authorization and updating through smart contracts is exposed to smart contract vulnerabilities.
In a third existing identity authentication method: a service node receives an access request sent by a client, where the access request comprises an access key AK and a signature, the signature is generated by the client from a first security key SK corresponding to the AK, and the AK comprises a check field; the service node verifies, from the check field, a locally stored version number and the public key corresponding to that version number, whether the AK was generated by the identity authentication node; if so, the service node sends the AK to the identity authentication node to obtain a second SK corresponding to the AK; and when the first SK is consistent with the second SK, the service node provides the client with the service the access request asked for. However, it still relies on a centralized service node and so carries a single-point-of-failure risk, and because checking the access key relies only on the check field, the version number and the public key, there is a risk of information tampering.
From the analysis, the prior art scheme has certain defects in the aspects of privacy information protection, data security and system reliability. Meanwhile, in the prior art, the opacity and the complicated flow of the digital identity authentication flow lead to difficulty in effectively tracking and auditing the identity of electric personnel, and further influence the operation safety and reliability of an electric power business system. How to ensure the authenticity of identity information while protecting the privacy of users is another technical difficulty in existing identity authentication systems.
Based on the above, in order to solve the problems that the transparency degree of a digital identity management flow is difficult to ensure on the basis of ensuring the privacy of a user, and further the digital identity authentication process is difficult to trace and is easy to cause confusion of digital identity management and the like in the existing digital identity management method, the embodiment of the application respectively provides a digital identity management method based on a blockchain, a digital identity management system based on the blockchain, electronic equipment, a computer readable storage medium and a computer program product, which are used for executing the digital identity management method based on the blockchain, can ensure the authenticity of digital identity information of the user while protecting the privacy of the user, and simultaneously realize tracking and auditing of the digital identity authentication process, thereby effectively improving the convenience and transparency degree of digital identity management.
The following examples are provided to illustrate the invention in more detail.
Based on this, the embodiment of the application provides a blockchain-based digital identity management method which can be implemented by a blockchain-based digital identity management system, referring to fig. 1, the blockchain-based digital identity management method specifically includes the following contents:
Step 100: performing a preset digital identity management step in a blockchain network, the digital identity management step comprising: at least one of a digital identity registration step, a digital identity inquiry step, a digital identity verification step, and a digital identity revocation step.
It will be appreciated that digital identity management is an important means of ensuring information security and preventing identity theft. Through the effective and safe digital identity management system, the security risks such as phishing, information leakage and the like can be reduced, and the privacy security of personal information of a user is protected. In addition, the digital identity management can also promote information sharing and interconnection among departments and platforms, and personal identity information among different institutions can be authorized to be shared through a unified and reliable digital identity management system, so that more efficient data flow and resource integration are realized, and the development of digital economy is promoted. The digital identity management plays an important role in the electronic license trusted verification and security management and control facing the power business.
The digital identity management method provided by the application is implemented on a blockchain, whose decentralized and tamper-resistant characteristics suit the security requirements of identity authentication. Building the identity authentication system on blockchain technology improves the security, credibility and transparency of the system and provides users with safer and more reliable identity recognition and authentication services.
Specifically, a blockchain is a chain-structured, tamper-proof, secure, trusted, decentralized, distributed ledger. It combines distributed storage, peer-to-peer transmission, consensus mechanisms, cryptography and other techniques; each data block is linked to the previous block to form a continuous chain. Each block contains the hash value (also called a data digest) of the previous block, so any modification of the data in a block changes its hash value; because the hash of the next block depends on the hash of the previous one, a modification propagates to all subsequent blocks and makes the data of the entire blockchain inconsistent. Thus, once data is recorded on the blockchain it cannot be modified or deleted, and the growing chain of data blocks ensures the authenticity, security and integrity of the data.
A smart contract is an automated contract based on blockchain technology: a computer program running on a blockchain that automatically executes the contract terms. The smart contract defines the terms and execution logic of the contract programmatically and executes automatically, without human intervention, once the predetermined conditions are met. Smart contracts are typically written in a particular programming language (e.g. Solidity) provided by a smart contract platform (e.g. Ethereum). Once coded, the smart contract is uploaded to the blockchain network, i.e. it is received by all verification nodes of the network. The smart contract periodically checks whether a trigger condition exists, and an event whose condition is met is pushed to the queue to be verified. The verification nodes in the blockchain verify the signature of the event to be verified, and after a majority of verification nodes reach consensus the smart contract executes successfully.
Ethereum is a smart contract platform based on blockchain technology; smart contracts are created and executed through a Turing-complete scripting language, Ethereum Virtual Machine code (EVM code for short). The EVM is the virtual machine of the Ethereum platform that runs smart contract code and executes programs stored on the blockchain. Ethereum provides a high-level contract language named Solidity; smart contract code written in Solidity is compiled to EVM bytecode and then deployed onto the Ethereum blockchain. Once deployed, the smart contract code executes on the EVM, and its state and results are recorded in the blockchain, ensuring the transparency and tamper resistance of the smart contract. Because Ethereum's scripting language is Turing-complete, any computable problem can be computed on it. This makes the Ethereum platform very flexible: it supports many kinds of smart contracts and decentralized applications (DApps), offering developers rich functionality and room for innovation.
In the power business scenario, the user may refer to a power user, and the visitor sending the digital identity authentication request for the target user may be a role of the power user, a service provider, a supplier, and the like with authentication rights. Meanwhile, users such as power users and suppliers can interact with the blockchain-based digital identity management system through operating the client terminal.
In addition, in one or more embodiments of the present application, the blockchain-based digital identity management system may be one or more management nodes in a blockchain network, where the management nodes may also be verification nodes, and meanwhile, the management nodes in the blockchain network and the verification nodes may be client devices or servers, and may be specifically set according to practical application requirements.
Step 200: in the course of executing the digital identity management step, an audit log entry is generated in real time for each key event in that step, according to a preset set of key event types; the audit log entry is encrypted and stored in the blockchain so that it can be delivered, through a preset log access interface and access rules, to an authorized user who submits an audit-log access request.
From the above description, it can be seen that the blockchain-based digital identity management method provided by the embodiment of the application can ensure the authenticity of the digital identity information of the user while protecting the privacy of the user, and simultaneously realize tracking and auditing of the digital identity authentication process, so that the convenience and transparency degree of digital identity management can be effectively improved.
In the blockchain-based digital identity management method provided by the embodiment of the application, the digital identity registration step is implemented using CP-ABE encryption, an IPFS system and AES encryption; the digital identity inquiry step is implemented using zero-knowledge proofs; and the digital identity verification step is implemented using a plurality of distributed verification nodes in the blockchain network.
In one or more embodiments of the application, the IPFS system refers to the InterPlanetary File System, abbreviated IPFS. IPFS is a global, content-addressed, peer-to-peer distributed file system and network hypermedia protocol. IPFS uses distributed storage: a file can be split into a number of blocks stored on multiple nodes of the network, which ensures data redundancy and reliability. It locates files by content addressing, i.e. a file is retrieved by the hash value of its content rather than by its location or address. IPFS also supports caching files and lets users manage data updates and histories through versioning. The hypermedia-protocol part of IPFS covers the acquisition and transmission of various kinds of data over the IPFS network, so that users can access and share media files such as pictures, video and audio via the IPFS protocol. IPFS is therefore often used to build decentralized, reliable data storage and transmission networks.
In one or more embodiments of the present application, the CP-ABE encryption mode refers to Ciphertext-Policy Attribute-Based Encryption, abbreviated CP-ABE. Attribute-based encryption is a modern cryptographic technique that allows a data owner to encrypt data, and users to decrypt it, based on a user's attributes or set of attributes, without requiring a specific key. Only users who satisfy the access policy, i.e. who possess the required attributes, can decrypt the data. Attribute-based encryption gives data owners finer-grained access control and thereby improves data security and privacy protection. It is particularly useful where personalized or permission-specific access control is required, such as cloud storage, medical care and the Internet of Things. With attribute-based encryption, users can share data more conveniently while ensuring that it is accessed only by authorized users.
In one or more embodiments of the application, the AES encryption mode refers to the Advanced Encryption Standard, abbreviated AES. AES is a strong, secure and widely used symmetric encryption algorithm. It was introduced to replace the earlier Data Encryption Standard (DES) and is faster and stronger than DES. The AES algorithm encrypts and decrypts a block of data using a fixed-length key (128, 192 or 256 bits); the encryption and decryption processes are based on operations such as matrix operations and byte substitution. Encryption groups the plaintext into 16-byte (128-bit) blocks, and if the final group is shorter than 16 bytes it is filled with padding characters according to a specific padding scheme (e.g. PKCS), so the last block of ciphertext may differ between padding modes.
In other words, the embodiment of the application uses the Ethereum blockchain platform and smart contract technology to build a decentralized identity authentication system that achieves distributed storage and high security of user identity information. The identity information is encrypted with the CP-ABE attribute-based encryption algorithm, combined with IPFS and AES encryption, giving a multilayer encrypted storage scheme that improves the security and credibility of user identity information. In the verification process, the encrypted ciphertext is obtained through the blockchain and the IPFS address is decrypted; after obtaining the user identity ciphertext, the server (visitor) generates a decryption key from its own attribute set and decrypts the ciphertext to obtain the user identity plaintext. This ensures safe and reliable identity verification, promotes cross-organization sharing of user identity information, eliminates the information-island effect, and ultimately greatly improves the convenience, efficiency and security of digital identity authentication.
Furthermore, in the blockchain-based digital identity management method provided by the embodiment of the application, user identity registration and identity verification are two key steps in the digital identity authentication process. Identity registration adds the user's identity information to the system for subsequent use. Verification ensures the authenticity of the information on the chain: when the user registers an identity, blockchain nodes are designated for subsequent verification. The verification nodes verify and confirm the integrity and authenticity of the digital identity recorded on the chain, ensuring the authenticity and credibility of the on-chain digital identity. In this model, users register and manage their own on-chain identities autonomously rather than relying on third-party authorities to create and manage them.
Therefore, in order to further improve the confidentiality, integrity, availability and attack resistance of the blockchain-based digital identity registration and simplify the digital identity registration flow, referring to fig. 2, if the current digital identity management step is the digital identity registration step, step 100 in the blockchain-based digital identity management method specifically includes the following steps:
step 111: receiving a digital identity registration request sent by a target user in a blockchain network, wherein the digital identity registration request comprises: the identity information of the target user and the plurality of authentication nodes in the blockchain network specified by the target user.
Step 112: perform CP-ABE encryption on the identity information of the target user to obtain the corresponding identity information hash value, and store the identity information hash value in an IPFS system to obtain the IPFS address, generated and returned by the IPFS system, that uniquely corresponds to the encrypted data.
Step 113: AES encryption is performed on the IPFS address to obtain an encrypted IPFS address.
Step 114: and generating a unique identity of the target user based on the identity information of the target user, the authentication node addresses corresponding to the authentication nodes specified by the target user and the encryption IPFS address.
Step 115: taking the unique identity of the target user, the identity information hash value, verification node addresses corresponding to a plurality of verification nodes appointed by the target user, the expiration time of the certificate and preset supplementary information as the identity certificate of the target user to be stored in a blockchain; the identity certificate also comprises the current certificate verification state and certificate expiration time of the identity certificate.
It is understood that identity credentials refer to an encrypted data structure used to verify the identity of a user and authorize access to a particular resource. In particular, the identity credential may contain key information such as a user's identity information hash value, authentication status, expiration time, etc., and be securely stored on the blockchain. The system has the function of providing necessary identity information and authority verification when a user performs identity verification or requests access control, and ensuring the security of the system and the integrity of data.
In one example of the present application, referring to FIG. 3, the contents of user digital identity credential information and the process of storing into a blockchain is illustrated. The personal information of the user may include name, qualification level, training record, etc., the personal information is processed by a hash algorithm to form a hash code, the hash code is stored in an identity information data structure defined in the intelligent contract, and then the credentials are stored in the blockchain. The "User DIGITAL IDENTITY CERTIFICATE" refers to an identity credential, and the unique identity identifier may be abbreviated as "UserID", that is, a User digital identity credential identifier. The hash value of the identity information, namely the hash code of the user identity information, can be written as 'userinfoHash'; the verification node address may be written as "verifyNodeAddr"; the encrypted IPFS address is the IPFS address after encryption and can be written as 'encipher (ipfsAddr)'; the credential verification state may also be referred to as a credential verification state, which may be written as "verificationStatus"; the credential expiration time may be written as "expireTime"; the supplemental information is other needed supplemental information, and may be abbreviated as other information, namely "otherinfo". The identity information (User Identity Information) of the target user may include: name (name), qualification level (qualifications), and training record (trainingRecord). "BlockChain" refers to a blockchain.
That is, in the digital identity management system designed by the present application, two crucial steps are involved, namely user identity registration and user identity verification. The identity registration process is to add and input the identity information of the user into the system, so that the identity information can be conveniently used in subsequent operations. This process not only simplifies the user's operation, but also provides the necessary data for subsequent authentication.
That is, when a user registers an identity with the decentralized identity authentication system of the present application, the following procedure is followed:
(1) Creating identity information: the user submits basic identity information to the system and designates a group of verification nodes, which subsequently verify the identity information registered in this step once it is on the chain. Compared with designating only one verification node, this realizes a distributed identity verification mechanism and increases the availability and robustness of the module.
(2) Attribute encryption and hash processing: the system encrypts the identity information entered by the user with the ciphertext-policy attribute-based encryption algorithm CP-ABE. The encrypted identity information is stored in IPFS (InterPlanetary File System) and yields a unique hash code.
(3) AES encryption of IPFS addresses (hash codes): the generated IPFS hash code is extracted and encrypted using AES encryption.
(4) Blockchain storage: the system obtains the user identity information, the verification node address and the encrypted IPFS hash code and then generates a unique identifier UserID of the user identity information. The UserID, hash of the identity information, authentication node address, current authentication status and identity expiration time, encrypted IPFS address, and other supplemental information are stored as identity credentials on the blockchain.
In order to further improve convenience and reliability of blockchain-based digital identity management, referring to fig. 4, if the current digital identity management step is the digital identity inquiry step, step 100 in the blockchain-based digital identity management method specifically includes the following steps:
Step 121: receiving a digital identity inquiry request sent by a target user in a blockchain network, wherein the digital identity inquiry request comprises the following components: the unique identity of the target user and the zero knowledge proof generated by the target user aiming at the identity information of the target user in advance;
Step 122: verifying the zero knowledge proof; if the verification of the zero knowledge proof is passed, based on the unique identity of the target user, invoking an intelligent contract to inquire the identity certificate corresponding to the target user in the blockchain;
step 123: and sending the identity credential to the target user.
That is, when a user performs a digital identity lookup with the decentralized identity authentication system of the present application, the following procedure is followed:
(1) A user initiates a query request: where a user needs to query for a particular digital identity, such as when verifying the identity of a person, obtaining a particular right, or viewing personal information.
(2) The user provides the digital identifier UserID and a signature value over the identity information. The signature is verified to ensure that the user currently requesting the identity query owns the identity information on the chain.
(3) Zero knowledge proof verification: in this step, the present module verifies the identity of the user using zero knowledge proof techniques without exposing the actual identity information of the user. The method comprises the following specific steps:
1) Generating the proof: the user first generates a zero-knowledge proof that they know secret information related to their digital identity, without disclosing that information. The proof may be generated with an existing zero-knowledge proof scheme such as zk-SNARKs (Zero-Knowledge Succinct Non-Interactive Argument of Knowledge) or zk-STARKs (Zero-Knowledge Scalable Transparent Argument of Knowledge).
2) Submitting the proof: the user submits the generated zero-knowledge proof to the system together with their digital identifier UserID. The proof demonstrates that the user knows secret information about their digital identity but reveals none of the actual information.
3) Verifying the proof: the module verifies the proof after receiving it from the user. This verification uses only the public part of the proof and requires no knowledge of the user's secret information. If the proof is valid, the system can confirm that the user does possess the secret information associated with the digital identity.
(4) Querying the identity: once the user's zero-knowledge proof is verified, the system may invoke the smart contract to query the digital identity. The query is executed on the chain, ensuring transparency and tamper resistance.
(5) The system returns a query result including userID, hash code of identity information, authentication node address, authentication status and expiration time, encrypted IPFS address, etc.
Further, during user verification it is necessary to ensure the authenticity of the information on the chain. To this end, the present application requires that when a user registers an identity, a set of blockchain nodes is designated for subsequent verification. The verification nodes verify and confirm the integrity and authenticity of the digital identity recorded on the chain, ensuring the authenticity and credibility of the on-chain digital identity. This process makes full use of the decentralized nature of the blockchain and improves the security and credibility of the data. In the system provided by the application, users register and manage their own on-chain identities autonomously, so no third-party authority is needed to create and manage them. This departs from the traditional identity authentication model, letting users enjoy convenient services while their privacy is protected.
Based on this, in order to further improve the confidentiality, integrity, availability and attack resistance of the blockchain-based digital identity verification and simplify the digital identity verification process, in the blockchain-based digital identity management method provided by the embodiment of the present application, referring to fig. 5, if the current digital identity management step is the digital identity verification step, step 100 in the blockchain-based digital identity management method specifically includes the following steps:
Step 131: receiving a digital authentication request for the target user in a blockchain network, wherein the digital authentication request includes: the unique identity of the target user and the identity information signature value of the target user;
Step 132: searching verification node addresses corresponding to a plurality of verification nodes pre-designated by the target user according to the unique identity of the target user;
Step 133: based on each verification node address, forwarding a digital identity verification request aiming at the target user to each verification node pre-designated by the target user, so that each verification node calls an intelligent contract according to the unique identity of the target user, and therefore each verification node verifies based on the identity information signature value of the target user and the identity certificate of the target user pre-stored in the blockchain, and returns verification result data generated by each verification node;
Step 134: receiving the verification result data sent back by each verification node;
Step 135: judging whether the number of the verification result data which is displayed to pass the verification meets a preset passing threshold value, if so, determining that the target user passes the digital authentication, and returning a corresponding digital authentication passing message like the sending end of the digital authentication request.
In one or more verification or determination processes of the present application, if not, the system issues verification failure information and stops performing subsequent steps of the verification or determination.
That is, the user registers the identity information on the link, and in order to ensure the authenticity and integrity of the information on the link, the authentication of the identity information on the link is required, and the following process is followed:
(1) Initiating the identity authentication request: to initiate an authentication request, the user submits parameters such as the unique identity UserID of the identity credential and the signature value over the identity information, and submits this information to the set of designated verification nodes.
(2) Acquisition of on-chain credential information: after receiving the request, each verification node invokes the intelligent contract to perform digital identity inquiry in order to acquire the registered identity information and credentials of the user on the blockchain network.
(3) Verifying identity information: the verification node confirms the authenticity and integrity of the registered identity information and whether the user initiating the digital authentication request is the actual owner of the registered identity. The verification process comprises the following steps:
1) Confirm the format and authenticity of the identity information submitted by the user.
2) The signature is checked to confirm that the current user does have the corresponding private key.
3) The authentication node locally calculates and confirms whether the identity information of the user registration uplink is truly complete.
(4) Modification of credential status: once more than 2/3 (the ratio may be adjusted based on the different consensus mechanisms chosen) of the number of nodes authenticated, the authentication node will modify the state of the user credentials and set an expiration time, indicating that the authenticating digital identity is authenticated on the chain.
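The verification and quorum logic of steps (1)-(4) above, written out as an added Go example; it is not code from the patent. It assumes Ed25519 for the user's identity signature and SHA-256 for the identity information hash (the patent names neither), models each designated verification node as a function, and replaces the smart contract query with an in-memory credential record. The threshold is strictly more than 2/3 of the designated nodes, so with four nodes one unreachable node is tolerated while two are not.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
	"time"
)

// Credential verification states written on chain (an assumed encoding).
const (
	StatePending  = "pending"
	StateVerified = "verified"
)

// IdentityCredential holds the on-chain fields this step reads and updates.
type IdentityCredential struct {
	UserID       string
	IdentityHash [32]byte          // SHA-256 of the registered identity information
	UserPubKey   ed25519.PublicKey // assumed: the key the user signs identity information with
	NodeAddrs    []string          // verification nodes designated at registration
	State        string
	ExpiresAt    time.Time
}

// AuthRequest is the digital authentication request of step 131.
type AuthRequest struct {
	UserID       string
	IdentityInfo []byte // identity information presented by the requester
	Signature    []byte // requester's signature over SHA-256(IdentityInfo)
}

// NodeCheck is the verification one designated node performs (items 1-3 of step (3)).
type NodeCheck func(cred *IdentityCredential, req AuthRequest) bool

// HonestNode checks the format, then the signature (proof that the requester holds the
// private key), then that the presented information hashes to the registered value.
func HonestNode(cred *IdentityCredential, req AuthRequest) bool {
	if len(req.IdentityInfo) == 0 || len(req.Signature) != ed25519.SignatureSize {
		return false
	}
	h := sha256.Sum256(req.IdentityInfo)
	return ed25519.Verify(cred.UserPubKey, h[:], req.Signature) && h == cred.IdentityHash
}

// OfflineNode models a designated node that returns no result; it never counts as a pass.
func OfflineNode(*IdentityCredential, AuthRequest) bool { return false }

// PassThreshold is the smallest count that is strictly more than 2/3 of n nodes.
func PassThreshold(n int) int { return n*2/3 + 1 }

// Authenticate implements steps 132-135: forward the request to the nodes designated in the
// credential, count passing results, and on quorum mark the credential verified with an expiry.
func Authenticate(cred *IdentityCredential, nodes map[string]NodeCheck, req AuthRequest,
	validity time.Duration, now time.Time) (bool, int) {
	if req.UserID != cred.UserID {
		return false, 0
	}
	passes := 0
	for _, addr := range cred.NodeAddrs { // only pre-designated nodes are consulted
		if check, ok := nodes[addr]; ok && check(cred, req) {
			passes++
		}
	}
	if passes < PassThreshold(len(cred.NodeAddrs)) {
		return false, passes
	}
	cred.State = StateVerified // step (4): modify credential state and set an expiration time
	cred.ExpiresAt = now.Add(validity)
	return true, passes
}

// Register builds a pending credential for identityInfo and returns the user's signing key;
// the patent's CP-ABE/IPFS storage of the identity itself is outside this example.
func Register(identityInfo []byte, nodeAddrs []string) (*IdentityCredential, ed25519.PrivateKey, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	h := sha256.Sum256(identityInfo)
	cred := &IdentityCredential{UserID: fmt.Sprintf("user-%x", h[:4]), IdentityHash: h,
		UserPubKey: pub, NodeAddrs: nodeAddrs, State: StatePending}
	return cred, priv, nil
}

// SignRequest produces the step 131 request for the holder of priv.
func SignRequest(cred *IdentityCredential, priv ed25519.PrivateKey, identityInfo []byte) AuthRequest {
	h := sha256.Sum256(identityInfo)
	return AuthRequest{UserID: cred.UserID, IdentityInfo: identityInfo, Signature: ed25519.Sign(priv, h[:])}
}

func main() {
	info := []byte(`{"name":"constructed user","role":"operator"}`) // constructed sample input
	cred, priv, _ := Register(info, []string{"node-a", "node-b", "node-c", "node-d"})
	nodes := map[string]NodeCheck{"node-a": HonestNode, "node-b": HonestNode, "node-c": HonestNode, "node-d": OfflineNode}
	ok, n := Authenticate(cred, nodes, SignRequest(cred, priv, info), 24*time.Hour, time.Now())
	fmt.Println("authenticated:", ok, "passes:", n, "state:", cred.State)
}
```

Each node re-derives the hash from the presented identity information and compares it with the value registered on chain, so a valid signature over different information is rejected by every honest node; the coordinator only counts results and never trusts a node that is not in the credential's designated list.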
In order to further improve the confidentiality, integrity, availability and attack resistance of the blockchain-based digital identity revocation and simplify the digital identity revocation procedure, in the blockchain-based digital identity management method according to the embodiment of the present application, referring to fig. 6, if the current digital identity management step is the digital identity revocation step, a specific implementation of step 100 in the blockchain-based digital identity management method includes the following:
Step 141: receiving a digital identity revocation request issued by the target user in a blockchain network, wherein the digital identity revocation request comprises: the identity information signature value of the target user;
In one or more embodiments of the present application, the different types of requests may each include a unique identifier of the target user, so that the blockchain-based digital identity management system may determine, subsequently, the target user for which the current request is directed according to the unique identifier, and may extract, according to the unique identifier, pre-stored relevant data corresponding to the target user.
Step 142: and invoking an intelligent contract to verify based on the identity information signature value of the target user and the identity credential of the target user prestored in the blockchain, and if the verification is passed, modifying the verification state in the identity credential of the target user from data used for representing that the verification is passed to data used for representing that the identity is revoked.
Referring to fig. 7, if the current digital identity management step is the digital identity revocation step, another implementation of step 100 in the blockchain-based digital identity management method includes the following:
Step 151: receiving a digital identity revocation request from a target verification node in a blockchain network, wherein the digital identity revocation request comprises: a signature value of the identity information hash value; the signature value of the identity information hash value is obtained in advance by the target verification node signing the identity information hash value of the target user with the private key of the target verification node.
Step 152: verifying, based on the signature value of the identity information hash value, that the target verification node holds its private key.
Step 153: if the verification of the private key of the target verification node passes, invoking a smart contract to verify whether the target verification node is among the verification nodes specified in the identity credential of the target user prestored in the blockchain.
Step 154: if the target verification node is among the verification nodes designated by the target user, modifying the verification state in the identity credential of the target user from data representing verification passed to data representing identity revoked.
That is, the revocation function of the digital identity is critical to ensuring the security, accuracy and trustworthiness of identity information. When designing digital identity revocation, validity and security must be ensured by following this procedure:
(1) The authentication node or user initiates a revocation request: to ensure security, only the authentication node or the user may initiate an identity revocation request, and only for credentials that have been authenticated. When a request is initiated, the unique identity (UserID) of the identity credential and the signature value, under the authentication node's private key, of the user identity information hash value userInfoHash are provided.
(2) The system verifies the request. The system first verifies the signature of the initiator of the identity revocation request to confirm that the initiator holds the private key of the verifying node; the smart contract is then invoked to verify that the node is the same as the verification node specified when the user registered the digital identity. If the two are the same, the next step is carried out.
(3) The system modifies the verification state in the identity credential from "verification passed" to "identity revoked".
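The node-initiated revocation of procedure (1)-(3) (steps 151-154 above), as an added Go example that is not the patent's code. It assumes Ed25519 node keys held in an on-chain registry (NodeRegistry), SHA-256 for userInfoHash, and an in-memory credential in place of the smart contract. The checks run in the order the text gives: the credential is in the authenticated state, the node's signature verifies, the node is among those designated at registration, and only then is the state switched to revoked.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

const (
	StateVerified = "verified"
	StateRevoked  = "revoked"
)

// Credential is the subset of the on-chain identity credential the revocation path reads.
type Credential struct {
	UserID       string
	UserInfoHash [32]byte // hash of the registered identity information (userInfoHash)
	NodeAddrs    []string // verification nodes designated at registration
	State        string
}

// NodeRegistry maps a verification node address to its public key (assumed: the patent
// presumes node keys are known; this is one way to hold them).
type NodeRegistry map[string]ed25519.PublicKey

// NodeRevocationRequest is the request of step 151.
type NodeRevocationRequest struct {
	UserID       string
	NodeAddr     string
	UserInfoHash [32]byte
	Signature    []byte // the node's signature over UserInfoHash with its private key
}

var (
	ErrNotAuthenticated = errors.New("only authenticated credentials can be revoked")
	ErrUnknownNode      = errors.New("requesting node has no registered key")
	ErrBadSignature     = errors.New("signature does not verify under the node's key")
	ErrNotDesignated    = errors.New("node is not among the nodes designated at registration")
	ErrHashMismatch     = errors.New("signed hash differs from the registered identity hash")
)

// RevokeByNode implements steps 152-154 as one state transition; every check happens before
// any write, so a rejected request leaves the credential untouched.
func RevokeByNode(cred *Credential, registry NodeRegistry, req NodeRevocationRequest) error {
	if cred.State != StateVerified || req.UserID != cred.UserID {
		return ErrNotAuthenticated
	}
	pub, ok := registry[req.NodeAddr]
	if !ok {
		return ErrUnknownNode
	}
	// Step 152: a valid signature proves possession of the node's private key.
	if len(req.Signature) != ed25519.SignatureSize || !ed25519.Verify(pub, req.UserInfoHash[:], req.Signature) {
		return ErrBadSignature
	}
	// Step 153: the signer must be one of the nodes the user designated.
	designated := false
	for _, a := range cred.NodeAddrs {
		designated = designated || a == req.NodeAddr
	}
	if !designated {
		return ErrNotDesignated
	}
	// Bind the request to this credential: the signed hash must match the registered one.
	if req.UserInfoHash != cred.UserInfoHash {
		return ErrHashMismatch
	}
	cred.State = StateRevoked // step 154
	return nil
}

// NewNode generates a node key pair and records its public key (constructed setup).
func NewNode(registry NodeRegistry, addr string) (ed25519.PrivateKey, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	registry[addr] = pub
	return priv, nil
}

// SignRevocation is what a node does before sending the request of step 151.
func SignRevocation(cred *Credential, addr string, priv ed25519.PrivateKey) NodeRevocationRequest {
	return NodeRevocationRequest{UserID: cred.UserID, NodeAddr: addr, UserInfoHash: cred.UserInfoHash,
		Signature: ed25519.Sign(priv, cred.UserInfoHash[:])}
}

func main() {
	registry := NodeRegistry{}
	privA, _ := NewNode(registry, "node-a")
	cred := &Credential{UserID: "user-1", UserInfoHash: sha256.Sum256([]byte("constructed identity")),
		NodeAddrs: []string{"node-a", "node-b"}, State: StateVerified}
	err := RevokeByNode(cred, registry, SignRevocation(cred, "node-a", privA))
	fmt.Println("revoked by node-a:", err == nil, "state:", cred.State)
}
```

A node that holds a registered key but was not designated by this user is refused even with a valid signature, and a request that names a designated node but is signed by some other key fails the signature check first; both leave the credential in the verified state.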
In order to further improve the real-time performance and reliability of tracking and auditing the digital identity authentication process, and further improve the convenience and transparency of digital identity management, in the blockchain-based digital identity management method provided by the embodiment of the application, the audit log entry is used to store the correspondence among the timestamp, the key event type, the hash digest of the identity information and the operator identifier of the key event.
Specifically, in order to solve the transparency problem of the authentication flow in the prior art and enhance the privacy protection of users, the application introduces a security audit log system. The system records key events in the identity authentication process, but does not relate to sensitive personal data, so that the security and transparency of the identity authentication are improved.
1. Technical components:
1) Event recorder: a lightweight component for capturing and recording critical events in the authentication process.
2) Hash function: used to generate the hash digest of the identity information, ensuring privacy protection.
3) Timestamp service: provides an accurate time record for each entry of the log.
4) Blockchain storage: used to store log entries securely, ensuring they cannot be tampered with.
5) Access control: ensures that only authorized users and systems can generate and access logs.
2. Implementation steps:
S1, defining key events: determine which events need to be logged, such as "authentication request", "authentication success", "authentication failure", "identity revoked", etc.
S2, generating a hash digest: when a user submits identity information, the system uses a hash function (e.g., SHA-256) to generate a hash digest of the identity information, and stores only this hash digest, not the original identity information.
S3, adding a timestamp and an operator identifier: an accurate timestamp is generated for each event, and the unique identification of the operator or verifying node is added where applicable.
S4, creating a log entry: each log entry contains an event type, a hash digest, a timestamp and an operator identification. The entry format is, for example: [timestamp, event type, hash digest, operator identification].
S5, storing log entries: the log entries are stored on the blockchain in encrypted form (using the AES encryption algorithm, etc.), ensuring security and tamper resistance; an existing blockchain platform such as Ethereum may alternatively be used.
S6, access control: an access control mechanism is implemented to ensure that only authorized auditors and systems can access log data.
S7, log audit interface: a simple user interface or API is developed that allows authorized users to query and audit log entries.
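Steps S1-S7 as an added Go example (not the patent's code): entries carry only the SHA-256 digest of the identity information, a timestamp and the operator identifier; they are AES-256-GCM encrypted before storage and readable only by principals on an allow-list. The event names, the JSON encoding of the S4 record and the in-memory store standing in for the blockchain are assumptions.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"errors"
	"fmt"
	"time"
)

type EventType string // key event types of S1 (the names are assumed)

const (
	EvAuthRequest EventType = "authentication_request"
	EvAuthSuccess EventType = "authentication_success"
	EvAuthFailure EventType = "authentication_failure"
	EvRevoked     EventType = "identity_revoked"
)

var knownEvents = map[EventType]bool{EvAuthRequest: true, EvAuthSuccess: true, EvAuthFailure: true, EvRevoked: true}

// LogEntry is the S4 record [timestamp, event type, hash digest, operator identification], serialised as JSON.
type LogEntry struct {
	Timestamp time.Time `json:"ts"`
	Event     EventType `json:"event"`
	Digest    string    `json:"digest"`   // hex SHA-256 of the identity information (S2); the information itself is never kept
	Operator  string    `json:"operator"` // operator or verification node identifier (S3)
}

// NewEntry derives an entry from submitted identity information without retaining it.
func NewEntry(ev EventType, identityInfo []byte, operator string, now time.Time) (LogEntry, error) {
	if !knownEvents[ev] {
		return LogEntry{}, fmt.Errorf("unknown event type %q", ev)
	}
	sum := sha256.Sum256(identityInfo)
	return LogEntry{Timestamp: now.UTC(), Event: ev, Digest: hex.EncodeToString(sum[:]), Operator: operator}, nil
}

// AuditLog stands in for the chain: entries are sealed with AES-256-GCM (S5) and only
// allow-listed auditors may read them (S6, S7).
type AuditLog struct {
	gcm     cipher.AEAD
	sealed  [][]byte // nonce || ciphertext || tag per entry, written only by Append
	allowed map[string]bool
}

func NewAuditLog(key []byte, allowed map[string]bool) (*AuditLog, error) {
	block, err := aes.NewCipher(key) // key must be 16, 24 or 32 bytes
	if err != nil {
		return nil, err
	}
	gcm, _ := cipher.NewGCM(block) // cannot fail for an AES block
	return &AuditLog{gcm: gcm, allowed: allowed}, nil
}

// Append encrypts the JSON entry under a fresh random nonce and stores it.
func (l *AuditLog) Append(e LogEntry) error {
	raw, err := json.Marshal(e)
	if err != nil {
		return err
	}
	nonce := make([]byte, l.gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return err
	}
	l.sealed = append(l.sealed, l.gcm.Seal(nonce, nonce, raw, nil))
	return nil
}

// Query checks access first, then decrypts; a failed GCM tag means a stored entry was altered,
// and the whole query is refused rather than returning a partial log.
func (l *AuditLog) Query(principal string) ([]LogEntry, error) {
	if !l.allowed[principal] {
		return nil, errors.New("principal is not an authorised auditor")
	}
	n := l.gcm.NonceSize()
	out := make([]LogEntry, 0, len(l.sealed))
	for _, s := range l.sealed {
		raw, err := l.gcm.Open(nil, s[:n], s[n:], nil)
		if err != nil {
			return nil, err
		}
		var e LogEntry
		if err := json.Unmarshal(raw, &e); err != nil {
			return nil, err
		}
		out = append(out, e)
	}
	return out, nil
}

func main() {
	al, _ := NewAuditLog(make([]byte, 32), map[string]bool{"auditor-1": true}) // constructed zero key
	e, _ := NewEntry(EvAuthSuccess, []byte("constructed identity"), "node-a", time.Now())
	fmt.Println(al.Append(e))
}
```

The GCM authentication tag gives the tamper detection the text attributes to on-chain storage: flipping one byte of a stored entry makes the auditor's query fail instead of silently returning altered data.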
In summary, the blockchain-based digital identity management method provided by the embodiment of the application effectively solves the problems of security risk, data leakage risk and the information island effect present in prior-art schemes by introducing the attribute encryption algorithm, multi-layer encrypted storage and the decentralized nature of the blockchain, and improves the security and credibility of identity authentication. For the problems that prior-art schemes cannot solve, the application improves the security and reliability of the digital identity authentication system through an innovative encrypted storage and verification mechanism, and ensures that the power service system can verify the identity of a user and issue a trusted electronic license. The method plays a key role in the trusted verification and security management of electronic licenses for power services, and ensures the credibility of the user identity, the security of the data and the validity of the electronic license. The method and system can thus solve the security risk, data leakage risk, information island effect and similar problems of traditional identity authentication systems.
Specifically, the blockchain-based digital identity management method provided by the embodiment of the application has the following beneficial effects:
(1) Data confidentiality
First, consider data confidentiality. The identity authentication scheme adopts a CP-ABE attribute encryption algorithm and an AES encryption technology, so that only authorized users can access and decrypt the identity information stored in IPFS. In addition, by using zero knowledge proof technology, the user can verify his identity without revealing any actual identity information, thereby further enhancing the confidentiality of the data.
(2) Data integrity
Second, data integrity is another important aspect of the assessment. The system stores the hash value of the user identity information, together with the associated authentication node addresses and status information, on the blockchain via the smart contract. Due to the tamper resistance of the blockchain, once data is written it cannot be modified or deleted, which guarantees the integrity of the data.
(3) Availability
In terms of availability, a group of verification nodes instead of a single node is designated in the design through a distributed identity verification mechanism, so that not only is the robustness of the system improved, but also the system is ensured to continue to operate when part of nodes are not available, and therefore high availability is ensured.
(4) Resistance to attack
Finally, the protocol is analyzed for its ability to resist various potential attacks. For example, for man-in-the-middle attacks, since all communications are encrypted, an attacker cannot decrypt or forge an identity even if he intercepts the data. In addition, the digital identity management system related to the application also needs to resist other common network attacks such as replay attacks, denial of service attacks and the like.
(5) Simplified authentication flow: by reducing unnecessary steps, the design of the application improves the efficiency of identity verification and reduces the authentication time.
(6) Security audit log: the introduced audit log system records all critical operations, such as validation requests and results, but does not record any sensitive personal identity information. The beneficial effects of these approaches include improving system efficiency and enhancing transparency and security while ensuring protection of user privacy.
(7) Key operation hash digest: the system generates a hash digest for each step in the authentication process, enhancing the integrity verification of the data.
(8) Timestamp and operator identification: each log entry contains a time stamp and a unique identification of the operator, ensuring the integrity and non-repudiation of the log.
The present application also provides a blockchain-based digital identity management system for executing all or part of the blockchain-based digital identity management method, referring to fig. 8, the blockchain-based digital identity management system specifically includes the following contents:
A digital identity management module 10 for performing a preset digital identity management step in a blockchain network, the digital identity management step comprising: at least one of a digital identity registration step, a digital identity inquiry step, a digital identity verification step, and a digital identity revocation step;
And the audit log record and trace module 20 is configured to generate an audit log entry in real time for each key event in the digital identity management step based on a preset key event type in the process of executing the digital identity management step, encrypt the audit log entry, and store the encrypted audit log entry in a blockchain to send the audit log entry to an authorized user who sends an audit log access based on a preset log access interface and access rules.
From the above description, it can be seen that the blockchain-based digital identity management system provided by the embodiments of the present application uses the blockchain to provide a decentralised platform for storing and verifying identity information applications, thereby ensuring transparency and traceability of transactions. The intelligent contract is used for storing the identity registration, verification process and other related operation rules and automatically executing the operations, so that the digital identity registration, verification, transaction confirmation and uplink processes can be effectively simplified, the execution efficiency of digital identity authentication and transaction can be effectively improved, the time cost can be reduced, and the error rate can be reduced.
In the blockchain-based digital identity management system provided by the embodiment of the application, the digital identity registration step is realized based on CP-ABE encryption, an IPFS system and AES encryption, the digital identity inquiry step is realized based on zero-knowledge proof, and the digital identity verification step is realized based on a plurality of verification nodes distributed in the blockchain network.
In addition, the use of encryption techniques such as CP-ABE (Ciphertext-Policy Attribute-Based Encryption) and AES (Advanced Encryption Standard) can ensure the security and privacy of data transmission and storage. CP-ABE allows data access control according to user attributes, while AES provides strong data encryption that protects data from unauthorized access.
Finally, IPFS (InterPlanetary File System) is used as a distributed file storage and transmission protocol, which can provide safer, more efficient and lower-cost data storage, is used for storing ciphertext of identity information and other related data, and simultaneously supports rapid retrieval of large-scale data.
In order to further improve the confidentiality, integrity, availability and attack resistance of blockchain-based digital identity registration and simplify the digital identity registration process, in the blockchain-based digital identity management system provided by the embodiment of the present application, if the current digital identity management step is the digital identity registration step, the digital identity management module 10 includes: a digital identity registration unit for performing the following:
step 111: receiving a digital identity registration request sent by a target user in a blockchain network, wherein the digital identity registration request comprises: the identity information of the target user and the plurality of authentication nodes in the blockchain network specified by the target user.
Step 112: and performing CP-ABE encryption on the identity information of the target user to obtain a corresponding identity information hash value, and storing the identity information hash value into a IPFS system to obtain a IPFS address uniquely corresponding to the encrypted data generated and returned by the IPFS system.
Step 113: AES encryption is performed on the IPFS address to obtain an encrypted IPFS address.
Step 114: and generating a unique identity of the target user based on the identity information of the target user, the authentication node addresses corresponding to the authentication nodes specified by the target user and the encryption IPFS address.
Step 115: taking the unique identity of the target user, the identity information hash value, verification node addresses corresponding to a plurality of verification nodes appointed by the target user, the expiration time of the certificate and preset supplementary information as the identity certificate of the target user to be stored in a blockchain; the identity certificate also comprises the current certificate verification state and certificate expiration time of the identity certificate.
In order to further improve convenience and reliability of blockchain-based digital identity management, in the blockchain-based digital identity management system provided by the embodiment of the present application, if the current digital identity management step is the digital identity inquiry step, the digital identity management module 10 includes: the digital identity inquiry unit is used for executing the following contents:
Step 121: receiving a digital identity inquiry request sent by a target user in a blockchain network, wherein the digital identity inquiry request comprises: the unique identity of the target user and the zero-knowledge proof generated in advance by the target user for the identity information of the target user;
Step 122: verifying the zero-knowledge proof; if the verification of the zero-knowledge proof passes, invoking a smart contract, based on the unique identity of the target user, to query the identity credential corresponding to the target user in the blockchain;
Step 123: sending the identity credential to the target user.
In order to further improve the confidentiality, integrity, availability and attack resistance of the blockchain-based digital identity authentication and simplify the digital identity authentication process, in the blockchain-based digital identity management system provided by the embodiment of the present application, if the current digital identity management step is the digital identity authentication step, the digital identity management module 10 includes: a digital authentication unit for performing the following:
Step 131: receiving a digital authentication request for the target user in a blockchain network, wherein the digital authentication request includes: the unique identity of the target user and the identity information signature value of the target user;
Step 132: searching verification node addresses corresponding to a plurality of verification nodes pre-designated by the target user according to the unique identity of the target user;
Step 133: based on each verification node address, forwarding the digital identity verification request for the target user to each verification node pre-designated by the target user, so that each verification node calls the smart contract according to the unique identity of the target user, verifies based on the identity information signature value of the target user and the identity credential of the target user pre-stored in the blockchain, and returns the verification result data it generated;
Step 134: receiving the verification result data sent back by each verification node;
Step 135: judging whether the number of verification result data indicating that verification passed meets a preset passing threshold; if so, determining that the target user passes the digital authentication and returning a corresponding digital authentication passing message to the sender of the digital authentication request.
In order to further improve the confidentiality, integrity, availability and attack resistance of the blockchain-based digital identity revocation and simplify the digital identity revocation procedure, in the blockchain-based digital identity management system provided by the embodiment of the present application, if the current digital identity management step is the digital identity revocation step, the digital identity management module 10 includes: a first digital identity revocation unit for performing the following:
Step 141: receiving a digital identity revocation request issued by the target user in a blockchain network, wherein the digital identity revocation request comprises: the identity information signature value of the target user;
Step 142: and invoking an intelligent contract to verify based on the identity information signature value of the target user and the identity credential of the target user prestored in the blockchain, and if the verification is passed, modifying the verification state in the identity credential of the target user from data used for representing that the verification is passed to data used for representing that the identity is revoked.
In the blockchain-based digital identity management system according to the embodiment of the present application, if the current digital identity management step is the digital identity revocation step, the digital identity management module 10 includes: a second digital identity revocation unit for performing the following:
Step 151: receiving a digital identity revocation request from a target verification node in a blockchain network, wherein the digital identity revocation request comprises: a signature value of the identity information hash value; the signature value of the identity information hash value is obtained in advance by the target verification node signing the identity information hash value of the target user with the private key of the target verification node.
Step 152: verifying, based on the signature value of the identity information hash value, that the target verification node holds its private key.
Step 153: if the verification of the private key of the target verification node passes, invoking a smart contract to verify whether the target verification node is among the verification nodes specified in the identity credential of the target user prestored in the blockchain.
Step 154: if the target verification node is among the verification nodes designated by the target user, modifying the verification state in the identity credential of the target user from data representing verification passed to data representing identity revoked.
In order to further improve the real-time performance and reliability of tracking and auditing the digital identity authentication process, and further improve the convenience and transparency of digital identity management, in the blockchain-based digital identity management system provided by the embodiment of the application, the audit log entry is used to store the correspondence among the timestamp, the key event type, the hash digest of the identity information and the operator identifier of the key event.
In order to further illustrate the blockchain-based digital identity management method mentioned in the above embodiment, the present application also provides a specific application example of the blockchain-based digital identity management method for power service, referring to fig. 9, in the digital identity management system according to the present application, first, an electric power person (user) occupies a central location as an owner of a digital identity. A provider refers to an entity contracting with an electric utility company, a company or individual providing electric equipment, services, or other business transactions. In the context of the present application, the power personnel need to verify their identity through digital authentication to prove that they have access to a particular power system or resource, or to obtain services provided by a provider. The provider verifies the digital identity and qualification of the electric personnel through the digital identity management system, ensures the legitimacy and reputation of the electric personnel, and provides corresponding services and operations for the electric personnel.
In order to clearly demonstrate the working principle of the digital identity authentication system of the present application, referring to fig. 10, the flowchart not only intuitively depicts the various components of the system and their interactions, but also illustrates how the identity information of a user is securely stored and verified using blockchain technology, Ethereum smart contracts, IPFS distributed storage, and CP-ABE and AES encryption, to improve the security and efficiency of digital identity authentication.
Specifically, the specific application example of the blockchain-based digital identity management method for the power service specifically includes the following steps:
The first stage: user login and identity information submission: a carbon market participant (user for short) first logs into the system by entering a user name and password. After successful login, the user needs to submit a series of personal identity information, including but not limited to, submitting personal identity information such as name, qualification level, training records, address, etc.
Second stage: encryption and storage of identity information. Next, the system encrypts the identity information of the user using the attribute encryption algorithm CP-ABE; the advantage of this encryption is that even if the data is obtained illegally, the actual identity information cannot be read without the correct decryption key. The system then stores the encrypted information in IPFS and generates a hash that is the only path for accessing the encrypted information stored in IPFS. To further protect the identity data, the system encrypts the IPFS hash, i.e. the address where the identity information is stored, a second time.
And a third stage: registering identity information: the system stores the hash code after the secondary encryption in the blockchain to finish the registration of the user identity information. In this way, the identity information of the user is securely stored in the blockchain network.
Fourth stage: authentication request and processing: when a user needs to verify his identity, for example, when performing some operations requiring identity authentication, a verification request is sent to the system. The verification node is a preset node in the blockchain network with verification authority. The authentication state of the user is modified in the blockchain after the authentication node verifies the identity of the user, and the authentication node marks that the identity of the user is verified and is divided into two states of passing authentication and failing authentication.
Fifth stage: identity authentication request and provider query for identity credentials: the user may issue an authentication request to the provider when certain services are required. For example, when a carbon quota is purchased or a carbon neutrality service is performed through a carbon quota trader, market participants need to ensure the security and credibility of the trade through digital identity authentication. After receiving the user's request, the provider queries the blockchain for the identity credential of the user. This credential is an encrypted hash of the user identity information. The provider obtains from the blockchain the ciphertext of the IPFS address corresponding to the user identity information, then decrypts the ciphertext with the decryption key to obtain the IPFS hash code. Using the decrypted hash code, the provider obtains the ciphertext of the user identity information from IPFS, decrypts it with the CP-ABE decryption key to obtain the plaintext identity information of the user, and performs authentication. The specific authentication process may vary with the needs and specifications of the provider, but will typically include comparing the information provided by the user with information already available to the provider to confirm the identity of the user.
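The registration path of steps 111-115 and the provider-side retrieval of the fifth stage, as one added Go example that is not the patent's code. It assumes AES-256-GCM for the step 113 address wrapping, SHA-256 for the identity hash and for the derived unique identity, an in-memory content-addressed map standing in for IPFS (its addresses are hex SHA-256 values, not real CIDs), and, because the Go standard library has no CP-ABE, an AES-GCM seal under a separate attribute key as a labelled stand-in for the CP-ABE layer of step 112; a deployment would swap that one call for a real attribute-based encryption library.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"strings"
	"time"
)

// Credential is the record step 115 writes to the chain.
type Credential struct {
	UserID       string
	IdentityHash [32]byte // SHA-256 of the plaintext identity information
	NodeAddrs    []string // verification nodes designated by the user
	EncIPFSAddr  []byte   // step 113: AES-GCM wrapped IPFS address (nonce || ciphertext || tag)
	State        string
	ExpiresAt    time.Time
}

// IPFSStore stands in for IPFS: a map keyed by the hex SHA-256 of the stored bytes (a constructed scheme, not a real CID).
type IPFSStore map[string][]byte

func gcmFor(key []byte) cipher.AEAD {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic("AES key must be 16, 24 or 32 bytes: " + err.Error())
	}
	gcm, _ := cipher.NewGCM(block) // cannot fail for an AES block
	return gcm
}

// seal and unseal are AES-GCM helpers with the random nonce prepended to the ciphertext.
func seal(g cipher.AEAD, plain []byte) []byte {
	nonce := make([]byte, g.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		panic(err) // the system random source failing is not recoverable here
	}
	return g.Seal(nonce, nonce, plain, nil)
}

func unseal(g cipher.AEAD, sealed []byte) ([]byte, error) {
	n := g.NonceSize()
	if len(sealed) < n {
		return nil, errors.New("truncated ciphertext")
	}
	return g.Open(nil, sealed[:n], sealed[n:], nil)
}

// Register implements steps 111-115. attrKey stands in for the CP-ABE layer of step 112 (the
// standard library has no CP-ABE; a deployment would replace that seal with attribute-based
// encryption); addrKey is the AES key of step 113.
func Register(identityInfo []byte, nodeAddrs []string, store IPFSStore, attrKey, addrKey []byte,
	validity time.Duration, now time.Time) (*Credential, error) {
	if len(identityInfo) == 0 || len(nodeAddrs) == 0 {
		return nil, errors.New("identity information and at least one verification node are required")
	}
	identityHash := sha256.Sum256(identityInfo)
	ct := seal(gcmFor(attrKey), identityInfo) // step 112: the identity itself stays off chain
	sum := sha256.Sum256(ct)
	ipfsAddr := hex.EncodeToString(sum[:])
	store[ipfsAddr] = ct
	encAddr := seal(gcmFor(addrKey), []byte(ipfsAddr)) // step 113: wrap the IPFS address
	// Step 114: the unique identity binds the identity hash, the node list and the wrapped address.
	uid := sha256.Sum256(append(append(identityHash[:], strings.Join(nodeAddrs, "|")...), encAddr...))
	return &Credential{UserID: "uid-" + hex.EncodeToString(uid[:8]), IdentityHash: identityHash,
		NodeAddrs: nodeAddrs, EncIPFSAddr: encAddr, State: "pending", ExpiresAt: now.Add(validity)}, nil
}

// Retrieve is the provider-side path of the fifth stage: unwrap the address, fetch the ciphertext,
// decrypt it, and reject anything that does not hash to the value registered on chain.
func Retrieve(cred *Credential, store IPFSStore, attrKey, addrKey []byte) ([]byte, error) {
	addr, err := unseal(gcmFor(addrKey), cred.EncIPFSAddr)
	if err != nil {
		return nil, err
	}
	ct, ok := store[string(addr)]
	if !ok {
		return nil, errors.New("no ciphertext at the stored address")
	}
	plain, err := unseal(gcmFor(attrKey), ct)
	if err != nil {
		return nil, err
	}
	if sha256.Sum256(plain) != cred.IdentityHash {
		return nil, errors.New("retrieved identity information does not match the registered hash")
	}
	return plain, nil
}

func main() {
	store, attrKey := IPFSStore{}, []byte("constructed-attr-key-32-bytes!!!") // constructed demo keys
	addrKey := []byte("constructed-addr-key-32-bytes!!!")
	cred, _ := Register([]byte("constructed identity"), []string{"node-a"}, store, attrKey, addrKey, time.Hour, time.Now())
	plain, err := Retrieve(cred, store, attrKey, addrKey)
	fmt.Println(cred.UserID, string(plain), err)
}
```

The final hash comparison in Retrieve is what ties the off-chain ciphertext back to the on-chain credential: a provider that unwraps an address and decrypts whatever sits there still rejects the result unless it hashes to the value registered at step 115, so subst-ituted off-chain content does not pass as the registered identity.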
The key points of the blockchain-based digital identity management method provided by the application mainly comprise the following aspects:
1. The digital identity management method based on the block chain comprises the following steps: the application builds a decentralised digital identity authentication system by using the blockchain technology, and effectively solves the problems of safety risk, data leakage risk and information island effect in the traditional identity authentication system.
2. Using the Ethereum blockchain platform and smart contract technology: the application realizes the automation and decentralization of the identity authentication process by using the Ethereum platform and smart contracts, and enhances the security and credibility of the system.
3. Multilayer encryption storage mode: the application adopts the CP-ABE attribute encryption algorithm to encrypt the user identity information, and combines IPFS and AES encryption algorithms to realize multi-layer encryption storage of the user identity information and ensure the safety and privacy of data.
4. A safe and trusted identity verification process: the application realizes a safe and reliable identity authentication process. The identity authenticator (vendor) may obtain the encrypted ciphertext through the blockchain, then decrypt IPFS addresses using the decryption key to obtain the ciphertext in IPFS, and finally decrypt the user identity information using the CP-ABE decryption key.
5. Identity information sharing across institutions and organizations: the application realizes effective sharing of user identity information by using blockchain technology, avoids the information island effect, and improves the convenience and efficiency of digital identity authentication.
6. The security audit log system is introduced, key events in the identity authentication process are recorded, sensitive personal data are not involved, the security and transparency of the identity authentication are improved, and the key technical characteristics of the audit log system are as follows:
generating a hash digest of the identity information;
creating a log entry in combination with a timestamp;
recording an operator identification;
an access control mechanism that allows access only to authorized users.
These key points together constitute an efficient, secure and user-friendly digital identity management system.
Therefore, compared with the prior art, the blockchain-based digital identity management method, the blockchain-based digital identity management system, the electronic equipment and the computer-readable storage medium provided by the embodiment of the application have the following beneficial effects:
1. The safety and the credibility are improved: the application obviously improves the safety of the user identity information by adopting the blockchain technology and the multilayer encryption method, and solves the safety risk and the data leakage risk existing in the traditional identity authentication system.
2. Enhancing the convenience and efficiency of authentication: in the verification process, the encrypted ciphertext is obtained through the blockchain and the IPFS address is decrypted; after obtaining the user identity ciphertext, the provider generates a decryption key from its own attribute set to decrypt the ciphertext and obtain the user identity plaintext, which ensures secure and reliable identity verification. By using blockchain and smart contract technology, the application simplifies the authentication flow, reduces the authentication time and improves the convenience and efficiency of authentication.
3. Promoting information sharing and eliminating information islands: the application supports identity information sharing across institutions and organizations, effectively eliminates the information island effect through the authorization mechanism and the transparency of the blockchain, and promotes the circulation and use of information.
4. Enhancing transparency and user privacy protection of the system: through the security audit log system, the application provides transparency in the authentication process on the premise of not revealing personal sensitive information, and simultaneously enhances protection of user privacy.
In summary, the application provides a safe, efficient and convenient digital identity authentication solution, which is suitable for power business and other scenes requiring high-security and high-credibility identity authentication.
The embodiment of the application also provides an electronic device, which may include a processor, a memory, a receiver and a transmitter, where the processor is configured to perform the blockchain-based digital identity management method of the foregoing embodiment. The processor and the memory may be connected by a bus or in another manner, for example through a bus connection; the receiver may be connected to the processor and the memory by wire or wirelessly.
The processor may be a central processing unit (CPU). It may also be another general-purpose processor, a digital signal processor (DSP), an application-specific integrated circuit (ASIC), a field-programmable gate array (FPGA) or another programmable logic device, a discrete gate or transistor logic device, a discrete hardware component, or a combination of the above.
The memory, as a non-transitory computer-readable storage medium, may be used to store non-transitory software programs, non-transitory computer-executable programs and modules, such as the program instructions/modules corresponding to the blockchain-based digital identity management method in the embodiments of the present application. The processor executes the non-transitory software programs, instructions and modules stored in the memory to perform the various functional applications and data processing of the processor, that is, to implement the blockchain-based digital identity management method of the method embodiments above.
The memory may include a program storage area and a data storage area, where the program storage area may store an operating system and at least one application program required for a function, and the data storage area may store data created by the processor and the like. In addition, the memory may include high-speed random access memory and may also include non-transitory memory, such as at least one magnetic disk storage device, flash memory device or other non-transitory solid-state storage device. In some embodiments, the memory may optionally include memory located remotely from the processor, connectable to the processor through a network. Examples of such networks include, but are not limited to, the internet, intranets, local area networks, mobile communication networks and combinations thereof.
The one or more modules are stored in the memory that, when executed by the processor, perform the blockchain-based digital identity management method of the embodiments.
In some embodiments of the present application, a user equipment may include a processor, a memory, and a transceiver unit, which may include a receiver and a transmitter, the processor, the memory, the receiver, and the transmitter may be connected by a bus system, the memory being configured to store computer instructions, the processor being configured to execute the computer instructions stored in the memory to control the transceiver unit to transmit and receive signals.
As an implementation manner, the functions of the receiver and the transmitter in the present application may be considered to be implemented by a transceiver circuit or a dedicated chip for transceiver, and the processor may be considered to be implemented by a dedicated processing chip, a processing circuit or a general-purpose chip.
As another implementation manner, the server provided by the embodiment of the present application may be implemented with a general-purpose computer, that is, program code implementing the functions of the processor, the receiver and the transmitter is stored in the memory, and a general-purpose processor implements those functions by executing the code in the memory.
Embodiments of the present application also provide a computer-readable storage medium storing a computer program which, when executed by a processor, performs the steps of the blockchain-based digital identity management method described above. The computer-readable storage medium may be a tangible storage medium such as random access memory (RAM), memory, read-only memory (ROM), electrically programmable ROM, electrically erasable programmable ROM, registers, a floppy disk, a hard disk, a removable memory disk, a CD-ROM, or any other form of storage medium known in the art.
The embodiment of the application also provides a computer program product, which comprises a computer program, wherein the computer program is executed by a processor to realize the blockchain-based digital identity management method.
Those of ordinary skill in the art will appreciate that the various illustrative components, systems and methods described in connection with the embodiments disclosed herein can be implemented as hardware, software or a combination of both. Whether a particular implementation is hardware or software depends on the specific application of the solution and its design constraints. Skilled artisans may implement the described functionality in varying ways for each particular application, but such implementation decisions should not be interpreted as causing a departure from the scope of the present application. When implemented in hardware, it may be, for example, an electronic circuit, an application-specific integrated circuit (ASIC), suitable firmware, a plug-in, a function card or the like. When implemented in software, the elements of the application are the programs or code segments used to perform the required tasks. The program or code segments may be stored in a machine-readable medium or transmitted over a transmission medium or communication link by a data signal carried in a carrier wave.
It should be understood that the application is not limited to the particular arrangements and instrumentality described above and shown in the drawings. For the sake of brevity, a detailed description of known methods is omitted here. In the above embodiments, several specific steps are described and shown as examples. The method processes of the present application are not limited to the specific steps described and shown, but various changes, modifications and additions, or the order between steps may be made by those skilled in the art after appreciating the spirit of the present application.
In this disclosure, features that are described and/or illustrated with respect to one embodiment may be used in the same way or in a similar way in one or more other embodiments and/or in combination with or instead of the features of the other embodiments.
The above description is only of the preferred embodiments of the present application and is not intended to limit the present application, and various modifications and variations can be made to the embodiments of the present application by those skilled in the art. Any modification, equivalent replacement, improvement, etc. made within the spirit and principle of the present application should be included in the protection scope of the present application.
Claims (18)
1. A blockchain-based digital identity management method, comprising:
performing a preset digital identity management step in a blockchain network, the digital identity management step comprising at least one of a digital identity registration step, a digital identity query step, a digital identity verification step and a digital identity revocation step;
and, during execution of the digital identity management step, generating an audit log entry in real time for each key event in the digital identity management step according to a preset key event type, encrypting the audit log entry and storing it in a blockchain, so that the audit log entry can be sent, on the basis of a preset log access interface and access rules, to an authorized user who requests access to the audit log.
2. The blockchain-based digital identity management method of claim 1, wherein the digital identity registration step is implemented on the basis of a CP-ABE encryption scheme, an IPFS system and an AES encryption scheme, the digital identity query step is implemented on the basis of a zero-knowledge proof scheme, and the digital identity verification step is implemented on the basis of a plurality of distributed verification nodes in the blockchain network.
3. The blockchain-based digital identity management method of claim 2, wherein, if the current digital identity management step is the digital identity registration step, performing the preset digital identity management step in the blockchain network comprises:
receiving a digital identity registration request sent by a target user in the blockchain network, the digital identity registration request comprising the identity information of the target user and a plurality of verification nodes in the blockchain network specified by the target user;
performing CP-ABE encryption on the identity information of the target user to obtain a corresponding identity information hash value, and storing the identity information hash value in an IPFS system to obtain the IPFS address, generated and returned by the IPFS system, that uniquely corresponds to the encrypted data;
performing AES encryption on the IPFS address to obtain an encrypted IPFS address;
generating a unique identity of the target user on the basis of the identity information of the target user, the verification node addresses corresponding to the verification nodes specified by the target user, and the encrypted IPFS address;
storing the unique identity of the target user, the identity information hash value, the verification node addresses corresponding to the plurality of verification nodes specified by the target user, the encrypted IPFS address and preset supplementary information in a blockchain as the identity credential of the target user, the identity credential further comprising the current credential verification state and the credential expiration time of the identity credential.
4. The blockchain-based digital identity management method of claim 3, wherein, if the current digital identity management step is the digital identity query step, performing the preset digital identity management step in the blockchain network comprises:
receiving a digital identity query request sent by a target user in the blockchain network, the digital identity query request comprising the unique identity of the target user and a zero-knowledge proof generated in advance by the target user for the identity information of the target user;
verifying the zero-knowledge proof, and, if the zero-knowledge proof passes verification, invoking a smart contract to query the identity credential corresponding to the target user in the blockchain on the basis of the unique identity of the target user;
and sending the identity credential to the target user.
5. The blockchain-based digital identity management method of claim 3, wherein, if the current digital identity management step is the digital identity verification step, performing the preset digital identity management step in the blockchain network comprises:
receiving a digital identity verification request for the target user in the blockchain network, the digital identity verification request comprising the unique identity of the target user and the identity information signature value of the target user;
looking up, according to the unique identity of the target user, the verification node addresses corresponding to the plurality of verification nodes designated in advance by the target user;
forwarding, on the basis of each verification node address, the digital identity verification request for the target user to each verification node designated in advance by the target user, so that each verification node invokes a smart contract according to the unique identity of the target user, performs verification on the basis of the identity information signature value of the target user and the identity credential of the target user pre-stored in the blockchain, and returns the verification result data it generates;
receiving the verification result data returned by each verification node;
and judging whether the number of verification result data indicating that verification passed meets a preset passing threshold, and if so, determining that the target user passes digital identity verification and returning a corresponding digital identity verification passed message to the sender of the digital identity verification request.
6. The blockchain-based digital identity management method of claim 3, wherein, if the current digital identity management step is the digital identity revocation step, performing the preset digital identity management step in the blockchain network comprises:
receiving a digital identity revocation request issued by the target user in the blockchain network, the digital identity revocation request comprising the identity information signature value of the target user;
and invoking a smart contract to perform verification on the basis of the identity information signature value of the target user and the identity credential of the target user pre-stored in the blockchain, and, if the verification passes, changing the verification state in the identity credential of the target user from data representing that verification passed to data representing that the identity is revoked.
7. The blockchain-based digital identity management method of claim 3, wherein, if the current digital identity management step is the digital identity revocation step, performing the preset digital identity management step in the blockchain network comprises:
receiving a digital identity revocation request from a target verification node in the blockchain network, the digital identity revocation request comprising a signature value of the identity information hash value, the signature value having been obtained in advance by the target verification node signing the identity information hash value of the target user with the private key of the target verification node;
verifying the private key of the target verification node on the basis of the signature value of the identity information hash value;
if the private key of the target verification node passes verification, invoking a smart contract to check whether the target verification node is among the verification nodes specified in the identity credential of the target user pre-stored in the blockchain;
and, if the target verification node is among the verification nodes specified by the target user, changing the verification state in the identity credential of the target user from data representing that verification passed to data representing that the identity is revoked.
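To make claims 5 to 7 concrete (the threshold decision over the user-designated verification nodes, the user-initiated revocation and the node-initiated revocation), here is an added Go example written for this page; it is not code from the patent. It assumes ECDSA P-256 as the signature scheme and a user public key recorded in the credential, since the page names neither; node addresses, key material and the identity string are constructed for the demo, and the lookup of node addresses by unique identity is reduced to a field on the credential.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// Credential is the part of the on-chain identity credential these steps read.
// UserPub and the choice of ECDSA P-256 are assumptions of this example: the
// page stores an identity hash and does not name a signature scheme.
type Credential struct {
	UniqueID  string
	UserPub   *ecdsa.PublicKey
	NodeAddrs []string // verification nodes the user designated at registration
	Revoked   bool     // the credential verification state
}

// VerifyNode stands in for one designated node; Key signs its revocation requests.
type VerifyNode struct {
	Addr string
	Key  *ecdsa.PrivateKey
}

// NewKey generates a P-256 key for a user or a node.
func NewKey() *ecdsa.PrivateKey {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	return k
}

// IdentityDigest is the value both the user and a node sign over.
func IdentityDigest(identity string) []byte {
	sum := sha256.Sum256([]byte(identity))
	return sum[:]
}

// Sign produces the identity information signature value over a digest.
func Sign(k *ecdsa.PrivateKey, digest []byte) []byte {
	sig, err := ecdsa.SignASN1(rand.Reader, k, digest)
	if err != nil {
		panic(err)
	}
	return sig
}

// ThresholdVerify forwards the request to every node listed in the credential; each
// reachable node runs the contract check (not revoked, signature valid under the
// credential's key) and the request passes only if at least threshold nodes say so.
// A node absent from the nodes map is unreachable and simply casts no vote.
func ThresholdVerify(cred *Credential, nodes map[string]VerifyNode, digest, sig []byte, threshold int) (bool, int) {
	passed := 0
	for _, addr := range cred.NodeAddrs {
		if _, reachable := nodes[addr]; reachable && !cred.Revoked && ecdsa.VerifyASN1(cred.UserPub, digest, sig) {
			passed++
		}
	}
	return passed >= threshold, passed
}

// RevokeByUser: the user's own signature must verify before the state changes.
func RevokeByUser(cred *Credential, digest, sig []byte) bool {
	if !ecdsa.VerifyASN1(cred.UserPub, digest, sig) {
		return false
	}
	cred.Revoked = true
	return true
}

// RevokeByNode: the signature must verify under the node's key, and the node
// must be one the user listed in the credential; an outsider cannot revoke.
func RevokeByNode(cred *Credential, node VerifyNode, digest, sig []byte) bool {
	if !ecdsa.VerifyASN1(&node.Key.PublicKey, digest, sig) {
		return false
	}
	for _, a := range cred.NodeAddrs {
		if a == node.Addr {
			cred.Revoked = true
			return true
		}
	}
	return false
}

func main() {
	user, addrs := NewKey(), []string{"node-a", "node-b", "node-c"}
	nodes := map[string]VerifyNode{}
	for _, a := range addrs {
		nodes[a] = VerifyNode{Addr: a, Key: NewKey()}
	}
	cred := &Credential{UniqueID: "uid-demo-1", UserPub: &user.PublicKey, NodeAddrs: addrs}
	digest := IdentityDigest("alice;id=0001") // constructed identity record
	fmt.Println(ThresholdVerify(cred, nodes, digest, Sign(user, digest), 2))
}
```

ThresholdVerify counts only nodes that are reachable and return a pass, so an outage lowers the count instead of being treated as a pass, and the threshold decides whether the remaining nodes suffice. RevokeByNode checks both the signature and the node's membership in the credential's node list; the membership check is what stops a node the user never designated from revoking the credential.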
8. The blockchain-based digital identity management method of any one of claims 1 to 7, wherein the audit log entry stores the correspondence between the timestamp, the key event type, the hash digest of the identity information and the operator identifier of a key event.
9. A blockchain-based digital identity management system, comprising:
a digital identity management module, configured to perform a preset digital identity management step in a blockchain network, the digital identity management step comprising at least one of a digital identity registration step, a digital identity query step, a digital identity verification step and a digital identity revocation step;
and an audit log recording and tracing module, configured to generate, during execution of the digital identity management step, an audit log entry in real time for each key event in the digital identity management step according to a preset key event type, to encrypt the audit log entry and store it in a blockchain, so that the audit log entry can be sent, on the basis of a preset log access interface and access rules, to an authorized user who requests access to the audit log.
10. The blockchain-based digital identity management system of claim 9, wherein the digital identity registration step is implemented on the basis of CP-ABE encryption, an IPFS system and AES encryption, the digital identity query step is implemented on the basis of a zero-knowledge proof, and the digital identity verification step is implemented on the basis of a plurality of distributed verification nodes in the blockchain network.
11. The blockchain-based digital identity management system of claim 10, wherein, if the current digital identity management step is the digital identity registration step, the digital identity management module comprises a digital identity registration unit configured to perform the following:
receiving a digital identity registration request sent by a target user in the blockchain network, the digital identity registration request comprising the identity information of the target user and a plurality of verification nodes in the blockchain network specified by the target user;
performing CP-ABE encryption on the identity information of the target user to obtain a corresponding identity information hash value, and storing the identity information hash value in an IPFS system to obtain the IPFS address, generated and returned by the IPFS system, that uniquely corresponds to the encrypted data;
performing AES encryption on the IPFS address to obtain an encrypted IPFS address;
generating a unique identity of the target user on the basis of the identity information of the target user, the verification node addresses corresponding to the verification nodes specified by the target user, and the encrypted IPFS address;
storing the unique identity of the target user, the identity information hash value, the verification node addresses corresponding to the plurality of verification nodes specified by the target user, the encrypted IPFS address and preset supplementary information in a blockchain as the identity credential of the target user, the identity credential further comprising the current credential verification state and the credential expiration time of the identity credential.
12. The blockchain-based digital identity management system of claim 11, wherein, if the current digital identity management step is the digital identity query step, the digital identity management module comprises a digital identity query unit configured to perform the following:
receiving a digital identity query request sent by a target user in the blockchain network, the digital identity query request comprising the unique identity of the target user and a zero-knowledge proof generated in advance by the target user for the identity information of the target user;
verifying the zero-knowledge proof, and, if the zero-knowledge proof passes verification, invoking a smart contract to query the identity credential corresponding to the target user in the blockchain on the basis of the unique identity of the target user;
and sending the identity credential to the target user.
13. The blockchain-based digital identity management system of claim 11, wherein, if the current digital identity management step is the digital identity verification step, the digital identity management module comprises a digital identity verification unit configured to perform the following:
receiving a digital identity verification request for the target user in the blockchain network, the digital identity verification request comprising the unique identity of the target user and the identity information signature value of the target user;
looking up, according to the unique identity of the target user, the verification node addresses corresponding to the plurality of verification nodes designated in advance by the target user;
forwarding, on the basis of each verification node address, the digital identity verification request for the target user to each verification node designated in advance by the target user, so that each verification node invokes a smart contract according to the unique identity of the target user, performs verification on the basis of the identity information signature value of the target user and the identity credential of the target user pre-stored in the blockchain, and returns the verification result data it generates;
receiving the verification result data returned by each verification node;
and judging whether the number of verification result data indicating that verification passed meets a preset passing threshold, and if so, determining that the target user passes digital identity verification and returning a corresponding digital identity verification passed message to the sender of the digital identity verification request.
14. The blockchain-based digital identity management system of claim 11, wherein, if the current digital identity management step is the digital identity revocation step, the digital identity management module comprises a first digital identity revocation unit configured to perform the following:
receiving a digital identity revocation request issued by the target user in the blockchain network, the digital identity revocation request comprising the identity information signature value of the target user;
and invoking a smart contract to perform verification on the basis of the identity information signature value of the target user and the identity credential of the target user pre-stored in the blockchain, and, if the verification passes, changing the verification state in the identity credential of the target user from data representing that verification passed to data representing that the identity is revoked.
15. The blockchain-based digital identity management system of claim 11, wherein, if the current digital identity management step is the digital identity revocation step, the digital identity management module comprises a second digital identity revocation unit configured to perform the following:
receiving a digital identity revocation request from a target verification node in the blockchain network, the digital identity revocation request comprising a signature value of the identity information hash value, the signature value having been obtained in advance by the target verification node signing the identity information hash value of the target user with the private key of the target verification node;
verifying the private key of the target verification node on the basis of the signature value of the identity information hash value;
if the private key of the target verification node passes verification, invoking a smart contract to check whether the target verification node is among the verification nodes specified in the identity credential of the target user pre-stored in the blockchain;
and, if the target verification node is among the verification nodes specified by the target user, changing the verification state in the identity credential of the target user from data representing that verification passed to data representing that the identity is revoked.
16. The blockchain-based digital identity management system of any one of claims 9 to 15, wherein the audit log entry stores the correspondence between the timestamp, the key event type, the hash digest of the identity information and the operator identifier of a key event.
17. An electronic device comprising a memory, a processor, and a computer program stored on the memory and executable on the processor, wherein the processor implements the blockchain-based digital identity management method of any of claims 1 to 8 when the computer program is executed by the processor.
18. A computer readable storage medium having stored thereon a computer program, which when executed by a processor implements a blockchain-based digital identity management method according to any of claims 1 to 8.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202410821153.6A CN118869177A (en) | 2024-06-24 | 2024-06-24 | Digital identity management method, system, electronic equipment and computer readable storage medium based on blockchain |
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202410821153.6A CN118869177A (en) | 2024-06-24 | 2024-06-24 | Digital identity management method, system, electronic equipment and computer readable storage medium based on blockchain |
Publications (1)
Publication Number | Publication Date |
---|---|
CN118869177A true CN118869177A (en) | 2024-10-29 |
Family
ID=93166342
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN202410821153.6A Pending CN118869177A (en) | 2024-06-24 | 2024-06-24 | Digital identity management method, system, electronic equipment and computer readable storage medium based on blockchain |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN118869177A (en) |
Timeline
- 2024-06-24: CN202410821153.6A filed in CN, published as CN118869177A, status Pending
Similar Documents
Publication | Title |
---|---|
AU2021206913B2 (en) | Systems and methods for distributed data sharing with asynchronous third-party attestation |
US11025435B2 (en) | System and method for blockchain-based cross-entity authentication |
US10756885B2 (en) | System and method for blockchain-based cross entity authentication |
US20230120246A1 (en) | Method and system for signing and authenticating electronic documents via a signature authority which may act in concert with software controlled by the signer |
US20230299938A9 (en) | System for privacy protection during iot secure data sharing and method thereof |
EP1997271B1 (en) | Intersystem single sign-on |
US8843415B2 (en) | Secure software service systems and methods |
US7546452B2 (en) | Hardware-based credential management |
US8407477B2 (en) | Information distribution system and program for the same |
CN114008968B (en) | System, method, and storage medium for license authorization in a computing environment |
US8010786B1 (en) | Systems and methods for managing digital certificate based communications |
US20110055556A1 (en) | Method for providing anonymous public key infrastructure and method for providing service using the same |
US20070271618A1 (en) | Securing access to a service data object |
Kim et al. | Can we create a cross-domain federated identity for the industrial Internet of Things without Google? |
Aljahdali et al. | Efficient and Secure Access Control for IoT-based Environmental Monitoring |
CN118869177A (en) | Digital identity management method, system, electronic equipment and computer readable storage medium based on blockchain |
JP2007148903A (en) | Attribute certificate processing system, attribute certification request device, attribute certificate issuing device, attribute verification device, attribute certification request method, attribute certificate issuing method, attribute verification method and program |
CN114005190B (en) | Face recognition method for class attendance system |
TWM585941U (en) | Account data processing system |
CN114996770A (en) | Identity recognition method based on host management system |
Legal Events
Code | Title |
---|---|
PB01 | Publication |
SE01 | Entry into force of request for substantive examination |