本發明是有關於一種身份驗證技術,且特別是有關於一種在公開匿名環境驗證身份及保護隱私的系統與方法。The present invention relates to an authentication technique, and more particularly to a system and method for verifying identity and protecting privacy in a publicly anonymous environment.
習用於區塊鏈系統中的身份驗證與隱私防護技術,大多係在網路架構上採取權限管制的方式,即建置私有或聯盟區塊鏈,並僅允許特定權限的節點進行連接、交易、驗證或採礦等作業。封閉型的鏈結架構可保護系統用戶的隱私資訊,也可追蹤使用者的身份以達到若干法規的要求,因此目前各國的金融業者傾向於應用私有或聯盟鏈的架構。然而,這種限制存取權限的網路架構不僅犧牲了區塊鏈的公開透明特性,系統也不易擴張其應用範圍,更不能防止用戶的隱私與機密資訊被鏈內的使用者洩漏出去,所以並非完善的處理方式。Most of the authentication and privacy protection technologies used in the blockchain system adopt the method of authority control on the network architecture, that is, the establishment of a private or alliance blockchain, and only allows nodes with specific permissions to connect, trade, and Verification or mining operations. The closed-chain architecture protects the privacy information of system users and the identity of users to meet certain regulatory requirements. Therefore, financial companies in various countries tend to apply private or alliance chain architectures. However, this network architecture that restricts access rights not only sacrifices the open and transparent nature of the blockchain, but also makes it difficult for the system to expand its application scope, and it cannot prevent users' privacy and confidential information from being leaked out by users in the chain. Not a perfect treatment.
美國專利公告號US9298806 B1『System and method for analyzing transactions in a distributed ledger』係用於解決公開區塊鏈當中的身份驗證問題。此專利案係應用資料挖礦的方式,並於公開區塊鏈的所有交易紀錄當中進行使用者身份的大數據分析,藉由用戶位址在各項交易行為當中的關聯性建立起群組類別,進而推導出使用者的可能身份以達成驗證的功能。然而,這個方法除了需要耗費大量的運算資源進行各個位址的交易行為分析,其所能達成的身份驗證也屬於機率上的推測,難以確認使用者的真實身份。US Patent Publication No. US9298806 B1 "System and method for analyzing transactions in a distributed ledger" is used to solve the authentication problem in the public blockchain. This patent case is a method of applying data mining, and performs big data analysis of user identity in all transaction records of the public blockchain, and establishes group categories by the relevance of user addresses in various transaction behaviors. In turn, the user's possible identity is derived to achieve verification. However, this method requires a large amount of computing resources to analyze the transaction behavior of each address, and the authentication that can be achieved is also a probabilistic guess, and it is difficult to confirm the true identity of the user.
而美國專利公告號US9436923 B1『Tracking unitization occurring in a supply chain』利用非對稱式加密演算法的金鑰對進行區塊鏈用戶之身份驗證,並延伸應用數位簽章及資料加密至供應鏈的資源管理,以便在分散式的網路環境中達到保護隱私資訊與認證身份的功能。然而,此專利案難以聯結到使用者的真實身份,在公開區塊鏈的匿名環境中仍未能完善地處理身份驗證的問題。U.S. Patent Publication No. US9436923 B1 "Tracking unitization occurring in a supply chain" uses the key pair of the asymmetric encryption algorithm to perform identity verification of the blockchain user, and extends the application of the digital signature and data encryption to the resources of the supply chain. Manage to protect privacy information and authenticated identities in a decentralized network environment. However, this patent is difficult to link to the user's true identity, and the problem of authentication is still not fully handled in the anonymous environment of the public blockchain.
由此可見,上述習用技術仍有諸多缺失,實非一良善之設計者,而亟待加以改良。It can be seen that there are still many shortcomings in the above-mentioned conventional technology, which is not a good designer, but needs to be improved.
有鑑於此,本發明提供一種在公開匿名環境驗證身份及保護隱私的系統與方法,既可維持區塊鏈的公開及匿名特性,亦能驗證使用者的真實身份。In view of this, the present invention provides a system and method for verifying identity and protecting privacy in a public anonymous environment, which can maintain the public and anonymous characteristics of the blockchain and also verify the true identity of the user.
為達成上述發明目的,本發明提出一種在公開匿名環境驗證身份及保護隱私的方法,其適用於公開區塊鏈之環境。此方法包括下列步驟。取得註冊資訊,並驗證該註冊資訊。註冊資訊包括憑證及區塊鏈位址,且憑證紀錄身份資訊及公開金鑰。確認憑證的狀態是否為正常。若此憑證之狀態為正常,則將此註冊資訊對區塊鏈智能合約註冊以發佈到公開區塊鏈。In order to achieve the above object, the present invention proposes a method of verifying identity and protecting privacy in a publicly anonymous environment, which is applicable to the environment of a public blockchain. This method includes the following steps. Get registration information and verify the registration information. The registration information includes the voucher and the blockchain address, and the voucher records the identity information and the public key. Confirm that the status of the voucher is normal. If the status of this credential is normal, this registration information is registered with the blockchain smart contract for publication to the public blockchain.
另一方面,本發明提出一種在公開匿名環境驗證身份及保護隱私的系統,其適用於公開區塊鏈之環境中驗證身份。此系統包括客戶端設備、公開金鑰憑證機構、區塊鏈智能合約及身份註冊伺服器。客戶端設備發送註冊資訊。此註冊資訊包括憑證及區塊鏈位址,且憑證紀錄身份資訊及公開金鑰。公開金鑰憑證機構提供憑證狀態資訊。身份註冊伺服器驗證註冊資訊,透過公開金鑰憑證機構驗證憑證的狀態是否為正常。若憑證之狀態為正常,則身份註冊伺服器將註冊資訊對區塊鏈智能合約註冊以發佈到公開區塊鏈。In another aspect, the present invention provides a system for verifying identity and protecting privacy in a publicly anonymous environment that is suitable for verifying identity in an environment that exposes blockchains. This system includes client devices, public key certificate authorities, blockchain smart contracts, and identity registration servers. The client device sends the registration information. This registration information includes the voucher and the blockchain address, and the voucher records the identity information and the public key. The public key certificate authority provides voucher status information. The identity registration server verifies the registration information and verifies that the status of the credentials is normal through the public key certificate authority. If the status of the credential is normal, the identity registration server registers the information with the blockchain smart contract for publication to the public blockchain.
藉此,在應用階段中,應用系統可藉由本發明實施例在公開區塊鏈所提供的查詢驗證服務,來確認某一用戶的真實身份。因此,在公開區塊鏈的匿名環境中,本發明實施例能完善地處理身份驗證的問題。Thereby, in the application phase, the application system can confirm the true identity of a certain user by using the query verification service provided by the public blockchain in the embodiment of the present invention. Therefore, in the anonymous environment of the public blockchain, the embodiment of the present invention can perfectly handle the problem of identity verification.
為讓本發明的上述特徵和優點能更明顯易懂,下文特舉實施例,並配合所附圖式作詳細說明如下。The above described features and advantages of the invention will be apparent from the following description.
圖1所示係依據本發明一實施例說明在公開匿名環境驗證身份及保護隱私的系統之架構示意圖。此身份驗證系統1包括一或更多個客戶端設備100、公開金鑰憑證機構200、身份註冊伺服器300、區塊鏈應用系統400及區塊鏈智能合約503。FIG. 1 is a schematic diagram showing the architecture of a system for verifying identity and protecting privacy in a public anonymous environment according to an embodiment of the invention. This authentication system 1 includes one or more client devices 100, a public key voucher authority 200, an identity registration server 300, a blockchain application system 400, and a blockchain smart contract 503.
客戶端設備100可以係桌上型電腦、筆記型電腦、智慧型手機、平板電腦等各類型可連網之電子裝置。客戶端設備100紀錄有身份註冊客戶端模組104程式、憑證501、共享金鑰等相關檔案或資訊。The client device 100 can be a type of network-connectable electronic device such as a desktop computer, a notebook computer, a smart phone, or a tablet computer. The client device 100 records related files or information such as an identity registration client module 104 program, a certificate 501, a shared key, and the like.
公開金鑰憑證機構200係發行並驗證憑證的組織。憑證狀態檢查模組322係利用公開金鑰基礎建設架構(Public Key Infrastructure,PKI)所提供的線上憑證狀態協定(Online Certificate Status Protocol,OCSP)或憑證廢止清冊(Certificate revocation list,CRL)來作為憑證狀態之檢查作業。公開金鑰憑證機構200所簽發及公告的憑證501,其中的公開金鑰與個人身份資訊連結(即,憑證501紀錄身份資訊及公開金鑰)。The public key certificate authority 200 is an organization that issues and verifies the voucher. The voucher status check module 322 utilizes an online certificate status protocol (OCSP) or a certificate revocation list (CRL) provided by a public key infrastructure (PKI) as a voucher. Status check operation. The voucher 501 issued and announced by the public key voucher organization 200, wherein the public key is linked with the personal identity information (ie, the voucher 501 records the identity information and the public key).
身份註冊伺服器300可以係伺服器、工作站、桌上型電腦、筆記型電腦、等各類型可連網之電子裝置。身份註冊伺服器300包括身份註冊伺服端模組321、憑證狀態檢查模組322、區塊鏈介接模組323、定時更新狀態模組324等程式、憑證註冊資料、共享金鑰、區塊鏈帳戶資訊等相關檔案或資訊。需說明的是,各模組的運作待後續實施例詳細說明。The identity registration server 300 can be a type of network-connectable electronic device such as a server, a workstation, a desktop computer, a notebook computer, and the like. The identity registration server 300 includes an identity registration server module 321, a voucher status check module 322, a block chain interface module 323, a timing update status module 324, a voucher registration data, a shared key, and a blockchain. Relevant files or information such as account information. It should be noted that the operation of each module is described in detail in the following embodiments.
區塊鏈應用系統400屬於一應用分散式區塊鏈網路之系統,而公開區塊鏈502係指所有參與者終端都可存取所有資料並發出交易。本發明實施例係藉由區塊鏈智能合約503而在公開區塊鏈502提供身分註冊、狀態更新及身份驗證等功能。Blockchain application system 400 belongs to a system that uses a decentralized blockchain network, while public blockchain 502 refers to all participant terminals having access to all data and issuing transactions. Embodiments of the present invention provide functions such as identity registration, status update, and identity verification in the public blockchain 502 by the blockchain smart contract 503.
為了方便理解本發明實施例的操作流程,以下將舉諸多實施例詳細說明本發明實施例中於公開區塊鏈502之環境中驗證身份之方法。圖2是依據本發明一實施例說明一種註冊階段之流程圖。請參照圖2,本實施例的方法適用於圖1中身份驗證系統1中的各裝置。下文中,將搭配客戶端設備100及身份註冊伺服器300的各項元件及模組說明本發明實施例所述之方法。本方法的各個流程可依照實施情形而隨之調整,且並不僅限於此。In order to facilitate the understanding of the operation flow of the embodiment of the present invention, a method for verifying the identity in the environment of the disclosed blockchain 502 in the embodiment of the present invention will be described in detail below. 2 is a flow chart illustrating a registration phase in accordance with an embodiment of the present invention. Referring to FIG. 2, the method of this embodiment is applicable to each device in the identity verification system 1 of FIG. Hereinafter, the methods described in the embodiments of the present invention will be described in conjunction with the components and modules of the client device 100 and the identity registration server 300. The various processes of the method can be adjusted accordingly according to the implementation situation, and are not limited thereto.
客戶端設備100之身份註冊客戶端模組104先以欲註冊的區塊鏈位址組成註冊請求所需資訊,然後經由網際網路504傳送註冊請求到身份註冊伺服器300(步驟S201)。此身份註冊客戶端模組104需包括可信賴的網路元件,例如適當簽署過的Java applet或ActiveX元件。註冊時,身份註冊伺服端模組321與身份註冊客戶端模組104進行挑戰-回應協定(Challenge-response protocol)的相關程序。身份註冊伺服端模組321接收到這個註冊請求之後(步驟S202),產生隨機亂數(碼)R並計算伺服端回應碼(步驟S203),然後回應註冊請求(此回應包括伺服端回應碼)(步驟S204)。伺服端回應碼SR的計算法為:SR = Hash ( Address, Key),身份註冊伺服端模組321係利用收到的區塊鏈位址Address加上共享金鑰Key進行雜湊演算而得,Key值係身份註冊伺服端與客戶端模組321, 104所內建的共享金鑰。The identity registration client module 104 of the client device 100 first composes the information required for the registration request with the blockchain address to be registered, and then transmits the registration request to the identity registration server 300 via the Internet 504 (step S201). The identity registration client module 104 needs to include trusted network elements, such as appropriately signed Java applets or ActiveX components. At the time of registration, the identity registration server module 321 and the identity registration client module 104 perform a related procedure of a challenge-response protocol. After receiving the registration request (step S202), the identity registration server module 321 generates a random random number (code)R and calculates a server response code (step S203), and then responds to the registration request (this response includes the server response code) (Step S204). The calculation method of the server response codeSR is:SR = Hash (Address, Key) , and the identity registration server module 321 uses the received blockchain addressAddress plus the shared keyKey for hash calculation,Key The value is a shared key built into the identity registration server and the client modules 321, 104.
身份註冊客戶端模組104獲得回應之後需驗證回應資訊(步驟S205),其係計算伺服端回應碼SR是否等於Hash ( Address, Key)以驗證伺服端回應碼。伺服端回應碼通過驗證之後,則讓使用者選取欲註冊的憑證501(例如,符合X.509標準)並啟用其私密金鑰(步驟S206),接著組裝憑證501的註冊資訊及進行數位簽章(步驟S207)。此憑證501的註冊資訊至少包括但不僅限於:區塊鏈位址、憑證501、客戶端回應碼、數位簽章。而客戶端回應碼CR的算法為:CR = Hash ( R, Key),利用收到的隨機亂數R加上共享金鑰進行雜湊演算而得。客戶端設備100接著傳送憑證501之註冊資訊到身份註冊伺服器300。身份註冊伺服端模組321接收到憑證501的註冊資訊後,需驗證註冊資訊裡的客戶端回應碼及數位簽章(步驟S209)(例如,客戶端回應碼CR必須等於Hash ( R, Key)),而數位簽章則以憑證501裡的公開金鑰進行驗證。這兩項檢驗都通過以後再進入憑證狀態的檢驗流程(步驟S210),否則傳回錯誤訊息(至客戶端設備100)並結束註冊程序(步驟S213)。憑證狀態檢查模組322連線至公開金鑰憑證機構200以確認此憑證501的狀態是否為正常。After the identity registration client module 104 obtains the response, it needs to verify the response information (step S205), which is to calculate whether the server response code SR is equal toHash (Address, Key) to verify the server response code. After the server response code passes the verification, the user is allowed to select the voucher 501 to be registered (for example, conforms to the X.509 standard) and enable its private key (step S206), and then assemble the registration information of the voucher 501 and perform digital signature. (Step S207). The registration information of the voucher 501 includes at least but not limited to: a blockchain address, a voucher 501, a client response code, and a digital signature. The algorithm of the client response codeCR is:CR = Hash (R, Key) , which is obtained by using the random random numberR received and the shared key for hash calculation. The client device 100 then transmits the registration information of the credential 501 to the identity registration server 300. After receiving the registration information of the credential 501, the identity registration server module 321 needs to verify the client response code and the digital signature in the registration information (step S209) (for example, the client response code CR must be equal toHash (R, Key)) ), and the digital signature is verified by the public key in voucher 501. Both of these checks pass the verification process of the voucher status later (step S210), otherwise the error message is returned (to the client device 100) and the registration process is ended (step S213). The voucher status check module 322 is wired to the public key voucher mechanism 200 to confirm whether the status of the voucher 501 is normal.
若數位簽章通過檢驗且憑證501之狀態正常,則身份註冊伺服端模組321記錄憑證501之註冊資訊(包括憑證雜湊訊息鑑別碼、憑證簽發者、憑證到期日、憑證狀態及相對應的用戶位址等資訊)並透過區塊鏈介接模組323呼叫智能合約503而將註冊資訊註冊到公開區塊鏈502。身份註冊伺服端模組321係先解析憑證501並記錄相關的註冊資訊到資料庫,再將諸如憑證501的訊息鑑別碼、憑證簽發者、憑證到期日、憑證狀態及相對應的用戶位址等註冊資訊當作輸入參數,透過區塊鏈介接模組323呼叫區塊鏈智能合約503的註冊功能。此處憑證雜湊訊息鑑別碼係為了進一步保護用戶的隱私權,採用金鑰雜湊訊息鑑別碼(Keyed-hash message authentication code,HMAC)以防止憑證501之註冊資訊在區塊鏈智能合約503的查詢功能中被用來暴力搜尋相關的憑證。區塊鏈智能合約503的註冊功能接收到這個註冊資訊時,則以憑證501的雜湊訊息鑑別碼、憑證簽發者、憑證到期日、憑證狀態、用戶位址等作為註冊資訊發佈到公開區塊鏈502。同時,區塊鏈智能合約503也需要建立以用戶之區塊鏈位址對應到憑證資訊的對應關係(例如,檢索鍵),及以憑證雜湊訊息鑑別碼對應到用戶之區塊鏈位址的檢索鍵。若憑證501之狀態檢驗(步驟S210)不通過或以區塊鏈智能合約503註冊到公開區塊鏈502的作業(步驟S211)失敗,則傳回錯誤訊息並結束註冊程序(步驟S213)。身份註冊伺服器300等待區塊鏈智能合約503的註冊交易在公開區塊鏈502上被挖礦確認之後,再傳回註冊成功之訊息(步驟S212)至客戶端設備100。客戶端設備100則可透過顯示單元(例如,LCD、LED等顯示螢幕)顯示註冊結果訊息並結束註冊程序(步驟S214)。If the digital signature passes the verification and the status of the certificate 501 is normal, the identity registration server module 321 records the registration information of the certificate 501 (including the certificate hash message authentication code, the certificate issuer, the certificate expiration date, the voucher status, and the corresponding The information such as the user address) and the smart link 503 is called through the blockchain interface module 323 to register the registration information to the public blockchain 502. The identity registration server module 321 first parses the voucher 501 and records the relevant registration information to the database, and then the message authentication code such as the voucher 501, the voucher issuer, the voucher expiration date, the voucher status, and the corresponding user address. The registration information is used as an input parameter, and the registration function of the blockchain smart contract 503 is called through the blockchain interface module 323. Here, the voucher hash message authentication code is used to further protect the privacy of the user, and a Keyed-hash message authentication code (HMAC) is used to prevent the registration information of the voucher 501 from being queried in the blockchain smart contract 503. Used to violently search for relevant credentials. When the registration function of the blockchain smart contract 503 receives the registration information, the hash message authentication code of the voucher 501, the voucher issuer, the voucher expiration date, the voucher status, the user address, etc. are posted as registration information to the public block. Chain 502. At the same time, the blockchain smart contract 503 also needs to establish a correspondence relationship (for example, a search key) corresponding to the credential information of the user's blockchain address, and corresponding to the blockchain address of the user by the credential hash message authentication code. Search key. If the status check of the certificate 501 (step S210) does not pass or the job registered to the public blockchain 502 with the blockchain smart contract 503 fails (step S211), the error message is returned and the registration process is ended (step S213). The identity registration server 300 waits for the registration transaction of the blockchain smart contract 503 to be confirmed by the mining on the public blockchain 502, and then returns a message of successful registration (step S212) to the client device 100. The client device 100 can display the registration result message through the display unit (for example, a display screen such as an LCD or an LED) and end the registration process (step S214).
而若註冊資訊中的簽章未能通過檢驗或是憑證501的狀態為已廢止或過期等不可用的情形,則身分註冊伺服端模組321傳回註冊失敗的訊息至客戶端設備100而結束註冊程序(步驟S213)。If the signature in the registration information fails to pass the verification or the status of the certificate 501 is unavailable or expired, the identity registration server module 321 returns the registration failure message to the client device 100 and ends. The registration procedure (step S213).
另一方面,身份註冊伺服器300之定時更新狀態模組324定時執行更新憑證狀態程序,其於系統設定的時間連線到公開金鑰憑證機構200查詢已註冊之憑證501的最新狀態,此查詢及確認憑證501之狀態的作業係利用公開金鑰憑證架構所提供的憑證狀態協定(OCSP)或憑證廢止清冊(CRL)來達成。當偵測到已註冊的憑證501之狀態有所改變時,憑證狀態檢查模組322透過區塊鏈介接模組323利用區塊鏈智能合約503將憑證501的狀態資訊更新到公開區塊鏈502當中。On the other hand, the timing update status module 324 of the identity registration server 300 periodically executes an update voucher status program, which is connected to the public key voucher authority 200 to query the latest status of the registered voucher 501 at the time set by the system. And the operation of confirming the status of the voucher 501 is achieved by using the Voucher Status Agreement (OCSP) or the Credential Revocation List (CRL) provided by the public key voucher architecture. When it is detected that the status of the registered certificate 501 has changed, the voucher status check module 322 updates the status information of the voucher 501 to the public blockchain through the blockchain interface module 323 by using the blockchain smart contract 503. 502.
成功完成註冊程序後,區塊鏈位址與憑證即產生關聯,使後續應用中可供交易雙方驗證真實身份。例如,透過區塊鏈智能合約503之身份驗證功能,回應於以一區塊鏈位址為參數之查詢作業請求(例如,交易、投票等應用),驗證此區塊鏈位址所註冊之憑證501。Upon successful completion of the registration process, the blockchain address is associated with the voucher, enabling subsequent parties to verify the true identity of the transaction. For example, through the identity verification function of the blockchain smart contract 503, in response to a query job request (for example, transaction, voting, etc.) with a blockchain address as a parameter, verify the certificate registered by the blockchain address. 501.
舉例而言,圖3係依據本發明一實施例說明在公開匿名環境驗證身份及保護隱私的應用例流程圖。假設一情境為公開區塊鏈502的電子投票系統(亦即,區塊鏈應用系統400),投票者透過客戶端設備100與區塊鏈應用系統400呼叫處理選票的區塊鏈智能合約503進行投票作業,投票的區塊鏈智能合約503接受投票請求(步驟S301),然後以投票者的區塊鏈位址103呼叫身份的區塊鏈智能合約503。身份的區塊鏈智能合約503則以此區塊鏈位址103查詢已註冊的憑證501相關資訊並傳回查詢結果(步驟S303)。投票的區塊鏈智能合約503收到回傳結果後檢查憑證501的註冊資訊(步驟S304),區塊鏈應用系統400驗證此憑證501的簽發者、到期日、狀態等資訊符合投票系統對身份驗證的要求(例如,簽發者是否正確、有無超過憑證501的到期日、憑證501之狀態是否正常可用等程序),註冊資訊的驗證通過之後,檢查投票者的憑證雜湊訊息鑑別碼以確認此憑證501是否已投票(步驟S305),可避免多位址灌票的情形。之後,投票的區塊鏈智能合約503紀錄此憑證501的金鑰雜湊訊息鑑別碼(HMAC)值(步驟S306)並登記投票數(步驟S307),再傳回成功訊息即能完成投票作業。反之,若註冊資訊的檢驗不通過或是此憑證501已投過票,就傳回錯誤訊息並結束投票程序(步驟S308)。For example, FIG. 3 is a flow chart illustrating an application example for verifying identity and protecting privacy in a public anonymous environment according to an embodiment of the invention. Assuming that the context is an electronic voting system that exposes the blockchain 502 (i.e., the blockchain application system 400), the voter performs a blockchain smart contract 503 through the client device 100 and the blockchain application system 400 to process the ballot. In the voting operation, the voting blockchain smart contract 503 accepts the voting request (step S301), and then calls the identity blockchain smart contract 503 with the voter's blockchain address 103. The identity blockchain smart contract 503 queries the registered credential 501 related information with the blockchain address 103 and returns the query result (step S303). The voted blockchain smart contract 503 checks the registration information of the voucher 501 after receiving the return result (step S304), and the blockchain application system 400 verifies that the issuer, expiration date, status, and the like of the voucher 501 are in accordance with the voting system. The authentication request (for example, whether the issuer is correct, whether the expiration date of the voucher 501 is exceeded, whether the status of the voucher 501 is normally available, etc.), after the verification of the registration information is passed, the voter's voucher message authentication code is checked to confirm Whether or not this voucher 501 has been voted (step S305) can avoid the situation of multi-address filling. Thereafter, the voted blockchain smart contract 503 records the key hash message authentication code (HMAC) value of the voucher 501 (step S306) and registers the vote number (step S307), and returns the success message to complete the voting operation. On the other hand, if the verification of the registration information does not pass or the voucher 501 has voted, the error message is returned and the voting process is ended (step S308).
又例如區塊鏈應用系統400在公開區塊鏈502進行金融交易時,可利用區塊鏈智能合約503之查詢服務來驗證交易雙方具有憑證501所代表的真實身分,從而達到金融業認識您的客戶(KYC)確認客戶身分的要求。此外本發明實施例也可於交易雙方使用其他管道互換憑證501之後提供驗證服務,輸入憑證501的雜湊值並由區塊鏈智能合約503查出相對應的用戶區塊鏈位址,讓區塊鏈應用系統400能夠在公開區塊鏈502中結合數位簽章及信封等密碼技術進行更安全的網路交易。For example, when the blockchain application system 400 performs the financial transaction in the public blockchain 502, the query service of the blockchain smart contract 503 can be used to verify that the two parties have the true identity represented by the voucher 501, thereby reaching the financial industry to know you. The customer (KYC) confirms the customer's identity requirements. In addition, the embodiment of the present invention may also provide a verification service after the transaction parties use other pipe interchange voucher 501, input the hash value of the voucher 501, and find the corresponding user blockchain address by the blockchain smart contract 503, and let the block Chain application system 400 is capable of more secure network transactions in public blockchain 502 in conjunction with cryptographic techniques such as digital signatures and envelopes.
需說明的是,本發明實施例中所註冊的憑證501與區塊鏈位址103,兩者屬於多對多的關係,即一個憑證可註冊多個區塊鏈位址,而一個區塊鏈位址也可以註冊多個不同簽發體系的憑證。身份驗證系統1則需設定可註冊的位址或憑證對應數目之上限,於記錄憑證註冊資訊(步驟S211)的流程中加以檢查及限制。It should be noted that the voucher 501 and the blockchain address 103 registered in the embodiment of the present invention belong to a many-to-many relationship, that is, one voucher can register multiple blockchain addresses, and one blockchain. The address can also register credentials for multiple different issuance systems. The authentication system 1 needs to set an upper limit of the address address or the corresponding number of the voucher, and checks and limits the process of recording the voucher registration information (step S211).
而關於區塊鏈智能合約503的設計,其權限管理機制須確保註冊與更新憑證狀態的功能僅由合約的管理者來執行,但查詢功能則無需限制。註冊時區塊鏈智能合約503建立憑證501之註冊資訊與用戶區塊鏈位址的對應關係,並建立憑證雜湊訊息鑑別碼與用戶區塊鏈位址的對應關係。區塊鏈智能合約503的依憑證雜湊值查詢用戶區塊鏈位址功能,在收到憑證雜湊值的輸入參數時,先以此雜湊值計算出憑證的金鑰雜湊訊息鑑別碼(HMAC),係採用與身份註冊伺服端同樣的HMAC計算方式,然後再透過註冊時建立的檢索鍵查出相對應的區塊鏈位址。而為了避免區塊鏈智能合約503中以憑證雜湊值查詢位址的功能,被以暴力搜尋方式不當查詢所有憑證的相對應位址,而可能損及區塊鏈用戶的隱私權,區塊鏈智能合約503的這項查詢功能應加上限制條件,例如:查詢者的位址必須已通過憑證註冊程序、一定時間內允許查詢的次數等,以防止上述不當查詢的情形。With regard to the design of the blockchain smart contract 503, its rights management mechanism must ensure that the function of registering and updating the voucher status is performed only by the contract manager, but the query function is not limited. The registration blockchain smart contract 503 establishes the correspondence between the registration information of the voucher 501 and the user blockchain address, and establishes the correspondence between the voucher hash message authentication code and the user blockchain address. The blockchain smart contract 503 queries the user blockchain address function according to the voucher hash value. When receiving the input parameter of the voucher hash value, the hash key authentication code (HMAC) of the voucher is calculated by using the hash value. The HMAC calculation method is used in the same manner as the identity registration server, and then the corresponding blockchain address is detected through the search key established at the time of registration. In order to avoid the function of querying the address by the voucher hash value in the blockchain smart contract 503, the corresponding address of all the voucher is improperly searched by violent search, which may damage the privacy of the blockchain user, blockchain The query function of the smart contract 503 should be subject to restrictions, for example, the address of the querier must have passed the voucher registration procedure, the number of times the query is allowed for a certain period of time, etc., to prevent the above-mentioned improper query.
特點及功效Features and effects
本發明實施例所提供之在公開匿名環境驗證身份及保護隱私的系統與方法,與其他習用技術相互比較時,更具有下列之優點:The system and method for verifying identity and protecting privacy in a public anonymous environment provided by the embodiments of the present invention have the following advantages when compared with other conventional technologies:
習用技術常在網路架構採取權限管制以建置私有或聯盟區塊鏈,如此便犧牲了區塊鏈的公開透明及匿名等特性,系統較不易擴張其應用範圍,也不能防止用戶的隱私與機密資訊被鏈內的使用者洩漏出去。反觀本發明實施例,可在維持區塊鏈的公開及匿名特性下驗證真實身份及保護機密。Conventional technology often adopts permission control in the network architecture to build a private or alliance blockchain, thus sacrificing the characteristics of openness and anonymity of the blockchain. The system is not easy to expand its application scope, nor can it prevent user privacy and Confidential information is leaked out by users in the chain. In contrast, embodiments of the present invention can verify real identity and protect confidentiality while maintaining the open and anonymous nature of the blockchain.
相較於採用大數據分析來推導用戶可能身份的技術,本發明實施例不需耗費大量的運算資源進行交易的分析,且能夠確認使用者的真實身份。Compared with the technique of using big data analysis to derive the user's possible identity, the embodiment of the present invention does not require a large amount of computing resources to perform transaction analysis, and can confirm the true identity of the user.
本發明實施例利用公開金鑰基礎建設的憑證信任架構,可驗證使用者的真實身份,讓應用系統能夠在公開區塊鏈中結合數位簽章及信封等密碼技術進行更安全的網路交易。The embodiment of the present invention utilizes the credential trust architecture of the public key infrastructure to verify the true identity of the user, and enables the application system to combine the digital signature and envelope and other cryptographic techniques for more secure online transactions in the public blockchain.
雖然本發明已以實施例揭露如上,然其並非用以限定本發明,任何所屬技術領域中具有通常知識者,在不脫離本發明的精神和範圍內,當可作些許的更動與潤飾,故本發明的保護範圍當視後附的申請專利範圍所界定者為準。Although the present invention has been disclosed in the above embodiments, it is not intended to limit the present invention, and any one of ordinary skill in the art can make some changes and refinements without departing from the spirit and scope of the present invention. The scope of the invention is defined by the scope of the appended claims.
1‧‧‧身份驗證系統1‧‧‧Identity verification system
100‧‧‧客戶端設備100‧‧‧Client equipment
104‧‧‧身份註冊客戶端模組104‧‧‧ Identity Registration Client Module
200‧‧‧公開金鑰憑證機構200‧‧‧ Public Key Voucher Agency
300‧‧‧身份註冊伺服器300‧‧‧identity registration server
321‧‧‧身份註冊伺服端模組321‧‧‧identity registration server module
322‧‧‧憑證狀態檢查模組322‧‧‧Voucher Status Check Module
323‧‧‧區塊鏈介接模組323‧‧‧block chain interface module
324‧‧‧定時更新狀態模組324‧‧‧Timed update status module
400‧‧‧區塊鏈應用系統400‧‧‧ Blockchain Application System
501‧‧‧憑證501‧‧‧Voucher
502‧‧‧公開區塊鏈502‧‧ ‧ public blockchain
503‧‧‧區塊鏈智能合約503‧‧‧ Blockchain Smart Contract
504‧‧‧網際網路504‧‧‧Internet
S201~S214、S301~S308‧‧‧步驟S201~S214, S301~S308‧‧‧ steps
圖1係依據本發明一實施例說明在公開匿名環境驗證身份及保護隱私的系統之架構示意圖; 圖2係依據本發明一實施例說明一種註冊階段之流程圖; 圖3係依據本發明一實施例說明在公開匿名環境驗證身份及保護隱私的應用例流程圖。1 is a schematic structural diagram of a system for verifying identity and protecting privacy in a public anonymous environment according to an embodiment of the present invention; FIG. 2 is a flowchart illustrating a registration phase according to an embodiment of the present invention; FIG. 3 is an embodiment of the present invention. For example, a flow chart of an application example for verifying identity and protecting privacy in a public anonymous environment is described.
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| TW106123596ATWI661331B (en) | 2017-07-14 | 2017-07-14 | System and method for identity verification and privacy protection in public blockchain |
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| TW106123596ATWI661331B (en) | 2017-07-14 | 2017-07-14 | System and method for identity verification and privacy protection in public blockchain |
| Publication Number | Publication Date |
|---|---|
| TW201909013Atrue TW201909013A (en) | 2019-03-01 |
| TWI661331B TWI661331B (en) | 2019-06-01 |
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| TW106123596ATWI661331B (en) | 2017-07-14 | 2017-07-14 | System and method for identity verification and privacy protection in public blockchain |
| Country | Link |
|---|---|
| TW (1) | TWI661331B (en) |
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN110958253A (en)* | 2019-12-05 | 2020-04-03 | 全链通有限公司 | Electronic voting method, device and storage medium based on block chain |
| TWI695608B (en)* | 2019-06-21 | 2020-06-01 | 中華電信股份有限公司 | Verification system and method based on mobile network address |
| CN111683083A (en)* | 2020-06-05 | 2020-09-18 | 成都质数斯达克科技有限公司 | Block chain user identity authentication method, device, equipment and medium |
| TWI724813B (en)* | 2019-08-30 | 2021-04-11 | 開曼群島商創新先進技術有限公司 | Transaction scheduling method and device |
| TWI755210B (en)* | 2020-12-22 | 2022-02-11 | 天宿智能科技股份有限公司 | Anonymous disclosure and many-to-many recognition system based on blockchain and allowing identity confirmation and method thereof |
| CN115314219A (en)* | 2022-08-03 | 2022-11-08 | 网易(杭州)网络有限公司 | Method, device, equipment and storage medium for voting in block chain |
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| US20160321435A1 (en)* | 2015-05-01 | 2016-11-03 | Monegraph, Inc. | Managing digital content via block chain registers |
| CN106533696B (en)* | 2016-11-18 | 2019-10-01 | 江苏通付盾科技有限公司 | Identity identifying method, certificate server and user terminal based on block chain |
| TWM543413U (en)* | 2016-12-05 | 2017-06-11 | Taiwan United Financial Technology Co Ltd | Web lending platform using technology of blockchain for deal |
| CN106934619B (en)* | 2017-03-13 | 2021-07-06 | 杭州复杂美科技有限公司 | Transaction recording method and system |
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| TWI695608B (en)* | 2019-06-21 | 2020-06-01 | 中華電信股份有限公司 | Verification system and method based on mobile network address |
| TWI724813B (en)* | 2019-08-30 | 2021-04-11 | 開曼群島商創新先進技術有限公司 | Transaction scheduling method and device |
| CN110958253A (en)* | 2019-12-05 | 2020-04-03 | 全链通有限公司 | Electronic voting method, device and storage medium based on block chain |
| CN111683083A (en)* | 2020-06-05 | 2020-09-18 | 成都质数斯达克科技有限公司 | Block chain user identity authentication method, device, equipment and medium |
| CN111683083B (en)* | 2020-06-05 | 2022-07-08 | 成都质数斯达克科技有限公司 | Block chain user identity authentication method, device, equipment and medium |
| TWI755210B (en)* | 2020-12-22 | 2022-02-11 | 天宿智能科技股份有限公司 | Anonymous disclosure and many-to-many recognition system based on blockchain and allowing identity confirmation and method thereof |
| CN115314219A (en)* | 2022-08-03 | 2022-11-08 | 网易(杭州)网络有限公司 | Method, device, equipment and storage medium for voting in block chain |
| CN115314219B (en)* | 2022-08-03 | 2025-09-05 | 网易(杭州)网络有限公司 | Method, device, equipment and storage medium for voting in blockchain |
| Publication number | Publication date |
|---|---|
| TWI661331B (en) | 2019-06-01 |
| Publication | Publication Date | Title |
|---|---|---|
| US12309296B2 (en) | Systems and methods for notary agent for public key infrastructure names | |
| US11924358B2 (en) | Method for issuing digital certificate, digital certificate issuing center, and medium | |
| Chen et al. | XAuth: Efficient privacy-preserving cross-domain authentication | |
| CN111213147B (en) | Systems and methods for blockchain-based cross-entity authentication | |
| CN114586315B (en) | Systems, methods, and computer readable media for decentralised data authentication | |
| CN110569674B (en) | Authentication method and device based on block chain network | |
| US10664577B2 (en) | Authentication using delegated identities | |
| TWI661331B (en) | System and method for identity verification and privacy protection in public blockchain | |
| CN111316303A (en) | System and method for block chain based cross entity authentication | |
| WO2020073513A1 (en) | Blockchain-based user authentication method and terminal device | |
| CN111212095A (en) | Authentication method, server, client and system for identity information | |
| CN109687965B (en) | A real-name authentication method for protecting user identity information in the network | |
| Li et al. | Decentralized public key infrastructures atop blockchain | |
| Garba et al. | LightLedger: A novel blockchain-based domain certificate authentication and validation scheme | |
| CN111651794A (en) | Alliance chain-based electronic data management method and device and storage medium | |
| CN114760071B (en) | Zero-knowledge proof based cross-domain digital certificate management method, system and medium | |
| EP3883204B1 (en) | System and method for secure generation, exchange and management of a user identity data using a blockchain | |
| CN114444134A (en) | Data use authorization method, system and device | |
| CN111460457A (en) | Real estate property registration supervision method, device, electronic equipment and storage medium | |
| CN105978855A (en) | System and method for protecting personal information security in real-name system | |
| WO2019198131A1 (en) | Authentication system and authentication program | |
| CN118611919A (en) | A system and method for secure sharing of identity resolution data based on optimized Shiro framework | |
| CN118764212A (en) | Anonymous identity authentication method, system and product based on group signature and blockchain | |
| US20240143730A1 (en) | Multi-factor authentication using blockchain | |
| WO2019198130A1 (en) | Authentication system and authentication program |