Digital identity management method, platform, device, electronic equipment and storage medium

Document number: 190853 Publication date: 2021-11-02

Reading note: the technology Digital identity management method, platform, device, electronic equipment and storage medium (数字身份管理方法、平台、装置、电子设备和存储介质) was designed and created by 李�杰, 郭玮 and 时宝旭 on 2021-08-10. Abstract: the application provides a digital identity management method, platform, apparatus, electronic device and computer storage medium. The method runs on the client of the digital identity owner and comprises: acquiring identity information input by a user for creating a digital identity; determining, according to an asymmetric encryption algorithm, a public-private key pair for encrypting the identity information; encrypting the identity information with the public key of the pair to generate identity identification information; and storing the identity identification information in a distributed ledger system, so as to address the low security of current digital identities.

1. A digital identity management method, applied to a client of a digital identity owner, comprising the following steps:

acquiring identity information input by a user for creating a digital identity;

determining, according to an asymmetric encryption algorithm, a public-private key pair for encrypting the identity information;

encrypting the identity information with the public key of the public-private key pair to generate identity identification information;

and storing the identity identification information in a distributed ledger system.

2. The method of claim 1, wherein after storing the identity identification information in the distributed ledger system, the method further comprises:

determining a first sub public-private key pair according to an asymmetric encryption algorithm;

encrypting identity information to be certified with the first sub public key of the first sub public-private key pair to generate identity identification information to be certified, and storing the identity identification information to be certified in the distributed ledger system, wherein the identity information to be certified is the part of the identity information that a certification authority requires during certification together with the part that is to be certified;

and sending a first distributed ledger ID and the first sub private key of the first sub public-private key pair to the certification authority, so that the certification authority acquires the identity identification information to be certified from the distributed ledger system according to the first distributed ledger ID and decrypts it with the first sub private key to obtain the identity information to be certified.

3. The method of claim 2, wherein the first sub private key has a usage time limit or a usage count limit.

4. The method of claim 1, further comprising:

obtaining an authorization request sent by a digital identity user, wherein the authorization request comprises an identifier corresponding to identity information to be authorized of the digital identity user, and the identity information to be authorized is the part of the identity information that the digital identity user needs to use;

determining a second sub public-private key pair according to an asymmetric encryption algorithm;

encrypting the identity information to be authorized with the second sub public key of the second sub public-private key pair to generate identity identification information to be authorized, and storing the identity identification information to be authorized in the distributed ledger system;

and sending a second distributed ledger ID and the second sub private key of the second sub public-private key pair to the digital identity user, so that the digital identity user acquires the identity identification information to be authorized from the distributed ledger system according to the second distributed ledger ID and decrypts it with the second sub private key to obtain the identity information to be authorized.

5. The method of claim 4, wherein the second sub private key has a usage time limit or a usage count limit.

6. The method of claim 1, further comprising:

determining a number of copies of the identity identification information according to the network performance, storage capacity and node count of the distributed ledger system;

and storing that number of copies of the identity identification information on a plurality of nodes of the distributed ledger system.

7. A digital identity management platform, connected to a client of a digital identity owner and configured to receive identity information sent by the client of the digital identity owner and to store it in a distributed ledger system.

8. A digital identity management apparatus, applied to a client of a digital identity owner, comprising the following modules:

an acquisition module, configured to acquire identity information input by a user for creating a digital identity;

a key determination module, configured to determine, according to an asymmetric encryption algorithm, a public-private key pair for encrypting the identity information;

a generation module, configured to encrypt the identity information with the public key of the public-private key pair to generate identity identification information;

and a storage module, configured to store the identity identification information in a distributed ledger system.

9. An electronic device, comprising a processor, a memory and a bus, wherein the processor and the memory communicate with each other through the bus, and the memory stores program instructions executable by the processor, the processor invoking the program instructions to perform the method of any one of claims 1-6.

10. A computer storage medium having computer program instructions stored thereon that, when read and executed by a computer, perform the method of any one of claims 1-6.

Technical Field

The present application relates to the field of information security technologies, and in particular, to a digital identity management method, a digital identity management platform, a digital identity management apparatus, an electronic device, and a computer storage medium.

Background

With the advent of the internet, paper materials are gradually being transformed into electronic information, and the documents that certify a person's identity are likewise being transformed from paper into electronic information, that is, digital identities. A digital identity is the identification of a user's identity on the internet and is used to provide the identity owner's social identity information and related behavioral data to relevant persons, units and organizations.

At present, a user's digital identity on the internet is generally managed by a digital identity service provider, which stores the user's identity information centrally on its servers. Management in this manner leads to a high concentration of user information and a tendency toward monopoly, and once user data is leaked, users suffer significant loss; its security is therefore low.

Disclosure of Invention

An embodiment of the present application provides a digital identity management method, a digital identity management platform, a digital identity management apparatus, an electronic device, and a computer storage medium, so as to solve the problem of low security of the current digital identity.

In a first aspect, the present invention provides a digital identity management method, applied to a client of a digital identity owner, including: acquiring identity information input by a user for creating a digital identity; determining, according to an asymmetric encryption algorithm, a public-private key pair for encrypting the identity information; encrypting the identity information with the public key of the public-private key pair to generate identity identification information; and storing the identity identification information in a distributed ledger system.

In this embodiment, the user's identity information is encrypted with the asymmetric algorithm to generate identity identification information, which is then stored in the distributed ledger system. The properties of the asymmetric encryption algorithm, the decentralized nature of the distributed ledger system and the fact that the stored identity identification information cannot be tampered with greatly improve the security of the user's digital identity.

In an optional embodiment, after storing the identity identification information in the distributed ledger system, the method further comprises: determining a first sub public-private key pair according to an asymmetric encryption algorithm; encrypting identity information to be certified with the first sub public key of the first sub public-private key pair to generate identity identification information to be certified, and storing it in the distributed ledger system, where the identity information to be certified is the part of the identity information that a certification authority requires during certification together with the part that is to be certified; and sending a first distributed ledger ID and the first sub private key of the first sub public-private key pair to the certification authority, so that the certification authority acquires the identity identification information to be certified from the distributed ledger system according to the first distributed ledger ID and decrypts it with the first sub private key to obtain the identity information to be certified.

In this embodiment, the identity information to be certified is encrypted with the first sub public key to generate identity identification information to be certified, which is stored in the distributed ledger system, and the first sub private key is sent to the certification authority so that it can decrypt that identity identification information and complete the certification. Moreover, the certification authority obtains only the identity information to be certified and not the whole of the identity information, which reduces the risk of the user's identity information being disclosed.

In an alternative embodiment, the first sub private key has a usage time limit or a usage count limit.

In this embodiment, by limiting the number of uses or the usage period of the first sub private key, even if the first sub private key is leaked, other persons or organizations can no longer use it to decrypt the identity identification information to be certified, which improves the security of the identity information to be certified.

In an alternative embodiment, the method further comprises: obtaining an authorization request sent by a digital identity user, where the authorization request comprises an identifier corresponding to identity information to be authorized of the digital identity user, and the identity information to be authorized is the part of the identity information that the digital identity user needs to use; determining a second sub public-private key pair according to an asymmetric encryption algorithm; encrypting the identity information to be authorized with the second sub public key of the second sub public-private key pair to generate identity identification information to be authorized, and storing it in the distributed ledger system; and sending a second distributed ledger ID and the second sub private key of the second sub public-private key pair to the digital identity user, so that the digital identity user acquires the identity identification information to be authorized from the distributed ledger system according to the second distributed ledger ID and decrypts it with the second sub private key to obtain the identity information to be authorized.

In this embodiment, the identity information to be authorized is encrypted with the second sub public key to generate identity identification information to be authorized, which is stored in the distributed ledger system, and the second sub private key is sent to the digital identity user so that it can decrypt that identity identification information and obtain the identity information to be authorized. Moreover, the digital identity user obtains only the identity information to be authorized and not the whole of the identity information, which reduces the risk of the user's identity information being disclosed.

In an alternative embodiment, the second sub private key has a usage time limit or a usage count limit.

In this embodiment, by limiting the number of uses or the usage period of the second sub private key, even if the second sub private key is leaked, other persons or organizations can no longer use it to decrypt the identity identification information to be authorized, which improves the security of the identity information to be authorized.

In an alternative embodiment, the method further comprises: determining a number of copies of the identity identification information according to the network performance, storage capacity and node count of the distributed ledger system; and storing that number of copies of the identity identification information on a plurality of nodes of the distributed ledger system.

In this embodiment, the number of copies is determined first and that many copies of the identity identification information are then stored on nodes of the distributed ledger system, so that even if a node of the distributed ledger system fails, the identity identification information can still be obtained from other nodes, which improves its availability and security.

In a second aspect, the present invention provides a digital identity management platform, which is connected to a client of a digital identity owner and is configured to receive identity information sent by the client of the digital identity owner and to store it in a distributed ledger system.

In a third aspect, the present invention provides a digital identity management apparatus, applied to a client of a digital identity owner, including: an acquisition module, configured to acquire identity information input by a user for creating a digital identity; a key determination module, configured to determine, according to an asymmetric encryption algorithm, a public-private key pair for encrypting the identity information; a generation module, configured to encrypt the identity information with the public key of the public-private key pair to generate identity identification information; and a storage module, configured to store the identity identification information in a distributed ledger system.

In an alternative embodiment, the key determination module is further configured to determine a first sub public-private key pair according to an asymmetric encryption algorithm; the generation module is further configured to encrypt identity information to be certified with the first sub public key of the first sub public-private key pair to generate identity identification information to be certified, where the identity information to be certified is the part of the identity information that a certification authority requires during certification together with the part that is to be certified; the storage module is further configured to store the identity identification information to be certified in the distributed ledger system; and the apparatus further comprises a sending module, configured to send a first distributed ledger ID and the first sub private key of the first sub public-private key pair to the certification authority, so that the certification authority acquires the identity identification information to be certified from the distributed ledger system according to the first distributed ledger ID and decrypts it with the first sub private key to obtain the identity information to be certified.

In an alternative embodiment, the first sub private key has a usage time limit or a usage count limit.

In an optional embodiment, the acquisition module is further configured to obtain an authorization request issued by a digital identity user, where the authorization request includes an identifier corresponding to identity information to be authorized of the digital identity user, and the identity information to be authorized is the part of the identity information that the digital identity user needs to use; the key determination module is further configured to determine a second sub public-private key pair according to an asymmetric encryption algorithm; the generation module is further configured to encrypt the identity information to be authorized with the second sub public key of the second sub public-private key pair to generate identity identification information to be authorized; the storage module is further configured to store the identity identification information to be authorized in the distributed ledger system; and the sending module is further configured to send a second distributed ledger ID and the second sub private key of the second sub public-private key pair to the digital identity user, so that the digital identity user acquires the identity identification information to be authorized from the distributed ledger system according to the second distributed ledger ID and decrypts it with the second sub private key to obtain the identity information to be authorized.

In an alternative embodiment, the second sub private key has a usage time limit or a usage count limit.

In an alternative embodiment, the apparatus further comprises a copy number determination module, configured to determine a number of copies of the identity identification information according to the network performance, storage capacity and node count of the distributed ledger system; and the storage module is further configured to store that number of copies of the identity identification information on a plurality of nodes of the distributed ledger system.

In a fourth aspect, the present invention provides an electronic device comprising a processor, a memory and a bus, wherein the processor and the memory communicate with each other through the bus, and the memory stores program instructions executable by the processor, the processor invoking the program instructions to perform the method of any one of the preceding embodiments.

In a fifth aspect, the present invention provides a computer storage medium having stored thereon computer program instructions which, when read and executed by a computer, perform the method of any of the preceding embodiments.

Drawings

In order to more clearly illustrate the technical solutions of the embodiments of the present application, the drawings that are required to be used in the embodiments of the present application will be briefly described below, it should be understood that the following drawings only illustrate some embodiments of the present application and therefore should not be considered as limiting the scope, and that those skilled in the art can also obtain other related drawings based on the drawings without inventive efforts.

Fig. 1 is a schematic structural diagram of a digital identity management system according to an embodiment of the present application;

fig. 2 is a flowchart of a digital identity management method according to an embodiment of the present application;

fig. 3 is a block diagram illustrating a digital identity management apparatus according to an embodiment of the present disclosure;

fig. 4 is a schematic structural diagram of an electronic device according to an embodiment of the present application.

Reference numerals: 100 digital identity management system; 101 digital identity management platform; 102 client of a digital identity owner; 300 digital identity management apparatus; 301 acquisition module; 302 key determination module; 303 generation module; 304 storage module; 305 sending module; 306 copy number determination module; 400 electronic device; 401 processor; 402 communication interface; 403 memory; 404 bus.

Detailed Description

The technical solutions in the embodiments of the present application will be described below with reference to the drawings in the embodiments of the present application.

Distributed ledger technology (DLT) is a technology and protocol for sharing, replicating and synchronizing data among the members of a network. In essence it is a database of assets that can be shared across multiple sites, geographic locations or institutions, and every participant in the network can obtain a copy of the single authoritative ledger.

Asymmetric encryption algorithm: two keys are required, a public key and a private key, which form a pair; data encrypted with the public key can be decrypted only with the corresponding private key. Because encryption and decryption use two different keys, the algorithm is called asymmetric.

Based on this, the applicant thinks that the distributed ledger technology and the asymmetric encryption algorithm can be applied to the management process of the digital identity, thereby solving the problem of low security of the current digital identity. Therefore, the present application provides a digital identity management method, a digital identity management platform, a digital identity management apparatus, an electronic device, and a computer storage medium, so as to solve the problem of low security of the current digital identity.

Referring to fig. 1, fig. 1 is a schematic structural diagram of a digital identity management system according to an embodiment of the present application. The digital identity management system 100 comprises a digital identity management platform 101 and at least one client 102 of a digital identity owner, where each digital identity owner corresponds to one client and the digital identity management platform 101 is connected to the client 102 of the digital identity owner.

For ease of understanding of the scheme, the working of the digital identity management platform 101 and the client 102 of the digital identity owner in the digital identity management system 100 is described below.

Referring to fig. 2, fig. 2 is a flowchart of a digital identity management method according to an embodiment of the present disclosure, the digital identity management method is applied to a client 102 of a digital identity owner, and the method may include the following steps:

step 101: acquiring identity information which is input by a user and used for creating a digital identity;

step 102: determining a public and private key pair for encrypting identity information according to an asymmetric encryption algorithm;

step 103: encrypting the identity information according to a public key in a public and private key pair to generate identity identification information;

step 104: storing the identity identification information in the distributed ledger system.

The above-described flow will be described in detail with reference to examples.

Step 101: acquiring identity information which is input by a user and used for creating a digital identity;

In this embodiment, the client 102 of the digital identity owner belongs to a user and may be an intelligent terminal such as a computer or a smartphone, or a software application installed on such a terminal. The user enters the identity information for creating the digital identity on the client 102; the input mode may be a keyboard, capturing the relevant content with a camera, and so on, which the present application does not limit.

The client 102 of the digital identity owner may provide an identity information template covering name, age, sex, ID card number, nationality, academic information and other identity information. The template can be adjusted to actual requirements, for example by adding e-mail address, marital status or home address, and the user may fill in all or only part of it as needed.

It should be noted that, to prevent leakage of the user's identity information, the client 102 of the digital identity owner need not be connected to the internet while the user enters it: the identity information is kept in the local memory of the client 102, so that it cannot be stolen in transit as it could be if entered over the internet.

Step 102: determining a public and private key pair for encrypting identity information according to an asymmetric encryption algorithm;

In this embodiment, after the client 102 of the digital identity owner has obtained the identity information entered by the user for creating the digital identity, it determines, according to an asymmetric encryption algorithm, a public-private key pair for encrypting the identity information.

Optionally, the asymmetric encryption algorithm may be an RSA encryption algorithm, an RAE2 encryption algorithm, and the like, which is not limited in this application.

It should likewise be noted that, to prevent disclosure of the user's identity information, the client 102 of the digital identity owner need not be connected to the internet while determining the public-private key pair.

Step 103: encrypting the identity information according to a public key in a public and private key pair to generate identity identification information;

In this embodiment, after receiving the identity information entered by the user and determining the public-private key pair, the client 102 of the digital identity owner encrypts the identity information with the public key of the pair to generate identity identification information. The private key of the pair is kept by the user.

It should be noted that the identity identification information is a character string with no meaning on its own; it can be decrypted back into the identity information entered by the user only with the private key of the pair.

In addition, to prevent leakage of the user's identity information, the client of the digital identity owner need not be connected to the internet while performing step 103.

Step 104: storing the identity identification information in the distributed ledger system.

To avoid storing the user's identity information centrally on a server provided by a particular digital identity service, the embodiment stores the identity identification information in a distributed ledger system. A distributed ledger is a decentralized ledger whose contents cannot be tampered with; the identity identification information stored in it therefore cannot be tampered with by hackers or others. Moreover, because what the distributed ledger holds is the identity information encrypted under the asymmetric encryption algorithm, that is, a character string with no meaning on its own, anyone without the corresponding private key obtains only the identity identification information and cannot recover the user's actual identity information, which protects the security of the user's identity information.

After the identity identification information has been stored in the distributed ledger system, whoever wants to obtain the user's identity information from it must request the corresponding private key from the user and then decrypt the identity identification information stored in the distributed ledger system with that private key to obtain the user's actual identity information.

As an alternative embodiment, the client 102 of the digital identity owner sends the identity identification information to the digital identity management platform 101, and the digital identity management platform 101 stores it in the distributed ledger system.

In this way the user's identity information is encrypted with the asymmetric algorithm to generate identity identification information, which is then stored in the distributed ledger system.

It is understood that steps 101-104 above are the creation and storage process of the digital identity. After the digital identity has been created and stored, a third-party certification authority may be required to certify the identity information in it so that the user information carried by the digital identity has higher credibility. The certification process of the digital identity is described below.

As an optional implementation manner, the digital identity management method provided in the embodiment of the present application may further include the following steps:

firstly, determining a first public and private key pair according to an asymmetric encryption algorithm;

secondly, encrypting identity information to be authenticated according to a first sub public key in a first sub public and private key pair, generating identity identification information to be authenticated and storing the identity identification information to be authenticated in the distributed account book system;

and thirdly, sending a first distributed account book ID and a first sub private key in a first sub public and private key pair to a certification authority, so that the certification authority can acquire the identification information to be certified from the distributed account book system according to the first distributed account book ID and decrypt the identification information to be certified according to the first sub private key to obtain the identification information to be certified.

In the embodiment of the application, when a third-party certification authority is required to certify the identity information in the digital identity, the identity information to be certified differs from one certification authority to another. For example, certification authority A may certify the authenticity of the user's academic information according to the user's name, identification number and academic information. When the user creates the digital identity, in addition to entering the name, identification card number and academic information, other information may be entered, such as home address, marital status, family member information, etc. If the private key is sent directly to the third-party certification authority, the certification authority can use it to decrypt the identity identification information that the user stored in the distributed account book system and thereby obtain all of the user's identity information, which creates a risk of disclosure of the user's identity information.

To address the above-mentioned problem, the client 102 of the digital identity owner first determines a first sub public and private key pair according to an asymmetric encryption algorithm. The first sub public and private key pair is different from the public and private key pair in the foregoing embodiment, and therefore the identity identification information cannot be decrypted using the first sub private key in the first sub public and private key pair.

After the first sub public and private key pair is determined, the client 102 of the digital identity owner encrypts the identity information to be authenticated according to the first sub public key in the first sub public and private key pair, generates identity identification information to be authenticated and stores it in the distributed account book system. The identity information to be authenticated is the part of the identity information used for creating the digital identity that the certification authority requires during certification, together with the part that is to be certified. For example, when performing academic certification, the identity information to be authenticated may be the name, identification card number and academic information of the user. The name and the identification number are the identity information required by the certification authority during certification, and the academic information is the identity information to be certified.

After generating and storing to-be-authenticated identification information in the distributed ledger system, the client 102 of the digital identity owner sends a first distributed ledger ID and a first sub-private key of a first sub-public-private key pair to the certificate authority.

The certification authority obtains the identity identification information to be certified (that is, the identity information to be certified after encryption with the first sub public key) from the distributed account book system according to the first distributed account book ID, and then decrypts it with the first sub private key to obtain the identity information to be certified.

The certification authority certifies the identity information to be certified and, after the certification passes, may send a certification credential to the client 102 of the digital identity owner. The client 102 of the digital identity owner then saves the certification credential in the distributed ledger system and binds it to the previously uploaded identity identification information to be certified.

As another optional implementation manner, the authentication mechanism authenticates the identity information to be authenticated, and after the authentication passes, may send an authentication credential to the digital identity management platform 101. Then, the digital identity management platform 101 stores the authentication voucher in the distributed ledger system, and binds the authentication voucher with the previously uploaded identity information to be authenticated.

The identity information to be authenticated is encrypted according to the first sub public key to generate identity identification information to be authenticated and stored in the distributed account book system, and the first sub private key is sent to the authentication mechanism so that the authentication mechanism can decrypt the identity identification information to be authenticated according to the first sub private key, so that the authentication mechanism can only obtain the identity information to be authenticated but cannot obtain all identity information, and the risk of identity information leakage of a user is reduced.

As an alternative embodiment, the first sub private key has a usage time limit or a usage number limit. The certification authority usually needs to use the first sub private key only once, to decrypt the identity identification information to be certified and obtain the identity information to be certified. To prevent the first sub private key from leaking the user's identity information, the number of uses or the usage time of the first sub private key is limited. For example, the first sub private key may be usable only three times, after which it destroys itself; or the valid usage time of the first sub private key may be set to 24 hours, after which the first sub private key is invalidated.

By limiting the use times or the use time of the first sub-private key, even if the first sub-private key is leaked, other people or organizations cannot decrypt the identity information to be authenticated by using the first sub-private key any more, and therefore the safety of the identity information to be authenticated is improved.

In addition to authenticating the digital identity, in order to enable the digital identity to be used in other applications, the digital identity management method provided in the embodiment of the present application may further include the following steps:

firstly, obtaining an authorization application sent by a digital identity user;

secondly, determining a second sub public and private key pair according to the asymmetric encryption algorithm;

thirdly, encrypting the identity information to be authorized according to a second sub public key in a second sub public and private key pair, generating identity identification information to be authorized and storing the identity identification information to be authorized in the distributed account book system;

and fourthly, sending the second distributed account book ID and a second sub private key in a second sub public and private key pair to the digital identity user.

In the embodiment of the application, if other digital identity users need to acquire some identity information in the digital identity of the user, an authorization application needs to be initiated to the digital identity owner.

It should be noted that the authorization application includes an identifier corresponding to the to-be-authorized identity information of the digital identity user. The identity information to be authorized is the identity information of the user which needs to be used by the digital identity user in the identity information for creating the digital identity.

The authorization application may be directly sent to the client 102 of the digital identity owner, or may be sent to the digital identity management platform 101 first, and then sent to the client 102 of the digital identity owner by the digital identity management platform 101.

If the digital identity owner agrees with the authorization application, the client 102 of the digital identity owner determines a second sub public and private key pair according to the asymmetric encryption algorithm, encrypts the to-be-authorized identity information according to a second sub public key in the second sub public and private key pair, generates to-be-authorized identity identification information, and stores the to-be-authorized identity identification information in the distributed ledger system. It is understood that the above process corresponds to the first step and the second step in the foregoing authentication process of the digital identity, and the same or similar parts may be referred to each other and will not be described herein again.

After the identification information to be authorized is stored in the distributed ledger system, the client 102 of the digital identity owner sends the second distributed ledger ID and the second sub-private key of the second sub-public-private key pair to the digital identity user.

The digital identity user acquires the identity identification information to be authorized from the distributed account book system according to the second distributed account book ID, and decrypts it according to the second sub private key to obtain the identity information to be authorized, so that the authorized use of the digital identity is completed.

According to the embodiment of the application, the identity information to be authorized is encrypted according to the second sub public key to generate the identity identification information to be authorized, which is stored in the distributed account book system, and the second sub private key is sent to the digital identity user so that the digital identity user can decrypt the identity identification information to be authorized according to the second sub private key. The digital identity user can thus obtain only the identity information to be authorized and cannot obtain all of the identity information, and the risk of leakage of the user's identity information is reduced.

As an alternative embodiment, the second sub-private key has a usage time limit or a usage number limit. It can be understood that the second sub-private key has the same function as the first sub-private key, and for the sake of brevity, the same or similar parts may be referred to each other, and are not described again here.

By limiting the use times or the use time of the second sub-private key, even if the second sub-private key is leaked, other people or organizations cannot decrypt the identity identification information to be authorized by using the second sub-private key, and therefore the safety of the identity information to be authorized is improved.
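The certification flow (first sub key pair) and the authorization flow just described (second sub key pair) are the same mechanism applied to two different recipients. The following Go program is an added example written for this page; it is not code from the patent or from any product of its applicants. It assumes an in-memory map as a stand-in for the distributed ledger system, RSA-OAEP with SHA-256 as the asymmetric algorithm (the patent names none), a constructed ledger-ID format and constructed placeholder identity values. It shows the owner deriving a fresh sub key pair per disclosure, the receiving party recovering only the disclosed fields, a sub private key from a different disclosure failing to open the record, and the use-count and validity-period limits on the sub private key.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/json"
	"fmt"
	"time"
)

// Identity is the full identity information a user enters when creating the digital identity.
type Identity map[string]string

// Ledger is a constructed in-memory stand-in for the distributed ledger (ledger ID -> ciphertext).
type Ledger struct {
	records map[string][]byte
	next    int
}

func NewLedger() *Ledger { return &Ledger{records: map[string][]byte{}} }

// Store saves a ciphertext and returns the ledger ID under which it can be fetched.
func (l *Ledger) Store(ciphertext []byte) string {
	l.next++
	id := fmt.Sprintf("ledger-%d", l.next) // constructed ID format, not the patent's
	l.records[id] = ciphertext
	return id
}

// SubKey is a sub private key handed to a certification authority or identity user, with its limits.
type SubKey struct {
	priv     *rsa.PrivateKey
	usesLeft int
	expires  time.Time
}

// Disclose is the owner-side step shared by certification and authorization: derive a fresh
// sub key pair, encrypt only the named fields under the sub public key (RSA-OAEP/SHA-256 is an
// assumed algorithm choice), store the record, and return its ledger ID plus the limited sub key.
func Disclose(full Identity, fields []string, ledger *Ledger, now time.Time, maxUses int, ttl time.Duration) (string, *SubKey, error) {
	subset := Identity{}
	for _, f := range fields {
		v, ok := full[f]
		if !ok {
			return "", nil, fmt.Errorf("identity has no field %q", f)
		}
		subset[f] = v
	}
	plain, _ := json.Marshal(subset)
	priv, err := rsa.GenerateKey(rand.Reader, 2048) // fresh sub key pair per disclosure
	if err != nil {
		return "", nil, err
	}
	ct, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, &priv.PublicKey, plain, nil)
	if err != nil {
		return "", nil, err
	}
	return ledger.Store(ct), &SubKey{priv: priv, usesLeft: maxUses, expires: now.Add(ttl)}, nil
}

// Retrieve is the receiving-party step: fetch the record by ledger ID and decrypt it with the sub
// private key. Limits are checked on every use; key material is dropped once they are exhausted.
func Retrieve(ledger *Ledger, id string, key *SubKey, now time.Time) (Identity, error) {
	ct, ok := ledger.records[id]
	if !ok {
		return nil, fmt.Errorf("no record under ledger ID %q", id)
	}
	if key.priv == nil || key.usesLeft <= 0 {
		key.priv = nil
		return nil, fmt.Errorf("sub private key destroyed or use count exhausted")
	}
	if now.After(key.expires) {
		key.priv = nil
		return nil, fmt.Errorf("sub private key validity period has passed")
	}
	key.usesLeft--
	plain, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, key.priv, ct, nil)
	if key.usesLeft == 0 {
		key.priv = nil // self-destructs after the last permitted use
	}
	if err != nil {
		return nil, err // e.g. the record was sealed under a different key pair
	}
	var info Identity
	err = json.Unmarshal(plain, &info)
	return info, err
}

func main() {
	// Constructed sample identity; every value is a placeholder.
	full := Identity{"name": "A. Example", "id_number": "ID-000000", "degree": "BSc", "home_address": "1 Example St"}
	ledger, now := NewLedger(), time.Now()
	id, key, _ := Disclose(full, []string{"name", "id_number", "degree"}, ledger, now, 3, 24*time.Hour)
	got, err := Retrieve(ledger, id, key, now) // certification authority side
	fmt.Println(id, got, err)                  // only the three disclosed fields come back
}
```

Because the record stored under the sub public key contains only the selected fields, the receiving party cannot learn the home address even with a valid sub private key, and a record sealed under any other key pair (including the owner's main pair) fails to decrypt with it. A production system would also bind the credential returned by the certification authority to the ledger ID, as the text describes, and would wipe the sub private key bytes rather than merely dropping the pointer.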

As an optional implementation manner, the digital identity management method provided in the embodiment of the present application may further include the following steps:

firstly, determining the copy number of the identity identification information according to the network performance, the storage capacity and the node number of the distributed account book system;

and secondly, storing the identification information corresponding to the number of the copies in a plurality of nodes of the distributed account book system.

In the embodiment of the application, in order to prevent data unavailability or data loss caused by a problem at the node storing the identity identification information after it is stored in the distributed account book system, the copy number of the identity identification information is determined according to the network performance, the storage capacity and the node number of the distributed account book system, and the number of copies of the identity identification information corresponding to the copy number is stored in a plurality of nodes of the distributed account book system, so that the identity identification information is held by a plurality of nodes in the distributed account book system.

For example, if the number of copies is 5, the identity identification information is copied into five copies and stored on five nodes of the distributed ledger system. In this way, even if a certain node in the distributed account book system has a problem, the identity identification information can be obtained from other nodes, and the safety of the identity identification information is improved.

One way to determine the number of copies is given below.

In consideration of the network performance of the distributed ledger system, the number of copies is one tenth of the total number of nodes of the distributed ledger system. In consideration of the storage capacity of the distributed ledger system, the number of copies is one fifth of the total number of nodes of the distributed ledger system. And in case the number of storage nodes is too small, three storage nodes are added to the number of copies determined according to the network performance and the storage capacity of the distributed ledger system.

The formula for calculating the number of copies determined according to the above rules is (the calculation result is rounded down):

number of copies +3 (total number of nodes 10% 20%).

By determining the number of copies and storing the identification information corresponding to the number of copies in a plurality of nodes of the distributed account book system, even if a certain node in the distributed account book system has a problem, the identification information can be obtained from other nodes, and the safety of the identification information is improved.
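The replication described above, as an added example that is not part of the patent: a constructed in-memory ledger with named nodes, a copy number taken as an input (the example does not derive it from network performance, storage capacity or node count), round-robin placement of the copies on distinct nodes, and a read path that falls back to any surviving copy when nodes fail. Node names, the ledger-ID format and the record bytes are constructed placeholders.

```go
package main

import "fmt"

// Node is one storage node of a constructed in-memory ledger; Down simulates the node
// being unreachable or having lost its data.
type Node struct {
	Name    string
	Down    bool
	records map[string][]byte
}

// ReplicatedLedger stores every record on a chosen number of distinct nodes and serves
// reads from whichever holder is still reachable.
type ReplicatedLedger struct {
	nodes   []*Node
	cursor  int // round-robin placement so successive records spread across the cluster
	holders map[string][]*Node
	next    int
}

func NewReplicatedLedger(names ...string) *ReplicatedLedger {
	rl := &ReplicatedLedger{holders: map[string][]*Node{}}
	for _, n := range names {
		rl.nodes = append(rl.nodes, &Node{Name: n, records: map[string][]byte{}})
	}
	return rl
}

// Store writes `copies` copies of the identity identification information to distinct
// nodes and returns the ledger ID. The copy number is an input here; how it is derived
// from network performance, storage capacity and node count is not modelled.
func (rl *ReplicatedLedger) Store(record []byte, copies int) (string, error) {
	if copies < 1 || copies > len(rl.nodes) {
		return "", fmt.Errorf("copies must be between 1 and %d", len(rl.nodes))
	}
	rl.next++
	id := fmt.Sprintf("ledger-%d", rl.next) // constructed ID format, not the patent's
	for i := 0; i < copies; i++ {
		n := rl.nodes[(rl.cursor+i)%len(rl.nodes)]
		n.records[id] = append([]byte(nil), record...) // each node keeps its own copy
		rl.holders[id] = append(rl.holders[id], n)
	}
	rl.cursor = (rl.cursor + copies) % len(rl.nodes)
	return id, nil
}

// Get returns the record from the first reachable holder and fails only when every copy
// is unavailable.
func (rl *ReplicatedLedger) Get(id string) ([]byte, error) {
	for _, n := range rl.holders[id] {
		if rec, ok := n.records[id]; ok && !n.Down {
			return rec, nil
		}
	}
	return nil, fmt.Errorf("no reachable node holds record %q", id)
}

// Holders lists the nodes storing a record, so placement can be inspected.
func (rl *ReplicatedLedger) Holders(id string) []string {
	var names []string
	for _, n := range rl.holders[id] {
		names = append(names, n.Name)
	}
	return names
}

// Fail marks a node unreachable (constructed fault injection for the demonstration).
func (rl *ReplicatedLedger) Fail(name string) {
	for _, n := range rl.nodes {
		if n.Name == name {
			n.Down = true
		}
	}
}

func main() {
	rl := NewReplicatedLedger("n1", "n2", "n3", "n4", "n5", "n6", "n7", "n8", "n9", "n10")
	id, _ := rl.Store([]byte("constructed-ciphertext"), 5)
	fmt.Println("copies on:", rl.Holders(id))
	for _, n := range []string{"n1", "n2", "n3", "n4"} {
		rl.Fail(n)
	}
	rec, err := rl.Get(id) // still served by n5
	fmt.Println(string(rec), err)
}
```

With five copies on ten nodes the record survives the loss of any four holders; only when all five are down does the read fail, which is the availability property the paragraph above relies on.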

Based on the same inventive concept, the embodiment of the application also provides a digital identity management device. Referring to fig. 3, fig. 3 is a block diagram of a digital identity management apparatus according to an embodiment of the present application, where the digital identity management apparatus 300 includes:

an obtaining module 301, configured to obtain identity information used for creating a digital identity, which is input by a user;

a key determining module 302, configured to determine, according to an asymmetric encryption algorithm, a public-private key pair used for encrypting the identity information;

a generating module 303, configured to encrypt the identity information according to the public key in the public and private key pair to generate identity identification information;

and a storing module 304, configured to store the identification information in the distributed ledger system.

In an alternative embodiment, the key determination module 302 is further configured to determine a first sub public-private key pair according to an asymmetric cryptographic algorithm; the generating module 303 is further configured to encrypt the identity information to be authenticated according to a first sub public key in the first sub public-private key pair, and generate identity identification information to be authenticated; the identity information to be authenticated is the part of the identity information required by the certification authority during certification together with the part to be certified; the storage module 304 is further configured to store the to-be-authenticated identification information in the distributed ledger system; the device further comprises a sending module 305, configured to send a first distributed ledger ID and a first sub-private key in the first sub public-private key pair to the certification authority, so that the certification authority obtains the to-be-certified identity identification information from the distributed ledger system according to the first distributed ledger ID, and decrypts it according to the first sub-private key to obtain the to-be-certified identity information.

In an alternative embodiment, the first sub-private key has a usage time limit or a usage number limit.

In an optional embodiment, the obtaining module 301 is further configured to obtain an authorization application sent by a digital identity user, where the authorization application includes an identifier corresponding to the identity information to be authorized of the digital identity user; the identity information to be authorized is the part of the identity information that the digital identity user needs to use; the key determination module 302 is further configured to determine a second sub public-private key pair according to the asymmetric cryptographic algorithm; the generating module 303 is further configured to encrypt the to-be-authorized identity information according to a second sub public key in the second sub public-private key pair, and generate to-be-authorized identity identification information; the storage module 304 is further configured to store the to-be-authorized identification information in the distributed ledger system; the sending module 305 is further configured to send a second distributed ledger ID and a second sub-private key in the second sub public-private key pair to the digital identity user, so that the digital identity user obtains the to-be-authorized identity identification information from the distributed ledger system according to the second distributed ledger ID, and decrypts it according to the second sub-private key to obtain the to-be-authorized identity information.

In an alternative embodiment, the second sub-private key has a usage time limit or a usage number limit.

In an alternative embodiment, the apparatus further comprises a copy number determination module 306, configured to determine the copy number of the identity identification information according to the network performance, the storage capacity, and the node number of the distributed ledger system; the storage module 304 is further configured to store the number of copies of the identification information corresponding to the copy number in a plurality of nodes of the distributed ledger system.

Referring to fig. 4, fig. 4 is a schematic structural diagram of an electronic device 400 according to an embodiment of the present application, where the electronic device 400 includes: at least one processor 401, at least one communication interface 402, at least one memory 403 and at least one bus 404. Wherein the bus 404 is used for implementing direct connection communication of these components, the communication interface 402 is used for communicating signaling or data with other node devices, and the memory 403 stores machine-readable instructions executable by the processor 401. When the electronic device 400 is in operation, the processor 401 communicates with the memory 403 via the bus 404, and the machine-readable instructions, when invoked by the processor 401, perform the steps of the digital identity management method as in the previous embodiments.

The processor 401 may be an integrated circuit chip having signal processing capabilities. The processor 401 may be a general-purpose processor, including a Central Processing Unit (CPU), a Network Processor (NP), and the like; it may also be a Digital Signal Processor (DSP), an Application Specific Integrated Circuit (ASIC), a Field-Programmable Gate Array (FPGA) or other programmable logic device, a discrete gate or transistor logic device, or a discrete hardware component, which may implement or perform the various methods, steps, and logic blocks disclosed in the embodiments of the present application. A general-purpose processor may be a microprocessor, or the processor may be any conventional processor or the like.

The memory 403 may include, but is not limited to, Random Access Memory (RAM), Read Only Memory (ROM), Programmable Read Only Memory (PROM), Erasable Programmable Read Only Memory (EPROM), Electrically Erasable Programmable Read Only Memory (EEPROM), and the like.

It will be appreciated that the configuration shown in fig. 4 is merely illustrative and that electronic device 400 may include more or fewer components than shown in fig. 4 or have a different configuration than shown in fig. 4. The components shown in fig. 4 may be implemented in hardware, software, or a combination thereof. In the embodiment of the present application, the electronic device 400 may be, but is not limited to, an entity device such as a desktop, a laptop, a smart phone, an intelligent wearable device, and a vehicle-mounted device, and may also be a virtual device such as a virtual machine. In addition, the electronic device 400 is not necessarily a single device, but may be a combination of multiple devices, such as a server cluster, and the like.

In addition, an embodiment of the present application further provides a computer storage medium, where a computer program is stored on the computer storage medium, and when the computer program is executed by a computer, the steps of the digital identity management method in the foregoing embodiment are performed.

In the embodiments provided in the present application, it should be understood that the disclosed apparatus and method may be implemented in other ways. The above-described embodiments of the apparatus are merely illustrative, and for example, the division of the units is only one logical division, and there may be other divisions when actually implemented, and for example, a plurality of units or components may be combined or integrated into another system, or some features may be omitted, or not executed. In addition, the shown or discussed mutual coupling or direct coupling or communication connection may be an indirect coupling or communication connection of devices or units through some communication interfaces, and may be in an electrical, mechanical or other form.

In addition, units described as separate parts may or may not be physically separate, and parts displayed as units may or may not be physical units, may be located in one place, or may be distributed on a plurality of network units. Some or all of the units can be selected according to actual needs to achieve the purpose of the solution of the embodiment.

Furthermore, the functional modules in the embodiments of the present application may be integrated together to form an independent part, or each module may exist separately, or two or more modules may be integrated to form an independent part.

It should be noted that the functions, if implemented in the form of software functional modules and sold or used as independent products, may be stored in a computer readable storage medium. Based on such understanding, the technical solution of the present application or portions thereof that substantially contribute to the prior art may be embodied in the form of a software product stored in a storage medium and including instructions for causing a computer device (which may be a personal computer, a server, or a network device) to execute all or part of the steps of the method according to the embodiments of the present application. And the aforementioned storage medium includes: various media capable of storing program codes, such as a usb disk, a removable hard disk, a Read-Only Memory (ROM), a Random Access Memory (RAM), a magnetic disk, or an optical disk.

In this document, relational terms such as first and second, and the like may be used solely to distinguish one entity or action from another entity or action without necessarily requiring or implying any actual such relationship or order between such entities or actions.

The above description is only an example of the present application and is not intended to limit the scope of the present application, and various modifications and changes may be made by those skilled in the art. Any modification, equivalent replacement, improvement and the like made within the spirit and principle of the present application shall be included in the protection scope of the present application.
