DID Series 1: Introduction to Decentralized Digital Identity (DID)

Decentralized Identity (DID) is a digital identity system based on blockchain technology. It ensures that identity data is authentic and credible while protecting the privacy of identity users, so that data related to personal identity belongs to the individual. This is in line with the "China Personal Information Protection Law", which will be implemented in November 2021.

1 Evolution process of identity authentication

V1.0, traditional identity authentication: the user registers a separate account on each website and logs in with an account name and password. Each website holds the user's identity information, as shown in Figure 1(a).
Disadvantages: accounts are registered over and over, and users often forget their passwords; many websites hold user information, which also leads to information leakage.
V2.0, identity authentication represented by single sign-on: an account the user registered on one website can be authorized to log in to other websites, as shown in Figure 1(b).
Disadvantages: user information is controlled by a few large websites, which can abuse that position (the "big shop bullying its customers" problem), and it is also prone to information leakage, such as Facebook's user information leakage problem.
V3.0, decentralized identity authentication: users keep their own identity information and, when necessary, present the minimum needed to each website for confirmation, as shown in Figure 1(c).
Is this a disadvantage? A blockchain is needed as the underlying technical support; it acts as a trusted third party that ensures the integrity and correctness of identity information.

Figure 1. Evolution process of identity authentication

2 The principle of DID authentication

Decentralized identity (Decentralized IDentity, DID for short): compared with a traditional PKI-based identity system, a blockchain-based DID digital identity system ensures data authenticity, protects user privacy and security, and is highly portable. Its advantages:
  • Decentralization: because it is based on the blockchain, identity data is not controlled by a single centralized authority.
  • Independent and controllable identity: based on DPKI (Distributed Public Key Infrastructure), each user's identity is controlled by its owner rather than by a trusted third party, and individuals can manage their own identities independently.
  • Trusted data exchange: identity-related data is anchored on the blockchain, and the authentication process does not need to rely on the application that provides the identity.

2.1 What does DID look like?

Figure 2. DID identification
Prefix did: fixed; it indicates that the string is a DID identifier.
The middle part (example in Figure 2): this is the DID method, which indicates which scheme (method) is used to define and operate the DID. It can be customized. For example, the DID method name of Tencent's FISCO BCOS is tdid, and that of Hyperledger Indy is indy. For more information, see the W3C website ( https://w3c.github.io/did-spec-registries/#did-methods ).
The final string: the unique identification string under the DID method.
For example, suppose we have built a DID system and call its method cid. If we want to give the ID information of every Chinese citizen a DID, then my DID is: did:cid:5111******** *****5. Here the ID card number serves as the unique identifier under the cid method.

2.2 DID document: a detailed description of the DID

The DID document is a detailed description of the DID, in a one-to-one relationship with it. It can be seen as consisting of two parts, DID metadata and the DID public key, as shown in Figure 4(a). The public key is the essential part: it is used for digital signatures, encryption operations and so on.
Generally, the DID is kept by the user, and the DID document is stored on the blockchain (indexed with the DID as the key) to ensure the correctness of the DID document.
When a user registers a DID on the blockchain, the DID and its document can be generated by a smart contract, and the smart contract is responsible for reading and updating the DID on the chain.

  Figure 4. Format of DID document, VC, VP

Personally, I think the most important thing in the DID document is the public key information.
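
An added example (not from the original post) of how a verifier gets from a proof's verificationMethod to the public key in the DID document. The dictionary stands in for the on-chain registry and its contents, including the key placeholder, are constructed; the syntax check follows the W3C DID Core grammar.

```python
import re

# DID syntax from W3C DID Core: did:<method-name>:<method-specific-id>
DID_RE = re.compile(
    r"^did:(?P<method>[a-z0-9]+):"
    r"(?P<msid>(?:(?:[A-Za-z0-9._-]|%[0-9A-Fa-f]{2})*:)*"
    r"(?:[A-Za-z0-9._-]|%[0-9A-Fa-f]{2})+)$"
)

def parse_did_url(did_url):
    """Split a DID URL into (did, method, method-specific id, fragment)."""
    did, _, fragment = did_url.partition("#")
    m = DID_RE.match(did)
    if m is None:
        raise ValueError(f"not a valid DID: {did!r}")
    return did, m.group("method"), m.group("msid"), fragment or None

# Constructed stand-in for the on-chain registry: DID -> DID document.
REGISTRY = {
    "did:example:ebfeb1f712ebc6f1c276e12ec21": {
        "id": "did:example:ebfeb1f712ebc6f1c276e12ec21",
        "verificationMethod": [{
            "id": "did:example:ebfeb1f712ebc6f1c276e12ec21#keys-1",
            "type": "RsaVerificationKey2018",
            "controller": "did:example:ebfeb1f712ebc6f1c276e12ec21",
            "publicKeyPem": "CONSTRUCTED-PLACEHOLDER-KEY",
        }],
    },
}

def resolve_key(did_url, registry=REGISTRY):
    """Return the verification method a proof's verificationMethod points at."""
    did, _, _, fragment = parse_did_url(did_url)
    doc = registry.get(did)
    if doc is None:
        raise LookupError(f"DID not registered: {did}")
    if doc.get("id") != did:  # the document must describe the DID we asked for
        raise ValueError("DID document id does not match the requested DID")
    if fragment is None:
        raise ValueError("a proof must reference a specific key, e.g. #keys-1")
    for vm in doc.get("verificationMethod", []):
        if vm["id"] == did_url:
            return vm
    raise LookupError(f"no verification method {did_url}")
```
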

2.3 Verifiable Claims / Verifiable Credential (VC)
A VC is a descriptive statement that one DID issues to endorse certain attributes of another DID, with the issuer's own digital signature attached to prove the authenticity of those attributes; it can be regarded as a digital certificate. The traditional PKI digital certificate system requires a CA to issue certificates, and a DID system is likewise divided into issuers, holders, verifiers, and the DID registration system (that is, the blockchain). The specific relationship is shown in the figure:

  • The issuer (Issuer) is the certificate-issuing institution. For example, for an ID card the public security organ is the issuer, and for a graduation certificate the university is the issuer.
  • The holder (Holder) is the holder of the certificate, that is, ordinary people like us.
  • The verifier (Verifier) is the person or organization that checks our certificate when we use it. For example, when we check into a hotel, the front desk needs to verify our ID card, so the hotel front desk is the verifier; likewise, when we join a new company we need to provide a college diploma, and the HR of the new company is the verifier.
  • The DID registration system (Verifiable Data Registry) is where the DID identifier and DID document are stored; the corresponding DID document can be queried by its DID identifier.
When the public security organ issues me an ID card, in DID terms this ID card is a VC. A VC is also a JSON string, which contains the following information:
  • VC metadata: mainly information such as the issuer, the issue date, and the type of statement.
  • Claims (declaration): one or more descriptions about the subject. For example, the ID card issued to me as a VC by the public security agency will include information such as name, gender, date of birth, ethnicity, and address in the statement.
  • Proof: usually the digital signature of the issuer. It makes the VC verifiable, prevents the content of the VC from being tampered with, and identifies the issuer of the VC.
The following is the official example of a specific VC:

{
  // JSON-LD standards (contexts) that the VC content follows
  "@context": [
    "https://www.w3.org/2018/credentials/v1",
    "https://www.w3.org/2018/credentials/examples/v1"
  ],
  // Unique identifier of this VC, i.e. the certificate ID
  "id": "http://example.edu/credentials/1872",
  // Format (type) of the VC content
  "type": ["VerifiableCredential", "AlumniCredential"],
  // Issuer of this VC
  "issuer": "https://example.edu/issuers/565049",
  // Issue time of this VC
  "issuanceDate": "2010-01-01T19:73:24Z",
  // The actual content of the VC's claims
  "credentialSubject": {
    // DID of the subject the claims are about
    "id": "did:example:ebfeb1f712ebc6f1c276e12ec21",
    // The asserted claim
    "alumniOf": {
      "id": "did:example:c276e12ec21ebfeb1f712ebc6f1",
      "name": [{
        "value": "Example University",
        "lang": "en"
      }, {
        "value": "Exemple d'Université",
        "lang": "fr"
      }]
    }
  },
  // Proof for this VC
  "proof": {
    // Signature algorithm
    "type": "RsaSignature2018",
    // Time the signature was created
    "created": "2017-06-18T21:19:10Z",
    // Purpose of this proof
    "proofPurpose": "assertionMethod",
    // ID of the public key used to verify this signature
    "verificationMethod": "https://example.edu/issuers/keys/1",
    // The digital signature value
    "jws": "eyJhbGciOiJSUzI1NiIsImI2NCI6ZmFsc2UsImNyaXQiOlsiYjY0Il19..TCYt5XsITJX1CxPCT8yAV-TVkIEq_PbChOMqsLfRoPsnsgw5WEuts01mq-pQy7UJiN5mgRxD-WUcX16dUEMGlv50aqzpqh4Qktb3rk-BuQy72IFLOqV0G_zS245-kronKb78cPN25DGlcTwLtjPAYuNzVBAh4vGHSrQyHUdBBPM"
  }
}
Because the VC contains the user's private information, it is generally kept in private storage, such as the user's own mobile phone or a network address that requires authorization. In addition to the data in the previous example, a VC can also have an expiration date. For example, our ID card is generally valid for 10 years; after it expires, we need to apply to the issuer for a new VC.

2.4 Verifiable Presentation (VP)

A verifiable presentation is the data a VC holder uses to prove their identity to a verifier. Under normal circumstances we can simply present the full text of the VC, but in some cases, for privacy protection, we do not need to present the complete VC content: we only want to selectively disclose some attributes, or disclose no attributes at all and only prove a certain assertion.
For example, if a job seeker wants to enter an office building for an interview, the building's security desk requires the ID number and name to be registered, but the VC also includes information such as ethnicity and address. The job seeker does not want to disclose their address to the security guard, so the VP provided to the guard should selectively disclose only the ID number and name, and nothing else.
Another example: the rule is that you must be over 18 years old to buy cigarettes, so a consumer must prove that they are over 18 when buying cigarettes. Showing the ID card directly to the cashier exposes too much private information, and even selectively disclosing only the birthday attribute lets the cashier know the consumer's exact age and birthday. In this case the consumer only wants the VP to prove that they are over 18, with no other information disclosed.
A VP contains the following information:
  • VP metadata: mainly the version, the type of this JSON object, and other information.
  • The VC list: the content of the VCs to be shown to the outside world. In a selective-disclosure or privacy-protection situation it may not contain any VCs.
  • Proof: mainly the holder's signature information on this VP.
The following is the official example of a specific VP:

{
  "@context": [
    "https://www.w3.org/2018/credentials/v1",
    "https://www.w3.org/2018/credentials/examples/v1"
  ],
  "type": "VerifiablePresentation",
  // Content of the VCs contained in this VP
  "verifiableCredential": [{
    "@context": [
      "https://www.w3.org/2018/credentials/v1",
      "https://www.w3.org/2018/credentials/examples/v1"
    ],
    "id": "http://example.edu/credentials/1872",
    "type": ["VerifiableCredential", "AlumniCredential"],
    "issuer": "https://example.edu/issuers/565049",
    "issuanceDate": "2010-01-01T19:73:24Z",
    "credentialSubject": {
      "id": "did:example:ebfeb1f712ebc6f1c276e12ec21",
      "alumniOf": {
        "id": "did:example:c276e12ec21ebfeb1f712ebc6f1",
        "name": [{
          "value": "Example University",
          "lang": "en"
        }, {
          "value": "Exemple d'Université",
          "lang": "fr"
        }]
      }
    },
    "proof": {
      "type": "RsaSignature2018",
      "created": "2017-06-18T21:19:10Z",
      "proofPurpose": "assertionMethod",
      "verificationMethod": "https://example.edu/issuers/keys/1",
      "jws": "eyJhbGciOiJSUzI1NiIsImI2NCI6ZmFsc2UsImNyaXQiOlsiYjY0Il19..TCYt5XsITJX1CxPCT8yAV-TVkIEq_PbChOMqsLfRoPsnsgw5WEuts01mq-pQy7UJiN5mgRxD-WUcX16dUEMGlv50aqzpqh4Qktb3rk-BuQy72IFLOqV0G_zS245-kronKb78cPN25DGlcTwLtjPAYuNzVBAh4vGHSrQyHUdBBPM"
    }
  }],
  // The holder's signature information for this VP
  "proof": {
    "type": "RsaSignature2018",
    "created": "2018-09-14T21:19:10Z",
    "proofPurpose": "authentication",
    "verificationMethod": "did:example:ebfeb1f712ebc6f1c276e12ec21#keys-1",
    // challenge and domain are designed to prevent replay attacks
    "challenge": "1f44d55f-f161-4938-a659-f8026467f126",
    "domain": "4jt78h47fh47",
    "jws": "eyJhbGciOiJSUzI1NiIsImI2NCI6ZmFsc2UsImNyaXQiOlsiYjY0Il19..kTCYt5XsITJX1CxPCT8yAV-TVIw5WEuts01mq-pQy7UJiN5mgREEMGlv50aqzpqh4Qq_PbChOMqsLfRoPsnsgxD-WUcX16dUOqV0G_zS245-kronKb78cPktb3rk-BuQy72IFLN25DYuNzVBAh4vGHSrQyHUGlcTwLtjPAnKb78"
  }
}
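
An added example, not part of the original post or the official text, of the verifier-side checks that make challenge and domain effective against replay. ChallengeStore, make_vp and the domain verifier.example are hypothetical names; verifying the holder's signature, which must cover both fields, is assumed to happen separately.

```python
import secrets
import time

class ChallengeStore:
    """Verifier-side store of single-use challenges (hypothetical helper)."""

    def __init__(self, domain, ttl=120):
        self.domain, self.ttl, self._issued = domain, ttl, {}

    def issue(self, now=None):
        """Create a fresh random challenge to send to the holder."""
        nonce = secrets.token_urlsafe(16)
        self._issued[nonce] = (time.time() if now is None else now) + self.ttl
        return nonce

    def check_presentation(self, vp, now=None):
        """Return None if the VP proof is fresh and bound to us, else a reason."""
        now = time.time() if now is None else now
        proof = vp.get("proof", {})
        if proof.get("proofPurpose") != "authentication":
            return "wrong proofPurpose"
        if proof.get("domain") != self.domain:
            return "presentation was made for another verifier"
        challenge = proof.get("challenge")
        # pop() makes every challenge single use: a replayed VP finds nothing.
        expiry = self._issued.pop(challenge, None) if isinstance(challenge, str) else None
        if expiry is None:
            return "unknown or already used challenge"
        if now > expiry:
            return "challenge expired"
        # Added check: the presenter must be the subject of every enclosed VC.
        holder = proof.get("verificationMethod", "").partition("#")[0]
        for vc in vp.get("verifiableCredential", []):
            if vc.get("credentialSubject", {}).get("id") != holder:
                return "credential subject is not the presenter"
        return None

def make_vp(challenge, domain, holder="did:example:ebfeb1f712ebc6f1c276e12ec21"):
    """Constructed sample VP carrying only the fields checked above."""
    return {"type": "VerifiablePresentation",
            "verifiableCredential": [{"credentialSubject": {"id": holder}}],
            "proof": {"proofPurpose": "authentication", "domain": domain,
                      "challenge": challenge,
                      "verificationMethod": holder + "#keys-1"}}
```
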
These are some basic concepts.

3. How to support multiple types of claims

There are many kinds of claims in a VC: university graduation certificates, ID cards, driver's licenses, marriage certificates, and so on. For them to be resolved correctly, their resolution methods have to be registered on the blockchain in advance. This is the certificate.
This is generally done by the Authority, which classifies claims according to business scenario, defines the Claim structure for each type of data, and registers it on the blockchain so that it is universal across the network.

4. How to support selective disclosure

Taking an ID card as an example, its complete VC credential includes name, gender, date of birth, ethnicity, address, photo, etc. When buying a train ticket, you may only need your name and ID number; when registering for school, you may only need your name, date of birth, etc.; when confirming your ethnic minority status, you must provide ethnic information. So in many scenarios not all items are required, perhaps only one or two of them, and only the necessary items need to be disclosed.
But how can the verifier confirm that the disclosed items are correct and have not been modified? The classic Merkle Tree structure is used here, as shown in Figure 5. For example, in the scenario where only the birthday needs to be disclosed, the sibling item "nation" of "birthday" can be used to verify the correctness of "birthday" with its path to the tree root <Hash1, Hash34> + MerkleRoot.

Figure 5. Merkle Tree is used to verify the correctness of optional disclosure items
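
An added example (not the author's code) of the Merkle-tree check described above: the issuer commits to all attributes in one root, the holder reveals one attribute plus its sibling path, and the verifier recomputes the root. The attribute values, the per-attribute salts and the leaf/node tagging are assumptions of this example, not details given in the article.

```python
import hashlib
import secrets

def _h(tag, data):
    # Distinct tags for leaves and inner nodes keep the two from being confused.
    return hashlib.sha256(tag + data).digest()

PAD = _h(b"\x02", b"")  # filler node for levels with an odd number of entries

def leaf_hash(name, value, salt):
    # The per-attribute salt stops a verifier from guessing hidden
    # low-entropy values (gender, nation) by hashing candidates.
    return _h(b"\x00", salt + name.encode() + b"=" + value.encode())

def build_levels(leaves):
    """Return all tree levels, leaves first, root level last."""
    levels = [leaves]
    while len(levels[-1]) > 1:
        cur = levels[-1] + [PAD] * (len(levels[-1]) % 2)
        levels.append([_h(b"\x01", cur[i] + cur[i + 1])
                       for i in range(0, len(cur), 2)])
    return levels

def prove(levels, index):
    """Sibling hashes from leaf `index` up to the root, with side flags."""
    path = []
    for level in levels[:-1]:
        level = level + [PAD] * (len(level) % 2)
        sib = index ^ 1
        path.append((level[sib], sib < index))  # True: sibling is on the left
        index //= 2
    return path

def verify(name, value, salt, path, root):
    """Recompute the root from one disclosed attribute and its path."""
    node = leaf_hash(name, value, salt)
    for sibling, is_left in path:
        node = _h(b"\x01", sibling + node if is_left else node + sibling)
    return node == root

# Constructed sample credential; the issuer would sign ROOT inside the VC.
ATTRS = [("name", "Zhang San"), ("gender", "F"), ("birthday", "1990-01-01"),
         ("nation", "Han"), ("address", "1 Example Road"),
         ("photo", "photo-digest-placeholder")]
SALTS = [secrets.token_bytes(16) for _ in ATTRS]
LEVELS = build_levels([leaf_hash(n, v, s) for (n, v), s in zip(ATTRS, SALTS)])
ROOT = LEVELS[-1][0]
```

To disclose only the birthday, the holder sends the value, `SALTS[2]` and `prove(LEVELS, 2)`; the other attributes stay hidden behind their salted hashes.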

6. Protecting privacy with zero-knowledge proofs (ZKP)

The credentials a user owns involve a lot of private information, such as age (girls are the least willing to let others know) and income. These cannot be shown to others directly, but in many cases the information still has to be verified, such as the age range (ageOver 18) in the figure below, or whether you received a scholarship (degree) at school. These facts are all derived from the original VC, and to ensure that the derivation is correct, they must be stored in the VP together with a zero-knowledge proof (ZKP).

Figure 6. Privacy protection with ZKP

7. DID authentication process

The DID authentication process involves the interaction of four parties: the certificate issuer, the certificate holder (who can use an app to store multiple certificates and VC credentials), the verifier, and the DID registration system (such as the blockchain).
The certificate issuer is an authoritative organization, such as a university or a public security organ. The holder keeps the VC credentials issued by the authoritative organization (such as a graduation certificate obtained from a university or an ID card obtained from a public security organ). The verifier validates a presentation (VP) of these credentials in conjunction with information on the blockchain.
The premise of DID authentication is that authorities, VC holders, and verifiers have all registered their IDs on the blockchain.

8 W3C standards

Decentralized Identifiers (DIDs) v1.0

DID Specification Registries

Code library

Origin blog.csdn.net/u012084827/article/details/127139223#comments_25190225