[Blockchain | DID] Digital Identity in Plain Language

The "14th Five-Year Plan for Digital Economy Development" proposes to establish and improve mechanisms for government data sharing and coordination, to accelerate unified authentication of digital identities and mutual recognition of electronic certificates, electronic signatures and electronic official documents, to advance the reform of electronic invoices, and to promote the sharing of government data, process optimization and cross-department collaboration. As the digital economy takes shape, digital identity plays an important role in the digital transformation of government services.

1 Identity and digital identity

1.1 Identity

Identity is, at bottom, a person's legal status as a member of a state, together with everything derived from it. In traditional societies, physical identity is proven with a set of paper documents that establish "I am who I say I am". These can be documents that prove legal identity, such as an ID card, or documents built on top of it, such as a diploma that proves academic qualifications.

1.2 Digital identity

With the emergence and popularization of the Internet, identity has another form of expression, that is, digital identity. It is generally believed that the evolution of digital identity has gone through three stages, namely: centralized digital identity, federated digital identity, and distributed digital identity.

(1) Centralized digital identity: a digital identity managed and controlled by a single authority;

(2) Federation-style digital identity: a digital identity managed and controlled by multiple authoritative organizations or alliances, and the user’s identity data has a certain degree of portability;

(3) Distributed digital identity: distributed infrastructure replaces the model in which application vendors control digital identities with one in which users control and manage their own digital identities, aiming to address privacy problems at the root by returning data ownership to users.

Looking at the full life cycle, an identity passes through four stages from creation to use: registration, issuance, verification and management. Three parties are involved: the identity owner (the user), the identity provider (the issuing body) and the relying party (the party that needs to authenticate the user).

[Figure 1: Identity life cycle flow chart (image not included)]

(1) Registration: the user (identity owner) submits a registration request to the identity provider;

(2) Issuance: the identity provider receives the user's request, records and recognizes the user's identity, and issues the user a recognizable identity;

(3) Verification: when the user presents the identity to a relying party that trusts the identity provider, the relying party uses technical means to verify that the identity is authentic and still valid;

(4) Management: ongoing management of the digital identity, including but not limited to storage, update, revocation and authorization.

2 Traditional digital identity

2.1 Overview

Traditional digital identity is mostly implemented in centralized or federated form. From the perspective of Internet business, user identities and data have long been digitized and networked, and Internet companies run mature identity management systems. From the perspective of cryptographic trust verification, each centralized management organization acts as a root of trust, and several organizations may federate to endorse identity trust across them.

2.2 Pain points

Over years of use, traditional digital identity has exposed a number of problems.

(1) Issues of identity data dispersion, repeated authentication, and multiple authentications

Traditional digital identities are usually managed and controlled by one or more authorities or federations, which leads to separate authentication systems and repeated authentication. For example, in finance, the same citizen must complete Know Your Customer (KYC) checks separately to open an account at each bank. The experience is cumbersome, identity data is duplicated, and the copies may diverge or even conflict. Building the same identity system many times over not only wastes resources but also obstructs data sharing and use; the separate systems form "identity islands" that hold back the development of digital identity.

(2) Identity data privacy and security issues

In the traditional centralized model, user identity information ends up scattered across the authorities or federation members that perform authentication. It cannot be ruled out that some institutions use that data without the user's authorization. Moreover, the data is stored on the servers of many different companies, which vary widely in how seriously they take data security and in the measures they deploy, so user data leaks.

(3) Centralized authentication efficiency and fault tolerance issues

In a traditional Public Key Infrastructure (PKI), the digital certificate is the core of authentication. Certificates are issued by a relatively authoritative Certificate Authority (CA), and this centralization brings performance and security problems. Performance: every certificate operation passes through the central issuing process, which is a heavy workload and can become a bottleneck, for example when a very large Certificate Revocation List (CRL) has to be distributed effectively. Security: the single-center structure is an attractive attack target, and once a higher-level CA is compromised, every subordinate CA that chains to it is implicated, easily setting off a chain reaction. CAs are also private organizations with interests of their own, so the trustworthiness of each CA cannot be fully guaranteed.

3 Distributed digital identity

Decentralized Identifiers (DIDs) are defined in the decentralized identity specification published by the World Wide Web Consortium (W3C) as a new type of globally unique identifier (this article follows the common Chinese usage and calls the surrounding system "distributed digital identity"). Such identifiers are not limited to people: they can identify anything, including a car, an animal or a machine. Below we introduce DID technology from two angles: technical implementation and a usage scenario.

3.1 Technical implementation

3.1.1 Overview

DID technology has four core components: the DID identifier, the DID document, the verifiable credential and the verifiable presentation.

[Figure 2: Distributed digital identity architecture diagram (image not included)]

3.1.2 DID

The DID identifier is a string in a specific format that represents the digital identity of an entity; the entity may be a person, a machine or an object. The format is:

did:<method>:<method-specific-id>

for example did:example:123456789abcdefghi, the sample identifier used in the W3C specification.

[Figure 3: DID example diagram (image not included)]

(1) Scheme: the fixed prefix did, which marks the string as a DID; analogous to http, https or ftp in a URL;

(2) DID method: the method defines how identifiers in its namespace are created, resolved, updated and deactivated. Once defined, a method is registered in the W3C DID Specification Registries so that other systems following the W3C DID specification can recognize it;

(3) DID method-specific string: the identifier string under that DID method. It is unique within the method's namespace, and together with the method name it is globally unique.

3.1.3 DID document

The DID document (DID Doc) contains all information associated with a DID. It is obtained by resolving the DID, a process analogous to dereferencing a URL, and it is a general-purpose data structure. The DID controller is responsible for writing and changing it. The document holds the key material and verification methods used to verify the DID, giving the controller a mechanism to prove control over the DID. The DID controller may be the DID subject itself or a third-party organization, and different DID methods apply different permission rules to the DID Doc.
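The two checks a verifier has to get right at this layer are that the identifier it was handed really is a DID (sections 3.1.2 and 3.1.3 above describe the syntax and the document) and that the verification-method reference carried in a proof actually belongs to the DID document of the signer. The Go code below is an added example written for this article, not code from the W3C specification or from any DID method implementation. It parses a DID or DID URL against the DID Core grammar and resolves a key reference against a minimal DID document; the DID document, the did:example identifiers and the z6Mk... key strings are constructed placeholders, and the document holds only the fields this example needs.

```go
package main

import (
	"errors"
	"fmt"
	"regexp"
	"strings"
)

// DID is a parsed did:<method>:<method-specific-id>[/path][?query][#fragment].
type DID struct {
	Method   string // e.g. "example"; DID method names are lowercase
	ID       string // method-specific-id, unique only inside that method's namespace
	Fragment string // optional "#..." of a DID URL, names a verification method in the DID Doc
}

// Base returns the bare DID without path, query or fragment.
func (d DID) Base() string { return "did:" + d.Method + ":" + d.ID }

var (
	// method-name = 1*( lowercase letter / digit ), per the DID Core ABNF
	methodRe = regexp.MustCompile(`^[a-z0-9]+$`)
	// one method-specific-id segment: ALPHA / DIGIT / "." / "-" / "_" / pct-encoded
	segRe = regexp.MustCompile(`^([A-Za-z0-9._-]|%[0-9A-Fa-f]{2})*$`)
)

// ParseDID validates a DID or DID URL against the DID Core syntax. A lenient
// strings.Split would accept uppercase methods, spaces and a trailing ":"; this does not.
func ParseDID(s string) (DID, error) {
	var d DID
	if !strings.HasPrefix(s, "did:") {
		return d, errors.New("missing did: scheme")
	}
	rest := s[len("did:"):]
	// Strip DID-URL components (fragment, query, path) before validating the identifier.
	if i := strings.IndexByte(rest, '#'); i >= 0 {
		d.Fragment, rest = rest[i+1:], rest[:i]
	}
	if i := strings.IndexByte(rest, '?'); i >= 0 {
		rest = rest[:i]
	}
	if i := strings.IndexByte(rest, '/'); i >= 0 {
		rest = rest[:i]
	}
	method, id, ok := strings.Cut(rest, ":")
	if !ok || !methodRe.MatchString(method) {
		return d, fmt.Errorf("invalid DID method name %q", method)
	}
	segs := strings.Split(id, ":")
	for _, seg := range segs {
		if !segRe.MatchString(seg) {
			return d, fmt.Errorf("invalid character in method-specific-id %q", id)
		}
	}
	if segs[len(segs)-1] == "" {
		return d, errors.New("method-specific-id must not be empty or end with ':'")
	}
	d.Method, d.ID = method, id
	return d, nil
}

// DIDDocument is the subset of a DID document this example needs (hypothetical shape).
type DIDDocument struct {
	ID                 string
	VerificationMethod map[string]string // fragment -> public key (opaque string here)
	Authentication     []string          // "#fragment" or full DID URLs allowed to authenticate as ID
}

// AuthKey resolves a proof's verification-method reference (e.g. did:example:123#key-1).
// It rejects references whose base DID is not this document's own DID and fragments that
// are not listed under authentication; skipping either check lets a signer substitute keys.
func (doc DIDDocument) AuthKey(ref string) (string, error) {
	d, err := ParseDID(ref)
	if err != nil {
		return "", err
	}
	if d.Base() != doc.ID || d.Fragment == "" {
		return "", fmt.Errorf("%q does not name a key of %s", ref, doc.ID)
	}
	allowed := false
	for _, a := range doc.Authentication {
		if a == ref || a == "#"+d.Fragment {
			allowed = true
		}
	}
	key, ok := doc.VerificationMethod[d.Fragment]
	if !allowed || !ok {
		return "", fmt.Errorf("%q is not an authentication method of %s", ref, doc.ID)
	}
	return key, nil
}

func main() {
	doc := DIDDocument{ // constructed sample document
		ID:                 "did:example:123456789abcdefghi",
		VerificationMethod: map[string]string{"key-1": "z6MkPlaceholderKey1", "key-2": "z6MkPlaceholderKey2"},
		Authentication:     []string{"#key-1"},
	}
	for _, ref := range []string{"did:example:123456789abcdefghi#key-1", "did:example:123456789abcdefghi#key-2", "did:example:999#key-1"} {
		key, err := doc.AuthKey(ref)
		fmt.Printf("%s -> key=%q err=%v\n", ref, key, err)
	}
}
```

The reference check in AuthKey is the one most often skipped: a proof that says "verify me with did:example:999#key-1" while claiming to come from did:example:123 must be rejected before any signature is checked, otherwise the attacker chooses the key.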

[Figure 4: DID Doc example diagram (image not included)]

3.1.4 Verifiable credentials

A Verifiable Credential (VC) is a set of claims about a subject, made and signed by a recognized organization; it binds the user-centered DID to attributes issued by that organization. The DID document itself carries no real-world identity information; that association is made through VCs, and it is where the value of the whole system lies. A VC is similar to a digital certificate: it is proof of the user's identity or attributes, and together with DIDs it forms a trust system comparable to PKI.

[Figure 5: Distributed digital identity stakeholder relationship diagram (image not included)]

(1) Issuer: the entity that holds user data and can issue VCs, i.e. the identity provider;

(2) Holder: the entity that requests, receives and holds VCs from the issuer, i.e. the identity holder;

(3) Verifier: an application that needs to verify the user's identity, i.e. the relying party;

(4) Identifier registry (verifiable data registry): the system that maintains the DID database, stores DID identifiers and DID Docs, and returns the DID Doc for a given DID. It is often a blockchain or distributed ledger, although the W3C specification does not require one.

3.1.5 Verifiable presentations

A Verifiable Presentation (VP) is the data a VC holder uses to present their identity to a verifier. Normally the full VC could simply be shown, but for privacy reasons the holder often does not want to disclose the whole VC, preferring to disclose only selected attributes, or no attributes at all and merely prove that some assertion holds.

3.2 Usage scenario

The concepts above describe the DID world in the abstract; a scenario shows how DID is used in practice. Xiao Ming (holder) is a fresh graduate. He takes the graduation certificate issued by his school (issuer) to a company (verifier) to start a new job. One of the onboarding steps is for the company to verify Xiao Ming's identity and his graduation certificate; once verification passes, Xiao Ming is onboarded. The process is as follows:

(1) Xiao Ming generates a DID and DID Doc: to receive a graduation certificate from the school, Xiao Ming must first have his own DID. Using a digital-identity app on his phone, he generates a random private key and the corresponding public key, then creates his DID identifier and DID Doc according to the relevant specification;

(2) The school issues a diploma to Xiao Ming: the school also has its own DID, issued under the education system, so its DID method differs from the one Xiao Ming uses as a Chinese citizen. All accredited universities have DIDs, all created by the university accreditation authority's DID, which therefore plays the role of a traditional root CA. Based on Xiao Ming's academic record (enrollment date, graduation date, major, graduation status and so on) and his DID, the accredited school issues the diploma, i.e. a VC;

(3) Xiao Ming submits his academic credential to the company: on his first day, Xiao Ming must provide proof of his academic qualification. For privacy reasons he does not want to show the company the diploma itself, so from the diploma (VC) he generates a proof of academic qualification, i.e. a VP;

(4) The company verifies the credential: on receiving the VP, the company first verifies that it was submitted by Xiao Ming and has not been tampered with, then verifies that the graduation certificate (VC) inside it was issued by the school, and finally verifies that the school's DID was issued by the university accreditation authority's DID. When all checks pass, Xiao Ming is onboarded.
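The Go code below is an added example for this article, covering both the selective disclosure of section 3.1.5 and the issue/present/verify chain of the scenario above; it is not code from the W3C specification, from any DID method, or from the page's sources. It assumes a toy registry (a map from DID to a single Ed25519 public key, standing in for DID resolution), hypothetical identifiers did:edu:... and did:citizen:..., and a simple salted-hash commitment scheme for selective disclosure, similar in spirit to SD-JWT but not any particular standard: the issuer signs one SHA-256 commitment per claim, the holder reveals only the salt and value of the claims it chooses, and the verifier recomputes the commitments. The verifier also binds the presentation to a challenge it chose, and refuses a credential whose subject is not the presenter, which is what makes a stolen VC useless on its own.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"sort"
	"strings"
)

// Registry stands in for the verifiable data registry: DID -> the one Ed25519 public key
// in that DID's document. Real DID documents list several keys with distinct purposes.
type Registry map[string]ed25519.PublicKey

// Register generates a key pair, publishes the public half under did, and returns the private half.
func (r Registry) Register(did string) ed25519.PrivateKey {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	r[did] = pub
	return priv
}

// Credential is a toy VC: each claim is committed as SHA-256(name|salt|value) and the
// issuer signs the sorted commitments, so the holder can later reveal any subset.
type Credential struct {
	Issuer, Subject string
	Digests         []string
	Sig             []byte
}

// Presentation is a toy VP: the credential, the revealed "name|salt|value" triples, and the
// holder's signature, which also covers a verifier-chosen challenge to stop replay.
type Presentation struct {
	Holder, Challenge string
	Cred              Credential
	Revealed          []string
	Sig               []byte
}

func commit(name, salt, value string) string {
	h := sha256.Sum256([]byte(name + "|" + salt + "|" + value))
	return hex.EncodeToString(h[:])
}
func credMsg(c Credential) []byte {
	return []byte(c.Issuer + "|" + c.Subject + "|" + strings.Join(c.Digests, ","))
}
func presMsg(p Presentation) []byte {
	return []byte(p.Holder + "|" + p.Challenge + "|" + hex.EncodeToString(p.Cred.Sig) + "|" + strings.Join(p.Revealed, ","))
}
// verify guards against a missing registry entry; ed25519.Verify panics on a bad key length.
func verify(pub ed25519.PublicKey, msg, sig []byte) bool {
	return len(pub) == ed25519.PublicKeySize && ed25519.Verify(pub, msg, sig)
}

// Issue returns the credential plus the per-claim salts, which only the holder keeps.
func Issue(issuer, subject string, key ed25519.PrivateKey, claims map[string]string) (Credential, map[string]string) {
	c, salts := Credential{Issuer: issuer, Subject: subject}, map[string]string{}
	for name, value := range claims {
		b := make([]byte, 16)
		rand.Read(b)
		salts[name] = hex.EncodeToString(b)
		c.Digests = append(c.Digests, commit(name, salts[name], value))
	}
	sort.Strings(c.Digests) // sorted, so digest order does not reveal which claim is which
	c.Sig = ed25519.Sign(key, credMsg(c))
	return c, salts
}

// Present discloses only the named claims; the rest stay hidden behind their digests.
func Present(holder, challenge string, key ed25519.PrivateKey, c Credential, claims, salts map[string]string, reveal ...string) Presentation {
	p := Presentation{Holder: holder, Challenge: challenge, Cred: c}
	for _, name := range reveal {
		p.Revealed = append(p.Revealed, name+"|"+salts[name]+"|"+claims[name])
	}
	sort.Strings(p.Revealed)
	p.Sig = ed25519.Sign(key, presMsg(p))
	return p
}

// Verify runs the relying party's checks in the order the scenario lists them: holder
// signature and challenge, holder-subject binding, issuer signature, issuer accreditation
// by the root DID, and finally that each revealed claim matches a signed commitment.
func Verify(reg Registry, root string, accredit map[string][]byte, p Presentation, challenge string) (map[string]string, error) {
	if p.Challenge != challenge || !verify(reg[p.Holder], presMsg(p), p.Sig) {
		return nil, fmt.Errorf("presentation not signed by %s for this challenge", p.Holder)
	}
	if p.Cred.Subject != p.Holder {
		return nil, fmt.Errorf("credential subject %s is not the presenter", p.Cred.Subject)
	}
	if !verify(reg[p.Cred.Issuer], credMsg(p.Cred), p.Cred.Sig) {
		return nil, fmt.Errorf("credential not signed by issuer %s", p.Cred.Issuer)
	}
	if !verify(reg[root], []byte("accredits:"+p.Cred.Issuer), accredit[p.Cred.Issuer]) {
		return nil, fmt.Errorf("issuer %s not accredited by %s", p.Cred.Issuer, root)
	}
	claims := map[string]string{}
	for _, rv := range p.Revealed {
		f := strings.SplitN(rv, "|", 3)
		if len(f) != 3 {
			return nil, fmt.Errorf("malformed disclosure %q", rv)
		}
		d := commit(f[0], f[1], f[2])
		if i := sort.SearchStrings(p.Cred.Digests, d); i == len(p.Cred.Digests) || p.Cred.Digests[i] != d {
			return nil, fmt.Errorf("revealed claim %q not covered by issuer signature", f[0])
		}
		claims[f[0]] = f[2]
	}
	return claims, nil
}

func main() { // the scenario with constructed identifiers and claims
	reg, root, school, ming := Registry{}, "did:edu:accreditation-root", "did:edu:university-001", "did:citizen:xiaoming"
	rootKey, schoolKey, mingKey := reg.Register(root), reg.Register(school), reg.Register(ming)
	accredit := map[string][]byte{school: ed25519.Sign(rootKey, []byte("accredits:"+school))}
	claims := map[string]string{"degree": "Bachelor", "major": "Computer Science", "gpa": "3.2"}
	vc, salts := Issue(school, ming, schoolKey, claims)
	vp := Present(ming, "challenge-from-company", mingKey, vc, claims, salts, "degree", "major") // gpa stays hidden
	fmt.Println(Verify(reg, root, accredit, vp, "challenge-from-company"))
}
```

The accreditation step models the page's "root CA" analogy as a signed statement from the root DID rather than a certificate chain; a production verifier would also check revocation status of the VC and of the keys in each DID document, which this example leaves out.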

3.3 Domestic situation

In China, two trusted digital identity systems coexist: CTID (Trusted Credentials for Resident Identity on the Internet) and eID (electronic identity). eID provides online identity authentication, signature verification and offline identity authentication; eID favors hardware-based solutions, while CTID favors software-based ones.

eID was developed by the Third Research Institute of the Ministry of Public Security. It is an identity authentication technology built on domestic cryptographic algorithms and carried on a smart security chip. It can identify a natural person online without disclosing identity information and can also be used for offline identity authentication. To date it has worked with many banks to issue financial IC cards and SIMeID film cards carrying eID, has integrated with the three major telecom operators to pilot SIM cards carrying eID, and has worked with several mainstream phone manufacturers to load eID onto handsets, with integration with further manufacturers under way.

CTID was developed by the First Research Institute of the Ministry of Public Security. It provides three main functions: real identity verification, network credential opening and management, and network credential authentication. Using authentication factors such as the physical ID card, the network credential, resident identity information and facial portraits, CTID offers a range of authentication modes, from simple identity information comparison to multi-factor authentication that requires the physical document. According to the official website of Zhongdun Anxin, the CTID platform now forms an Internet trusted identity authentication infrastructure serving all regions and industries, with a capacity of more than 20,000 requests per second, an average response time of 0.5 seconds and a data volume of up to 5 billion records.

4 Risk Control

Several years have passed since DID was first proposed. Driven by industry associations, Internet platforms and foundations, the W3C advanced Decentralized Identifiers (DIDs) v1.0 to Proposed Recommendation on 3 August 2021 (it became a W3C Recommendation on 19 July 2022), giving a more general identifier architecture and specification, and many associations, organizations and enterprises have since defined DID methods on that basis. Before DID technology can be deployed in practice, however, many risks and problems remain. The technical and business risk controls for DID deployment are discussed below.

4.1 Technical risk control

(1) Cryptographic algorithm risk: whether the identity is traditional or distributed, its credibility rests on cryptographic algorithms. Because the key is the secret in any cryptosystem, stealing it is the attacker's first target, and any lapse in how keys are generated, used, stored or negotiated undoes everything else. At the same time, taking a cryptographic algorithm from theory to implementation is slow, complex and often costly in performance;

(2) Identity information leakage risk: compared with traditional digital identity, distributed digital identity greatly improves the protection of identity information, but risks remain in practice. If a third party deliberately collects and analyzes distributed identity data, it may be able to correlate large volumes of it and infer the real identity in the physical world, leaking identity information.

4.2 Business risk control

(1) Compliance requirements: early on, platforms verified identity only with a username and password; to meet compliance requirements, real-world identity verification was added. Although intended to build an accountable, traceable trust system for the network, this caused personal information leakage. Distributed digital identity mitigates the problem to some extent, but compliance questions remain, such as whether real-name authentication must still be carried out through the national identity infrastructure;

(2) Anonymity risk: another important feature of digital identity compared with traditional identity is anonymity. Mainstream distributed digital identity technology takes the position that whoever holds the digital identity enjoys the associated rights, which brings regulatory risk and, once a digital identity is stolen, risk to the applications that trust it. Some distributed identity solutions therefore map the DID to a centralized database to confirm the person whenever the DID is used, but this does not address the anonymity risk at its root and instead opens new holes for personal information leakage;

(3) Market adoption risk: technical specifications have taken initial shape, but the various identity services still need to become interconnected and interoperable. Standards should increasingly guide industry development and shape the industrial landscape, so that standards drive the industry's growth and the industry's growth in turn drives updates to the standards.

5 References

[1] Decentralized Identifiers (DIDs) v1.0 [R/OL]. World Wide Web Consortium, 2021. https://www.w3.org/TR/did-core/.

[2] Blockchain Application Service White Paper Based on Trusted Digital Identity (Version 1.0) [R]. Trusted Blockchain Promotion Plan, 2020.

[3] Yuan Yuming, Huang Huaicheng, et al. Blockchain digital identity: Infrastructure in the digital economy era [R]. Huobi Research Institute, 2020.

[4] DIDA White Paper[R]. Distributed Digital Identity Industry Alliance, 2020.

[5] eID Digital Identity System White Paper [R]. Third Research Institute of the Ministry of Public Security, 2018.

[6] Digital ID cards lead a new era of digital economy [R]. Western Securities, 2022.

[7] Shenzhen Standardization Association. T/SZAS 37-2021 Technical Requirements for Internet-Based Trusted Digital Identity Services [S]. Shenzhen, 2021.

[8] Lee G M, Jayasinghe U, Truong N B, et al. Features, Challenges and Technical Issues[C]//The Second Bright ICT Annual Workshop on Bright ICT 2016. 2016.

[9] Wang Puyu. DID: A brand new identity technology [EB/OL]. https://zhuanlan.zhihu.com/p/456469304, 2022-01-12.

[10] Zeng Yi. Introduction to decentralized digital identity DID [EB/OL]. https://www.cnblogs.com/studyzy/p/14189910.html, 2020-12-25.

Origin blog.csdn.net/qq_28505809/article/details/133268237