Introduction to Distributed Digital Identity (DID), Part 5: Applications of DID

In the previous article, we presented a zero-knowledge proof method for solving the privacy problem of user identity attributes. Now let's look at the scenarios in which DID technology can be applied.

01

Secure login without password

This scenario should be familiar to everyone; it is similar to WeChat scan-to-login. When we want to register or log in to a website, we do not need to fill in a user name, password, email address and so on. We only need to open the digital identity app on the phone, scan the QR code on the login page, and when the scanned information pops up in the app, select Confirm Login. The difference between an app using DID and traditional WeChat scan-to-login is that in DID the user's identity information is controlled by the user, while the identity information used for WeChat scan-to-login is controlled by Tencent. If one day Tencent bans your WeChat account, you will no longer be able to log in to any website that you previously logged in to with WeChat. DID does not have this problem, because no one can ban your DID. The process of passwordless login with DID is as follows:

The user opens the website's login page, and the website server generates a QR code containing a randomly assigned ID, the website's DID, and the website server's URL.

The user unlocks the DID app on the phone and scans the QR code on the website.

The app reads the ID and the server URL from the QR code, generates a login request signed with the user's DID private key, uses the website's DID to look up the website's DID document on the blockchain, obtains the website server's public key from it, encrypts the request data with that public key, and sends it to the website server.

The website server decrypts the login request with its private key, looks up the DID document for the user's DID on the blockchain, obtains the user's public key from it, and verifies the signature with that key to confirm that the request really comes from the holder of that DID.

Once the server's verification passes, the login page refreshes to the logged-in state.
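The challenge-response core of the flow above, as an added Go example that is not code from the original post. It assumes Ed25519 DID keys, an in-memory map standing in for DID documents on the blockchain, and constructed DIDs (`did:example:alice`, `did:example:site`); the encryption of the request to the server's public key from step 3 is left out and assumed to be provided by the transport. What the example adds to the prose: the random ID is single-use and expires, and the signed payload binds the ID to the website's DID and URL and to the user's DID, so a replayed request, a QR code relayed from another site, or a signature reused for another DID all fail verification.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/hex"
	"errors"
	"fmt"
	"sync"
	"time"
)

// registry stands in for DID documents on the blockchain: DID -> public key.
// (Assumption: a real server resolves the DID document from the ledger.)
var registry = map[string]ed25519.PublicKey{}

func Register(did string, pub ed25519.PublicKey) { registry[did] = pub }

func Resolve(did string) (ed25519.PublicKey, error) {
	pub, ok := registry[did]
	if !ok {
		return nil, errors.New("DID not found in registry")
	}
	return pub, nil
}

// Challenge is the content the website encodes in the login QR code.
type Challenge struct {
	ID         string // random, single-use
	WebsiteDID string
	ServerURL  string
	Expires    time.Time
}

// LoginRequest is what the DID app sends back to the server.
type LoginRequest struct {
	ChallengeID string
	UserDID     string
	Signature   []byte
}

// Server keeps the challenges it has issued and not yet consumed.
type Server struct {
	DID     string
	URL     string
	mu      sync.Mutex
	pending map[string]Challenge
}

func NewServer(did, url string) *Server {
	return &Server{DID: did, URL: url, pending: map[string]Challenge{}}
}

// NewChallenge generates the random ID for a fresh QR code and remembers it.
func (s *Server) NewChallenge() Challenge {
	b := make([]byte, 16)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	c := Challenge{ID: hex.EncodeToString(b), WebsiteDID: s.DID, ServerURL: s.URL,
		Expires: time.Now().Add(2 * time.Minute)}
	s.mu.Lock()
	s.pending[c.ID] = c
	s.mu.Unlock()
	return c
}

// loginPayload is what the user signs. It binds the random ID to the website's
// DID and URL and to the user's own DID, so a QR code relayed from another site,
// or a signature reused for another DID, does not verify.
func loginPayload(c Challenge, userDID string) []byte {
	return []byte("did-login|" + c.ID + "|" + c.WebsiteDID + "|" + c.ServerURL + "|" + userDID)
}

// SignLogin is the DID app side: sign the scanned challenge with the user's key.
func SignLogin(userDID string, key ed25519.PrivateKey, c Challenge) LoginRequest {
	return LoginRequest{ChallengeID: c.ID, UserDID: userDID,
		Signature: ed25519.Sign(key, loginPayload(c, userDID))}
}

// VerifyLogin is the website side: consume the challenge, resolve the user's
// DID to a public key, and check the signature over the bound payload.
func (s *Server) VerifyLogin(req LoginRequest) error {
	s.mu.Lock()
	c, ok := s.pending[req.ChallengeID]
	if ok {
		delete(s.pending, req.ChallengeID) // single use: a replayed request fails here
	}
	s.mu.Unlock()
	if !ok {
		return errors.New("unknown or already used challenge")
	}
	if time.Now().After(c.Expires) {
		return errors.New("challenge expired")
	}
	pub, err := Resolve(req.UserDID)
	if err != nil {
		return err
	}
	if !ed25519.Verify(pub, loginPayload(c, req.UserDID), req.Signature) {
		return errors.New("signature does not match the DID's public key")
	}
	return nil
}

func main() {
	pub, key, _ := ed25519.GenerateKey(rand.Reader)
	Register("did:example:alice", pub) // constructed sample DID
	site := NewServer("did:example:site", "https://site.example/login")
	ch := site.NewChallenge() // this is what the QR code would carry
	req := SignLogin("did:example:alice", key, ch)
	fmt.Println("first login:", site.VerifyLogin(req)) // <nil>
	fmt.Println("replayed:   ", site.VerifyLogin(req)) // error: already used
}
```

The server stores nothing about the user except the DID it resolved, which is the property the next paragraph describes; the pending-challenge map is the only state it keeps, and it shrinks again on every verification.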

From the whole process we can see that the server never learns a user password, and cannot obtain anything beyond the user's DID and DID document, which protects the user's private data. You no longer need to worry about a website leaking its user database, about passwords being cracked by attackers, or about credentials stolen from one site being used to log in to other sites.

02

Authentication

In many networks that involve value, especially those involving financial products, KYC and AML are required. KYC in particular requires obtaining some of the user's identity information, and it is very cumbersome to verify that information every time you register on a financial website. Using DID for identity authentication can simplify this process. Take an Internet finance app as an example: a new user who wants to invest in it must go through procedures such as a mobile phone verification code, ID card photo verification, face recognition, video recording and so on. If the user then goes to another Internet finance app, all of the relevant verification has to be performed again, which is very troublesome. Based on DID, the identity authentication procedures can be greatly simplified. Of course, the prerequisite is that the authorities that issue identity information and certificates, such as public security bureaus and universities, have already generated VCs and sent them to the user. Users store the VCs in their own cloud space or on their mobile phones.

After the user has logged in to the app without a password, the real-name authentication process is as follows:

The user logs in to the website, app or merchant and clicks the authentication button.

The server generates a request for the information that needs to be authenticated, based on business requirements, and sends the request to the user's DID app as a QR code or by other means.

After receiving the authentication request, the DID app checks whether this DID holds a VC that meets the requirements and whether it contains the corresponding fields. If so, it displays the content to be authenticated and asks the user to unlock the private key by fingerprint or password in order to sign and generate a VP.

After confirming that the information is correct, the user unlocks the private key, generates the VP, and sends it to the merchant server as a QR code or directly over the network.

After receiving the VP, the merchant server verifies that the VP signature is correct and that the VP meets the verification requirements; if so, verification has passed. The merchant server saves the VP and associates it with the user's DID.
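The issuer / holder / merchant exchange in the steps above, as an added Go example that is not code from the original post. The `Credential` and `Presentation` structures are simplified stand-ins for a VC and a VP (they are not the W3C data model), Ed25519 keys are assumed, an in-memory map stands in for DID documents on the blockchain, and all DIDs and claim values are constructed. The merchant's check goes further than "the VP signature is correct": it also requires that the VP is bound to this merchant and this request's nonce (so a saved VP cannot be replayed), that the credential's subject is the presenter, that the issuer is on the merchant's trust list with a valid issuer signature, and that every requested field is present.

```go
package main

import (
	"crypto/ed25519"
	"encoding/json"
	"errors"
	"fmt"
)

// registry stands in for DID documents on the blockchain: DID -> public key.
// (Assumption: the merchant resolves holder and issuer DID documents from the ledger.)
var registry = map[string]ed25519.PublicKey{}

func Register(did string, pub ed25519.PublicKey) { registry[did] = pub }

// Credential is a simplified VC: claims about a subject DID, signed by the issuer.
type Credential struct {
	Issuer  string
	Subject string
	Claims  map[string]string
	Proof   []byte
}

// Presentation is a simplified VP: one credential plus the holder's signature,
// which binds it to a single merchant and a single request nonce.
type Presentation struct {
	Holder     string
	Audience   string
	Nonce      string
	Credential Credential
	Proof      []byte
}

// AuthRequest is the merchant's request, delivered to the DID app by QR code or otherwise.
type AuthRequest struct {
	MerchantDID    string
	Nonce          string   // fresh per request, so a saved VP cannot be replayed
	RequiredClaims []string // fields the business needs, e.g. name and birth_date
}

// Signing input: JSON of the object with its own Proof cleared. encoding/json writes
// map keys in sorted order, so the bytes are deterministic for these structures.
func credentialBytes(c Credential) []byte     { c.Proof = nil; b, _ := json.Marshal(c); return b }
func presentationBytes(p Presentation) []byte { p.Proof = nil; b, _ := json.Marshal(p); return b }

// IssueCredential is the issuer side (a public security bureau, a university, ...).
func IssueCredential(issuerDID string, key ed25519.PrivateKey, subject string, claims map[string]string) Credential {
	c := Credential{Issuer: issuerDID, Subject: subject, Claims: claims}
	c.Proof = ed25519.Sign(key, credentialBytes(c))
	return c
}

func hasClaims(c Credential, names []string) bool {
	for _, n := range names {
		if _, ok := c.Claims[n]; !ok {
			return false
		}
	}
	return true
}

// BuildPresentation is the DID app side: pick a VC of this holder that carries every
// required field, then sign the presentation with the (unlocked) holder key.
func BuildPresentation(holder string, key ed25519.PrivateKey, wallet []Credential, req AuthRequest) (Presentation, error) {
	for _, c := range wallet {
		if c.Subject != holder || !hasClaims(c, req.RequiredClaims) {
			continue
		}
		p := Presentation{Holder: holder, Audience: req.MerchantDID, Nonce: req.Nonce, Credential: c}
		p.Proof = ed25519.Sign(key, presentationBytes(p))
		return p, nil
	}
	return Presentation{}, errors.New("no credential in the wallet satisfies the request")
}

// VerifyPresentation is the merchant side: request binding and holder signature first,
// then the issuer chain, then the requested fields.
func VerifyPresentation(p Presentation, req AuthRequest, trustedIssuers map[string]bool) error {
	if p.Audience != req.MerchantDID || p.Nonce != req.Nonce {
		return errors.New("presentation is not bound to this request")
	}
	holderKey, ok := registry[p.Holder]
	if !ok || !ed25519.Verify(holderKey, presentationBytes(p), p.Proof) || p.Credential.Subject != p.Holder {
		return errors.New("holder unknown, holder signature invalid, or credential is about someone else")
	}
	c := p.Credential
	issuerKey, ok := registry[c.Issuer]
	if !trustedIssuers[c.Issuer] || !ok || !ed25519.Verify(issuerKey, credentialBytes(c), c.Proof) {
		return errors.New("issuer not trusted or issuer signature invalid")
	}
	if !hasClaims(c, req.RequiredClaims) {
		return errors.New("credential lacks a required field")
	}
	return nil
}

func main() {
	issPub, issKey, _ := ed25519.GenerateKey(nil)
	usrPub, usrKey, _ := ed25519.GenerateKey(nil)
	Register("did:example:psb", issPub)   // constructed issuer DID
	Register("did:example:alice", usrPub) // constructed holder DID
	vc := IssueCredential("did:example:psb", issKey, "did:example:alice",
		map[string]string{"name": "Alice", "id_number": "ID-PLACEHOLDER", "birth_date": "1990-01-01"})
	req := AuthRequest{MerchantDID: "did:example:shop", Nonce: "n-1", RequiredClaims: []string{"name", "birth_date"}}
	vp, _ := BuildPresentation("did:example:alice", usrKey, []Credential{vc}, req)
	fmt.Println("verified:", VerifyPresentation(vp, req, map[string]bool{"did:example:psb": true})) // <nil>
}
```

The trust list is the merchant's own policy: a credential with a perfectly valid signature from an issuer the merchant does not recognise for this purpose is rejected before its fields are even looked at. The selective-disclosure and zero-knowledge techniques from the earlier articles would replace the whole-credential `Claims` map in the presentation; the binding and trust checks stay the same.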

Beyond the KYC required in financial scenarios, the same flow covers the examples given earlier: verifying academic qualifications when joining a company, verifying identity when checking in at a hotel, verifying that a buyer is over 18 when purchasing cigarettes and alcohol, and verifying student status for student discounts on tickets to scenic spots.

03

Electronic signature

In the traditional electronic signature scheme, the user first needs to be issued a USB shield (U-shield), which contains the private key assigned to the user and the certificate issued to the user. For each signature, the USB shield must be plugged in and a plug-in installed before it can be used. The USB-shield-based electronic signature scheme has the following problems:

1. Preparing the USB shield (producing the certificate) takes a long time, so you cannot apply for it and use it immediately.

2. The USB shield must be carried around, but users generally only have the habit of carrying their mobile phones, not a USB shield.

3. After signing once, the signer can modify the original document and sign it again, and verification will still pass.

The electronic signature scheme based on the digital identity DID solves all three problems above. Its process is as follows:

After creating a DID on the mobile phone, the user first sends a request to a trusted issuer, obtains a VC, and stores the VC on the user's device. This VC is equivalent to the certificate file in a traditional PKI system.

After the user reviews the document on the PC and confirms that it is correct, the document hash is computed, and the hash together with other summary information is sent to the DID app by QR code or other means.

The DID app asks the user to unlock the private key, signs the document hash with it, and at the same time writes the DID, the document hash and the signature value to the chain.

The PC side queries the blockchain, retrieves the DID, signature value and other information written in the previous step, verifies them, and displays the signature result in the document.
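The hash-sign-anchor-verify steps above, as an added Go example that is not code from the original post. It assumes Ed25519 DID keys, SHA-256 as the document hash, an in-memory append-only slice standing in for the blockchain, an in-memory map standing in for DID documents, and a constructed sample document and DID. The point it makes concrete is problem 3 from the list above: once the (DID, hash, signature) record is on an append-only ledger, an edited copy of the document no longer verifies, and if the signer re-signs the edited version the original record is still there, so both versions are visible to anyone who checks.

```go
package main

import (
	"crypto/ed25519"
	"crypto/sha256"
	"errors"
	"fmt"
)

// registry stands in for DID documents on the blockchain: DID -> public key.
// (Assumption: the PC side resolves the DID document from the ledger.)
var registry = map[string]ed25519.PublicKey{}

func Register(did string, pub ed25519.PublicKey) { registry[did] = pub }

// SignatureRecord is the transaction the DID app writes to the chain:
// DID, document hash and signature value, as in the steps above.
type SignatureRecord struct {
	DID       string
	DocHash   [32]byte
	Signature []byte
	Height    int // position in the ledger, a stand-in for block height
}

// Ledger is an append-only stand-in for the blockchain: records can be added,
// never changed or removed.
type Ledger struct{ records []SignatureRecord }

func (l *Ledger) Append(r SignatureRecord) SignatureRecord {
	r.Height = len(l.records)
	l.records = append(l.records, r)
	return r
}

func (l *Ledger) ByDID(did string) []SignatureRecord {
	var out []SignatureRecord
	for _, r := range l.records {
		if r.DID == did {
			out = append(out, r)
		}
	}
	return out
}

// DocumentHash is computed on the PC side; only the hash is sent to the phone.
func DocumentHash(doc []byte) [32]byte { return sha256.Sum256(doc) }

// SignDocument is the DID app side: sign the hash with the unlocked private key
// and write DID, hash and signature to the chain.
func SignDocument(l *Ledger, did string, key ed25519.PrivateKey, doc []byte) SignatureRecord {
	h := DocumentHash(doc)
	return l.Append(SignatureRecord{DID: did, DocHash: h, Signature: ed25519.Sign(key, h[:])})
}

// VerifyDocument is the PC side: fetch the signer's records from the chain and accept
// only if one of them carries this exact document's hash with a valid signature.
func VerifyDocument(l *Ledger, did string, doc []byte) error {
	pub, ok := registry[did]
	if !ok {
		return errors.New("unknown signer DID")
	}
	h := DocumentHash(doc)
	for _, r := range l.ByDID(did) {
		if r.DocHash == h {
			if ed25519.Verify(pub, h[:], r.Signature) {
				return nil
			}
			return errors.New("on-chain signature does not verify")
		}
	}
	return errors.New("no on-chain signature for this version of the document")
}

// SignedVersions counts the distinct document hashes a DID has anchored. Because the
// ledger is append-only, re-signing an edited document leaves the earlier record in
// place, so an auditor sees every version that was ever signed.
func SignedVersions(l *Ledger, did string) int {
	seen := map[[32]byte]bool{}
	for _, r := range l.ByDID(did) {
		seen[r.DocHash] = true
	}
	return len(seen)
}

func main() {
	pub, key, _ := ed25519.GenerateKey(nil)
	Register("did:example:alice", pub) // constructed sample DID
	chain := &Ledger{}
	v1 := []byte("Contract: deliver 100 units by 2024-06-30") // constructed sample document
	v2 := []byte("Contract: deliver 10 units by 2024-06-30")  // edited after signing
	SignDocument(chain, "did:example:alice", key, v1)
	fmt.Println("original:", VerifyDocument(chain, "did:example:alice", v1)) // <nil>
	fmt.Println("edited:  ", VerifyDocument(chain, "did:example:alice", v2)) // error
	SignDocument(chain, "did:example:alice", key, v2)
	fmt.Println("versions on chain:", SignedVersions(chain, "did:example:alice")) // 2
}
```

Verification needs nothing from the signer's device: the PC only needs the document, the signer's DID and read access to the chain, which is why the USB shield and its plug-in disappear from the process.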

In the steps above, because generating and downloading the VC is done entirely in software, there is no long wait for a USB shield to be produced; the private key is stored encrypted on the mobile phone, so there is no separate USB shield to carry; and the signature result is written directly to the chain, which prevents tampering and prevents the signer from signing multiple versions of the same document.

04

Personal privacy protection

I have already discussed this in detail in the previous two articles on selective disclosure of user identity attributes and zero-knowledge proofs. When the user presents a credential, only the information required by the verifier is disclosed, not the entire content of the credential, thereby achieving personal privacy protection.

There is also a further solution called PDC (Personal Data Center). Personal data is encrypted and stored in the personal data center and associated with the personal DID; everyone is responsible for their own data. When someone needs to access part of the user's private data, authorization from the DID holder is required before it can be decrypted and accessed. This is a relatively new solution that has not yet been put into practice, so the details are not covered here.

05

IoT Identity

The application scenarios mentioned so far all concern human identity. In fact, IoT can also be closely integrated with DID. Each IoT device is assigned its own unique DID, and on the basis of IoT + blockchain + DID, application scenarios such as product traceability, Internet of Vehicles, smart manufacturing and smart cities can be built.

Take manufacturing machines as an example. Each machine has a DID, generated and assigned by the machine's manufacturer. While the machine is running it generates a large amount of production data; the machine signs this data and uploads the non-sensitive production data, the signature and its DID to the chain. The manufacturer can learn the operating status of the machine from the on-chain data, which enables better after-sales maintenance. When the enterprise needs a loan, the bank can judge its production and operating status and assess the loan risk from the production data on the blockchain, backed by the machine manufacturer's endorsement.

Now take IoT anti-counterfeiting and traceability of high-value goods as an example. When each item is manufactured, the merchant generates a private key for its IoT device and creates a unique DID. Because the private key cannot be copied or exported, only items whose DID is registered on the blockchain are genuine. Moreover, the item's DID can be mapped to a corresponding non-fungible token, expressing the item's circulation in digital form.

06

Summary

DID is a technology with a wide range of application scenarios, with particularly obvious advantages in e-government involving resident identity information. However, it requires endorsement from the public security authorities and similar bodies, and there are currently no real deployments. In the near future, with legislation protecting personal data and growing public awareness of privacy, DID is bound to shine. Beyond human identity, with the development of IoT, Internet of Vehicles and especially the emerging AIoT technology, the identity of things is becoming more and more important, and a large number of application scenarios can be built on IoT identity.

Copyright statement: This article is an original article by CSDN blogger "studyzy" and follows the CC 4.0 BY-SA copyright agreement. Please attach the original source link and this statement when reprinting.

Original link:

https://blog.csdn.net/studyzy/article/details/115266932


Origin blog.csdn.net/BSN_yanxishe/article/details/134714008