BSN real-name DID service scenario case introduction

On December 12, 2023, the BSN real-name DID service launch conference was held in Beijing, at which the BSN real-name DID service was officially released. The service integrates two infrastructures, the BSN blockchain service network and the CTID digital identity chain, to meet the management requirement of "anonymous at the front end, real-name at the back end", and is of great significance for serving the development of the digital economy and supporting the construction of national data infrastructure.

He Yifan, executive director of the BSN Development Alliance, presented specific application cases of the BSN real-name DID service in various fields at the launch. The following is the video and a text summary of his case introduction; the text has been edited for readability.

BSN real-name DID service scenario case introduction

Whether it is BSN or the CTID system, both are very back-end systems. It is hard to picture what they do from the front end, so my job today is to give a plain-language explanation and try to explain the BSN real-name DID service in a way that everyone can understand.

To understand real-name DID, you must first understand a key term in cryptography, the "public-private key pair" of asymmetric encryption. This is a class of cryptographic algorithms proposed by Americans in 1974; it is still in use today, is an important part of cryptography, and is the most important encryption algorithm used in practical engineering.

But I think technology is always imitating human behavior. The logic of the "public-private key pair" actually appeared in China thousands of years ago. Let me give two examples to make this clear, two idioms and their allusions: "the broken mirror reunion" and "stealing the tally to save Zhao". One is about something that happened 1,500 years ago, the other about something that happened 2,300 years ago.

The story of the broken mirror reunion goes like this: when the Sui dynasty destroyed Chen, the Chen princess was forced to flee. Before leaving, she broke a mirror in two, and she and her husband each kept one half. They agreed to recognize each other five years later by the half each had kept. Five years later, at a market, the princess's old servant was holding one half of the mirror and the consort was holding the other half. The two halves were put together, and they recognized each other as agreed. This is a pair of public and private keys: it confirms identity and verifies that one of them is the prince consort.

Everyone should be familiar with the story of stealing the tally to save Zhao. There were two halves of a military tally: one in the hands of the King of Wei and the other in the hands of the general. You had to hold King Wei's half, which is equivalent to the private key, and match it against the general's half, which amounts to verifying with the public key; only then could troops be sent out. That is why Lord Xinling stole King Wei's tally.

So as you can see, the "public-private key pair" is a very old logic that has existed for thousands of years; it was only worked out mathematically in 1974. Its logic is that there must be two things which, put together, produce a series of effects.

So what exactly can a public-private key pair do? An action initiated with the private key is equivalent to stamping a seal, and the public key can then be used to prove that the stamp was made with that specific seal. The public key is also equivalent to a secret box: files or data can be locked in this box, and once locked, even the person who packed the box cannot open it; only the private key can open it.

The function of the public and private key pair is to do these two things, stamping and verifying the stamp, which is in fact also encryption and decryption. The broken mirror story is actually about encryption: the old servant holding the mirror is equivalent to an encrypted string, and no one can recognize his true identity, but the consort used his half of the mirror to verify the old servant and found that he was indeed the princess's agent. The military tally in "stealing the tally to save Zhao" is equivalent to a stamp made with King Wei's private key; after the general verifies it with his own public key, he can dispatch his troops.

So the function of the public and private key pair comes down to these two actions: private key seals, public key verifies; public key encrypts, private key unlocks. If you remember this formula, you will become a cryptography expert.

So what is the BSN real-name DID service? It is actually very simple. The public key must be easily accessible to everyone, so that anyone can verify that a certain seal was stamped with the corresponding private key, or, when sending data, can easily use the public key to encrypt so that the recipient decrypts with the corresponding private key. Therefore, one characteristic of the public key is that it must be stored in a public environment where everyone can obtain it.

So the BSN real-name DID service actually consists of two parts. The first is connecting to the CTID platform: after identity authentication on the CTID platform, a DID identifier is generated for addressing the public key, and the public key is stored in the real-name DID document that corresponds to the DID identifier. This part implements two functions: first, it proves that a public-private key pair was generated for a specific individual; second, because the public key is stored in a document that has been real-name authenticated, the public key is associated with the individual's real-name identity, such as name and ID number. The second part is storing the public key in BSN's public network environment. The DID identifier is equivalent to an address in Web3.0 and can even be associated with a distributed domain name, and anyone can use the DID identifier or distributed domain name to fetch the document, extract the public key, and then encrypt or verify with it.

So the BSN real-name DID service associates the public key with the verification of a personal identity and puts it in a public environment so that everyone can extract it. This is the logic.

Next, let me introduce the application cases of BSN real-name DID service.

First, the BSN personal data confirmation service. You can generate a file yourself; no matter what kind of file it is, a PDF, a picture, a Word document or an email, how can you prove that the file is yours after you send it out? On the Web2 Internet there is actually no way to prove this.

But now it can be proven. We can always generate a public-private key pair, and whatever file is generated, it is stamped with the private key (of course some hash algorithm is also used). The corresponding public key is placed in the real-name DID document after authentication. With that real-name DID document, anyone can use the public key to verify that this file belongs to you.

The BSN real-name DID service allows something that has never happened before on the Internet: a file can always be proven to belong to someone. And this process is invisible to everyone. For example, when a digital camera is activated, it generates a public-private key pair, then connects directly to the BSN real-name DID service system and registers the public key, and it automatically stamps each photo with the private key when the photo is taken, which is equivalent to a real-name watermark, so you can always prove who took the photo. Besides photos, this also covers PDF documents and emails. Now we are giving people a way to start confirming ownership of data. I think this is a very great change.

Second, personal data transfer. A real-name DID document can store not just one public key but many. A business platform can generate a public-private key pair and store the public key in the real-name DID document; a bank can also generate a public-private key pair for withdrawal business, store the public key in the DID document, and give the private key to the individual user. Everyone can manage many public-private key pairs. If two business parties each store a public key in the real-name DID document, the data transfer between them can be completely encrypted, and no one but the other party can decrypt it. This gives everyone a service for absolutely encrypted data flow on the Internet, which can be applied in many confidentiality-related scenarios. For example, when two staff members in certain confidential industries send emails to each other, absolute encryption can be achieved throughout the process.

Third, privacy-preserving login, which I think is the most important. 30 years ago our login method was username and password; 10 to 15 years ago it was the mobile phone verification code; in the next 10 years it will be public-private key pair login. With the BSN real-name DID service, you only need a DID identifier, or an address, when registering, and then you can log in with a private key signature generated on your own mobile phone. All business is processed using the DID identifier.

In this way, zero collection of personal information is achieved. Usernames and passwords are no longer needed. Usernames and passwords are private data, and mobile phone numbers are also private data; these private data no longer need to be provided. Instead, you only need to provide a DID identifier, which is not private data. This creates a completely new situation: personal privacy data and business data are completely decoupled on the website. This can completely prevent the application platform from reselling user data, because this data has no connection with personal identity and therefore has no value.

I think that within 10 years many countries will legislate to prohibit large Internet platforms from saving everyone's private data and require them to use real-name DID for login. The current EU GDPR stipulates that users can ask Internet platforms to delete data and that platforms must delete it, including backups. The reason for this provision is that the current Internet has no means of achieving completely anonymous login. With the advent of real-name DID technology, I believe this law will certainly be changed to simply not allow Internet platforms to save user data; real-name DID issued by the EU will have to be used to handle all business and solve all problems. This is a huge change that directly changes the way everyone uses websites. And it has already been implemented: if any website wants to provide anonymous login services, it can provide them now.

Fourth, customized business DIDs. The real-name DID document mentioned earlier is called the official DID document. Only the public key used to verify identity and the private key can be written into this document; there is no way to verify other information in it. However, the business party can generate its own business DID documents, as many as it likes, writing all kinds of business information into them.

Just as there are virtual humans in the metaverse, the country will certainly require that virtual humans can be linked to actual individuals. So we have a scenario like this: an individual has an official real-name DID document, creates 20 virtual humans, and can generate 20 corresponding business DIDs. This is equivalent to configuring a permanent ID for each virtual human, but the business DID document does not need to hold a public key; instead it holds the virtual human's modelling data. This makes the image the virtual human displays consistent in any metaverse, any game platform and any website, because the data all platforms call does not live in some back end but in a public environment for anyone to call.

This is also a core value of real-name DID technology: through DID technology, the data flows of many businesses can be connected, allowing everyone to share one set of data flows.

Fifth, personal identity credentials. Credential technology is actually a derivative of real-name DID technology; a credential is mainly a file signed with a private key. Its most important function is to be issued by a business party to prove the user's identity. It contains not only the user's DID information and real-name information but also the business party's signature, such as a bank's signature.

What effect does this have? With this credential, users can directly open an account at another cooperating bank without providing any information, because a bank and the CTID system have already vouched for the user's identity, and the user's information must be available in that bank and in the CTID system, so many types of business can be handled directly.

Sixth, personal identity information credentials. This is in fact an electronic certificate carrying personal information. Its private key must be kept by the individual; the security level is very high, and it can only be used after certain technical integration. An electronic device can scan this credential to verify who you are.

Seventh, customized personal identity credentials. The business party can freely define the template. For example, to participate in an auction, a bank needs to provide a deposit certificate, and the deposit amount needs to be added to the credential. The bank can issue an electronic letter of introduction based on a customized template, containing the bank's signature, the CTID verification serial number and a series of other things, to prove the user's identity and deposit amount.

So, to sum up, the real-name DID is like a connector that helps everyone save their public key, and a credential is equivalent to an electronic letter of introduction, issued to everyone by means of various private key signatures.

From a technical perspective, DID technology is actually very simple. Even a high school student can deploy a DID system on BSN or any public chain in 20 minutes.

However, real-name DID is very complicated. First, it must be issued by an authoritative agency; in the United States and European countries too, when it comes to real-name DID, the state must be the one that ultimately authenticates identity.

Second, there must be legislation. Our country's legislation is already in place, namely the "Personal Data Security Law": personal data must be protected at the legislative level in order to push everyone to use new technologies.

Third, the private key must ultimately be in the hands of the individual. Of course, this is hard to achieve at present, both at home and abroad, because most people do not yet have the concept of a private key and there is a lack of tools for managing private keys. So in the next two or three years many private key management tools and escrow services will gradually emerge to help people manage private keys. But in the end individuals still have to hold their own private key to truly control their own DID and identity.

Fourth, the real-name DID must be placed in a public environment and be callable by anyone at no cost. The BSN real-name DID service is placed on the Yan'an Chain, which is an open environment co-managed by many companies, including Zhongdun Anxin, a Ministry of Public Security institute, the National Information Center, China Mobile and others, which means that no one can shut the Yan'an Chain down. In the future the Yan'an Chain will be co-managed by dozens of companies to ensure that it remains an open and transparent environment.

We believe that December 12, 2023, when the BSN real-name DID service was released, will be an epoch-making day. This does not refer only to the BSN real-name DID but to all real-name DIDs in the future, which will change many architectural things and the underlying logic of the Internet.

First, users will no longer use usernames, passwords and mobile phone verification codes that expose privacy, and will gradually use real-name DID and private key signatures for registration, login and browsing. The next ten years are about the management of public-private key pairs, and the concept of public and private keys will become more and more prominent.

Second, data is permanently confirmed. For example, when a Word document is generated in the office in the future, just click Save and it will be stamped with a real-name watermark. And you don't have to worry about disputes, because where there is a watermark there is a timestamp. At the same time, its ownership can be transferred, and in the future it can even be layered, with ownership and usage rights separated.

Third, encryption, which puts many encryption methods in the hands of individuals to ensure which data can be seen by whom, giving individual users a certain control over their data.

What I want to emphasize about the real-name DID system is that it is not just a BSN real-name DID service; it will inevitably become a common technology in the future. From now on people will no longer swim naked on the Internet. The Internet is like a surging river: in the past, if you wanted to play in it, you had to throw your data into it, and anyone who wanted to see it could see it. But now the real-name DID system gives us a means to decide what data we put in and what we do with it, with a certain degree of control. This is a huge change in identity authentication on the Internet. Countries are currently studying the issue of distributed identity, but no one has yet achieved real-name distributed identity technology. Our project is indeed relatively advanced, but in 5 to 10 years every country will launch real-name DID, and real-name DID will become a standard service of the Internet.

Thank you all!
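The three mechanisms the speech keeps returning to (stamp a file with the private key and verify it with a key resolved from the DID document, log in with a private key signature instead of a password, and a bank-issued credential that another party verifies) as one worked example. This is an editor-added illustration, not code from BSN, the CTID platform or the speech. It uses Go's standard-library Ed25519 (the speech does not say which algorithm BSN uses), reduces a DID document to a map from key ID to public key, and replaces the public chain with an in-memory `Registry`; the DIDs, the server name `shop.example`, the key ID `key-1` and the deposit claim are all made up. One caveat the speech does not spell out is built in: the bytes signed at login are bound to the site and a one-time nonce, because a bare "sign this with your private key" login lets a captured signature be replayed elsewhere or later. The public-key encryption direction of the data-transfer case is not shown.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"fmt"
)

// DIDDocument is the public record a DID addresses, reduced to key ID -> hex public key.
type DIDDocument map[string]string

// Registry stands in for the public network anyone can resolve a DID against (assumption).
type Registry map[string]DIDDocument

// NewIdentity generates a key pair, publishes the public half under did#keyID and returns the private half to its owner.
func NewIdentity(reg Registry, did, keyID string) ed25519.PrivateKey {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	if reg[did] == nil {
		reg[did] = DIDDocument{}
	}
	reg[did][keyID] = hex.EncodeToString(pub) // one document may hold many keys
	return priv
}

// ResolveKey is all a verifier needs: the public key, fetched from the DID document.
func ResolveKey(reg Registry, did, keyID string) (ed25519.PublicKey, bool) {
	raw, err := hex.DecodeString(reg[did][keyID])
	if err != nil || len(raw) != ed25519.PublicKeySize {
		return nil, false
	}
	return ed25519.PublicKey(raw), true
}

// SignFile is the "stamp": hash the content, then sign the digest with the private key.
func SignFile(priv ed25519.PrivateKey, content []byte) []byte {
	d := sha256.Sum256(content)
	return ed25519.Sign(priv, d[:])
}

// VerifyFile checks a stamp with the key resolved from the signer's DID document.
func VerifyFile(reg Registry, did, keyID string, content, sig []byte) bool {
	pub, ok := ResolveKey(reg, did, keyID)
	d := sha256.Sum256(content)
	return ok && ed25519.Verify(pub, d[:], sig)
}

// LoginChallenge binds what the user signs to this server, this DID and a one-time nonce, so a captured login signature cannot be replayed elsewhere or later.
func LoginChallenge(server, did string, nonce []byte) []byte {
	return []byte("login|" + server + "|" + did + "|" + hex.EncodeToString(nonce))
}

// Credential is the "electronic letter of introduction": claims about a subject DID, signed by the issuer.
type Credential struct {
	Issuer    string            `json:"issuer"`
	Subject   string            `json:"subject"`
	Claims    map[string]string `json:"claims"`
	Signature string            `json:"signature,omitempty"`
}

// payload is what the issuer signs; encoding/json sorts map keys, so the bytes are stable.
func (c Credential) payload() []byte {
	c.Signature = ""
	b, _ := json.Marshal(c)
	return b
}

func IssueCredential(issuerPriv ed25519.PrivateKey, issuer, subject string, claims map[string]string) Credential {
	c := Credential{Issuer: issuer, Subject: subject, Claims: claims}
	c.Signature = hex.EncodeToString(ed25519.Sign(issuerPriv, c.payload()))
	return c
}

// VerifyCredential checks the issuer's signature against the issuer's own DID document.
func VerifyCredential(reg Registry, c Credential, keyID string) bool {
	pub, ok := ResolveKey(reg, c.Issuer, keyID)
	sig, err := hex.DecodeString(c.Signature)
	return ok && err == nil && ed25519.Verify(pub, c.payload(), sig)
}

func main() {
	reg := Registry{}
	alice := NewIdentity(reg, "did:example:alice", "key-1") // hypothetical DIDs
	bank := NewIdentity(reg, "did:example:bank", "key-1")
	photo := []byte("constructed sample photo bytes")
	fmt.Println("stamp verifies:", VerifyFile(reg, "did:example:alice", "key-1", photo, SignFile(alice, photo)))
	nonce := make([]byte, 32)
	rand.Read(nonce) // the server's one-time challenge
	msg := LoginChallenge("shop.example", "did:example:alice", nonce)
	fmt.Println("login verifies:", VerifyFile(reg, "did:example:alice", "key-1", msg, SignFile(alice, msg)))
	cred := IssueCredential(bank, "did:example:bank", "did:example:alice", map[string]string{"deposit": "100000"})
	fmt.Println("credential verifies:", VerifyCredential(reg, cred, "key-1"))
}
```

Two things to notice when reading it. The verifier of a file, a login or a credential never needs anything beyond the public key it resolves from the DID document, which is the "connector" role the speech describes; and the relying party in the login flow learns only a DID and a signature, never a password or phone number. In a real deployment the resolver would fetch the document from the chain rather than a map, the private key would live in a wallet or secure element on the user's device rather than in a variable, and a DID method would define the document encoding instead of the hex map used here.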



Origin blog.csdn.net/hongzaokeji/article/details/135286129