With the implementation of the European General Data Protection Regulation (GDPR), blockchain-based decentralized identity (Decentralized Identifiers, DID) is attracting growing attention from both academia and industry. What exactly is decentralized identity? What are its design principles, and how is it implemented? What can we use it for?
This makes the question of "why do we need decentralized identity?" all the more intriguing.
In the 1990s, the Internet was defined as Web 1.0. User interaction with the network was very simple: websites offered almost exclusively "read-only" services. Whether the content was text, images or audio, all a user could do was read it or run simple searches; publishing content and commenting were not involved, and no identity was required. Clearly, the Internet of that era had no identity system of any practical use.
Web 2.0 defined a "read-write" network, and in little more than a decade application types, service forms and the content ecosystem all developed rapidly. At the same time, the digital identity system was redefined and continually refined, producing in turn three identity models: centralized identity, federated identity and user-centric identity.
It is not hard to see that the main driving force behind the evolution of identity systems has been users' growing demand for control over their own identities and their growing awareness of privacy protection.
In centralized identity, the identity data is generated, controlled, managed and maintained by a single entity; familiar examples are Alipay and WeChat accounts. Clearly, the right to use a centralized identity is shared between the central entity and the user, but the rights to create, interpret and store the identity are concentrated in the identity provider. This brings a series of problems: the identity is not under the user's control, privacy leaks, poor portability, poor interoperability and single points of failure.
Federated identity alleviates these problems to some degree but does not fundamentally solve them. For example, when a user logs in to a platform as a third-party account through WeChat or Alipay authorization, two kinds of problem arise. On the one hand, the platform still collects additional user information and forms a new, independent identity system. On the other hand, because of the monopoly of the Internet giants, several identity providers can still collude to control a user's digital identity.
User-centric identity has not been widely adopted in practice, for reasons including security.
Decentralized identity solves these problems at the root. It does not depend on a central identity provider and genuinely gives identity the properties of user control, security, self-description, portability and interoperability. In a decentralized setting it gives every user the ability to control and use their digital identity independently, and it protects the privacy of sensitive information such as identity data.
Web 3.0 paints a picture of a trusted network world in which everything is connected, realizing data ownership and authorization, strong privacy protection, and open, censorship-resistant, free data exchange. Building a unified identity authentication system that runs in a decentralized way on top of DID is one of the important practices in the development of Web 3.0.
Next we discuss what decentralized identity is, together with its design principles and how it is implemented.
The technical architecture of decentralized identity consists of a distributed ledger, the standard DID protocol, the standard Verifiable Credentials protocol, and the application ecosystem built on top of them. The implementation uses the blockchain to register and discover identities; to apply for, issue, grant and verify verifiable credentials; and to provide private storage and trusted computation for the related data.
Figure 1. Basic operating flow and usage of a DID system
To make the basic operating flow and usage of a DID system easier to understand, I have drawn a diagram (Figure 1). As the figure shows, the system has three main kinds of entity: issuers, holders and verifiers, and each entity may be a device, an application, an individual or an organization.
First, each entity uses simple cryptographic tools or a DID SDK to generate an identity document that is entirely under its own control (the specific data structure is explained later) and publishes it to the blockchain to complete identity registration. A DID document can also include information about the services the entity offers, supporting the diverse application scenarios of enterprise users. For example, if the issuer is School A, it can publish an electronic degree certification service in its identity document; if the issuer is Company B, it can state the requirements of a job opening in its identity document.
Once the basic identifiers exist, verifiable credentials set up the authentication relationships between identities. Credential templates are registered and published on the blockchain by the relevant entity and maintained on an ongoing basis. A holder can then submit a credential application to an issuer; after obtaining the credential, the holder combines and processes it and presents it to a verifier, who checks it. For example: Xiao Wei (the holder) wants to apply for a job opening published by Company B (the verifier), and the opening requires a bachelor's degree. Xiao Wei can present the credential obtained from School A to Company B to complete the job application.
Finally, business systems can build upper-layer applications on top of the DID system. Users need no pre-existing trust relationship; business is conducted against credentials, and private information is protected at fine granularity.
It's that simple!
Now that we know the why and the what, let's look a little more closely at the details of a few key technologies so that we can use them better.
The identity document is the basic data structure of DID; its design is concise, feature-rich and highly extensible. To give an intuitive picture, I have drawn the JSON made up of its key fields as Figure 2.
Figure 2. Identity document diagram
A few interesting features:
- The "publicKey" list can hold public keys of different key systems and types, and different public keys can serve different business needs. (A public key and a private key are two keys that come as a pair: the public key can be disclosed, while the private key must be kept secret. Because encryption and decryption use two different keys, this kind of algorithm is called an asymmetric encryption algorithm.)
- The "controller" and "authentication" fields can be public keys of this document, or the identifiers or public keys of other DID documents. This makes it easy to build a powerful hierarchical identity control system.
- The "recovery" identifier allows the document to be recovered and updated if the master private key is lost.
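As an added example (not code from the original article or from any DID SDK), a small Python resolver applies the "controller" and "authentication" rules above to decide which keys may act for a DID: the sample documents, their field layout and the did:example values are constructed assumptions, not the exact JSON of Figure 2.

```python
# Constructed sample DID documents (assumption: the field layout follows the bullets
# above, not the exact JSON of Figure 2). A plain dict stands in for the on-chain registry.
LEDGER = {
    "did:example:school-a": {
        "id": "did:example:school-a",
        "publicKey": [{"id": "did:example:school-a#key-1", "type": "Ed25519", "value": "<pk>"}],
        "controller": "did:example:school-a",
        "authentication": ["did:example:school-a#key-1"],
    },
    "did:example:registrar": {  # departmental DID whose control is delegated to the school
        "id": "did:example:registrar",
        "publicKey": [{"id": "did:example:registrar#key-1", "type": "Secp256k1", "value": "<pk>"}],
        "controller": "did:example:school-a",
        "authentication": ["did:example:registrar#key-1", "did:example:school-a"],
    },
}

def resolve(ref):
    """DID document for a DID or key reference ('did#fragment'); a real system reads the ledger."""
    return LEDGER.get(ref.split("#")[0])

def key_exists(key_id):
    """A key reference only counts if the owning document really lists that key."""
    doc = resolve(key_id)
    return doc is not None and any(k["id"] == key_id for k in doc.get("publicKey", []))

def authentication_keys(did, seen=None):
    """All key ids allowed to authenticate as `did`: its own authentication entries,
    the keys of DIDs named there, and the keys of its controller chain (cycle-safe)."""
    seen = set() if seen is None else seen
    doc = resolve(did)
    if doc is None or did in seen:
        return set()
    seen.add(did)
    keys = set()
    for ref in doc.get("authentication", []):
        if "#" in ref:                       # a key of this or another document
            if key_exists(ref):
                keys.add(ref)
        else:                                # a bare DID: inherit its authentication keys
            keys |= authentication_keys(ref, seen)
    ctrl = doc.get("controller")
    if ctrl and ctrl != did:                 # the controller's keys may act for this DID
        keys |= authentication_keys(ctrl, seen)
    return keys

def is_authorized(did, key_id):
    """Would a signature made with `key_id` be accepted as authentication for `did`?"""
    return key_id in authentication_keys(did)
```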
A verifiable credential consists of three parts: metadata (Metadata), a set of attribute claims (Claims) and proof material (Proofs). The key components and fields are shown in Figure 3. Verifiable credentials are likewise feature-rich and highly extensible, and they involve many capabilities, such as lifecycle management, trust models, zero-knowledge proofs, the privacy spectrum and credential security. Here we introduce "fine-grained combined presentation of credentials" to give a feel for the functional characteristics of verifiable credentials.
Figure 3. Key components and fields of a verifiable credential
The common way of using a credential is for the issuer to sign a digest of the whole credential and send the credential, encrypted, to the holder. The holder decrypts (or re-encrypts) the credential and presents it to the verifier for checking. Clearly this design has two drawbacks. On the one hand, its privacy protection is weak: the presentation process exposes attributes of the user that are irrelevant to the check. On the other hand, the usage scenario of the credential is coupled to the type of credential issued, which makes it hard to extend to new scenarios.
With fine-grained combined presentation, the issuer instead computes a "Pedersen commitment" for each attribute in the credential (protecting the privacy of the attribute information) and then produces a "CL signature" over all the commitments (which aggregates the signatures over multiple attributes and compresses the space the signature occupies). Before presenting, Xiao Wei can pick, from the existing identity credential and the newly obtained degree credential, the few attributes the service needs and disclose them in plaintext, while presenting only the commitments (ciphertext) for all other attributes, and so complete the job application. The figure below shows the detailed flow of Xiao Wei's job application example; you can follow the numbered steps and descriptions.
Figure 4. Example flow of verifiable credential use based on decentralized identity
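To make the fine-grained presentation concrete, here is an added Python example (not code from the article or from TDIS) that walks through Xiao Wei's flow for a single credential: the issuer commits to each attribute with a Pedersen commitment and signs the commitments, the holder discloses only the attributes Company B needs, and the verifier checks both. The group parameters are a toy, and a Schnorr-style signature stands in for the CL signature; both are assumptions.

```python
import hashlib, secrets

# Toy group (assumption): p is the Mersenne prime 2^127-1; g and h are ad-hoc bases with no
# proven unknown discrete log between them. A real deployment uses a standard prime-order group.
P = 2**127 - 1
G, HB = 5, 7
N = P - 1  # exponents are reduced modulo the group exponent p-1
def h_int(*parts):
    """Hash arbitrary parts to an integer (attribute encoding and Fiat-Shamir challenge)."""
    return int.from_bytes(hashlib.sha256("|".join(map(str, parts)).encode()).digest(), "big")
def commit(value):
    """Pedersen commitment C = g^m * h^r mod p; the opening (m, r) stays with the holder."""
    m, r = h_int(value) % N, secrets.randbelow(N)
    return pow(G, m, P) * pow(HB, r, P) % P, (m, r)
def opens(c, m, r):
    return c == pow(G, m, P) * pow(HB, r, P) % P

# Schnorr-style signature over the commitment list: stands in for the CL signature named
# above (assumption), aggregating all attributes into one signature but without CL's features.
def keygen():
    x = secrets.randbelow(N)
    return x, pow(G, x, P)
def sign(x, msg):
    k = secrets.randbelow(N)
    R = pow(G, k, P)
    return R, (k + h_int(R, *msg) % N * x) % N
def verify(y, msg, sig):
    R, s = sig
    return pow(G, s, P) == R * pow(y, h_int(R, *msg) % N, P) % P
def bound(comms):  # sign attribute names with their commitments so they cannot be relabelled
    return [f"{n}={comms[n]}" for n in sorted(comms)]

def issue(issuer_sk, claims):
    """Issuer: one commitment per attribute, one signature over all commitments."""
    comms, openings = {}, {}
    for name, value in claims.items():
        comms[name], openings[name] = commit(value)
    return {"commitments": comms, "signature": sign(issuer_sk, bound(comms))}, openings

def present(cred, openings, claims, reveal):
    """Holder: disclose only `reveal` attributes (value + r); the rest stay as commitments."""
    return dict(cred, revealed={n: (claims[n], openings[n][1]) for n in reveal})

def check_presentation(issuer_pk, pres):
    """Verifier: the signature must bind every commitment, and each disclosed attribute
    must open its commitment; undisclosed attributes stay hidden but cannot be altered."""
    comms = pres["commitments"]
    if not verify(issuer_pk, bound(comms), pres["signature"]):
        return False
    return all(opens(comms[n], h_int(v) % N, r) for n, (v, r) in pres["revealed"].items())
```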
Let's sum up briefly here. It doesn't matter whether you remember the details; just take away the spirit of it.
This article has traced the evolution of Internet identity systems from Web 1.0 to Web 3.0. As users' demands for sovereignty and privacy protection keep rising, decentralized identity and verifiable credentials are indispensable technologies for building the unified identity authentication systems of the future. Internationally, the W3C standards organization released the Decentralized Identifiers (DIDs) v1.0 and Verifiable Credentials (VC) v1.0 draft specifications at the end of 2019 and continues to extend and refine them. In China, the Distributed Digital Identity Industry Alliance (DIDA) was founded at the end of June 2020.
This article has introduced the basic data structures, technical architecture, main functional features and application scenarios of decentralized identity. But a decentralized identity system covers far more than this: it is the identity and authentication foundation of the upper-layer application ecosystem and can be applied widely in digital government, public services, healthcare, transportation, digital finance and other fields. If you want to learn more or try it out right away, open the Huawei Cloud website and search for TDIS.
Huawei Cloud Decentralized Identity Service is a blockchain-based platform for registering, issuing and managing decentralized digital identities and verifiable credentials, and it conforms to the W3C specifications. It provides individual and enterprise users with unified, self-describing, highly portable decentralized identifiers; supports verifiable credential management across multiple scenarios with fine-grained credential issuance and verification; and effectively addresses problems such as the difficulty of cross-department, cross-enterprise and cross-region identity authentication and privacy leakage.
References
https://www.w3.org/2019/did-wg/
https://w3c.github.io/vc-data-model/
https://www.huaweicloud.com/product/bcs/tdis.html