Summary:With the implementation of the European general data protection regulation (gdpr), the blockchain based distributed identifiers (did) has attracted more and more attention from academia and industry. What exactly is distributed identity? What is its design principle and implementation? What can we do with it?
Compared with the above questions, I believe you must be right“Why do I need distributed identity? “This question is more curious.
Evolution and characteristics of identity model
In the 1990s, the Internet was defined as web 1 0 The interaction between users and the network is very simple. Almost all the services provided by the website are “read-only”. No matter the text, picture or audio content, all users can do is read or simple search, which does not involve content publishing and comments, and has no requirements for identity. It can be seen that the Internet at this time does not have a practical identity system.
Internet web2 0 defines a “read-write” network. In a short period of more than ten years, application types, service forms and content ecology have developed rapidly. At the same time, the digital identity system has been redefined and constantly improved. Successively producedCentralized identity、Alliance identityandUser centric identityThree identity modes.
It is not difficult to find that the main driving force behind the change and development of identity system is the continuous enhancement of users’ awareness of identity independent control and self privacy protection。
Centralized identity dataA single entity is responsible for generation, control, management and maintenance。 For example, we are familiar with Alipay, WeChat and other accounts. Obviously, the right to use the centralized identity is shared by the central subject and users, but the generation right, interpretation right and storage right of the identity are concentrated in the body provider, which brings a series of problems such as uncontrollable identity, privacy disclosure, poor portability, poor interoperability and single point risk.
The proposal of alliance identity alleviates the above problems to a certain extent, but it has not been fundamentally solved。 For example, when users are authorized by WeChat or Alipay to enter a platform as a third party account, they will face two kinds of problems. On the one hand, the platform will collect additional user information to form a new independent identity system. On the other hand, due to the monopoly of Internet oligarchs, multiple identity providers can still conspire to control users’ digital identity.
User centered identity has not been widely used in practice due to security and other reasons.
Distributed identity fundamentally solves the above problems, does not depend on the central identity provider, and truly has the autonomy, controllability, security, self interpretation, portability and interoperability of identity.In the distributed scenario, each user is given the ability to independently control and use digital identity, and privacy protection is carried out for sensitive information such as identity data.
Web3. 0 depicts us a trusted network world connected by all things, and realizes the confirmation and authorization of data, strong privacy protection, open anti censorship free data exchange.It is Web3.0 to build a decentralized unified identity authentication system based on did One of the important practices of 0 development。
Interpreting distributed identity
Next, we discuss what is distributed identity and how it is designed and implemented.
The technical architecture of distributed identity includesDistributed ledger, standard did protocol, standard verifiable voucher protocol and application ecology based on it。 In the implementation, it will complete the registration and discovery of identity, the application, issuance, grant and verification of verifiable credentials, as well as the private storage and trusted computing of relevant data based on the blockchain.
Figure 1 Basic operation flow and use mode diagram of did system
In order to understand the basic operation process and use mode of did system, I drew a diagram (Figure 1). As can be seen from the figure, the system mainly has three types of entities, includingIssuer, holderandVerifier, where each entity can be a device, an application, an individual, or an organization.
First, each entity generates an identity document completely controlled by itself through a simple cryptography tool or did SDK (the specific data structure will be expanded later), and publishes it to the blockchain to complete identity registration. The did document can also contain the service information it can provide to support a variety of application scenarios for enterprise users. For example, if the issuer is school a, it can publish the electronic diploma authentication service in its identity document; The issuer can also be company B, stating the relevant requirements of job recruitment in the identity document.
After having the basic identity, the authentication system between identity and identity is established through verifiable credentials。 The voucher template will be registered and published to the blockchain by relevant entities and maintained continuously. Then, the holder can initiate an authentication application to the issuer and obtain the certificateCombined machiningShow it to the verifier to complete the verification. For example, in the following scenario, Xiao Wei (holder) needs to initiate an application for job recruitment published by company B (verifier), and the job requires that the applicant must have a bachelor’s degree. Xiao Wei can show the certificate applied from school a to company B to complete the position application.
Finally, the business system can complete the construction of upper application based on did system. Users do not need to have a trust relationship, and conduct business for credentials,Fine grained privacy protectionInformation.
Interesting features and application scenarios
After knowing why and what it is, let’s go a little deeper into the details of some key technologies for better application.
Identity document is the basic data structure of did, it has simple design, rich functions and strong scalability. For intuitive understanding, I plot JSON (Figure 2) composed of key fields as follows.
Figure 2 Schematic diagram of identity document
List several interesting features:
- The “publickey” list can support different secret key systems and types of public keys. Different public keys can be used to support different services. (the public key and private key are two secret keys that appear in pairs. The public key can be made public and the private key must be kept secret. Because encryption and decryption use two different secret keys, this algorithm is called asymmetric encryption algorithm.)
- The “controller” and “authentication” fields can be the public key of this document or the identification and public key of other did documents. That’s OKEasily expand a strong identity hierarchy control system。
- The “recovery” recovery ID can complete document recovery and update when the master private key is lost.
Verifiable certificatefrommetadata(Metadata)、Property declaration collection(claims) andSupporting materials(proofs) consists of three parts. See Figure 3 for key components and fields Verifiable credentials also have rich functions and strong scalability. There are many capability items involved, such as life cycle management, trusted model, zero knowledge proof, privacy spectrum, credential security, etc. Here through the introduction“Voucher fine-grained combination presentation”Help you feel the functional features of verifiable vouchers.
Figure 3 Key components and fields of verifiable voucher
The common usage mode of a voucher is that the issuer signs the summary of the entire voucher and sends the voucher to the holder encrypted. The holder decrypts or re encrypts the certificate and presents it to the verifier to complete the verification. Obviously, this design will bring two problems. On the one hand, it has poor privacy protection ability,In the process of presenting authentication, it will lead to the exposure of user irrelevant attributes。 on the other hand,Voucher usage scenarios are coupled with issuing voucher types, which is not conducive to extending usage scenarios.
For example, school a and company B mentioned earlier have released their own “services”. When Xiaowei wants to apply for a position, the recruitment requirements state that the applicant needs to be a undergraduate graduate under the age of 30. At this time, if Xiao Wei directly presents his ID card (to prove that he is less than 30 years old) and education certificate, irrelevant attributes such as name, native place, gender and college information will be exposed. If you apply to the school for an additional certificate that only includes education and age, this method is obviously very inefficient and the certificate is not reused.
One implementation of credential fine-grained combination presentation is that the issuer calculates the value of each attribute in the credential attribute set“Pedersen commitment” (for privacy protection attribute information)。 Then for all commitments“C-L signature””(play the aggregation effect of multi-attribute signature and compress the space occupied by signature)。 Before the certificate is presented, Xiaowei can select several attributes required for the service from the existing identity certificate and the newly obtained academic certificate, and disclose the plaintext. For the other attributes, the ciphertext commitment is presented to complete the position application. The following figure shows the detailed process of a small application example. You can sort it out with the serial number and description.
Figure 4 Example flow chart of verifiable credential usage based on distributed identity
So far, let’s make a summary,It’s not important to remember the details. Just understand the spirit。
This article lists the examples from web1 0 to Web3 With the development and change of Internet identity system, with the continuous improvement of users’ demands for sovereignty and privacy protection,Distributed identity and verifiable credentials are essential technologies for building a unified identity authentication system in the future。 Internationally, W3C Standards Organization released decentralized identifiers (DIDS) v1.1 at the end of 2019 0 and verifiable credentials (VC) v1 0 standard and specification draft, and continue to expand and improve. In China, the low distributed digital identity Industry Alliance (Dida) was established in June 2020.
This paper introduces the data structure, technical architecture, main functional features and application scenarios of distributed identity infrastructure. However, the distributed identity system covers far more than these. It is the identity and authentication base of the upper application ecology, and can be widely used in the fields of digital government, people’s livelihood, health care, transportation, digital finance and so on. If you want to know more details or experience it immediately, you can open itHuawei cloud official website search TDIS。
Huawei cloud distributed identity service(decentralized identity service) is a blockchain based platform for registration, issuance and management of distributed digital identities and verifiable credentials.Comply with W3C standard specifications。Provide unified and self explanatory information for individual and enterprise usersof, portable distributed identityAt the same time, it supports multi scenario verifiable voucher management, fine-grained voucher issuance and verification, and effectively solves the problems of difficult identity authentication and privacy disclosure across departments, enterprises and regions.
Click focus to learn about Huawei cloud’s new technologies for the first time~