摘要
数字身份认证和管理系统是计算机和互联网应用的安全基础设施,当前的数字身份认证和管理系统暴露出了许多的问题,例如,数字身份的中心化存储和管理、数字身份的自主权特性较差、数字身份的隐私无保障、数字身份的认证过程不公开透明等。伴随着区块链技术的发展,其去中心、防篡改、可追溯和安全透明等特点受到了越来越多的关注,各种基于区块链的数字身份认证和管理架构相继出现,然而这些架构仍然不同程度存在上述问题。对此,本文将区块链智能合约技术、非交互式零知识证明技术、可验证凭证数字身份等结合,提出了一个基于区块链智能合约的数字身份可验证凭证零知识认证和管理架构,并详细描述了架构角色和协议流程等,其中,在协议流程中,服务提供商根据服务授权要求构造零知识证明约束条件验证程序,用户基于该程序生成零知识证明,该零知识证明可以在不透露身份和私钥的情况下向服务提供商证明用户是身份的所有者,且身份满足服务授权要求,而服务提供商对零知识证明的认证和管理等都是在智能合约中完成的,实现了认证和授权的公开透明和安全。此外,本文设计了该架构的原型系统,并基于原型系统,评估了架构中智能合约的成本和时间开销,同时讨论了基于智能合约进行零知识证明认证和管理的安全性和必要性等,最后还对整个架构的有效性和安全性等进行了评估和比较。上述结果表明,本文所提出的架构能较好的实现数字身份认证和管理的去中心化、隐私安全、认证和授权公开透明等,可为相关系统的设计提供有价值的技术参考。
Digital identity authentication and management system(DIAMS) is the security infrastructure of computer and internet applications. However, current DIAMSs have exposed many problems such as centralized storage and management of digital identities, poor self-sovereignty management on user’s own identity, poor privacy protection,non-transparent authentication and authorization and so on. Currently, along with the development of blockchain technology, its features such as decentralization, tamper-proof, traceability, security, and transparency and so on are receiving increasing attentions, resulting in that various DIAMSs based on blockchain are proposed. However, the problems mentioned above still exist in the DIAMSs based on blockchain. Therefore, this paper combines smart contract of blockchain,non-interactive zero knowledge proof with the verifiable certificate of digital identity, and proposes an architecture of DIAMS based on blockchain. Firstly, in the proposed architecture, entity roles and protocol flows are described in detail.Secondly, in the protocol flows, the verification program of constraint conditions of zero-knowledge proof(VPCCZKP) is constructed by service provider based on service authorization requirements, and user takes advantage of the VPCCZKP to generate the zero-knowledge proof which can prove that he/she is the holder of the legal identity which meets service authorization requirements without disclosing his/her private key and legal identity. In the meantime, the generated zero-knowledge proof is provided to service provider, and service provider uses the on-chain smart contracts to authenticate and manage the zero-knowledge proof in order to implement the transparency and security of authentication and authorization. On the other hand, the prototype system of proposed architecture is designed and based on the prototype system, the cost and time overhead of smart contracts of the proposed architecture is assessed. In the meantime, the security and necessity of on-chain authentication and authorization of zero-knowledge proof based on smart contracts is discussed.Furthermore, evaluations and comparisons of effectiveness and safety of the proposed architecture are conducted at the end of this paper. Finally, the results from the prototype system indicate that the proposed architecture can well realize the decentralization, privacy security, openness and transparency of digital identity authentication and management and provide value technology references for designing corresponding DIAMSs.
作者
宋智明
余益民
王贵文
陈韬伟
SONG Zhiming;YU Yimin;WANG Guiwen;CHEN Taowei(School of Information,Yunnan University of Finance and Economics,Kunming 650221,China;Institute of Intelligent Application,Yunnan University of Finance and Economics,Kunming 650221,China;Yunnan Key Laboratory of Smart City and Cyberspace Security,Yuxi Normal University,Yuxi 653100,China)
出处
《信息安全学报》
CSCD
2023年第1期55-77,共23页
Journal of Cyber Security
基金
国家自然科学基金项目(No.71964037)
中央引导地方科技发展专项资金项目(No.202007AD110001)
云南省教育厅科学研究基金(No.2022J0473)
云南省基础研究计划青年项目(No.202101AU070132)
云南省刑事科学技术重点实验室(No.YJXK005)
云南省智慧城市网络空间安全重点实验室(No.202105AG070010-SG-07)的资助。
关键词
数字身份认证和管理
区块链
智能合约
零知识身份认证
可验证凭证
digital identity authentication and management system
blockchain
smart contract
zero-knowledge identity authentication
verifiable certificate