Baidu Cloud DID Specification
基于区块链建立符合W3C标准的数字身份系统,为企业、用户提供去中心化的数字身份, 保证数字身份的绝对可控和绝对拥有,解决企业和用户隐私泄漏难题。
应用场景:
- 数字身份
- 联合会员大客户体系
- 金融KYC
- 交易所
- 智慧城市
- 物联网无设备身份管理
方案特色:
- 基于区块链、联盟链构建去中心化的ID系统,对于系统的控制权近乎于平等,增强合作意向。
- 区块链非对称加密技术公钥、私钥相结合,保证ID、认证的真实性、可靠性。
- 形成更加丰富的用户画像,多标签(VIP认证、特权认证、资产认证……)一个ID行天下。
DID Definition
DID 是用户的数字身份,格式如下:
did:ccp:<method-specific-id>
例如:
did:ccp:1FsbKR6UpV6GW8o8szccdxXkquzTg2VZLL
其中<method-specific-id>=base58(ripemd160(sha256(<Base DID Document>))) (参考比特币,使用双 hash)。
其中<Base DID Document>:
{
"@context": "https://w3id.org/did/v1",
"publicKey": [
{
"id": "#keys-1",
"type": "Secp256k1",
"publicKeyHex": "02b97c30de767f084ce3080168ee293053ba33b235d7116a3263d29f1450936b71"
},
{
"id": "#keys-2",
"type": "Secp256k1",
"publicKeyHex": "4b4042665b3235a12fb49730ff620fef1c96e9efa5c90119abd2e8acfe856053"
}
],
"authentication": ["#key-1"],
"recovery": ["#key-2"]
}
在<Base DID Document>中定义了两个公钥,#keys-1主私钥对应的公钥,#keys-2为备私钥对应的公钥。
生成秘钥的算法支持:
- Secp256k1
- RSA(TBD)
注:
你也可以通过基于BIP-32和BIP-39规范生成HD钱包来控制DID。详见DID SDK。
DID Path
支持以下 Path:
/<version>:指定 DID 对应的 DID Document 的版本
DID Query
支持以下 Query:
- 暂无
DID Fragment
支持以下 Fragment:
#keys-<n>:指定引用哪个 publicKey#resolver:DID解析器器#hub:DID Identity Hub
DID Document Definition
设计 DID Document 如下格式:
{
"@context": "https://w3id.org/did/v1",
"id": "did:ccp:7f8ca8982f6cc6e8ea087bd9457ab8024bd2",
"version": 1,
"created": "2016-02-08T16:02:20Z",
"updated": "2016-02-08T16:02:20Z",
"publicKey": [
{
"id": "did:ccp:7f8ca8982f6cc6e8ea087bd9457ab8024bd2#keys-1",
"type": "Secp256k1",
"publicKeyHex": "02b97c30de767f084ce3080168ee293053ba33b235d7116a3263d29f1450936b71"
},
{
"id": "did:ccp:7f8ca8982f6cc6e8ea087bd9457ab8024bd2#keys-2",
"type": "Secp256k1",
"publicKeyHex": "e3080168ee293053ba33b235d7116a3263d29f1450936b71"
}
],
"authentication": ["did:ccp:7f8ca8982f6cc6e8ea087bd9457ab8024bd2#key-1"],
"recovery": ["did:ccp:7f8ca8982f6cc6e8ea087bd9457ab8024bd2#key-2"],
"service": [
{
"id": "did:ccp:7f8ca8982f6cc6e8ea087bd9457ab8024bd2#resolver",
"type": "DIDResolve",
"serviceEndpoint": "https://did.baidu.com"
}
],
"proof": {
"type": "Secp256k1",
"creator": "did:ccp:7f8ca8982f6cc6e8ea087bd9457ab8024bd2#keys-1",
"signatureValue": "QNB13Y7Q9...1tzjn4w=="
}
}
其中:
publicKey: 是公钥的列表。authentication: 说明拥有哪个公钥对应的私钥的用户就是此 DID 的拥有者;通过<DID>#keys-<n>来指定。recovery: 是可用于恢复的公钥列表;通过<DID>#keys-<n>来指定哪个公钥。service: 一些能够使用此 DID 的 Endpoint,例如这里放了 DIDResolve 服务的地址。
DID Creation
创建 DID 流程如下:
- 生成两对公私钥,作为主和备。
- 生成
<Base DID Document> - 对
<Base DID Document>做sha256 - 对上面的结果再做
ripemd160 - 对上面的结果做
base58 - 在上面的结果前添加
did:ccp:作为最终的DID
创建 DID 的请求如下:
{
"did": "did:ccp:3CzQLF3qfFVQ1CjGVzVRZaFXrjAd",
"document": {
"@context": "https://w3id.org/did/v1",
"id": "did:ccp:3CzQLF3qfFVQ1CjGVzVRZaFXrjAd",
"version": 1,
"created": "2019-10-23T09:14:17.961Z",
"updated": "2019-10-23T09:14:17.961Z",
"publicKey": [
{
"id": "did:ccp:3CzQLF3qfFVQ1CjGVzVRZaFXrjAd#key-1",
"type": "Secp256k1",
"publicKeyHex": "0440b3fa8e848297ff26b04088263101fa87d3541ac48bbc32fe7b77b73246578241236ab6097d4012ac17a514272a54a7b728790e914bbbff431e49d421aa1eef"
},
{
"id": "did:ccp:3CzQLF3qfFVQ1CjGVzVRZaFXrjAd#key-2",
"type": "Secp256k1",
"publicKeyHex": "04df4cf82984c9ecd4cf113e24762fb4404c1653df84ac424e4e2985ba7eb4de9249c2609414a24feea7845649299049b4babd6380ee69ef9e91c843931c877e7f"
}
],
"authentication": [
"did:ccp:3CzQLF3qfFVQ1CjGVzVRZaFXrjAd#key-1"
],
"recovery": [
"did:ccp:3CzQLF3qfFVQ1CjGVzVRZaFXrjAd#key-2"
],
"service": [
{
"id": "did:ccp:3CzQLF3qfFVQ1CjGVzVRZaFXrjAd#resolver",
"type": "DIDResolve",
"serviceEndpoint": "https://did.baidu.com"
}
],
"proof": {
"type": "Secp256k1",
"creator": "did:ccp:3CzQLF3qfFVQ1CjGVzVRZaFXrjAd#key-1",
"signatureValue": "3045022100ff51c2629c9eb5d75d9786506ad45e82a87bf91b991a4b37f6d81ce70984220302201f4aa4f609a7ff96de190db68a25603fc849f1098d3f506098dc79af826b4a67"
}
},
"operation": "create",
"timestamp": 253146316
}
DID Read
读取DID,即DID的解析,DID Resolver会根据DID返回相应的DID Document
e.g.
Your DID is did:ccp:ceNobbK6Me9F5zwyE3MKY88QZLw
curl https://did.baidu.com/v1/did/resolve/did:ccp:ceNobbK6Me9F5zwyE3MKY88QZLw
The result is:
{
"code": 0,
"message": "ok",
"requestId": "",
"content": {
"didDocument": {
"@context": "https://w3id.org/did/v1",
"id": "did:ccp:ceNobbK6Me9F5zwyE3MKY88QZLw",
"version": 2,
"created": "2019-10-21T11:12:13.065Z",
"updated": "2019-10-21T11:17:49.379Z",
"publicKey": [
{
"id": "did:ccp:ceNobbK6Me9F5zwyE3MKY88QZLw#key-1",
"type": "Secp256k1",
"publicKeyHex": "046fcbedd1107ca45be3e81fc445e5a366886a89e7087fe3d128e6236302f31594740f250433ebe9f0abcbd04dbf9c5979e270a0772ad1cc502cec2d5de9504c8c"
},
{
"id": "did:ccp:ceNobbK6Me9F5zwyE3MKY88QZLw#key-2",
"type": "Secp256k1",
"publicKeyHex": "0496712d16b0836684aacd5ab6ba3d489c35efa31f414a1c6a455fc6b37ff28e5fa97ac29c1021b76e5b78e2bbceac1dfc4ec98e6b2b3e65a29f7f1cd4944dfb93"
}
],
"authentication": ["did:ccp:ceNobbK6Me9F5zwyE3MKY88QZLw#key-1"],
"recovery": ["did:ccp:ceNobbK6Me9F5zwyE3MKY88QZLw#key-2"],
"service": [
{
"id": "did:ccp:ceNobbK6Me9F5zwyE3MKY88QZLw#resolver",
"type": "DIDResolve",
"serviceEndpoint": "https://did.baidu.com"
}
],
"proof": {
"type": "Secp256k1",
"creator": "did:ccp:ceNobbK6Me9F5zwyE3MKY88QZLw#key-1",
"signatureValue": "30440220211ffc76ae2858d6baa29faa9b576d6b2e048e8f4f7767ee1c2fba7ae6c2a78102205f5b56cd1431830b45109d716631638d961e5b252c2c2354d8bb96782d8a62ef"
}
}
}
}
DID Update
目前支持:
- 更新主私钥对应的公钥
- 更新备私钥对应的公钥
- 更新
service
更新请求举例如下:
(其中signature是使用上一版本的document中的recovery key进行签名)
{
"did": "did:ccp:3CzQLF3qfFVQ1CjGVzVRZaFXrjAd",
"document": {
"@context": "https://w3id.org/did/v1",
"id": "did:ccp:3CzQLF3qfFVQ1CjGVzVRZaFXrjAd",
"version": 1,
"created": "2019-10-23T09:14:17.961Z",
"updated": "2019-10-23T09:14:17.961Z",
"publicKey": [
{
"id": "did:ccp:3CzQLF3qfFVQ1CjGVzVRZaFXrjAd#key-1",
"type": "Secp256k1",
"publicKeyHex": "0440b3fa8e848297ff26b04088263101fa87d3541ac48bbc32fe7b77b73246578241236ab6097d4012ac17a514272a54a7b728790e914bbbff431e49d421aa1eef"
},
{
"id": "did:ccp:3CzQLF3qfFVQ1CjGVzVRZaFXrjAd#key-2",
"type": "Secp256k1",
"publicKeyHex": "04df4cf82984c9ecd4cf113e24762fb4404c1653df84ac424e4e2985ba7eb4de9249c2609414a24feea7845649299049b4babd6380ee69ef9e91c843931c877e7f"
}
],
"authentication": [
"did:ccp:3CzQLF3qfFVQ1CjGVzVRZaFXrjAd#key-1"
],
"recovery": [
"did:ccp:3CzQLF3qfFVQ1CjGVzVRZaFXrjAd#key-2"
],
"service": [
{
"id": "did:ccp:3CzQLF3qfFVQ1CjGVzVRZaFXrjAd#resolver",
"type": "DIDResolve",
"serviceEndpoint": "https://did.baidu.com"
}
],
"proof": {
"type": "Secp256k1",
"creator": "did:ccp:3CzQLF3qfFVQ1CjGVzVRZaFXrjAd#key-1",
"signatureValue": "3045022100ff51c2629c9eb5d75d9786506ad45e82a87bf91b991a4b37f6d81ce70984220302201f4aa4f609a7ff96de190db68a25603fc849f1098d3f506098dc79af826b4a67"
}
},
"operation": "edit",
"timestamp": 253146316,
"signature": "212w6nedqdm2wdp2dpdkasxkapp12kw12w12w"
}
DID Revoke
当需要吊销一个DID时,需要发送如下请求:
(其中signature是使用上一版本的document中的recovery key进行签名)
{
"did": "did:ccp:3CzQLF3qfFVQ1CjGVzVRZaFXrjAd",
"operation": "delete",
"timestamp": 253146316,
"signature": "212w6nedqdm2wdp2dpdkasxkapp12kw12w12w"
}
DID Dereference
DID反引用解析,见:DID解析器
DID Authentication Workflow
用户在 App 上使用 DID 时得证明自己是 DID 的所有者,主要运用的机制是挑战-响应机制:App 首先根据用户提供的 DID 用从 DID Resolver 查到对应的 DID Document,然后 App 使用 DID Document 中的公钥加密自己随机生成的一串 nonce,发送给用户,用户用自己的私钥解密后得到这串 nonce,把 nonce 发送给 App 完成挑战。
DID Login Workflow
用户操作流程:
- 选择使用 DID 登入/认证,显示一个二维码
- 用户使用移动端 DID Wallet 扫描此二维码,并在 Wallet 上确认登入
- 登入完成
内部挑战响应流程:
- 选择使用 DID 登入/认证,显示一个二维码,二维码上关键信息:loginId,loginUrl
- 用户使用移动端 DID Wallet 扫描此二维码,获取 loginId 和 loginUrl
- 用户向 loginUrl 发送 did 和 loginId
- 目标 App 后端收到请求后,首先根据此 DID 去 DID Resolver 获取此 DID 对应的 Document,获得 Document 中的公钥;然后使用此公钥加密一个随机生成的 nonce 得到加密结果 ciphertext 并返回给 DID Wallet
- 移动端 DID Wallet 使用 did 对应的私钥解密 ciphertext 得到 plainText
- 移动端 DID Wallet 把此 plainText 和 loginId 发送给目标 App 后端
- 目标 App 后端验证挑战响应结果,即 plainText=nonce
- 目标 App 前端轮询得知挑战成功,即登入成功
注:
- 黄色框内是 App 的接入成本,涉及前端和后端
Signature
签名统一遵循 ASN.1 DER Encoding 格式,详见=>https://en.wikipedia.org/wiki/X.690#DER_encoding
对于 ECDSA Signature R|S 的签名,转换方式为:
ECDSA签名:
Signarure(M) = (r,s)
ASN.1 DER Encoding格式:
0x30|b1|0x02|b2|r|0x02|b3|s
b1 = Length of remaining data,1-byte
b2 = Length of r,1-byte
b3 = Length of s,1-byte
e.g.
r|s =
6f0156091cbe912f2d5d1215cc3cd81c0963c8839b93af60e0921b61a19c5430 c71006dd93f3508c432daca21db0095f4b16542782b7986f48a5d0ae3c583d4
==>
304402206f0156091cbe912f2d5d1215cc3cd81c0963c8839b93af60e0921b61a19c543002200c71006dd93f3508c432daca21db0095f4b16542782b7986f48a5d0ae3c583d4
=>
30
44
02
20
6f0156091cbe912f2d5d1215cc3cd81c0963c8839b93af60e0921b61a19c5430
02
20
0c71006dd93f3508c432daca21db0095f4b16542782b7986f48a5d0ae3c583d4
注:r、s 会有 padding
Privacy considerations
- 与用户隐私相关的信息不上链,而是在发证方(权威机构)侧,用发证方颁发的声明来证明用户的隐私属性,从而更好的保障用户的隐私不被泄露。
- 能证明DID归属的私钥只存在用户的设备上,不会给任何第三方知晓。
- DID Document使用签名技术来防止恶意的篡改。
Security considerations
- 身份恢复:权威机构的私钥丢失后,可以通过 recovery 私钥进行主私钥的 reset,但是这样的话,之前签出来的 claim 都会失效。
- 底层支持使用基于
Quorum改造的联盟的,具备更好的节点准入、隐私交易能力。
References
- W3C DID Spec:https://w3c.github.io/did-core/
- W3C DID Method Registry:https://w3c-ccg.github.io/did-method-registry/
- W3C DID Resolution:https://w3c-ccg.github.io/did-resolution/