A method and system for two-way authentication based on a trusted connector

By storing the connector's distributed identity identifier and user rights certificate on the blockchain, combined with the transport layer security protocol, the public verifiability of the connector's identity and the dynamic management of user authorization are realized. This solves the problems of channel hijacking and offline authorization in connector identity authentication, and improves communication security and access control efficiency.

CN122137675BActive Publication Date: 2026-07-14HEFEI INSTITUTE OF PHYSICAL SCIENCE CHINESE ACADEMY OF SCIENCES +1

Patent Information

Authority / Receiving Office
CN · China
Patent Type
Patents(China)
Current Assignee / Owner
HEFEI INSTITUTE OF PHYSICAL SCIENCE CHINESE ACADEMY OF SCIENCES
Filing Date
2026-04-30
Publication Date
2026-07-14

AI Technical Summary

Technical Problem

In existing technologies, connector authentication lacks organizational endorsement, making it impossible to determine whether users have legitimate operating permissions. Furthermore, when users are offline, it cannot be proven that the communication operation was actively assigned by the user, posing a risk of channel hijacking and identity credential theft.

Method used

By storing the connector's distributed identity identifier (DID) document and user rights certificate on the blockchain, combined with the transport layer security protocol communication certificate, triple binding verification is achieved, including physical channel, organizational endorsement, and user authorization statement. Dynamic validity period management and selective disclosure technology are adopted to ensure the public verifiability of the connector's identity and the legality of its permissions.

Benefits of technology

It achieves public verifiability of connector identity, eliminates channel hijacking and identity credential theft, improves the flexibility of offline user authorization and the response speed of permission management, and ensures the security depth of connector communication.

✦ Generated by Eureka AI based on patent content.

Smart Images

  • Figure CN122137675B_ABST
    Figure CN122137675B_ABST
Patent Text Reader

Abstract

The application discloses a kind of two-way authentication method and system based on trusted connector, it is related to trusted data space technical field.The specific inclusion is as follows: first connector stores its identity document containing first public key in block chain, obtains document containing second public key and user right certificate.Both parties establish secure communication channel, and first connector uses associated certificate to handshake.Second connector obtains current public key and compares with on-chain.Second connector sends identity certificate, and includes authorization declaration certificate and digital signature of right segment and validity period query address.Second connector queries chain according to the address to obtain validity period state.Public key comparison is consistent and not expired, and authentication is successful.The purpose is to eliminate channel hijacking, and meet the needs of user offline authorization.
Need to check novelty before this filing date? Find Prior Art

Description

Technical Field

[0001] This invention relates to the field of trusted data space technology, and in particular to a two-way authentication method and system based on trusted connectors. Background Technology

[0002] Existing two-way authentication between connectors is based on trusted identity credentials. That is, identity authentication is achieved by exchanging trusted identity credentials and verifying the digital signatures of both parties. The trusted identity credentials of the access connector are issued by a trusted identity provider, and the specific authentication process is completed through the Hypertext Transfer Security Protocol.

[0003] Existing blockchain-based cross-domain identity authentication technologies, such as the Chinese invention patent with authorization announcement number CN115664683A, disclose a cross-domain method based on blockchain smart contracts. This method constructs a trust consortium chain and creates a dedicated smart contract for the issuer to issue user certificates and store certificate credentials. While Hypertext Transfer Security (HTTP) is secure, the HTTP certificate and the distributed identity credentials at the business layer are typically two independent systems. If the session after the HTTP handshake is intercepted, or if the connector uses a legitimate HTTP certificate but steals someone else's verifiable credentials, it is difficult for the system to detect such forgery at the underlying level.

[0004] In existing solutions, any connector with valid credentials can communicate with its peer connector, lacking organizational endorsement and making it impossible to determine whether the user operating the connector has legitimate authorization. Furthermore, when the connector operates autonomously, current technology does not consider the real-time authorization intentions of individuals or organizations. If the user is offline, the connector cannot prove that its current communication operation was actively assigned by the user.

[0005] Therefore, how to bind connector identity, transport layer security protocol communication certificate and user rights certificate to prevent channel hijacking and meet users' offline authorization needs has become an urgent technical problem to be solved. Summary of the Invention

[0006] The main objective of this invention is to provide a two-way authentication method and system based on a trusted connector, which aims to bind the connector identity, transport layer security protocol communication certificate, and user rights certificate to prevent channel hijacking and meet the user's offline authorization requirements.

[0007] To achieve the above objectives, this invention proposes a two-way authentication method based on a trusted connector. The method is applied to an authentication system comprising a first connector, a second connector, and a blockchain. The method includes:

[0008] The first connector contains the first public key. The first distributed identity document (DID) is stored on the blockchain.

[0009] Obtain the second DID document and user rights certificate stored by the user on the blockchain, wherein the second DID document contains the second public key. The user rights certificate contains a list of user permissions;

[0010] A secure communication channel is established between the first connector and the second connector, wherein the first connector uses the same public key as the first connector. The associated digital certificate performs a handshake and generates a handshake session;

[0011] The second connector obtains the current public key of the first connector from the handshake session. And verify the current public key. The first public key in the first distributed identity document (DID) retrieved from the blockchain. Are they consistent?

[0012] The first connector sends a connector identity credential, an authorization statement credential signed by the user, and a digital signature for the current message to the second connector through the secure communication channel; wherein, the authorization statement credential includes a rights fragment for the first connector, authorization category, first connector identifier, and validity period query address extracted from the user's rights credential.

[0013] The second connector queries the blockchain for the latest validity status of the authorization statement certificate based on the validity query address;

[0014] When the public key verification is consistent and the current validity period is within the latest validity period, the second connector confirms that the first connector has successfully authenticated; wherein, after the second connector completes the authentication of the first connector, the first connector performs identity credential verification, channel binding verification, authorization statement verification and validity period status verification on the second connector to complete the two-way authentication between the first connector and the second connector;

[0015] The validity period query address points to the validity period variable stored on the blockchain. The validity period variable Asynchronous updates by the user are supported, and the update process does not require re-signing the authorization statement credential.

[0016] Preferably, the first connector contains the first public key. The first distributed identity document (DID) is stored on the blockchain, including:

[0017] The first connector generates the first blockchain account. ;

[0018] The first connector will transmit the first public key. and the first blockchain account Write the first distributed identity identifier (DID) document, and pass the first distributed identity identifier (DID) document through the first blockchain account. On-chain evidence storage is performed on the blockchain.

[0019] Preferably, before sending the connector identity credentials, the process further includes:

[0020] The issuing organization queries the first distributed identity identifier (DID) document on the blockchain and verifies its legitimacy.

[0021] Upon successful verification, the issuing organization issues the connector identity credential to the first connector.

[0022] Preferably, the second connector verifies the validity of the connector identity credential by:

[0023] The second connector queries the blockchain for the first distributed identity identifier (DID) document of the first connector, and the third DID document of the organization issuer;

[0024] The second connector verifies the connector identity credentials based on the public key information in the third DID document, and verifies the received message signature based on the first distributed identity identifier (DID) document.

[0025] Preferably, the rights fragment is extracted from the user's rights certificate using selective disclosure technology, and the rights fragment contains only specific operation permission information for the first connector.

[0026] Preferably, the second connector verifies the claim segment, including:

[0027] The second connector uses the second public key from the second DID document. Verify that the authorization statement credential was signed by the user;

[0028] The second connector verifies whether the authorization category in the authorization statement credential, the first connector identifier, and the current access request match.

[0029] Preferably, the second connector queries the latest validity period status, including:

[0030] The second connector accesses the validity period query address to obtain the validity period variable. The current value;

[0031] Determine the current system time Does it satisfy the relation? ;

[0032] If the conditions are met, the authorization statement credential is deemed to be within the scope of validity.

[0033] Preferably, after the first connector is successfully authenticated, it negotiates and generates a symmetric encryption key with the second connector based on the secure communication channel.

[0034] This application also discloses a two-way authentication system based on a trusted connector, including a first connector, a second connector, a blockchain, and an organization issuer. The system includes a memory and a processor. The memory stores a computer program, which, when executed by the processor, implements the two-way authentication method based on a trusted connector as described in any of the preceding claims.

[0035] The above technical solution has the following advantages:

[0036] The first connector contains the first public key. The first distributed identity document is stored on the blockchain, realizing the public verifiability and immutability of the connector identity, and by obtaining the second public key... The second distributed identity document and user rights credentials containing a list of user permissions establish the legitimacy of user permissions. The first connector and the second connector establish a secure communication channel and perform a handshake using associated digital certificates, generating a handshake session. The second connector then obtains the current public key from the handshake session. And verify its connection with the first public key found in the blockchain. The consistency verification completes the channel-level verification, effectively preventing man-in-the-middle attacks and the use of stolen identity credentials in unauthorized channels. The first connector sends an authorization statement credential containing a rights fragment, personally signed by the user. This effectively prevents the connector from reverse-engineering the user's full organizational permissions. The authorization statement credential also includes a pointer to a validity period variable on the blockchain. The validity period query address achieves physical isolation between the authorization statement credential and its validity period. The second connector uses this address to query the latest validity period status and determine the current system time. Does the time limit condition meet, and is the validity period variable... It supports asynchronous updates by users, and the update process does not require re-signing authorization statement credentials, greatly improving the response speed of permission revocation and change. The above-mentioned physical layer public key verification consistency, organizational layer identity credential validity, and user layer authorization statement matching realize comprehensive multi-factor verification, and finally securely complete the two-way authentication between the first connector and the second connector, significantly improving the security depth of autonomous communication between connectors in the trusted data space. Attached Figure Description

[0037] The present invention will now be described in detail with reference to specific embodiments and accompanying drawings, wherein:

[0038] Figure 1 This is a schematic diagram of the structure of a two-way authentication system based on a trusted connector provided in an embodiment of the present invention.

[0039] Figure 2 This is a flowchart illustrating a two-way authentication method based on a trusted connector provided in an embodiment of the present invention.

[0040] Figure 3 This is a flowchart illustrating the verification logic of a single-sided connector provided in an embodiment of the present invention. The verification process for the other-sided connector is the same. Detailed Implementation

[0041] To make the objectives, technical solutions, and advantages of this invention clearer, the technical solutions of the embodiments of this invention will be clearly and completely described below with reference to the accompanying drawings. Obviously, the described embodiments are only some, not all, of the embodiments of this invention. All other embodiments obtained by those skilled in the art based on the embodiments of this invention without creative effort are within the scope of protection of this invention.

[0042] Example 1

[0043] like Figures 1 to 3 This embodiment provides a two-way authentication method based on a trusted connector. This method is applied to an authentication system that includes a first connector, a second connector, a blockchain, and an organization issuing the authentication. The system aims to solve problems in existing technologies such as the disconnect between identity and channel, insufficient authorization basis, and offline user authorization through a triple identity binding mechanism, achieving end-to-end trust traceability from physical channel to logical authorization.

[0044] In the specific implementation process, the first connector first contains the first public key. The first distributed identity identifier, or DID document, is stored on the blockchain. In this step, the first connector first generates the first blockchain account locally. Then the first public key mentioned above And the first blockchain account It is written into its corresponding first distributed identity identifier (DID) document. The first connector utilizes the first blockchain account. The private key is used to sign the first distributed identity document (DID) and send it to the blockchain for on-chain storage, thereby ensuring the public verifiability and immutability of the connector identity across the entire network.

[0045] During the authentication preparation phase, it is also necessary to obtain the user's second DID document and user rights certificate stored on the blockchain. The second DID document contains the user's second public key. The user rights certificate contains a list of the user's permissions within their respective region or industry organization. This certificate is typically pre-issued to the user by the issuing organization and is kept by the user. To further ensure the legitimacy of the connector and provide organizational-level credibility, before the first connector initiates authentication, the issuing organization queries the first Distributed Identity Identifier (DID) document on the blockchain. The issuing organization verifies the legitimacy of the public key, account, and other information in the DID document. Once it confirms that the connector is within a trusted scope, it issues a connector identity certificate to the first connector.

[0046] When the first connector needs to communicate with its peer, the second connector, both parties first establish an initial encrypted channel through a security protocol. Specifically, a secure communication channel is established between the first and second connectors, where the first connector uses its first public key. A strongly associated self-signed digital certificate initiates a Transport Layer Security (TLS) handshake request, generating a handshake session in the process. This step initially achieves public key declaration at the channel layer, laying the foundation for subsequent binding verification.

[0047] After receiving the handshake request and initially establishing a connection, the second connector performs the first layer of verification in the triple binding process: channel binding verification. The second connector directly extracts the current public key used by the first connector from the current handshake session. Simultaneously, the second connector, based on the identity identifier provided by the first connector, retrieves its pre-stored first distributed identity identifier (DID) document from the blockchain and parses out the first public key within it. The second connector is for the current public key. With the first public key A consistency check is performed. If the two are identical, it proves that the current communication channel was indeed established by a legitimate connector holding the corresponding private key, and not by a man-in-the-middle using an illegitimate certificate. This mechanism completely eliminates the possibility of man-in-the-middle hijacking and the use of stolen identity credentials in illegitimate channels.

[0048] After successful channel binding verification, the first connector sends specific authentication materials to the second connector via the secure communication channel. These materials primarily include the aforementioned connector identity credentials, an authorization statement credential signed by the user, and a digital signature for the message to be transmitted. In this step, the authorization statement credential plays a crucial role in expressing intent. When generating this credential, the user utilizes selective disclosure technology to extract specific operational permissions specific to the first connector from their complete user rights credentials, forming a rights fragment. This effectively prevents the connector from reverse-engineering the user's full permissions within the organization during communication, achieving minimal disclosure of permissions and privacy protection. Furthermore, the authorization statement credential explicitly includes the authorization category, the authorized connector identifier (i.e., the first connector's unique identification code), and a crucial validity period query address.

[0049] Upon receiving the aforementioned materials, the second connector initiates a multi-factor authentication process. First, the second connector retrieves the third DID document corresponding to the organization's issuer from the blockchain and uses the public key information within it to verify the connector's identity credentials, confirming that the connector's actions have been authorized by the organization. Subsequently, the second connector uses the second public key obtained from the second DID document... The second connector verifies the user signature on the authorization statement credential to ensure that the authorization truly stems from the user's real-time intent or pre-set authorization. Next, the second connector further verifies whether the authorization category and the first connector identifier in the authorization statement match the current access request operation.

[0050] For dynamic authorization control in offline user scenarios, this embodiment employs a validity period decoupling mechanism. The second connector accesses the blockchain online and queries the latest validity period status of the authorization statement credential based on the validity period query address provided in the authorization statement credential. This query address actually points to a validity period variable stored on the blockchain. The validity period variable This dynamic state data on the blockchain allows users to asynchronously update the variable through other trusted terminals, even when offline or without directly participating in connector communication. For example, it can revoke authorization in advance in an emergency or extend the authorization period based on business progress. This process does not require the first connector to re-intervene or re-sign the authorization statement certificate.

[0051] In the specific judgment process, the second connector obtains the validity period variable through the validity period query address. The current value, and read the current system standard time. The second connector determines the current system time through calculation. Does it satisfy the relation? If the inequality is true, then the authorization certificate is currently still within its validity period.

[0052] Ultimately, provided that the public key verification at the physical layer is consistent, the identity credentials at the organizational layer are valid, the authorization statements at the user layer match, and the real-time validity period verification at the blockchain layer is successful, the second connector confirms the first connector's successful authentication. Subsequently, the first connector performs identity authentication on the second connector using the corresponding verification process described above. After both parties have completed the verification of each other's identity credentials, channel binding, authorization statements, and validity period status, the two-way authentication between the first and second connectors is completed. After successful authentication, the first and second connectors will use the first public key... Further negotiation generates a symmetric encryption key for efficient encrypted interaction of subsequent business data. This triple-binding mechanism achieves deep coupling from the underlying channel and organizational endorsement to the user's personal will, significantly improving the security depth of autonomous communication between connectors within the trusted data space.

[0053] Example 2

[0054] This embodiment, based on Embodiment 1 above, further discloses the specific details of the identity registration performed by the first connector. The first connector includes the first public key. The process of storing the first distributed identity document (DID) on the blockchain includes the following steps. First, the first connector generates the first blockchain account locally. The account is typically generated based on asymmetric encryption algorithms, such as elliptic curve digital signature algorithms. Next, the first connector passes the first public key. And the first blockchain account The address information is written into a pre-built first distributed identity document (DID). To ensure the document's authentic origin, the first connector utilizes data from the first blockchain account. The corresponding private key is used to digitally sign the entire First Distributed Identity (DID) document. Subsequently, the First Connector, through the blockchain node's interface, transmits the signed First Distributed Identity (DID) document to the First Blockchain Account. The information is sent to the blockchain for verification. This blockchain-based identity registration mechanism ensures that the connector's identity no longer relies on a single centralized institution, but rather guarantees the persistence and verifiability of the identity through distributed consensus across the entire network.

[0055] Example 3

[0056] This embodiment further illustrates the organizational-level endorsement and verification mechanism. Before the first connector sends its connector identity credential, the credential is issued by the organizational issuer. Specifically, the organizational issuer first queries the first connector's pre-stored first distributed identity identifier (DID) document on the blockchain and verifies its legitimacy. After successful verification, the organizational issuer, acting as the trusted root of the region or industry, issues a trusted identity credential to the first connector. This mechanism establishes a legitimacy chain from the organization to the connector.

[0057] During the two-way authentication process, the second connector verifies the validity of the connector's identity credentials. The second connector first queries the blockchain for the first connector's first Distributed Identity Identifier (DID) document and the organization issuer's third DID document. Since the organization issuer's identity is also based on the DID system, its public key information is also stored on the blockchain. The second connector verifies the received connector identity credentials based on the organization issuer's public key information extracted from the third DID document, ensuring that the credentials were indeed issued by a legitimate industry organization and have not been tampered with. Simultaneously, the second connector also verifies the first public key from the first Distributed Identity Identifier (DID) document. The received message signature is verified to ensure that the message remains intact during transmission and was indeed sent by the first connector.

[0058] Example 4

[0059] This embodiment focuses on the refined control of user rights and authorizations. During the authentication process, users express their operational intentions by signing an authorization statement credential. To protect user privacy, the rights fragment in the authorization statement credential is extracted from the original user rights credential using selective disclosure technology. This rights fragment only contains the permission information required to perform specific business operations for the first connector, without disclosing the complete list of permissions the user possesses within the organization. This approach effectively avoids the risk of excessive exposure of permissions at the connector end.

[0060] Upon receiving the materials, the second connector will rigorously verify the rights fragments. The second connector first uses the second public key from the second DID document obtained from the blockchain. The first connector verifies whether the authorization statement credential was indeed signed by the corresponding user. Then, the second connector further verifies whether the authorization category recorded in the authorization statement credential, the first connector identifier, and the currently initiated access request completely match. For example, if the authorization statement only allows the first connector to perform data read operations, but the current access request involves data modification, the second connector will reject the authentication request. This granular authorization verification ensures that even if a connector is illegally controlled, its operational scope is strictly limited to the user's authorization statement.

[0061] Example 5

[0062] This embodiment discloses a blockchain-based dynamic authorization validity period management mechanism. The authorization statement credential includes a validity period query address, which points to the validity period variable stored on the blockchain. The validity period variable Supports users using a second public key they hold. The associated account is updated asynchronously, and the update process does not require re-signing or re-distributing the entire authorization statement credential. This design achieves physical isolation between the statement credential and its validity period.

[0063] When the second connector performs a validity period status query, the specific steps are as follows: The second connector parses the authorization statement credential, obtains the validity period query address, and accesses that address to retrieve the validity period variable. The latest value. Then, the second connector determines the current system time. Does it satisfy the following relationship:

[0064]

[0065] If the above relationship holds true, the authorization certificate is deemed to be still valid. If not, the authorization is deemed to have expired or been revoked by the user in advance, and the authentication process will terminate immediately. This dynamic update mechanism allows users to quickly respond to emergencies such as lost authorization or business changes.

[0066] Example 6

[0067] This embodiment illustrates the subsequent secure communication phase after successful authentication. Once the second connector completes all the aforementioned verification logic and confirms the first connector's successful authentication, both parties will enter the key negotiation phase. Based on the key material in the secure communication channel, the first and second connectors negotiate and generate a symmetric encryption key for business layer communication using algorithms such as Diffie-Hellman key exchange. Since the previous TLS channel has already been used with the first public key... A strong binding was implemented, and the subsequently generated symmetric encryption key is logically highly consistent with the identity that has undergone multiple authentications, thereby ensuring the security of business data transmission.

[0068] Example 7

[0069] This embodiment provides a two-way authentication system based on a trusted connector. The system includes a first connector, a second connector, a blockchain, and an organization issuing the authentication. The system further includes a memory and a processor. The memory stores a computer-executable program. The processor is connected to the memory, and when the processor executes the computer program in the memory, it implements the two-way authentication method based on a trusted connector as described in any one of embodiments one through six. By integrating a TLS channel binding module, a user rights authorization module, and a blockchain dynamic update module, this system significantly improves the security and flexibility of trusted data space connector interactions.

[0070] It should be noted that the two-way authentication mechanism based on trusted connectors disclosed in the above embodiments solves the risks of identity impersonation and channel hijacking from the underlying technology by triple-binding the connector's distributed identity identifier, transport layer security protocol communication certificate, and user rights and authorization credentials. This invention introduces blockchain as a distributed root of trust, decoupling the originally static authorization credential validity period into a dynamically verifiable on-chain variable. This not only meets the connector's autonomous communication needs in offline user scenarios but also greatly improves the response speed for permission revocation and modification. The selective disclosure technology adopted in this invention ensures that, in multi-tenant or complex organizational environments, the user's complete permission information is not leaked to peer connectors during the authentication process, strictly adhering to the principle of minimizing permission disclosure in the data space.

[0071] Furthermore, the authentication method and system described in this invention can be widely applied to various trusted data space scenarios such as the Industrial Internet, smart cities, and government data sharing. By establishing this triple trust relationship between connectors—based on organizations, users, and devices—identity management and access requirements in data infrastructure can be effectively standardized, providing a solid technical guarantee for the secure and compliant flow of data elements.

[0072] The specific embodiments described above further illustrate the purpose, technical solution, and beneficial effects of the present invention. It should be understood that the above descriptions are merely specific embodiments of the present invention and are not intended to limit the invention. Any modifications, equivalent substitutions, or improvements made within the spirit and principles of the present invention should be included within the scope of protection of the present invention. Technical contents not described in detail in this invention, such as specific encryption algorithm implementation details, specific selection of blockchain consensus mechanisms, and specific network communication protocol stack optimizations, are generally common knowledge in the field, and those skilled in the art can select and configure them according to actual application needs.

Claims

1. A two-way authentication method based on a trusted connector, characterized in that, The method is applied to an authentication system including a first connector, a second connector, and a blockchain, and the method includes: The first connector contains the first public key. The first distributed identity document (DID) is stored on the blockchain. Obtain the second DID document and user rights certificate stored by the user on the blockchain, wherein the second DID document contains the second public key. The user rights certificate contains a list of user permissions; A secure communication channel is established between the first connector and the second connector, wherein the first connector uses the same public key as the first connector. The associated digital certificate performs a handshake and generates a handshake session; The second connector obtains the current public key of the first connector from the handshake session. And verify the current public key. The first public key in the first distributed identity document (DID) retrieved from the blockchain. Are they consistent? The first connector sends a connector identity credential, an authorization statement credential signed by the user, and a digital signature for the current message to the second connector through the secure communication channel; wherein, the authorization statement credential includes a rights fragment for the first connector, authorization category, first connector identifier, and validity period query address extracted from the user's rights credential. The second connector queries the blockchain for the latest validity status of the authorization statement certificate based on the validity query address; When the public key verification is consistent and the current validity period is within the latest validity period, the second connector confirms that the first connector has successfully authenticated; wherein, after the second connector completes the authentication of the first connector, the first connector performs identity credential verification, channel binding verification, authorization statement verification and validity period status verification on the second connector to complete the two-way authentication between the first connector and the second connector; The validity period query address points to the validity period variable stored on the blockchain. The validity period variable Asynchronous updates by the user are supported, and the update process does not require re-signing the authorization statement certificate; Before sending the connector identity credentials, the following is also included: The issuing organization queries the first distributed identity identifier (DID) document on the blockchain and verifies its legitimacy. After successful verification, the issuing organization issues the connector identity certificate to the first connector; The second connector verifies the validity of the connector identity credential by: The second connector queries the blockchain for the first distributed identity identifier (DID) document of the first connector, and the third DID document of the organization issuer; The second connector verifies the connector identity credentials based on the public key information in the third DID document, and verifies the received message signature based on the first distributed identity identifier (DID) document.

2. The bidirectional authentication method based on a trusted connector according to claim 1, characterized in that, The first connector contains the first public key. The first distributed identity document (DID) is stored on the blockchain, including: The first connector generates the first blockchain account. ; The first connector will transmit the first public key. and the first blockchain account Write the first distributed identity identifier (DID) document, and pass the first distributed identity identifier (DID) document through the first blockchain account. On-chain evidence storage is performed on the blockchain.

3. The bidirectional authentication method based on a trusted connector according to claim 1, characterized in that, The rights fragment is extracted from the user's rights certificate using selective disclosure technology, and the rights fragment contains only specific operation permission information for the first connector.

4. The two-way authentication method based on a trusted connector according to claim 3, characterized in that, The second connector verifies the claim fragment, including: The second connector uses the second public key from the second DID document. Verify that the authorization statement credential was signed by the user; The second connector verifies whether the authorization category in the authorization statement credential, the first connector identifier, and the current access request match.

5. The bidirectional authentication method based on a trusted connector according to claim 1, characterized in that, The second connector queries the latest validity period status, including: The second connector accesses the validity period query address to obtain the validity period variable. The current value; Determine the current system time Does it satisfy the relation? ; If the conditions are met, the authorization statement credential is deemed to be within the scope of validity.

6. The bidirectional authentication method based on a trusted connector according to claim 1, characterized in that, After the first connector is successfully authenticated, it negotiates and generates a symmetric encryption key with the second connector based on the secure communication channel.

7. A two-way authentication system based on a trusted connector, characterized in that, The system includes a first connector, a second connector, a blockchain, and an organization issuer. The system includes a memory and a processor. The memory stores a computer program that, when executed by the processor, implements the two-way authentication method based on a trusted connector as described in any one of claims 1 to 6.