+

CN114239044B - A decentralized traceable shared access system - Google Patents

A decentralized traceable shared access system Download PDF

Info

Publication number
CN114239044B
CN114239044B CN202111224033.0A CN202111224033A CN114239044B CN 114239044 B CN114239044 B CN 114239044B CN 202111224033 A CN202111224033 A CN 202111224033A CN 114239044 B CN114239044 B CN 114239044B
Authority
CN
China
Prior art keywords
data
user
node
consensus
blockchain
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active
Application number
CN202111224033.0A
Other languages
Chinese (zh)
Other versions
CN114239044A (en
Inventor
田桂申
李尧
任春雷
白雪娇
屈春一
刘丽娟
曹阳
朱继阳
李琰
赵璐
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
China Times Economic Publishing House Co ltd
Information and Telecommunication Co of State Grid Eastern Inner Mogolia Electric Power Co Ltd
State Grid East Inner Mongolia Electric Power Co Ltd
State Grid Inner Mongolia East Electric Power Energy Saving Service Co Ltd
Original Assignee
China Times Economic Publishing House Co ltd
Information and Telecommunication Co of State Grid Eastern Inner Mogolia Electric Power Co Ltd
State Grid East Inner Mongolia Electric Power Co Ltd
State Grid Inner Mongolia East Electric Power Energy Saving Service Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by China Times Economic Publishing House Co ltd, Information and Telecommunication Co of State Grid Eastern Inner Mogolia Electric Power Co Ltd, State Grid East Inner Mongolia Electric Power Co Ltd, State Grid Inner Mongolia East Electric Power Energy Saving Service Co Ltd filed Critical China Times Economic Publishing House Co ltd
Priority to CN202111224033.0A priority Critical patent/CN114239044B/en
Publication of CN114239044A publication Critical patent/CN114239044A/en
Application granted granted Critical
Publication of CN114239044B publication Critical patent/CN114239044B/en
Active legal-status Critical Current
Anticipated expiration legal-status Critical

Links

Classifications

    • GPHYSICS
    • G06COMPUTING OR CALCULATING; COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60Protecting data
    • G06F21/62Protecting access to data via a platform, e.g. using keys or access control rules
    • G06F21/6218Protecting access to data via a platform, e.g. using keys or access control rules to a system of files or objects, e.g. local or distributed file system or database
    • GPHYSICS
    • G06COMPUTING OR CALCULATING; COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60Protecting data
    • G06F21/602Providing cryptographic facilities or services
    • GPHYSICS
    • G06COMPUTING OR CALCULATING; COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60Protecting data
    • G06F21/604Tools and structures for managing or administering access control systems
    • GPHYSICS
    • G06COMPUTING OR CALCULATING; COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60Protecting data
    • G06F21/64Protecting data integrity, e.g. using checksums, certificates or signatures
    • GPHYSICS
    • G06COMPUTING OR CALCULATING; COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F2221/00Indexing scheme relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F2221/21Indexing scheme relating to G06F21/00 and subgroups addressing additional information or applications relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F2221/2107File encryption
    • GPHYSICS
    • G06COMPUTING OR CALCULATING; COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F2221/00Indexing scheme relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F2221/21Indexing scheme relating to G06F21/00 and subgroups addressing additional information or applications relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F2221/2141Access rights, e.g. capability lists, access control lists, access tables, access matrices

Landscapes

  • Engineering & Computer Science (AREA)
  • Theoretical Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Bioethics (AREA)
  • General Health & Medical Sciences (AREA)
  • Computer Hardware Design (AREA)
  • Health & Medical Sciences (AREA)
  • Software Systems (AREA)
  • Physics & Mathematics (AREA)
  • General Engineering & Computer Science (AREA)
  • General Physics & Mathematics (AREA)
  • Databases & Information Systems (AREA)
  • Automation & Control Theory (AREA)
  • Storage Device Security (AREA)

Abstract

The invention provides a decentralised traceable shared access system, comprising: an authentication node and a consensus node; the authentication node is used for realizing management of users, management of document data and business and maintenance of data access information based on each function module deployed on the node; the consensus node is used for carrying out safety management on users accessing the node based on each functional module deployed on the node, initiating a data sharing request and providing data sharing service according to the data sharing request, the shared access system of the invention is based on the block chain technology, ensures the authenticity of data and contract execution force, realizes decentralization and realizes the safe data management of data sharing.

Description

一种去中心化的可追溯共享访问系统A decentralized traceable shared access system

技术领域Technical Field

本发明涉及数据安全技术领域,具体涉及一种去中心化的可追溯共享访问系统。The present invention relates to the field of data security technology, and in particular to a decentralized traceable shared access system.

背景技术Background Art

管理信息系统在运行过程中,产生大量的数据,这些数据涉及管理信息系统相关联的多个子系统,将这些数据进行系统管理,甚至对外共享时,要解决数据共享的合法性,例如企业审计中的数据可能涉及到部门特殊情况,面对不确定的风险或规定时,如何共享的问题;要解决数据的安全和权益:数据被目标用户使用时,可能存在被复制,留存,篡改的风险,数据得不到保障。如果数据不进行共享,各个用户或业务系统会形成信息孤岛,会对管理信息系统带来额外的工作量。During the operation of the management information system, a large amount of data is generated. These data involve multiple subsystems associated with the management information system. When these data are managed systematically or even shared externally, the legitimacy of data sharing must be addressed. For example, data in corporate audits may involve special circumstances of departments. When faced with uncertain risks or regulations, how to share the data? The security and rights of the data must be addressed: when the data is used by the target user, there may be risks of being copied, retained, or tampered with, and the data cannot be guaranteed. If data is not shared, each user or business system will form an information island, which will bring additional workload to the management information system.

管理信息系统的数据管理模式一般包括数据托管模式和数据汇总模式。托管模式中,将数据托管到特定业务系统的中心数据库中,由该中心数据库统一管理和运维。汇总模式中,通过API接口,将不同业务系统的数据进行连接,数据中转系统和数据所有者进行交互并返回查询结果。The data management mode of the management information system generally includes data hosting mode and data aggregation mode. In the hosting mode, the data is hosted in the central database of a specific business system, and the central database is responsible for unified management and operation. In the aggregation mode, the data of different business systems are connected through the API interface, and the data transfer system interacts with the data owner and returns the query results.

然而,托管模式中的缺点是数据的安全性不高,使用用户,使用权限全部依赖于托管系统的诚信度。而汇总模式中的看似不同业务系统数据独立管理,但最终数据汇总中完全有能力也有机会留存各个业务系统的数据。However, the disadvantage of the hosting model is that the data security is not high, and the users and usage rights all depend on the integrity of the hosting system. While the aggregation model seems to manage the data of different business systems independently, the final data aggregation is fully capable of and has the opportunity to retain the data of each business system.

发明内容Summary of the invention

为了解决现有技术中所存在的问题,本发明提供一种去中心化的可追溯共享访问系统,包括认证节点和共识节点;In order to solve the problems existing in the prior art, the present invention provides a decentralized traceable shared access system, including an authentication node and a consensus node;

所述认证节点用于基于认证节点上部署的各个功能模块,实现对用户进行管理、对文档数据和业务进行管理并维护数据访问信息;The authentication node is used to manage users, manage document data and services, and maintain data access information based on various functional modules deployed on the authentication node;

所述共识节点用于基于共识节点上部署的各个功能模块,对访问所述共识节点的用户进行安全管理、发起数据共享请求并根据数据共享请求提供数据共享服务;The consensus node is used to perform security management on users accessing the consensus node, initiate data sharing requests, and provide data sharing services according to the data sharing requests based on the various functional modules deployed on the consensus node;

其中所述共识节点进一步用于接收统计简档,其中统计简档包括共识节点的网络位置和共识节点的性能规范,并且其中所述共享访问系统实现去中心架构,所述去中心架构包括在CDN网络上分层的多种类型的对等连接,所述CDN网络具有多个CDN服务器,用于向共识节点提供文档数据的第一组片段;wherein the consensus node is further configured to receive a statistical profile, wherein the statistical profile includes a network location of the consensus node and a performance specification of the consensus node, and wherein the shared access system implements a decentralized architecture comprising multiple types of peer connections layered on a CDN network, the CDN network having a plurality of CDN servers for providing a first set of segments of the document data to the consensus node;

其中,当所述CDN服务器接收共识节点发送的缓存指令时,所述CDN服务器返回所述文档数据的所述第一组片段的子集,其中所述缓存指令是基于所述统计简档生成的;wherein, when the CDN server receives a cache instruction sent by a consensus node, the CDN server returns a subset of the first group of segments of the document data, wherein the cache instruction is generated based on the statistical profile;

当所述共享访问系统中的数据使用者用户向所述CDN服务器发送用于访问文档数据的多个目标片段的请求时,所述CDN服务器从所接收的请求中提取所请求的文档数据的内容类型和数据使用者用户的网络位置;从所述共享访问系统中当前活动的共识节点中选择多个共识节点来提供对文档数据的多个目标片段的访问,生成缓存列表,其中基于数据使用者用户的网络位置、共识节点的网络位置以及所请求的文档数据的内容类型来选择多个共识节点;并将生成的缓存列表传输到数据使用者用户。When a data user in the shared access system sends a request for accessing multiple target fragments of document data to the CDN server, the CDN server extracts the content type of the requested document data and the network location of the data user from the received request; selects multiple consensus nodes from the currently active consensus nodes in the shared access system to provide access to the multiple target fragments of the document data, generates a cache list, wherein the multiple consensus nodes are selected based on the network location of the data user user, the network location of the consensus nodes, and the content type of the requested document data; and transmits the generated cache list to the data user user.

优选地,所述认证节点进一步确定所述文档数据的多个片段到所述网络的两个以上的共识节点的最优分布状态;Preferably, the authentication node further determines an optimal distribution state of the plurality of segments of the document data to more than two consensus nodes of the network;

其中所述最优分布状态定义所述两个以上共识节点中的每一个需要从所述CDN服务器下载所述文档数据的多个片段的标识;所述缓存列表中的多个共识节点缓存所述文档数据的多个目标片段;The optimal distribution state defines that each of the two or more consensus nodes needs to download identifiers of multiple fragments of the document data from the CDN server; multiple consensus nodes in the cache list cache multiple target fragments of the document data;

所述缓存指令进一步基于所述文档数据的内容优先级来生成;The cache instruction is further generated based on the content priority of the document data;

所述共识节点响应于接收到用户的标识请求,将所述标识传送给所述用户,以在所述共享访问系统中使用。In response to receiving the identification request from the user, the consensus node transmits the identification to the user for use in the shared access system.

优选地,所述缓存列表中的共识节点在被授权向数据使用者用户共享文档数据之前,确认接收到所述认证节点的支付授权证书,并且在所述用户从多个共识节点接收文档数据的多个目标片段之后,所述共识节点接收数据使用者用户签名的服务应答,然后向所述多个共识节点发送更新的链外交易,所述链外交易将总支付额度进行累加,用于确定包括所述文档数据的多个目标片段中的支付额度。Preferably, before the consensus nodes in the cache list are authorized to share document data with data user users, they confirm receipt of the payment authorization certificate of the authentication node, and after the user receives multiple target fragments of document data from multiple consensus nodes, the consensus node receives a service response signed by the data user user, and then sends an updated off-chain transaction to the multiple consensus nodes, and the off-chain transaction accumulates the total payment amount to determine the payment amount in the multiple target fragments including the document data.

优选地,所述认证节点和所述共识节点上部署的各个功能模块包括:物理模块、智能合约模块、动态模块、前端模块和应用模块;Preferably, the functional modules deployed on the authentication node and the consensus node include: a physical module, a smart contract module, a dynamic module, a front-end module and an application module;

所述物理模块用于,封装支持智能合约实现的所有基础设施;The physical module is used to encapsulate all infrastructures that support the implementation of smart contracts;

所述智能合约模块用于,封装静态的合约数据;The smart contract module is used to encapsulate static contract data;

所述动态模块用于,封装对智能合约模块中静态合约数据的动态操作;The dynamic module is used to encapsulate dynamic operations on static contract data in the smart contract module;

所述前端模块用于,封装协议和投票机制;The front-end module is used to encapsulate the protocol and voting mechanism;

所述应用模块用于,封装业务流中各场景和应用。The application module is used to encapsulate various scenarios and applications in the business flow.

优选地,所述物理模块包括:分布式账本、开发环境和预言机;Preferably, the physical module includes: a distributed ledger, a development environment and an oracle;

所述分布式账本用于记录共享访问系统上所有数据处理过程数据;The distributed ledger is used to record all data processing process data on the shared access system;

所述开发环境包括基于计算机代码实现的启动节点,部署合约、调用合约;The development environment includes a startup node based on computer code implementation, contract deployment, and contract invocation;

所述预言机基于区块链的安全规则对加密存储系统的数据源进行安全管理。The oracle performs security management on the data source of the encrypted storage system based on the security rules of the blockchain.

优选地,所述发起数据共享请求包括:Preferably, the initiating a data sharing request includes:

当数据使用者需要使用某个参与业务的项目信息时,先检索区块链上是否存在对应索引;When a data user needs to use information about a project involved in a business, he or she first searches the blockchain to see if there is a corresponding index.

如果存在,数据使用者基于区块链向数据所有者发起数据请求;否则,数据使用者基于所述区块链发起数据请求。If so, the data user initiates a data request to the data owner based on the blockchain; otherwise, the data user initiates a data request based on the blockchain.

优选地,所述根据数据共享请求提供数据共享服务包括:Preferably, providing a data sharing service according to a data sharing request includes:

数据所有者提取公钥信息并确认数据使用者为合法角色后,将符合标准要求的数据利用公钥加密、私钥签名后,生成加密数据包,基于区块链进行发送。After the data owner extracts the public key information and confirms that the data user is a legitimate role, the data that meets the standard requirements is encrypted using the public key and signed with the private key to generate an encrypted data packet, which is sent based on the blockchain.

优选地,所述确认数据使用者为合法角色包括:确认的数据使用者为合法使用者。Preferably, the confirming that the data user is a legitimate role includes: confirming that the data user is a legitimate user.

优选地,所述对用户进行管理包括:对加入区块链的用户角色和属性进行审核。Preferably, the management of users includes: reviewing the roles and attributes of users joining the blockchain.

优选地,所述维护数据访问信息包括:Preferably, the maintenance data access information includes:

对所述区块链中的数据信息进行审核并发送数据证书并存储;Review the data information in the blockchain and send and store the data certificate;

为所述区块链中的数据信息建立索引信息并存储;Creating and storing index information for the data information in the blockchain;

存储数据使用者发起的数据共享请求、存储数据所有者提供的数据共享服务。It stores data sharing requests initiated by data users and data sharing services provided by data owners.

与现有技术相比,本发明的有益效果为:Compared with the prior art, the present invention has the following beneficial effects:

1、本发明构建的共享访问系统基于区块链技术,保证了数据的真实性和合约执行力,实现去中心化,实现数据共享的数据管理方法;1. The shared access system constructed by the present invention is based on blockchain technology, which ensures the authenticity of data and the execution of contracts, realizes decentralization, and realizes a data management method for data sharing;

2、本发明构建的共享访问系统,应用到业务系统中,实现企业文档数据的有效管理,文档数据被业务子系统安全共享,过程公开透明,整体流程保证数据的完整性,可确权性和可追溯性;2. The shared access system constructed by the present invention is applied to the business system to realize the effective management of enterprise document data. The document data is securely shared by the business subsystem, the process is open and transparent, and the overall process ensures the integrity, verifiability and traceability of the data;

3、本发明提供的技术方案中对合法角色的判断包括数据流程合法性验证和数据使用权限验证,这种双重验证保证了数据使用的安全性,符合业务对数据更加严格的安全限定。3. The judgment of legal roles in the technical solution provided by the present invention includes data flow legitimacy verification and data usage authority verification. This double verification ensures the security of data use and complies with the business's stricter security restrictions on data.

附图说明BRIEF DESCRIPTION OF THE DRAWINGS

图1为本发明的去中心化的可追溯共享访问系统结构示意图;FIG1 is a schematic diagram of the structure of a decentralized traceable shared access system of the present invention;

图2为本发明智能合约模型结构图;FIG2 is a diagram showing the structure of a smart contract model of the present invention;

图3为本发明数据管理实施方法流程图;FIG3 is a flow chart of a data management implementation method of the present invention;

图4为本发明提供的数据索引信息;FIG4 is data index information provided by the present invention;

图5为本发明的系统运行过程。FIG. 5 is a diagram showing the system operation process of the present invention.

具体实施方式DETAILED DESCRIPTION

本发明利用区块链提供的去中心化的数据管理模式,建立管理信息系统的多个业务系统以及外部用户的联盟链,通过预先确定的认定机制建立区块链上的智能合约,自动对用户审计行为在整个审计流程中的合理性进行认定,并通过联盟链上的多方主体共识生成区块并上链,对各用户对数据的申请和处理形成数据块,进行自动认证,每一个数据块中包含了一批次的网络交互信息,能够防止文档数据被篡改或伪造、以及能够实现文档数据访问记录可追溯验证其信息的有效性。The present invention utilizes the decentralized data management model provided by the blockchain to establish multiple business systems of the management information system and alliance chains of external users, establishes smart contracts on the blockchain through a predetermined identification mechanism, automatically identifies the rationality of user audit behavior in the entire audit process, and generates blocks through consensus among multiple parties on the alliance chain and uploads them to the chain. The application and processing of data by each user form data blocks and are automatically authenticated. Each data block contains a batch of network interaction information, which can prevent document data from being tampered with or forged, and can realize traceability of document data access records to verify the validity of its information.

由于基于区块链技术的去信任、去中心化、集体维护和可靠数据库的特性,在构建共享访问系统运用到管理信息系统的数据管理上,让所有相关业务系统用户参与到数据管理的全过程,使工作流程处于透明被监督的状态,各项操作也都不可篡改的记录。Due to the characteristics of trustlessness, decentralization, collective maintenance and reliable database based on blockchain technology, when building a shared access system and applying it to the data management of the management information system, all relevant business system users can participate in the entire process of data management, making the workflow transparent and supervised, and all operations are recorded in an unalterable manner.

为了更好地理解本发明,下面结合说明书附图和实例对本发明的内容做进一步的说明。In order to better understand the present invention, the content of the present invention is further described below in conjunction with the accompanying drawings and examples.

实施例1:Embodiment 1:

本发明提供一种去中心化的可追溯共享访问系统,采用的区块链技术,如图1所示,由多个节点构成,节点用于连接多个业务系统,主要功能包含接收业务系统的消息;完成自有数据信息的区块链生成和提交;保证通信过程安全。包括认证节点和共识节点。The present invention provides a decentralized traceable shared access system, which adopts blockchain technology, as shown in Figure 1, and is composed of multiple nodes, which are used to connect multiple business systems, and their main functions include receiving messages from business systems; completing blockchain generation and submission of own data information; and ensuring the security of the communication process. It includes authentication nodes and consensus nodes.

1)链上公共区:主业务系统作为公共区,通过组织用户权限系统,实现人员之间的连接,并通过认证机制,实现原有成员和新增成员的管理。(采用多票通过原则,例如新增成员到链上,需要已存在链上的人员进行确认,多数确认后,表示合法增员。同理,其他成员操作,如删除,变更权限也如此)通过维护公共记录块链,实现对数据变更过程的记录,并制定数据规范、使用规则和数据溯源。由认证节点承担,认证节点由链上成员选举或直接指定。1) Public area on the chain: The main business system is used as a public area. Through the organization of the user authority system, the connection between personnel is realized, and the management of the original members and new members is realized through the authentication mechanism. (The principle of multiple votes is adopted. For example, when adding new members to the chain, the existing personnel on the chain need to confirm. After the majority confirmation, it means that the addition is legal. Similarly, other member operations, such as deletion and change of authority, are also the same.) By maintaining the public record block chain, the data change process is recorded, and data specifications, usage rules and data traceability are formulated. The authentication node is responsible for this, and the authentication node is elected or directly designated by the members on the chain.

2)链上成员区:每个成员会保存一份公共记录区块链的备份,监督主业务流程中的区块链数据记录的正确性,同时维护自己用于共享的文档数据,由各共识节点实现。2) On-chain member area: Each member will keep a backup of the public record blockchain, supervise the correctness of the blockchain data records in the main business process, and maintain its own document data for sharing, which is implemented by each consensus node.

其中所述共识节点进一步用于接收统计简档,其中统计简档包括共识节点的网络位置和共识节点的性能规范,并且其中所述共享访问系统实现去中心架构,所述去中心架构包括在CDN网络上分层的多种类型的对等连接,所述CDN网络具有多个CDN服务器,用于向共识节点提供文档数据的第一组片段;wherein the consensus node is further configured to receive a statistical profile, wherein the statistical profile includes a network location of the consensus node and a performance specification of the consensus node, and wherein the shared access system implements a decentralized architecture comprising multiple types of peer connections layered on a CDN network, the CDN network having a plurality of CDN servers for providing a first set of segments of the document data to the consensus node;

其中,当所述CDN服务器接收共识节点发送的缓存指令时,所述CDN服务器返回所述文档数据的所述第一组片段的子集,其中所述缓存指令是基于所述统计简档生成的;wherein, when the CDN server receives a cache instruction sent by a consensus node, the CDN server returns a subset of the first group of segments of the document data, wherein the cache instruction is generated based on the statistical profile;

当所述共享访问系统中的数据使用者用户向所述CDN服务器发送用于访问文档数据的多个目标片段的请求时,所述CDN服务器从所接收的请求中提取所请求的文档数据的内容类型和数据使用者用户的网络位置;从所述共享访问系统中当前活动的共识节点中选择多个共识节点来提供对文档数据的多个目标片段的访问,生成缓存列表,其中基于数据使用者用户的网络位置、共识节点的网络位置以及所请求的文档数据的内容类型来选择多个共识节点;并将生成的缓存列表传输到数据使用者用户。When a data user in the shared access system sends a request for accessing multiple target fragments of document data to the CDN server, the CDN server extracts the content type of the requested document data and the network location of the data user from the received request; selects multiple consensus nodes from the currently active consensus nodes in the shared access system to provide access to the multiple target fragments of the document data, generates a cache list, wherein the multiple consensus nodes are selected based on the network location of the data user user, the network location of the consensus nodes, and the content type of the requested document data; and transmits the generated cache list to the data user user.

所述认证节点进一步确定所述文档数据的多个片段到所述网络的两个以上的共识节点的最优分布状态;The authentication node further determines an optimal distribution state of the plurality of segments of the document data to more than two consensus nodes of the network;

其中所述最优分布状态定义所述两个以上共识节点中的每一个需要从所述CDN服务器下载所述文档数据的多个片段的标识;所述缓存列表中的多个共识节点缓存所述文档数据的多个目标片段;The optimal distribution state defines that each of the two or more consensus nodes needs to download identifiers of multiple fragments of the document data from the CDN server; multiple consensus nodes in the cache list cache multiple target fragments of the document data;

所述缓存指令进一步基于所述文档数据的内容优先级来生成;The cache instruction is further generated based on the content priority of the document data;

所述共识节点响应于接收到用户的标识请求,将所述标识传送给所述用户,以在所述共享访问系统中使用。In response to receiving the identification request from the user, the consensus node transmits the identification to the user for use in the shared access system.

所述缓存列表中的共识节点在被授权向数据使用者用户共享文档数据之前,确认接收到所述认证节点的支付授权证书,并且在所述用户从多个共识节点接收文档数据的多个目标片段之后,所述共识节点接收数据使用者用户签名的服务应答,然后向所述多个共识节点发送更新的链外交易,所述链外交易将总支付额度进行累加,用于确定包括所述文档数据的多个目标片段中的支付额度。Before being authorized to share document data with data user users, the consensus nodes in the cache list confirm receipt of the payment authorization certificate of the authentication node, and after the user receives multiple target fragments of document data from multiple consensus nodes, the consensus node receives a service response signed by the data user user, and then sends an updated off-chain transaction to the multiple consensus nodes, and the off-chain transaction accumulates the total payment amount to determine the payment amount in the multiple target fragments including the document data.

在所述共识过程的预处理阶段,共识节点收集交易内存池中的交易,将交易打包成区块并广播给其他节点共识。当前共识节点广播<precons,h,dig,block,s>预共识消息给其他节点,其中:precons代表消息类型是预共识消息;h代表区块高度;dig代表block的摘要,即区块哈希值,block则为整个区块的内容,包括了所收集的交易及所有交易的签名。In the preprocessing stage of the consensus process, the consensus node collects transactions in the transaction memory pool, packages the transactions into blocks and broadcasts them to other nodes for consensus. The current consensus node broadcasts the <precons, h, dig, block, s> pre-consensus message to other nodes, where: precons represents the message type is a pre-consensus message; h represents the block height; dig represents the summary of the block, that is, the block hash value, and block is the content of the entire block, including the collected transactions and the signatures of all transactions.

当所有的其他共识节点收到当前共识节点发送过来的precons消息后,首先会对该消息进行验证,检查摘要、区块高度以及签名的合法性,验证完毕后会对其中的所有交易进行验证,验证无误后将签名后的消息<convs,h,dig,i>发送给当前共识节点,convs代表消息类型是共识就绪消息。When all other consensus nodes receive the precons message sent by the current consensus node, they will first verify the message, check the validity of the summary, block height and signature, and then verify all transactions in it. After the verification is correct, the signed message <convs, h, dig, i> will be sent to the current consensus node. convs indicates that the message type is a consensus-ready message.

当监听到各个共识节点发送过来的convs消息时,当前共识节点对每个convs信息进行验证,验证通过则收集。一旦主节点收集到2f+1个签名,验证该批签名并将验证通过的签名汇总成一个签名,广播一条<h,d,asign,n>提交消息,asign是汇总之后合成的签名,n指的是参与该汇总签名的所有共识节点的ID列表,f为所有共识节点的数量;后面收到该提交消息的节点能利用参与签名的节点的公钥验证该签名是否正确,此时各共识节点收到当前共识节点的汇总签名后,验证无误则将该区块链接到区块链的链尾,完成同步,实现在不需要全广播通信的情况下各个共识节点能够根据参与签名的节点的公钥验证该汇总签名的真实性。When listening to the convs message sent by each consensus node, the current consensus node verifies each convs message, and collects it if it passes the verification. Once the master node collects 2f+1 signatures, it verifies the batch of signatures and aggregates the verified signatures into one signature, broadcasts a <h, d, asign, n> submission message, asign is the signature synthesized after aggregation, n refers to the ID list of all consensus nodes participating in the aggregated signature, and f is the number of all consensus nodes; the nodes that receive the submission message later can use the public key of the nodes participating in the signature to verify whether the signature is correct. At this time, after each consensus node receives the aggregated signature of the current consensus node, if the verification is correct, it will link the block to the end of the blockchain chain to complete the synchronization, so that each consensus node can verify the authenticity of the aggregated signature based on the public key of the nodes participating in the signature without the need for full broadcast communication.

在最终确认阶段,为了将信息发送给下一轮的共识主节点,设置超时阈值t,如果在t之前下一轮节点已经收到多于一半的确认消息,证明大多数节点已经就绪,可以提前进入下一个区块的共识过程。而在超时阈值t内没有收到多于一半节点的消息,则会重发已完成的共识结果给其余的共识节点,再进行下一轮的共识流程。In the final confirmation phase, in order to send information to the next round of consensus master nodes, a timeout threshold t is set. If the next round of nodes have received more than half of the confirmation messages before t, it proves that most nodes are ready and can enter the consensus process of the next block in advance. If more than half of the nodes have not received messages within the timeout threshold t, the completed consensus results will be resent to the remaining consensus nodes, and then the next round of consensus process will be carried out.

为防止某个共识节点故意不应答的情况,各个共识节点在指定时间t内没有收到当前共识节点的响应,则认为当前共识节点发生故障,选择下一轮共识新节点,下一轮共识的节点不断监听各个共识节点发来的消息,验证消息中的区块高度是否一致。当收集到2f+1个消息后,验证消息的签名,将验证通过后的签名汇总成一个汇总签名,封装共识节点变更消息<next,v,h,asign,n>广播给各个共识节点,n指的是参与该汇总签名的所有节点的列表,方便各个共识节点验证,next表示消息类型是共识节点变更为下一轮共识节点的消息。最后,各个共识节点收到下一轮共识节点发来的next消息后对汇总签名进行验证,验证完毕后对下一轮的主节点发送一个验证应答消息表示验证通过,而下一轮的主节点开始打包区块,开始新一轮的区块共识。To prevent a consensus node from deliberately not responding, if each consensus node does not receive a response from the current consensus node within the specified time t, it is considered that the current consensus node has failed, and a new node for the next round of consensus is selected. The node of the next round of consensus continuously monitors the messages sent by each consensus node to verify whether the block height in the message is consistent. After collecting 2f+1 messages, the signature of the message is verified, and the signatures that have passed the verification are summarized into a summary signature. The consensus node change message <next, v, h, asign, n> is encapsulated and broadcast to each consensus node. n refers to the list of all nodes participating in the summary signature, which is convenient for each consensus node to verify. Next indicates that the message type is a message that the consensus node is changed to the next round of consensus nodes. Finally, each consensus node verifies the summary signature after receiving the next message sent by the next round of consensus nodes. After the verification is completed, a verification response message is sent to the next round of master nodes to indicate that the verification is passed, and the next round of master nodes begins to pack blocks and start a new round of block consensus.

实施例2:Embodiment 2:

所述区块链上每个节点均采用智能合约方案,利用如图2所示的智能合约模型实现,具体包括:Each node on the blockchain adopts a smart contract solution, which is implemented using the smart contract model shown in Figure 2, specifically including:

物理模块:封装了支持智能合约实现的所有基础设施,包括分布式账本、开发环境和预言机等。Physical module: encapsulates all infrastructure supporting the implementation of smart contracts, including distributed ledgers, development environments, and oracles.

分布式账本:智能合约的执行与交互需要依靠共识算法、通信网络等技术实现,最终执行结果将记入由全体节点共同维护的分布式账本。本发明中,利用分布式账本记录共享访问系统的数据内容。Distributed ledger: The execution and interaction of smart contracts need to rely on consensus algorithms, communication networks and other technologies, and the final execution results will be recorded in a distributed ledger maintained by all nodes. In the present invention, a distributed ledger is used to record the data content of the shared access system.

开发环境:智能合约可看作是运行在区块链上的计算机程序,作为计算机程序,开发、部署和调试涉及到开发环境,本发明中还还承担启动节点,部署合约、调用合约等功能。Development environment: Smart contracts can be seen as computer programs running on the blockchain. As a computer program, development, deployment and debugging involve the development environment. The present invention also undertakes functions such as starting nodes, deploying contracts, and calling contracts.

预言机:为保证区块链网络的安全,智能合约一般运行在隔离的沙箱执行环境中,预言机可提供可信沙箱外部数据源供合约查询外或触发合约执行。同时,为保持分布式节点的合约执行结果一致,智能合约也通过查询预言机实现随机性。本发明中,预言机是保证可信的加密存储系统的数据源。Oracle: To ensure the security of the blockchain network, smart contracts generally run in an isolated sandbox execution environment. Oracles can provide trusted sandbox external data sources for contract queries or trigger contract execution. At the same time, in order to keep the contract execution results of distributed nodes consistent, smart contracts also achieve randomness by querying the oracle. In the present invention, the oracle is the data source that ensures a trusted encrypted storage system.

智能合约模块:封装了静态的合约数据,包括合约各方达成一致的合约条款、审计方法,代码化后的情景-应对型规则和合约创建者指定的合约与外界以及合约与合约之间的交互准则等。智能合约模块可看作是智能合约的静态数据库,封装了所有智能合约调用、执行、通信规则。Smart contract module: encapsulates static contract data, including contract terms and audit methods agreed upon by all parties to the contract, coded scenario-response rules, and interaction rules between the contract and the outside world and between contracts specified by the contract creator. The smart contract module can be regarded as a static database of smart contracts, encapsulating all smart contract call, execution, and communication rules.

动态模块:封装了一系列对智能合约模块中静态合约数据的动态操作,包括机制设计、形式验证、安全检查等。智能合约的应用通常关乎企业各部门的利益,恶意的、错误的、有漏洞的智能合约会带来巨大的损失,动态模块是保证智能合约能够按照设计者意愿正确、安全、高效运行的关键。Dynamic module: encapsulates a series of dynamic operations on static contract data in the smart contract module, including mechanism design, formal verification, security check, etc. The application of smart contracts usually concerns the interests of various departments of an enterprise. Malicious, erroneous, and vulnerable smart contracts will bring huge losses. Dynamic modules are the key to ensuring that smart contracts can run correctly, safely, and efficiently according to the designer's wishes.

前端模块:封装了智能合约在本发明应用中的具体表现形式。包括去中心化应用(Decentralized application,DApp)、去中心化组织(Decen-tralized autonomousorganization,DAO);去中心化应用是基于以太坊定义的交易协议,根据区块链上设定的条件来执行的一个合约或者一组合约。去中心化组织为本发明用到的基于节点的投票机制。Front-end module: encapsulates the specific manifestation of smart contracts in the application of the present invention. Including decentralized applications (DApp) and decentralized autonomous organizations (DAO); decentralized applications are based on the transaction protocol defined by Ethereum, and are executed according to the conditions set on the blockchain. A decentralized organization is a node-based voting mechanism used in the present invention.

应用模块:封装了智能合约在本发明应用的场景,共享访问系统。Application module: encapsulates the application scenarios of smart contracts in the present invention and shares the access system.

在所述智能合约的执行阶段,所述认证节点首先在其本地记录第一智能合约的当前版本;当使用多个参数来执行第一智能合约的当前版本后,检索认证节点中的第一认证数据,所述多个参数标识待检索的认证节点和所述第一认证数据,并且将第二智能合约配置为包括来自所述认证节点的认证数据,该来自所述认证节点的认证数据基于所述认证节点的访问交易并基于区块链账本入口地址的属性,从而基于来自所述认证节点的所述第一认证数据并基于所述区块链账本入口地址来实现第二智能合约的访问交易,其中所述区块链账本入口地址标识了不同于当前认证节点的候选认证节点。During the execution phase of the smart contract, the authentication node first records the current version of the first smart contract locally; after using multiple parameters to execute the current version of the first smart contract, the first authentication data in the authentication node is retrieved, the multiple parameters identify the authentication node to be retrieved and the first authentication data, and the second smart contract is configured to include the authentication data from the authentication node, the authentication data from the authentication node is based on the access transaction of the authentication node and based on the attributes of the blockchain ledger entry address, thereby implementing the access transaction of the second smart contract based on the first authentication data from the authentication node and based on the blockchain ledger entry address, wherein the blockchain ledger entry address identifies a candidate authentication node different from the current authentication node.

在优选的实施例中,执行所述第一智能合约的所述当前版本进一步包括:针对多个数据访问者用户指定的感兴趣文档循环监视多个共识节点,其中所述多个数据访问者用户指定的感兴趣文档包括数据访问者用户指定的数字钱包的资产转移;以及基于来自所述认证节点的第一认证数据并且基于所述区块链账本入口地址,将第二智能合约的访问交易的结果传送到多个共识节点。将所述第二智能合约的结果传输到加密的数字钱包,所述数字钱包被配置为接收专用加密令牌的一部分。In a preferred embodiment, executing the current version of the first smart contract further includes: cyclically monitoring a plurality of consensus nodes for a plurality of data accessor user-specified documents of interest, wherein the plurality of data accessor user-specified documents of interest include asset transfers of a digital wallet specified by the data accessor user; and transmitting the result of the access transaction of the second smart contract to the plurality of consensus nodes based on the first authentication data from the authentication node and based on the blockchain ledger entry address. The result of the second smart contract is transmitted to an encrypted digital wallet, the digital wallet being configured to receive a portion of a dedicated encrypted token.

在执行第一智能合约的当前版本过程中,仅当预定义可信度指示达到阈值时,通过循环执行所述第二智能合约的访问交易,循环监视多个共识节点的多个请求用户指定的感兴趣文档信息,其中所述多个数据访问者用户指定的感兴趣文档信息包括属于数据访问者用户指定的数字钱包的交易。During the execution of the current version of the first smart contract, only when the predefined credibility indication reaches a threshold, the access transaction of the second smart contract is cyclically executed, and the document information of interest specified by multiple requesting users of multiple consensus nodes is cyclically monitored, wherein the document information of interest specified by the multiple data accessor users includes transactions belonging to a digital wallet specified by the data accessor user.

在执行第一智能合约的当前版本之后,将第二智能合约的访问交易传输到该候选认证节点。After executing the current version of the first smart contract, an access transaction for the second smart contract is transmitted to the candidate authentication node.

实施例3:Embodiment 3:

本发明中的用户共有3种角色,数据使用者及数据服务方为其他业务系统,数据所有者为主业务系统。There are three types of users in the present invention: data users and data service providers are other business systems, and data owners are the main business system.

1)数据所有者:各个业务系统的数据,通过维护用于共享的文档数据和提供对外的数据查询服务,并按需追踪数据的使用过程。1) Data owner: The data of each business system is maintained by document data for sharing, provides external data query services, and tracks the data usage process on demand.

2)数据使用者:业务系统通过发起数据使用需求并获得被标记的数据使用权。2) Data users: Business systems initiate data usage requirements and obtain the right to use the marked data.

3)数据服务方:同时服务所有者和使用者,通过记录数据流转过程,维持流转秩序,记录相关情况。3) Data service provider: serves both the owner and the user by recording the data flow process, maintaining the flow order, and recording relevant situations.

如图3所示,本发明另一方面提供了一种数据管理实施方法,包括:As shown in FIG3 , another aspect of the present invention provides a data management implementation method, comprising:

第一步:业务系统进行系统实施部署,并公布系统的公钥、数据访问规则、访问内容、访问方式、数据共享的标准格式。Step 1: The business system implements and deploys the system and publishes the system's public key, data access rules, access content, access methods, and standard format for data sharing.

第二步:相关业务系统用户加入区块链并审核通过。Step 2: Relevant business system users join the blockchain and are approved.

第三步:向业务系统发送数据证书。Step 3: Send the data certificate to the business system.

第四步:提交数据索引信息。图4示出了数据索引信息的示例图。Step 4: Submit data index information. FIG4 shows an example diagram of data index information.

第五步:对接受到的所有索引信息进行验证,并将验证完成的记录汇总,加入到区块中,形成区块链。Step 5: Verify all received index information, summarize the verified records, and add them to the block to form a blockchain.

实施例4:Embodiment 4:

基于此,本发明的共享访问系统的运行过程如下:Based on this, the operation process of the shared access system of the present invention is as follows:

1、当数据使用者需要使用某个参与业务的项目信息时,先检索区块链上是否存在对应索引,而不获取真正的数据内容。如存在,得到此索引全部的信息,包含信息描述、密钥信息(公钥和私钥)、签名等。本发明中私钥采用的加密算法包括:DES、3DES、TDEA、Blowfish、Scr2、Scr4、Scr5、IDEA、PKIPJACK、AES等;公钥采用的加密算法包括:RSA、Elgamal、背包算法、Rabin、D-H、ECC等;1. When a data user needs to use the project information of a business, first search whether there is a corresponding index on the blockchain without obtaining the actual data content. If it exists, obtain all the information of this index, including information description, key information (public key and private key), signature, etc. The encryption algorithms used for the private key in the present invention include: DES, 3DES, TDEA, Blowfish, Scr2, Scr4, Scr5, IDEA, PKIPJACK, AES, etc.; the encryption algorithms used for the public key include: RSA, Elgamal, backpack algorithm, Rabin, D-H, ECC, etc.;

2、数据使用者通过业务主系统发起数据请求,数据请求包含利用hash算法生成的数据业务主关键字的HASH值、密钥信息、请求需求等,如果存在对应索引则发送给需提供数据的部门,如果不存在对应索引,则发起请求等待可以数据所有者用户完成业务后再响应该请求。2. The data user initiates a data request through the main business system. The data request contains the HASH value of the data business main keyword generated by the hash algorithm, key information, request requirements, etc. If the corresponding index exists, it is sent to the department that needs to provide data. If the corresponding index does not exist, the request is initiated and waits for the data owner user to complete the business before responding to the request.

3、数据所有者用户提取公钥信息并确认数据使用者为合法角色后(这里的合法角色包括:确认的数据使用者为合法使用者),将符合标准要求的数据利用公钥加密、私钥签名后,生成加密数据包,发送给业务主系统。3. After the data owner user extracts the public key information and confirms that the data user is a legitimate role (the legitimate role here includes: the confirmed data user is a legitimate user), the data that meets the standard requirements is encrypted using the public key and signed with the private key to generate an encrypted data packet and send it to the main business system.

4、业务主系统通过提取公钥,验证合法后,利用私钥解密记录并核对是否为请求的HASH值,如果是,则使用数据,形成交易记录。其过程如图5所示。图5中,Block1表示分布式块;Header表示主关键信息索引,Body,表示信息内容,Signature为签名,表示个人信息。数据使用者为该数据业务指定用户包括:根据数据业务主关键字确定项目信息,根据预先存储的该业务中参与该数据业务的用户信息列表中提取相关用户,并确定该数据访问者用户是否属于该相关用户,如果是则认为数据使用者为该数据业务指定用户。本发明对角色的验证包括了数据流程合法性验证和数据使用权限验证的双重验证,在保证审计流程安全的基础上保证了数据使用的安全性。4. The main business system extracts the public key, verifies its legitimacy, decrypts the record with the private key and checks whether it is the requested HASH value. If so, the data is used to form a transaction record. The process is shown in Figure 5. In Figure 5, Block1 represents a distributed block; Header represents the main key information index, Body represents the information content, and Signature is a signature, which represents personal information. The data user specifies the user for the data service, including: determining the project information based on the main keyword of the data service, extracting relevant users from the user information list of the data service that is pre-stored in the service, and determining whether the data accessor user belongs to the relevant user. If so, the data user is considered to be the designated user of the data service. The role verification of the present invention includes dual verification of the legitimacy of the data process and the data usage authority verification, which ensures the security of data use on the basis of ensuring the security of the audit process.

本发明中公钥加密、私钥签名后,生成加密数据包。In the present invention, after public key encryption and private key signature, an encrypted data packet is generated.

在一个优选的实施例中,共享访问系统的认证节点与业务主系统基于智能合约的方式共同生成密钥SK和再加密密钥;将用户属性相关的数据发送业务主系统和共享访问系统,利用去中心化的共享访问系统完成再加密。In a preferred embodiment, the authentication node of the shared access system and the business main system jointly generate the key SK and the re-encryption key based on a smart contract; the data related to the user attributes is sent to the business main system and the shared access system, and the re-encryption is completed using the decentralized shared access system.

首先业务主系统生成系统公钥,并把系统公钥发送给数据所有者;数据所有者使用系统公钥以及访问策略对数据进行加密并上传至共享访问系统;数据所有者将数据标识以及访问策略返回给业务主系统,由业务主系统写入到区块链中;First, the business main system generates a system public key and sends it to the data owner. The data owner uses the system public key and access policy to encrypt the data and upload it to the shared access system. The data owner returns the data identifier and access policy to the business main system, which writes it into the blockchain.

数据访问者向系统发送注册请求,认证节点对其进行属性验证并发送用户密钥,然后将属性集写入到区块中;业务主系统读取区块中的用户以及其属性集,并向对应用户发送属性密钥;业务主系统对比区块中的数据标识以及访问策略,并将再加密密钥发送给共享访问系统;数据访问者下载存储在共享访问系统上的再加密密文并进行解密操作。The data accessor sends a registration request to the system, the authentication node verifies its attributes and sends the user key, and then writes the attribute set into the block; the business main system reads the users and their attribute sets in the block, and sends the attribute key to the corresponding user; the business main system compares the data identifier and access policy in the block, and sends the re-encryption key to the shared access system; the data accessor downloads the re-encrypted ciphertext stored on the shared access system and performs decryption operations.

以树形结构描述节点身份,采用证书链的方式检验身份。运行于节点的智能合约代码均参与认证和授权区块链操作。节点身份证书由三部分组成:[Scr,psk,ppk],即自签名证书Scr,系统私钥psk以及系统公钥ppk。Scr包含与证书持有者相关属性的文档和被psk加密的数字签名,ppk用于验证根证书的有效性。The node identity is described in a tree structure, and the identity is verified by a certificate chain. The smart contract code running on the node is involved in the authentication and authorization of blockchain operations. The node identity certificate consists of three parts: [Scr, psk, ppk], namely the self-signed certificate Scr, the system private key psk and the system public key ppk. Scr contains a document with attributes related to the certificate holder and a digital signature encrypted by psk. PPK is used to verify the validity of the root certificate.

HGN[i,j]可取值1或0,当其值为0时,则表示第i行组织在其通道内未拥有第j列的权限,反之则拥有该权限。HGN[i, j] can take the value of 1 or 0. When its value is 0, it means that the organization in the i-th row does not have the permission of the j-th column in its channel, otherwise it has the permission.

实施例5:Embodiment 5:

本发明的共享访问系统进一步包括数据监督过程。监督的内容包括,数据所有者用户提供数据的规范性和质量,业务系统有无恶意使用,过程中有无数据泄漏风险。优选的过程如下:The shared access system of the present invention further includes a data supervision process. The supervision content includes the standardization and quality of the data provided by the data owner user, whether the business system is used maliciously, and whether there is a risk of data leakage in the process. The preferred process is as follows:

数据所有者首先与认证节点进行交互,并获得全局认证参数。然后,数据所有者生成有限域和分布函数F。然后数据所有者初始化业务系统用户的等级结构,并为各个业务系统用户分配二维张量(Ai,Bi)。最后通过分布函数F对张量的运算,数据所有者计算全局认证参数中的连接矩阵。每个业务系统用户的张量Bi与所对应的公开张量的乘积是其对应的加密密钥如果两个业务系统不具有等级关系,则与两者关联的张量乘积为零。如果具有等级关系,则通过上一级业务系统用户的张量能够计算获得下一级业务系统用户的加密密钥。The data owner first interacts with the authentication node and obtains the global authentication parameters. Then, the data owner generates a finite field and a distribution function F. Then the data owner initializes the hierarchical structure of the business system users and assigns a two-dimensional tensor (A i , B i ) to each business system user. Finally, by operating the tensor with the distribution function F, the data owner calculates the connection matrix in the global authentication parameters. The product of each business system user's tensor B i and the corresponding public tensor is its corresponding encryption key. If two business systems do not have a hierarchical relationship, the product of the tensors associated with the two is zero. If they have a hierarchical relationship, the encryption key of the user of the business system at the next level can be calculated through the tensor of the user of the business system at the previous level.

所述连接矩阵通过以下过程得到:The connection matrix is obtained by the following process:

数据所有者为业务系统用户Vi随机选择张量Ai=(ai,1,ai,2)和Bi=(bi1,bi,2)。将所有张量Ai通过分布函数F映射到一个新的张量WiThe data owner randomly selects tensors A i = (a i, 1 , a i, 2 ) and B i = (b i , 1 , b i, 2 ) for business system user V i , and maps all tensors A i to a new tensor W i through a distribution function F .

数据所有者将Bi转换到一个n维张量Γi。γi,1=bi,1、γi,2=bi,i而对j≠1,i均有γi,j=0;得到n维张量的集合Γ1=(γ1,1,γ1,2,0,…,0);Γ2=(γ2,1,γ2,2,0,…,0);Γn=(γn,1,0,…,0,γn,n);The data owner converts Bi into an n-dimensional tensor Γi . γi,1 = bi,1 , γi ,2 = bi ,i, and for j≠1,i, γi ,j = 0; the set of n-dimensional tensors Γ1 = ( γ1,1 , γ1,2 , 0, ..., 0); Γ2 = ( γ2,1 , γ2,2 , 0, ..., 0); Γn = (γn ,1 , 0, ..., 0, γn ,n );

计算矩阵Calculating the Matrix

判断张量Γ1,Γ2…Γn是否相关。如果相关,则重新选择B1,B2…Bn。否则为每个类选取一个加密密钥并计算连接矩阵A。即对每个业务系统用户Vi,数据所有者随机选取自身的加密密钥 Determine whether the tensors Γ 1 , Γ 2 …Γ n are related. If so, reselect B 1 , B 2 …B n . Otherwise, select an encryption key for each class and calculate the connection matrix A. That is, for each business system user V i , the data owner randomly selects his own encryption key

定义和Φ=[Φ1,…,Φn]T,则Γ×A=Φ;definition And Φ=[Φ 1 ,...,Φ n ] T , then Γ×A=Φ;

求解上述步骤中的方程组,得到A=Γ-1×Φ;Solve the equations in the above steps to obtain A = Γ -1 × Φ;

数据所有者通过安全信道将发送给业务系统用户Vi,并将F以及A发送给认证节点。The data owner sends Send it to the business system user V i , and send F and A to the authentication node.

本发明方法能够产生以下有益效果:The method of the present invention can produce the following beneficial effects:

1)所有索引链上的信息都含有特定的业务系统密钥,无法导出原文,所以无泄漏风险。1) All information on the index chain contains specific business system keys and the original text cannot be exported, so there is no risk of leakage.

2)作业系统与数据所有者间的数据请求与响应,无第三方参与,过程无泄漏风险。2) Data requests and responses between the operating system and the data owner, without the involvement of a third party, and no risk of leakage in the process.

3)数据包只有业务系统的私钥能解密,无第三方泄密风险。3) Only the private key of the business system can decrypt the data packet, and there is no risk of third-party leakage.

4)数据最终的使用结果生成到业务系统的交易链中,实现“留痕”,是可追溯的。4) The final usage results of the data are generated into the transaction chain of the business system, leaving traces and being traceable.

显然,所描述的实施例是本发明一部分实施例,而不是全部的实施例。基于本发明中的实施例,本领域普通技术人员在没有做出创造性劳动前提下所获得的所有其它实施例,都属于本发明保护的范围。Obviously, the described embodiments are only some embodiments of the present invention, but not all embodiments. Based on the embodiments of the present invention, all other embodiments obtained by ordinary technicians in this field without creative work are within the scope of protection of the present invention.

本领域内的技术人员应明白,本申请的实施例可提供为方法、系统、或计算机程序产品。因此,本申请可采用完全硬件实施例、完全软件实施例、或结合软件和硬件方面的实施例的形式。而且,本申请可采用在多个其中包含有计算机可用程序代码的计算机可用存储介质(包括但不限于磁盘存储器、CD-ROM、光学存储器等)上实施的计算机程序产品的形式。Those skilled in the art will appreciate that the embodiments of the present application may be provided as methods, systems, or computer program products. Therefore, the present application may adopt the form of a complete hardware embodiment, a complete software embodiment, or an embodiment in combination with software and hardware. Moreover, the present application may adopt the form of a computer program product implemented on a plurality of computer-usable storage media (including but not limited to disk storage, CD-ROM, optical storage, etc.) that contain computer-usable program codes.

本申请是参照根据本申请实施例的方法、设备(系统)、和计算机程序产品的流程图和/或方框图来描述的。应理解可由计算机程序指令实现流程图和/或方框图中的每一流程和/或方框、以及流程图和/或方框图中的流程和/或方框的结合。可提供这些计算机程序指令到通用计算机、专用计算机、嵌入式处理机或其他可编程数据处理设备的处理器以产生一个机器,使得通过计算机或其他可编程数据处理设备的处理器执行的指令产生用于实现在流程图一个流程或多个流程和/或方框图一个方框或多个方框中指定的功能的装置。The present application is described with reference to the flowchart and/or block diagram of the method, device (system) and computer program product according to the embodiment of the present application. It should be understood that each process and/or box in the flowchart and/or block diagram, and the combination of the process and/or box in the flowchart and/or block diagram can be realized by computer program instructions. These computer program instructions can be provided to a processor of a general-purpose computer, a special-purpose computer, an embedded processor or other programmable data processing device to produce a machine, so that the instructions executed by the processor of the computer or other programmable data processing device produce a device for realizing the function specified in one process or multiple processes in the flowchart and/or one box or multiple boxes in the block diagram.

这些计算机程序指令也可存储在能引导计算机或其他可编程数据处理设备以特定方式工作的计算机可读存储器中,使得存储在该计算机可读存储器中的指令产生包括指令装置的制造品,该指令装置实现在流程图一个流程或多个流程和/或方框图一个方框或多个方框中指定的功能。These computer program instructions may also be stored in a computer-readable memory that can direct a computer or other programmable data processing device to work in a specific manner, so that the instructions stored in the computer-readable memory produce a manufactured product including an instruction device that implements the functions specified in one or more processes in the flowchart and/or one or more boxes in the block diagram.

这些计算机程序指令也可装载到计算机或其他可编程数据处理设备上,使得在计算机或其他可编程设备上执行一系列操作步骤以产生计算机实现的处理,从而在计算机或其他可编程设备上执行的指令提供用于实现在流程图一个流程或多个流程和/或方框图一个方框或多个方框中指定的功能的步骤。These computer program instructions may also be loaded onto a computer or other programmable data processing device so that a series of operational steps are executed on the computer or other programmable device to produce a computer-implemented process, whereby the instructions executed on the computer or other programmable device provide steps for implementing the functions specified in one or more processes in the flowchart and/or one or more boxes in the block diagram.

以上仅为本发明的实施例而已,并不用于限制本发明,凡在本发明的精神和原则之内,所做的任何修改、等同替换、改进等,均包含在申请待批的本发明的权利要求范围之内。The above are merely embodiments of the present invention and are not intended to limit the present invention. Any modifications, equivalent substitutions, improvements, etc. made within the spirit and principles of the present invention are included in the scope of the claims of the present invention to be approved.

Claims (10)

1.一种去中心化的可追溯共享访问系统,其特征在于,包括认证节点和共识节点;1. A decentralized traceable shared access system, characterized by including authentication nodes and consensus nodes; 所述认证节点用于基于认证节点上部署的各个功能模块,实现对用户进行管理、对文档数据和业务进行管理并维护数据访问信息;The authentication node is used to manage users, manage document data and services, and maintain data access information based on various functional modules deployed on the authentication node; 所述共识节点用于基于共识节点上部署的各个功能模块,对访问所述共识节点的用户进行安全管理、发起数据共享请求并根据数据共享请求提供数据共享服务;The consensus node is used to perform security management on users accessing the consensus node, initiate data sharing requests, and provide data sharing services according to the data sharing requests based on the various functional modules deployed on the consensus node; 其中所述共识节点进一步用于接收统计简档,其中统计简档包括共识节点的网络位置和共识节点的性能规范,并且其中所述共享访问系统实现去中心架构,所述去中心架构包括在CDN网络上分层的多种类型的对等连接,所述CDN网络具有多个CDN服务器,用于向共识节点提供文档数据的第一组片段;wherein the consensus node is further configured to receive a statistical profile, wherein the statistical profile includes a network location of the consensus node and a performance specification of the consensus node, and wherein the shared access system implements a decentralized architecture comprising multiple types of peer connections layered on a CDN network, the CDN network having a plurality of CDN servers for providing a first set of segments of the document data to the consensus node; 其中,当所述CDN服务器接收共识节点发送的缓存指令时,所述CDN服务器返回所述文档数据的所述第一组片段的子集,其中所述缓存指令是基于所述统计简档生成的;wherein, when the CDN server receives a cache instruction sent by a consensus node, the CDN server returns a subset of the first group of segments of the document data, wherein the cache instruction is generated based on the statistical profile; 当所述共享访问系统中的数据使用者用户向所述CDN服务器发送用于访问文档数据的多个目标片段的请求时,所述CDN服务器从所接收的请求中提取所请求的文档数据的内容类型和数据使用者用户的网络位置;从所述共享访问系统中当前活动的共识节点中选择多个共识节点来提供对文档数据的多个目标片段的访问,生成缓存列表,其中基于数据使用者用户的网络位置、共识节点的网络位置以及所请求的文档数据的内容类型来选择多个共识节点;并将生成的缓存列表传输到数据使用者用户。When a data user in the shared access system sends a request for accessing multiple target fragments of document data to the CDN server, the CDN server extracts the content type of the requested document data and the network location of the data user from the received request; selects multiple consensus nodes from the currently active consensus nodes in the shared access system to provide access to the multiple target fragments of the document data, generates a cache list, wherein the multiple consensus nodes are selected based on the network location of the data user user, the network location of the consensus nodes, and the content type of the requested document data; and transmits the generated cache list to the data user user. 2.如权利要求1所述的系统,其特征在于,所述认证节点进一步确定所述文档数据的多个片段到所述网络的两个以上的共识节点的最优分布状态;2. The system of claim 1, wherein the authentication node further determines an optimal distribution state of the plurality of segments of the document data to more than two consensus nodes of the network; 其中所述最优分布状态定义所述两个以上共识节点中的每一个需要从所述CDN服务器下载所述文档数据的多个片段的标识;所述缓存列表中的多个共识节点缓存所述文档数据的多个目标片段;The optimal distribution state defines that each of the two or more consensus nodes needs to download identifiers of multiple fragments of the document data from the CDN server; the multiple consensus nodes in the cache list cache multiple target fragments of the document data; 所述缓存指令进一步基于所述文档数据的内容优先级来生成;The cache instruction is further generated based on the content priority of the document data; 所述共识节点响应于接收到用户的标识请求,将所述标识传送给所述用户,以在所述共享访问系统中使用。In response to receiving the identification request from the user, the consensus node transmits the identification to the user for use in the shared access system. 3.如权利要求1所述的系统,其特征在于,所述缓存列表中的共识节点在被授权向数据使用者用户共享文档数据之前,确认接收到所述认证节点的支付授权证书,并且在所述用户从多个共识节点接收文档数据的多个目标片段之后,所述共识节点接收数据使用者用户签名的服务应答,然后向所述多个共识节点发送更新的链外交易,所述链外交易将总支付额度进行累加,用于确定包括所述文档数据的多个目标片段中的支付额度。3. The system as described in claim 1 is characterized in that the consensus nodes in the cache list confirm receipt of the payment authorization certificate of the authentication node before being authorized to share document data with the data user user, and after the user receives multiple target fragments of document data from multiple consensus nodes, the consensus node receives a service response signed by the data user user, and then sends an updated off-chain transaction to the multiple consensus nodes, and the off-chain transaction accumulates the total payment amount to determine the payment amount in the multiple target fragments including the document data. 4.如权利要求1所述的系统,其特征在于,所述认证节点和所述共识节点上部署的各个功能模块包括:物理模块、智能合约模块、动态模块、前端模块和应用模块;4. The system according to claim 1, characterized in that the functional modules deployed on the authentication node and the consensus node include: a physical module, a smart contract module, a dynamic module, a front-end module and an application module; 所述物理模块用于,封装支持智能合约实现的所有基础设施;The physical module is used to encapsulate all infrastructures that support the implementation of smart contracts; 所述智能合约模块用于,封装静态的合约数据;The smart contract module is used to encapsulate static contract data; 所述动态模块用于,封装对智能合约模块中静态合约数据的动态操作;The dynamic module is used to encapsulate dynamic operations on static contract data in the smart contract module; 所述前端模块用于,封装协议和投票机制;The front-end module is used to encapsulate the protocol and voting mechanism; 所述应用模块用于,封装业务流中各场景和应用。The application module is used to encapsulate various scenarios and applications in the business flow. 5.如权利要求4所述的系统,其特征在于,所述物理模块包括:分布式账本、开发环境和预言机;5. The system of claim 4, wherein the physical module comprises: a distributed ledger, a development environment, and an oracle; 所述分布式账本用于记录共享访问系统上所有数据处理过程数据;The distributed ledger is used to record all data processing process data on the shared access system; 所述开发环境包括基于计算机代码实现的启动节点,部署合约、调用合约;The development environment includes a startup node based on computer code implementation, contract deployment, and contract invocation; 所述预言机基于区块链的安全规则对加密存储系统的数据源进行安全管理。The oracle performs security management on the data source of the encrypted storage system based on the security rules of the blockchain. 6.如权利要求5所述的系统,其特征在于,所述发起数据共享请求包括:6. The system according to claim 5, wherein the initiating a data sharing request comprises: 当数据使用者需要使用某个参与业务的项目信息时,先检索区块链上是否存在对应索引;When a data user needs to use information about a project involved in a business, he or she first searches the blockchain to see if there is a corresponding index. 如果存在,数据使用者基于区块链向数据所有者发起数据请求;否则,数据使用者基于所述区块链发起数据请求。If so, the data user initiates a data request to the data owner based on the blockchain; otherwise, the data user initiates a data request based on the blockchain. 7.如权利要求5所述的系统,其特征在于,所述根据数据共享请求提供数据共享服务包括:7. The system according to claim 5, wherein providing a data sharing service according to a data sharing request comprises: 数据所有者提取公钥信息并确认数据使用者为合法角色后,将符合标准要求的数据利用公钥加密、私钥签名后,生成加密数据包,基于区块链进行发送。After the data owner extracts the public key information and confirms that the data user is a legitimate role, the data that meets the standard requirements is encrypted using the public key and signed with the private key to generate an encrypted data packet, which is sent based on the blockchain. 8.如权利要求7所述的系统,其特征在于,所述确认数据使用者为合法角色包括:确认的数据使用者为合法使用者。8. The system as claimed in claim 7, characterized in that the confirming that the data user is a legitimate role includes: confirming that the data user is a legitimate user. 9.如权利要求5所述的系统,其特征在于,所述对用户进行管理包括:对加入区块链的用户角色和属性进行审核。9. The system as claimed in claim 5, characterized in that the management of users includes: reviewing the roles and attributes of users joining the blockchain. 10.如权利要求5所述的系统,其特征在于,所述维护数据访问信息包括:10. The system of claim 5, wherein the maintenance data access information comprises: 对所述区块链中的数据信息进行审核并发送数据证书并存储;Review the data information in the blockchain and send and store the data certificate; 为所述区块链中的数据信息建立索引信息并存储;Creating and storing index information for the data information in the blockchain; 存储数据使用者发起的数据共享请求、存储数据所有者提供的数据共享服务。It stores data sharing requests initiated by data users and data sharing services provided by data owners.
CN202111224033.0A 2021-10-18 2021-10-18 A decentralized traceable shared access system Active CN114239044B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202111224033.0A CN114239044B (en) 2021-10-18 2021-10-18 A decentralized traceable shared access system

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202111224033.0A CN114239044B (en) 2021-10-18 2021-10-18 A decentralized traceable shared access system

Publications (2)

Publication Number Publication Date
CN114239044A CN114239044A (en) 2022-03-25
CN114239044B true CN114239044B (en) 2024-09-03

Family

ID=80743161

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202111224033.0A Active CN114239044B (en) 2021-10-18 2021-10-18 A decentralized traceable shared access system

Country Status (1)

Country Link
CN (1) CN114239044B (en)

Families Citing this family (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN114726866B (en) * 2022-04-07 2024-07-16 网易(杭州)网络有限公司 Method for maintaining consensus node of alliance chain, electronic equipment and storage medium
CN117037988B (en) * 2023-08-22 2024-05-17 广州视景医疗软件有限公司 Electronic medical record storage method and device based on blockchain

Citations (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN108965247A (en) * 2018-06-04 2018-12-07 上海交通大学 A kind of threat information exchange shared system and method based on block chain
CN109729168A (en) * 2018-12-31 2019-05-07 浙江成功软件开发有限公司 A kind of data share exchange system and method based on block chain

Family Cites Families (8)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
JP6872078B2 (en) * 2017-06-06 2021-05-19 リニウス(エイ・ユー・エス・ティー)プロプライエタリー・リミテッド Content trading agreement system and method
CN111448781B (en) * 2019-07-11 2022-08-26 创新先进技术有限公司 Computer-implemented method for communicating shared blockchain data
US12273448B2 (en) * 2019-08-13 2025-04-08 Db Results Pty Ltd Secure information sharing systems and methods
WO2021072417A1 (en) * 2019-10-11 2021-04-15 Theta Labs, Inc. Methods and systems for decentralized data streaming and delivery network
US11271742B2 (en) * 2020-01-26 2022-03-08 International Business Machines Corporation Decentralized secure data sharing
CN111444258A (en) * 2020-02-11 2020-07-24 江苏荣泽信息科技股份有限公司 Medical data sharing method based on block chain
CN112100665A (en) * 2020-09-23 2020-12-18 江苏四象软件有限公司 A blockchain-based data sharing system
CN113132103B (en) * 2021-03-11 2022-07-12 西安电子科技大学 Data cross-domain security sharing system and method

Patent Citations (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN108965247A (en) * 2018-06-04 2018-12-07 上海交通大学 A kind of threat information exchange shared system and method based on block chain
CN109729168A (en) * 2018-12-31 2019-05-07 浙江成功软件开发有限公司 A kind of data share exchange system and method based on block chain

Also Published As

Publication number Publication date
CN114239044A (en) 2022-03-25

Similar Documents

Publication Publication Date Title
US12273470B2 (en) Data processing method and apparatus, intelligent device, and storage medium
US11025435B2 (en) System and method for blockchain-based cross-entity authentication
US11533164B2 (en) System and method for blockchain-based cross-entity authentication
US10708060B2 (en) System and method for blockchain-based notification
JP7626562B2 (en) Low Trust Privileged Access Management
CN113065961B (en) Power block chain data management system
JP7607754B2 (en) Consensus Service for Blockchain Networks
TW202103029A (en) System and method for mapping decentralized identifiers to real-world entities
US20100058054A1 (en) Mssan
Lu et al. A Fine‐Grained IoT Data Access Control Scheme Combining Attribute‐Based Encryption and Blockchain
JP2023504492A (en) Efficient threshold storage of data objects
US20220407729A1 (en) Data processing method and apparatus, device, and medium
CN111698198B (en) Secret generation and share distribution
CN114239043B (en) A shared encrypted storage system based on blockchain technology
Sharma et al. Blockchain-based distributed application for multimedia system using Hyperledger Fabric
Subathra et al. [Retracted] Decentralized Consensus Blockchain and IPFS‐Based Data Aggregation for Efficient Data Storage Scheme
CN114239044B (en) A decentralized traceable shared access system
Cui et al. IoT data management and lineage traceability: A blockchain-based solution
WO2024045552A1 (en) Data processing method and related devices
Zhang et al. Blockchain based big data security protection scheme
Liu et al. Secure resource sharing on hyperledger fabric based on cp-abe
Tian et al. A trusted control model of cloud storage
Ma et al. Research on High-Throughput Blockchain-Based Solutions for Large-Scale Medical Data Sharing
CN118197580A (en) Digital medical sharing system based on editable blockchain and attribute passwords
CN117155575A (en) Data processing system, method, node and equipment

Legal Events

Date Code Title Description
PB01 Publication
PB01 Publication
SE01 Entry into force of request for substantive examination
SE01 Entry into force of request for substantive examination
GR01 Patent grant
GR01 Patent grant
点击 这是indexloc提供的php浏览器服务,不要输入任何密码和下载