CN118214614B - Method, device and system for access control of data on blockchain system - Google Patents
- Publication number
- CN118214614B
- Authority
- CN
- China
- Prior art keywords
- key
- ciphertext
- encryption algorithm
- access control
- data
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Active
Classifications
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/04—Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
- H04L63/0428—Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
- H04L63/0478—Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload applying multiple layers of encryption, e.g. nested tunnels or encrypting the content with a first key and then with at least a second key
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/10—Network architectures or network communication protocols for network security for controlling access to devices or network resources
- H04L63/101—Access control lists [ACL]
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L67/00—Network arrangements or protocols for supporting network services or applications
- H04L67/01—Protocols
- H04L67/10—Protocols in which an application is distributed across nodes in the network
- H04L67/104—Peer-to-peer [P2P] networks
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L67/00—Network arrangements or protocols for supporting network services or applications
- H04L67/01—Protocols
- H04L67/10—Protocols in which an application is distributed across nodes in the network
- H04L67/1097—Protocols in which an application is distributed across nodes in the network for distributed storage of data in networks, e.g. transport arrangements for network file system [NFS], storage area networks [SAN] or network attached storage [NAS]
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/14—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols using a plurality of keys or algorithms
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/40—Network security protocols
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/50—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols using hash chains, e.g. blockchains or hash trees
Landscapes
- Engineering & Computer Science (AREA)
- Computer Networks & Wireless Communication (AREA)
- Signal Processing (AREA)
- Computer Security & Cryptography (AREA)
- Computer Hardware Design (AREA)
- Computing Systems (AREA)
- General Engineering & Computer Science (AREA)
- Storage Device Security (AREA)
Abstract
The present invention discloses a method, device and system for access control of data on a blockchain system. The method comprises: receiving a hash value of a message ciphertext, a key ciphertext and an access control list of a data owner sent by a blockchain client, where the message ciphertext is obtained by encrypting a message plaintext using a first encryption algorithm, and the key ciphertext is obtained by encrypting the key of the first encryption algorithm using a second encryption algorithm; generating, using the second encryption algorithm, a distributed decryption share corresponding to the key ciphertext; encrypting the distributed decryption share using the access control list of the data owner to obtain a decrypted ciphertext; sending the decrypted ciphertext to a database, where the database asynchronously waits for a first number of decrypted ciphertexts corresponding to the matching access control list of the data owner and then stores them asynchronously; and sharing the hash value of the message ciphertext with all data accessors. The present invention can realize fine-grained access control while ensuring the security of user privacy data.
Description
Technical Field
The present invention relates to the fields of software development, distributed systems, and blockchain technology, and in particular to a method, device, and system for controlling access to data on a blockchain system.
Background
This section is intended to provide a background or context to the embodiments of the invention recited in the claims. No description herein is admitted to be prior art by inclusion in this section.
Blockchain is a new generation of information technology that combines distributed systems and cryptography. The secure data storage and processing model of blockchain technology makes it a likely driving force for change in information technology. From a technical perspective, blockchains can be roughly divided into permissionless chains and permissioned chains. Permissionless chains generally run on open networks and are mostly public chains; participants can take part in consensus and transactions without going through an admission approval process. Permissioned chains require that the nodes (servers) participating in system operation be authorized and authenticated by an administrator or a management body. Permissioned chains can be divided into private chains maintained by a single organization and consortium chains maintained jointly by organizations that know one another's identities.
BFT (Byzantine fault tolerance, i.e. Byzantine fault-tolerant consensus) is the recognized model for permissioned chains. With the rise of blockchain, the BFT consensus system, as the operating system and key core of a blockchain, has come into wide use.
BFT is a client-server working mode based on state machine replication. BFT should satisfy safety and liveness. Safety requires that the states of all servers remain consistent, and liveness requires that the service remain available. The consensus protocol is a crucial component of blockchain technology. It ensures that all nodes in the distributed system can reach agreement on the shared data, so that no centralized organization or body in the blockchain network can control the entire network, which ensures the decentralized nature of the blockchain, and it directly determines the performance of the blockchain. Distributed storage based on a consensus protocol is a technology that stores data on multiple nodes. Each node stores part of the data, and all nodes work together to provide data storage and access services. Unlike traditional centralized storage, distributed storage has the advantages of high availability, high performance, and strong scalability. Because data is stored on multiple nodes, distributed storage has high availability and fault tolerance: even if one or more nodes fail, the operation of the entire system is not affected.
Blockchain offers high reliability, fault tolerance, integrity and availability, as well as functions such as traceability and evidence storage. However, existing blockchain systems have the following problems:
(1) Only a small amount of data is stored on the chain. Core data cannot be stored on the chain or computed on the chain, which limits the real circulation of data. The phenomenon of data silos has not been eliminated by the existence of blockchain.
(2) Traditional blockchain systems cannot guarantee the confidentiality of data, and replicated storage of data actually reduces data confidentiality.
(3) Existing blockchain systems cannot control the reading and writing of data securely and at fine granularity, which increases the security risks of data access.
Summary of the Invention
An embodiment of the present invention provides a method for access control of data on a blockchain system, which is used to implement fine-grained access control while ensuring the security of user privacy data. The method is applied to any node on the blockchain system, and includes:
receiving the hash value of the message ciphertext, the key ciphertext, and the access control list of the data owner sent by the blockchain client, wherein the message ciphertext is obtained by the blockchain client encrypting the message plaintext using the first encryption algorithm, the key ciphertext is obtained by the blockchain client encrypting the key of the first encryption algorithm using the second encryption algorithm, and the message plaintext and the access control list of the data owner are sent by the data owner to the blockchain client;
generating, using the second encryption algorithm, a distributed decryption share corresponding to the key ciphertext;
encrypting the distributed decryption share using the access control list of the data owner to obtain a decrypted ciphertext;
sending the decrypted ciphertext to a database, the database asynchronously waiting for a first number of decrypted ciphertexts corresponding to the matching access control list of the data owner and then storing them asynchronously;
sharing the hash value of the message ciphertext with all data accessors, wherein a data accessor obtains the decrypted ciphertext from the database through the hash value and the access control list of the data accessor, and then decrypts it to obtain the message plaintext.
An embodiment of the present invention also provides another method for access control of data on a blockchain system, which is used to implement fine-grained access control while ensuring the security of user privacy data. The method is applied to a blockchain client, and includes:
receiving a message plaintext and a data owner access control list input by a data owner;
encrypting the message plaintext using a first encryption algorithm to obtain a message ciphertext;
encrypting the key of the first encryption algorithm using the second encryption algorithm to obtain a key ciphertext;
generating a hash value of the message ciphertext, wherein the hash value is used by a data accessor to obtain the message plaintext;
sending the hash value of the message ciphertext, the key ciphertext and the access control list to the blockchain system, wherein, after a distributed decryption share is obtained from the key ciphertext through the node private key, the node on the blockchain system encrypts the decryption share using the access control list of the data owner to obtain the decrypted ciphertext and sends it to the database, and the database asynchronously waits for the first number of decrypted ciphertexts corresponding to the matching access control list of the data owner and then stores them asynchronously.
An embodiment of the present invention provides an access control device for data on a blockchain system, which is used to implement fine-grained access control while ensuring the security of user privacy data, and is applied to any node on the blockchain system. The device includes:
a first receiving module, used to receive a hash value of a message ciphertext, a key ciphertext, and an access control list of a data owner sent by a blockchain client, wherein the message ciphertext is obtained by the blockchain client encrypting the message plaintext using a first encryption algorithm, the key ciphertext is obtained by the blockchain client encrypting the key of the first encryption algorithm using a second encryption algorithm, and the message plaintext and the access control list of the data owner are sent by the data owner to the blockchain client;
a distributed decryption share generation module, used to generate, using the second encryption algorithm, a distributed decryption share corresponding to the key ciphertext;
a decrypted ciphertext obtaining module, used to encrypt the distributed decryption share using the access control list of the data owner to obtain the decrypted ciphertext;
a sending module, used to send the decrypted ciphertext to a database, wherein the database asynchronously waits for a first number of decrypted ciphertexts corresponding to the matching access control list of the data owner and then stores them asynchronously;
a hash value sharing module, used to share the hash value of the message ciphertext with all data accessors, wherein a data accessor obtains the decrypted ciphertext from the database through the hash value and the access control list of the data accessor, and then decrypts it to obtain the message plaintext.
An embodiment of the present invention provides an access control device for data on a blockchain system, which is used to implement fine-grained access control while ensuring the security of user privacy data, and is applied to a blockchain client. The device includes:
a second receiving module, used to receive a message plaintext and a data owner access control list input by a data owner;
a first encryption module, used to encrypt the message plaintext using a first encryption algorithm to obtain a message ciphertext;
a second encryption module, used to encrypt the key of the first encryption algorithm using a second encryption algorithm to obtain a key ciphertext;
a hash value generation module, used to generate a hash value of the message ciphertext, wherein the hash value is used by a data accessor to obtain the message plaintext;
a second sending module, used to send the hash value of the message ciphertext, the key ciphertext and the access control list to the blockchain system, wherein, after a distributed decryption share is obtained from the key ciphertext through the node private key, the node on the blockchain system encrypts the decryption share using the access control list of the data owner to obtain the decrypted ciphertext and sends it to the database, and the database asynchronously waits for the first number of decrypted ciphertexts corresponding to the matching access control list of the data owner and then stores them asynchronously.
An embodiment of the present invention provides an access control system for data on a blockchain system, which is used to achieve fine-grained access control while ensuring the security of user privacy data. The system includes a blockchain system, a blockchain client and a database, wherein:
the blockchain client is used to: receive a message plaintext and an access control list input by a data owner; encrypt the message plaintext using a first encryption algorithm to obtain a message ciphertext, encrypt the key of the first encryption algorithm using a second encryption algorithm to obtain a key ciphertext, and generate a hash value of the message ciphertext; and send the hash value of the message ciphertext, the key ciphertext and the access control list to the blockchain system;
the node on the blockchain system is used to: receive the hash value of the message ciphertext, the key ciphertext and the access control list of the data owner sent by the blockchain client; generate, using the second encryption algorithm, the distributed decryption share corresponding to the key ciphertext, and encrypt the distributed decryption share using the access control list of the data owner to obtain the decrypted ciphertext; send the decrypted ciphertext to the database; and share the hash value of the message ciphertext with all data accessors, wherein a data accessor obtains the decrypted ciphertext from the database through the hash value and the access control list of the data accessor, and then decrypts it to obtain the message plaintext;
the database is used to: asynchronously wait for the first number of decrypted ciphertexts corresponding to the matching access control list, and then store them asynchronously.
An embodiment of the present invention also provides a computer device, including a memory, a processor, and a computer program stored in the memory and executable on the processor, wherein the processor implements the above access control method for data on a blockchain system when executing the computer program.
An embodiment of the present invention also provides a computer-readable storage medium, which stores a computer program. When the computer program is executed by a processor, it implements the above access control method for data on a blockchain system.
An embodiment of the present invention also provides a computer program product, which includes a computer program. When the computer program is executed by a processor, it implements the above access control method for data on a blockchain system.
In an embodiment of the present invention, the blockchain client can receive a message plaintext and an access control list input by a data owner; encrypt the message plaintext using a first encryption algorithm to obtain a message ciphertext, encrypt the key of the first encryption algorithm using a second encryption algorithm to obtain a key ciphertext, and generate a hash value of the message ciphertext; and send the hash value of the message ciphertext, the key ciphertext and the access control list to the blockchain system. A node on the blockchain system can receive the hash value of the message ciphertext, the key ciphertext and the access control list of the data owner sent by the blockchain client; generate, using the second encryption algorithm, a distributed decryption share corresponding to the key ciphertext, and encrypt the distributed decryption share using the access control list of the data owner to obtain a decrypted ciphertext; send the decrypted ciphertext to a database; and share the hash value of the message ciphertext with all data accessors, where a data accessor obtains the decrypted ciphertext from the database through the hash value and the access control list of the data accessor, and then decrypts it to obtain the message plaintext. The database can asynchronously wait for the first number of decrypted ciphertexts corresponding to the matching access control list, and then store them asynchronously. Compared with traditional blockchain systems, whose performance is low, the method and system proposed in the embodiment of the present invention do not rely on open source software or existing blockchain platforms and can be updated and iterated quickly. Through the database, a large amount of core data can be stored on the chain with support for on-chain computation, breaking down the barriers of data silos and truly realizing collaborative sharing and efficient use of data resources; this can ensure the liveness of the system, reduce the difficulty and pressure of data maintenance, reduce the cost of system storage and invocation, and improve the security and reliability of the system. Through the access control list of the data owner, access control can be fine-grained and precisely controllable: it can determine which data is read or used, at what time, and by whom, and access control permissions can also be determined and modified dynamically. The whole process has no single point of failure and needs no trusted third party, and the reliability, liveness and integrity of the blockchain system are ensured.
Brief Description of the Drawings
In order to more clearly illustrate the embodiments of the present invention or the technical solutions in the prior art, the following briefly introduces the drawings required for the description of the embodiments or the prior art. Obviously, the drawings described below are only some embodiments of the present invention. A person of ordinary skill in the art can obtain other drawings from these drawings without creative effort. In the drawings:
FIG. 1 is a flow chart of a method for controlling access to data on a blockchain system according to an embodiment of the present invention;
FIG. 2 is a schematic diagram of a write operation in an embodiment of the present invention;
FIG. 3 is a flow chart of another method for controlling access to data on a blockchain system according to an embodiment of the present invention;
FIG. 4 is a schematic diagram of a read operation in an embodiment of the present invention;
FIG. 5 is a schematic diagram of a device for controlling access to data on a blockchain system according to an embodiment of the present invention;
FIG. 6 is a schematic diagram of another device for controlling access to data on a blockchain system according to an embodiment of the present invention;
FIG. 7 is a schematic diagram of an access control system for data on a blockchain system according to an embodiment of the present invention;
FIG. 8 is a schematic diagram of a computer device according to an embodiment of the present invention.
Detailed Description
To make the purpose, technical solution and advantages of the embodiments of the present invention clearer, the embodiments of the present invention are described in further detail below in conjunction with the accompanying drawings. Here, the exemplary embodiments of the present invention and their descriptions are used to explain the present invention, but are not intended to limit the present invention.
FIG. 1 is a flow chart of a fine-grained access control method for a blockchain system in an embodiment of the present invention. The method is applied to any node on the blockchain system. The method includes:
Step 101, receiving a hash value of a message ciphertext, a key ciphertext, and an access control list of a data owner sent by a blockchain client, wherein the message ciphertext is obtained by the blockchain client encrypting a message plaintext using a first encryption algorithm, the key ciphertext is obtained by the blockchain client encrypting the key of the first encryption algorithm using a second encryption algorithm, and the message plaintext and the access control list of the data owner are sent by the data owner to the blockchain client;
Step 102, generating, using the second encryption algorithm, a distributed decryption share corresponding to the key ciphertext;
Step 103, encrypting the distributed decryption share using the access control list of the data owner to obtain a decrypted ciphertext;
Step 104, sending the decrypted ciphertext to a database, wherein the database asynchronously waits for a first number of decrypted ciphertexts corresponding to the matching access control list of the data owner and then stores them asynchronously;
Step 105, sharing the hash value of the message ciphertext with all data accessors, wherein a data accessor obtains the decrypted ciphertext from the database through the hash value and the access control list of the data accessor, and then decrypts it to obtain the message plaintext.
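The write path of steps 101 to 105 and the matching read, as an added Python sketch that is not code from the patent. Assumptions: the first encryption algorithm is stood in for by a SHA-256 keystream, the second by threshold ElGamal over a toy group (p = 2039) with a trusted dealer, and the access control list is modelled as a set of accessor names used as the database match key; the wrapping of each share under the access control list (step 103) is left out because this excerpt does not say how it is done.

```python
import hashlib
import secrets

# Toy group (assumption, far too small for real use): safe prime P = 2Q + 1,
# G = 4 generates the subgroup of prime order Q.
P, Q, G = 2039, 1019, 4

def keystream_xor(key: bytes, data: bytes) -> bytes:
    """Stand-in for the 'first encryption algorithm' (not an AEAD, demo only)."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hashlib.sha256(key + i.to_bytes(8, "big")).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], block))
    return bytes(out)

def kdf(elem: int) -> bytes:
    return hashlib.sha256(b"kem" + elem.to_bytes(2, "big")).digest()

def deal_keys(n: int, t: int):
    """Hypothetical trusted-dealer setup: Shamir-share the private key, threshold t."""
    coeffs = [secrets.randbelow(Q - 1) + 1] + [secrets.randbelow(Q) for _ in range(t - 1)]
    shares = {i: sum(c * pow(i, k, Q) for k, c in enumerate(coeffs)) % Q
              for i in range(1, n + 1)}
    return pow(G, coeffs[0], P), shares  # public key, {node_id: private share}

def client_write(plaintext: bytes, pub: int):
    """Client side: message ciphertext, its hash, and the key ciphertext."""
    sym_key = secrets.token_bytes(32)
    msg_ct = keystream_xor(sym_key, plaintext)
    r = secrets.randbelow(Q - 1) + 1
    key_ct = (pow(G, r, P), keystream_xor(kdf(pow(pub, r, P)), sym_key))
    return msg_ct, hashlib.sha256(msg_ct).hexdigest(), key_ct

def node_share(node_id: int, priv_share: int, key_ct):
    """Step 102: one node's distributed decryption share for the key ciphertext."""
    return node_id, pow(key_ct[0], priv_share, P)

class ShareStore:
    """Step 104: buffer shares per (hash, ACL) and commit only at the 'first number'."""
    def __init__(self, first_number: int):
        self.first_number = first_number
        self.pending, self.stored = {}, {}

    def submit(self, ct_hash: str, acl, share) -> bool:
        slot = (ct_hash, frozenset(acl))
        if slot in self.stored:
            return True
        bucket = self.pending.setdefault(slot, {})
        bucket[share[0]] = share[1]  # one share per node id; resubmission overwrites
        if len(bucket) >= self.first_number:
            self.stored[slot] = self.pending.pop(slot)
            return True
        return False

    def fetch(self, ct_hash: str, accessor: str):
        for (h, acl), shares in self.stored.items():
            if h == ct_hash and accessor in acl:
                return shares
        return None  # not committed yet, or accessor not on the ACL

def combine(shares: dict, key_ct, t: int) -> bytes:
    """Accessor side: Lagrange-combine t shares in the exponent, unwrap the key."""
    ids = sorted(shares)[:t]
    acc = 1
    for i in ids:
        lam = 1
        for j in ids:
            if j != i:
                lam = lam * j * pow((j - i) % Q, -1, Q) % Q
        acc = acc * pow(shares[i], lam, P) % P
    return keystream_xor(kdf(acc), key_ct[1])

def demo():
    n, t = 4, 3                          # constructed: 4 nodes, first number = 3
    pub, priv = deal_keys(n, t)
    acl = {"alice", "clinic-7"}          # constructed accessor names
    msg_ct, h, key_ct = client_write(b"heart rate 72 bpm", pub)
    store = ShareStore(first_number=t)
    progress = [store.submit(h, acl, node_share(i, priv[i], key_ct)) for i in (1, 2, 4)]
    denied = store.fetch(h, "mallory")
    shares = store.fetch(h, "alice")
    if hashlib.sha256(msg_ct).hexdigest() != h:  # accessor checks the shared hash
        raise ValueError("message ciphertext does not match shared hash")
    return progress, denied, keystream_xor(combine(shares, key_ct, t), msg_ct)

if __name__ == "__main__":
    print(demo())
```

Fewer than the first number of shares leaves the entry uncommitted, so no accessor can fetch anything until the quorum is reached.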
In the embodiment of the present invention, the message plaintext includes user privacy data. User privacy data includes the user's personal information (for example, age and gender) as well as data generated by personal electronic devices.
The blockchain system proposed in the embodiment of the present invention includes a blockchain consensus module, a blockchain storage module, an access control module, a network communication protocol module and a cryptographic component.
Blockchain consensus module: a consensus algorithm is a distributed algorithm that multiple nodes run in a distributed setting in order to reach the same data state. In a distributed setting, faults such as network packet loss, clock drift, node crashes and malicious nodes may occur; the consensus algorithm must tolerate these faults and ensure that the nodes reach the same data state. By the type of fault tolerated, consensus algorithms fall into two categories. Crash fault tolerant consensus algorithms tolerate network packet loss, clock drift and crashes of some nodes, that is, faults in which the nodes remain benign; common algorithms are Paxos and Raft. Byzantine fault tolerant consensus algorithms tolerate arbitrary faults in some nodes, including malicious behavior; common algorithms include PBFT, PoW and PoS.
By usage scenario, consensus algorithms can also be divided into public chain consensus and consortium chain consensus. In distributed technology, consensus has become synonymous with a specific algorithm within a single function. However, consensus covers more than simply agreeing on the order of information; this distinction is highlighted by its fundamental role throughout the information flow, from proposal and endorsement to ordering, validation and commit. In short, consensus is defined as the closed-loop verification of the correctness of the set of information that makes up a block. A consortium chain is characterized by a relatively stable network between nodes and by admission requirements for nodes. Raft-type or PBFT-type algorithms can be chosen according to the type of fault that must be tolerated. The advantages of these algorithms are high TPS and transaction confirmation within milliseconds; the disadvantage is that the number of supported nodes is limited, usually no more than 100.
Blockchain storage module: the storage module persistently stores on-chain ledger data such as blocks, transactions, state and historical read-write sets, and exposes query functions for that data. The blockchain commits data in batches, one block at a time. A single block commit involves committing several kinds of ledger data, such as transactions and state changes, so the storage module must maintain the atomicity of the ledger data. The embodiment of the present invention intends to support commonly used databases for storing ledger data, such as LevelDB, BadgerDB, TikvDB and MySQL; a deployment can choose any one of them. In the embodiment of the present invention, the hash value of the message ciphertext, the key ciphertext and the data owner's access control list may be stored in the blockchain storage module.
Access control module: access control defines how decisions are made and how specific results are achieved. To this end, access control generally describes who and what, for example a person's access or permissions to private data. In the embodiment of the present invention, access control is a management mechanism for the infrastructure. Access control expresses how members admit to or reject from the network, and so on. Access control is agreed unanimously by the consortium members when the network is first configured, but it can be modified as the network evolves. For example, the members define the criteria for adding or removing members, for changing the block format, or for specifying the number of organizations whose endorsement is required. All of these rules about who can do what are described in access control. Put simply, everything one wants to do on the blockchain platform is subject to access control. Existing blockchain systems cannot achieve secure, fine-grained control over data reads and writes, which increases the security risk of data access; the access control scheme for data on a blockchain system proposed in the embodiment of the present invention solves this problem.
Network communication protocol module: all nodes in the blockchain system communicate using Guomi (Chinese national cryptography standard) TLS + gRPC. TLS is a transport-layer protocol based on TCP, and TCP retransmits data, which ensures reliable and efficient data transmission; in addition, gRPC components such as the name resolver and the load balancer ensure the liveness, health and availability of connections.
Cryptographic component: provides software implementations of signing and signature verification, hash computation, encryption and decryption functions, and cryptographic protocols based on the SM2 and SM3 algorithms.
FIG. 2 is a schematic diagram of the write operation in an embodiment of the present invention, corresponding to the write operation of steps 101 to 105. Symmetric encryption in itself cannot be innovated upon. The embodiment of the present invention, however, uses a hybrid encryption mode composed of a first encryption algorithm and a second encryption algorithm, where the first encryption algorithm is a symmetric encryption algorithm and the second encryption algorithm is a distributed encryption algorithm. Since symmetric encryption cannot encrypt large data, distributed encryption is used to encrypt the message; to ensure confidentiality, however, symmetric encryption is used to encrypt the key.
(1) The blockchain client receives the message plaintext m and the data owner's access control list ACL sent by the data owner, where the data owner's access control list includes the public keys of the data accessors. The blockchain client may be a client browser that interacts with the data owner through a user interface.
(2) The blockchain client encrypts the message plaintext m with the first encryption algorithm to obtain the message ciphertext C. In the embodiment of the present invention, the first encryption algorithm is a symmetric encryption algorithm, so the blockchain client encrypts the message plaintext m with the key key_sm4 of the first encryption algorithm to obtain the message ciphertext C.
A symmetric encryption algorithm uses the same key (also called a private key) to encrypt and decrypt data. In symmetric encryption the sender and the receiver must share the same key in advance, which means that encryption and decryption use the same key; it is therefore also called "shared key encryption".
The steps of the symmetric encryption algorithm (the national cryptographic standard SM4 may be used) include:
In the symmetric encryption key generation phase, the key key_sm4 required by the symmetric encryption algorithm is determined from the security parameter l;
In the encryption phase, the message plaintext m and the key key_sm4 are taken as input, and m is encrypted with the symmetric encryption algorithm to obtain the message ciphertext C;
In the decryption phase, the message ciphertext C and the key key_sm4 are taken as input, and C is decrypted with the symmetric encryption algorithm to obtain the message plaintext m.
(3) The blockchain client encrypts the key key_sm4 of the first encryption algorithm with the second encryption algorithm to obtain the key ciphertext c;
A distributed encryption algorithm prevents any single node from obtaining the key and thereby becoming a single point of failure. Distributed encryption protects confidential information against disclosure or abuse by a single key holder. It is based on the concept of distributed key generation and sharing: the key is split into several parts that are distributed to multiple participants, so that these participants can cooperate to decrypt only when predetermined conditions are met. The embodiment of the present invention uses a robust label-based distributed encryption scheme. The label lb lets the data owner specify "in what way, when and where" a data accessor may access the data; the label here is the access control list ACL described below. The embodiment of the present invention innovatively combines the distributed encryption algorithm with fine-grained access control. In a traditional distributed encryption scheme, only the label of the message is input in the encryption phase. The embodiment of the present invention modifies the distributed encryption algorithm by replacing its label with a fine-grained access control list for the data, which yields a fine-grained access control method for messages.
In one embodiment, the second encryption algorithm is a distributed encryption algorithm (which may be referred to as TDH2);
The steps of the distributed encryption algorithm include:
In the distributed encryption key generation phase, the blockchain system public key pk, the private key of each node (sk_1, ..., sk_n) and the verification key vk are obtained from the security parameter, the number n of nodes in the blockchain system and the number t of faulty nodes the blockchain system can tolerate;
In the encryption phase, the key key_sm4 of the first encryption algorithm, the data owner's access control list (including the public keys of the data accessors) and the blockchain system public key pk are taken as input, and the encryption algorithm outputs the key ciphertext c for key_sm4;
In the decryption share generation phase, a node takes as input the key ciphertext c, the node's private key sk_i and the data owner's access control list, and outputs that node's distributed decryption share σ_i;
In the decryption share verification phase, the decrypted ciphertext E_pkSM2i(σ_i) is verified based on the decrypted ciphertext E_pkSM2i(σ_i) input by the data accessor, the verification key vk, the data owner's access control list and one decryption share σ_i; a result of 1 means verification succeeded and a result of 0 means verification failed;
In the recovery phase, the message plaintext m or an invalid marker is output based on the verification key vk, the (t) decryption shares σ_i and the data owner's access control list input by the data accessor.
(4) The blockchain client computes the hash value h of the message ciphertext C;
(5) The blockchain client sends the hash value of the message ciphertext, the key ciphertext and the data owner's access control list to the nodes of the blockchain system, and sends the hash value of the message ciphertext, the message ciphertext and the data owner's access control list to the database.
(6) The node uses the second encryption algorithm to generate the distributed decryption share corresponding to the key ciphertext; this is the decryption share generation phase of the distributed encryption algorithm.
(7) The data accessor's access control list includes the data accessor's public key pk_SM2i. The node uses the data owner's access control list pk_SM2i to encrypt the distributed decryption share σ_i and obtain the decrypted ciphertext E_pkSM2i(σ_i). The decrypted ciphertext is sent to the database, which asynchronously waits for a first number of decrypted ciphertexts corresponding to the matching data owner's access control list and then stores them asynchronously;
In a traditional blockchain system, reading information requires fetching it from the chain, which degrades the performance of the whole system. To avoid this, the embodiment of the present invention operates directly on the database, which greatly improves the performance of the blockchain system. The whole read operation builds on the write operation: when writing to the database, the embodiment uses a new process that avoids single points of failure that may exist in the database, and this database write operation is innovatively and closely integrated with the distributed encryption algorithm.
In one embodiment, the database is an SQL database;
When the SQL database stores a record, the primary key is the hash value of the message ciphertext and the value is the message ciphertext;
The first number is the number of faulty nodes the blockchain system can tolerate, plus 1;
The first number of decrypted ciphertexts corresponding to the matching data owner's access control list ACL are those obtained under the access control list of the same data owner.
Here the first number can be written as t+1. For example, with 4 blockchain nodes (1 of which is faulty), the database writes E_pkSM2i(σ_i) only after it has received 2 E_pkSM2i(σ_i) that carry the same ACL.
In summary, every blockchain node generates a decrypted ciphertext. If the decrypted ciphertext were kept only locally on the blockchain, users reading from the blockchain would suffer degraded performance, so each blockchain node sends its decrypted ciphertext to the SQL database. Because a decrypted ciphertext may be lost in transit, the SQL database must wait asynchronously. Asynchronous waiting is essential: network conditions and similar factors may keep the decrypted ciphertexts from arriving at the database at the same time, so the SQL database waits asynchronously for them to arrive. The database not only waits asynchronously, it also waits until t+1 decrypted ciphertexts have arrived before writing them. This avoids a single point of failure, and t+1 is also the number of decrypted ciphertexts needed in the later recovery phase. Only because of this database write operation can a data accessor read t+1 decrypted ciphertexts directly in the read phase.
(8) The hash value of the message ciphertext is shared with all data accessors; a data accessor uses the hash value and the data accessor's access control list to obtain the decrypted ciphertext from the database and then decrypts it to obtain the message plaintext.
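The database-side rule described above (buffer the encrypted shares, store them only once t+1 nodes have delivered shares under the same ACL, then answer reads only for accessors inside that ACL) can be sketched as follows. This is an added example, not code from the patent: the class and method names, the in-memory dictionaries standing in for the SQL database, SHA-256 standing in for SM3, and the sample node IDs, public-key names and share bytes are all assumptions or constructed values.

```python
import hashlib
from collections import defaultdict


def ciphertext_hash(ciphertext: bytes) -> str:
    """Primary key h of a record. SHA-256 is an assumption standing in for SM3."""
    return hashlib.sha256(ciphertext).hexdigest()


class ShareStore:
    """Hypothetical database front end: encrypted shares for a hash h are
    persisted only after t+1 distinct nodes deliver them under the same ACL."""

    def __init__(self, t: int):
        self.quorum = t + 1               # the "first number" in the text
        self.messages = {}                # h -> (C, owner ACL), sent by the client
        self.pending = defaultdict(dict)  # (h, ACL) -> {node_id: encrypted share}
        self.stored = {}                  # h -> (ACL, {node_id: encrypted share})

    def put_message(self, h, ciphertext, owner_acl):
        """Client write: key is the ciphertext hash, value is the ciphertext."""
        self.messages[h] = (ciphertext, frozenset(owner_acl))

    def submit_share(self, h, acl, node_id, enc_share):
        """Node write. Returns True only on the call that completes the quorum."""
        if h in self.stored:
            return False                  # already persisted, late shares ignored
        bucket = self.pending[(h, frozenset(acl))]
        bucket.setdefault(node_id, enc_share)  # a resend never counts twice
        if len(bucket) < self.quorum:
            return False                  # keep waiting; arrival order is arbitrary
        # t+1 matching senders include at least one non-faulty node.
        self.stored[h] = (frozenset(acl), dict(bucket))
        for key in [k for k in self.pending if k[0] == h]:
            del self.pending[key]         # drop buckets built on other ACLs
        return True

    def read(self, h, accessor_acl):
        """Return (C, shares) only if the accessor's ACL lies within the owner's."""
        if h not in self.messages or h not in self.stored:
            return None                   # quorum not reached yet
        ciphertext, owner_acl = self.messages[h]
        acl, shares = self.stored[h]
        requested = frozenset(accessor_acl)
        if acl != owner_acl or not requested or not requested <= owner_acl:
            return None
        return ciphertext, shares


def demo():
    """Constructed run: n = 4 nodes, t = 1 faulty node, so the quorum is 2."""
    store = ShareStore(t=1)
    c = b"constructed SM4 ciphertext"
    h = ciphertext_hash(c)
    acl = {"pk_accessor_A", "pk_regulator"}
    store.put_message(h, c, acl)
    events = [
        store.submit_share(h, {"pk_outsider"}, "node3", b"bogus"),  # wrong ACL
        store.submit_share(h, acl, "node1", b"enc-share-1"),
        store.submit_share(h, acl, "node1", b"enc-share-1"),        # resend
        store.submit_share(h, acl, "node2", b"enc-share-2"),        # quorum
    ]
    return events, store.read(h, {"pk_accessor_A"}), store.read(h, {"pk_outsider"})


if __name__ == "__main__":
    print(demo())
```

Grouping pending shares by the pair (h, ACL) keeps a faulty node that reports a different ACL from ever contributing to the quorum for the owner's ACL.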
FIG. 3 is a flow chart of another method for controlling access to data on a blockchain system in an embodiment of the present invention. The method is applied to a blockchain client and includes:
Step 301: receive the message plaintext and the data owner's access control list input by the data owner;
Step 302: encrypt the message plaintext with a first encryption algorithm to obtain a message ciphertext;
Step 303: encrypt the key of the first encryption algorithm with a second encryption algorithm to obtain a key ciphertext;
Step 304: generate the hash value of the message ciphertext, where the hash value is used by a data accessor to obtain the message plaintext;
Step 305: send the hash value of the message ciphertext, the key ciphertext and the access control list to the blockchain system, where, after a distributed decryption share is obtained from the key ciphertext using a node private key, the node of the blockchain system encrypts the decryption share using the data owner's access control list to obtain a decrypted ciphertext and sends it to the database, and the database asynchronously waits for a first number of decrypted ciphertexts corresponding to the matching data owner's access control list and then stores them asynchronously.
FIG. 3 describes the write operation from the perspective of the blockchain client. In one embodiment, the method further includes:
Using a third encryption algorithm, generate the private key and public key of the data accessor, and send the data accessor's public key to the blockchain system;
Using the third encryption algorithm, encrypt the distributed decryption share using the data owner's access control list to obtain the decrypted ciphertext, where the data accessor's access control list includes the data accessor's public key.
In one embodiment, the third encryption algorithm is a public key encryption algorithm;
The steps of the public key encryption algorithm include:
In the key generation phase of the public key encryption algorithm, the data accessor's private key sk_SM2 and public key pk_SM2 are obtained from the security parameter;
In the encryption phase, the distributed decryption share and the data accessor's public key are taken as input, and the distributed decryption share is encrypted to output the decrypted ciphertext.
In the decryption phase, the decrypted ciphertext and the data accessor's private key are taken as input, and decryption yields the distributed decryption share.
The embodiment of the present invention uses a public key encryption algorithm and innovatively proposes that the blockchain encrypt the decrypted ciphertext with the public key of the data accessor in the access control, which further protects the confidentiality of the decrypted ciphertext.
The process by which a data accessor obtains the message plaintext is the read operation. The steps of the read operation are described next.
FIG. 4 is a schematic diagram of the read operation in an embodiment of the present invention.
(1) The hash value h of the message ciphertext, the message ciphertext C and the data owner's access control list ACL are sent to the database;
(2) A read request sent by a data accessor through the blockchain client is received and forwarded to the database. The read request includes the hash value h of the message ciphertext and the data accessor's access control list ACL. When the database determines by comparison that the data accessor's access control list falls within the scope of the data owner's access control list, it returns the message ciphertext C and the decrypted ciphertext E_pkSM2i(σ_i);
(3) The decrypted ciphertext E_pkSM2i(σ_i) is decrypted to obtain the message plaintext m, which specifically includes:
(3.1) Decrypt the decrypted ciphertext E_pkSM2i(σ_i) with the data accessor's private key sk_SM2 to obtain the distributed decryption share σ_i;
(3.2) Use the second encryption algorithm to verify whether the distributed decryption share σ_i is valid;
(3.3) If so, add the distributed decryption share σ_i to the queue;
(3.4) When the queue holds the first number of valid distributed decryption shares σ_i, use the second encryption algorithm to obtain the key of the first encryption algorithm;
(3.5) Use the key of the first encryption algorithm to decrypt the message ciphertext C and obtain the message plaintext m.
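Steps (3.2) to (3.4) amount to a verify-then-queue loop that releases the symmetric key only once t+1 valid shares are present. The added example below (not code from the patent) shows that loop with Shamir secret sharing standing in for the TDH2 share combination and per-share SHA-256 commitments standing in for verification against vk; the SM2 decryption of step (3.1) and the SM4 decryption of step (3.5) are left out, and all function and class names are hypothetical.

```python
import hashlib
import secrets

P = 2**521 - 1  # Mersenne prime; field of the Shamir stand-in (assumption)


def commit(i: int, y: int) -> str:
    """Public commitment to share i; stands in for checking a share against vk."""
    return hashlib.sha256(f"{i}:{y}".encode()).hexdigest()


def deal(key: bytes, n: int, t: int):
    """Split key into n shares so that any t+1 recover it.
    Returns (shares, vk) with vk[i] the commitment to share i."""
    coeffs = [int.from_bytes(key, "big")] + [secrets.randbelow(P) for _ in range(t)]
    shares = {}
    for i in range(1, n + 1):
        y = 0
        for c in reversed(coeffs):        # Horner evaluation of f(i) mod P
            y = (y * i + c) % P
        shares[i] = y
    return shares, {i: commit(i, y) for i, y in shares.items()}


class ShareQueue:
    """Data accessor side: verify each share, queue it, recover at t+1."""

    def __init__(self, t: int, vk: dict, key_len: int = 16):
        self.need = t + 1
        self.vk = vk
        self.key_len = key_len            # 16 bytes for an SM4 key
        self.valid = {}                   # queue of verified shares, by node index

    def offer(self, i: int, y: int):
        """Returns the key bytes once t+1 valid shares are queued, else None."""
        if self.vk.get(i) != commit(i, y):
            return None                   # step 3.2 failed: share never queued
        self.valid[i] = y                 # step 3.3 (a repeat overwrites itself)
        if len(self.valid) < self.need:
            return None
        return self._recover()            # step 3.4

    def _recover(self) -> bytes:
        pts = list(self.valid.items())[: self.need]
        secret = 0
        for i, y in pts:                  # Lagrange interpolation at x = 0
            num = den = 1
            for j, _ in pts:
                if j != i:
                    num = num * (-j) % P
                    den = den * (i - j) % P
            secret = (secret + y * num * pow(den, -1, P)) % P
        return secret.to_bytes(self.key_len, "big")


if __name__ == "__main__":
    key = secrets.token_bytes(16)         # constructed SM4-sized key
    shares, vk = deal(key, n=4, t=1)
    q = ShareQueue(t=1, vk=vk)
    q.offer(3, (shares[3] + 1) % P)       # tampered share from a faulty node
    q.offer(1, shares[1])
    print(q.offer(4, shares[4]) == key)
```

A share that fails verification never enters the queue, so one faulty node among four cannot stop or corrupt recovery as long as two honest shares arrive.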
Referring to FIG. 5, an embodiment of the present invention further provides a device for controlling access to data on a blockchain system, applied to any node of the blockchain system and including:
A first receiving module 501, configured to receive the hash value of a message ciphertext, a key ciphertext and the data owner's access control list sent by a blockchain client, where the message ciphertext is obtained by the blockchain client encrypting the message plaintext with a first encryption algorithm, the key ciphertext is obtained by the blockchain client encrypting the key of the first encryption algorithm with a second encryption algorithm, and the message plaintext and the data owner's access control list are sent to the blockchain client by the data owner;
A distributed decryption share generation module 502, configured to use the second encryption algorithm to generate the distributed decryption share corresponding to the key ciphertext;
A decrypted ciphertext obtaining module 503, configured to encrypt the distributed decryption share using the data owner's access control list to obtain a decrypted ciphertext;
A sending module 504, configured to send the decrypted ciphertext to a database, where the database asynchronously waits for a first number of decrypted ciphertexts corresponding to the matching data owner's access control list and then stores them asynchronously;
A hash value sharing module 505, configured to share the hash value of the message ciphertext with all data accessors; a data accessor uses the hash value and the data accessor's access control list to obtain the decrypted ciphertext from the database and then decrypts it to obtain the message plaintext.
Referring to FIG. 6, an embodiment of the present invention further provides another device for controlling access to data on a blockchain system, applied to a blockchain client and including:
A second receiving module 601, configured to receive the message plaintext and the data owner's access control list input by the data owner;
A first encryption module 602, configured to encrypt the message plaintext with a first encryption algorithm to obtain a message ciphertext;
A second encryption module 603, configured to encrypt the key of the first encryption algorithm with a second encryption algorithm to obtain a key ciphertext;
A hash value generation module 604, configured to generate the hash value of the message ciphertext, where the hash value is used by a data accessor to obtain the message plaintext;
A second sending module 605, configured to send the hash value of the message ciphertext, the key ciphertext and the access control list to the blockchain system, where, after a distributed decryption share is obtained from the key ciphertext using a node private key, the node of the blockchain system encrypts the decryption share using the data owner's access control list to obtain a decrypted ciphertext and sends it to the database, and the database asynchronously waits for a first number of decrypted ciphertexts corresponding to the matching data owner's access control list and then stores them asynchronously.
参见图7,本发明实施例还提出一种区块链系统上数据的访问控制系统,包括区块链系统702、区块链客户端701和数据库703,其中,Referring to FIG. 7 , an embodiment of the present invention further proposes an access control system for data on a blockchain system, including a blockchain system 702 , a blockchain client 701 , and a database 703 , wherein:
区块链客户端,用于:接收数据所有者输入的消息明文和访问控制列表;采用第一加密算法对消息明文进行加密获得消息密文,采用第二加密算法对第一加密算法的密钥进行加密获得密钥密文,生成消息密文的哈希值;将消息密文的哈希值、密钥密文和访问控制列表发送至区块链系统;The blockchain client is used to: receive a message plaintext and an access control list input by a data owner; encrypt the message plaintext using a first encryption algorithm to obtain a message ciphertext, encrypt the key of the first encryption algorithm using a second encryption algorithm to obtain a key ciphertext, and generate a hash value of the message ciphertext; send the hash value of the message ciphertext, the key ciphertext and the access control list to the blockchain system;
区块链系统上的节点,用于:接收区块链客户端发送的消息密文的哈希值、密钥密文和数据所有者的访问控制列表;采用第二加密算法,生成密钥密文对应的分布式解密份额,使用数据所有者的访问控制列表对分布式解密份额进行加密得到解密密文;将解密密文发送至数据库;将消息密文的哈希值共享给所有数据访问者,所述数据访问者通过所述哈希值和数据访问者的访问控制列表从数据库中获得解密密文后,解密得到消息明文;The node on the blockchain system is used to: receive the hash value of the message ciphertext sent by the blockchain client, the key ciphertext and the access control list of the data owner; use the second encryption algorithm to generate the distributed decryption share corresponding to the key ciphertext, and use the access control list of the data owner to encrypt the distributed decryption share to obtain the decrypted ciphertext; send the decrypted ciphertext to the database; share the hash value of the message ciphertext with all data accessors, and the data accessors obtain the decrypted ciphertext from the database through the hash value and the access control list of the data accessors, and then decrypt to obtain the message plaintext;
数据库,用于:异步等待第一数量的匹配访问控制列表对应的解密密文后,进行异步存储。The database is used to asynchronously store the decrypted ciphertexts corresponding to the first number of matching access control lists after asynchronously waiting.
本发明实施例提出的方法及系统可用于个人数字健康档案系统,涵盖医疗数据采集安全,医疗数据传输安全,医疗数据存储安全,医疗数据交换安全,医疗数据处理安全,医疗数据销毁安全的医疗数据全生命周期安全体系标准,该个人数字健康档案系统基于个人电子健康码作为居民健康身份的唯一标识,动态感知居民就医行为,记录医疗服务轨迹,精准汇聚诊疗服务信息,结合居民日常健康监测数据的输入上传,形成规范、可信、权威的、居民可自主管理的全生命周期个人数字健康档案。The method and system proposed in the embodiments of the present invention can be used for a personal digital health record system, covering the medical data full life cycle security system standards for medical data collection security, medical data transmission security, medical data storage security, medical data exchange security, medical data processing security, and medical data destruction security. The personal digital health record system is based on the personal electronic health code as the unique identifier of the resident's health identity, dynamically perceives the resident's medical behavior, records the medical service trajectory, accurately aggregates diagnosis and treatment service information, and combines the input and upload of residents' daily health monitoring data to form a standardized, credible, authoritative, and resident-manageable full-life cycle personal digital health record.
本发明实施例提出的方法及系统可用于公共服务领域的数据记录系统,通过建立去中心化的、透明的、不可篡改的数据记录系统来提升公共服务的效率和透明度,提高公共服务部门之间、公共服务部门与公民之间的数据共享与安全性,以及简化行政程序和公共服务的提供。通过将关键信息和交易记录存储在区块链上,公共服务部门能够实现更高水平的数据可追溯性和合规性,加强监管与治理能力,从而为公众提供更加公正、高效和可信的服务。The method and system proposed in the embodiment of the present invention can be used for data recording systems in the field of public services, and can improve the efficiency and transparency of public services by establishing a decentralized, transparent, and tamper-proof data recording system, improve data sharing and security between public service departments and between public service departments and citizens, and simplify administrative procedures and the provision of public services. By storing key information and transaction records on the blockchain, public service departments can achieve a higher level of data traceability and compliance, strengthen supervision and governance capabilities, and thus provide the public with more fair, efficient, and reliable services.
The beneficial effects of the method and system proposed in the embodiments of the present invention are as follows:
Compared with traditional blockchain systems, which perform poorly, the method and system proposed in the embodiments of the present invention do not rely on open-source software or existing blockchain platforms and can be updated and iterated quickly. Through the database, a large amount of core data can be stored on-chain with support for on-chain computation, which breaks down the barriers of data silos, genuinely achieves collaborative sharing and efficient use of data resources, ensures the liveness of the system, reduces the difficulty and burden of data maintenance, lowers the cost of system storage and invocation, and improves the security and reliability of the system. Through the data owner's access control list, access control is fine-grained and precisely controllable: it can be determined which data is read or used, at what time, and by whom, and access control permissions can be dynamically determined and modified. The whole process has no single point of failure and requires no trusted third party, and the reliability, liveness, and integrity of the blockchain system are guaranteed. In the fine-grained access control of this scheme, the attributes of the regulator can be added in addition to the attributes of the data accessor. This ensures the legitimacy of the data and allows the regulator to trace information.
An embodiment of the present invention further provides a computer device. FIG. 8 is a schematic diagram of the computer device in an embodiment of the present invention. The computer device 800 includes a memory 810, a processor 820, and a computer program 830 stored in the memory 810 and executable on the processor 820. When the processor 820 executes the computer program 830, the above method for access control of data on a blockchain system is implemented.
An embodiment of the present invention further provides a computer-readable storage medium that stores a computer program. When the computer program is executed by a processor, the above method for access control of data on a blockchain system is implemented.
An embodiment of the present invention further provides a computer program product that includes a computer program. When the computer program is executed by a processor, the above method for access control of data on a blockchain system is implemented.
Those skilled in the art will appreciate that embodiments of the present invention may be provided as a method, a system, or a computer program product. Accordingly, the present invention may take the form of an entirely hardware embodiment, an entirely software embodiment, or an embodiment combining software and hardware aspects. Furthermore, the present invention may take the form of a computer program product implemented on one or more computer-usable storage media (including but not limited to disk storage, CD-ROM, optical storage, etc.) containing computer-usable program code.
The present invention is described with reference to flowcharts and/or block diagrams of the method, device (system), and computer program product according to embodiments of the present invention. It should be understood that each process and/or block in the flowcharts and/or block diagrams, and any combination of processes and/or blocks in the flowcharts and/or block diagrams, can be implemented by computer program instructions. These computer program instructions can be provided to a processor of a general-purpose computer, a special-purpose computer, an embedded processor, or another programmable data processing device to produce a machine, such that the instructions executed by the processor of the computer or other programmable data processing device produce means for implementing the functions specified in one or more processes of the flowchart and/or one or more blocks of the block diagram.
These computer program instructions may also be stored in a computer-readable memory that can direct a computer or other programmable data processing device to operate in a specific manner, such that the instructions stored in the computer-readable memory produce an article of manufacture including instruction means that implement the functions specified in one or more processes of the flowchart and/or one or more blocks of the block diagram.
These computer program instructions may also be loaded onto a computer or other programmable data processing device, such that a series of operational steps is executed on the computer or other programmable device to produce a computer-implemented process, whereby the instructions executed on the computer or other programmable device provide steps for implementing the functions specified in one or more processes of the flowchart and/or one or more blocks of the block diagram.
The specific embodiments described above further explain the objectives, technical solutions, and beneficial effects of the present invention in detail. It should be understood that the above are only specific embodiments of the present invention and are not intended to limit its scope of protection. Any modification, equivalent substitution, improvement, etc. made within the spirit and principles of the present invention shall fall within the scope of protection of the present invention.
Claims (16)
Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202410622278.6A CN118214614B (en) | 2024-05-20 | 2024-05-20 | Method, device and system for access control of data on blockchain system |
Publications (2)
| Publication Number | Publication Date |
|---|---|
| CN118214614A (en) | 2024-06-18 |
| CN118214614B (en) | 2024-07-30 |
Family
ID=91448923
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CN202410622278.6A Active CN118214614B (en) | 2024-05-20 | 2024-05-20 | Method, device and system for access control of data on blockchain system |
Country Status (1)
| Country | Link |
|---|---|
| CN (1) | CN118214614B (en) |
Families Citing this family (1)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN118646608B (en) * | 2024-08-15 | 2024-11-19 | 中科国信南京科技有限公司 | A public service terminal data encryption system and method based on the Internet of Things |
Citations (2)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN109120639A (en) * | 2018-09-26 | 2019-01-01 | 众安信息技术服务有限公司 | A kind of data cloud storage encryption method and system based on block chain |
| CN112836229A (en) * | 2021-02-10 | 2021-05-25 | 北京深安信息科技有限公司 | A trusted data access control scheme combining attribute-based encryption and blockchain |
Family Cites Families (6)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| US10084600B1 (en) * | 2018-04-16 | 2018-09-25 | Xage Security, Inc. | Decentralized information protection for confidentiality and tamper-proofing on distributed database |
| CN111371561B (en) * | 2020-02-27 | 2023-07-11 | 华信咨询设计研究院有限公司 | Alliance block chain data access control method based on CP-ABE algorithm |
| CN113098697B (en) * | 2021-06-08 | 2022-03-18 | 清华大学 | Block chain data writing and accessing method and device |
| CN113783836B (en) * | 2021-08-02 | 2023-06-20 | 南京邮电大学 | IoT data access control method and system based on block chain and IBE algorithm |
| CN114679271A (en) * | 2022-05-25 | 2022-06-28 | 南京理工大学 | Blockchain privacy data access control method and system |
| CN118013573A (en) * | 2024-01-30 | 2024-05-10 | 安徽师范大学 | Block chain-based health data multilayer secure sharing method and system |
Also Published As
| Publication number | Publication date |
|---|---|
| CN118214614A (en) | 2024-06-18 |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| | PB01 | Publication | |
| | SE01 | Entry into force of request for substantive examination | |
| | GR01 | Patent grant | |
| | REG | Reference to a national code | Ref country code: HK; Ref legal event code: DE; Ref document number: 40105751; Country of ref document: HK |