HK40004251B

HK40004251B - Service data access method, apparatus and system, and electronic device

Info

Publication number: HK40004251B
Application number: HK19127722.7A
Authority: HK
Inventors: 邱鹏
Original assignee: 创新先进技术有限公司
Filing date: 2019-08-05
Publication date: 2021-12-03

Description

Method, device, electronic device and system for accessing business data

技术领域Technical Field

本申请涉及区块链技术领域，更具体地涉及业务数据的访问方法、装置、电子设备和系统。The present application relates to the field of blockchain technology, and more specifically to methods, devices, electronic devices, and systems for accessing business data.

背景技术Background Art

目前区块链技术除了数字货币领域外，也渗透到了众多行业领域中，例如商保健康链项目中，医院将病人的就诊病例加密后上传到区块链上，保险公司通过下载解密分析区块链上存储的病人就诊病例，实现快速保险赔付。At present, in addition to the field of digital currency, blockchain technology has also penetrated into many industries and fields. For example, in the commercial health insurance chain project, the hospital encrypts the patient's medical records and uploads them to the blockchain. The insurance company downloads, decrypts and analyzes the patient's medical records stored on the blockchain to achieve rapid insurance compensation.

由上述例子可见目前的区块链技术，通过加密技术保证病人就诊病例对第三方不可见，一定程度上保证了数据的隐私性，但是随着用户对隐私保护越来越重视，仅保证数据对第三方不可见，已不能满足用户对数据隐私性的要求。From the above examples, we can see that the current blockchain technology, through encryption technology, ensures that patient medical records are invisible to third parties, which to a certain extent guarantees the privacy of data. However, as users pay more and more attention to privacy protection, simply ensuring that data is invisible to third parties can no longer meet users' requirements for data privacy.

因此，需要一种业务数据的访问方法，来克服上述技术问题。Therefore, a method for accessing business data is needed to overcome the above technical problems.

发明内容Summary of the Invention

本申请的目的之一在于提供一种业务数据的访问方法、装置、电子设备和系统，能够最大程度的满足用户对数据隐私性的要求。One of the purposes of this application is to provide a method, device, electronic device and system for accessing business data that can meet the user's requirements for data privacy to the greatest extent.

为解决上述技术问题，本申请实施例是这样实现的：To solve the above technical problems, the embodiments of the present application are implemented as follows:

第一方面，提供了一种业务数据的访问方法，包括：In a first aspect, a method for accessing business data is provided, comprising:

第一服务节点接收业务发起方的访问请求，所述访问请求用于请求访问区块链上的目标业务数据，所述访问请求中包括身份标识，所述身份标识用于标识所述目标业务数据的归属人，基于所述目标业务上链的目标加密业务数据与所述身份标识以及业务标识关联，所述业务标识用于标识与所述访问请求相对应的访问业务；The first service node receives an access request from a service initiator, the access request being used to request access to target service data on the blockchain. The access request includes an identity identifier, which is used to identify the owner of the target service data. Target encrypted service data on the blockchain based on the target service is associated with the identity identifier and the service identifier, which is used to identify the access service corresponding to the access request.

所述第一服务节点向授权认证服务器发送所述访问请求；The first service node sends the access request to the authorization and authentication server;

所述授权认证服务器基于所述身份标识，对所述归属人进行授权认证；The authorization authentication server performs authorization authentication on the owner based on the identity identifier;

所述授权认证服务器基于授权认证的结果，对所述访问请求进行响应。The authorization authentication server responds to the access request based on the result of the authorization authentication.

第二方面，提供了一种业务数据的访问方法，包括：In a second aspect, a method for accessing business data is provided, including:

所述第一服务节点向授权认证服务器发送所述访问请求，所述授权认证服务器用于基于所述身份标识，对所述归属人进行授权认证，并基于授权认证的结果，对所述访问请求进行响应。The first service node sends the access request to an authorization and authentication server, and the authorization and authentication server is configured to perform authorization and authentication on the owner based on the identity identifier, and respond to the access request based on a result of the authorization and authentication.

第三方面，提供了一种业务数据的访问方法，包括：A third aspect provides a method for accessing business data, including:

授权认证服务器接收第一服务节点发送的访问请求，所述访问请求由业务发起方发送给所述第一服务节点，所述访问请求用于请求访问区块链上的目标业务数据，所述访问请求中包括身份标识，所述身份标识用于标识所述目标业务数据的归属人，基于所述目标业务数据上链的目标加密业务数据与所述身份标识以及业务标识关联，所述业务标识用于标识与所述访问请求相对应的访问业务；The authorization and authentication server receives an access request sent by the first service node. The access request is sent by the service initiator to the first service node. The access request is used to request access to target service data on the blockchain. The access request includes an identity identifier, which is used to identify the owner of the target service data. The target encrypted service data on the blockchain based on the target service data is associated with the identity identifier and the service identifier, and the service identifier is used to identify the access service corresponding to the access request.

第四方面，提供了一种业务数据的访问系统，包括：In a fourth aspect, a business data access system is provided, comprising:

第一服务节点，接收业务发起方的访问请求，所述访问请求用于请求访问区块链上的目标业务数据，所述访问请求中包括身份标识，所述身份标识用于标识所述目标业务数据的归属人，基于所述目标业务上链的目标加密业务数据与所述身份标识以及业务标识关联，所述业务标识用于标识与所述访问请求相对应的访问业务；A first service node receives an access request from a service initiator, the access request being used to request access to target service data on a blockchain, the access request including an identity identifier, the identity identifier being used to identify the owner of the target service data, and the target encrypted service data on the blockchain based on the target service being associated with the identity identifier and the service identifier, the service identifier being used to identify the access service corresponding to the access request;

所述第一服务节点，向授权认证服务器发送所述访问请求；The first service node sends the access request to the authorization and authentication server;

授权认证服务器，基于所述身份标识，对所述归属人进行授权认证；The authorization authentication server performs authorization authentication on the owner based on the identity identifier;

所述授权认证服务器，基于授权认证的结果，对所述访问请求进行响应。The authorization authentication server responds to the access request based on the result of the authorization authentication.

第五方面，提供了一种业务数据的访问装置，包括：In a fifth aspect, a device for accessing business data is provided, comprising:

接收单元，接收业务发起方的访问请求，所述访问请求用于请求访问区块链上的目标业务数据，所述访问请求中包括身份标识，所述身份标识用于标识所述目标业务数据的归属人，基于所述目标业务上链的目标加密业务数据与所述身份标识以及业务标识关联，所述业务标识用于标识与所述访问请求相对应的访问业务；A receiving unit receives an access request from a service initiator, the access request being used to request access to target service data on a blockchain, the access request including an identity identifier, the identity identifier being used to identify a person to whom the target service data belongs, and the target encrypted service data on the blockchain based on the target service being associated with the identity identifier and the service identifier, the service identifier being used to identify the access service corresponding to the access request;

发送单元，向授权认证服务器发送所述访问请求，所述授权认证服务器用于基于所述身份标识，对所述归属人进行授权认证，并基于授权认证的结果，对所述访问请求进行响应。The sending unit sends the access request to the authorization and authentication server, and the authorization and authentication server is used to perform authorization and authentication on the owner based on the identity identifier, and respond to the access request based on the result of the authorization and authentication.

第六方面，提供了一种授权认证装置，包括：In a sixth aspect, an authorization and authentication device is provided, comprising:

收发单元，接收第一服务节点发送的访问请求，所述访问请求由业务发起方发送给所述第一服务节点，所述访问请求用于请求访问区块链上的目标业务数据，所述访问请求中包括身份标识，所述身份标识用于标识所述目标业务数据的归属人，基于所述目标业务数据上链的目标加密业务数据与所述身份标识以及业务标识关联，所述业务标识用于标识与所述访问请求相对应的访问业务；A transceiver unit receives an access request sent by a first service node, the access request being sent by a service initiator to the first service node, the access request being used to request access to target service data on a blockchain, the access request including an identity identifier, the identity identifier being used to identify a person to whom the target service data belongs, target encrypted service data on the blockchain based on the target service data being associated with the identity identifier and the service identifier, the service identifier being used to identify the access service corresponding to the access request;

处理单元，基于所述身份标识，对所述归属人进行授权认证；A processing unit, performing authorization authentication on the owner based on the identity identifier;

所述处理单元，基于授权认证的结果，对所述访问请求进行响应。The processing unit responds to the access request based on the result of the authorization authentication.

第七方面，提供了一种电子设备，包括：According to a seventh aspect, an electronic device is provided, including:

处理器；以及processor; and

被安排成存储计算机可执行指令的存储器，所述可执行指令在被执行时使用所述处理器执行以下操作：a memory arranged to store computer-executable instructions which, when executed, cause the processor to:

接收业务发起方的访问请求，所述访问请求用于请求访问区块链上的目标业务数据，所述访问请求中包括身份标识，所述身份标识用于标识所述目标业务数据的归属人，基于所述目标业务上链的目标加密业务数据与所述身份标识以及业务标识关联，所述业务标识用于标识与所述访问请求相对应的访问业务；Receive an access request from a service initiator, the access request being used to request access to target service data on the blockchain, the access request including an identity identifier, the identity identifier being used to identify the owner of the target service data, and the target encrypted service data on the blockchain based on the target service being associated with the identity identifier and the service identifier, the service identifier being used to identify the access service corresponding to the access request;

向授权认证服务器发送所述访问请求，所述授权认证服务器用于基于所述身份标识，对所述归属人进行授权认证，并基于授权认证的结果，对所述访问请求进行响应。The access request is sent to an authorization and authentication server, which is used to perform authorization and authentication on the owner based on the identity identifier and respond to the access request based on the result of the authorization and authentication.

第八方面，提供了一种电子设备，包括：According to an eighth aspect, an electronic device is provided, including:

处理器；以及processor; and

接收第一服务节点发送的访问请求，所述访问请求由业务发起方发送给所述第一服务节点，所述访问请求用于请求访问区块链上的目标业务数据，所述访问请求中包括身份标识，所述身份标识用于标识所述目标业务数据的归属人，基于所述目标业务数据上链的目标加密业务数据与所述身份标识以及业务标识关联，所述业务标识用于标识与所述访问请求相对应的访问业务；Receiving an access request sent by a first service node, the access request being sent by a service initiator to the first service node, the access request being used to request access to target service data on the blockchain, the access request including an identity identifier, the identity identifier being used to identify the owner of the target service data, target encrypted service data on the blockchain based on the target service data being associated with the identity identifier and the service identifier, the service identifier being used to identify the access service corresponding to the access request;

基于所述身份标识，对所述归属人进行授权认证；Based on the identity identifier, authorization and authentication are performed on the owner;

基于授权认证的结果，对所述访问请求进行响应。Based on the result of the authorization authentication, respond to the access request.

第九方面，提供了一种计算机可读介质，所述计算机可读介质存储一个或多个程序，所述一个或多个程序当被包括多个应用程序的电子设备执行时，使得电子设备执行以下操作：In a ninth aspect, a computer-readable medium is provided, wherein the computer-readable medium stores one or more programs, and when the one or more programs are executed by an electronic device including a plurality of application programs, the electronic device performs the following operations:

第十方面，提供了一种计算机可读介质，所述计算机可读介质存储一个或多个程序，所述一个或多个程序当被包括多个应用程序的电子设备执行时，使得电子设备执行以下操作：In a tenth aspect, a computer-readable medium is provided, wherein the computer-readable medium stores one or more programs, and when the one or more programs are executed by an electronic device including a plurality of application programs, the electronic device performs the following operations:

由以上本申请的技术方案可见，本申请实施例在业务发送方向区块链上的第一服务节点请求访问区块链上的目标业务数据时，第一服务节点将访问请求转发给授权认证服务器，使得授权认证服务器对目标业务数据的归属人进行授权认证，并基于授权认证的结果，对访问请求进行响应，由于授权认证的结果能够反映目标业务数据的归属人是否有意愿对目标业务数据进行分享，因此在现有区块链技术的基础上，基于授权认证的结果对访问请求进行响应能够最大程度的满足用户对数据隐私性的要求。It can be seen from the above technical solution of the present application that in the embodiment of the present application, when the business sending direction requests the first service node on the blockchain to access the target business data on the blockchain, the first service node forwards the access request to the authorization authentication server, so that the authorization authentication server performs authorization authentication on the owner of the target business data, and responds to the access request based on the result of the authorization authentication. Since the result of the authorization authentication can reflect whether the owner of the target business data is willing to share the target business data, based on the existing blockchain technology, responding to the access request based on the result of the authorization authentication can meet the user's requirements for data privacy to the greatest extent.

附图说明BRIEF DESCRIPTION OF THE DRAWINGS

为了更清楚地说明本申请实施例或现有技术中的技术方案，下面将对实施例或现有技术描述中所需要使用的附图作简单地介绍，显而易见地，下面描述中的附图仅仅是本申请中记载的一些实施例，对于本领域普通技术人员来讲，在不付出创造性劳动性的前提下，还可以根据这些附图获得其他的附图。In order to more clearly illustrate the embodiments of the present application or the technical solutions in the prior art, the following briefly introduces the drawings required for use in the embodiments or the description of the prior art. Obviously, the drawings described below are only some embodiments recorded in this application. For ordinary technicians in this field, other drawings can be obtained based on these drawings without paying any creative labor.

图1是根据本申请的一个实施例的业务数据的访问方法的示意性流程图。FIG1 is a schematic flowchart of a method for accessing business data according to an embodiment of the present application.

图2是根据本申请的一个实施例的业务数据的访问方法的另一示意性流程图。FIG2 is another schematic flowchart of a method for accessing business data according to an embodiment of the present application.

图3是根据本申请的另一个实施例的业务数据的访问方法的示意性流程图。FIG3 is a schematic flowchart of a method for accessing business data according to another embodiment of the present application.

图4是根据本申请的再一个实施例的业务数据的访问方法的示意性流程图。FIG4 is a schematic flowchart of a method for accessing business data according to yet another embodiment of the present application.

图5是根据本申请的一个实施例的业务数据访问的系统。FIG5 is a system for accessing business data according to an embodiment of the present application.

图6是根据本申请的一个实施例的数据结构的示意图。FIG6 is a schematic diagram of a data structure according to an embodiment of the present application.

图7是根据本申请的另一个实施例的业务数据的访问系统。FIG7 is a system for accessing business data according to another embodiment of the present application.

图8是根据本申请的一个实施例的电子设备的结构示意图。FIG8 is a schematic structural diagram of an electronic device according to an embodiment of the present application.

图9是根据本申请的另一个实施例的电子设备的结构示意图。FIG9 is a schematic structural diagram of an electronic device according to another embodiment of the present application.

图10是根据本申请的一个实施例的业务数据的访问装置的结构示意图。FIG10 is a schematic structural diagram of a device for accessing business data according to an embodiment of the present application.

图11是根据本申请的一个实施例的授权认证装置的结构示意图。FIG11 is a schematic structural diagram of an authorization and authentication device according to an embodiment of the present application.

具体实施方式DETAILED DESCRIPTION

为了使本技术领域的人员更好地理解本申请中的技术方案，下面将结合本申请实施例中的附图，对本申请实施例中的技术方案进行清楚、完整地描述，显然，所描述的实施例仅仅是本申请一部分实施例，而不是全部的实施例。基于本申请中的实施例，本领域普通技术人员在没有作出创造性劳动前提下所获得的所有其他实施例，都应当属于本申请保护的范围。In order to enable those skilled in the art to better understand the technical solutions in this application, the technical solutions in the embodiments of this application will be clearly and completely described below in conjunction with the drawings in the embodiments of this application. Obviously, the described embodiments are only part of the embodiments of this application, not all of the embodiments. Based on the embodiments in this application, all other embodiments obtained by ordinary technicians in this field without making creative efforts should fall within the scope of protection of this application.

图1示出了本申请一个实施例的业务数据的访问方法。图1的方法可以由业务数据的访问系统执行。如图1所示出的，方法包括：FIG1 shows a method for accessing business data according to an embodiment of the present application. The method of FIG1 can be executed by a business data access system. As shown in FIG1 , the method includes:

S102，第一服务节点接收业务发起方的访问请求，所述访问请求用于请求访问区块链上的目标业务数据，所述访问请求中包括身份标识，所述身份标识用于标识所述目标业务数据的归属人，基于所述目标业务上链的目标加密业务数据与所述身份标识以及业务标识关联，所述业务标识用于标识与所述访问请求相对应的访问业务。S102, the first service node receives an access request from a business initiator, wherein the access request is used to request access to target business data on the blockchain, and the access request includes an identity identifier, which is used to identify the owner of the target business data. The target encrypted business data on the chain based on the target business is associated with the identity identifier and the business identifier, and the business identifier is used to identify the access business corresponding to the access request.

在S102中，业务发起方具体可以是申请访问目标业务数据的群体使用的终端设备。例如，业务发起方可以是保险业务员等办理具体业务的群体使用的终端设备。终端设备包括PC段和移动终端，移动终端或者叫移动通信终端是指可以在移动中使用的计算机设备，广义的讲包括手机、笔记本、平板电脑、POS机甚至包括车载电脑。但大部分情况下移动终端指手机或者具有多种应用功能的智能手机以及平板电脑。In S102, the service initiator can specifically be a terminal device used by a group requesting access to the target service data. For example, the service initiator can be a terminal device used by a group such as insurance agents handling specific services. Terminal devices include PCs and mobile terminals. Mobile terminals, or mobile communication terminals, refer to computer devices that can be used on the move. Broadly speaking, they include mobile phones, laptops, tablets, POS terminals, and even in-vehicle computers. However, in most cases, mobile terminals refer to mobile phones, smartphones with multiple application functions, and tablets.

在S102中，身份标识可以是目标业务数据的归属人的身份证号等能唯一标识该归属人的信息。In S102 , the identity identifier may be information that can uniquely identify the owner, such as the ID number of the owner of the target business data.

S104，所述第一服务节点向授权认证服务器发送所述访问请求。S104: The first service node sends the access request to an authorization and authentication server.

可选地，在一些实施例中，在S104中，第一服务节点向授权认证服务器发送目标加密业务数据，所述目标加密业务数据由所述目标业务数据通过所述第一服务节点对应的第一加密密钥和所述归属人对应的第二加密密钥进行加密得到。Optionally, in some embodiments, in S104, the first service node sends target encrypted business data to the authorization authentication server, where the target encrypted business data is obtained by encrypting the target business data using a first encryption key corresponding to the first service node and a second encryption key corresponding to the owner.

例如，第一服务节点可以将访问请求和目标加密业务数据一起发给授权认证服务器。For example, the first service node may send the access request and the target encrypted service data together to the authorization and authentication server.

进一步地，访问请求中还可以包括业务发起方的标识、数字签名、以及目标业务数据的存储地址等信息。第一服务节点可以根据业务发起方的标识和数字签名确认业务发起方是合法时，向授权认证服务器发送所述访问请求。Furthermore, the access request may also include the service initiator's identification, digital signature, and storage address of target service data. When the first service node confirms that the service initiator is legitimate based on the service initiator's identification and digital signature, it sends the access request to the authorization authentication server.

S106，所述授权认证服务器基于所述身份标识，对所述归属人进行授权认证。S106: The authorization authentication server performs authorization authentication on the owner based on the identity identifier.

可选地，在一些实施例中，授权认证服务器基于身份标识，对归属人进行授权认证的具体实现方式可以是授权认证服务器通过移动终端对该归属人进行授权认证。这里的授权认证也可以理解为身份认证。Optionally, in some embodiments, the authorization authentication server may authenticate the owner based on the identity identifier by performing authorization authentication on the owner through a mobile terminal. The authorization authentication here may also be understood as identity authentication.

例如，授权认证服务器向移动终端发送授权认证请求，所述授权认证请求中包括身份标识，以使移动终端基于身份标识，对归属人进行授权认证；授权认证服务器接收移动终端的身份认证响应，身份认证响应中包括认证记录数据。For example, the authorization authentication server sends an authorization authentication request to the mobile terminal, which includes an identity identifier, so that the mobile terminal can perform authorization authentication on the owner based on the identity identifier; the authorization authentication server receives an identity authentication response from the mobile terminal, which includes authentication record data.

可以理解的是，移动终端接收到授权认证请求时，通过解析授权认证请求即可以知道需要对哪一用户进行授权认证，并采用可用的授权认证手段对该用户进行授权认证。这里的授权认证手段可以包括密码认证、指纹认证等常规认证手段，本申请实施例对此不作限定。It is understood that when the mobile terminal receives the authorization and authentication request, it can determine which user needs to be authorized and authenticated by parsing the authorization and authentication request, and use available authorization and authentication means to authenticate the user. The authorization and authentication means here may include conventional authentication means such as password authentication and fingerprint authentication, which are not limited in the embodiments of the present application.

进一步地，授权认证请求中还包括授权认证方式指示信息，授权认证方式指示信息用于指示移动终端进行授权认证采用的认证方式。移动终端接收到授权认证请求后，采用授权认证方式指示信息指示的认证方式对目标业务数据的归属人进行授权认证。Furthermore, the authorization authentication request also includes authorization authentication mode indication information, which is used to indicate the authentication mode to be used by the mobile terminal for authorization authentication. After receiving the authorization authentication request, the mobile terminal uses the authentication mode indicated by the authorization authentication mode indication information to perform authorization authentication on the owner of the target service data.

上述的授权认证记录数据包括授权认证时间、移动终端的标识、身份标识、授权认证结果以及授权认证过程采集到的待验证信息中的至少一个。这里授权认证过程采集到的待验证信息例如可以是指纹验证过程中采集到的指纹图像。The authorization authentication record data includes at least one of the authorization authentication time, mobile terminal identification, identity identification, authorization authentication result, and information to be verified collected during the authorization authentication process. The information to be verified collected during the authorization authentication process may be, for example, a fingerprint image collected during fingerprint authentication.

可选地，在一些实施例中，第一服务节点向授权认证服务器发送访问请求包括：第一服务节点向授权认证服务器发送访问请求和业务标识。图1所示的方法还包括：授权认证服务器建立授权认证的认证记录数据、所述身份标识和所述业务标识之间的关联关系；所述授权认证服务器确定所述认证记录数据的哈希值，建立所述哈希值与所述身份标识和所述业务标识之间的关联关系，并将所述哈希值发送给第一服务节点，第一服务节点将哈希值同步到区块链中的节点上，实现所述哈希值的上链。Optionally, in some embodiments, the first service node sending an access request to the authorization authentication server includes: the first service node sending the access request and the service identifier to the authorization authentication server. The method shown in FIG1 further includes: the authorization authentication server establishing an association relationship between authentication record data for authorization authentication, the identity identifier, and the service identifier; the authorization authentication server determining a hash value of the authentication record data, establishing an association relationship between the hash value, the identity identifier, and the service identifier, and sending the hash value to the first service node; the first service node synchronizing the hash value to a node in the blockchain, thereby uploading the hash value to the blockchain.

由于第一服务节点建立并存储了认证记录数据、身份标识和业务标识之间的关联关系，且区块链上的哈希值与身份标识和业务标识之间具有关联关系，因此能够保证授权认证结果的可追溯和防篡改。并且认证记录数据的哈希值上链使得区块链上留存目标业务数据的归属人的分享意愿，便于审计和监管。Because the first service node establishes and stores the association between the authentication record data, identity identifier, and business identifier, and the hash value on the blockchain is associated with the identity identifier and business identifier, the authorization and authentication results can be traced and tamper-proof. Furthermore, the hash value of the authentication record data is uploaded to the blockchain, preserving the sharing intentions of the owner of the target business data, facilitating auditing and supervision.

进一步地，授权认证服务器将哈希值发送给第一服务节点可以是：授权认证服务器将哈希值、归属人的电子凭证和授权认证服务器的电子凭证发送给第一服务节点，所述归属人的电子凭证用于区块链上的节点认证和追溯所述归属人，授权认证服务器的电子凭证用于区块链上的节点认证和追溯授权认证服务器。将归属人的电子凭证和授权认证服务器的电子凭证上链，能够避免归属人和授权认证服务器抵赖。这里归属人的电子凭证可以是归属人的数字证书签名，授权认证服务器的电子凭证可以是授权认证服务器的数字证书签名。Furthermore, the authorization authentication server sending the hash value to the first service node may be as follows: the authorization authentication server sends the hash value, the owner's electronic certificate, and the authorization authentication server's electronic certificate to the first service node, wherein the owner's electronic certificate is used for node authentication and tracing the owner on the blockchain, and the authorization authentication server's electronic certificate is used for node authentication and tracing the authorization authentication server on the blockchain. Linking the owner's electronic certificate and the authorization authentication server's electronic certificate to the blockchain can prevent denial of ownership by the owner and the authorization authentication server. Here, the owner's electronic certificate can be the owner's digital certificate signature, and the authorization authentication server's electronic certificate can be the authorization authentication server's digital certificate signature.

S108，所述授权认证服务器基于授权认证的结果，对所述访问请求进行响应。S108: The authorization authentication server responds to the access request based on the result of the authorization authentication.

可选地，在一些实施例中，如果第一服务节点向授权认证服务器发送了目标加密业务数据，则在S108中，授权认证服务器在授权认证通过的情况下，采用第二加密密钥对应的第二解密密钥对目标加密业务数据进行解密，得到目标初始解密业务数据；向第一服务节点发送目标初始解密业务数据，以使第一服务节点对目标初始解密业务数据进行解密得到所述目标业务数据后发送给所述业务发起方，第一服务节点采用第一加密密钥对应的第一解密密钥对目标初始解密业务数据进行解密。Optionally, in some embodiments, if the first service node sends the target encrypted business data to the authorization authentication server, then in S108, the authorization authentication server uses the second decryption key corresponding to the second encryption key to decrypt the target encrypted business data to obtain the target initial decrypted business data if the authorization authentication is passed; the target initial decrypted business data is sent to the first service node, so that the first service node decrypts the target initial decrypted business data to obtain the target business data and then sends it to the business initiator, and the first service node uses the first decryption key corresponding to the first encryption key to decrypt the target initial decrypted business data.

可选地，在另一些实施例中，如果第一服务节点没有向授权认证服务器发送目标加密业务数据，则在S108中，授权认证服务器在授权认证通过的情况下，向所述第一服务节点发送所述第二加密密钥对应的第二解密密钥，以使所述第一服务节点对所述目标加密业务数据进行解密得到所述目标业务数据后发送给所述业务发起方，所述第一服务节点采用所述第二解密密钥以及所述第一加密数据对应的第一解密密钥对所述目标加密业务数据进行解密。Optionally, in other embodiments, if the first service node does not send the target encrypted business data to the authorization authentication server, then in S108, the authorization authentication server sends the second decryption key corresponding to the second encryption key to the first service node if the authorization authentication is passed, so that the first service node decrypts the target encrypted business data to obtain the target business data and then sends it to the business initiator. The first service node uses the second decryption key and the first decryption key corresponding to the first encrypted data to decrypt the target encrypted business data.

上述的第一服务节点对应的第一加密密钥可以是第一服务节点的公钥，第一加密密钥对应的第一解密密钥可以是第一服务节点的私钥。归属人对应的第二加密密钥可以是归属人的公钥，第二加密密钥对应的第二解密密钥可以是归属人的私钥。The first encryption key corresponding to the first service node may be the public key of the first service node, and the first decryption key corresponding to the first encryption key may be the private key of the first service node. The second encryption key corresponding to the owner may be the public key of the owner, and the second decryption key corresponding to the second encryption key may be the private key of the owner.

具体地，在一些实施例中，基于目标业务数据上链的目标加密业务数据是由区块链中的第二服务节点实现上链的。如图2所示出的，图1所示的方法还包括：Specifically, in some embodiments, the target encrypted business data based on the target business data is uploaded to the blockchain by a second service node in the blockchain. As shown in FIG2 , the method shown in FIG1 further includes:

S110，第二服务节点接收业务数据提供方发送的目标业务数据。S110: The second service node receives target service data sent by a service data provider.

在S110中，业务数据提供方具体可以是提供目标业务数据的群体使用的终端设备。例如，业务数据提供方可以是医生等办理具体业务的群体使用的终端设备。终端设备包括PC段和移动终端，移动终端或者叫移动通信终端是指可以在移动中使用的计算机设备，广义的讲包括手机、笔记本、平板电脑、POS机甚至包括车载电脑。但大部分情况下移动终端指手机或者具有多种应用功能的智能手机以及平板电脑。In S110, the service data provider may specifically be a terminal device used by the group providing the target service data. For example, the service data provider may be a terminal device used by a group such as doctors handling specific services. Terminal devices include PCs and mobile terminals. Mobile terminals, or mobile communication terminals, refer to computer devices that can be used on the move. Broadly speaking, they include mobile phones, laptops, tablets, POS terminals, and even in-vehicle computers. However, in most cases, mobile terminals refer to mobile phones, smartphones with multiple application functions, and tablets.

S112，第二服务节点采用第一服务节点对应的第一加密密钥和所述归属人对应的第二加密密钥对所述目标业务数据进行加密，得到所述目标加密业务数据。S112: The second service node encrypts the target service data using the first encryption key corresponding to the first service node and the second encryption key corresponding to the owner to obtain the target encrypted service data.

具体地，业务提供方将目标业务数据发送给第二服务节点，并同时带上自身的数字签名，第二服务节点通过运行智能合约验证业务提供方的数字签名以验证该业务提供方的身份，身份验证通过后，第二服务节点通过执行智能合约将目标业务数据依次采用第一服务节点对应的第一加密密钥和归属人对应的第二加密密钥对目标业务数据进行加密，得到目标加密业务数据。Specifically, the service provider sends the target service data to the second service node, and at the same time brings its own digital signature. The second service node verifies the digital signature of the service provider by running the smart contract to verify the identity of the service provider. After the identity authentication is passed, the second service node executes the smart contract to encrypt the target service data in turn using the first encryption key corresponding to the first service node and the second encryption key corresponding to the owner to obtain the target encrypted service data.

第二服务节点在对目标业务数据进行加密之前需要获取到归属人的第二加密密钥，因此第二服务节点调用第二服务节点与授权认证服务器之间的通信接口，获取归属人的第二加密密钥。Before encrypting the target service data, the second service node needs to obtain the second encryption key of the owner. Therefore, the second service node calls the communication interface between the second service node and the authorization authentication server to obtain the second encryption key of the owner.

S114，第二服务节点将目标加密业务数据同步到区块链的节点上，实现目标加密业务数据的上链。S114, the second service node synchronizes the target encrypted business data to the node of the blockchain, and realizes the on-chain of the target encrypted business data.

在S114中，第二服务节点可以将目标加密业务数据结合业务提供方的数字签名、业务提供方的唯一索引、业务发起方的唯一索引以及目标加密业务数据与归属人的身份标识和业务标识之间的关联关系一起封装成数字信封，之后通过共识算法将数字信封同步到区块链中的其他节点上，实现目标加密业务数据的上链。In S114, the second service node can encapsulate the target encrypted business data into a digital envelope together with the digital signature of the business provider, the unique index of the business provider, the unique index of the business initiator, and the association between the target encrypted business data and the identity identifier and business identifier of the owner, and then synchronize the digital envelope to other nodes in the blockchain through the consensus algorithm to realize the on-chain of the target encrypted business data.

下面将结合图3详细描述根据本申请另一实施例的业务数据的访问方法。需要说明的是，从第一服务节点侧描述的第一服务节点与授权认证服务器的交互与图1中的描述相同，为避免重复，在此不再赘述。如图3所示出的，方法包括：The following describes in detail a method for accessing service data according to another embodiment of the present application in conjunction with FIG3. It should be noted that the interaction between the first service node and the authorization authentication server described from the first service node side is the same as that described in FIG1. To avoid repetition, it will not be repeated here. As shown in FIG3, the method includes:

S302，第一服务节点接收业务发起方的访问请，所述访问请求用于请求访问区块链上的目标业务数据，所述访问请求中包括身份标识，所述身份标识用于标识所述目标业务数据的归属人，基于所述目标业务上链的目标加密业务数据与所述身份标识以及业务标识关联，所述业务标识用于标识与所述访问请求相对应的访问业务。S302, the first service node receives an access request from a business initiator, where the access request is used to request access to target business data on the blockchain. The access request includes an identity identifier, which is used to identify the owner of the target business data. The target encrypted business data on the chain based on the target business is associated with the identity identifier and the business identifier, and the business identifier is used to identify the access business corresponding to the access request.

S304，第一服务节点向授权认证服务器发送所述访问请求，所述授权认证服务器用于基于所述身份标识，对所述归属人进行授权认证，并基于授权认证的结果，对所述访问请求进行响应。S304: The first service node sends the access request to the authorization and authentication server. The authorization and authentication server is configured to perform authorization and authentication on the owner based on the identity identifier, and respond to the access request based on the result of the authorization and authentication.

可选地，作为一个实施例，所述目标加密业务数据由所述目标业务数据通过所述第一服务节点对应的第一加密密钥和所述归属人对应的第二加密密钥进行加密得到。Optionally, as an embodiment, the target encrypted service data is obtained by encrypting the target service data using a first encryption key corresponding to the first service node and a second encryption key corresponding to the owner.

可选地，作为一个实施例，在S304中第一服务节点向授权认证服务器发送所述访问请求，包括：向授权认证服务器发送所述访问请求和目标加密业务数据。在这种情况下，授权认证服务器在授权认证通过的情况下，采用第二加密密钥对应的第二解密密钥对目标加密业务数据进行解密，得到目标初始解密业务数据，之后向第一服务节点发送目标初始解密业务数据，第一服务节点接收到目标初始解密业务数据之后，采用第一加密密钥对应的第一解密密钥对目标初始解密业务进行解密，得到目标业务数据并发送给业务发起方。Optionally, as an embodiment, in S304, the first service node sending the access request to the authorization authentication server includes: sending the access request and target encrypted service data to the authorization authentication server. In this case, if the authorization authentication passes, the authorization authentication server decrypts the target encrypted service data using the second decryption key corresponding to the second encryption key to obtain target initial decrypted service data, and then sends the target initial decrypted service data to the first service node. After receiving the target initial decrypted service data, the first service node decrypts the target initial decrypted service data using the first decryption key corresponding to the first encryption key to obtain the target service data and sends it to the service initiator.

可选地，作为一个实施例，图3所示的方法还包括：接收授权认证服务器发送的第二加密密钥对应的第二解密密钥；采用所述第一加密密钥对应的第一解密密钥和第二解密密钥对目标加密业务数据进行解密得到目标业务数据后发送给业务发起方。Optionally, as an embodiment, the method shown in Figure 3 also includes: receiving a second decryption key corresponding to a second encryption key sent by the authorization authentication server; using the first decryption key and the second decryption key corresponding to the first encryption key to decrypt the target encrypted business data to obtain the target business data and then sending it to the business initiator.

可选地，作为一个实施例，图3所示的方法还包括：向授权认证服务器发送访问请求和业务标识。在这种情况下，授权认证服务器将建立并存储授权认证的认证记录数据、身份标识和业务标识之间的关联关系，并在确定认证记录数据的哈希值后，建立哈希值与身份标识和业务标识之间的关联关系，并将哈希值发送给该第一服务节点。第一服务节点将哈希值同步到区块链中的节点上，实现哈希值的上链。Optionally, as an embodiment, the method shown in FIG3 further includes: sending an access request and a service identifier to an authorization authentication server. In this case, the authorization authentication server establishes and stores an association between the authentication record data for authorization authentication, the identity identifier, and the service identifier. After determining a hash value of the authentication record data, the server establishes an association between the hash value, the identity identifier, and the service identifier, and sends the hash value to the first service node. The first service node synchronizes the hash value with a node in the blockchain, thereby uploading the hash value to the blockchain.

可选地，作为一个实施例，第一服务节点接收所述哈希值、所述归属人的电子凭证和所述授权认证服务器的电子凭证；所述第一服务节点将所述哈希值、所述归属人的电子凭证和所述授权认证服务器的电子凭证，同步到区块链中的节点上。Optionally, as an embodiment, the first service node receives the hash value, the electronic certificate of the owner and the electronic certificate of the authorization authentication server; the first service node synchronizes the hash value, the electronic certificate of the owner and the electronic certificate of the authorization authentication server to a node in the blockchain.

下面将结合图4详细描述根据本申请再一实施例的业务数据的访问方法。需要说明的是，从授权认证服务器侧描述的第一服务节点与授权认证服务器的交互与图1中的描述相同，为避免重复，在此不再赘述。如图4所示出的，方法包括：The following describes in detail a method for accessing service data according to another embodiment of the present application in conjunction with FIG4. It should be noted that the interaction between the first service node and the authorization authentication server described from the authorization authentication server side is the same as that described in FIG1. To avoid repetition, it will not be repeated here. As shown in FIG4, the method includes:

S402，授权认证服务器接收第一服务节点发送的访问请求，所述访问请求由业务发起方发送给所述第一服务节点，所述访问请求用于请求访问区块链上的目标业务数据，所述访问请求中包括身份标识，所述身份标识用于标识所述目标业务数据的归属人，基于所述目标业务数据上链的目标加密业务数据与所述身份标识以及业务标识关联，所述业务标识用于标识与所述访问请求相对应的访问业务；S402: The authorization authentication server receives an access request sent by a first service node. The access request is sent by a service initiator to the first service node. The access request is used to request access to target service data on the blockchain. The access request includes an identity identifier, which is used to identify the owner of the target service data. Target encrypted service data on the blockchain based on the target service data is associated with the identity identifier and the service identifier, and the service identifier is used to identify the access service corresponding to the access request.

S404，所述授权认证服务器基于所述身份标识，对所述归属人进行授权认证；S404, the authorization authentication server performs authorization authentication on the owner based on the identity identifier;

S406，所述授权认证服务器基于授权认证的结果，对所述访问请求进行响应。S406: The authorization authentication server responds to the access request based on the authorization authentication result.

可选地，作为一个实施例，在S404之前，图4所示的方法还包括：接收第一服务节点发送的目标加密业务数据。相对应的在S406中，授权认证服务器在授权认证通过的情况下，采用第二加密密钥对应的第二解密密钥对目标加密业务数据进行解密，得到目标初始解密业务数据；向第一服务节点发送目标初始解密业务数据，以使第一服务节点对目标初始解密业务数据进行节目得到目标业务数据后发送给业务发起方，第一服务节点采用第一加密密钥对应的第一解密密钥对目标初始解密业务数据进行解密。Optionally, as an embodiment, before S404, the method shown in FIG4 further includes: receiving target encrypted service data sent by the first service node. Correspondingly, in S406, if the authorization authentication is successful, the authorization authentication server decrypts the target encrypted service data using the second decryption key corresponding to the second encryption key to obtain target initial decrypted service data; and sends the target initial decrypted service data to the first service node, so that the first service node performs a program on the target initial decrypted service data to obtain the target service data and then sends it to the service initiator, and the first service node decrypts the target initial decrypted service data using the first decryption key corresponding to the first encryption key.

可选地，作为一个实施例，在S406中，在授权认证通过的情况下，向第一服务节点发送第二加密密钥对应的第二解密密钥，以使第一服务节点对目标加密业务数据进行解密得到目标业务数据后发送给业务发起方；其中，第一服务节点采用所述第二解密密钥以及所述第一加密密钥对应的第一解密密钥对目标加密业务数据进行解密。Optionally, as an embodiment, in S406, when the authorization authentication is passed, the second decryption key corresponding to the second encryption key is sent to the first service node, so that the first service node decrypts the target encrypted business data to obtain the target business data and then sends it to the business initiator; wherein, the first service node uses the second decryption key and the first decryption key corresponding to the first encryption key to decrypt the target encrypted business data.

可选地，作为一个实施例，在S402中，接收第一服务节点发送的所述访问请求和所述业务标识；相对应的，图4所示的方法还包括：建立并存储授权认证的认证记录数据、身份标识和业务标识之间的关联关系；确定认证记录数据的哈希值，建立哈希值与身份标识和业务标识之间的关联关系，并将所述哈希值发送给第一服务节点，以使第一服务节点将哈希值同步到区块链中的节点上，实现哈希值的上链。Optionally, as an embodiment, in S402, the access request and the business identifier sent by the first service node are received; correspondingly, the method shown in Figure 4 also includes: establishing and storing an association relationship between the authentication record data of the authorized authentication, the identity identifier and the business identifier; determining the hash value of the authentication record data, establishing an association relationship between the hash value and the identity identifier and the business identifier, and sending the hash value to the first service node, so that the first service node synchronizes the hash value to the node in the blockchain to realize the hash value on-chain.

可选地，作为一个实施例，授权认证服务器将哈希值、所述归属人的电子凭证和所述授权认证服务器的电子凭证发送给第一服务节点。Optionally, as an embodiment, the authorization authentication server sends the hash value, the electronic certificate of the owner, and the electronic certificate of the authorization authentication server to the first service node.

可选地，作为一个实施例，在S404中，授权认证服务器向器向移动终端发送授权认证请求，所述授权认证请求中包括所述身份标识，以使所述移动终端基于所述身份标识，对所述归属人进行授权认证；所述授权认证服务器接收所述移动终端的身份认证响应，所述身份认证响应中包括所述认证记录数据。Optionally, as an embodiment, in S404, the authorization authentication server sends an authorization authentication request to the mobile terminal, and the authorization authentication request includes the identity identifier, so that the mobile terminal performs authorization authentication on the owner based on the identity identifier; the authorization authentication server receives the identity authentication response of the mobile terminal, and the identity authentication response includes the authentication record data.

可选地，作为一个实施例，所述授权认证请求中还包括授权认证方式指示信息，所述授权认证方式指示信息用于指示所述移动终端进行授权认证采用的认证方式。Optionally, as an embodiment, the authorization authentication request further includes authorization authentication mode indication information, and the authorization authentication mode indication information is used to indicate an authentication mode adopted by the mobile terminal for authorization authentication.

可选地，作为一个实施例，所述授权认证记录数据包括授权认证时间、所述移动终端的标识、所述身份标识、授权验证结果以及授权认证过程采集到的待验证信息中的至少一个。Optionally, as an embodiment, the authorization authentication record data includes at least one of the authorization authentication time, the identifier of the mobile terminal, the identity identifier, the authorization verification result, and the information to be verified collected during the authorization authentication process.

下面将结合本发明实施例的一个业务数据访问的系统，描述根据本申请一个具体实施例的业务数据的访问方法。如图5所示出的，系统包括业务数据提供方、业务发起方、区块链、身份认证中心和移动身份认证装置。图5中的业务数据提供方可以理解为发送方，业务发起方可以理解为接收方。区块链中包括智能合约、通信模块和区块链数据库，身份认证中心包括用户密钥加密解密模块、用户信息管理模块、认证数据索引模块、身份认证模块以及身份认证数据库。The following describes a method for accessing business data according to a specific embodiment of the present application, in conjunction with a business data access system according to an embodiment of the present invention. As shown in Figure 5, the system includes a business data provider, a business initiator, a blockchain, an identity authentication center, and a mobile identity authentication device. The business data provider in Figure 5 can be understood as the sender, and the business initiator can be understood as the receiver. The blockchain includes smart contracts, a communication module, and a blockchain database. The identity authentication center includes a user key encryption and decryption module, a user information management module, an authentication data index module, an identity authentication module, and an identity authentication database.

基于图5所示出的系统架构，发送方将原始数据data和发送方数字签名上传到区块链中的发送节点上，发送节点通过运行智能合约采用接收方对应的接收节点的公钥对data进行加密，生成密文data’，之后调用身份认证中心接口，从用户密钥加解密模块获取到用户的公钥，并采用用户的公钥对data’进行加密生成密文data”，之后发送节点将data”结合发送方数字签名、发送方唯一索引、接收方唯一索引、以及data”与用户唯一索引和业务唯一索引的关联关系一起等装成数字信封，通过通信模块将数字信封同步到区块链中的节点上，使数字信封存储到区块链数据库中。通过这个过程，存储到区块链数据库中与一个用户相关的用户数据具有图6所示的数据结构，即用户数据包括用户唯一索引、业务唯一索引、加密数据、接收方唯一索引、发送方唯一索引以及发送方数字签名。Based on the system architecture shown in Figure 5, the sender uploads the original data (data) and the sender's digital signature to the sending node in the blockchain. The sending node runs a smart contract and encrypts data using the public key of the corresponding receiving node, generating the ciphertext (data'). The node then calls the identity authentication center interface, obtains the user's public key from the user key encryption and decryption module, and uses the user's public key to encrypt data' to generate the ciphertext (data",). The sending node then packages data", along with the sender's digital signature, the sender's unique index, the receiver's unique index, and the association between data", the user's unique index, and the service's unique index, into a digital envelope. The node then synchronizes the digital envelope with the nodes in the blockchain via the communication module, storing it in the blockchain database. Through this process, the user data associated with a user stored in the blockchain database has the data structure shown in Figure 6: user data includes the user's unique index, service unique index, encrypted data, receiver's unique index, sender's unique index, and the sender's digital signature.

在接收方向区块链中的接收节点发送访问请求时，接收节点通过运行智能合约将data”和访问请求转发给身份认证中心，身份认证中心中的身份认证模块基于访问请求和用户信息关联模块中存储的用户唯一索引信息，与移动身份认证装置进行通信完成对数据的归属人的认证。认证完成后身份认证模块将认证结果数据存储到身份认证数据库中。认证数据索引模块将建立认证结果数据与用户唯一索引、业务唯一索引之间的关联关系，并将该关联关系存储到身份认证数据库中。并且认证数据索引模块确定认证结果数据的Hash值，建立Hash值与用户唯一索引、业务唯一索引之间的关联关系，并将该关联关系存储到身份认证数据库中，且通过与接收节点之间进行通信实现Hash值上链。具体在实现Hash值上链时，认证数据索引模块将Hash值、Hash与用户唯一索引、业务唯一索引之间的关联关系、用户数字签名和身份认证中心数字签名一起发送给接收节点，实现这些信息的上链。通过这个过程，存储到区块链数据库中与一个用户相关的用户认证记录数据具有图6所示的数据结构，即用户认证记录数据包括用户唯一索引、业务唯一索引、认证结果数据Hash值、用户数字签名和身份认证中心数字签名。用户数据和用户认证记录数据之间通过用户唯一索引和业务唯一索引相关联，用户认证记录数据通过Hash值与身份认证数据库相关联。When the receiving direction sends an access request to the receiving node in the blockchain, the receiving node forwards the "data" and the access request to the identity authentication center by running the smart contract. The identity authentication module in the identity authentication center communicates with the mobile identity authentication device based on the access request and the user unique index information stored in the user information association module to complete the authentication of the owner of the data. After the authentication is completed, the identity authentication module stores the authentication result data in the identity authentication database. The authentication data index module will establish an association relationship between the authentication result data and the user unique index and the business unique index, and store the association relationship in the identity authentication database. The authentication data index module determines the hash value of the authentication result data, establishes an association relationship between the hash value and the user unique index and the business unique index, and stores the association relationship in the identity authentication database. The data is stored in the blockchain database, and the Hash value is uploaded to the chain by communicating with the receiving node. Specifically, when the Hash value is uploaded to the chain, the authentication data index module sends the Hash value, the association between the Hash and the user unique index, the business unique index, the user digital signature, and the identity authentication center digital signature to the receiving node to upload this information to the chain. Through this process, the user authentication record data related to a user stored in the blockchain database has the data structure shown in Figure 6, that is, the user authentication record data includes the user unique index, the business unique index, the authentication result data Hash value, the user digital signature, and the identity authentication center digital signature. The user data and the user authentication record data are associated through the user unique index and the business unique index, and the user authentication record data is associated with the identity authentication database through the Hash value.

在身份认证中心确认身份认证通过时，身份认证中心通过用户密钥加解密模块对data”进行解密得到data’，发送给接收节点，接收节点利用自身私钥对data’进行解密得到data，并将data发送给接收方。When the identity authentication center confirms that the identity authentication is successful, the identity authentication center decrypts data" through the user key encryption and decryption module to obtain data' and sends it to the receiving node. The receiving node uses its own private key to decrypt data' to obtain data and sends data to the recipient.

需要说明的是，图5中的区块链节点与身份认证中心之间的通信过程与图1至图4中描述的实施例中第一服务节点、第二服务节点与授权认证服务器之间的通信过程类似，具体细节不再赘述。且身份认证中心与移动身份认证装置之间的通信过程与图1至图4中描述的实施例中授权认证服务器与移动终端之间的通信过程类似，具体细节不再赘述。It should be noted that the communication process between the blockchain node and the identity authentication center in FIG5 is similar to the communication process between the first service node, the second service node, and the authorization authentication server in the embodiments described in FIG1 to FIG4 , and the specific details are not repeated here. Furthermore, the communication process between the identity authentication center and the mobile identity authentication device is similar to the communication process between the authorization authentication server and the mobile terminal in the embodiments described in FIG1 to FIG4 , and the specific details are not repeated here.

可以看出，通过图5中的系统架构，不仅能够在发送双方之间做到数据隐私保护，而且通过引入身份认证中心和加解密机制，确保在用户本人授权后才分享数据，最大程度的满足了用户对数据安全隐私的要求。并且用户认证结果数据上链，区块链上留存有用户授权意愿，便于后续审计和监管。As can be seen, the system architecture in Figure 5 not only ensures data privacy protection between the sending and receiving parties, but also, through the introduction of an identity authentication center and encryption and decryption mechanisms, ensures that data is shared only after the user's authorization, thus meeting the user's requirements for data security and privacy to the greatest extent possible. Furthermore, user authentication results are uploaded to the blockchain, and the user's authorization intention is retained on the blockchain, facilitating subsequent audits and oversight.

图7是根据本申请一个实施例的业务数据的访问系统，包括第一服务节点和授权认证服务器；其中，FIG7 is a system for accessing business data according to an embodiment of the present application, including a first service node and an authorization authentication server; wherein,

第一服务节点，向授权认证服务器发送访问请求；The first service node sends an access request to the authorization and authentication server;

授权认证服务器，基于身份标识，对所述归属人进行授权认证；The authorization and authentication server performs authorization and authentication on the owner based on the identity identifier;

所述授权认证服务器，基于授权认证结果，对所述访问请求进行响应。The authorization and authentication server responds to the access request based on the authorization and authentication result.

需要说明的是，图7所示出的业务数据的访问系统能够执行图1和图2所示的方法，并达到相同的技术效果，在此不再赘述。It should be noted that the business data access system shown in FIG. 7 can execute the methods shown in FIG. 1 and FIG. 2 and achieve the same technical effects, which will not be described in detail here.

下面将结合图8详细描述根据本申请一个实施例的电子设备。参考图8，在硬件层面，电子设备包括处理器，可选地，包括内部总线、网络接口、存储器。其中，存储器可能包含内存，例如高速随机存取存储器(Random-Access Memory，RAM)，也可能还包括非易失性存储器(non-volatile memory)，例如至少1个磁盘存储器等。当然，该电子设备还可能包括其他业务所需要的硬件。The electronic device according to an embodiment of the present application will be described in detail below with reference to FIG8 . Referring to FIG8 , at the hardware level, the electronic device includes a processor, and optionally, an internal bus, a network interface, and a memory. Among them, the memory may include a memory, such as a high-speed random access memory (RAM), and may also include a non-volatile memory (non-volatile memory), such as at least one disk storage, etc. Of course, the electronic device may also include hardware required for other services.

处理器、网络接口和存储器可以通过内部总线相互连接，该内部总线可以是工业标准体系结构(Industry Standard Architecture，ISA)总线、外设部件互连标准(Peripheral Component Interconnect，PCI)总线或扩展工业标准结构(ExtendedIndustry Standard Architecture，EISA)总线等。所述总线可以分为地址总线、数据总线、控制总线等。为便于表示，图8中仅用一个双向箭头表示，但并不表示仅有一根总线或一种类型的总线。The processor, network interface, and memory can be interconnected via an internal bus, which can be an Industry Standard Architecture (ISA) bus, a Peripheral Component Interconnect (PCI) bus, or an Extended Industry Standard Architecture (EISA) bus. These buses can be classified as address buses, data buses, control buses, and the like. For ease of illustration, FIG8 shows only one bidirectional arrow, but this does not imply that there is only one bus or only one type of bus.

存储器，用于存放程序。具体地，程序可以包括程序代码，所述程序代码包括计算机操作指令。存储器可以包括内存和非易失性存储器，并向处理器提供指令和数据。The memory is used to store programs. Specifically, the program may include program code, which includes computer operating instructions. The memory may include internal memory and non-volatile memory, and provides instructions and data to the processor.

处理器从非易失性存储器中读取对应的计算机程序到内存中然后运行，在逻辑层面上形成业务数据的访问装置。处理器，执行存储器所存放的程序，并具体用于执行以下操作：The processor reads the corresponding computer program from the non-volatile memory into the internal memory and then runs it, forming an access device for business data at the logical level. The processor executes the program stored in the memory and is specifically used to perform the following operations:

接收业务发起方的访问请，所述访问请求用于请求访问区块链上的目标业务数据，所述访问请求中包括身份标识，所述身份标识用于标识所述目标业务数据的归属人，基于所述目标业务上链的目标加密业务数据与所述身份标识以及业务标识关联，所述业务标识用于标识与所述访问请求相对应的访问业务。Receive an access request from a business initiator, where the access request is used to request access to target business data on the blockchain. The access request includes an identity identifier, which is used to identify the owner of the target business data. The target encrypted business data on the chain based on the target business is associated with the identity identifier and the business identifier, and the business identifier is used to identify the access business corresponding to the access request.

上述如本申请图3所示实施例揭示的第一服务节点执行的方法可以应用于处理器中，或者由处理器实现。处理器可能是一种集成电路芯片，具有信号的处理能力。在实现过程中，上述方法的各步骤可以通过处理器中的硬件的集成逻辑电路或者软件形式的指令完成。上述的处理器可以是通用处理器，包括中央处理器(Central Processing Unit，CPU)、网络处理器(Network Processor，NP)等；还可以是数字信号处理器(Digital SignalProcessor，DSP)、专用集成电路(Application Specific Integrated Circuit，ASIC)、现场可编程门阵列(Field－Programmable Gate Array，FPGA)或者其他可编程逻辑器件、分立门或者晶体管逻辑器件、分立硬件组件。可以实现或者执行本申请实施例中的公开的各方法、步骤及逻辑框图。通用处理器可以是微处理器或者该处理器也可以是任何常规的处理器等。结合本申请实施例所公开的方法的步骤可以直接体现为硬件译码处理器执行完成，或者用译码处理器中的硬件及软件模块组合执行完成。软件模块可以位于随机存储器，闪存、只读存储器，可编程只读存储器或者电可擦写可编程存储器、寄存器等本领域成熟的存储介质中。该存储介质位于存储器，处理器读取存储器中的信息，结合其硬件完成上述方法的步骤。The method performed by the first service node disclosed in the embodiment shown in FIG3 of the present application can be applied to a processor or implemented by a processor. The processor may be an integrated circuit chip with signal processing capabilities. During implementation, each step of the method can be completed by hardware integrated logic circuits in the processor or by software instructions. The processor can be a general-purpose processor, including a central processing unit (CPU), a network processor (NP), etc.; it can also be a digital signal processor (DSP), an application-specific integrated circuit (ASIC), a field-programmable gate array (FPGA), or other programmable logic devices, discrete gate or transistor logic devices, or discrete hardware components. The methods, steps, and logic block diagrams disclosed in the embodiments of the present application can be implemented or executed. The general-purpose processor can be a microprocessor or any conventional processor. The steps of the method disclosed in the embodiments of the present application can be directly implemented and executed by a hardware decoding processor, or by a combination of hardware and software modules in the decoding processor. The software module can be located in a storage medium well-known in the art, such as random access memory, flash memory, read-only memory, programmable read-only memory, electrically erasable programmable memory, registers, etc. The storage medium is located in the memory, and the processor reads the information in the memory and, in conjunction with its hardware, completes the steps of the above method.

该电子设备还可执行图1和图2的方法，并实现第一服务节点在图1和图2所示实施例的功能，本申请实施例在此不再赘述。The electronic device can also execute the methods of Figures 1 and 2 and implement the functions of the first service node in the embodiments shown in Figures 1 and 2, which will not be described in detail in the embodiments of the present application.

当然，除了软件实现方式之外，本申请的电子设备并不排除其他实现方式，比如逻辑器件抑或软硬件结合的方式等等，也就是说以下处理流程的执行主体并不限定于各个逻辑单元，也可以是硬件或逻辑器件。Of course, in addition to software implementation, the electronic device of this application does not exclude other implementation methods, such as logic devices or a combination of software and hardware, etc. That is to say, the execution subject of the following processing flow is not limited to each logic unit, but can also be hardware or logic devices.

本申请实施例还提出了一种计算机可读存储介质，该计算机可读存储介质存储一个或多个程序，该一个或多个程序包括指令，该指令当被包括多个应用程序的电子设备执行时，能够使该电子设备执行图3所示实施例的方法，并具体用于执行以下方法：The present application also provides a computer-readable storage medium that stores one or more programs. The one or more programs include instructions. When executed by an electronic device including multiple application programs, the instructions enable the electronic device to perform the method of the embodiment shown in FIG. 3 , and are specifically configured to perform the following method:

下面将结合图9详细描述根据本申请一个实施例的电子设备。参考图9，在硬件层面，电子设备包括处理器，可选地，包括内部总线、网络接口、存储器。其中，存储器可能包含内存，例如高速随机存取存储器(Random-Access Memory，RAM)，也可能还包括非易失性存储器(non-volatile memory)，例如至少1个磁盘存储器等。当然，该电子设备还可能包括其他业务所需要的硬件。The electronic device according to an embodiment of the present application will be described in detail below with reference to FIG9 . Referring to FIG9 , at the hardware level, the electronic device includes a processor, and optionally, an internal bus, a network interface, and a memory. Among them, the memory may include a memory, such as a high-speed random access memory (RAM), and may also include a non-volatile memory (non-volatile memory), such as at least one disk storage, etc. Of course, the electronic device may also include hardware required for other services.

处理器从非易失性存储器中读取对应的计算机程序到内存中然后运行，在逻辑层面上形成授权认证装置。处理器，执行存储器所存放的程序，并具体用于执行以下操作：The processor reads the corresponding computer program from the non-volatile memory into the internal memory and then runs it, forming an authorization and authentication device at the logical level. The processor executes the program stored in the memory and is specifically used to perform the following operations:

上述如本申请图4所示实施例揭示的授权认证服务器执行的方法可以应用于处理器中，或者由处理器实现。处理器可能是一种集成电路芯片，具有信号的处理能力。在实现过程中，上述方法的各步骤可以通过处理器中的硬件的集成逻辑电路或者软件形式的指令完成。上述的处理器可以是通用处理器，包括中央处理器(Central Processing Unit，CPU)、网络处理器(Network Processor，NP)等；还可以是数字信号处理器(Digital SignalProcessor，DSP)、专用集成电路(Application Specific Integrated Circuit，ASIC)、现场可编程门阵列(Field－Programmable Gate Array，FPGA)或者其他可编程逻辑器件、分立门或者晶体管逻辑器件、分立硬件组件。可以实现或者执行本申请实施例中的公开的各方法、步骤及逻辑框图。通用处理器可以是微处理器或者该处理器也可以是任何常规的处理器等。结合本申请实施例所公开的方法的步骤可以直接体现为硬件译码处理器执行完成，或者用译码处理器中的硬件及软件模块组合执行完成。软件模块可以位于随机存储器，闪存、只读存储器，可编程只读存储器或者电可擦写可编程存储器、寄存器等本领域成熟的存储介质中。该存储介质位于存储器，处理器读取存储器中的信息，结合其硬件完成上述方法的步骤。The method performed by the authorization authentication server disclosed in the embodiment shown in FIG4 of the present application can be applied to a processor or implemented by a processor. The processor may be an integrated circuit chip with signal processing capabilities. During implementation, each step of the above method can be completed by hardware integrated logic circuits in the processor or by software instructions. The above processor can be a general-purpose processor, including a central processing unit (CPU), a network processor (NP), etc.; it can also be a digital signal processor (DSP), an application-specific integrated circuit (ASIC), a field-programmable gate array (FPGA), or other programmable logic devices, discrete gate or transistor logic devices, or discrete hardware components. The various methods, steps, and logic block diagrams disclosed in the embodiments of the present application can be implemented or executed. The general-purpose processor can be a microprocessor or any conventional processor. The steps of the method disclosed in the embodiments of the present application can be directly implemented and executed by a hardware decoding processor, or by a combination of hardware and software modules in the decoding processor. The software module can be located in a storage medium well-known in the art, such as random access memory, flash memory, read-only memory, programmable read-only memory, electrically erasable programmable memory, registers, etc. The storage medium is located in the memory, and the processor reads the information in the memory and, in conjunction with its hardware, completes the steps of the above method.

该电子设备还可执行图1和图2的方法，并实现授权认证服务器在图1和图2所示实施例的功能，本申请实施例在此不再赘述。The electronic device can also execute the methods of Figures 1 and 2, and implement the functions of the authorization authentication server in the embodiments shown in Figures 1 and 2, and the embodiments of this application will not be repeated here.

本申请实施例还提出了一种计算机可读存储介质，该计算机可读存储介质存储一个或多个程序，该一个或多个程序包括指令，该指令当被包括多个应用程序的电子设备执行时，能够使该电子设备执行图4所示实施例的方法，并具体用于执行以下方法：The present application also provides a computer-readable storage medium that stores one or more programs. The one or more programs include instructions. When executed by an electronic device including multiple application programs, the instructions enable the electronic device to perform the method of the embodiment shown in FIG. 4 , and are specifically configured to perform the following method:

图10是本申请的一个实施例的业务数据的访问装置的结构示意图。请参考图10，在一种软件实施方式中，业务数据的访问装置1000可包括：接收单元1001和发送单元1002，其中，FIG10 is a schematic diagram of the structure of a device for accessing business data according to an embodiment of the present application. Referring to FIG10 , in a software implementation, the device for accessing business data 1000 may include: a receiving unit 1001 and a sending unit 1002, wherein:

接收单元1001，接收业务发起方的访问请求，所述访问请求用于请求访问区块链上的目标业务数据，所述访问请求中包括身份标识，所述身份标识用于标识所述目标业务数据的归属人，基于所述目标业务上链的目标加密业务数据与所述身份标识以及业务标识关联，所述业务标识用于标识与所述访问请求相对应的访问业务；Receiving unit 1001 receives an access request from a service initiator, the access request being used to request access to target service data on a blockchain, the access request including an identity identifier, the identity identifier being used to identify the owner of the target service data, target encrypted service data on the blockchain based on the target service being associated with the identity identifier and service identifier, the service identifier being used to identify the access service corresponding to the access request;

发送单元1002，向授权认证服务器发送所述访问请求，所述授权认证服务器用于基于所述身份标识，对所述归属人进行授权认证，并基于授权认证的结果，对所述访问请求进行响应。The sending unit 1002 sends the access request to the authorization and authentication server. The authorization and authentication server is configured to perform authorization and authentication on the owner based on the identity identifier and respond to the access request based on the result of the authorization and authentication.

可选地，作为一个实施例，所述发送单元1002：Optionally, as an embodiment, the sending unit 1002:

向授权认证服务器发送所述访问请求和目标加密业务数据。Send the access request and target encrypted service data to the authorization authentication server.

可选地，作为一个实施例，所述接收单元1001：Optionally, as an embodiment, the receiving unit 1001:

接收授权认证服务器发送的第二加密密钥对应的第二解密密钥；Receive a second decryption key corresponding to the second encryption key sent by the authorization authentication server;

所述发送单元1002：The sending unit 1002:

采用所述第一加密密钥对应的第一解密密钥和第二解密密钥对目标加密业务数据进行解密得到目标业务数据后发送给业务发起方。The target encrypted service data is decrypted using the first decryption key and the second decryption key corresponding to the first encryption key to obtain the target service data, which is then sent to the service initiator.

向授权认证服务器发送访问请求和业务标识。Send the access request and service ID to the authorization and authentication server.

接收所述哈希值、所述归属人的电子凭证和所述授权认证服务器的电子凭证；Receiving the hash value, the electronic certificate of the owner, and the electronic certificate of the authorization authentication server;

所述发送单元1002：将所述哈希值、所述归属人的电子凭证和所述授权认证服务器的电子凭证，同步到区块链中的节点上。The sending unit 1002 synchronizes the hash value, the electronic certificate of the owner, and the electronic certificate of the authorization authentication server to a node in the blockchain.

本申请实施例的业务数据的访问装置还可执行图1和图2中第一服务节点执行的方法，并实现第一服务节点在图1和图2所示实施例的功能，在此不再赘述。The device for accessing business data in the embodiment of the present application can also execute the method executed by the first service node in Figures 1 and 2, and realize the functions of the first service node in the embodiments shown in Figures 1 and 2, which will not be repeated here.

图11是本申请的一个实施例的授权认证装置的结构示意图。请参考图11，在一种软件实施方式中，授权认证装置1100可包括：收发单元1101和处理单元1102，其中，FIG11 is a schematic diagram of the structure of an authorization and authentication device according to an embodiment of the present application. Referring to FIG11 , in a software implementation, the authorization and authentication device 1100 may include: a transceiver unit 1101 and a processing unit 1102, wherein:

收发单元1101，接收第一服务节点发送的访问请求，所述访问请求由业务发起方发送给所述第一服务节点，所述访问请求用于请求访问区块链上的目标业务数据，所述访问请求中包括身份标识，所述身份标识用于标识所述目标业务数据的归属人，基于所述目标业务数据上链的目标加密业务数据与所述身份标识以及业务标识关联，所述业务标识用于标识与所述访问请求相对应的访问业务；The transceiver unit 1101 receives an access request sent by a first service node. The access request is sent by a service initiator to the first service node. The access request is used to request access to target service data on the blockchain. The access request includes an identity identifier, which is used to identify the owner of the target service data. The target encrypted service data on the blockchain based on the target service data is associated with the identity identifier and the service identifier. The service identifier is used to identify the access service corresponding to the access request.

处理单元1102，基于所述身份标识，对所述归属人进行授权认证；The processing unit 1102 performs authorization authentication on the owner based on the identity identifier;

所述处理单元1102，基于授权认证的结果，对所述访问请求进行响应。The processing unit 1102 responds to the access request based on the result of the authorization authentication.

可选地，作为一个实施例，收发单元1101：接收第一服务节点发送的目标加密业务数据；Optionally, as an embodiment, the transceiver unit 1101 receives target encrypted service data sent by the first service node;

所述处理单元1102，在授权认证通过的情况下，采用第二加密密钥对应的第二解密密钥对目标加密业务数据进行解密，得到目标初始解密业务数据；The processing unit 1102 decrypts the target encrypted service data using the second decryption key corresponding to the second encryption key to obtain the target initial decrypted service data when the authorization authentication is passed;

所述收发单元1101，向第一服务节点发送目标初始解密业务数据，以使第一服务节点对目标初始解密业务数据进行节目得到目标业务数据后发送给业务发起方，第一服务节点采用第一加密密钥对应的第一解密密钥对目标初始解密业务数据进行解密。The transceiver unit 1101 sends the target initial decrypted service data to the first service node, so that the first service node performs a program on the target initial decrypted service data to obtain the target service data and then sends it to the service initiator. The first service node uses the first decryption key corresponding to the first encryption key to decrypt the target initial decrypted service data.

可选地，作为一个实施例，所述收发单元1101：在授权认证通过的情况下，向第一服务节点发送第二加密密钥对应的第二解密密钥，以使第一服务节点对目标加密业务数据进行解密得到目标业务数据后发送给业务发起方；其中，第一服务节点采用所述第二解密密钥以及所述第一加密密钥对应的第一解密密钥对目标加密业务数据进行解密。Optionally, as an embodiment, the transceiver unit 1101: when the authorization authentication is passed, sends the second decryption key corresponding to the second encryption key to the first service node, so that the first service node decrypts the target encrypted business data to obtain the target business data and then sends it to the business initiator; wherein, the first service node uses the second decryption key and the first decryption key corresponding to the first encryption key to decrypt the target encrypted business data.

可选地，作为一个实施例，所述收发单元1101，接收第一服务节点发送的所述访问请求和所述业务标识；Optionally, as an embodiment, the transceiver unit 1101 receives the access request and the service identifier sent by the first service node;

所述处理单元1102，建立并存储授权认证的认证记录数据、身份标识和业务标识之间的关联关系；确定认证记录数据的哈希值，建立哈希值与身份标识和业务标识之间的关联关系，并通过所述收发单元1101将所述哈希值发送给第一服务节点，以使第一服务节点将哈希值同步到区块链中的节点上，实现哈希值的上链。The processing unit 1102 establishes and stores an association relationship between the authentication record data, identity identifier, and business identifier of the authorized authentication; determines a hash value of the authentication record data, establishes an association relationship between the hash value and the identity identifier and the business identifier, and sends the hash value to the first service node through the transceiver unit 1101, so that the first service node synchronizes the hash value to the node in the blockchain, thereby realizing the hash value on-chain.

可选地，作为一个实施例，所述收发单元1101，将哈希值、所述归属人的电子凭证和所述授权认证服务器的电子凭证发送给第一服务节点。Optionally, as an embodiment, the transceiver unit 1101 sends the hash value, the electronic certificate of the owner, and the electronic certificate of the authorization and authentication server to the first service node.

可选地，作为一个实施例，所述收发单元1101，向器向移动终端发送授权认证请求，所述授权认证请求中包括所述身份标识，以使所述移动终端基于所述身份标识，对所述归属人进行授权认证,接收所述移动终端的身份认证响应，所述身份认证响应中包括所述认证记录数据。Optionally, as an embodiment, the transceiver unit 1101 sends an authorization authentication request to the mobile terminal, wherein the authorization authentication request includes the identity identifier, so that the mobile terminal performs authorization authentication on the owner based on the identity identifier, and receives an identity authentication response from the mobile terminal, wherein the identity authentication response includes the authentication record data.

本申请实施例的授权认证装置还可执行图1和图2中授权认证服务器执行的方法，并实现授权认证服务器在图1和图2所示实施例的功能，在此不再赘述。The authorization and authentication device of the embodiment of the present application can also execute the method executed by the authorization and authentication server in Figures 1 and 2, and realize the functions of the authorization and authentication server in the embodiments shown in Figures 1 and 2, which will not be repeated here.

总之，以上所述仅为本申请的较佳实施例而已，并非用于限定本申请的保护范围。凡在本申请的精神和原则之内，所作的任何修改、等同替换、改进等，均应包含在本申请的保护范围之内。In short, the above description is only a preferred embodiment of the present application and is not intended to limit the scope of protection of the present application. Any modifications, equivalent replacements, improvements, etc. made within the spirit and principles of the present application shall be included in the scope of protection of the present application.

上述实施例阐明的系统、装置、模块或单元，具体可以由计算机芯片或实体实现，或者由具有某种功能的产品来实现。一种典型的实现设备为计算机。具体的，计算机例如可以为个人计算机、膝上型计算机、蜂窝电话、相机电话、智能电话、个人数字助理、媒体播放器、导航设备、电子邮件设备、游戏控制台、平板计算机、可穿戴设备或者这些设备中的任何设备的组合。The systems, devices, modules, or units described in the above embodiments may be implemented by computer chips or entities, or by products having certain functions. A typical implementation device is a computer. Specifically, the computer may be, for example, a personal computer, a laptop computer, a cellular phone, a camera phone, a smartphone, a personal digital assistant, a media player, a navigation device, an email device, a game console, a tablet computer, a wearable device, or a combination of any of these devices.

计算机可读介质包括永久性和非永久性、可移动和非可移动媒体可以由任何方法或技术来实现信息存储。信息可以是计算机可读指令、数据结构、程序的模块或其他数据。计算机的存储介质的例子包括，但不限于相变内存(PRAM)、静态随机存取存储器(SRAM)、动态随机存取存储器(DRAM)、其他类型的随机存取存储器(RAM)、只读存储器(ROM)、电可擦除可编程只读存储器(EEPROM)、快闪记忆体或其他内存技术、只读光盘只读存储器(CD-ROM)、数字多功能光盘(DVD)或其他光学存储、磁盒式磁带，磁带磁磁盘存储或其他磁性存储设备或任何其他非传输介质，可用于存储可以被计算设备访问的信息。按照本文中的界定，计算机可读介质不包括暂存电脑可读媒体(transitory media)，如调制的数据信号和载波。Computer-readable media includes permanent and non-permanent, removable and non-removable media that can be implemented by any method or technology to store information. The information can be computer-readable instructions, data structures, program modules or other data. Examples of computer storage media include, but are not limited to, phase change memory (PRAM), static random access memory (SRAM), dynamic random access memory (DRAM), other types of random access memory (RAM), read-only memory (ROM), electrically erasable programmable read-only memory (EEPROM), flash memory or other memory technology, compact disc read-only memory (CD-ROM), digital versatile disc (DVD) or other optical storage, magnetic cassettes, magnetic tape, magnetic disk storage or other magnetic storage devices or any other non-transmission media that can be used to store information that can be accessed by a computing device. As defined herein, computer-readable media does not include transitory computer-readable media (transitory media), such as modulated data signals and carrier waves.

还需要说明的是，术语“包括”、“包含”或者其任何其他变体意在涵盖非排他性的包含，从而使得包括一系列要素的过程、方法、商品或者设备不仅包括那些要素，而且还包括没有明确列出的其他要素，或者是还包括为这种过程、方法、商品或者设备所固有的要素。在没有更多限制的情况下，由语句“包括一个……”限定的要素，并不排除在包括所述要素的过程、方法、商品或者设备中还存在另外的相同要素。It should also be noted that the terms "comprises," "includes," or any other variations thereof are intended to encompass non-exclusive inclusion, such that a process, method, commodity, or apparatus that includes a series of elements includes not only those elements but also other elements not explicitly listed, or includes elements inherent to such process, method, commodity, or apparatus. In the absence of further limitations, an element defined by the phrase "comprises a ..." does not exclude the presence of other identical elements in the process, method, commodity, or apparatus that includes the element.

本说明书中的各个实施例均采用递进的方式描述，各个实施例之间相同相似的部分互相参见即可，每个实施例重点说明的都是与其他实施例的不同之处。尤其，对于系统实施例而言，由于其基本相似于方法实施例，所以描述的比较简单，相关之处参见方法实施例的部分说明即可。The various embodiments in this specification are described in a progressive manner. Similar parts between the various embodiments can be referred to in conjunction with each other. Each embodiment focuses on the differences between the other embodiments. In particular, the system embodiments are generally similar to the method embodiments, so the description is relatively simple. For relevant parts, refer to the description of the method embodiments.

Claims

1. A method for accessing business data, comprising:

The first service node receives an access request from a service initiator, the access request being used to request access to target service data on the blockchain. The access request includes an identity identifier, which is used to identify the owner of the target service data. Target encrypted service data on the blockchain based on the target service is associated with the identity identifier and the service identifier, which is used to identify the access service corresponding to the access request.

The first service node sends the access request to the authorization and authentication server;

The authorization authentication server performs authorization authentication on the owner based on the identity identifier;

The authorization authentication server responds to the access request based on the result of the authorization authentication;

The authorization authentication server performs authorization authentication on the owner based on the identity identifier, including: the authorization authentication server sends an authorization authentication request including the identity identifier to the mobile terminal, so that the mobile terminal performs authorization authentication on the owner based on the identity identifier; the authorization authentication server receives the identity authentication response including authentication record data from the mobile terminal.

2. The method according to claim 1, wherein the target encrypted service data is obtained by encrypting the target service data using a first encryption key corresponding to the first service node and a second encryption key corresponding to the owner.

3. The method according to claim 2, before the authorization and authentication server performs authorization and authentication on the owner based on the identity identifier, further comprising:

The first service node sends the target encrypted service data to the authorization and authentication server;

The authorization authentication server responds to the access request based on the result of the authorization authentication, including:

If the authorization authentication is passed, decrypting the target encrypted service data using the second decryption key corresponding to the second encryption key to obtain the target initial decrypted service data;

The target initial decrypted business data is sent to the first service node, so that the first service node decrypts the target initial decrypted business data to obtain the target business data and then sends it to the business initiator, and the first service node uses the first decryption key corresponding to the first encryption key to decrypt the target initial decrypted business data.

4. The method according to claim 2, wherein the authorization authentication server responds to the access request based on the result of the authorization authentication, comprising:

If the authorization authentication is successful, sending the second decryption key corresponding to the second encryption key to the first service node, so that the first service node decrypts the target encrypted service data to obtain the target service data and then sends it to the service initiator;

The first service node decrypts the target encrypted service data using the second decryption key and the first decryption key corresponding to the first encrypted data.

5. The method according to any one of claims 1 to 4, wherein the first service node sends the access request to the authorization and authentication server, comprising:

The first service node sends the access request and the service identifier to the authorization and authentication server;

The method further comprises:

The authorization authentication server establishes and stores the authentication record data of the authorization authentication, the association relationship between the identity identifier and the service identifier;

The authorization authentication server determines a hash value of the authentication record data, establishes an association relationship between the hash value and the identity identifier and the service identifier, and sends the hash value to the first service node;

The first service node synchronizes the hash value to a node in the blockchain to implement on-chain storage of the hash value.

6. The method according to claim 5, wherein sending the hash value to the first service node comprises:

Sending the hash value, the electronic certificate of the owner, and the electronic certificate of the authorization authentication server to the first service node;

The first service node synchronizing the hash value to a node in the blockchain includes:

The first service node synchronizes the hash value, the electronic certificate of the owner, and the electronic certificate of the authorization authentication server to a node in the blockchain.

7. The method according to claim 1, wherein the authorization authentication request further includes authorization authentication mode indication information, and the authorization authentication mode indication information is used to indicate the authentication mode adopted by the mobile terminal for authorization authentication.

8. The method according to claim 7, wherein the authentication record data includes at least one of the authorization authentication time, the identifier of the mobile terminal, the identity identifier, the authorization verification result, and the information to be verified collected during the authorization authentication process.

9. The method according to any one of claims 1 to 4, further comprising:

The second service node receives the target service data sent by the service data provider;

The second service node encrypts the target service data using a first encryption key corresponding to the first service node and a second encryption key corresponding to the owner to obtain the target encrypted service data;

The second service node synchronizes the target encrypted business data to the node of the blockchain to achieve the on-chain of the target encrypted business data.

10. The method according to claim 9, further comprising:

The second service node invokes a communication interface between the second service node and the authorization authentication server to obtain a second encryption key corresponding to the owner.

11. A method for accessing business data, comprising:

The first service node sends the access request to the authorization and authentication server, and the authorization and authentication server is used to send the authorization and authentication request including the identity identifier to the mobile terminal, so that the mobile terminal authorizes and authenticates the owner based on the identity identifier, and receives the identity authentication response including the authentication record data from the mobile terminal.

12. A method for accessing business data, comprising:

The authorization and authentication server receives an access request sent by the first service node. The access request is sent by the service initiator to the first service node. The access request is used to request access to target service data on the blockchain. The access request includes an identity identifier, which is used to identify the owner of the target service data. The target encrypted service data on the blockchain based on the target service data is associated with the identity identifier and the service identifier, and the service identifier is used to identify the access service corresponding to the access request.

13. A business data access system comprising:

A first service node receives an access request from a service initiator, the access request being used to request access to target service data on a blockchain, the access request including an identity identifier, the identity identifier being used to identify the owner of the target service data, and the target encrypted service data on the blockchain based on the target service being associated with the identity identifier and the service identifier, the service identifier being used to identify the access service corresponding to the access request;

14. A device for accessing business data, comprising:

A receiving unit receives an access request from a service initiator, the access request being used to request access to target service data on a blockchain, the access request including an identity identifier, the identity identifier being used to identify a person to whom the target service data belongs, and the target encrypted service data on the blockchain based on the target service being associated with the identity identifier and the service identifier, the service identifier being used to identify the access service corresponding to the access request;

The sending unit sends the access request to the authorization authentication server, and the authorization authentication server is used to send the authorization authentication request including the identity identifier to the mobile terminal, so that the mobile terminal performs authorization authentication on the owner based on the identity identifier, and receives the identity authentication response including the authentication record data from the mobile terminal.

15. An authorization authentication device, comprising:

A transceiver unit receives an access request sent by a first service node, the access request being sent by a service initiator to the first service node, the access request being used to request access to target service data on a blockchain, the access request including an identity identifier, the identity identifier being used to identify a person to whom the target service data belongs, target encrypted service data on the blockchain based on the target service data being associated with the identity identifier and the service identifier, the service identifier being used to identify the access service corresponding to the access request;

A processing unit, performing authorization authentication on the owner based on the identity identifier;

The processing unit responds to the access request based on the result of the authorization authentication;

Among them, the processing unit authorizes and authenticates the owner based on the identity identifier, including: the processing unit sends an authorization and authentication request including the identity identifier to the mobile terminal, so that the mobile terminal authorizes and authenticates the owner based on the identity identifier; the processing unit receives the identity authentication response including authentication record data from the mobile terminal.

16. An electronic device comprising:

processor; and

a memory arranged to store computer-executable instructions which, when executed, cause the processor to:

Receive an access request from a service initiator, the access request being used to request access to target service data on the blockchain, the access request including an identity identifier, the identity identifier being used to identify the owner of the target service data, and the target encrypted service data on the blockchain based on the target service being associated with the identity identifier and the service identifier, the service identifier being used to identify the access service corresponding to the access request;

The access request is sent to the authorization authentication server, which is used to send the authorization authentication request including the identity identifier to the mobile terminal, so that the mobile terminal performs authorization authentication on the owner based on the identity identifier, and receives the identity authentication response including the authentication record data from the mobile terminal.

17. An electronic device comprising:

processor; and

Receiving an access request sent by a first service node, the access request being sent by a service initiator to the first service node, the access request being used to request access to target service data on the blockchain, the access request including an identity identifier, the identity identifier being used to identify the owner of the target service data, target encrypted service data on the blockchain based on the target service data being associated with the identity identifier and the service identifier, the service identifier being used to identify the access service corresponding to the access request;

Based on the identity identifier, authorization and authentication are performed on the owner;

Respond to the access request based on the result of the authorization authentication;

Among them, based on the identity identifier, authorizing and authenticating the owner includes: sending an authorization and authentication request including the identity identifier to the mobile terminal, so that the mobile terminal authorizes and authenticates the owner based on the identity identifier; and receiving an identity authentication response including authentication record data from the mobile terminal.

18. A computer-readable medium storing one or more programs that, when executed by an electronic device including a plurality of application programs, causes the electronic device to perform the following operations:

19. A computer-readable medium storing one or more programs that, when executed by an electronic device including a plurality of application programs, causes the electronic device to perform the following operations: