CN111371790A - Data encryption sending method based on alliance chain, related method, device and system - Google Patents

Info

Publication number
CN111371790A
Authority
CN
China
Prior art keywords
shared secret
secret
ciphertext
alliance
key
Legal status
Granted
Application number
CN202010146776.XA
Other languages
Chinese (zh)
Other versions
CN111371790B (en)
Inventor
罗靖
张楠
江富浩
朱琼飞
Current Assignee
Industrial and Commercial Bank of China Ltd ICBC
Original Assignee
Industrial and Commercial Bank of China Ltd ICBC
Application filed by Industrial and Commercial Bank of China Ltd ICBC
Priority to CN202010146776.XA
Publication of CN111371790A
Application granted
Publication of CN111371790B
Legal status: Active

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/04 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
    • H04L63/0428 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/10 Network architectures or network communication protocols for network security for controlling access to devices or network resources
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/08 Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L9/0816 Key establishment, i.e. cryptographic processes or cryptographic protocols whereby a shared secret becomes available to two or more parties, for subsequent use
    • H04L9/085 Secret sharing or secret splitting, e.g. threshold schemes
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/08 Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L9/0861 Generation of secret information including derivation or calculation of cryptographic keys or passwords

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Information Transfer Between Computers (AREA)
  • Storage Device Security (AREA)

Abstract

The invention provides a data encryption sending method based on an alliance chain, together with a related method, device and system. The data encryption sending method comprises the following steps: encrypting original data according to a key to obtain a ciphertext, and uploading the ciphertext and its access control policy to the alliance chain network in a publicly accessible manner; encrypting the key using the Shamir threshold secret sharing technique to generate a plurality of shared secrets, and distributing the shared secrets to a plurality of alliance chain nodes, so that each of those alliance chain nodes stores part of the shared secrets. Each of those alliance chain nodes lets a requester download the shared secret only as permitted by the access control policy; an authorized party restores the key from the shared secrets fed back by the alliance chain nodes and then decrypts the ciphertext to obtain the original data. The local operation cost is therefore low and security is improved.

Description

Data encryption sending method based on alliance chain, related method, device and system
Technical Field
The present invention relates to the field of blockchain technologies, and in particular to a federation chain-based data encryption transmission method, and a related method, device, and system.
Background
The blockchain is a decentralized distributed storage database with the characteristics of decentralized storage, distributed consensus, immutable on-chain content and the like. At the current stage of development, a blockchain system generally provides a programmable interface, typified by the smart contract, so that users can use the characteristics of the blockchain to implement various functions.
A federation chain is a type of blockchain that is jointly managed by several organizations or institutions, each of which runs one or more nodes; its data may be read, and transactions may be sent, only by the different organizations within the system, which collectively record the transaction data. The alliance chain can better fulfil the Internet's role of interconnection and information sharing. But as the application scenarios of the alliance chain become richer, the privacy and security requirements on data transfer become higher and higher.
At present, if a copy of encrypted data is to be shared by multiple receivers, either the sender notifies each receiver that needs the key one by one, or the sender lets a cloud server keep the key on its behalf. The first approach increases the overhead for the sender. The security of the second approach is low, because the cloud server may itself decrypt using the key, or may pass the key to an unauthorized person and thereby give that person the ability to view the contents of the file.
Disclosure of Invention
The present invention provides a federation chain-based data encryption transmission method and apparatus, a data reception and decryption method and apparatus, a shared secret download control method and apparatus, a data encryption transmission system, an electronic device, and a computer-readable storage medium, which can at least partially solve the problems in the prior art.
To achieve this purpose, the invention adopts the following technical solutions:
In a first aspect, a federation chain-based data encryption transmission method is provided, which operates in a sender node and includes:
encrypting original data according to a key to obtain a ciphertext, and uploading the ciphertext and its access control policy to the alliance chain network in a publicly accessible manner, so that each alliance chain node in the alliance chain network can obtain the ciphertext and its access control policy;
encrypting the key using the Shamir threshold secret sharing technique to generate a plurality of shared secrets, and distributing the shared secrets to a plurality of alliance chain nodes, so that each of the plurality of alliance chain nodes stores part of the shared secrets;
so that each of the plurality of alliance chain nodes allows a requester to download the shared secret in accordance with the access control policy, and an authorized party restores the key from the shared secrets fed back by the alliance chain nodes and then decrypts the ciphertext to obtain the original data.
Further, the data encryption sending method based on the alliance chain further comprises the following steps:
probabilistically outputting the key according to input security parameters.
Further, the access control policy is sent in the form of a transaction request that also includes a ciphertext identifier corresponding to the access control policy.
In a second aspect, there is provided a federation chain-based data encryption transmission apparatus, operable at a sender node, the apparatus comprising:
the ciphertext encryption sending module is used for encrypting original data according to a key to obtain a ciphertext, and uploading the ciphertext and its access control policy to the alliance chain network in a publicly accessible manner, so that each alliance chain node in the alliance chain network can obtain the ciphertext and its access control policy;
the shared secret generation and transmission module is used for encrypting the key using the Shamir threshold secret sharing technique to generate a plurality of shared secrets, and distributing the shared secrets to a plurality of alliance chain nodes, so that each of the plurality of alliance chain nodes stores part of the shared secrets;
so that each of the plurality of alliance chain nodes allows a requester to download the shared secret in accordance with the access control policy, and an authorized party restores the key from the shared secrets fed back by the alliance chain nodes and then decrypts the ciphertext to obtain the original data.
In a third aspect, a federation chain-based data receiving and decrypting method is provided, which operates in an authorized receiver node, and includes:
issuing a download request to the federation chain network, the download request comprising a public key and a ciphertext identifier, so that a federation chain node storing a shared secret in the federation chain network judges, according to the public key and a pre-acquired access control policy corresponding to the ciphertext identifier, whether downloading of the shared secret is allowed, and if so, feeds back shared secret encrypted data obtained by encrypting the shared secret with the public key;
acquiring the shared secret encrypted data fed back by the federation chain nodes;
decrypting the shared secret encrypted data according to the private key corresponding to the public key to obtain the shared secrets;
restoring the key from the obtained shared secrets using the Shamir threshold secret sharing technique;
and decrypting the pre-acquired ciphertext corresponding to the ciphertext identifier according to the key to obtain the original data.
Further, the download request is issued in the form of a transaction request.
Further, the data receiving and decrypting method based on the alliance chain further comprises the following steps:
and acquiring the ciphertext uploaded to the alliance chain network by the sender in a publicly accessible form according to the ciphertext identifier.
In a fourth aspect, there is provided a federation chain-based data reception decryption apparatus, operable at an authorized recipient node, the apparatus comprising:
a download request sending module, which issues a download request to the alliance chain network, the download request comprising a public key and a ciphertext identifier, so that a federation chain node storing a shared secret in the federation chain network judges, according to the public key and a pre-acquired access control policy corresponding to the ciphertext identifier, whether downloading of the shared secret is allowed, and if so, feeds back shared secret encrypted data obtained by encrypting the shared secret with the public key;
the shared secret encrypted data receiving module is used for acquiring the shared secret encrypted data fed back by the federation chain nodes;
the shared secret encrypted data decryption module is used for decrypting the shared secret encrypted data according to the private key corresponding to the public key to obtain the shared secrets;
the key restoration module is used for restoring the key from the obtained shared secrets using the Shamir threshold secret sharing technique;
and the ciphertext decryption module is used for decrypting the pre-acquired ciphertext corresponding to the ciphertext identifier according to the key to obtain the original data.
In a fifth aspect, a federation chain-based shared secret download control method is provided, applied to a federation chain node pre-storing a shared secret, and including:
acquiring and recording a downloading request sent by a receiver, wherein the downloading request comprises: a public key and a ciphertext identifier;
judging whether the receiver is allowed to download the pre-stored shared secret according to a pre-acquired access control strategy corresponding to the ciphertext identifier and the public key;
if yes, the shared secret is encrypted by the public key to obtain shared secret encryption data, and the shared secret encryption data are sent to the receiver.
Further, the method for controlling downloading of the shared secret based on the alliance chain further comprises the following steps:
the shared secret sent by the sender is received and stored.
Further, the method for controlling downloading of the shared secret based on the alliance chain further comprises the following steps:
and receiving and storing the ciphertext uploaded to the alliance chain network by the sender in a publicly accessible form and the access control strategy thereof.
In a sixth aspect, there is provided a federation chain-based shared secret download control apparatus, applied to a federation chain node pre-storing a shared secret, the apparatus including:
the download request acquisition module acquires and records a download request sent by a receiver, wherein the download request comprises: a public key and a ciphertext identifier;
the authority verification module is used for judging whether the receiver is allowed to download the prestored shared secret according to the pre-acquired access control strategy corresponding to the ciphertext identifier and the public key;
and the shared secret encryption sending module is used for encrypting the shared secret by using the public key to obtain shared secret encryption data and sending the shared secret encryption data to the receiver if the receiver is allowed to download the pre-stored shared secret.
In a sixth aspect, a federation chain-based data encryption transmission system is provided, including: a sender, a receiver, and a federation link node;
the sender encrypts original data according to a pre-acquired key to obtain a ciphertext, uploads the ciphertext and its access control policy to the alliance chain network in a publicly accessible manner, encrypts the key using the Shamir threshold secret sharing technique to generate a plurality of shared secrets, and distributes the shared secrets to a plurality of alliance chain nodes;
the receiver issues a download request to the federation chain network, the download request including: a public key and a ciphertext identifier;
the alliance chain node judges, according to the public key and the pre-acquired access control policy corresponding to the ciphertext identifier, whether the receiver is allowed to download the pre-stored shared secret; if so, it encrypts the shared secret with the public key to obtain shared secret encrypted data, and sends the shared secret encrypted data to the receiver;
the receiver acquires the shared secret encrypted data fed back by each alliance chain node; decrypts the shared secret encrypted data according to the private key corresponding to the public key to obtain the shared secret held by each alliance chain node; restores the key from the obtained shared secrets using the Shamir threshold secret sharing technique; and decrypts the pre-acquired ciphertext corresponding to the ciphertext identifier according to the key to obtain the original data.
In a seventh aspect, an electronic device is provided, which includes a memory, a processor, and a computer program stored in the memory and executable on the processor, and when the processor executes the program, the processor implements the steps of the above-mentioned method for encrypting and sending data based on a federation chain, or the above-mentioned method for receiving and decrypting data based on a federation chain, or the above-mentioned method for controlling downloading of a shared secret based on a federation chain.
In an eighth aspect, a computer-readable storage medium is provided, on which a computer program is stored, which, when executed by a processor, implements the steps of the above-mentioned federation chain-based data encryption transmission method or the above-mentioned federation chain-based data reception decryption method or the above-mentioned federation chain-based shared secret download control method.
The invention provides an alliance chain-based data encryption transmission method and device, a data receiving and decrypting method and device, an alliance chain-based shared secret download control method and device, an alliance chain-based data encryption transmission system, an electronic device and a computer-readable storage medium. The alliance chain-based data encryption transmission method operates on a sender node and comprises the following steps: encrypting original data according to a key to obtain a ciphertext, and uploading the ciphertext and its access control policy to the alliance chain network in a publicly accessible manner, so that each alliance chain node in the alliance chain network can obtain the ciphertext and its access control policy; encrypting the key using the Shamir threshold secret sharing technique to generate a plurality of shared secrets, and distributing the shared secrets to a plurality of alliance chain nodes, so that each of the plurality of alliance chain nodes stores part of the shared secrets. Each of the plurality of alliance chain nodes lets a requester download the shared secret only as permitted by the access control policy, and an authorized party restores the key from the shared secrets fed back by the alliance chain nodes and then decrypts the ciphertext to obtain the original data. The sender therefore only needs to encrypt the data once, generate the secret shares of the encryption key and set the access control policy; it does not need to send the key to each receiver, so the local operation cost is low. Because the Shamir threshold secret sharing technique is used, the scheme does not depend on a single node, and security is improved.
In order to make the aforementioned and other objects, features and advantages of the invention comprehensible, preferred embodiments accompanied with figures are described in detail below.
Drawings
In order to more clearly illustrate the embodiments of the present application or the technical solutions in the prior art, the drawings needed to be used in the description of the embodiments or the prior art will be briefly introduced below, and it is obvious that the drawings in the following description are some embodiments of the present application, and it is obvious for those skilled in the art to obtain other drawings based on these drawings without creative efforts. In the drawings:
FIG. 1 is a first flowchart of a federation chain-based data encryption transmission method in an embodiment of the present invention;
FIG. 2 is a second flowchart of a federation chain-based data encryption transmission method in an embodiment of the present invention;
FIG. 3 is a block diagram of a federation chain-based data encryption transmitting apparatus in an embodiment of the present invention;
FIG. 4 is a flowchart of a federation chain-based data reception decryption method in an embodiment of the present invention;
FIG. 5 is a block diagram of a federation chain-based data receiving decryption apparatus in an embodiment of the present invention;
FIG. 6 is a flowchart of a federation chain-based shared secret download control method in an embodiment of the present invention;
FIG. 7 is a block diagram of a federation chain-based shared secret download control apparatus in an embodiment of the present invention;
FIG. 8 is a diagram of the architecture of a federation chain-based data encryption transmission system in an embodiment of the present invention;
FIG. 9 is a block diagram of an electronic device according to an embodiment of the invention.
Detailed Description
In order to make the technical solutions better understood by those skilled in the art, the technical solutions in the embodiments of the present application will be clearly and completely described below with reference to the drawings in the embodiments of the present application, and it is obvious that the described embodiments are only partial embodiments of the present application, but not all embodiments. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present application.
As will be appreciated by one skilled in the art, embodiments of the present invention may be provided as a method, system, or computer program product. Accordingly, the present invention may take the form of an entirely hardware embodiment, an entirely software embodiment or an embodiment combining software and hardware aspects. Furthermore, the present invention may take the form of a computer program product embodied on one or more computer-usable storage media (including, but not limited to, disk storage, CD-ROM, optical storage, and the like) having computer-usable program code embodied therein.
It should be noted that the terms "comprises" and "comprising," and any variations thereof, in the description and claims of this application and the above-described drawings, are intended to cover a non-exclusive inclusion, such that a process, method, system, article, or apparatus that comprises a list of steps or elements is not necessarily limited to those steps or elements expressly listed, but may include other steps or elements not expressly listed or inherent to such process, method, article, or apparatus.
It should be noted that the embodiments and features of the embodiments in the present application may be combined with each other without conflict. The present application will be described in detail below with reference to the embodiments with reference to the attached drawings.
Fig. 1 is a first flowchart of a federation chain-based data encryption transmission method in an embodiment of the present invention; as shown in fig. 1, the federation chain-based data encryption transmission method operates on a sender node and may include the following:
Step S100: encrypting original data according to a key to obtain a ciphertext, and uploading the ciphertext and its access control policy to the alliance chain network in a publicly accessible manner, so that each alliance chain node in the alliance chain network can obtain the ciphertext and its access control policy.
Specifically, a symmetric encryption system may be adopted, using the following algorithm:
$C \leftarrow \mathrm{SE.Enc}(K, P)$: input a symmetric key K and a plaintext P, and probabilistically output a ciphertext C.
It is worth mentioning that the following algorithm can be used for decryption:
$P \leftarrow \mathrm{SE.Dec}(K, C)$: input the symmetric key K and the ciphertext C, and output the corresponding plaintext P.
Common symmetric encryption systems include AES, DES, and the like.
Step S200: encrypting the key using the Shamir threshold secret sharing technique to generate a plurality of shared secrets, and distributing the shared secrets to a plurality of federation chain nodes.
By distributing the shared secrets to the plurality of federation chain nodes, each of those federation chain nodes stores part of the shared secrets.
Specifically, the shared secrets may be sent to all federation chain nodes in the federation chain network, or only some of the federation chain nodes may be selected to store them. To reduce the possibility of malicious collusion among nodes, the more nodes that participate in storing the shared secrets, the better.
It should be noted that Shamir threshold secret sharing, also called the Shamir (t, n)-threshold secret sharing system, splits a piece of data into n shared secrets; when any t of the n shared secrets are obtained the original data can be restored, and otherwise it cannot. The Shamir threshold secret sharing system is typically constructed using the Lagrange interpolation formula.
Encrypting the key using the Shamir threshold secret sharing technique to generate multiple shared secrets is accomplished with the following algorithm:
$(S_1, S_2, \ldots, S_n) \leftarrow \mathrm{Split}(K)$: encrypt the data K and decompose it into n shared secrets, such that K cannot be restored from any set of fewer than t shared secrets.
It is worth noting that the following algorithm is used when restoring the key K:
Figure BDA0002401034350000071
inputting arbitrary t shared secrets
Figure BDA0002401034350000072
($1 \le k \le t$, $1 \le i_k \le n$), and the original data K is restored.
In this way, each of the plurality of alliance chain nodes allows a requester to download the shared secret in accordance with the access control policy, and an authorized party restores the key from the shared secrets fed back by the alliance chain nodes and then decrypts the ciphertext to obtain the original data.
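The Split and restore steps of step S200, together with the policy-gated download at each node, as an added example (not code from the patent). It assumes the prime field 2^521 - 1, an access control policy modelled as a set of authorised public keys, and hypothetical names (`Node`, `distribute`, `collect`); the patent has each node encrypt the returned share under the requester's public key, which is omitted here.

```python
import secrets

# Assumption: arithmetic is done in the prime field GF(2**521 - 1), a Mersenne
# prime comfortably larger than any 256-bit symmetric key K.
PRIME = 2**521 - 1


def split(key, t, n):
    """Split step: return n shares (x, f(x)); any t of them determine the key."""
    if not 2 <= t <= n:
        raise ValueError("need 2 <= t <= n")
    secret = int.from_bytes(key, "big")
    if secret >= PRIME:
        raise ValueError("key does not fit in the field")
    # Random polynomial f of degree t-1 with f(0) = secret; the other
    # coefficients must come from a CSPRNG or the threshold property is lost.
    coeffs = [secret] + [secrets.randbelow(PRIME) for _ in range(t - 1)]

    def f(x):
        acc = 0
        for c in reversed(coeffs):  # Horner evaluation mod PRIME
            acc = (acc * x + c) % PRIME
        return acc

    return [(x, f(x)) for x in range(1, n + 1)]


def recover(shares):
    """Restore step: Lagrange interpolation at x = 0, returned as an integer."""
    xs = [x for x, _ in shares]
    if len(set(xs)) != len(xs):
        raise ValueError("duplicate share index")
    secret = 0
    for j, (xj, yj) in enumerate(shares):
        num, den = 1, 1
        for m, (xm, _) in enumerate(shares):
            if m != j:
                num = num * (-xm) % PRIME
                den = den * (xj - xm) % PRIME
        secret = (secret + yj * num * pow(den, -1, PRIME)) % PRIME
    return secret


class Node:
    """Hypothetical alliance chain node holding one share per ciphertext id."""

    def __init__(self, name):
        self.name = name
        self.shares = {}     # ciphertext id -> (x, y)
        self.policies = {}   # ciphertext id -> authorised public keys (assumed format)
        self.audit_log = []  # every request is recorded, allowed or not

    def store(self, cid, share, policy):
        self.shares[cid] = share
        self.policies[cid] = frozenset(policy)

    def handle_download(self, cid, requester_pubkey):
        allowed = requester_pubkey in self.policies.get(cid, frozenset())
        self.audit_log.append((cid, requester_pubkey, allowed))
        # The patent returns the share encrypted under requester_pubkey;
        # that wrapping is left out of this sketch.
        return self.shares[cid] if allowed else None


def distribute(key, cid, policy, nodes, t):
    """Sender side: one share per node, plus the policy for this ciphertext."""
    for node, share in zip(nodes, split(key, t, len(nodes))):
        node.store(cid, share, policy)


def collect(nodes, cid, requester_pubkey):
    """Receiver side: gather the shares that nodes are willing to release."""
    replies = (node.handle_download(cid, requester_pubkey) for node in nodes)
    return [s for s in replies if s is not None]


if __name__ == "__main__":
    # Constructed sample values: a random 256-bit key, five nodes, t = 3.
    key = secrets.token_bytes(32)
    nodes = [Node("org%d" % i) for i in range(5)]
    distribute(key, "ct-001", {"pk-alice"}, nodes, t=3)
    got = collect(nodes, "ct-001", "pk-alice")
    print(recover(got[:3]).to_bytes(32, "big") == key)
```

Interpolating fewer than t shares still returns a field element, just not the key, so a receiver needs some way to confirm it has the right key, for example a successful decryption of the ciphertext.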
It should be noted that each node in the federation chain is an accounting node, and each node may act as a sender node, a receiver node, or a federation chain node storing a shared secret, as determined by the needs of that node.
With this technical solution, a ciphertext data authorization sharing scheme based on the alliance chain and the Shamir threshold secret sharing system is designed, using the alliance chain's decentralized consensus and permanent on-chain data recording, so that the key cannot be leaked, and every access to the key is recorded on the alliance chain network and cannot be changed, so that it can be audited and checked later.
In addition, the sender only needs to encrypt the data once, generate the secret shares of the key and set the access control policy, so the local operation cost is low. All data are stored in the alliance chain network, which ensures that the data are available at any time and place and avoids service unavailability caused by a single point of failure. Furthermore, enforcement of the access control policy does not depend on a single server node but requires the approval of no fewer than t central servers (namely, the servers of the nodes); the central servers belong to different independent organizations, and the possibility of their colluding maliciously is low, so the ciphertext has higher security. Ciphertext upload requests and download and decryption requests all go through the alliance chain, every request relating to the key is recorded by the alliance chain network, and access to user data can be tracked, so operations are auditable and data are traceable.
In an alternative embodiment, referring to fig. 2, the federation chain-based data encryption transmission method may further include the following:
step S50: probabilistically outputting the key according to input security parameters.
Specifically, the following algorithm may be employed:
$K \leftarrow \mathrm{SE.KeyGen}(1^{\lambda})$: input the security parameter $1^{\lambda}$, and probabilistically output the symmetric key K.
In an alternative embodiment, the access control policy is sent in the form of a transaction request that also includes a ciphertext identifier corresponding to the access control policy.
Specifically, in a federation chain, a user must construct a transaction to invoke the functionality of a smart contract. After the transaction request is executed by the miners, the transaction itself and its execution result are packaged into a block, where they are permanently recorded for later review.
In an alternative embodiment, the sender node also needs to initialize the necessary environment and parameters in the system.
At this stage, the central servers $\mathrm{Serv}_i$ ($1 \le i \le n$) of the n organizations in the federation chain act as blockchain accounting nodes, join the alliance chain network, and compete with one another for the accounting right according to the consensus mechanism. After the alliance chain network is running, the sender and the receiver each register in the alliance chain and join the alliance chain network as users.
Based on the same inventive concept, the embodiment of the present application further provides a federation chain-based data encryption transmitting apparatus, which can be used to implement the method described in the foregoing embodiment, as described in the following embodiment. Because the apparatus solves the problem on a principle similar to that of the method, its implementation can refer to the implementation of the method, and the details are not repeated here. As used hereinafter, the term "unit" or "module" may be a combination of software and/or hardware that implements a predetermined function. Although the apparatus described in the embodiments below is preferably implemented in software, an implementation in hardware, or in a combination of software and hardware, is also possible and contemplated.
Fig. 3 is a block diagram of a data encryption transmitting apparatus based on a federation chain in the embodiment of the present invention; as shown in fig. 3, the apparatus for encrypting and sending data based on a federation chain specifically includes: ciphertext encryption transmission module 10 and shared secret generation transmission module 20.
The ciphertext encryption sending module 10 encrypts original data according to a key to obtain a ciphertext, and uploads the ciphertext and its access control policy to an alliance chain network in a publicly accessible manner, so that each alliance chain node in the alliance chain network can obtain the ciphertext and its access control policy;
the shared secret generation and transmission module 20 processes the key with the Shamir threshold secret sharing technique to generate a plurality of shared secrets, and secretly distributes the shared secrets to a plurality of alliance chain nodes, so that each of the plurality of alliance chain nodes stores part of the shared secrets;
as a result, each of the plurality of alliance chain nodes allows a requester to download its shared secret according to the access control policy, and an authorized party restores the key from the shared secrets fed back by the alliance chain nodes and then decrypts the ciphertext to obtain the original data.
FIG. 4 is a flow chart of a federation chain-based data reception decryption method in an embodiment of the present invention; as shown in fig. 4, the federation chain-based data reception decryption method operates on an authorized recipient node, and includes the following:
step S1000: issuing a download request to a federation chain network, the download request comprising: a public key and a ciphertext identifier.
Wherein the download request is issued in the form of a transaction request.
Specifically, a download request is issued to an alliance chain network, so that alliance chain nodes with shared secrets in the alliance chain network judge whether to allow the shared secrets to be downloaded according to a pre-acquired access control strategy corresponding to the ciphertext identifier and the public key, and if yes, shared secret encryption data obtained by encrypting the shared secrets through the public key is fed back;
It is worth noting that in modern PKI architectures, a public key is able to identify the identity of its owner.
As can be understood by those skilled in the art, for a node without ciphertext reception right, even if the node uploads a download request, the federation node determines that the shared secret is not allowed to be downloaded according to the pre-acquired access control policy corresponding to the ciphertext identifier and the public key, at this time, the process ends, and refuses to send the shared secret to the node without ciphertext reception right.
Step S2000: acquiring shared secret encryption data fed back by the nodes of the alliance;
after the alliance chain verifies the receiver node, the shared secret encryption is fed back to the authorized receiver node, the receiver node receives the shared secret encryption data fed back by each alliance link node, and according to the description of Shamir threshold secret sharing, when the number of the received shared secrets reaches a certain requirement, the secret key can be restored.
The alliance chain node uses the public key to encrypt the shared secret, which can be implemented with the following algorithm:
D ← PKE.Enc(PK, S): input a public key PK and a plaintext S, and output a ciphertext D;
step S3000: decrypting the shared secret encrypted data according to a private key corresponding to the public key to obtain a shared secret;
the private key and the public key are paired, and the data encrypted by the public key can be decrypted by the private key, so that the private key can be effectively prevented from being leaked.
Specifically, the following algorithm is adopted for implementation:
S ← PKE.Dec(SK, D): input the private key SK and the ciphertext D, and output the corresponding plaintext S.
It should be noted that the encryption and decryption using public and private keys can be implemented with a public key encryption (PKE) scheme. Common public key encryption systems include RSA, ElGamal, and the like, and are generally used in scenarios where the encrypting party and the decrypting party are separate. The public key PK is publicly available to all encryptors, and the private key SK is kept secret by the decryptor.
Step S4000: reducing the obtained shared secret by adopting a Shamir threshold secret sharing technology to obtain a secret key;
specifically, the following algorithm is employed:
Figure BDA0002401034350000101
inputting arbitrary t shared secrets
Figure BDA0002401034350000102
(1 ≤ k ≤ t, 1 ≤ i_k ≤ n), and the original data K is restored.
Step S5000: and decrypting the pre-acquired ciphertext corresponding to the ciphertext identifier according to the key to obtain original data.
Specifically, the following algorithm is adopted for implementation:
P ← SE.Dec(K, C): input the symmetric key K and the ciphertext C, and output the corresponding plaintext P.
By adopting the technical scheme, the sender only needs to encrypt the ciphertext data once, only needs to generate secret sharing of the encryption key and set an access control strategy, does not need to send the key to each receiver respectively, has low local operation cost, utilizes a Shamir threshold secret sharing technology, does not depend on a single node, and improves the safety.
In an optional embodiment, the federation chain-based data reception decryption method may further include:
and generating a symmetric public and private key pair. The method is realized by adopting the following algorithm:
(PK, SK) ← PKE.KeyGen(1^λ): input the security parameter 1^λ, and output a public key PK and a private key SK;
in an optional embodiment, the federation chain-based data reception decryption method may further include:
and acquiring the ciphertext uploaded to the alliance chain network by the sender in a publicly accessible form according to the ciphertext identifier.
Based on the same inventive concept, the embodiment of the present application further provides a data receiving and decrypting apparatus based on a federation chain, which can be used to implement the method described in the foregoing embodiment, as described in the following embodiment. Because the principle of solving the problem of the data receiving and decrypting device based on the alliance chain is similar to that of the method, the implementation of the data receiving and decrypting device based on the alliance chain can refer to the implementation of the method, and repeated details are not repeated. As used hereinafter, the term "unit" or "module" may be a combination of software and/or hardware that implements a predetermined function. Although the means described in the embodiments below are preferably implemented in software, an implementation in hardware, or a combination of software and hardware is also possible and contemplated.
FIG. 5 is a block diagram of a federation chain-based data receiving decryption apparatus in an embodiment of the present invention; as shown in fig. 5, the federation chain-based data receiving decryption apparatus includes:
the download request sending module 100 issues a download request to the alliance-link network, where the download request includes: the public key and the ciphertext identifier enable a federation chain node storing the shared secret in the federation chain network to judge whether the shared secret is allowed to be downloaded according to a pre-acquired access control strategy corresponding to the ciphertext identifier and the public key, and if yes, feedback shared secret encryption data obtained by encrypting the shared secret by using the public key;
the shared secret encrypted data receiving module 200 acquires the shared secret encrypted data fed back by the alliance link points;
the shared secret encrypted data decryption module 300 decrypts the shared secret encrypted data according to the private key corresponding to the public key to obtain a shared secret;
the secret key restoring module 400 restores the obtained shared secret by adopting a Shamir threshold secret sharing technology to obtain a secret key;
the ciphertext decryption module 500 decrypts the ciphertext corresponding to the ciphertext identifier, which is obtained in advance, according to the key to obtain the original data.
FIG. 6 is a flowchart illustrating a federation chain-based shared secret download control method in an embodiment of the present invention; as shown in fig. 6, the federation chain-based shared secret download control method is applied to a federation chain node in which a shared secret is pre-stored, and includes the following steps:
step S001: acquiring and recording a downloading request sent by a receiver, wherein the downloading request comprises: a public key and a ciphertext identifier;
step S002: judging whether the receiver is allowed to download the pre-stored shared secret according to a pre-acquired access control strategy corresponding to the ciphertext identifier and the public key;
if yes, go to step S003; if not, the method flow is ended.
Step S003: and encrypting the shared secret by using the public key to obtain shared secret encrypted data, and sending the shared secret encrypted data to the receiver.
Specifically, encrypting the shared secret using the public key is implemented using the following algorithm:
D ← PKE.Enc(PK, S): input the public key PK and the plaintext S, and output the ciphertext D.
It will be appreciated by those skilled in the art that in a node that does not store a shared secret, even if the node receives a download request, no steps such as verifying recipient rights, etc. will be performed because there is no data available for download.
By adopting the technical scheme, the sender only needs to encrypt the ciphertext data once, only needs to generate secret sharing of the encryption key and set an access control strategy, does not need to send the key to each receiver respectively, has low local operation cost, utilizes a Shamir threshold secret sharing technology, does not depend on a single node, and improves the safety.
In an optional embodiment, the federation chain-based shared secret download control method may further include:
the shared secret sent by the sender is received and stored.
In an optional embodiment, the federation chain-based shared secret download control method may further include:
and receiving and storing the ciphertext uploaded to the alliance chain network by the sender in a publicly accessible form and the access control strategy thereof.
Based on the same inventive concept, the embodiment of the present application further provides a shared secret download control device based on a federation chain, which can be used to implement the method described in the foregoing embodiment, as described in the following embodiment. Because the principle of solving the problem of the shared secret download control device based on the alliance chain is similar to that of the method, the implementation of the shared secret download control device based on the alliance chain can refer to the implementation of the method, and repeated details are omitted. As used hereinafter, the term "unit" or "module" may be a combination of software and/or hardware that implements a predetermined function. Although the means described in the embodiments below are preferably implemented in software, an implementation in hardware, or a combination of software and hardware is also possible and contemplated.
FIG. 7 is a block diagram of a federation chain-based shared secret download control apparatus in an embodiment of the present invention; as shown in fig. 7, the federation chain-based shared secret download control apparatus includes: a download request acquisition module 001, a right verification module 002 and a shared secret encryption transmission module 003.
The download request obtaining module 001 obtains and records a download request sent by a receiver, where the download request includes: a public key and a ciphertext identifier;
the authority verification module 002 judges whether the receiver is allowed to download the pre-stored shared secret according to the pre-acquired access control strategy corresponding to the ciphertext identifier and the public key;
if the shared secret encryption sending module 003 allows the receiver to download the pre-stored shared secret, the shared secret is encrypted by using the public key to obtain shared secret encrypted data, and the shared secret encrypted data is sent to the receiver.
An embodiment of the present invention further provides a data encryption transmission system based on a federation chain, and referring to fig. 8, the data encryption transmission system based on a federation chain includes: a sender, a receiver, and a federation link node;
the sender encrypts original data according to a pre-acquired key to obtain a ciphertext, uploads the ciphertext and an access control strategy thereof to a alliance chain network in a publicly accessible manner, encrypts the key by adopting a Shamir threshold secret sharing technology to generate a plurality of shared secrets, and sends the shared secret distributed secrets to a plurality of alliance chain nodes;
the alliance chain nodes store the data ciphertexts, the access control policies, and the corresponding shared secrets of the key.
The receiver issues a download request to the federation chain network, the download request including: the public key and the ciphertext identifier are sent to the alliance chain network in the form of a smart contract;
the alliance link node judges whether the receiver is allowed to download the prestored shared secret according to the pre-acquired access control strategy corresponding to the ciphertext identifier and the public key; if so, encrypting the shared secret by using the public key to obtain shared secret encrypted data, and sending the shared secret encrypted data to the receiver;
the receiver acquires shared secret encryption data fed back by each alliance link point; decrypting the shared secret encrypted data according to a private key corresponding to the public key to obtain a shared secret in each alliance chain node; reducing the obtained shared secret by adopting a Shamir threshold secret sharing technology to obtain a secret key; and decrypting the pre-acquired ciphertext corresponding to the ciphertext identifier according to the key to obtain original data.
In particular, the present technical scheme consists of three protocols (system initialization, data upload sharing, and data download decryption) among three main participants: the alliance chain, a sender S, and a receiver R. The alliance chain is composed of n (n ≥ 3) mutually independent organizations, each of which provides a central server Serv_i (1 ≤ i ≤ n) for operating and maintaining the alliance chain system, and each organization may obtain the accounting right of the blockchain system. That is, each organization may obtain the accounting right according to the consensus process.
Each protocol is described in turn below.
1. System initialization
The main role of this protocol is to initialize the necessary environments and parameters in the system, making it ready to execute the following protocol.
At this stage, the central servers Serv_i (1 ≤ i ≤ n) of the n organizations act as alliance chain accounting nodes, join the alliance chain network, and contend with one another for the accounting right according to a consensus mechanism. After the alliance chain network is running, a sender and a receiver each register in the alliance chain to join the alliance chain network as users.
In this protocol the recipient R runs (PK, SK) ← PKE.KeyGen(1^λ) to generate its own public and private key pair (PK, SK).
2. Data upload sharing
In this protocol, a sender S encrypts data P and uploads a data cipher text to a federation chain network, and sets authorization information for the data.
First, S runs K ← SE.KeyGen(1^λ) to generate a one-time symmetric key K, and runs C ← SE.Enc(K, P) to encrypt the data P into a ciphertext C. S then applies the Shamir threshold secret sharing split algorithm to the key K, generating n shared secrets (S_1, S_2, ..., S_n) of K. S selects a group of recipients
Figure BDA0002401034350000141
sets the ciphertext identifier of C to ID_C, uploads C in a publicly accessible form to the alliance chain network for users to download publicly, and issues a transaction request to the alliance chain whose content sets an access control policy such that all receivers belonging to the set
Figure BDA0002401034350000142
can decrypt the content of C. Finally, S secretly uploads each shared secret S_i (1 ≤ i ≤ n) to the i-th central server Serv_i for storage.
After S uploads the ciphertext C and the access control policy transaction request composed of the identifier ID_C of C and the set of recipients
Figure BDA0002401034350000143
the central server holding the accounting right permanently records C and the corresponding access control policy request transaction in the alliance chain system.
3. Data download decryption
In this protocol, the recipient R submits a request to download the encrypted data C; each central server of the alliance chain checks whether the request complies with the corresponding access control policy and, if so, returns the shared secret it holds to R; R then restores the encryption key K of C accordingly and decrypts C.
First, the receiver R determines the identifier ID_C of the data ciphertext C to be obtained, then packages its own public key PK and ID_C together into a transaction request and issues it to the federation chain network.
After receiving the transaction submitted by R in the alliance chain network, each central server Serv_i (1 ≤ i ≤ n) first obtains from the alliance chain the access control policy associated with ID_C and checks whether R is in the set of users allowed to be authorized. If not, it exits execution. If so, it takes the shared secret S_i, which it stores, of the symmetric key K that encrypts C, and executes
Figure BDA0002401034350000151
to encrypt S_i with the public key PK of R, generating a ciphertext
Figure BDA0002401034350000152
and outputs
Figure BDA0002401034350000153
to the alliance chain network.
R monitors the output data in the alliance chain network. Once it has collected t shared secret ciphertexts
Figure BDA0002401034350000154
(1 ≤ k ≤ t, 1 ≤ i_k ≤ n), it stops monitoring and, for each shared secret ciphertext
Figure BDA0002401034350000155
executes the decryption algorithm
Figure BDA0002401034350000156
It then executes the algorithm
Figure BDA0002401034350000157
to obtain the decryption key of the ciphertext C, and downloads the ciphertext C from the alliance chain network. Finally, it executes the algorithm P ← SE.Dec(K, C) to decrypt the original data P and view its content.
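The three protocols above, reduced to their threshold core, as an added example that is not code from the patent: Shamir split and recovery of K over a prime field, with each server Serv_i applying the access control policy on its own and recording every request. The field modulus, the class and function names, and the sample identifiers are assumptions; the PKE.Enc wrapping of each share and the SE encryption of P are left out so that the block runs on the Python standard library alone.

```python
import secrets

# Field modulus (assumption: the patent fixes no field). 2**521 - 1 is a
# Mersenne prime, comfortably larger than a 256-bit symmetric key K.
PRIME = 2**521 - 1


def split(secret, n, t):
    """Shamir split: n points on a random degree t-1 polynomial with f(0) = secret."""
    if not 1 <= t <= n < PRIME:
        raise ValueError("need 1 <= t <= n")
    if not 0 <= secret < PRIME:
        raise ValueError("secret must be a field element")
    coeffs = [secret] + [secrets.randbelow(PRIME) for _ in range(t - 1)]
    shares = []
    for i in range(1, n + 1):          # share S_i goes to server Serv_i
        y = 0
        for c in reversed(coeffs):     # Horner evaluation of f(i)
            y = (y * i + c) % PRIME
        shares.append((i, y))
    return shares


def recover(shares):
    """Lagrange interpolation at x = 0 from shares with distinct indices."""
    xs = [x for x, _ in shares]
    if len(set(xs)) != len(xs):
        raise ValueError("duplicate share index")
    secret = 0
    for xj, yj in shares:
        num = den = 1
        for xm in xs:
            if xm != xj:
                num = num * -xm % PRIME
                den = den * (xj - xm) % PRIME
        secret = (secret + yj * num * pow(den, -1, PRIME)) % PRIME
    return secret


class Ledger:
    """Stand-in for the chain: access control policies plus an append-only request log."""
    def __init__(self):
        self.policies = {}   # ID_C -> set of authorised public keys
        self.log = []        # (server index, ID_C, public key, decision)


class Node:
    """One server Serv_i: holds its share S_i and applies the policy on its own."""
    def __init__(self, index, ledger):
        self.index, self.ledger, self.shares = index, ledger, {}

    def handle_download(self, id_c, pk):
        if id_c not in self.shares:    # nothing stored here, nothing to verify
            return None
        allowed = pk in self.ledger.policies.get(id_c, set())
        self.ledger.log.append((self.index, id_c, pk, "released" if allowed else "denied"))
        # In the scheme the share leaves the node only as PKE.Enc(PK, S_i);
        # that wrapping is omitted in this example.
        return self.shares[id_c] if allowed else None


def collect(nodes, id_c, pk, t):
    """Receiver side: query servers until t shares arrive; return what was gathered."""
    got = []
    for node in nodes:
        share = node.handle_download(id_c, pk)
        if share is not None:
            got.append(share)
        if len(got) == t:
            break
    return got


def build_demo(n=5, t=3):
    """Constructed scenario: one ciphertext identifier, one authorised receiver key."""
    ledger = Ledger()
    nodes = [Node(i, ledger) for i in range(1, n + 1)]
    key = secrets.randbits(256)                          # one-time symmetric key K
    id_c, pk_r = "ID_C-constructed", "PK_R-constructed"  # constructed sample values
    ledger.policies[id_c] = {pk_r}
    for node, share in zip(nodes, split(key, n, t)):
        node.shares[id_c] = share
    return ledger, nodes, key, id_c, pk_r


if __name__ == "__main__":
    ledger, nodes, key, id_c, pk_r = build_demo()
    # Two servers are unreachable; any t = 3 of the remaining shares suffice.
    assert recover(collect(nodes[2:], id_c, pk_r, 3)) == key
    # A public key outside the policy collects nothing, and each refusal is logged.
    assert collect(nodes, id_c, "PK_X-constructed", 3) == []
    print(ledger.log)
```

Recovering from fewer than t shares yields an unrelated field element rather than an error, so a receiver should confirm the result by checking that C decrypts correctly.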
By adopting the technical scheme, a ciphertext data authorization sharing scheme based on an alliance chain and the Shamir threshold secret sharing system is designed by utilizing the alliance chain's characteristics of decentralized consensus and permanent on-chain data recording, so that the secret key cannot be leaked, and any access to the secret key is recorded on the alliance chain network and cannot be changed, so that it can be audited and checked in the future.
In addition, a sender only needs to encrypt the ciphertext once, only needs to generate secret sharing of a secret key and set an access control strategy, local operation cost is low, all data are stored in the alliance chain network, the data can be guaranteed to be available at any time and any place, and the unavailability of service caused by single-point failure is avoided; furthermore, the execution of the access control strategy does not depend on a single server node, but requires the identification of not less than t central servers (namely, servers of all nodes), the central servers belong to different independent organizations, and the possibility of conspiracy and maliciousness of the central servers is low, so that the ciphertext has higher security; the ciphertext uploading and downloading decryption requests are all carried out through a alliance chain, all the requests related to the secret key are recorded by an alliance chain network, the access behaviors of user data can be tracked, and the method has the advantages of being auditable in operation and traceable in data.
The apparatuses, modules or units illustrated in the above embodiments may be implemented by a computer chip or an entity, or implemented by a product with certain functions. A typical implementation device is an electronic device, which may be, for example, a personal computer, a laptop computer, a cellular telephone, a camera phone, a smart phone, a personal digital assistant, a media player, a navigation device, an email device, a game console, a tablet computer, a wearable device, or a combination of any of these devices.
In a typical example, the electronic device specifically includes a memory, a processor, and a computer program stored on the memory and executable on the processor, and the processor executes the program to implement the steps of the above-mentioned federation chain-based data encryption and transmission method, or the above-mentioned federation chain-based data reception and decryption method, or the above-mentioned federation chain-based shared secret download control method.
Referring now to FIG. 9, shown is a schematic diagram of an electronic device 600 suitable for use in implementing embodiments of the present application.
As shown in fig. 9, the electronic apparatus 600 includes a Central Processing Unit (CPU) 601 that can perform various appropriate operations and processes according to a program stored in a Read Only Memory (ROM) 602 or a program loaded from a storage section 608 into a Random Access Memory (RAM) 603. In the RAM 603, various programs and data necessary for the operation of the system 600 are also stored. The CPU 601, ROM 602, and RAM 603 are connected to each other via a bus 604. An input/output (I/O) interface 605 is also connected to bus 604.
The following components are connected to the I/O interface 605: an input portion 606 including a keyboard, a mouse, and the like; an output portion 607 including a display such as a Cathode Ray Tube (CRT), a Liquid Crystal Display (LCD), and the like, and a speaker; a storage section 608 including a hard disk and the like; and a communication section 609 including a network interface card such as a LAN card, a modem, or the like. The communication section 609 performs communication processing via a network such as the internet. The driver 610 is also connected to the I/O interface 605 as needed. A removable medium 611 such as a magnetic disk, an optical disk, a magneto-optical disk, a semiconductor memory, or the like is mounted on the drive 610 as necessary, so that a computer program read out therefrom is mounted as necessary on the storage section 608.
In particular, according to an embodiment of the present invention, the processes described above with reference to the flowcharts may be implemented as computer software programs. For example, an embodiment of the present invention includes a computer-readable storage medium having stored thereon a computer program which, when executed by a processor, implements the steps of the above-described federation chain-based data encryption transmission method or the above-described federation chain-based data reception decryption method or the above-described federation chain-based shared secret download control method.
In such an embodiment, the computer program may be downloaded and installed from a network through the communication section 609, and/or installed from the removable medium 611.
Computer-readable media, including both permanent and non-permanent, removable and non-removable media, may implement information storage by any method or technology. The information may be computer readable instructions, data structures, modules of a program, or other data. Examples of computer storage media include, but are not limited to, phase change memory (PRAM), Static Random Access Memory (SRAM), Dynamic Random Access Memory (DRAM), other types of Random Access Memory (RAM), Read Only Memory (ROM), Electrically Erasable Programmable Read Only Memory (EEPROM), flash memory or other memory technology, compact disc read only memory (CD-ROM), Digital Versatile Discs (DVD) or other optical storage, magnetic cassettes, magnetic tape, magnetic disk storage or other magnetic storage devices, or any other non-transmission medium that can be used to store information that can be accessed by a computing device. As defined herein, a computer readable medium does not include a transitory computer readable medium such as a modulated data signal and a carrier wave.
For convenience of description, the above devices are described as being divided into various units by function, and are described separately. Of course, the functionality of the units may be implemented in one or more software and/or hardware when implementing the present application.
The present invention is described with reference to flowchart illustrations and/or block diagrams of methods, apparatus (systems), and computer program products according to embodiments of the invention. It will be understood that each flow and/or block of the flow diagrams and/or block diagrams, and combinations of flows and/or blocks in the flow diagrams and/or block diagrams, can be implemented by computer program instructions. These computer program instructions may be provided to a processor of a general purpose computer, special purpose computer, embedded processor, or other programmable data processing apparatus to produce a machine, such that the instructions, which execute via the processor of the computer or other programmable data processing apparatus, create means for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be stored in a computer-readable memory that can direct a computer or other programmable data processing apparatus to function in a particular manner, such that the instructions stored in the computer-readable memory produce an article of manufacture including instruction means which implement the function specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be loaded onto a computer or other programmable data processing apparatus to cause a series of operational steps to be performed on the computer or other programmable apparatus to produce a computer implemented process such that the instructions which execute on the computer or other programmable apparatus provide steps for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
It should also be noted that the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or apparatus. Without further limitation, an element defined by the phrase "comprising a ..." does not exclude the presence of other like elements in a process, method, article, or apparatus that comprises the element.
As will be appreciated by one skilled in the art, embodiments of the present application may be provided as a method, system, or computer program product. Accordingly, the present application may take the form of an entirely hardware embodiment, an entirely software embodiment or an embodiment combining software and hardware aspects. Furthermore, the present application may take the form of a computer program product embodied on one or more computer-usable storage media (including, but not limited to, disk storage, CD-ROM, optical storage, and the like) having computer-usable program code embodied therein.
The application may be described in the general context of computer-executable instructions, such as program modules, being executed by a computer. Generally, program modules include routines, programs, objects, components, data structures, etc. that perform particular tasks or implement particular abstract data types. The application may also be practiced in distributed computing environments where tasks are performed by remote processing devices that are linked through a communications network. In a distributed computing environment, program modules may be located in both local and remote computer storage media including memory storage devices.
The embodiments in the present specification are described in a progressive manner, and the same and similar parts among the embodiments are referred to each other, and each embodiment focuses on the differences from the other embodiments. In particular, for the system embodiment, since it is substantially similar to the method embodiment, the description is simple, and for the relevant points, reference may be made to the partial description of the method embodiment.
The above description is only an example of the present application and is not intended to limit the present application. Various modifications and changes may occur to those skilled in the art. Any modification, equivalent replacement, improvement, etc. made within the spirit and principle of the present application should be included in the scope of the claims of the present application.

Claims (15)

1. A federation chain-based data encryption transmission method, operable at a sender node, the method comprising:
encrypting original data according to a key to obtain a ciphertext, and uploading the ciphertext and its access control policy to an alliance chain network in a publicly accessible manner, so that each alliance chain node in the alliance chain network can obtain the ciphertext and its access control policy;
processing the key with the Shamir threshold secret sharing technique to generate a plurality of shared secrets, and secretly distributing the shared secrets to a plurality of alliance chain nodes, so that each of the plurality of alliance chain nodes stores part of the shared secrets;
so that each of the plurality of alliance chain nodes allows a requester to download its shared secret according to the access control policy, and an authorized party restores the key from the shared secrets fed back by the alliance chain nodes and then decrypts the ciphertext to obtain the original data.
2. A federation chain-based data encryption transmission method as recited in claim 1, further comprising:
probabilistically outputting the key according to input security parameters.
3. A federation chain-based data encryption transmission method as claimed in claim 1, wherein the access control policy is transmitted in the form of a transaction request further including a ciphertext identifier corresponding to the access control policy.
4. A federation chain-based data encryption transmission apparatus, operable at a sender node, the apparatus comprising:
the ciphertext encryption sending module is used for encrypting original data according to a key to obtain a ciphertext, and uploading the ciphertext and its access control policy to an alliance chain network in a publicly accessible manner, so that each alliance chain node in the alliance chain network can obtain the ciphertext and its access control policy;
the shared secret generation and transmission module is used for processing the key with the Shamir threshold secret sharing technique to generate a plurality of shared secrets, and secretly distributing the shared secrets to a plurality of alliance chain nodes, so that each of the plurality of alliance chain nodes stores part of the shared secrets;
so that each of the plurality of alliance chain nodes allows a requester to download its shared secret according to the access control policy, and an authorized party restores the key from the shared secrets fed back by the alliance chain nodes and then decrypts the ciphertext to obtain the original data.
5. A federation chain-based data reception decryption method, operable at an authorized recipient node, the method comprising:
issuing a download request to a federation chain network, the download request comprising a public key and a ciphertext identifier, so that a federation chain node storing the shared secret in the federation chain network judges whether the shared secret is allowed to be downloaded according to a pre-acquired access control policy corresponding to the ciphertext identifier and the public key, and if so, feeds back shared secret encrypted data obtained by encrypting the shared secret with the public key;
acquiring the shared secret encrypted data fed back by the alliance chain nodes;
decrypting the shared secret encrypted data according to a private key corresponding to the public key to obtain a shared secret;
restoring a key from the obtained shared secrets by adopting a Shamir threshold secret sharing technology;
and decrypting the pre-acquired ciphertext corresponding to the ciphertext identifier according to the key to obtain original data.
6. A federation chain-based data reception decryption method as claimed in claim 5, wherein the download request is issued in the form of a transaction request.
7. A federation chain-based data reception decryption method as recited in claim 5, further comprising:
and acquiring the ciphertext uploaded to the alliance chain network by the sender in a publicly accessible form according to the ciphertext identifier.
8. A federation chain-based data reception decryption apparatus, operable at an authorized recipient node, the apparatus comprising:
a download request sending module, which issues a download request to an alliance chain network, the download request comprising a public key and a ciphertext identifier, so that a federation chain node storing the shared secret in the federation chain network judges whether the shared secret is allowed to be downloaded according to a pre-acquired access control policy corresponding to the ciphertext identifier and the public key, and if so, feeds back shared secret encrypted data obtained by encrypting the shared secret with the public key;
a shared secret encrypted data receiving module, used for acquiring the shared secret encrypted data fed back by the alliance chain nodes;
a shared secret encrypted data decryption module, used for decrypting the shared secret encrypted data according to a private key corresponding to the public key to obtain a shared secret;
a key restoration module, used for restoring a key from the obtained shared secrets by adopting a Shamir threshold secret sharing technology;
and the ciphertext decryption module is used for decrypting the ciphertext corresponding to the ciphertext identifier, which is obtained in advance, according to the key to obtain the original data.
9. A federation chain-based shared secret download control method applied to a federation chain node in which a shared secret is prestored, the method comprising:
acquiring and recording a download request sent by a receiver, wherein the download request comprises: a public key and a ciphertext identifier;
judging whether the receiver is allowed to download the pre-stored shared secret according to a pre-acquired access control policy corresponding to the ciphertext identifier and the public key;
if yes, encrypting the shared secret with the public key to obtain shared secret encrypted data, and sending the shared secret encrypted data to the receiver.
10. The federation chain-based shared secret download control method of claim 9, further comprising:
receiving and storing the shared secret sent by the sender.
11. The federation chain-based shared secret download control method of claim 9, further comprising:
receiving and storing the ciphertext and its access control policy uploaded to the alliance chain network by the sender in a publicly accessible form.
12. A federation chain-based shared secret download control apparatus for a federation chain node that pre-stores a shared secret, the apparatus comprising:
the download request acquisition module acquires and records a download request sent by a receiver, wherein the download request comprises: a public key and a ciphertext identifier;
the authority verification module is used for judging whether the receiver is allowed to download the pre-stored shared secret according to the pre-acquired access control policy corresponding to the ciphertext identifier and the public key;
and the shared secret encryption sending module is used for encrypting the shared secret by using the public key to obtain shared secret encryption data and sending the shared secret encryption data to the receiver if the receiver is allowed to download the pre-stored shared secret.
13. A federation chain-based data encryption transmission system, comprising: a sender, a receiver, and a federation chain node;
the sender encrypts original data according to a pre-acquired key to obtain a ciphertext, uploads the ciphertext and its access control policy to an alliance chain network in a publicly accessible manner, encrypts the key by adopting a Shamir threshold secret sharing technology to generate a plurality of shared secrets, and sends the shared secrets in a distributed manner to a plurality of alliance chain nodes;
the receiver issues a download request to the federation chain network, the download request including: a public key and a ciphertext identifier;
the alliance chain node judges whether the receiver is allowed to download the pre-stored shared secret according to the pre-acquired access control policy corresponding to the ciphertext identifier and the public key; if so, it encrypts the shared secret with the public key to obtain shared secret encrypted data, and sends the shared secret encrypted data to the receiver;
the receiver acquires the shared secret encrypted data fed back by each alliance chain node; decrypts the shared secret encrypted data according to a private key corresponding to the public key to obtain the shared secret in each alliance chain node; restores a key from the obtained shared secrets by adopting a Shamir threshold secret sharing technology; and decrypts the pre-acquired ciphertext corresponding to the ciphertext identifier according to the key to obtain the original data.
14. An electronic device comprising a memory, a processor and a computer program stored on the memory and executable on the processor, wherein the processor when executing the program implements the steps of the federation chain-based data encryption transmission method of any one of claims 1 to 3 or the federation chain-based data reception decryption method of any one of claims 5 to 7 or the federation chain-based shared secret download control method of any one of claims 9 to 11.
15. A computer-readable storage medium, on which a computer program is stored, which, when being executed by a processor, implements the steps of the federation chain-based data encryption transmission method of any one of claims 1 to 3 or the federation chain-based data reception decryption method of any one of claims 5 to 7 or the federation chain-based shared secret download control method of any one of claims 9 to 11.
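The key-handling flow of claims 1, 5, 9 and 13, as an added Python sketch that is not part of the patent text: the sender splits the key with Shamir (t, n) sharing, each alliance chain node records every download request and releases its share only when the policy for that ciphertext identifier lists the requester's public key, and the receiver restores the key by Lagrange interpolation. The field prime, the threshold parameter `t`, the policy format (a set of allowed public keys) and all names are assumptions; encryption of the original data and of each share under the requester's public key is omitted.

```python
import secrets

P = 2**521 - 1  # Mersenne prime; the field must be larger than the key

def split_key(key: bytes, n: int, t: int):
    """Shamir (t, n): n points on a random degree t-1 polynomial with f(0) = key."""
    secret = int.from_bytes(key, "big")
    if not 1 < t <= n or secret >= P:
        raise ValueError("need 1 < t <= n and key < P")
    coeffs = [secret] + [secrets.randbelow(P) for _ in range(t - 1)]
    def f(x):
        acc = 0
        for c in reversed(coeffs):  # Horner evaluation mod P
            acc = (acc * x + c) % P
        return acc
    return [(x, f(x)) for x in range(1, n + 1)]

def recover_secret(shares) -> int:
    """Lagrange interpolation at x = 0 over GF(P)."""
    if len({x for x, _ in shares}) != len(shares):
        raise ValueError("duplicate share index")
    secret = 0
    for xi, yi in shares:
        num = den = 1
        for xj, _ in shares:
            if xj != xi:
                num = num * -xj % P
                den = den * (xi - xj) % P
        secret = (secret + yi * num * pow(den, -1, P)) % P
    return secret

class ChainNode:
    """Alliance chain node holding one share per ciphertext identifier."""
    def __init__(self):
        self.shares, self.policy, self.log = {}, {}, []
    def store(self, ct_id, share, allowed_pubkeys):
        self.shares[ct_id] = share
        self.policy[ct_id] = set(allowed_pubkeys)  # assumed policy format
    def download(self, ct_id, pubkey):
        self.log.append((ct_id, pubkey))  # every request is recorded
        if pubkey not in self.policy.get(ct_id, ()):
            return None  # policy check fails: share is withheld
        return self.shares[ct_id]  # a real node encrypts this under pubkey

def distribute(key, ct_id, nodes, t, allowed_pubkeys):
    for node, share in zip(nodes, split_key(key, len(nodes), t)):
        node.store(ct_id, share, allowed_pubkeys)

def request_key(nodes, ct_id, pubkey, t, key_len):
    replies = (node.download(ct_id, pubkey) for node in nodes)
    shares = [s for s in replies if s is not None]
    if len(shares) < t:
        return None  # below threshold: the key cannot be rebuilt
    return recover_secret(shares).to_bytes(key_len, "big")
```

With five nodes and `t = 3`, `request_key` returns the original key for a listed public key and `None` for an unlisted key or when only two nodes answer. Interpolating two shares directly with `recover_secret` yields an unrelated field element, not the key.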
CN202010146776.XA 2020-03-05 2020-03-05 Data encryption sending method based on alliance chain, related method, device and system Active CN111371790B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202010146776.XA CN111371790B (en) 2020-03-05 2020-03-05 Data encryption sending method based on alliance chain, related method, device and system

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202010146776.XA CN111371790B (en) 2020-03-05 2020-03-05 Data encryption sending method based on alliance chain, related method, device and system

Publications (2)

Publication Number Publication Date
CN111371790A true CN111371790A (en) 2020-07-03
CN111371790B CN111371790B (en) 2022-06-17

Family

ID=71212527

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202010146776.XA Active CN111371790B (en) 2020-03-05 2020-03-05 Data encryption sending method based on alliance chain, related method, device and system

Country Status (1)

Country Link
CN (1) CN111371790B (en)

Patent Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN109150968A (en) * 2018-07-13 2019-01-04 上海大学 A kind of block chain distributed storage method based on privacy sharing
CN109120639A (en) * 2018-09-26 2019-01-01 众安信息技术服务有限公司 A kind of data cloud storage encryption method and system based on block chain
CN109672529A (en) * 2019-01-07 2019-04-23 苏宁易购集团股份有限公司 A kind of method and system for going anonymization of combination block chain and privacy sharing
CN110581839A (en) * 2019-07-23 2019-12-17 中国空间技术研究院 Content protection method and device
CN110851859A (en) * 2019-10-22 2020-02-28 华东师范大学 Distributed authoritative node block chain system with (n, t) threshold and authentication method thereof

Cited By (8)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN112383599A (en) * 2020-07-27 2021-02-19 广东蓄能发电有限公司 Block chain-based distributed storage method for scheduling communication data
WO2022105505A1 (en) * 2020-11-20 2022-05-27 腾讯科技(深圳)有限公司 Data processing method and apparatus applied to blockchain system
CN112464262A (en) * 2020-12-04 2021-03-09 河北圣诺联合科技有限公司 Alliance chain encryption method, device, equipment and storage medium
WO2022121623A1 (en) * 2020-12-09 2022-06-16 深圳前海微众银行股份有限公司 Data set intersection method and apparatus
WO2022134812A1 (en) * 2020-12-21 2022-06-30 深圳壹账通智能科技有限公司 Consortium blockchain-based multi-institution data processing method, apparatus, and related device
CN113312647A (en) * 2021-06-23 2021-08-27 东北大学秦皇岛分校 Multi-agent data sharing method based on block chain storage
CN117176335A (en) * 2023-07-17 2023-12-05 北京邮电大学 Data tracking method based on alliance chain and related equipment
CN117176335B (en) * 2023-07-17 2024-03-15 北京邮电大学 Data tracking method based on alliance chain and related equipment

Also Published As

Publication number Publication date
CN111371790B (en) 2022-06-17

Similar Documents

Publication Publication Date Title
CN111371790B (en) Data encryption sending method based on alliance chain, related method, device and system
US8059818B2 (en) Accessing protected data on network storage from multiple devices
JP4814339B2 (en) Constrained encryption key
US10187207B2 (en) Re-encryption key generator, re-encryption apparatus, encryption apparatus, decryption apparatus, and storage medium
US9426131B2 (en) Server apparatus and program to re-encrypt ciphertext data
US8396218B2 (en) Cryptographic module distribution system, apparatus, and program
US8694783B2 (en) Lightweight secure authentication channel
US20140050318A1 (en) Re-encryption key generator, re-encryption apparatus, and program
KR20180115701A (en) Secure manifold loss prevention of cryptographic keys for block-chain-based systems associated with wallet management systems Storage and transmission
US20080209231A1 (en) Contents Encryption Method, System and Method for Providing Contents Through Network Using the Encryption Method
US20070127719A1 (en) Efficient management of cryptographic key generations
JP6363032B2 (en) Key change direction control system and key change direction control method
US11870891B2 (en) Certificateless public key encryption using pairings
CN112532580B (en) Data transmission method and system based on block chain and proxy re-encryption
US9813386B2 (en) Cooperation service providing system and server apparatus
CN113225302A (en) Data sharing system and method based on proxy re-encryption
JP2005252384A (en) Encrypted data storage server system, encrypted data storage method, and re-encryption method
CN109379345A (en) Sensitive information transmission method and system
CN114297721A (en) Information processing method, information processing apparatus, block chain platform, and storage medium
CA2849174C (en) System and method for the safe spontaneous transmission of confidential data over unsecure connections and switching computers
KR102328896B1 (en) Crypto Key distribution and recovery method for 3rd party managed system
CN114760053B (en) Distribution method, device, equipment and medium of symmetric key
EP4283918A1 (en) Methods and arrangements for enabling secure digital communications among a group
US20230188325A1 (en) Computer-implemented system and method for highly secure, high speed encryption and transmission of data
WO2023043793A1 (en) System and method of creating symmetric keys using elliptic curve cryptography

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant